├── .gitignore ├── Makefile ├── README.md ├── exampleapp ├── .gitignore ├── Dockerfile ├── Makefile ├── README.md ├── assets │ ├── app.js │ ├── dependencies │ │ ├── jquery-3.2.1.min.js │ │ └── socket.io.js │ ├── index.html │ └── styles.css ├── config.txt └── main.go ├── helm ├── vault-backend │ ├── .helmignore │ ├── Chart.yaml │ ├── charts │ │ └── consul-helm │ │ │ ├── .gitignore │ │ │ ├── .helmignore │ │ │ ├── CHANGELOG.md │ │ │ ├── Chart.yaml │ │ │ ├── LICENSE.md │ │ │ ├── Makefile │ │ │ ├── README.md │ │ │ ├── templates │ │ │ ├── NOTES.txt │ │ │ ├── _helpers.tpl │ │ │ ├── client-clusterrole.yaml │ │ │ ├── client-clusterrolebinding.yaml │ │ │ ├── client-config-configmap.yaml │ │ │ ├── client-daemonset.yaml │ │ │ ├── client-podsecuritypolicy.yaml │ │ │ ├── client-serviceaccount.yaml │ │ │ ├── connect-inject-authmethod-clusterrole.yaml │ │ │ ├── connect-inject-authmethod-clusterrolebinding.yaml │ │ │ ├── connect-inject-authmethod-serviceaccount.yaml │ │ │ ├── connect-inject-clusterrole.yaml │ │ │ ├── connect-inject-clusterrolebinding.yaml │ │ │ ├── connect-inject-deployment.yaml │ │ │ ├── connect-inject-mutatingwebhook.yaml │ │ │ ├── connect-inject-podsecuritypolicy.yaml │ │ │ ├── connect-inject-service.yaml │ │ │ ├── connect-inject-serviceaccount.yaml │ │ │ ├── dns-service.yaml │ │ │ ├── enterprise-license-clusterrole.yaml │ │ │ ├── enterprise-license-clusterrolebinding.yaml │ │ │ ├── enterprise-license-serviceaccount.yaml │ │ │ ├── enterprise-license.yaml │ │ │ ├── server-acl-init-clusterrole.yaml │ │ │ ├── server-acl-init-clusterrolebinding.yaml │ │ │ ├── server-acl-init-job.yaml │ │ │ ├── server-acl-init-serviceaccount.yaml │ │ │ ├── server-clusterrole.yaml │ │ │ ├── server-clusterrolebinding.yaml │ │ │ ├── server-config-configmap.yaml │ │ │ ├── server-disruptionbudget.yaml │ │ │ ├── server-podsecuritypolicy.yaml │ │ │ ├── server-service.yaml │ │ │ ├── server-serviceaccount.yaml │ │ │ ├── server-statefulset.yaml │ │ │ ├── sync-catalog-clusterrole.yaml │ │ │ ├── 
sync-catalog-clusterrolebinding.yaml │ │ │ ├── sync-catalog-deployment.yaml │ │ │ ├── sync-catalog-podsecuritypolicy.yaml │ │ │ ├── sync-catalog-serviceaccount.yaml │ │ │ ├── tests │ │ │ │ └── test-runner.yaml │ │ │ └── ui-service.yaml │ │ │ ├── test │ │ │ ├── acceptance │ │ │ │ ├── _helpers.bash │ │ │ │ └── server.bats │ │ │ ├── docker │ │ │ │ └── Test.dockerfile │ │ │ ├── terraform │ │ │ │ ├── main.tf │ │ │ │ ├── outputs.tf │ │ │ │ ├── service-account.yaml │ │ │ │ └── variables.tf │ │ │ └── unit │ │ │ │ ├── _helpers.bash │ │ │ │ ├── client-clusterrole.bats │ │ │ │ ├── client-clusterrolebinding.bats │ │ │ │ ├── client-configmap.bats │ │ │ │ ├── client-daemonset.bats │ │ │ │ ├── client-podsecuritypolicy.bats │ │ │ │ ├── client-serviceaccount.bats │ │ │ │ ├── connect-inject-authmethod-clusterrole.bats │ │ │ │ ├── connect-inject-authmethod-clusterrolebinding.bats │ │ │ │ ├── connect-inject-authmethod-serviceaccount.bats │ │ │ │ ├── connect-inject-clusterrole.bats │ │ │ │ ├── connect-inject-clusterrolebinding.bats │ │ │ │ ├── connect-inject-deployment.bats │ │ │ │ ├── connect-inject-mutatingwebhook.bats │ │ │ │ ├── connect-inject-podsecuritypolicy.bats │ │ │ │ ├── connect-inject-service.bats │ │ │ │ ├── connect-inject-serviceaccount.bats │ │ │ │ ├── dns-service.bats │ │ │ │ ├── enterprise-license-clusterrole.bats │ │ │ │ ├── enterprise-license-clusterrolebinding.bats │ │ │ │ ├── enterprise-license-serviceaccount.bats │ │ │ │ ├── enterprise-license.bats │ │ │ │ ├── server-acl-init-clusterrole.bats │ │ │ │ ├── server-acl-init-clusterrolebinding.bats │ │ │ │ ├── server-acl-init-job.bats │ │ │ │ ├── server-acl-init-serviceaccount.bats │ │ │ │ ├── server-clusterrole.bats │ │ │ │ ├── server-clusterrolebinding.bats │ │ │ │ ├── server-configmap.bats │ │ │ │ ├── server-disruptionbudget.bats │ │ │ │ ├── server-podsecuritypolicy.bats │ │ │ │ ├── server-service.bats │ │ │ │ ├── server-serviceaccount.bats │ │ │ │ ├── server-statefulset.bats │ │ │ │ ├── 
sync-catalog-clusterrole.bats │ │ │ │ ├── sync-catalog-clusterrolebinding.bats │ │ │ │ ├── sync-catalog-deployment.bats │ │ │ │ ├── sync-catalog-podsecuritypolicy.bats │ │ │ │ ├── sync-catalog-serviceaccount.bats │ │ │ │ └── ui-service.bats │ │ │ └── values.yaml │ ├── requirements.yaml │ ├── templates │ │ ├── _helpers.tpl │ │ ├── vault-acl-config.yaml │ │ └── vault-acl-job.yaml │ └── values.yaml ├── vault-helm-acl │ ├── .helmignore │ ├── Chart.yaml │ ├── templates │ │ ├── _helpers.tpl │ │ ├── acl-config.yaml │ │ ├── acl-init-clusterrole.yaml │ │ ├── acl-init-clusterrolebinding.yaml │ │ ├── acl-init-job.yaml │ │ ├── acl-init-serviceaccount.yaml │ │ └── tests │ │ │ └── test-runner.yaml │ └── values.yaml └── vault-helm │ ├── .gitignore │ ├── .helmignore │ ├── CHANGELOG.md │ ├── Chart.yaml │ ├── LICENSE.md │ ├── Makefile │ ├── README.md │ ├── templates │ ├── _helpers.tpl │ ├── ha-ui-configmap.yaml │ ├── ha-ui-service.yaml │ ├── server-disruptionbudget.yaml │ ├── server-ha-clusterrole.yaml │ ├── server-ha-clusterrolebinding.yaml │ ├── server-ha-config-configmap.yaml │ ├── server-ha-init-job.yaml │ ├── server-ha-service.yaml │ ├── server-ha-serviceaccount.yaml │ └── server-ha-statefulset.yaml │ ├── test │ ├── acceptance │ │ ├── _helpers.bash │ │ ├── server-ha.bats │ │ └── server.bats │ ├── docker │ │ └── Test.dockerfile │ ├── terraform │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── service-account.yaml │ │ └── variables.tf │ └── unit │ │ ├── _helpers.bash │ │ ├── server-configmap.bats │ │ ├── server-ha-configmap.bats │ │ ├── server-ha-disruptionbudget.bats │ │ ├── server-ha-statefulset.bats │ │ ├── server-service.bats │ │ ├── server-statefulset.bats │ │ └── ui-service.bats │ └── values.yaml ├── images ├── application-secrets-workflow.png ├── exampleapp-sidecar-updated.png ├── exampleapp-sidecar.png ├── exampleapp-simple.png ├── overview.png ├── vault-backend.png ├── vault-ha.png └── web-preview.png ├── kubernetes ├── exampleapp-database-sidecar.yaml ├── 
exampleapp-sidecar.yaml ├── exampleapp-simple.yaml ├── mysql.yaml ├── tiller-rbac.yaml └── vault.yaml └── scripts ├── 00-build-cluster.sh ├── 00-install-vault.sh ├── 01-consul.sh ├── 02-certs.sh ├── 03-vault.sh ├── 04-acl.sh ├── 05-k8s-auth.sh ├── 06-policy.sh ├── 07-exampleapp-simple.sh ├── 08-token.sh ├── 09-get-secret.sh ├── 10-exampleapp-sidecar.sh ├── 11-deploy-mysql.sh ├── 12-dynamic-db-secret.sh ├── 13-dynamic-secrets-sidecar.sh ├── __helpers.sh ├── clean-all.sh └── clean-kubernetes.sh /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | 3 | tls/ 4 | vault-config.yaml -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | 0-install-vault: 2 | bash scripts/00-install-vault.sh 3 | 4 | 0-build-cluster: 5 | bash scripts/00-build-cluster.sh 6 | 7 | 1-consul: 8 | bash scripts/01-consul.sh 9 | 10 | 2-certs: 11 | bash scripts/02-certs.sh 12 | 13 | 3-vault: 14 | bash scripts/03-vault.sh 15 | 16 | 4-acl: 17 | bash scripts/04-acl.sh 18 | 19 | 5-auth: 20 | bash scripts/05-k8s-auth.sh 21 | 22 | 6-policy: 23 | bash scripts/06-policy.sh 24 | 25 | 7-simple: 26 | bash scripts/07-exampleapp-simple.sh 27 | 28 | 8-token: 29 | bash scripts/08-token.sh 30 | 31 | 9-secret: 32 | bash scripts/09-get-secret.sh 33 | 34 | 10-sidecar: 35 | bash scripts/10-exampleapp-sidecar.sh 36 | 37 | 11-mysql: 38 | bash scripts/11-deploy-mysql.sh 39 | 40 | 12-database-secret-engine: 41 | bash scripts/12-dynamic-db-secret.sh 42 | 43 | 13-dynamic-secrets-sidecar: 44 | bash scripts/13-dynamic-secrets-sidecar.sh 45 | 46 | clean-kubernetes: 47 | bash scripts/clean-kubernetes.sh 48 | 49 | clean: 50 | bash scripts/clean-all.sh -------------------------------------------------------------------------------- /exampleapp/.gitignore: -------------------------------------------------------------------------------- 1 | rice-box.go 2 | 
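build/ 3 | -------------------------------------------------------------------------------- /exampleapp/Dockerfile: --------------------------------------------------------------------------------
FROM alpine:3.7
MAINTAINER Anubhav Mishra

ENV VAULT_VERSION=1.1.3

RUN apk add --no-cache ca-certificates gnupg curl git unzip bash openssh libcap openssl

# Download the Vault release and check it against the published SHA256SUMS
# before installing it.  The original fetched it with `curl -k`, which turns
# off TLS certificate verification for releases.hashicorp.com, so anyone who
# could interpose on the build's network path could have handed back a
# different binary; ca-certificates is installed above, so there is no reason
# to skip verification.  `-f` makes curl fail on an HTTP error instead of
# saving the error page under the zip's name.
# The SHA256SUMS file comes from the same origin, so it only protects against
# a truncated or corrupted download, not a compromised origin.  Verifying the
# detached signature of the SHA256SUMS file with the gnupg that is already
# installed, against a pinned HashiCorp release key
# (<HASHICORP_RELEASE_KEY_FINGERPRINT placeholder>), would close that gap.
RUN curl -fLOs https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip && \
    curl -fLOs https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_SHA256SUMS && \
    grep "vault_${VAULT_VERSION}_linux_amd64.zip$" vault_${VAULT_VERSION}_SHA256SUMS | sha256sum -c - && \
    unzip vault_${VAULT_VERSION}_linux_amd64.zip -d /tmp/vault_${VAULT_VERSION} && \
    mv /tmp/vault_${VAULT_VERSION}/vault /usr/local/bin/vault && \
    rm -rf vault_${VAULT_VERSION}_linux_amd64.zip vault_${VAULT_VERSION}_SHA256SUMS /tmp/vault_${VAULT_VERSION}

# COPY rather than ADD: the source is a plain binary from the build context,
# so ADD's URL-fetching and archive-extracting behaviour is not wanted.
COPY build/linux/amd64/exampleapp /usr/bin/exampleapp
ENTRYPOINT ["exampleapp"]
-------------------------------------------------------------------------------- /exampleapp/Makefile: -------------------------------------------------------------------------------- 1 | BUILD_ID := $(shell git rev-parse --short HEAD 2>/dev/null || echo no-commit-id) 2 | IMAGE_NAME := anubhavmishra/exampleapp 3 | 4 | .DEFAULT_GOAL := help 5 | help: ## List targets & descriptions 6 | @cat Makefile* | grep -E '^[a-zA-Z_-]+:.*?## .*$$' | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' 7 | 8 | clean: ## Clean the project 9 | rm -rf ./build 10 | mkdir ./build 11 | 12 | deps: 13 | go get github.com/GeertJohan/go.rice 14 | go get github.com/GeertJohan/go.rice/rice 15 | go get . 16 | 17 | build-service: ## Build the main Go service 18 | mkdir -p ./build/linux/amd64 19 | rice embed-go 20 | GOOS=linux GOARCH=amd64 go build -v -o ./build/linux/amd64/exampleapp . 21 | docker build -t $(IMAGE_NAME):$(BUILD_ID) . 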
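22 | docker tag $(IMAGE_NAME):$(BUILD_ID) $(IMAGE_NAME):latest 23 | 24 | push: ## docker push the service images tagged 'latest' & 'BUILD_ID' 25 | docker push $(IMAGE_NAME):$(BUILD_ID) 26 | docker push $(IMAGE_NAME):latest 27 | 28 | deps-test: 29 | go get -t 30 | 31 | test: ## Run tests, coverage reports, and clean (coverage taints the compiled code) 32 | go test -v . 33 | 34 | run: ## Build and run the project 35 | mkdir -p ./build 36 | go build -o ./build/exampleapp && PORT=8080 CONFIG_FILE=config.txt ./build/exampleapp -------------------------------------------------------------------------------- /exampleapp/README.md: -------------------------------------------------------------------------------- 1 | # Example App 2 | 3 | An example app to showcase Vault's secret management capabilities. 4 | 5 | ## Usage 6 | 7 | Build the service 8 | 9 | ```bash 10 | make build-service 11 | ``` 12 | 13 | Run locally 14 | 15 | ```bash 16 | make run 17 | ``` 18 | 19 | Build and push the Docker image 20 | 21 | ```bash 22 | make build-service push 23 | ``` -------------------------------------------------------------------------------- /exampleapp/assets/app.js: --------------------------------------------------------------------------------
var socket = io({ transports: ["websocket"] });

// Listen for "message" events. Each one carries the server's Config object:
// {secrets: [{Username, Password}, ...], message: string}.
socket.on("message", function(message) {
  // Render the secret list into #config and the status text into #hostname.
  function showCount(record) {
    // The server sends "secrets": null when it could not read the config
    // file; fall back to an empty list instead of reading .length of null.
    // The values are not logged to the console here: they are secrets.
    var secrets = record.secrets || [];
    var lines = [];

    for (var i = 0; i < secrets.length; i++) {
      lines.push(secrets[i].Username + "=" + secrets[i].Password);
    }

    // The usernames and passwords come from the server's config file and are
    // data, not markup: assign them with .text() so a "<" or "&" in a value
    // is escaped rather than parsed (the original injected the string with
    // .html()). A <pre> keeps the one-line-per-secret layout.
    $("#config").empty().append($("<pre>").text(lines.join("\n")));
    // The Go side serialises Config.Message under the JSON key "message"
    // (see the struct tag in main.go); the original read a misspelled
    // property and so always showed "undefined".
    $("#hostname").text(record.message);
  }

  showCount(message);
});

socket.on("connect", function() {
  // Ask the server for the current config, and ask again 200ms after each
  // answer arrives, so the page keeps polling for the life of the connection.
  function broadcastMessage() {
    socket.emit("send", {"message":"get count"}, function(result) {
      // Silent success, reload again
      setTimeout(broadcastMessage, 200) // In milliseconds
    });
  }
  broadcastMessage();
});
-------------------------------------------------------------------------------- /exampleapp/assets/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Example App 6 | 7 | 8 | 9 |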
10 |

Example App

11 |
12 |
-
13 |
-
14 |
15 | 19 | 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /exampleapp/assets/styles.css: -------------------------------------------------------------------------------- 1 | /* 2 | grey (light to dark) 3 | #7C8797 4 | #9e225a 5 | #8D929C 6 | #4f112d 7 | #280817 8 | 9 | #7c8797 10 | 11 | */ 12 | 13 | body { 14 | background: #7C8797; 15 | background: -moz-linear-gradient(-45deg, #7C8797 0%, #8D929C 100%); 16 | background: -webkit-linear-gradient(-45deg, #7C8797 0%,#8D929C 100%); 17 | background: linear-gradient(135deg, #7C8797 0% ,#8D929C 100%); 18 | filter: progid:DXImageTransform.Microsoft.gradient( startColorstr='#7C8797', endColorstr='#8D929C',GradientType=1 ); 19 | 20 | /* height: 100%; /* Firefox background fix */ */ 21 | 22 | margin: 0; 23 | padding: 1em; 24 | } 25 | 26 | body, 27 | p { 28 | font-family: -apple-system, BlinkMacSystemFont, sans-serif; 29 | } 30 | 31 | h1 { 32 | color:white; 33 | font-weight: normal; 34 | } 35 | 36 | #line { 37 | border-bottom: 10px solid #fff; 38 | width: 4em; 39 | } 40 | 41 | #config { 42 | font-size: 5em; 43 | font-weight: bold; 44 | text-align: left; 45 | color: #fff; 46 | } 47 | 48 | #hostname { 49 | color: white; 50 | text-align: right; 51 | font-family: monospace; 52 | } 53 | 54 | #connection-status { 55 | position: fixed; 56 | top: 10px; 57 | right: 10px; 58 | font-weight: bold; 59 | color: white; 60 | border-radius: 0.2em; 61 | padding: 0.2em 0.5em; 62 | text-align: right; 63 | background-color: grey; 64 | } 65 | 66 | .connected { 67 | background-color: green !important; 68 | } 69 | 70 | .container { 71 | margin: 0 auto; 72 | max-width: 700px; 73 | } 74 | 75 | @media only screen and (max-width: 700px) { 76 | body { 77 | padding: 10px; 78 | } 79 | h1 { 80 | font-size: 1.5em; 81 | } 82 | #count { 83 | font-size: 8em; 84 | } 85 | } 86 | -------------------------------------------------------------------------------- /exampleapp/config.txt: 
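-------------------------------------------------------------------------------- 1 | hello=world 2 | exampleapp=secretpassword 3 | wow=what 4 | -------------------------------------------------------------------------------- /exampleapp/main.go: --------------------------------------------------------------------------------
package main

import (
	"fmt"
	"io/ioutil"
	"log"
	"net/http"
	"os"
	"strings"
	"time"

	rice "github.com/GeertJohan/go.rice"
	"github.com/gorilla/mux"
	gosocketio "github.com/graarh/golang-socketio"
	"github.com/graarh/golang-socketio/transport"
)

// secretConfigFile is the path of the key=value file the secrets are read
// from (CONFIG_FILE environment variable, default /etc/exampleapp/config).
var secretConfigFile string

// port is the TCP port the HTTP server listens on (PORT environment
// variable, default 80).
var port string

// Config is the payload pushed to every connected browser.
type Config struct {
	Secrets []Secret `json:"secrets"`
	Message string   `json:"message"`
}

// Secret is one key=value line of the config file.
type Secret struct {
	Username string
	Password string
}

// main reads PORT and CONFIG_FILE from the environment, routes /socket.io/
// to the websocket server, /health to HealthHandler and everything else to
// the embedded assets, then serves until the listener fails.
func main() {
	port = getEnvOrDefault("PORT", "80")
	portWithColon := fmt.Sprintf(":%s", port)

	secretConfigFile = getEnvOrDefault("CONFIG_FILE", "/etc/exampleapp/config")

	fmt.Printf("Starting server on http://0.0.0.0:%s\n", port)
	fmt.Println("(Pass as PORT environment variable)")

	router := mux.NewRouter()
	router.PathPrefix("/socket.io/").Handler(startWebsocket())
	router.HandleFunc("/health", HealthHandler)
	router.PathPrefix("/").Handler(http.FileServer(rice.MustFindBox("assets").HTTPBox()))

	// http.ListenAndServe uses a Server with no timeouts, so a client that
	// never finishes sending its request headers can hold a connection open
	// indefinitely. ReadHeaderTimeout bounds only the header phase, so it
	// does not interfere with the long-lived websocket connections.
	srv := &http.Server{
		Addr:              portWithColon,
		Handler:           router,
		ReadHeaderTimeout: 10 * time.Second,
	}
	log.Fatal(srv.ListenAndServe())
}

// getEnvOrDefault returns the value of the environment variable key, or
// fallback when it is unset. A variable that is set but empty is returned
// as the empty string.
func getEnvOrDefault(key, fallback string) string {
	if value, ok := os.LookupEnv(key); ok {
		return value
	}
	return fallback
}

// HealthHandler returns a successful status and a message that echoes the
// request path.
func HealthHandler(w http.ResponseWriter, r *http.Request) {
	// The body reflects the request path, so declare it as plain text rather
	// than leaving the content type to be sniffed from the first bytes.
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	w.WriteHeader(http.StatusOK)
	fmt.Fprintf(w, "Hello, you've hit %s\n", r.URL.Path)
}

// startWebsocket builds the socket.io server and registers the connection
// handler and the "send" event handler.
func startWebsocket() *gosocketio.Server {
	server := gosocketio.NewServer(transport.GetDefaultWebsocketTransport())

	fmt.Println("Starting websocket server...")
	server.On(gosocketio.OnConnection, handleConnection)
	server.On("send", handleSend)

	return server
}

// handleConnection joins a newly connected client to the "visits" room and
// pushes the current config to it straight away.
func handleConnection(c *gosocketio.Channel) {
	fmt.Println("New client connected")
	c.Join("visits")
	handleSend(c, Config{})
}

// handleSend re-reads the secret file and sends it to the client as a
// "message" event. msg, the client's request payload, is not used. When the
// file cannot be read the client receives no secrets and the error text as
// Message. Always returns "OK".
func handleSend(c *gosocketio.Channel, msg Config) string {
	config, err := getSecretDataFromFile(secretConfigFile)
	if err != nil {
		config = Config{Secrets: nil, Message: err.Error()}
	}
	// Log only the count and status. The original printed the whole Config,
	// which wrote every username/password pair to stdout, and so to the
	// container logs, on every 200ms poll from every connected browser.
	fmt.Printf("sending %d secret(s) from %s: %s\n", len(config.Secrets), secretConfigFile, config.Message)
	c.Ack("message", config, time.Second*10)
	return "OK"
}

// getSecretDataFromFile parses the key=value file at path c into a Config
// with Message "ok". Blank lines and lines without "=" are skipped. If the
// file cannot be read, the read error is returned with an empty Config.
func getSecretDataFromFile(c string) (Config, error) {
	t, err := ioutil.ReadFile(c)
	if err != nil {
		return Config{}, err
	}

	var s []Secret

	for _, cf := range strings.Split(string(t), "\n") {
		// Split on the first "=" only. A value such as a base64 string or a
		// connection URL can itself contain "=", and strings.Split would have
		// silently truncated it at the second one.
		sp := strings.SplitN(cf, "=", 2)
		if len(sp) > 1 {
			s = append(s, Secret{Username: sp[0], Password: sp[1]})
		}
	}

	return Config{Secrets: s, Message: "ok"}, nil
}
-------------------------------------------------------------------------------- /helm/vault-backend/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 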
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | .vscode/ 23 | -------------------------------------------------------------------------------- /helm/vault-backend/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | appVersion: "1.0" 3 | description: A Helm chart of backend Consul for Vault on Kubernetes 4 | name: vault-backend 5 | version: 0.1.0 6 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | .terraform/ 3 | .terraform.tfstate* 4 | terraform.tfstate* 5 | terraform.tfvars 6 | values.dev.yaml 7 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/.helmignore: -------------------------------------------------------------------------------- 1 | .git/ 2 | .terraform/ 3 | bin/ 4 | test/ 5 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: consul 3 | version: 0.8.1 4 | description: Install and configure Consul on Kubernetes. 
5 | home: https://www.consul.io 6 | sources: 7 | - https://github.com/hashicorp/consul 8 | - https://github.com/hashicorp/consul-helm 9 | - https://github.com/hashicorp/consul-k8s 10 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/Makefile: -------------------------------------------------------------------------------- 1 | TEST_IMAGE?=consul-helm-test 2 | 3 | test-docker: 4 | @docker build --rm -t '$(TEST_IMAGE)' -f $(CURDIR)/test/docker/Test.dockerfile $(CURDIR) 5 | 6 | .PHONY: test-docker 7 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | 2 | Thank you for installing HashiCorp Consul! 3 | 4 | Now that you have deployed Consul, you should look over the docs on using 5 | Consul with Kubernetes available here: 6 | 7 | https://www.consul.io/docs/platform/k8s/index.html 8 | 9 | 10 | Your release is named {{ .Release.Name }}. To learn more about the release, try: 11 | 12 | $ helm status {{ .Release.Name }} 13 | $ helm get {{ .Release.Name }} 14 | 15 | 16 | {{- if (and .Values.global.bootstrapACLs (gt (len .Values.server.extraConfig) 3)) }} 17 | Warning: Defining server extraConfig potentially disrupts the automatic ACL 18 | bootstrapping required settings. This may cause future issues if 19 | there are conflicts. 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Create a default fully qualified app name. 3 | We truncate at 63 chars because some Kubernetes name fields are limited to 4 | this (by the DNS naming spec). If release name contains chart name it will 5 | be used as a full name. 
6 | */}} 7 | {{- define "consul.fullname" -}} 8 | {{- if .Values.fullnameOverride -}} 9 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} 10 | {{- else -}} 11 | {{- $name := default .Chart.Name .Values.nameOverride -}} 12 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} 13 | {{- end -}} 14 | {{- end -}} 15 | 16 | {{/* 17 | Create chart name and version as used by the chart label. 18 | */}} 19 | {{- define "consul.chart" -}} 20 | {{- printf "%s-helm" .Chart.Name | replace "+" "_" | trunc 63 | trimSuffix "-" -}} 21 | {{- end -}} 22 | 23 | {{/* 24 | Expand the name of the chart. 25 | */}} 26 | {{- define "consul.name" -}} 27 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} 28 | {{- end -}} 29 | 30 | {{/* 31 | Compute the maximum number of unavailable replicas for the PodDisruptionBudget. 32 | This defaults to (n/2)-1 where n is the number of members of the server cluster. 33 | Special case of replica equaling 3 and allowing a minor disruption of 1 otherwise 34 | use the integer value 35 | Add a special case for replicas=1, where it should default to 0 as well. 
36 | */}} 37 | {{- define "consul.pdb.maxUnavailable" -}} 38 | {{- if eq (int .Values.server.replicas) 1 -}} 39 | {{ 0 }} 40 | {{- else if .Values.server.disruptionBudget.maxUnavailable -}} 41 | {{ .Values.server.disruptionBudget.maxUnavailable -}} 42 | {{- else -}} 43 | {{- if eq (int .Values.server.replicas) 3 -}} 44 | {{- 1 -}} 45 | {{- else -}} 46 | {{- sub (div (int .Values.server.replicas) 2) 1 -}} 47 | {{- end -}} 48 | {{- end -}} 49 | {{- end -}} 50 | 51 | {{/* 52 | Inject extra environment vars in the format key:value, if populated 53 | */}} 54 | {{- define "consul.extraEnvironmentVars" -}} 55 | {{- if .extraEnvironmentVars -}} 56 | {{- range $key, $value := .extraEnvironmentVars }} 57 | - name: {{ $key }} 58 | value: {{ $value | quote }} 59 | {{- end -}} 60 | {{- end -}} 61 | {{- end -}} 62 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/templates/client-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: {{ template "consul.fullname" . }}-client 6 | labels: 7 | app: {{ template "consul.name" . }} 8 | chart: {{ template "consul.chart" . }} 9 | heritage: {{ .Release.Service }} 10 | release: {{ .Release.Name }} 11 | {{- if (or .Values.global.enablePodSecurityPolicies .Values.global.bootstrapACLs) }} 12 | rules: 13 | {{- end }} 14 | {{- if .Values.global.enablePodSecurityPolicies }} 15 | - apiGroups: ["policy"] 16 | resources: ["podsecuritypolicies"] 17 | resourceNames: 18 | - {{ template "consul.fullname" . 
}}-client 19 | verbs: 20 | - use 21 | {{- end }} 22 | {{- if .Values.global.bootstrapACLs }} 23 | - apiGroups: [""] 24 | resources: 25 | - secrets 26 | resourceNames: 27 | - {{ .Release.Name }}-consul-client-acl-token 28 | verbs: 29 | - get 30 | {{- end }} 31 | {{- end }} 32 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/templates/client-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: {{ template "consul.fullname" . }}-client 6 | labels: 7 | app: {{ template "consul.name" . }} 8 | chart: {{ template "consul.chart" . }} 9 | heritage: {{ .Release.Service }} 10 | release: {{ .Release.Name }} 11 | roleRef: 12 | apiGroup: rbac.authorization.k8s.io 13 | kind: ClusterRole 14 | name: {{ template "consul.fullname" . }}-client 15 | subjects: 16 | - kind: ServiceAccount 17 | name: {{ template "consul.fullname" . }}-client 18 | namespace: {{ .Release.Namespace }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/templates/client-config-configmap.yaml: -------------------------------------------------------------------------------- 1 | # ConfigMap with extra configuration specified directly to the chart 2 | # for client agents only. 3 | {{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} 4 | apiVersion: v1 5 | kind: ConfigMap 6 | metadata: 7 | name: {{ template "consul.fullname" . }}-client-config 8 | namespace: {{ .Release.Namespace }} 9 | labels: 10 | app: {{ template "consul.name" . 
}} 11 | chart: {{ template "consul.chart" . }} 12 | heritage: {{ .Release.Service }} 13 | release: {{ .Release.Name }} 14 | data: 15 | extra-from-values.json: |- 16 | {{ tpl .Values.client.extraConfig . | trimAll "\"" | indent 4 }} 17 | {{- if (and .Values.connectInject.enabled .Values.connectInject.centralConfig.enabled) }} 18 | central-config.json: |- 19 | { 20 | "enable_central_service_config": true 21 | } 22 | {{- end }} 23 | {{- end }} 24 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/templates/client-podsecuritypolicy.yaml: -------------------------------------------------------------------------------- 1 | {{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled))) }} 2 | apiVersion: policy/v1beta1 3 | kind: PodSecurityPolicy 4 | metadata: 5 | name: {{ template "consul.fullname" . }}-client 6 | labels: 7 | app: {{ template "consul.name" . }} 8 | chart: {{ template "consul.chart" . }} 9 | heritage: {{ .Release.Service }} 10 | release: {{ .Release.Name }} 11 | spec: 12 | privileged: false 13 | # Required to prevent escalations to root. 14 | allowPrivilegeEscalation: false 15 | # This is redundant with non-root + disallow privilege escalation, 16 | # but we can provide it for defense in depth. 17 | requiredDropCapabilities: 18 | - ALL 19 | # Allow core volume types. 20 | volumes: 21 | - 'configMap' 22 | - 'emptyDir' 23 | - 'projected' 24 | - 'secret' 25 | - 'downwardAPI' 26 | hostNetwork: false 27 | hostPorts: 28 | - min: 8500 29 | max: 8502 30 | hostIPC: false 31 | hostPID: false 32 | runAsUser: 33 | # Require the container to run without root privileges. 
34 | rule: 'RunAsAny' 35 | seLinux: 36 | rule: 'RunAsAny' 37 | supplementalGroups: 38 | rule: 'RunAsAny' 39 | fsGroup: 40 | rule: 'RunAsAny' 41 | readOnlyRootFilesystem: false 42 | {{- end }} 43 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/templates/client-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ template "consul.fullname" . }}-client 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app: {{ template "consul.name" . }} 9 | chart: {{ template "consul.chart" . }} 10 | heritage: {{ .Release.Service }} 11 | release: {{ .Release.Name }} 12 | {{- end }} 13 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/templates/connect-inject-authmethod-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (not .Values.connectInject.certs.secretName) (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} 2 | {{- if .Values.global.bootstrapACLs }} 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: ClusterRole 5 | metadata: 6 | name: {{ template "consul.fullname" . }}-connect-injector-authmethod-role 7 | labels: 8 | app: {{ template "consul.name" . }} 9 | chart: {{ template "consul.chart" . 
}} 10 | heritage: {{ .Release.Service }} 11 | release: {{ .Release.Name }} 12 | rules: 13 | - apiGroups: [""] 14 | resources: 15 | - serviceaccounts 16 | verbs: 17 | - get 18 | {{- end }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/templates/connect-inject-authmethod-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (not .Values.connectInject.certs.secretName) (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} 2 | {{- if .Values.global.bootstrapACLs }} 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: ClusterRoleBinding 5 | metadata: 6 | name: {{ template "consul.fullname" . }}-connect-injector-authmethod-authdelegator-role-binding 7 | labels: 8 | app: {{ template "consul.name" . }} 9 | chart: {{ template "consul.chart" . }} 10 | heritage: {{ .Release.Service }} 11 | release: {{ .Release.Name }} 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: ClusterRole 15 | name: "system:auth-delegator" 16 | subjects: 17 | - kind: ServiceAccount 18 | name: {{ template "consul.fullname" . }}-connect-injector-authmethod-svc-account 19 | namespace: {{ .Release.Namespace }} 20 | --- 21 | apiVersion: rbac.authorization.k8s.io/v1 22 | kind: ClusterRoleBinding 23 | metadata: 24 | name: {{ template "consul.fullname" . }}-connect-injector-authmethod-serviceaccount-role-binding 25 | labels: 26 | app: {{ template "consul.name" . }} 27 | chart: {{ template "consul.chart" . }} 28 | heritage: {{ .Release.Service }} 29 | release: {{ .Release.Name }} 30 | roleRef: 31 | apiGroup: rbac.authorization.k8s.io 32 | kind: ClusterRole 33 | name: {{ template "consul.fullname" . 
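}}-connect-injector-authmethod-role 34 | subjects: 35 | - kind: ServiceAccount 36 | name: {{ template "consul.fullname" . }}-connect-injector-authmethod-svc-account 37 | namespace: {{ .Release.Namespace }} 38 | {{- end }} 39 | {{- end }} 40 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/templates/connect-inject-authmethod-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (not .Values.connectInject.certs.secretName) (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} 2 | {{- if .Values.global.bootstrapACLs }} 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | name: {{ template "consul.fullname" . }}-connect-injector-authmethod-svc-account 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | app: {{ template "consul.name" . }} 10 | chart: {{ template "consul.chart" . }} 11 | heritage: {{ .Release.Service }} 12 | release: {{ .Release.Name }} 13 | {{- end }} 14 | {{- end }} 15 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/templates/connect-inject-clusterrole.yaml: --------------------------------------------------------------------------------
# The ClusterRole to enable the Connect injector to get, list, watch and patch MutatingWebhookConfiguration.
{{- if and (not .Values.connectInject.certs.secretName) (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ template "consul.fullname" . }}-connect-injector-webhook
  labels:
    app: {{ template "consul.name" . }}
    chart: {{ template "consul.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
rules:
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["mutatingwebhookconfigurations"]
  verbs:
    - "get"
    - "list"
    - "watch"
    - "patch"
{{- if .Values.global.enablePodSecurityPolicies }}
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  # The PolicyRule field is "resourceNames"; the misspelled key
  # "resourcesName" used before is not part of the schema. An API server that
  # drops unknown fields would keep the rule without any name restriction,
  # granting "use" on every PodSecurityPolicy in the cluster instead of only
  # the injector's own (the other templates in this chart spell it correctly).
  resourceNames:
    - {{ template "consul.fullname" . }}-connect-injector-webhook
  verbs:
    - use
{{- end }}
{{- end }}
-------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/templates/connect-inject-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (not .Values.connectInject.certs.secretName) (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: {{ template "consul.fullname" . }}-connect-injector-webhook-admin-role-binding 6 | labels: 7 | app: {{ template "consul.name" . }} 8 | chart: {{ template "consul.chart" . }} 9 | heritage: {{ .Release.Service }} 10 | release: {{ .Release.Name }} 11 | roleRef: 12 | apiGroup: rbac.authorization.k8s.io 13 | kind: ClusterRole 14 | name: {{ template "consul.fullname" . }}-connect-injector-webhook 15 | subjects: 16 | - kind: ServiceAccount 17 | name: {{ template "consul.fullname" . 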
}}-connect-injector-webhook-svc-account 18 | namespace: {{ .Release.Namespace }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/templates/connect-inject-mutatingwebhook.yaml: -------------------------------------------------------------------------------- 1 | # The MutatingWebhookConfiguration to enable the Connect injector. 2 | {{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} 3 | apiVersion: admissionregistration.k8s.io/v1beta1 4 | kind: MutatingWebhookConfiguration 5 | metadata: 6 | name: {{ template "consul.fullname" . }}-connect-injector-cfg 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | app: {{ template "consul.name" . }} 10 | chart: {{ template "consul.chart" . }} 11 | heritage: {{ .Release.Service }} 12 | release: {{ .Release.Name }} 13 | webhooks: 14 | - name: {{ template "consul.fullname" . }}-connect-injector.consul.hashicorp.com 15 | clientConfig: 16 | service: 17 | name: {{ template "consul.fullname" . }}-connect-injector-svc 18 | namespace: {{ .Release.Namespace }} 19 | path: "/mutate" 20 | caBundle: {{ .Values.connectInject.certs.caBundle }} 21 | rules: 22 | - operations: [ "CREATE" ] 23 | apiGroups: [""] 24 | apiVersions: ["v1"] 25 | resources: ["pods"] 26 | {{- if .Values.connectInject.namespaceSelector }} 27 | namespaceSelector: 28 | {{ tpl .Values.connectInject.namespaceSelector . 
| indent 6 }} 29 | {{- end }} 30 | {{- end }} 31 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/templates/connect-inject-podsecuritypolicy.yaml: -------------------------------------------------------------------------------- 1 | {{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }} 2 | apiVersion: policy/v1beta1 3 | kind: PodSecurityPolicy 4 | metadata: 5 | name: {{ template "consul.fullname" . }}-connect-injector-webhook 6 | labels: 7 | app: {{ template "consul.name" . }} 8 | chart: {{ template "consul.chart" . }} 9 | heritage: {{ .Release.Service }} 10 | release: {{ .Release.Name }} 11 | spec: 12 | privileged: false 13 | # Required to prevent escalations to root. 14 | allowPrivilegeEscalation: false 15 | # This is redundant with non-root + disallow privilege escalation, 16 | # but we can provide it for defense in depth. 17 | requiredDropCapabilities: 18 | - ALL 19 | # Allow core volume types. 20 | volumes: 21 | - 'configMap' 22 | - 'emptyDir' 23 | - 'projected' 24 | - 'secret' 25 | - 'downwardAPI' 26 | hostNetwork: false 27 | hostIPC: false 28 | hostPID: false 29 | runAsUser: 30 | # Intended to require the container to run without root privileges, but 'RunAsAny' does not enforce that; 'MustRunAsNonRoot' would.
31 | rule: 'RunAsAny' 32 | seLinux: 33 | rule: 'RunAsAny' 34 | supplementalGroups: 35 | rule: 'RunAsAny' 36 | fsGroup: 37 | rule: 'RunAsAny' 38 | readOnlyRootFilesystem: false 39 | {{- end }} 40 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/templates/connect-inject-service.yaml: -------------------------------------------------------------------------------- 1 | # The service for the Connect sidecar injector 2 | {{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | name: {{ template "consul.fullname" . }}-connect-injector-svc 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | app: {{ template "consul.name" . }} 10 | chart: {{ template "consul.chart" . }} 11 | heritage: {{ .Release.Service }} 12 | release: {{ .Release.Name }} 13 | spec: 14 | ports: 15 | - port: 443 16 | targetPort: 8080 17 | selector: 18 | app: {{ template "consul.name" . }} 19 | release: "{{ .Release.Name }}" 20 | component: connect-injector 21 | {{- end }} 22 | 23 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/templates/connect-inject-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (not .Values.connectInject.certs.secretName) (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ template "consul.fullname" . }}-connect-injector-webhook-svc-account 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app: {{ template "consul.name" . }} 9 | chart: {{ template "consul.chart" . 
}} 10 | heritage: {{ .Release.Service }} 11 | release: {{ .Release.Name }} 12 | {{- end }} 13 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/templates/dns-service.yaml: -------------------------------------------------------------------------------- 1 | # Service for Consul DNS. 2 | {{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.global.enabled)) }} 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | name: {{ template "consul.fullname" . }}-dns 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | app: {{ template "consul.name" . }} 10 | chart: {{ template "consul.chart" . }} 11 | heritage: {{ .Release.Service }} 12 | release: {{ .Release.Name }} 13 | spec: 14 | ports: 15 | - name: dns-tcp 16 | port: 53 17 | protocol: "TCP" 18 | targetPort: dns-tcp 19 | - name: dns-udp 20 | port: 53 21 | protocol: "UDP" 22 | targetPort: dns-udp 23 | selector: 24 | app: {{ template "consul.name" . }} 25 | release: "{{ .Release.Name }}" 26 | hasDNS: "true" 27 | {{- end }} 28 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/templates/enterprise-license-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} 2 | {{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} 3 | {{- if .Values.global.bootstrapACLs }} 4 | {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }} 5 | apiVersion: rbac.authorization.k8s.io/v1 6 | kind: ClusterRole 7 | metadata: 8 | name: {{ template "consul.fullname" . 
}}-enterprise-license 9 | labels: 10 | app: {{ template "consul.name" . }} 11 | chart: {{ template "consul.chart" . }} 12 | heritage: {{ .Release.Service }} 13 | release: {{ .Release.Name }} 14 | rules: 15 | - apiGroups: [""] 16 | resources: 17 | - secrets 18 | resourceNames: 19 | - {{ .Release.Name }}-consul-enterprise-license-acl-token 20 | verbs: 21 | - get 22 | {{- end }} 23 | {{- end }} 24 | {{- end }} 25 | {{- end }} 26 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/templates/enterprise-license-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} 2 | {{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} 3 | {{- if .Values.global.bootstrapACLs }} 4 | {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }} 5 | apiVersion: rbac.authorization.k8s.io/v1 6 | kind: ClusterRoleBinding 7 | metadata: 8 | name: {{ template "consul.fullname" . }}-enterprise-license 9 | labels: 10 | app: {{ template "consul.name" . }} 11 | chart: {{ template "consul.chart" . }} 12 | heritage: {{ .Release.Service }} 13 | release: {{ .Release.Name }} 14 | roleRef: 15 | apiGroup: rbac.authorization.k8s.io 16 | kind: ClusterRole 17 | name: {{ template "consul.fullname" . }}-enterprise-license 18 | subjects: 19 | - kind: ServiceAccount 20 | name: {{ template "consul.fullname" . 
}}-enterprise-license 21 | namespace: {{ .Release.Namespace }} 22 | {{- end }} 23 | {{- end }} 24 | {{- end }} 25 | {{- end }} 26 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/templates/enterprise-license-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} 2 | {{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} 3 | {{- if .Values.global.bootstrapACLs }} 4 | {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }} 5 | apiVersion: v1 6 | kind: ServiceAccount 7 | metadata: 8 | name: {{ template "consul.fullname" . }}-enterprise-license 9 | namespace: {{ .Release.Namespace }} 10 | labels: 11 | app: {{ template "consul.name" . }} 12 | chart: {{ template "consul.chart" . }} 13 | heritage: {{ .Release.Service }} 14 | release: {{ .Release.Name }} 15 | {{- end }} 16 | {{- end }} 17 | {{- end }} 18 | {{- end }} 19 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/templates/enterprise-license.yaml: -------------------------------------------------------------------------------- 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} 2 | {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }} 3 | apiVersion: batch/v1 4 | kind: Job 5 | metadata: 6 | name: {{ template "consul.fullname" . 
}}-license 7 | labels: 8 | app.kubernetes.io/managed-by: {{.Release.Service | quote }} 9 | app.kubernetes.io/instance: {{.Release.Name | quote }} 10 | helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}" 11 | app: {{ template "consul.name" . }} 12 | chart: {{ template "consul.chart" . }} 13 | heritage: {{ .Release.Service }} 14 | release: {{ .Release.Name }} 15 | annotations: 16 | "helm.sh/hook": post-install 17 | "helm.sh/hook-weight": "100" 18 | "helm.sh/hook-delete-policy": hook-succeeded 19 | spec: 20 | template: 21 | metadata: 22 | name: {{ template "consul.fullname" . }}-license 23 | labels: 24 | app.kubernetes.io/managed-by: {{.Release.Service | quote }} 25 | app.kubernetes.io/instance: {{.Release.Name | quote }} 26 | helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}" 27 | app: {{ template "consul.name" . }} 28 | chart: {{ template "consul.chart" . }} 29 | release: {{ .Release.Name }} 30 | component: license 31 | spec: 32 | restartPolicy: Never 33 | serviceAccountName: {{ template "consul.fullname" . }}-enterprise-license 34 | containers: 35 | - name: apply-enterprise-license 36 | image: "{{ default .Values.global.image .Values.server.image }}" 37 | env: 38 | - name: ENTERPRISE_LICENSE 39 | valueFrom: 40 | secretKeyRef: 41 | name: {{ .Values.server.enterpriseLicense.secretName }} 42 | key: {{ .Values.server.enterpriseLicense.secretKey }} 43 | - name: CONSUL_HTTP_ADDR 44 | value: http://{{ template "consul.fullname" . 
}}-server:8500 45 | {{- if .Values.global.bootstrapACLs }} 46 | - name: CONSUL_HTTP_TOKEN 47 | valueFrom: 48 | secretKeyRef: 49 | name: "{{ .Release.Name }}-consul-enterprise-license-acl-token" 50 | key: "token" 51 | {{- end}} 52 | command: 53 | - "/bin/sh" 54 | - "-ec" 55 | - | 56 | consul license put "${ENTERPRISE_LICENSE}" 57 | {{- if .Values.global.bootstrapACLs }} 58 | initContainers: 59 | - name: ent-license-acl-init 60 | image: {{ .Values.global.imageK8S }} 61 | command: 62 | - "/bin/sh" 63 | - "-ec" 64 | - | 65 | consul-k8s acl-init \ 66 | -secret-name="{{ .Release.Name }}-consul-enterprise-license-acl-token" \ 67 | -k8s-namespace={{ .Release.Namespace }} \ 68 | -init-type="sync" 69 | {{- end }} 70 | {{- end }} 71 | {{- end }} 72 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/templates/server-acl-init-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} 2 | {{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} 3 | {{- if .Values.global.bootstrapACLs }} 4 | apiVersion: rbac.authorization.k8s.io/v1 5 | kind: ClusterRole 6 | metadata: 7 | name: {{ template "consul.fullname" . }}-server-acl-init 8 | labels: 9 | app: {{ template "consul.name" . }} 10 | chart: {{ template "consul.chart" . 
}} 11 | heritage: {{ .Release.Service }} 12 | release: {{ .Release.Name }} 13 | rules: 14 | - apiGroups: [""] 15 | resources: 16 | - pods 17 | verbs: 18 | - list 19 | - apiGroups: [""] 20 | resources: 21 | - secrets 22 | verbs: 23 | - create 24 | - get 25 | {{- if .Values.connectInject.enabled }} 26 | - apiGroups: [""] 27 | resources: 28 | - serviceaccounts 29 | verbs: 30 | - get 31 | - apiGroups: [""] 32 | resources: 33 | - services 34 | verbs: 35 | - get 36 | {{- end }} 37 | {{- end }} 38 | {{- end }} 39 | {{- end }} -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/templates/server-acl-init-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} 2 | {{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} 3 | {{- if .Values.global.bootstrapACLs }} 4 | apiVersion: rbac.authorization.k8s.io/v1 5 | kind: ClusterRoleBinding 6 | metadata: 7 | name: {{ template "consul.fullname" . }}-server-acl-init 8 | labels: 9 | app: {{ template "consul.name" . }} 10 | chart: {{ template "consul.chart" . }} 11 | heritage: {{ .Release.Service }} 12 | release: {{ .Release.Name }} 13 | roleRef: 14 | apiGroup: rbac.authorization.k8s.io 15 | kind: ClusterRole 16 | name: {{ template "consul.fullname" . }}-server-acl-init 17 | subjects: 18 | - kind: ServiceAccount 19 | name: {{ template "consul.fullname" . 
}}-server-acl-init 20 | namespace: {{ .Release.Namespace }} 21 | {{- end }} 22 | {{- end }} 23 | {{- end }} -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/templates/server-acl-init-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} 2 | {{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} 3 | {{- if .Values.global.bootstrapACLs }} 4 | apiVersion: v1 5 | kind: ServiceAccount 6 | metadata: 7 | name: {{ template "consul.fullname" . }}-server-acl-init 8 | namespace: {{ .Release.Namespace }} 9 | labels: 10 | app: {{ template "consul.name" . }} 11 | chart: {{ template "consul.chart" . }} 12 | heritage: {{ .Release.Service }} 13 | release: {{ .Release.Name }} 14 | {{- end }} 15 | {{- end }} 16 | {{- end }} -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/templates/server-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: {{ template "consul.fullname" . }}-server 6 | labels: 7 | app: {{ template "consul.name" . }} 8 | chart: {{ template "consul.chart" . 
}} 9 | heritage: {{ .Release.Service }} 10 | release: {{ .Release.Name }} 11 | {{- if (or .Values.global.enablePodSecurityPolicies .Values.global.bootstrapACLs) }} 12 | rules: 13 | {{- end }} 14 | {{- if .Values.global.enablePodSecurityPolicies }} 15 | - apiGroups: ["policy"] 16 | resources: ["podsecuritypolicies"] 17 | resourceNames: 18 | - {{ template "consul.fullname" . }}-server 19 | verbs: 20 | - use 21 | {{- end }} 22 | {{- if .Values.global.bootstrapACLs }} 23 | - apiGroups: [""] 24 | resources: 25 | - secrets 26 | resourceNames: 27 | - {{ .Release.Name }}-consul-client-acl-token 28 | verbs: 29 | - get 30 | {{- end }} 31 | {{- end }} 32 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/templates/server-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: {{ template "consul.fullname" . }}-server 6 | labels: 7 | app: {{ template "consul.name" . }} 8 | chart: {{ template "consul.chart" . }} 9 | heritage: {{ .Release.Service }} 10 | release: {{ .Release.Name }} 11 | roleRef: 12 | apiGroup: rbac.authorization.k8s.io 13 | kind: ClusterRole 14 | name: {{ template "consul.fullname" . }}-server 15 | subjects: 16 | - kind: ServiceAccount 17 | name: {{ template "consul.fullname" . }}-server 18 | namespace: {{ .Release.Namespace }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/templates/server-config-configmap.yaml: -------------------------------------------------------------------------------- 1 | # ConfigMap holding the configuration for the Consul server cluster.
2 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} 3 | apiVersion: v1 4 | kind: ConfigMap 5 | metadata: 6 | name: {{ template "consul.fullname" . }}-server-config 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | app: {{ template "consul.name" . }} 10 | chart: {{ template "consul.chart" . }} 11 | heritage: {{ .Release.Service }} 12 | release: {{ .Release.Name }} 13 | data: 14 | extra-from-values.json: |- 15 | {{ tpl .Values.server.extraConfig . | trimAll "\"" | indent 4 }} 16 | {{- if .Values.global.bootstrapACLs }} 17 | acl-config.json: |- 18 | { 19 | "acl": { 20 | "enabled": true, 21 | "default_policy": "deny", 22 | "down_policy": "extend-cache", 23 | "enable_token_persistence": true 24 | } 25 | } 26 | {{- end }} 27 | {{- if (and .Values.connectInject.enabled .Values.connectInject.centralConfig.enabled) }} 28 | central-config.json: |- 29 | { 30 | "enable_central_service_config": true 31 | } 32 | {{- if gt (len .Values.connectInject.centralConfig.proxyDefaults) 3 }} 33 | proxy-defaults-config.json: |- 34 | { 35 | "config_entries": { 36 | "bootstrap": [ 37 | { 38 | "kind": "proxy-defaults", 39 | "name": "global", 40 | "config": 41 | {{ tpl .Values.connectInject.centralConfig.proxyDefaults . | trimAll "\"" | indent 14 }} 42 | } 43 | ] 44 | } 45 | } 46 | {{- end }} 47 | {{- end }} 48 | {{- end }} 49 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/templates/server-disruptionbudget.yaml: -------------------------------------------------------------------------------- 1 | # PodDisruptionBudget to prevent degrading the server cluster through 2 | # voluntary cluster changes. 
3 | {{- if (and .Values.server.disruptionBudget.enabled (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} 4 | apiVersion: policy/v1beta1 5 | kind: PodDisruptionBudget 6 | metadata: 7 | name: {{ template "consul.fullname" . }}-server 8 | namespace: {{ .Release.Namespace }} 9 | labels: 10 | app: {{ template "consul.name" . }} 11 | chart: {{ template "consul.chart" . }} 12 | heritage: {{ .Release.Service }} 13 | release: {{ .Release.Name }} 14 | spec: 15 | maxUnavailable: {{ template "consul.pdb.maxUnavailable" . }} 16 | selector: 17 | matchLabels: 18 | app: {{ template "consul.name" . }} 19 | release: "{{ .Release.Name }}" 20 | component: server 21 | {{- end }} 22 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/templates/server-podsecuritypolicy.yaml: -------------------------------------------------------------------------------- 1 | {{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} 2 | apiVersion: policy/v1beta1 3 | kind: PodSecurityPolicy 4 | metadata: 5 | name: {{ template "consul.fullname" . }}-server 6 | labels: 7 | app: {{ template "consul.name" . }} 8 | chart: {{ template "consul.chart" . }} 9 | heritage: {{ .Release.Service }} 10 | release: {{ .Release.Name }} 11 | spec: 12 | privileged: false 13 | # Required to prevent escalations to root. 14 | allowPrivilegeEscalation: false 15 | # This is redundant with non-root + disallow privilege escalation, 16 | # but we can provide it for defense in depth. 17 | requiredDropCapabilities: 18 | - ALL 19 | # Allow core volume types. 
20 | volumes: 21 | - 'configMap' 22 | - 'emptyDir' 23 | - 'projected' 24 | - 'secret' 25 | - 'downwardAPI' 26 | - 'persistentVolumeClaim' 27 | hostNetwork: false 28 | hostIPC: false 29 | hostPID: false 30 | runAsUser: 31 | # Intended to require the container to run without root privileges, but 'RunAsAny' does not enforce that; 'MustRunAsNonRoot' would. 32 | rule: 'RunAsAny' 33 | seLinux: 34 | rule: 'RunAsAny' 35 | supplementalGroups: 36 | rule: 'RunAsAny' 37 | fsGroup: 38 | rule: 'RunAsAny' 39 | readOnlyRootFilesystem: false 40 | {{- end }} 41 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/templates/server-service.yaml: -------------------------------------------------------------------------------- 1 | # Headless service for Consul server DNS entries. This service should only 2 | # point to Consul servers. For access to an agent, one should assume that 3 | # the agent is installed locally on the node and the NODE_IP should be used. 4 | # If the node can't run a Consul agent, then this service can be used to 5 | # communicate directly to a server agent. 6 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} 7 | apiVersion: v1 8 | kind: Service 9 | metadata: 10 | name: {{ template "consul.fullname" . }}-server 11 | namespace: {{ .Release.Namespace }} 12 | labels: 13 | app: {{ template "consul.name" . }} 14 | chart: {{ template "consul.chart" . }} 15 | heritage: {{ .Release.Service }} 16 | release: {{ .Release.Name }} 17 | annotations: 18 | # This must be set in addition to publishNotReadyAddresses due 19 | # to an open issue where it may not work: 20 | # https://github.com/kubernetes/kubernetes/issues/58662 21 | service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" 22 | spec: 23 | clusterIP: None 24 | # We want the servers to become available even if they're not ready 25 | # since this DNS is also used for join operations.
26 | publishNotReadyAddresses: true 27 | ports: 28 | - name: http 29 | port: 8500 30 | targetPort: 8500 31 | - name: serflan-tcp 32 | protocol: "TCP" 33 | port: 8301 34 | targetPort: 8301 35 | - name: serflan-udp 36 | protocol: "UDP" 37 | port: 8301 38 | targetPort: 8301 39 | - name: serfwan-tcp 40 | protocol: "TCP" 41 | port: 8302 42 | targetPort: 8302 43 | - name: serfwan-udp 44 | protocol: "UDP" 45 | port: 8302 46 | targetPort: 8302 47 | - name: server 48 | port: 8300 49 | targetPort: 8300 50 | - name: dns-tcp 51 | protocol: "TCP" 52 | port: 8600 53 | targetPort: dns-tcp 54 | - name: dns-udp 55 | protocol: "UDP" 56 | port: 8600 57 | targetPort: dns-udp 58 | selector: 59 | app: {{ template "consul.name" . }} 60 | release: "{{ .Release.Name }}" 61 | component: server 62 | {{- end }} 63 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/templates/server-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ template "consul.fullname" . }}-server 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app: {{ template "consul.name" . }} 9 | chart: {{ template "consul.chart" . 
}} 10 | heritage: {{ .Release.Service }} 11 | release: {{ .Release.Name }} 12 | {{- end }} 13 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/templates/sync-catalog-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} 2 | {{- if $syncEnabled }} 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: ClusterRole 5 | metadata: 6 | name: {{ template "consul.fullname" . }}-sync-catalog 7 | labels: 8 | app: {{ template "consul.name" . }} 9 | chart: {{ template "consul.chart" . }} 10 | heritage: {{ .Release.Service }} 11 | release: {{ .Release.Name }} 12 | rules: 13 | - apiGroups: [""] 14 | resources: 15 | - services 16 | - endpoints 17 | verbs: 18 | - get 19 | - list 20 | - watch 21 | - update 22 | - patch 23 | - delete 24 | - create 25 | - apiGroups: [""] 26 | resources: 27 | - nodes 28 | verbs: 29 | - get 30 | {{- if .Values.global.bootstrapACLs }} 31 | - apiGroups: [""] 32 | resources: 33 | - secrets 34 | resourceNames: 35 | - {{ .Release.Name }}-consul-catalog-sync-acl-token 36 | verbs: 37 | - get 38 | {{- end }} 39 | {{- if .Values.global.enablePodSecurityPolicies }} 40 | - apiGroups: ["policy"] 41 | resources: ["podsecuritypolicies"] 42 | verbs: 43 | - use 44 | resourceNames: 45 | - {{ template "consul.fullname" . 
}}-sync-catalog 46 | {{- end }} 47 | {{- end }} 48 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/templates/sync-catalog-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} 2 | {{- if $syncEnabled }} 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: ClusterRoleBinding 5 | metadata: 6 | name: {{ template "consul.fullname" . }}-sync-catalog 7 | labels: 8 | app: {{ template "consul.name" . }} 9 | chart: {{ template "consul.chart" . }} 10 | heritage: {{ .Release.Service }} 11 | release: {{ .Release.Name }} 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: ClusterRole 15 | name: {{ template "consul.fullname" . }}-sync-catalog 16 | subjects: 17 | - kind: ServiceAccount 18 | name: {{ template "consul.fullname" . }}-sync-catalog 19 | namespace: {{ .Release.Namespace }} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/templates/sync-catalog-podsecuritypolicy.yaml: -------------------------------------------------------------------------------- 1 | {{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled))) }} 2 | apiVersion: policy/v1beta1 3 | kind: PodSecurityPolicy 4 | metadata: 5 | name: {{ template "consul.fullname" . }}-sync-catalog 6 | labels: 7 | app: {{ template "consul.name" . }} 8 | chart: {{ template "consul.chart" . }} 9 | heritage: {{ .Release.Service }} 10 | release: {{ .Release.Name }} 11 | spec: 12 | privileged: false 13 | # Required to prevent escalations to root. 
14 | allowPrivilegeEscalation: false 15 | # This is redundant with non-root + disallow privilege escalation, 16 | # but we can provide it for defense in depth. 17 | requiredDropCapabilities: 18 | - ALL 19 | # Allow core volume types. 20 | volumes: 21 | - 'configMap' 22 | - 'emptyDir' 23 | - 'projected' 24 | - 'secret' 25 | - 'downwardAPI' 26 | hostNetwork: false 27 | hostIPC: false 28 | hostPID: false 29 | runAsUser: 30 | # Intended to require the container to run without root privileges, but 'RunAsAny' does not enforce that; 'MustRunAsNonRoot' would. 31 | rule: 'RunAsAny' 32 | seLinux: 33 | rule: 'RunAsAny' 34 | supplementalGroups: 35 | rule: 'RunAsAny' 36 | fsGroup: 37 | rule: 'RunAsAny' 38 | readOnlyRootFilesystem: false 39 | {{- end }} 40 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/templates/sync-catalog-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} 2 | {{- if $syncEnabled }} 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | name: {{ template "consul.fullname" . }}-sync-catalog 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | app: {{ template "consul.name" . }} 10 | chart: {{ template "consul.chart" . }} 11 | heritage: {{ .Release.Service }} 12 | release: {{ .Release.Name }} 13 | {{- end }} 14 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/templates/tests/test-runner.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: "{{ template "consul.fullname" . }}-test-{{ randAlphaNum 5 | lower }}" 5 | labels: 6 | app: {{ template "consul.name" . }} 7 | chart: {{ template "consul.chart" .
}} 8 | heritage: {{ .Release.Service }} 9 | release: {{ .Release.Name }} 10 | annotations: 11 | "helm.sh/hook": test-success 12 | spec: 13 | containers: 14 | - name: consul-test 15 | image: "{{ .Values.global.image }}" 16 | env: 17 | - name: HOST_IP 18 | valueFrom: 19 | fieldRef: 20 | fieldPath: status.hostIP 21 | - name: CONSUL_HTTP_TOKEN 22 | valueFrom: 23 | secretKeyRef: 24 | name: {{ .Release.Name }}-consul-bootstrap-acl-token 25 | key: token 26 | command: 27 | - "/bin/sh" 28 | - "-ec" 29 | - | 30 | export VALUE="{{randAlphaNum 24 | lower }}" 31 | export CONSUL_HTTP_ADDR="${HOST_IP}:8500" 32 | consul kv delete _consul_helm_test 33 | consul kv put _consul_helm_test $VALUE 34 | [ `consul kv get _consul_helm_test` = "$VALUE" ] 35 | consul kv delete _consul_helm_test 36 | restartPolicy: Never 37 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/templates/ui-service.yaml: -------------------------------------------------------------------------------- 1 | # UI Service for Consul Server 2 | {{- if (and (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.enabled | toString) "-") .Values.ui.enabled) (and (eq (.Values.ui.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.service.enabled | toString) "-") .Values.ui.service.enabled) (and (eq (.Values.ui.service.enabled | toString) "-") .Values.global.enabled))) }} 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | name: {{ template "consul.fullname" . }}-ui 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | app: {{ template "consul.name" . }} 10 | chart: {{ template "consul.chart" . }} 11 | heritage: {{ .Release.Service }} 12 | release: {{ .Release.Name }} 13 | {{- if .Values.ui.service.annotations }} 14 | annotations: 15 | {{ tpl .Values.ui.service.annotations . 
| nindent 4 | trim }} 16 | {{- end }} 17 | spec: 18 | selector: 19 | app: {{ template "consul.name" . }} 20 | release: "{{ .Release.Name }}" 21 | component: server 22 | ports: 23 | - name: http 24 | port: 80 25 | targetPort: 8500 26 | {{- if .Values.ui.service.type }} 27 | type: {{ .Values.ui.service.type }} 28 | {{- end }} 29 | {{- if .Values.ui.service.additionalSpec }} 30 | {{ tpl .Values.ui.service.additionalSpec . | nindent 2 | trim }} 31 | {{- end }} 32 | {{- end }} 33 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/test/acceptance/_helpers.bash: -------------------------------------------------------------------------------- 1 | # name_prefix returns the prefix of the resources within Kubernetes. 2 | name_prefix() { 3 | printf "consul" 4 | } 5 | 6 | # helm_install installs the Consul chart. This will source overridable 7 | # values from the "values.yaml" file in this directory. This can be set 8 | # by CI or other environments to do test-specific overrides. Note that it's 9 | # easy to break tests this way, so be careful. 10 | helm_install() { 11 | local values="${BATS_TEST_DIRNAME}/values.yaml" 12 | if [ ! -f "${values}" ]; then 13 | touch $values 14 | fi 15 | 16 | helm install -f ${values} \ 17 | --name consul \ 18 | --wait \ 19 | ${BATS_TEST_DIRNAME}/../.. 20 | } 21 | 22 | # helm_delete deletes the Consul chart and all resources. 23 | helm_delete() { 24 | helm delete --purge consul 25 | kubectl delete --all pvc 26 | } 27 | 28 | # wait_for_ready waits for the named pod to become ready. 29 | wait_for_ready() { 30 | POD_NAME=$1 31 | 32 | check() { 33 | # This requests the pod and checks whether the status is running 34 | # and the ready state is true. If so, it outputs the name. Otherwise 35 | # it outputs nothing. Therefore, to check for success, check for nonzero 36 | # string length. 
37 | kubectl get pods $1 -o json | \ 38 | jq -r 'select( 39 | .status.phase == "Running" and 40 | ([ .status.conditions[] | select(.type == "Ready" and .status == "True") ] | length) == 1 41 | ) | .metadata.namespace + "/" + .metadata.name' 42 | } 43 | 44 | for i in $(seq 30); do 45 | if [ -n "$(check ${POD_NAME})" ]; then 46 | echo "${POD_NAME} is ready." 47 | return 48 | fi 49 | 50 | echo "Waiting for ${POD_NAME} to be ready..." 51 | sleep 2 52 | done 53 | 54 | echo "${POD_NAME} never became ready." 55 | exit 1 56 | } 57 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/test/acceptance/server.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "server: default, comes up healthy" { 6 | helm_install 7 | wait_for_ready $(name_prefix)-consul-server-0 8 | 9 | # Verify there are three servers 10 | local server_count=$(kubectl exec "$(name_prefix)-consul-server-0" consul members | 11 | grep server | 12 | wc -l) 13 | [ "${server_count}" -eq "3" ] 14 | 15 | # Clean up 16 | helm_delete 17 | } 18 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/test/docker/Test.dockerfile: -------------------------------------------------------------------------------- 1 | # This Dockerfile installs all the dependencies necessary to run the unit and 2 | # acceptance tests. This image also contains gcloud so you can run tests 3 | # against a GKE cluster easily. 4 | # 5 | # This image has no automatic entrypoint. It is expected that you'll run 6 | # a script to configure kubectl, potentially install Helm, and run the tests 7 | # manually. This image only has the dependencies pre-installed. 
8 | 9 | FROM alpine:latest 10 | WORKDIR /root 11 | 12 | ENV BATS_VERSION "1.1.0" 13 | 14 | # base packages 15 | RUN apk update && apk add --no-cache --virtual .build-deps \ 16 | ca-certificates \ 17 | curl \ 18 | tar \ 19 | bash \ 20 | openssl \ 21 | python \ 22 | py-pip \ 23 | git \ 24 | jq 25 | 26 | # yq 27 | RUN pip install yq 28 | 29 | # gcloud 30 | RUN curl -OL https://dl.google.com/dl/cloudsdk/channels/rapid/install_google_cloud_sdk.bash && \ 31 | bash install_google_cloud_sdk.bash --disable-prompts --install-dir='/root/' && \ 32 | ln -s /root/google-cloud-sdk/bin/gcloud /usr/local/bin/gcloud 33 | 34 | # kubectl 35 | RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl && \ 36 | chmod +x ./kubectl && \ 37 | mv ./kubectl /usr/local/bin/kubectl 38 | 39 | # helm 40 | RUN curl https://raw.githubusercontent.com/kubernetes/helm/master/scripts/get | bash 41 | 42 | # bats 43 | RUN curl -sSL https://github.com/bats-core/bats-core/archive/v${BATS_VERSION}.tar.gz -o /tmp/bats.tgz \ 44 | && tar -zxf /tmp/bats.tgz -C /tmp \ 45 | && /bin/bash /tmp/bats-core-$BATS_VERSION/install.sh /usr/local 46 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/test/terraform/main.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | service_account_path = "${path.module}/service-account.yaml" 3 | } 4 | 5 | provider "google" { 6 | project = "${var.project}" 7 | } 8 | 9 | resource "random_id" "suffix" { 10 | byte_length = 4 11 | } 12 | 13 | data "google_container_engine_versions" "main" { 14 | zone = "${var.zone}" 15 | } 16 | 17 | resource "google_container_cluster" "cluster" { 18 | name = "consul-k8s-${random_id.suffix.dec}" 19 | project = "${var.project}" 20 | enable_legacy_abac = true 21 | initial_node_count = 5 22 | zone = "${var.zone}" 23 | 
min_master_version = "${data.google_container_engine_versions.main.latest_master_version}" 24 | node_version = "${data.google_container_engine_versions.main.latest_node_version}" 25 | } 26 | 27 | resource "null_resource" "kubectl" { 28 | count = "${var.init_cli ? 1 : 0 }" 29 | 30 | triggers { 31 | cluster = "${google_container_cluster.cluster.id}" 32 | } 33 | 34 | # On creation, we want to setup the kubectl credentials. The easiest way 35 | # to do this is to shell out to gcloud. 36 | provisioner "local-exec" { 37 | command = "gcloud container clusters get-credentials --zone=${var.zone} ${google_container_cluster.cluster.name}" 38 | } 39 | 40 | # On destroy we want to try to clean up the kubectl credentials. This 41 | # might fail if the credentials are already cleaned up or something so we 42 | # want this to continue on failure. Generally, this works just fine since 43 | # it only operates on local data. 44 | provisioner "local-exec" { 45 | when = "destroy" 46 | on_failure = "continue" 47 | command = "kubectl config get-clusters | grep ${google_container_cluster.cluster.name} | xargs -n1 kubectl config delete-cluster" 48 | } 49 | 50 | provisioner "local-exec" { 51 | when = "destroy" 52 | on_failure = "continue" 53 | command = "kubectl config get-contexts | grep ${google_container_cluster.cluster.name} | xargs -n1 kubectl config delete-context" 54 | } 55 | } 56 | 57 | resource "null_resource" "helm" { 58 | count = "${var.init_cli ? 1 : 0 }" 59 | depends_on = ["null_resource.kubectl"] 60 | 61 | triggers { 62 | cluster = "${google_container_cluster.cluster.id}" 63 | } 64 | 65 | provisioner "local-exec" { 66 | command = < 0' | tee /dev/stderr) 11 | [ "${actual}" = "true" ] 12 | } 13 | 14 | @test "client/ClusterRole: disabled with global.enabled=false" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/client-clusterrole.yaml \ 18 | --set 'global.enabled=false' \ 19 | . 
| tee /dev/stderr | 20 | yq 'length > 0' | tee /dev/stderr) 21 | [ "${actual}" = "false" ] 22 | } 23 | 24 | @test "client/ClusterRole: can be enabled with global.enabled=false" { 25 | cd `chart_dir` 26 | local actual=$(helm template \ 27 | -x templates/client-clusterrole.yaml \ 28 | --set 'global.enabled=false' \ 29 | --set 'client.enabled=true' \ 30 | . | tee /dev/stderr | 31 | yq -s 'length > 0' | tee /dev/stderr) 32 | [ "${actual}" = "true" ] 33 | } 34 | 35 | @test "client/ClusterRole: disabled with client.enabled=false" { 36 | cd `chart_dir` 37 | local actual=$(helm template \ 38 | -x templates/client-clusterrole.yaml \ 39 | --set 'client.enabled=false' \ 40 | . | tee /dev/stderr | 41 | yq 'length > 0' | tee /dev/stderr) 42 | [ "${actual}" = "false" ] 43 | } 44 | 45 | @test "client/ClusterRole: enabled with client.enabled=true" { 46 | cd `chart_dir` 47 | local actual=$(helm template \ 48 | -x templates/client-clusterrole.yaml \ 49 | --set 'client.enabled=true' \ 50 | . | tee /dev/stderr | 51 | yq 'length > 0' | tee /dev/stderr) 52 | [ "${actual}" = "true" ] 53 | } 54 | 55 | #-------------------------------------------------------------------- 56 | # global.enablePodSecurityPolicies 57 | 58 | @test "client/ClusterRole: allows podsecuritypolicies access with global.enablePodSecurityPolicies=true" { 59 | cd `chart_dir` 60 | local actual=$(helm template \ 61 | -x templates/client-clusterrole.yaml \ 62 | --set 'client.enabled=true' \ 63 | --set 'global.enablePodSecurityPolicies=true' \ 64 | . 
| tee /dev/stderr | 65 | yq -r '.rules[0].resources[0]' | tee /dev/stderr) 66 | [ "${actual}" = "podsecuritypolicies" ] 67 | } 68 | 69 | #-------------------------------------------------------------------- 70 | # global.bootstrapACLs 71 | 72 | @test "client/ClusterRole: allows secret access with global.bootsrapACLs=true" { 73 | cd `chart_dir` 74 | local actual=$(helm template \ 75 | -x templates/client-clusterrole.yaml \ 76 | --set 'client.enabled=true' \ 77 | --set 'global.bootstrapACLs=true' \ 78 | . | tee /dev/stderr | 79 | yq -r '.rules[0].resources[0]' | tee /dev/stderr) 80 | [ "${actual}" = "secrets" ] 81 | } 82 | 83 | @test "client/ClusterRole: allows secret access with global.bootsrapACLs=true and global.enablePodSecurityPolicies=true" { 84 | cd `chart_dir` 85 | local actual=$(helm template \ 86 | -x templates/client-clusterrole.yaml \ 87 | --set 'client.enabled=true' \ 88 | --set 'global.bootstrapACLs=true' \ 89 | --set 'global.enablePodSecurityPolicies=true' \ 90 | . | tee /dev/stderr | 91 | yq -r '.rules[1].resources[0]' | tee /dev/stderr) 92 | [ "${actual}" = "secrets" ] 93 | } 94 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/test/unit/client-clusterrolebinding.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "client/ClusterRoleBinding: enabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/client-clusterrolebinding.yaml \ 9 | . | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "true" ] 12 | } 13 | 14 | @test "client/ClusterRoleBinding: disabled with global.enabled=false" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/client-clusterrolebinding.yaml \ 18 | --set 'global.enabled=false' \ 19 | . 
| tee /dev/stderr | 20 | yq 'length > 0' | tee /dev/stderr) 21 | [ "${actual}" = "false" ] 22 | } 23 | 24 | @test "client/ClusterRoleBinding: disabled with client disabled" { 25 | cd `chart_dir` 26 | local actual=$(helm template \ 27 | -x templates/client-clusterrolebinding.yaml \ 28 | --set 'client.enabled=false' \ 29 | . | tee /dev/stderr | 30 | yq 'length > 0' | tee /dev/stderr) 31 | [ "${actual}" = "false" ] 32 | } 33 | 34 | @test "client/ClusterRoleBinding: enabled with client enabled" { 35 | cd `chart_dir` 36 | local actual=$(helm template \ 37 | -x templates/client-clusterrolebinding.yaml \ 38 | --set 'client.enabled=true' \ 39 | . | tee /dev/stderr | 40 | yq -s 'length > 0' | tee /dev/stderr) 41 | [ "${actual}" = "true" ] 42 | } 43 | 44 | @test "client/ClusterRoleBinding: enabled with client enabled and global.enabled=false" { 45 | cd `chart_dir` 46 | local actual=$(helm template \ 47 | -x templates/client-clusterrolebinding.yaml \ 48 | --set 'global.enabled=false' \ 49 | --set 'client.enabled=true' \ 50 | . | tee /dev/stderr | 51 | yq -s 'length > 0' | tee /dev/stderr) 52 | [ "${actual}" = "true" ] 53 | } -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/test/unit/client-configmap.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "client/ConfigMap: enabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/client-config-configmap.yaml \ 9 | . | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "true" ] 12 | } 13 | 14 | @test "client/ConfigMap: enable with global.enabled false" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/client-config-configmap.yaml \ 18 | --set 'global.enabled=false' \ 19 | --set 'client.enabled=true' \ 20 | . 
| tee /dev/stderr | 21 | yq 'length > 0' | tee /dev/stderr) 22 | [ "${actual}" = "true" ] 23 | } 24 | 25 | @test "client/ConfigMap: disable with client.enabled" { 26 | cd `chart_dir` 27 | local actual=$(helm template \ 28 | -x templates/client-config-configmap.yaml \ 29 | --set 'client.enabled=false' \ 30 | . | tee /dev/stderr | 31 | yq 'length > 0' | tee /dev/stderr) 32 | [ "${actual}" = "false" ] 33 | } 34 | 35 | @test "client/ConfigMap: disable with global.enabled" { 36 | cd `chart_dir` 37 | local actual=$(helm template \ 38 | -x templates/client-config-configmap.yaml \ 39 | --set 'global.enabled=false' \ 40 | . | tee /dev/stderr | 41 | yq 'length > 0' | tee /dev/stderr) 42 | [ "${actual}" = "false" ] 43 | } 44 | 45 | @test "client/ConfigMap: extraConfig is set" { 46 | cd `chart_dir` 47 | local actual=$(helm template \ 48 | -x templates/client-config-configmap.yaml \ 49 | --set 'client.extraConfig="{\"hello\": \"world\"}"' \ 50 | . | tee /dev/stderr | 51 | yq '.data["extra-from-values.json"] | match("world") | length' | tee /dev/stderr) 52 | [ ! -z "${actual}" ] 53 | } 54 | 55 | #-------------------------------------------------------------------- 56 | # connectInject.centralConfig 57 | 58 | @test "client/ConfigMap: centralConfig is disabled by default" { 59 | cd `chart_dir` 60 | local actual=$(helm template \ 61 | -x templates/client-config-configmap.yaml \ 62 | --set 'connectInject.enabled=true' \ 63 | . | tee /dev/stderr | 64 | yq '.data["central-config.json"] | length > 0' | tee /dev/stderr) 65 | [ "${actual}" = "false" ] 66 | } 67 | 68 | @test "client/ConfigMap: centralConfig can be enabled" { 69 | cd `chart_dir` 70 | local actual=$(helm template \ 71 | -x templates/client-config-configmap.yaml \ 72 | --set 'connectInject.enabled=true' \ 73 | --set 'connectInject.centralConfig.enabled=true' \ 74 | . 
| tee /dev/stderr | 75 | yq '.data["central-config.json"] | contains("enable_central_service_config")' | tee /dev/stderr) 76 | [ "${actual}" = "true" ] 77 | } 78 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/test/unit/client-podsecuritypolicy.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "client/PodSecurityPolicy: disabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/client-podsecuritypolicy.yaml \ 9 | . | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | } 13 | 14 | @test "client/PodSecurityPolicy: disabled with client disabled and global.enablePodSecurityPolicies=true" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/client-podsecuritypolicy.yaml \ 18 | --set 'client.enabled=false' \ 19 | --set 'global.enablePodSecurityPolicies=true' \ 20 | . | tee /dev/stderr | 21 | yq 'length > 0' | tee /dev/stderr) 22 | [ "${actual}" = "false" ] 23 | } 24 | 25 | @test "client/PodSecurityPolicy: enabled with global.enablePodSecurityPolicies=true" { 26 | cd `chart_dir` 27 | local actual=$(helm template \ 28 | -x templates/client-podsecuritypolicy.yaml \ 29 | --set 'global.enablePodSecurityPolicies=true' \ 30 | . | tee /dev/stderr | 31 | yq -s 'length > 0' | tee /dev/stderr) 32 | [ "${actual}" = "true" ] 33 | } 34 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/test/unit/client-serviceaccount.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "client/ServiceAccount: enabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/client-serviceaccount.yaml \ 9 | . 
| tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "true" ] 12 | } 13 | 14 | @test "client/ServiceAccount: disabled with global.enabled=false" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/client-serviceaccount.yaml \ 18 | --set 'global.enabled=false' \ 19 | . | tee /dev/stderr | 20 | yq 'length > 0' | tee /dev/stderr) 21 | [ "${actual}" = "false" ] 22 | } 23 | 24 | @test "client/ServiceAccount: disabled with client disabled" { 25 | cd `chart_dir` 26 | local actual=$(helm template \ 27 | -x templates/client-serviceaccount.yaml \ 28 | --set 'client.enabled=false' \ 29 | . | tee /dev/stderr | 30 | yq 'length > 0' | tee /dev/stderr) 31 | [ "${actual}" = "false" ] 32 | } 33 | 34 | @test "client/ServiceAccount: enabled with client enabled" { 35 | cd `chart_dir` 36 | local actual=$(helm template \ 37 | -x templates/client-serviceaccount.yaml \ 38 | --set 'client.enabled=true' \ 39 | . | tee /dev/stderr | 40 | yq 'length > 0' | tee /dev/stderr) 41 | [ "${actual}" = "true" ] 42 | } 43 | 44 | @test "client/ServiceAccount: enabled with client enabled and global.enabled=false" { 45 | cd `chart_dir` 46 | local actual=$(helm template \ 47 | -x templates/client-serviceaccount.yaml \ 48 | --set 'global.enabled=false' \ 49 | --set 'client.enabled=true' \ 50 | . | tee /dev/stderr | 51 | yq -s 'length > 0' | tee /dev/stderr) 52 | [ "${actual}" = "true" ] 53 | } -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/test/unit/connect-inject-authmethod-clusterrole.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "connectInjectAuthMethod/ClusterRole: disabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/connect-inject-authmethod-clusterrole.yaml \ 9 | . 
| tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | } 13 | 14 | @test "connectInjectAuthMethod/ClusterRole: enabled with global.enabled false" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/connect-inject-authmethod-clusterrole.yaml \ 18 | --set 'global.enabled=false' \ 19 | --set 'connectInject.enabled=true' \ 20 | --set 'global.bootstrapACLs=true' \ 21 | . | tee /dev/stderr | 22 | yq -s 'length > 0' | tee /dev/stderr) 23 | [ "${actual}" = "true" ] 24 | } 25 | 26 | @test "connectInjectAuthMethod/ClusterRole: disabled with connectInject.enabled" { 27 | cd `chart_dir` 28 | local actual=$(helm template \ 29 | -x templates/connect-inject-authmethod-clusterrole.yaml \ 30 | --set 'connectInject.enabled=true' \ 31 | . | tee /dev/stderr | 32 | yq 'length > 0' | tee /dev/stderr) 33 | [ "${actual}" = "false" ] 34 | } 35 | 36 | @test "connectInjectAuthMethod/ClusterRole: enabled with global.bootstrapACLs.enabled=true" { 37 | cd `chart_dir` 38 | local actual=$(helm template \ 39 | -x templates/connect-inject-authmethod-clusterrole.yaml \ 40 | --set 'connectInject.enabled=true' \ 41 | --set 'global.bootstrapACLs=true' \ 42 | . | tee /dev/stderr | 43 | yq -s 'length > 0' | tee /dev/stderr) 44 | [ "${actual}" = "true" ] 45 | } 46 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/test/unit/connect-inject-authmethod-clusterrolebinding.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "connectInjectAuthMethod/ClusterRoleBinding: disabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/connect-inject-authmethod-clusterrolebinding.yaml \ 9 | . 
| tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | } 13 | 14 | @test "connectInjectAuthMethod/ClusterRoleBinding: enabled with global.enabled false" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/connect-inject-authmethod-clusterrolebinding.yaml \ 18 | --set 'global.enabled=false' \ 19 | --set 'connectInject.enabled=true' \ 20 | --set 'global.bootstrapACLs=true' \ 21 | . | tee /dev/stderr | 22 | yq -s 'length > 0' | tee /dev/stderr) 23 | [ "${actual}" = "true" ] 24 | } 25 | 26 | @test "connectInjectAuthMethod/ClusterRoleBinding: disabled with connectInject.enabled" { 27 | cd `chart_dir` 28 | local actual=$(helm template \ 29 | -x templates/connect-inject-authmethod-clusterrolebinding.yaml \ 30 | --set 'connectInject.enabled=true' \ 31 | . | tee /dev/stderr | 32 | yq 'length > 0' | tee /dev/stderr) 33 | [ "${actual}" = "false" ] 34 | } 35 | 36 | @test "connectInjectAuthMethod/ClusterRoleBinding: enabled with global.bootstrapACLs.enabled=true" { 37 | cd `chart_dir` 38 | local actual=$(helm template \ 39 | -x templates/connect-inject-authmethod-clusterrolebinding.yaml \ 40 | --set 'connectInject.enabled=true' \ 41 | --set 'global.bootstrapACLs=true' \ 42 | . | tee /dev/stderr | 43 | yq -s 'length > 0' | tee /dev/stderr) 44 | [ "${actual}" = "true" ] 45 | } 46 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/test/unit/connect-inject-authmethod-serviceaccount.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "connectInjectAuthMethod/ServiceAccount: disabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/connect-inject-authmethod-serviceaccount.yaml \ 9 | . 
| tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | } 13 | 14 | @test "connectInjectAuthMethod/ServiceAccount: enabled with global.enabled false" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/connect-inject-authmethod-serviceaccount.yaml \ 18 | --set 'global.enabled=false' \ 19 | --set 'connectInject.enabled=true' \ 20 | --set 'global.bootstrapACLs=true' \ 21 | . | tee /dev/stderr | 22 | yq -s 'length > 0' | tee /dev/stderr) 23 | [ "${actual}" = "true" ] 24 | } 25 | 26 | @test "connectInjectAuthMethod/ServiceAccount: disabled with connectInject.enabled" { 27 | cd `chart_dir` 28 | local actual=$(helm template \ 29 | -x templates/connect-inject-authmethod-serviceaccount.yaml \ 30 | --set 'connectInject.enabled=true' \ 31 | . | tee /dev/stderr | 32 | yq 'length > 0' | tee /dev/stderr) 33 | [ "${actual}" = "false" ] 34 | } 35 | 36 | @test "connectInjectAuthMethod/ServiceAccount: enabled with global.bootstrapACLs.enabled=true" { 37 | cd `chart_dir` 38 | local actual=$(helm template \ 39 | -x templates/connect-inject-authmethod-serviceaccount.yaml \ 40 | --set 'connectInject.enabled=true' \ 41 | --set 'global.bootstrapACLs=true' \ 42 | . | tee /dev/stderr | 43 | yq -s 'length > 0' | tee /dev/stderr) 44 | [ "${actual}" = "true" ] 45 | } 46 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/test/unit/connect-inject-clusterrole.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "connectInject/ClusterRole: disabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/connect-inject-clusterrole.yaml \ 9 | . 
| tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | } 13 | 14 | @test "connectInject/ClusterRole: enabled with global.enabled false" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/connect-inject-clusterrole.yaml \ 18 | --set 'global.enabled=false' \ 19 | --set 'connectInject.enabled=true' \ 20 | . | tee /dev/stderr | 21 | yq -s 'length > 0' | tee /dev/stderr) 22 | [ "${actual}" = "true" ] 23 | } 24 | 25 | @test "connectInject/ClusterRole: disabled with connectInject.enabled" { 26 | cd `chart_dir` 27 | local actual=$(helm template \ 28 | -x templates/connect-inject-clusterrole.yaml \ 29 | --set 'connectInject.enabled=false' \ 30 | . | tee /dev/stderr | 31 | yq 'length > 0' | tee /dev/stderr) 32 | [ "${actual}" = "false" ] 33 | } 34 | 35 | @test "connectInject/ClusterRole: disabled with connectInject.certs.secretName set" { 36 | cd `chart_dir` 37 | local actual=$(helm template \ 38 | -x templates/connect-inject-clusterrole.yaml \ 39 | --set 'connectInject.enabled=true' \ 40 | --set 'connectInject.certs.secretName=foo' \ 41 | . | tee /dev/stderr | 42 | yq 'length > 0' | tee /dev/stderr) 43 | [ "${actual}" = "false" ] 44 | } 45 | 46 | @test "connectInject/ClusterRole: enabled with connectInject.certs.secretName not set" { 47 | cd `chart_dir` 48 | local actual=$(helm template \ 49 | -x templates/connect-inject-clusterrole.yaml \ 50 | --set 'connectInject.enabled=true' \ 51 | . 
| tee /dev/stderr | 52 | yq 'length > 0' | tee /dev/stderr) 53 | [ "${actual}" = "true" ] 54 | } 55 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/test/unit/connect-inject-clusterrolebinding.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "connectInject/ClusterRoleBinding: disabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/connect-inject-clusterrolebinding.yaml \ 9 | . | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | } 13 | 14 | @test "connectInject/ClusterRoleBinding: enabled with global.enabled false" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/connect-inject-clusterrolebinding.yaml \ 18 | --set 'global.enabled=false' \ 19 | --set 'connectInject.enabled=true' \ 20 | . | tee /dev/stderr | 21 | yq -s 'length > 0' | tee /dev/stderr) 22 | [ "${actual}" = "true" ] 23 | } 24 | 25 | @test "connectInject/ClusterRoleBinding: disabled with connectInject.enabled false" { 26 | cd `chart_dir` 27 | local actual=$(helm template \ 28 | -x templates/connect-inject-clusterrolebinding.yaml \ 29 | --set 'connectInject.enabled=false' \ 30 | . | tee /dev/stderr | 31 | yq 'length > 0' | tee /dev/stderr) 32 | [ "${actual}" = "false" ] 33 | } 34 | 35 | @test "connectInject/ClusterRoleBinding: disabled with connectInject.certs.secretName set" { 36 | cd `chart_dir` 37 | local actual=$(helm template \ 38 | -x templates/connect-inject-clusterrolebinding.yaml \ 39 | --set 'connectInject.enabled=true' \ 40 | --set 'connectInject.certs.secretName=foo' \ 41 | . 
| tee /dev/stderr | 42 | yq 'length > 0' | tee /dev/stderr) 43 | [ "${actual}" = "false" ] 44 | } 45 | 46 | @test "connectInject/ClusterRoleBinding: enabled with connectInject.certs.secretName not set" { 47 | cd `chart_dir` 48 | local actual=$(helm template \ 49 | -x templates/connect-inject-clusterrolebinding.yaml \ 50 | --set 'connectInject.enabled=true' \ 51 | . | tee /dev/stderr | 52 | yq 'length > 0' | tee /dev/stderr) 53 | [ "${actual}" = "true" ] 54 | } 55 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/test/unit/connect-inject-mutatingwebhook.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "connectInject/MutatingWebhookConfiguration: disabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/connect-inject-mutatingwebhook.yaml \ 9 | . | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | } 13 | 14 | @test "connectInject/MutatingWebhookConfiguration: enable with global.enabled false" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/connect-inject-mutatingwebhook.yaml \ 18 | --set 'global.enabled=false' \ 19 | --set 'connectInject.enabled=true' \ 20 | . | tee /dev/stderr | 21 | yq 'length > 0' | tee /dev/stderr) 22 | [ "${actual}" = "true" ] 23 | } 24 | 25 | @test "connectInject/MutatingWebhookConfiguration: disable with connectInject.enabled" { 26 | cd `chart_dir` 27 | local actual=$(helm template \ 28 | -x templates/connect-inject-mutatingwebhook.yaml \ 29 | --set 'connectInject.enabled=false' \ 30 | . 
| tee /dev/stderr | 31 | yq 'length > 0' | tee /dev/stderr) 32 | [ "${actual}" = "false" ] 33 | } 34 | 35 | @test "connectInject/MutatingWebhookConfiguration: disable with global.enabled" { 36 | cd `chart_dir` 37 | local actual=$(helm template \ 38 | -x templates/connect-inject-mutatingwebhook.yaml \ 39 | --set 'global.enabled=false' \ 40 | . | tee /dev/stderr | 41 | yq 'length > 0' | tee /dev/stderr) 42 | [ "${actual}" = "false" ] 43 | } 44 | 45 | @test "connectInject/MutatingWebhookConfiguration: namespace is set" { 46 | cd `chart_dir` 47 | local actual=$(helm template \ 48 | -x templates/connect-inject-mutatingwebhook.yaml \ 49 | --set 'connectInject.enabled=true' \ 50 | --namespace foo \ 51 | . | tee /dev/stderr | 52 | yq '.webhooks[0].clientConfig.service.namespace' | tee /dev/stderr) 53 | [ "${actual}" = "\"foo\"" ] 54 | } 55 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/test/unit/connect-inject-podsecuritypolicy.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "connectInject/PodSecurityPolicy: disabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/connect-inject-podsecuritypolicy.yaml \ 9 | . | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | } 13 | 14 | @test "connectInject/PodSecurityPolicy: disabled by default with connectInject enabled" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/connect-inject-podsecuritypolicy.yaml \ 18 | --set 'connectInject.enabled=true' \ 19 | . 
| tee /dev/stderr | 20 | yq 'length > 0' | tee /dev/stderr) 21 | [ "${actual}" = "false" ] 22 | } 23 | 24 | @test "connectInject/PodSecurityPolicy: disabled with connectInject disabled and global.enablePodSecurityPolicies=true" { 25 | cd `chart_dir` 26 | local actual=$(helm template \ 27 | -x templates/connect-inject-podsecuritypolicy.yaml \ 28 | --set 'connectInject.enabled=false' \ 29 | --set 'global.enablePodSecurityPolicies=true' \ 30 | . | tee /dev/stderr | 31 | yq 'length > 0' | tee /dev/stderr) 32 | [ "${actual}" = "false" ] 33 | } 34 | 35 | @test "connectInject/PodSecurityPolicy: enabled with connectInject enabled and global.enablePodSecurityPolicies=true" { 36 | cd `chart_dir` 37 | local actual=$(helm template \ 38 | -x templates/connect-inject-podsecuritypolicy.yaml \ 39 | --set 'connectInject.enabled=true' \ 40 | --set 'global.enablePodSecurityPolicies=true' \ 41 | . | tee /dev/stderr | 42 | yq -s 'length > 0' | tee /dev/stderr) 43 | [ "${actual}" = "true" ] 44 | } 45 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/test/unit/connect-inject-service.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "connectInject/Service: disabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/connect-inject-service.yaml \ 9 | . | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | } 13 | 14 | @test "connectInject/Service: enable with global.enabled false" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/connect-inject-service.yaml \ 18 | --set 'global.enabled=false' \ 19 | --set 'connectInject.enabled=true' \ 20 | . 
| tee /dev/stderr | 21 | yq 'length > 0' | tee /dev/stderr) 22 | [ "${actual}" = "true" ] 23 | } 24 | 25 | @test "connectInject/Service: disable with connectInject.enabled" { 26 | cd `chart_dir` 27 | local actual=$(helm template \ 28 | -x templates/connect-inject-service.yaml \ 29 | --set 'connectInject.enabled=false' \ 30 | . | tee /dev/stderr | 31 | yq 'length > 0' | tee /dev/stderr) 32 | [ "${actual}" = "false" ] 33 | } 34 | 35 | @test "connectInject/Service: disable with global.enabled" { 36 | cd `chart_dir` 37 | local actual=$(helm template \ 38 | -x templates/connect-inject-service.yaml \ 39 | --set 'global.enabled=false' \ 40 | . | tee /dev/stderr | 41 | yq 'length > 0' | tee /dev/stderr) 42 | [ "${actual}" = "false" ] 43 | } 44 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/test/unit/connect-inject-serviceaccount.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "connectInject/ServiceAccount: disabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/connect-inject-serviceaccount.yaml \ 9 | . | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | } 13 | 14 | @test "connectInject/ServiceAccount: enabled with global.enabled false" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/connect-inject-serviceaccount.yaml \ 18 | --set 'global.enabled=false' \ 19 | --set 'connectInject.enabled=true' \ 20 | . | tee /dev/stderr | 21 | yq -s 'length > 0' | tee /dev/stderr) 22 | [ "${actual}" = "true" ] 23 | } 24 | 25 | @test "connectInject/ServiceAccount: disabled with connectInject.enabled false" { 26 | cd `chart_dir` 27 | local actual=$(helm template \ 28 | -x templates/connect-inject-serviceaccount.yaml \ 29 | --set 'connectInject.enabled=false' \ 30 | . 
| tee /dev/stderr | 31 | yq 'length > 0' | tee /dev/stderr) 32 | [ "${actual}" = "false" ] 33 | } 34 | 35 | @test "connectInject/ServiceAccount: disabled with connectInject.certs.secretName set" { 36 | cd `chart_dir` 37 | local actual=$(helm template \ 38 | -x templates/connect-inject-serviceaccount.yaml \ 39 | --set 'connectInject.enabled=true' \ 40 | --set 'connectInject.certs.secretName=foo' \ 41 | . | tee /dev/stderr | 42 | yq 'length > 0' | tee /dev/stderr) 43 | [ "${actual}" = "false" ] 44 | } 45 | 46 | @test "connectInject/ServiceAccount: enabled with connectInject.certs.secretName not set" { 47 | cd `chart_dir` 48 | local actual=$(helm template \ 49 | -x templates/connect-inject-serviceaccount.yaml \ 50 | --set 'connectInject.enabled=true' \ 51 | . | tee /dev/stderr | 52 | yq 'length > 0' | tee /dev/stderr) 53 | [ "${actual}" = "true" ] 54 | } 55 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/test/unit/dns-service.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "dns/Service: enabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/dns-service.yaml \ 9 | . | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "true" ] 12 | } 13 | 14 | @test "dns/Service: enable with global.enabled false" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/dns-service.yaml \ 18 | --set 'global.enabled=false' \ 19 | --set 'dns.enabled=true' \ 20 | . | tee /dev/stderr | 21 | yq 'length > 0' | tee /dev/stderr) 22 | [ "${actual}" = "true" ] 23 | } 24 | 25 | @test "dns/Service: disable with dns.enabled" { 26 | cd `chart_dir` 27 | local actual=$(helm template \ 28 | -x templates/dns-service.yaml \ 29 | --set 'dns.enabled=false' \ 30 | . 
| tee /dev/stderr | 31 | yq 'length > 0' | tee /dev/stderr) 32 | [ "${actual}" = "false" ] 33 | } 34 | 35 | @test "dns/Service: disable with global.enabled" { 36 | cd `chart_dir` 37 | local actual=$(helm template \ 38 | -x templates/dns-service.yaml \ 39 | --set 'global.enabled=false' \ 40 | . | tee /dev/stderr | 41 | yq 'length > 0' | tee /dev/stderr) 42 | [ "${actual}" = "false" ] 43 | } 44 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/test/unit/enterprise-license-clusterrole.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "enterpriseLicense/ClusterRole: disabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/enterprise-license-clusterrole.yaml \ 9 | . | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | } 13 | 14 | @test "enterpriseLicense/ClusterRole: disabled with global.bootstrapACLs=true" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/enterprise-license-clusterrole.yaml \ 18 | --set 'global.bootstrapACLs=true' \ 19 | . | tee /dev/stderr | 20 | yq 'length > 0' | tee /dev/stderr) 21 | [ "${actual}" = "false" ] 22 | } 23 | 24 | @test "enterpriseLicense/ClusterRole: disabled with server=false, global.bootstrapACLs=true, ent secret defined" { 25 | cd `chart_dir` 26 | local actual=$(helm template \ 27 | -x templates/enterprise-license-clusterrole.yaml \ 28 | --set 'global.bootstrapACLs=true' \ 29 | --set 'server.enabled=false' \ 30 | --set 'server.enterpriseLicense.secretName=foo' \ 31 | --set 'server.enterpriseLicense.secretKey=bar' \ 32 | . 
| tee /dev/stderr | 33 | yq 'length > 0' | tee /dev/stderr) 34 | [ "${actual}" = "false" ] 35 | } 36 | 37 | @test "enterpriseLicense/ClusterRole: disabled with client=false, global.bootstrapACLs=true, ent secret defined" { 38 | cd `chart_dir` 39 | local actual=$(helm template \ 40 | -x templates/enterprise-license-clusterrole.yaml \ 41 | --set 'global.bootstrapACLs=true' \ 42 | --set 'client.enabled=false' \ 43 | --set 'server.enterpriseLicense.secretName=foo' \ 44 | --set 'server.enterpriseLicense.secretKey=bar' \ 45 | . | tee /dev/stderr | 46 | yq 'length > 0' | tee /dev/stderr) 47 | [ "${actual}" = "false" ] 48 | } 49 | 50 | @test "enterpriseLicense/ClusterRole: disabled when ent secretName missing" { 51 | cd `chart_dir` 52 | local actual=$(helm template \ 53 | -x templates/enterprise-license-clusterrole.yaml \ 54 | --set 'global.bootstrapACLs=true' \ 55 | --set 'server.enterpriseLicense.secretKey=bar' \ 56 | . | tee /dev/stderr | 57 | yq 'length > 0' | tee /dev/stderr) 58 | [ "${actual}" = "false" ] 59 | } 60 | 61 | @test "enterpriseLicense/ClusterRole: disabled when ent secretKey missing" { 62 | cd `chart_dir` 63 | local actual=$(helm template \ 64 | -x templates/enterprise-license-clusterrole.yaml \ 65 | --set 'global.bootstrapACLs=true' \ 66 | --set 'server.enterpriseLicense.secretName=foo' \ 67 | . | tee /dev/stderr | 68 | yq 'length > 0' | tee /dev/stderr) 69 | [ "${actual}" = "false" ] 70 | } 71 | 72 | @test "enterpriseLicense/ClusterRole: can be enabled" { 73 | cd `chart_dir` 74 | local actual=$(helm template \ 75 | -x templates/enterprise-license-clusterrole.yaml \ 76 | --set 'global.bootstrapACLs=true' \ 77 | --set 'server.enterpriseLicense.secretName=foo' \ 78 | --set 'server.enterpriseLicense.secretKey=bar' \ 79 | . 
| tee /dev/stderr | 80 | yq 'length > 0' | tee /dev/stderr) 81 | [ "${actual}" = "true" ] 82 | } 83 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/test/unit/enterprise-license-clusterrolebinding.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "enterpriseLicense/ClusterRoleBinding: disabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/enterprise-license-clusterrolebinding.yaml \ 9 | . | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | } 13 | 14 | @test "enterpriseLicense/ClusterRoleBinding: disabled with global.bootstrapACLs=true" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/enterprise-license-clusterrolebinding.yaml \ 18 | --set 'global.bootstrapACLs=true' \ 19 | . | tee /dev/stderr | 20 | yq 'length > 0' | tee /dev/stderr) 21 | [ "${actual}" = "false" ] 22 | } 23 | 24 | @test "enterpriseLicense/ClusterRoleBinding: disabled with server=false, global.bootstrapACLs=true, ent secret defined" { 25 | cd `chart_dir` 26 | local actual=$(helm template \ 27 | -x templates/enterprise-license-clusterrolebinding.yaml \ 28 | --set 'global.bootstrapACLs=true' \ 29 | --set 'server.enabled=false' \ 30 | --set 'server.enterpriseLicense.secretName=foo' \ 31 | --set 'server.enterpriseLicense.secretKey=bar' \ 32 | . 
| tee /dev/stderr | 33 | yq 'length > 0' | tee /dev/stderr) 34 | [ "${actual}" = "false" ] 35 | } 36 | 37 | @test "enterpriseLicense/ClusterRoleBinding: disabled with client=false, global.bootstrapACLs=true, ent secret defined" { 38 | cd `chart_dir` 39 | local actual=$(helm template \ 40 | -x templates/enterprise-license-clusterrolebinding.yaml \ 41 | --set 'global.bootstrapACLs=true' \ 42 | --set 'client.enabled=false' \ 43 | --set 'server.enterpriseLicense.secretName=foo' \ 44 | --set 'server.enterpriseLicense.secretKey=bar' \ 45 | . | tee /dev/stderr | 46 | yq 'length > 0' | tee /dev/stderr) 47 | [ "${actual}" = "false" ] 48 | } 49 | 50 | @test "enterpriseLicense/ClusterRoleBinding: disabled when ent secretName missing" { 51 | cd `chart_dir` 52 | local actual=$(helm template \ 53 | -x templates/enterprise-license-clusterrolebinding.yaml \ 54 | --set 'global.bootstrapACLs=true' \ 55 | --set 'server.enterpriseLicense.secretKey=bar' \ 56 | . | tee /dev/stderr | 57 | yq 'length > 0' | tee /dev/stderr) 58 | [ "${actual}" = "false" ] 59 | } 60 | 61 | @test "enterpriseLicense/ClusterRoleBinding: disabled when ent secretKey missing" { 62 | cd `chart_dir` 63 | local actual=$(helm template \ 64 | -x templates/enterprise-license-clusterrolebinding.yaml \ 65 | --set 'global.bootstrapACLs=true' \ 66 | --set 'server.enterpriseLicense.secretName=foo' \ 67 | . | tee /dev/stderr | 68 | yq 'length > 0' | tee /dev/stderr) 69 | [ "${actual}" = "false" ] 70 | } 71 | 72 | @test "enterpriseLicense/ClusterRoleBinding: can be enabled" { 73 | cd `chart_dir` 74 | local actual=$(helm template \ 75 | -x templates/enterprise-license-clusterrolebinding.yaml \ 76 | --set 'global.bootstrapACLs=true' \ 77 | --set 'server.enterpriseLicense.secretName=foo' \ 78 | --set 'server.enterpriseLicense.secretKey=bar' \ 79 | . 
| tee /dev/stderr | 80 | yq 'length > 0' | tee /dev/stderr) 81 | [ "${actual}" = "true" ] 82 | } 83 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/test/unit/enterprise-license-serviceaccount.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "enterpriseLicense/ServiceAccount: disabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/enterprise-license-serviceaccount.yaml \ 9 | . | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | } 13 | 14 | @test "enterpriseLicense/ServiceAccount: disabled with global.bootstrapACLs=true" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/enterprise-license-serviceaccount.yaml \ 18 | --set 'global.bootstrapACLs=true' \ 19 | . | tee /dev/stderr | 20 | yq 'length > 0' | tee /dev/stderr) 21 | [ "${actual}" = "false" ] 22 | } 23 | 24 | @test "enterpriseLicense/ServiceAccount: disabled with server=false, global.bootstrapACLs=true, ent secret defined" { 25 | cd `chart_dir` 26 | local actual=$(helm template \ 27 | -x templates/enterprise-license-serviceaccount.yaml \ 28 | --set 'global.bootstrapACLs=true' \ 29 | --set 'server.enabled=false' \ 30 | --set 'server.enterpriseLicense.secretName=foo' \ 31 | --set 'server.enterpriseLicense.secretKey=bar' \ 32 | . 
| tee /dev/stderr | 33 | yq 'length > 0' | tee /dev/stderr) 34 | [ "${actual}" = "false" ] 35 | } 36 | 37 | @test "enterpriseLicense/ServiceAccount: disabled with client=false, global.bootstrapACLs=true, ent secret defined" { 38 | cd `chart_dir` 39 | local actual=$(helm template \ 40 | -x templates/enterprise-license-serviceaccount.yaml \ 41 | --set 'global.bootstrapACLs=true' \ 42 | --set 'client.enabled=false' \ 43 | --set 'server.enterpriseLicense.secretName=foo' \ 44 | --set 'server.enterpriseLicense.secretKey=bar' \ 45 | . | tee /dev/stderr | 46 | yq 'length > 0' | tee /dev/stderr) 47 | [ "${actual}" = "false" ] 48 | } 49 | 50 | @test "enterpriseLicense/ServiceAccount: disabled when ent secretName missing" { 51 | cd `chart_dir` 52 | local actual=$(helm template \ 53 | -x templates/enterprise-license-serviceaccount.yaml \ 54 | --set 'global.bootstrapACLs=true' \ 55 | --set 'server.enterpriseLicense.secretKey=bar' \ 56 | . | tee /dev/stderr | 57 | yq 'length > 0' | tee /dev/stderr) 58 | [ "${actual}" = "false" ] 59 | } 60 | 61 | @test "enterpriseLicense/ServiceAccount: disabled when ent secretKey missing" { 62 | cd `chart_dir` 63 | local actual=$(helm template \ 64 | -x templates/enterprise-license-serviceaccount.yaml \ 65 | --set 'global.bootstrapACLs=true' \ 66 | --set 'server.enterpriseLicense.secretName=foo' \ 67 | . | tee /dev/stderr | 68 | yq 'length > 0' | tee /dev/stderr) 69 | [ "${actual}" = "false" ] 70 | } 71 | 72 | @test "enterpriseLicense/ServiceAccount: can be enabled" { 73 | cd `chart_dir` 74 | local actual=$(helm template \ 75 | -x templates/enterprise-license-serviceaccount.yaml \ 76 | --set 'global.bootstrapACLs=true' \ 77 | --set 'server.enterpriseLicense.secretName=foo' \ 78 | --set 'server.enterpriseLicense.secretKey=bar' \ 79 | . 
| tee /dev/stderr | 80 | yq 'length > 0' | tee /dev/stderr) 81 | [ "${actual}" = "true" ] 82 | } 83 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/test/unit/enterprise-license.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "server/EnterpriseLicense: disabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/enterprise-license.yaml \ 9 | . | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | } 13 | 14 | @test "server/EnterpriseLicense: disabled when servers are disabled" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/enterprise-license.yaml \ 18 | --set 'server.enabled=false' \ 19 | --set 'server.enterpriseLicense.secretName=foo' \ 20 | --set 'server.enterpriseLicense.secretKey=bar' \ 21 | . | tee /dev/stderr | 22 | yq 'length > 0' | tee /dev/stderr) 23 | [ "${actual}" = "false" ] 24 | } 25 | 26 | @test "server/EnterpriseLicense: disabled when secretName is missing" { 27 | cd `chart_dir` 28 | local actual=$(helm template \ 29 | -x templates/enterprise-license.yaml \ 30 | --set 'server.enterpriseLicense.secretKey=bar' \ 31 | . | tee /dev/stderr | 32 | yq 'length > 0' | tee /dev/stderr) 33 | [ "${actual}" = "false" ] 34 | } 35 | 36 | @test "server/EnterpriseLicense: disabled when secretKey is missing" { 37 | cd `chart_dir` 38 | local actual=$(helm template \ 39 | -x templates/enterprise-license.yaml \ 40 | --set 'server.enterpriseLicense.secretName=foo' \ 41 | . 
| tee /dev/stderr | 42 | yq 'length > 0' | tee /dev/stderr) 43 | [ "${actual}" = "false" ] 44 | } 45 | 46 | @test "server/EnterpriseLicense: enabled when secretName and secretKey is provided" { 47 | cd `chart_dir` 48 | local actual=$(helm template \ 49 | -x templates/enterprise-license.yaml \ 50 | --set 'server.enterpriseLicense.secretName=foo' \ 51 | --set 'server.enterpriseLicense.secretKey=bar' \ 52 | . | tee /dev/stderr | 53 | yq 'length > 0' | tee /dev/stderr) 54 | [ "${actual}" = "true" ] 55 | } 56 | 57 | #-------------------------------------------------------------------- 58 | # global.bootstrapACLs 59 | 60 | @test "server/EnterpriseLicense: CONSUL_HTTP_TOKEN env variable created when global.bootstrapACLs=true" { 61 | cd `chart_dir` 62 | local actual=$(helm template \ 63 | -x templates/enterprise-license.yaml \ 64 | --set 'server.enterpriseLicense.secretName=foo' \ 65 | --set 'server.enterpriseLicense.secretKey=bar' \ 66 | --set 'global.bootstrapACLs=true' \ 67 | . | tee /dev/stderr | 68 | yq '[.spec.template.spec.containers[0].env[].name] | any(contains("CONSUL_HTTP_TOKEN"))' | tee /dev/stderr) 69 | [ "${actual}" = "true" ] 70 | } 71 | 72 | @test "server/EnterpriseLicense: init container is created when global.bootstrapACLs=true" { 73 | cd `chart_dir` 74 | local object=$(helm template \ 75 | -x templates/enterprise-license.yaml \ 76 | --set 'server.enterpriseLicense.secretName=foo' \ 77 | --set 'server.enterpriseLicense.secretKey=bar' \ 78 | --set 'global.bootstrapACLs=true' \ 79 | . 
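| tee /dev/stderr |
      yq '.spec.template.spec.initContainers[0]' | tee /dev/stderr)

  # Quote the captured JSON before piping it on: an unquoted $object is
  # word-split and glob-expanded by the shell, so bracket or asterisk
  # characters inside the object could be replaced with file names from the
  # chart directory before yq ever sees them.
  local actual=$(echo "$object" |
      yq -r '.name' | tee /dev/stderr)
  [ "${actual}" = "ent-license-acl-init" ]

  # The init container's command must invoke the ACL bootstrap helper.
  local actual=$(echo "$object" |
      yq -r '.command | any(contains("consul-k8s acl-init"))' | tee /dev/stderr)
  [ "${actual}" = "true" ]
}
-------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/test/unit/server-acl-init-clusterrole.bats: --------------------------------------------------------------------------------
#!/usr/bin/env bats

load _helpers

# Each test below renders only the server-acl-init ClusterRole template and
# checks whether a manifest comes out at all: the ClusterRole is expected to
# exist only when global.bootstrapACLs=true AND both server and client are
# enabled. "false" is the expected value whenever the template renders no
# object.
@test "serverACLInit/ClusterRole: disabled by default" {
  cd `chart_dir`
  local actual=$(helm template \
      -x templates/server-acl-init-clusterrole.yaml \
      . | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "false" ]
}

@test "serverACLInit/ClusterRole: enabled with global.bootstrapACLs=true" {
  cd `chart_dir`
  local actual=$(helm template \
      -x templates/server-acl-init-clusterrole.yaml \
      --set 'global.bootstrapACLs=true' \
      . | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "true" ]
}

@test "serverACLInit/ClusterRole: disabled with server=false and global.bootstrapACLs=true" {
  cd `chart_dir`
  local actual=$(helm template \
      -x templates/server-acl-init-clusterrole.yaml \
      --set 'global.bootstrapACLs=true' \
      --set 'server.enabled=false' \
      . | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "false" ]
}

@test "serverACLInit/ClusterRole: disabled with client=false and global.bootstrapACLs=true" {
  cd `chart_dir`
  local actual=$(helm template \
      -x templates/server-acl-init-clusterrole.yaml \
      --set 'global.bootstrapACLs=true' \
      --set 'client.enabled=false' \
      .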
| tee /dev/stderr | 42 | yq 'length > 0' | tee /dev/stderr) 43 | [ "${actual}" = "false" ] 44 | } 45 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/test/unit/server-acl-init-clusterrolebinding.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "serverACLInit/ClusterRoleBinding: disabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/server-acl-init-clusterrolebinding.yaml \ 9 | . | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | } 13 | 14 | @test "serverACLInit/ClusterRoleBinding: enabled with global.bootstrapACLs=true" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/server-acl-init-clusterrolebinding.yaml \ 18 | --set 'global.bootstrapACLs=true' \ 19 | . | tee /dev/stderr | 20 | yq 'length > 0' | tee /dev/stderr) 21 | [ "${actual}" = "true" ] 22 | } 23 | 24 | @test "serverACLInit/ClusterRoleBinding: disabled with server=false and global.bootstrapACLs=true" { 25 | cd `chart_dir` 26 | local actual=$(helm template \ 27 | -x templates/server-acl-init-clusterrolebinding.yaml \ 28 | --set 'global.bootstrapACLs=true' \ 29 | --set 'server.enabled=false' \ 30 | . | tee /dev/stderr | 31 | yq 'length > 0' | tee /dev/stderr) 32 | [ "${actual}" = "false" ] 33 | } 34 | 35 | @test "serverACLInit/ClusterRoleBinding: disabled with client=false and global.bootstrapACLs=true" { 36 | cd `chart_dir` 37 | local actual=$(helm template \ 38 | -x templates/server-acl-init-clusterrolebinding.yaml \ 39 | --set 'global.bootstrapACLs=true' \ 40 | --set 'client.enabled=false' \ 41 | . 
| tee /dev/stderr | 42 | yq 'length > 0' | tee /dev/stderr) 43 | [ "${actual}" = "false" ] 44 | } 45 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/test/unit/server-acl-init-serviceaccount.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "serverACLInit/ServiceAccount: disabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/server-acl-init-serviceaccount.yaml \ 9 | . | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | } 13 | 14 | @test "serverACLInit/ServiceAccount: enabled with global.bootstrapACLs=true" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/server-acl-init-serviceaccount.yaml \ 18 | --set 'global.bootstrapACLs=true' \ 19 | . | tee /dev/stderr | 20 | yq 'length > 0' | tee /dev/stderr) 21 | [ "${actual}" = "true" ] 22 | } 23 | 24 | @test "serverACLInit/ServiceAccount: disabled with server=false and global.bootstrapACLs=true" { 25 | cd `chart_dir` 26 | local actual=$(helm template \ 27 | -x templates/server-acl-init-serviceaccount.yaml \ 28 | --set 'global.bootstrapACLs=true' \ 29 | --set 'server.enabled=false' \ 30 | . | tee /dev/stderr | 31 | yq 'length > 0' | tee /dev/stderr) 32 | [ "${actual}" = "false" ] 33 | } 34 | 35 | @test "serverACLInit/ServiceAccount: disabled with client=false and global.bootstrapACLs=true" { 36 | cd `chart_dir` 37 | local actual=$(helm template \ 38 | -x templates/server-acl-init-serviceaccount.yaml \ 39 | --set 'global.bootstrapACLs=true' \ 40 | --set 'client.enabled=false' \ 41 | . 
| tee /dev/stderr | 42 | yq 'length > 0' | tee /dev/stderr) 43 | [ "${actual}" = "false" ] 44 | } 45 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/test/unit/server-clusterrole.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "server/ClusterRole: enabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/server-clusterrole.yaml \ 9 | . | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "true" ] 12 | } 13 | 14 | @test "server/ClusterRole: disabled with global.enabled=false" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/server-clusterrole.yaml \ 18 | --set 'global.enabled=false' \ 19 | . | tee /dev/stderr | 20 | yq 'length > 0' | tee /dev/stderr) 21 | [ "${actual}" = "false" ] 22 | } 23 | 24 | @test "server/ClusterRole: can be enabled with global.enabled=false" { 25 | cd `chart_dir` 26 | local actual=$(helm template \ 27 | -x templates/server-clusterrole.yaml \ 28 | --set 'global.enabled=false' \ 29 | --set 'server.enabled=true' \ 30 | . | tee /dev/stderr | 31 | yq -s 'length > 0' | tee /dev/stderr) 32 | [ "${actual}" = "true" ] 33 | } 34 | 35 | @test "server/ClusterRole: disabled with server.enabled=false" { 36 | cd `chart_dir` 37 | local actual=$(helm template \ 38 | -x templates/server-clusterrole.yaml \ 39 | --set 'server.enabled=false' \ 40 | . | tee /dev/stderr | 41 | yq 'length > 0' | tee /dev/stderr) 42 | [ "${actual}" = "false" ] 43 | } 44 | 45 | @test "server/ClusterRole: enabled with server.enabled=true" { 46 | cd `chart_dir` 47 | local actual=$(helm template \ 48 | -x templates/server-clusterrole.yaml \ 49 | --set 'server.enabled=true' \ 50 | . 
| tee /dev/stderr | 51 | yq 'length > 0' | tee /dev/stderr) 52 | [ "${actual}" = "true" ] 53 | } 54 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/test/unit/server-clusterrolebinding.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "server/ClusterRoleBinding: enabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/server-clusterrolebinding.yaml \ 9 | . | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "true" ] 12 | } 13 | 14 | @test "server/ClusterRoleBinding: disabled with global.enabled=false" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/server-clusterrolebinding.yaml \ 18 | --set 'global.enabled=false' \ 19 | . | tee /dev/stderr | 20 | yq 'length > 0' | tee /dev/stderr) 21 | [ "${actual}" = "false" ] 22 | } 23 | 24 | @test "server/ClusterRoleBinding: disabled with server disabled" { 25 | cd `chart_dir` 26 | local actual=$(helm template \ 27 | -x templates/server-clusterrolebinding.yaml \ 28 | --set 'server.enabled=false' \ 29 | . | tee /dev/stderr | 30 | yq 'length > 0' | tee /dev/stderr) 31 | [ "${actual}" = "false" ] 32 | } 33 | 34 | @test "server/ClusterRoleBinding: enabled with server enabled" { 35 | cd `chart_dir` 36 | local actual=$(helm template \ 37 | -x templates/server-clusterrolebinding.yaml \ 38 | --set 'server.enabled=true' \ 39 | . | tee /dev/stderr | 40 | yq -s 'length > 0' | tee /dev/stderr) 41 | [ "${actual}" = "true" ] 42 | } 43 | 44 | @test "server/ClusterRoleBinding: enabled with server enabled and global.enabled=false" { 45 | cd `chart_dir` 46 | local actual=$(helm template \ 47 | -x templates/server-clusterrolebinding.yaml \ 48 | --set 'global.enabled=false' \ 49 | --set 'server.enabled=true' \ 50 | . 
| tee /dev/stderr | 51 | yq -s 'length > 0' | tee /dev/stderr) 52 | [ "${actual}" = "true" ] 53 | } -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/test/unit/server-podsecuritypolicy.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "server/PodSecurityPolicy: disabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/server-podsecuritypolicy.yaml \ 9 | . | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | } 13 | 14 | @test "server/PodSecurityPolicy: disabled with server disabled and global.enablePodSecurityPolicies=true" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/server-podsecuritypolicy.yaml \ 18 | --set 'server.enabled=false' \ 19 | --set 'global.enablePodSecurityPolicies=true' \ 20 | . | tee /dev/stderr | 21 | yq 'length > 0' | tee /dev/stderr) 22 | [ "${actual}" = "false" ] 23 | } 24 | 25 | @test "server/PodSecurityPolicy: enabled with global.enablePodSecurityPolicies=true" { 26 | cd `chart_dir` 27 | local actual=$(helm template \ 28 | -x templates/server-podsecuritypolicy.yaml \ 29 | --set 'global.enablePodSecurityPolicies=true' \ 30 | . | tee /dev/stderr | 31 | yq -s 'length > 0' | tee /dev/stderr) 32 | [ "${actual}" = "true" ] 33 | } 34 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/test/unit/server-service.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "server/Service: enabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/server-service.yaml \ 9 | . 
| tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "true" ] 12 | } 13 | 14 | @test "server/Service: enable with global.enabled false" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/server-service.yaml \ 18 | --set 'global.enabled=false' \ 19 | --set 'server.enabled=true' \ 20 | . | tee /dev/stderr | 21 | yq 'length > 0' | tee /dev/stderr) 22 | [ "${actual}" = "true" ] 23 | } 24 | 25 | @test "server/Service: disable with server.enabled" { 26 | cd `chart_dir` 27 | local actual=$(helm template \ 28 | -x templates/server-service.yaml \ 29 | --set 'server.enabled=false' \ 30 | . | tee /dev/stderr | 31 | yq 'length > 0' | tee /dev/stderr) 32 | [ "${actual}" = "false" ] 33 | } 34 | 35 | @test "server/Service: disable with global.enabled" { 36 | cd `chart_dir` 37 | local actual=$(helm template \ 38 | -x templates/server-service.yaml \ 39 | --set 'global.enabled=false' \ 40 | . | tee /dev/stderr | 41 | yq 'length > 0' | tee /dev/stderr) 42 | [ "${actual}" = "false" ] 43 | } 44 | 45 | # This can be seen as testing just what we put into the YAML raw, but 46 | # this is such an important part of making everything work we verify it here. 47 | @test "server/Service: tolerates unready endpoints" { 48 | cd `chart_dir` 49 | local actual=$(helm template \ 50 | -x templates/server-service.yaml \ 51 | . | tee /dev/stderr | 52 | yq -r '.metadata.annotations["service.alpha.kubernetes.io/tolerate-unready-endpoints"]' | tee /dev/stderr) 53 | [ "${actual}" = "true" ] 54 | 55 | local actual=$(helm template \ 56 | -x templates/server-service.yaml \ 57 | . 
| tee /dev/stderr | 58 | yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) 59 | [ "${actual}" = "true" ] 60 | } 61 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/test/unit/server-serviceaccount.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "server/ServiceAccount: enabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/server-serviceaccount.yaml \ 9 | . | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "true" ] 12 | } 13 | 14 | @test "server/ServiceAccount: disabled with global.enabled=false" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/server-serviceaccount.yaml \ 18 | --set 'global.enabled=false' \ 19 | . | tee /dev/stderr | 20 | yq 'length > 0' | tee /dev/stderr) 21 | [ "${actual}" = "false" ] 22 | } 23 | 24 | @test "server/ServiceAccount: disabled with server disabled" { 25 | cd `chart_dir` 26 | local actual=$(helm template \ 27 | -x templates/server-serviceaccount.yaml \ 28 | --set 'server.enabled=false' \ 29 | . | tee /dev/stderr | 30 | yq 'length > 0' | tee /dev/stderr) 31 | [ "${actual}" = "false" ] 32 | } 33 | 34 | @test "server/ServiceAccount: enabled with server enabled" { 35 | cd `chart_dir` 36 | local actual=$(helm template \ 37 | -x templates/server-serviceaccount.yaml \ 38 | --set 'server.enabled=true' \ 39 | . | tee /dev/stderr | 40 | yq 'length > 0' | tee /dev/stderr) 41 | [ "${actual}" = "true" ] 42 | } 43 | 44 | @test "server/ServiceAccount: enabled with server enabled and global.enabled=false" { 45 | cd `chart_dir` 46 | local actual=$(helm template \ 47 | -x templates/server-serviceaccount.yaml \ 48 | --set 'global.enabled=false' \ 49 | --set 'server.enabled=true' \ 50 | . 
| tee /dev/stderr | 51 | yq -s 'length > 0' | tee /dev/stderr) 52 | [ "${actual}" = "true" ] 53 | } 54 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/test/unit/sync-catalog-clusterrole.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "syncCatalog/ClusterRole: disabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/sync-catalog-clusterrole.yaml \ 9 | . | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | } 13 | 14 | @test "syncCatalog/ClusterRole: disabled with global.enabled=false" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/sync-catalog-clusterrole.yaml \ 18 | --set 'global.enabled=false' \ 19 | . | tee /dev/stderr | 20 | yq 'length > 0' | tee /dev/stderr) 21 | [ "${actual}" = "false" ] 22 | } 23 | 24 | @test "syncCatalog/ClusterRole: disabled with sync disabled" { 25 | cd `chart_dir` 26 | local actual=$(helm template \ 27 | -x templates/sync-catalog-clusterrole.yaml \ 28 | --set 'syncCatalog.enabled=false' \ 29 | . | tee /dev/stderr | 30 | yq 'length > 0' | tee /dev/stderr) 31 | [ "${actual}" = "false" ] 32 | } 33 | 34 | @test "syncCatalog/ClusterRole: enabled with sync enabled" { 35 | cd `chart_dir` 36 | local actual=$(helm template \ 37 | -x templates/sync-catalog-clusterrole.yaml \ 38 | --set 'syncCatalog.enabled=true' \ 39 | . | tee /dev/stderr | 40 | yq 'length > 0' | tee /dev/stderr) 41 | [ "${actual}" = "true" ] 42 | } 43 | 44 | @test "syncCatalog/ClusterRole: enabled with sync enabled and global.enabled=false" { 45 | cd `chart_dir` 46 | local actual=$(helm template \ 47 | -x templates/sync-catalog-clusterrole.yaml \ 48 | --set 'global.enabled=false' \ 49 | --set 'syncCatalog.enabled=true' \ 50 | . 
| tee /dev/stderr | 51 | yq -s 'length > 0' | tee /dev/stderr) 52 | [ "${actual}" = "true" ] 53 | } 54 | 55 | #-------------------------------------------------------------------- 56 | # global.enablePodSecurityPolicies 57 | 58 | @test "syncCatalog/ClusterRole: allows podsecuritypolicies access with global.enablePodSecurityPolicies=true" { 59 | cd `chart_dir` 60 | local actual=$(helm template \ 61 | -x templates/sync-catalog-clusterrole.yaml \ 62 | --set 'syncCatalog.enabled=true' \ 63 | --set 'global.enablePodSecurityPolicies=true' \ 64 | . | tee /dev/stderr | 65 | yq -r '.rules[2].resources[0]' | tee /dev/stderr) 66 | [ "${actual}" = "podsecuritypolicies" ] 67 | } 68 | 69 | #-------------------------------------------------------------------- 70 | # global.bootstrapACLs 71 | 72 | @test "syncCatalog/ClusterRole: allows secret access with global.bootsrapACLs=true" { 73 | cd `chart_dir` 74 | local actual=$(helm template \ 75 | -x templates/sync-catalog-clusterrole.yaml \ 76 | --set 'syncCatalog.enabled=true' \ 77 | --set 'global.bootstrapACLs=true' \ 78 | . | tee /dev/stderr | 79 | yq -r '.rules[2].resources[0]' | tee /dev/stderr) 80 | [ "${actual}" = "secrets" ] 81 | } 82 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/test/unit/sync-catalog-clusterrolebinding.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "syncCatalog/ClusterRoleBinding: disabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/sync-catalog-clusterrolebinding.yaml \ 9 | . 
| tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | } 13 | 14 | @test "syncCatalog/ClusterRoleBinding: disabled with global.enabled=false" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/sync-catalog-clusterrolebinding.yaml \ 18 | --set 'global.enabled=false' \ 19 | . | tee /dev/stderr | 20 | yq 'length > 0' | tee /dev/stderr) 21 | [ "${actual}" = "false" ] 22 | } 23 | 24 | @test "syncCatalog/ClusterRoleBinding: disabled with sync disabled" { 25 | cd `chart_dir` 26 | local actual=$(helm template \ 27 | -x templates/sync-catalog-clusterrolebinding.yaml \ 28 | --set 'syncCatalog.enabled=false' \ 29 | . | tee /dev/stderr | 30 | yq 'length > 0' | tee /dev/stderr) 31 | [ "${actual}" = "false" ] 32 | } 33 | 34 | @test "syncCatalog/ClusterRoleBinding: enabled with sync enabled" { 35 | cd `chart_dir` 36 | local actual=$(helm template \ 37 | -x templates/sync-catalog-clusterrolebinding.yaml \ 38 | --set 'syncCatalog.enabled=true' \ 39 | . | tee /dev/stderr | 40 | yq -s 'length > 0' | tee /dev/stderr) 41 | [ "${actual}" = "true" ] 42 | } 43 | 44 | @test "syncCatalog/ClusterRoleBinding: enabled with sync enabled and global.enabled=false" { 45 | cd `chart_dir` 46 | local actual=$(helm template \ 47 | -x templates/sync-catalog-clusterrolebinding.yaml \ 48 | --set 'global.enabled=false' \ 49 | --set 'syncCatalog.enabled=true' \ 50 | . | tee /dev/stderr | 51 | yq -s 'length > 0' | tee /dev/stderr) 52 | [ "${actual}" = "true" ] 53 | } 54 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/test/unit/sync-catalog-podsecuritypolicy.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "syncCatalog/PodSecurityPolicy: disabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/sync-catalog-podsecuritypolicy.yaml \ 9 | . 
| tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | } 13 | 14 | @test "syncCatalog/PodSecurityPolicy: disabled by default with syncCatalog enabled" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/sync-catalog-podsecuritypolicy.yaml \ 18 | --set 'syncCatalog.enabled=true' \ 19 | . | tee /dev/stderr | 20 | yq 'length > 0' | tee /dev/stderr) 21 | [ "${actual}" = "false" ] 22 | } 23 | 24 | @test "syncCatalog/PodSecurityPolicy: disabled with syncCatalog disabled and global.enablePodSecurityPolicies=true" { 25 | cd `chart_dir` 26 | local actual=$(helm template \ 27 | -x templates/sync-catalog-podsecuritypolicy.yaml \ 28 | --set 'syncCatalog.enabled=false' \ 29 | --set 'global.enablePodSecurityPolicies=true' \ 30 | . | tee /dev/stderr | 31 | yq 'length > 0' | tee /dev/stderr) 32 | [ "${actual}" = "false" ] 33 | } 34 | 35 | @test "syncCatalog/PodSecurityPolicy: enabled with syncCatalog enabled and global.enablePodSecurityPolicies=true" { 36 | cd `chart_dir` 37 | local actual=$(helm template \ 38 | -x templates/sync-catalog-podsecuritypolicy.yaml \ 39 | --set 'syncCatalog.enabled=true' \ 40 | --set 'global.enablePodSecurityPolicies=true' \ 41 | . | tee /dev/stderr | 42 | yq -s 'length > 0' | tee /dev/stderr) 43 | [ "${actual}" = "true" ] 44 | } 45 | -------------------------------------------------------------------------------- /helm/vault-backend/charts/consul-helm/test/unit/sync-catalog-serviceaccount.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "syncCatalog/ServiceAccount: disabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/sync-catalog-serviceaccount.yaml \ 9 | . 
| tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | } 13 | 14 | @test "syncCatalog/ServiceAccount: disabled with global.enabled=false" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/sync-catalog-serviceaccount.yaml \ 18 | --set 'global.enabled=false' \ 19 | . | tee /dev/stderr | 20 | yq 'length > 0' | tee /dev/stderr) 21 | [ "${actual}" = "false" ] 22 | } 23 | 24 | @test "syncCatalog/ServiceAccount: disabled with sync disabled" { 25 | cd `chart_dir` 26 | local actual=$(helm template \ 27 | -x templates/sync-catalog-serviceaccount.yaml \ 28 | --set 'syncCatalog.enabled=false' \ 29 | . | tee /dev/stderr | 30 | yq 'length > 0' | tee /dev/stderr) 31 | [ "${actual}" = "false" ] 32 | } 33 | 34 | @test "syncCatalog/ServiceAccount: enabled with sync enabled" { 35 | cd `chart_dir` 36 | local actual=$(helm template \ 37 | -x templates/sync-catalog-serviceaccount.yaml \ 38 | --set 'syncCatalog.enabled=true' \ 39 | . | tee /dev/stderr | 40 | yq 'length > 0' | tee /dev/stderr) 41 | [ "${actual}" = "true" ] 42 | } 43 | 44 | @test "syncCatalog/ServiceAccount: enabled with sync enabled and global.enabled=false" { 45 | cd `chart_dir` 46 | local actual=$(helm template \ 47 | -x templates/sync-catalog-serviceaccount.yaml \ 48 | --set 'global.enabled=false' \ 49 | --set 'syncCatalog.enabled=true' \ 50 | . 
| tee /dev/stderr | 51 | yq -s 'length > 0' | tee /dev/stderr) 52 | [ "${actual}" = "true" ] 53 | } 54 | -------------------------------------------------------------------------------- /helm/vault-backend/requirements.yaml: -------------------------------------------------------------------------------- 1 | dependencies: 2 | - name: consul 3 | repository: file://./charts/consul-helm 4 | version: 0.8.1 -------------------------------------------------------------------------------- /helm/vault-backend/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Expand the name of the chart. 4 | */}} 5 | {{- define "backend-consul.name" -}} 6 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} 7 | {{- end -}} 8 | 9 | {{/* 10 | Create a default fully qualified app name. 11 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 12 | If release name contains chart name it will be used as a full name. 13 | */}} 14 | {{- define "backend-consul.fullname" -}} 15 | {{- if .Values.fullnameOverride -}} 16 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} 17 | {{- else -}} 18 | {{- $name := default .Chart.Name .Values.nameOverride -}} 19 | {{- if contains $name .Release.Name -}} 20 | {{- .Release.Name | trunc 63 | trimSuffix "-" -}} 21 | {{- else -}} 22 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} 23 | {{- end -}} 24 | {{- end -}} 25 | {{- end -}} 26 | 27 | {{/* 28 | Create chart name and version as used by the chart label. 29 | */}} 30 | {{- define "backend-consul.chart" -}} 31 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} 32 | {{- end -}} 33 | 34 | {{/* 35 | Common labels 36 | */}} 37 | {{- define "backend-consul.labels" -}} 38 | app.kubernetes.io/name: {{ include "backend-consul.name" . 
}} 39 | helm.sh/chart: {{ include "backend-consul.chart" . }} 40 | app.kubernetes.io/instance: {{ .Release.Name }} 41 | {{- if .Chart.AppVersion }} 42 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 43 | {{- end }} 44 | app.kubernetes.io/managed-by: {{ .Release.Service }} 45 | {{- end -}} 46 | -------------------------------------------------------------------------------- /helm/vault-backend/templates/vault-acl-config.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: {{ template "backend-consul.name" . }}-vault-acl-config 5 | namespace: {{ .Release.Namespace }} 6 | data: 7 | vault.json: | 8 | { 9 | "key_prefix": { 10 | "vault/": { 11 | "policy": "write" 12 | } 13 | }, 14 | "node_prefix": { 15 | "": { 16 | "policy": "write" 17 | } 18 | }, 19 | "service": { 20 | "vault": { 21 | "policy": "write" 22 | } 23 | }, 24 | "agent_prefix": { 25 | "": { 26 | "policy": "write" 27 | } 28 | 29 | }, 30 | "session_prefix": { 31 | "": { 32 | "policy": "write" 33 | } 34 | } 35 | } -------------------------------------------------------------------------------- /helm/vault-backend/templates/vault-acl-job.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: batch/v1 2 | kind: Job 3 | metadata: 4 | name: {{ template "backend-consul.name" . }}-vault-acl 5 | namespace: {{ .Release.Namespace }} 6 | labels: 7 | app: {{ template "backend-consul.name" . }} 8 | chart: {{ template "backend-consul.chart" . }} 9 | heritage: {{ .Release.Service }} 10 | release: {{ .Release.Name }} 11 | annotations: 12 | "helm.sh/hook": post-install 13 | "helm.sh/hook-weight": "1" 14 | spec: 15 | template: 16 | metadata: 17 | name: {{ template "backend-consul.name" . }}-vault-acl-init 18 | labels: 19 | app: {{ template "backend-consul.name" . }} 20 | chart: {{ template "backend-consul.chart" . 
}} 21 | release: {{ .Release.Name }} 22 | component: consul-vault-acl-init 23 | annotations: 24 | "consul.hashicorp.com/connect-inject": "false" 25 | spec: 26 | restartPolicy: Never 27 | serviceAccountName: {{ .Release.Name }}-consul-server-acl-init 28 | containers: 29 | - name: vault-acl 30 | image: {{ .Values.global.image }} 31 | env: 32 | - name: HOST_IP 33 | valueFrom: 34 | fieldRef: 35 | fieldPath: status.hostIP 36 | - name: CONSUL_HTTP_TOKEN 37 | valueFrom: 38 | secretKeyRef: 39 | name: {{ .Release.Name }}-consul-bootstrap-acl-token 40 | key: token 41 | command: 42 | - "/bin/sh" 43 | - "-ec" 44 | - | 45 | export CONSUL_HTTP_ADDR="${HOST_IP}:8500" 46 | consul acl policy create -name vault-service -rules @/consul/aclconfig/vault.json 47 | consul acl token create -description "Token for Vault" -policy-name vault-service 48 | volumeMounts: 49 | - name: aclconfig 50 | mountPath: /consul/aclconfig 51 | volumes: 52 | - name: aclconfig 53 | configMap: 54 | name: {{ template "backend-consul.name" . }}-vault-acl-config 55 | -------------------------------------------------------------------------------- /helm/vault-backend/values.yaml: -------------------------------------------------------------------------------- 1 | global: 2 | image: "consul:1.5.2" 3 | 4 | consul: 5 | global: 6 | bootstrapACLs: true 7 | server: 8 | replicas: 3 9 | bootstrapExpect: 3 -------------------------------------------------------------------------------- /helm/vault-helm-acl/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | .vscode/ 23 | -------------------------------------------------------------------------------- /helm/vault-helm-acl/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | appVersion: "1.0" 3 | description: A Helm chart for Vault ACL initialization 4 | name: vault-acl 5 | version: 0.1.0 6 | -------------------------------------------------------------------------------- /helm/vault-helm-acl/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Create a default fully qualified app name. 3 | We truncate at 63 chars because some Kubernetes name fields are limited to 4 | this (by the DNS naming spec). If release name contains chart name it will 5 | be used as a full name. 6 | */}} 7 | {{- define "vault.fullname" -}} 8 | {{- if .Values.fullnameOverride -}} 9 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} 10 | {{- else -}} 11 | {{- $name := default .Chart.Name .Values.nameOverride -}} 12 | {{- if contains $name .Release.Name -}} 13 | {{- .Release.Name | trunc 63 | trimSuffix "-" -}} 14 | {{- else -}} 15 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} 16 | {{- end -}} 17 | {{- end -}} 18 | {{- end -}} 19 | 20 | {{/* 21 | Create chart name and version as used by the chart label. 22 | */}} 23 | {{- define "vault.chart" -}} 24 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} 25 | {{- end -}} 26 | 27 | {{/* 28 | Expand the name of the chart. 
29 | */}} 30 | {{- define "vault.name" -}} 31 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} 32 | {{- end -}} 33 | 34 | {{/* 35 | Compute the maximum number of unavailable replicas for the PodDisruptionBudget. 36 | This defaults to (n/2)-1 where n is the number of members of the server cluster. 37 | Add a special case for replicas=1, where it should default to 0 as well. 38 | */}} 39 | {{- define "vault.pdb.maxUnavailable" -}} 40 | {{- if eq (int .Values.serverHA.replicas) 1 -}} 41 | {{ 0 }} 42 | {{- else if .Values.serverHA.disruptionBudget.maxUnavailable -}} 43 | {{ .Values.serverHA.disruptionBudget.maxUnavailable -}} 44 | {{- else -}} 45 | {{- ceil (sub (div (int .Values.serverHA.replicas) 2) 1) -}} 46 | {{- end -}} 47 | {{- end -}} -------------------------------------------------------------------------------- /helm/vault-helm-acl/templates/acl-config.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: {{ template "vault.fullname" . }}-acl-config 5 | namespace: {{ .Release.Namespace }} 6 | labels: 7 | app: {{ template "vault.name" . }} 8 | chart: {{ template "vault.chart" . 
}} 9 | heritage: {{ .Release.Service }} 10 | release: {{ .Release.Name }} 11 | data: 12 | admin-policy.hcl: |- 13 | # Manage auth methods broadly across Vault 14 | path "auth/*" 15 | { 16 | capabilities = ["create", "read", "update", "delete", "list", "sudo"] 17 | } 18 | 19 | # Create, update, and delete auth methods 20 | path "sys/auth/*" 21 | { 22 | capabilities = ["create", "update", "delete", "sudo"] 23 | } 24 | 25 | # List auth methods 26 | path "sys/auth" 27 | { 28 | capabilities = ["read"] 29 | } 30 | 31 | # List existing policies via CLI 32 | path "sys/policy" 33 | { 34 | capabilities = ["read"] 35 | } 36 | 37 | # Create and manage ACL policies via CLI 38 | path "sys/policy/*" 39 | { 40 | capabilities = ["create", "read", "update", "delete", "list", "sudo"] 41 | } 42 | 43 | # Create and manage ACL policies via API 44 | path "sys/policies/acl/*" 45 | { 46 | capabilities = ["create", "read", "update", "delete", "list", "sudo"] 47 | } 48 | 49 | # List, create, update, and delete key/value secrets 50 | path "secret/data/*" 51 | { 52 | capabilities = ["create", "read", "update", "delete", "list", "sudo"] 53 | } 54 | 55 | # Manage secret engines broadly across Vault 56 | path "sys/mounts/*" 57 | { 58 | capabilities = ["create", "read", "update", "delete", "list", "sudo"] 59 | } 60 | 61 | # List existing secret engines 62 | path "sys/mounts" 63 | { 64 | capabilities = ["read"] 65 | } 66 | 67 | # Read health checks 68 | path "sys/health" 69 | { 70 | capabilities = ["read", "sudo"] 71 | } 72 | 73 | # Configure the database secret engine and create roles 74 | path "database/*" { 75 | capabilities = [ "create", "read", "update", "delete", "list" ] 76 | } -------------------------------------------------------------------------------- /helm/vault-helm-acl/templates/acl-init-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: {{ 
template "vault.fullname" . }} 5 | labels: 6 | app: {{ template "vault.name" . }} 7 | chart: {{ template "vault.chart" . }} 8 | heritage: {{ .Release.Service }} 9 | release: {{ .Release.Name }} 10 | rules: 11 | - apiGroups: [""] 12 | resources: 13 | - secrets 14 | resourceNames: 15 | - vault-tokens 16 | verbs: 17 | - get 18 | -------------------------------------------------------------------------------- /helm/vault-helm-acl/templates/acl-init-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: {{ template "vault.fullname" . }} 5 | labels: 6 | app: {{ template "vault.name" . }} 7 | chart: {{ template "vault.chart" . }} 8 | heritage: {{ .Release.Service }} 9 | release: {{ .Release.Name }} 10 | roleRef: 11 | apiGroup: rbac.authorization.k8s.io 12 | kind: ClusterRole 13 | name: {{ template "vault.fullname" . }} 14 | subjects: 15 | - kind: ServiceAccount 16 | name: {{ template "vault.fullname" . }} 17 | namespace: {{ .Release.Namespace }} 18 | -------------------------------------------------------------------------------- /helm/vault-helm-acl/templates/acl-init-job.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: batch/v1 2 | kind: Job 3 | metadata: 4 | name: {{ template "vault.name" . }}-acl-init 5 | namespace: {{ .Release.Namespace }} 6 | labels: 7 | app: {{ template "vault.name" . }}-acl-init 8 | chart: {{ template "vault.chart" . }} 9 | heritage: {{ .Release.Service }} 10 | release: {{ .Release.Name }} 11 | spec: 12 | template: 13 | metadata: 14 | name: {{ template "vault.name" . }}-acl-init 15 | labels: 16 | app: {{ template "vault.name" . }}-acl-init 17 | chart: {{ template "vault.chart" . 
}} 18 | release: {{ .Release.Name }} 19 | component: vault-acl-init 20 | annotations: 21 | "consul.hashicorp.com/connect-inject": "false" 22 | spec: 23 | restartPolicy: Never 24 | serviceAccountName: {{ template "vault.fullname" . }} 25 | volumes: 26 | - name: vault-tokens 27 | secret: 28 | secretName: vault-tokens 29 | - name: config-acl 30 | configMap: 31 | name: {{ template "vault.fullname" . }}-acl-config 32 | {{- range .Values.serverHA.extraVolumes }} 33 | - name: userconfig-{{ .name }} 34 | {{ .type }}: 35 | {{- if (eq .type "configMap") }} 36 | name: {{ .name }} 37 | {{- else if (eq .type "secret") }} 38 | secretName: {{ .name }} 39 | {{- end }} 40 | {{- end }} 41 | containers: 42 | - name: vault-init 43 | image: "{{ default .Values.global.image .Values.serverHA.image }}" 44 | env: 45 | - name: VAULT_ADDR 46 | valueFrom: 47 | configMapKeyRef: 48 | name: vault-service-config 49 | key: endpoint 50 | command: 51 | - "/bin/sh" 52 | - "-ce" 53 | - | 54 | export VAULT_TOKEN=$(cat /vault/tokens/root) 55 | export VAULT_CACERT="/vault/userconfig/vault-tls/ca.crt" 56 | vault secrets enable -path=secret/ kv 57 | vault policy write admin-policy /vault/aclconfig/admin-policy.hcl 58 | vault token create -policy=admin-policy 59 | volumeMounts: 60 | - name: vault-tokens 61 | readOnly: true 62 | mountPath: /vault/tokens 63 | - name: config-acl 64 | readOnly: true 65 | mountPath: /vault/aclconfig 66 | {{- range .Values.serverHA.extraVolumes }} 67 | - name: userconfig-{{ .name }} 68 | readOnly: true 69 | mountPath: /vault/userconfig/{{ .name }} 70 | {{- end }} -------------------------------------------------------------------------------- /helm/vault-helm-acl/templates/acl-init-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: {{ template "vault.fullname" . }} 5 | namespace: {{ .Release.Namespace }} 6 | labels: 7 | app: {{ template "vault.name" . 
}} 8 | chart: {{ template "vault.chart" . }} 9 | heritage: {{ .Release.Service }} 10 | release: {{ .Release.Name }} -------------------------------------------------------------------------------- /helm/vault-helm-acl/templates/tests/test-runner.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: "{{ template "vault.fullname" . }}-test-{{ randAlphaNum 5 | lower }}" 5 | labels: 6 | app: {{ template "vault.name" . }} 7 | chart: {{ template "vault.chart" . }} 8 | heritage: {{ .Release.Service }} 9 | release: {{ .Release.Name }} 10 | annotations: 11 | "helm.sh/hook": test-success 12 | spec: 13 | {{- range .Values.serverHA.extraVolumes }} 14 | volumes: 15 | - name: vault-tokens 16 | secret: 17 | secretName: vault-tokens 18 | - name: userconfig-{{ .name }} 19 | {{ .type }}: 20 | {{- if (eq .type "configMap") }} 21 | name: {{ .name }} 22 | {{- else if (eq .type "secret") }} 23 | secretName: {{ .name }} 24 | {{- end }} 25 | {{- end }} 26 | containers: 27 | - name: vault-test 28 | image: "{{ .Values.global.image }}" 29 | env: 30 | - name: VAULT_ADDR 31 | valueFrom: 32 | configMapKeyRef: 33 | name: vault-service-config 34 | key: endpoint 35 | command: 36 | - "/bin/sh" 37 | - "-ec" 38 | - | 39 | export VALUE="{{randAlphaNum 24 | lower }}" 40 | export VAULT_TOKEN=$(cat /vault/tokens/admin) 41 | export VAULT_CACERT="/vault/userconfig/vault-tls/ca.crt" 42 | vault kv delete secret/data/testapp/_vault_helm_test 43 | vault kv put secret/data/testapp/_vault_helm_test passcode="$VALUE" 44 | [ `vault kv get -field=passcode secret/data/testapp/_vault_helm_test` = "$VALUE" ] 45 | vault kv delete secret/data/testapp/_vault_helm_test 46 | export VAULT_ROOT_TOKEN=$(cat /vault/tokens/root) 47 | vault token revoke -mode=orphan $VAULT_ROOT_TOKEN 48 | {{- range .Values.serverHA.extraVolumes }} 49 | volumeMounts: 50 | - name: vault-tokens 51 | readOnly: true 52 | mountPath: /vault/tokens 53 | - name: 
userconfig-{{ .name }} 54 | readOnly: true 55 | mountPath: /vault/userconfig/{{ .name }} 56 | {{- end }} 57 | restartPolicy: Never 58 | -------------------------------------------------------------------------------- /helm/vault-helm-acl/values.yaml: -------------------------------------------------------------------------------- 1 | # Available parameters and their default values for the Vault ACL chart. 2 | 3 | # Server, when enabled, configures a server cluster to run. This should 4 | # be disabled if you plan on connecting to a Vault cluster external to 5 | # the Kube cluster. 6 | 7 | global: 8 | image: "vault:1.1.3" 9 | 10 | serverHA: 11 | extraVolumes: 12 | - type: secret 13 | name: vault-tls 14 | load: false # if true, will add to `-config` to load by Vault -------------------------------------------------------------------------------- /helm/vault-helm/.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | .terraform/ 3 | .terraform.tfstate* 4 | terraform.tfstate* 5 | terraform.tfvars 6 | -------------------------------------------------------------------------------- /helm/vault-helm/.helmignore: -------------------------------------------------------------------------------- 1 | .git/ 2 | .terraform/ 3 | bin/ 4 | test/ 5 | -------------------------------------------------------------------------------- /helm/vault-helm/CHANGELOG.md: -------------------------------------------------------------------------------- 1 | ## 0.2.0 (September 26, 2018) 2 | 3 | FEATURES: 4 | 5 | * `syncCatalog` can install the [service catalog sync](https://www.hashicorp.com/blog/consul-and-kubernetes-service-catalog-sync) 6 | functionality. 
7 | 8 | IMPROVEMENTS: 9 | 10 | * server: support `storageClass` [GH-7] 11 | 12 | ## 0.1.0 13 | 14 | Initial release 15 | -------------------------------------------------------------------------------- /helm/vault-helm/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: vault 3 | version: 0.1.0 4 | description: Install and configure Vault on Kubernetes. 5 | home: https://www.vaultproject.io 6 | sources: 7 | - https://github.com/hashicorp/vault 8 | - https://github.com/hashicorp/vault-helm 9 | -------------------------------------------------------------------------------- /helm/vault-helm/Makefile: -------------------------------------------------------------------------------- 1 | TEST_IMAGE?=consul-helm-test 2 | 3 | test-docker: 4 | @docker build --rm -t '$(TEST_IMAGE)' -f $(CURDIR)/test/docker/Test.dockerfile $(CURDIR) 5 | 6 | .PHONY: test-docker 7 | -------------------------------------------------------------------------------- /helm/vault-helm/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Create a default fully qualified app name. 3 | We truncate at 63 chars because some Kubernetes name fields are limited to 4 | this (by the DNS naming spec). If release name contains chart name it will 5 | be used as a full name. 6 | */}} 7 | {{- define "vault.fullname" -}} 8 | {{- if .Values.fullnameOverride -}} 9 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} 10 | {{- else -}} 11 | {{- $name := default .Chart.Name .Values.nameOverride -}} 12 | {{- if contains $name .Release.Name -}} 13 | {{- .Release.Name | trunc 63 | trimSuffix "-" -}} 14 | {{- else -}} 15 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} 16 | {{- end -}} 17 | {{- end -}} 18 | {{- end -}} 19 | 20 | {{/* 21 | Create chart name and version as used by the chart label. 
22 | */}} 23 | {{- define "vault.chart" -}} 24 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} 25 | {{- end -}} 26 | 27 | {{/* 28 | Expand the name of the chart. 29 | */}} 30 | {{- define "vault.name" -}} 31 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} 32 | {{- end -}} 33 | 34 | {{/* 35 | Compute the maximum number of unavailable replicas for the PodDisruptionBudget. 36 | This defaults to (n/2)-1 where n is the number of members of the server cluster. 37 | Add a special case for replicas=1, where it should default to 0 as well. 38 | */}} 39 | {{- define "vault.pdb.maxUnavailable" -}} 40 | {{- if eq (int .Values.serverHA.replicas) 1 -}} 41 | {{ 0 }} 42 | {{- else if .Values.serverHA.disruptionBudget.maxUnavailable -}} 43 | {{ .Values.serverHA.disruptionBudget.maxUnavailable -}} 44 | {{- else -}} 45 | {{- ceil (sub (div (int .Values.serverHA.replicas) 2) 1) -}} 46 | {{- end -}} 47 | {{- end -}} 48 | -------------------------------------------------------------------------------- /helm/vault-helm/templates/ha-ui-configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- if (and (or (and (ne (.Values.serverHA.enabled | toString) "-") .Values.serverHA.enabled) (and (eq (.Values.serverHA.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.enabled | toString) "-") .Values.ui.enabled) (and (eq (.Values.ui.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.service.enabled | toString) "-") .Values.ui.service.enabled) (and (eq (.Values.ui.service.enabled | toString) "-") .Values.global.enabled))) }} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: {{ template "vault.fullname" . }}-service-config 6 | labels: 7 | app: {{ template "vault.name" . }} 8 | chart: {{ template "vault.chart" . 
}} 9 | heritage: {{ .Release.Service }} 10 | release: {{ .Release.Name }} 11 | data: 12 | endpoint: https://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local 13 | {{- end }} 14 | -------------------------------------------------------------------------------- /helm/vault-helm/templates/ha-ui-service.yaml: -------------------------------------------------------------------------------- 1 | {{- if (and (or (and (ne (.Values.serverHA.enabled | toString) "-") .Values.serverHA.enabled) (and (eq (.Values.serverHA.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.enabled | toString) "-") .Values.ui.enabled) (and (eq (.Values.ui.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.service.enabled | toString) "-") .Values.ui.service.enabled) (and (eq (.Values.ui.service.enabled | toString) "-") .Values.global.enabled))) }} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: {{ template "vault.fullname" . }} 6 | labels: 7 | app: {{ template "vault.name" . }} 8 | chart: {{ template "vault.chart" . }} 9 | heritage: {{ .Release.Service }} 10 | release: {{ .Release.Name }} 11 | spec: 12 | selector: 13 | app: {{ template "vault.name" . }} 14 | release: "{{ .Release.Name }}" 15 | component: server 16 | ports: 17 | - name: https 18 | port: 443 19 | targetPort: 8200 20 | {{- if .Values.ui.service.type }} 21 | type: {{ .Values.ui.service.type }} 22 | {{- end }} 23 | {{- end }} 24 | -------------------------------------------------------------------------------- /helm/vault-helm/templates/server-disruptionbudget.yaml: -------------------------------------------------------------------------------- 1 | # PodDisruptionBudget to prevent degrading the server cluster through 2 | # voluntary cluster changes. 
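{{- if (and .Values.serverHA.disruptionBudget.enabled (or (and (ne (.Values.serverHA.enabled | toString) "-") .Values.serverHA.enabled) (and (eq (.Values.serverHA.enabled | toString) "-") .Values.global.enabled))) }}
# policy/v1beta1 was the served version when this chart was written; newer
# clusters serve policy/v1 instead. Bump when the target cluster supports it.
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: {{ template "vault.fullname" . }}-ha-server
  labels:
    app: {{ template "vault.name" . }}
    chart: {{ template "vault.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
spec:
  # See the vault.pdb.maxUnavailable helper for how this is derived.
  maxUnavailable: {{ template "vault.pdb.maxUnavailable" . }}
  selector:
    matchLabels:
      app: {{ template "vault.name" . }}
      release: "{{ .Release.Name }}"
      component: server
{{- end }}

--------------------------------------------------------------------------------
/helm/vault-helm/templates/server-ha-clusterrole.yaml:
--------------------------------------------------------------------------------
# ClusterRole for the HA server ServiceAccount: read-only access to the single
# Secret named "vault-tokens".
#
# SECURITY: because this is a ClusterRole bound via a ClusterRoleBinding, the
# grant covers a Secret of that name in *every* namespace, not only the
# release namespace. No template in this excerpt creates or reads
# vault-tokens, so it is the operator's Secret; if it lives in the release
# namespace, a namespaced Role + RoleBinding is the least-privilege form.
{{- if (or (and (ne (.Values.serverHA.enabled | toString) "-") .Values.serverHA.enabled) (and (eq (.Values.serverHA.enabled | toString) "-") .Values.global.enabled)) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ template "vault.fullname" . }}-server-ha
  labels:
    app: {{ template "vault.name" . }}
    chart: {{ template "vault.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
rules:
  - apiGroups: [""]
    resources:
      - secrets
    resourceNames:
      - vault-tokens
    verbs:
      - get
{{- end }}

--------------------------------------------------------------------------------
/helm/vault-helm/templates/server-ha-clusterrolebinding.yaml:
--------------------------------------------------------------------------------
# Binds the -server-ha ClusterRole to the -server-ha ServiceAccount in the
# release namespace (the account the HA init Job runs as).
{{- if (or (and (ne (.Values.serverHA.enabled | toString) "-") .Values.serverHA.enabled) (and (eq (.Values.serverHA.enabled | toString) "-") .Values.global.enabled)) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ template "vault.fullname" . }}-server-ha
  labels:
    app: {{ template "vault.name" . }}
    chart: {{ template "vault.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "vault.fullname" . }}-server-ha
subjects:
  - kind: ServiceAccount
    name: {{ template "vault.fullname" . }}-server-ha
    namespace: {{ .Release.Namespace }}
{{- end }}

--------------------------------------------------------------------------------
/helm/vault-helm/templates/server-ha-config-configmap.yaml:
--------------------------------------------------------------------------------
# ConfigMap carrying the extra Vault server configuration rendered (via tpl)
# from .Values.serverHA.config. (The previous header described a StatefulSet,
# which this file does not define.)
{{- if (or (and (ne (.Values.serverHA.enabled | toString) "-") .Values.serverHA.enabled) (and (eq (.Values.serverHA.enabled | toString) "-") .Values.global.enabled)) }}
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ template "vault.fullname" . }}-server-ha-config
  labels:
    app: {{ template "vault.name" . }}
    chart: {{ template "vault.chart" .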
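}}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
data:
  extraconfig-from-values.hcl: |-
{{ tpl .Values.serverHA.config . | indent 4 }}
{{- end }}

--------------------------------------------------------------------------------
/helm/vault-helm/templates/server-ha-init-job.yaml:
--------------------------------------------------------------------------------
# Post-install hook Job that runs `vault operator init` once against the
# endpoint published in the -service-config ConfigMap.
#
# SECURITY: `vault operator init` prints the unseal key shares and the
# initial root token to stdout, i.e. into this pod's logs. Anyone with
# pods/log in the release namespace (and whatever log shipper the cluster
# runs) can read them for as long as the pod exists. That is acceptable for
# a workshop; for anything else use `-pgp-keys` / `-root-token-pgp-key`, or
# initialise out of band and store the material in a proper secret store,
# and delete this hook's pod afterwards.
#
# The Job is gated like every other HA resource. Without the guard a non-HA
# install created a Job referencing a ServiceAccount and ConfigMap that do
# not exist, so the hook could never complete.
{{- if (or (and (ne (.Values.serverHA.enabled | toString) "-") .Values.serverHA.enabled) (and (eq (.Values.serverHA.enabled | toString) "-") .Values.global.enabled)) }}
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ template "vault.name" . }}-init
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ template "vault.name" . }}-init
    chart: {{ template "vault.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
  annotations:
    "helm.sh/hook": post-install
    "helm.sh/hook-weight": "1"
spec:
  template:
    metadata:
      name: {{ template "vault.name" . }}-init
      labels:
        app: {{ template "vault.name" . }}-init
        chart: {{ template "vault.chart" . }}
        release: {{ .Release.Name }}
        component: vault-init
      annotations:
        "consul.hashicorp.com/connect-inject": "false"
    spec:
      restartPolicy: Never
      serviceAccountName: {{ template "vault.fullname" . }}-server-ha
      # Emit the `volumes:` key once and loop inside it. The previous version
      # looped around the key, which rendered a duplicate `volumes:` mapping
      # key (invalid YAML) as soon as more than one extraVolume was set.
      {{- if .Values.serverHA.extraVolumes }}
      volumes:
        {{- range .Values.serverHA.extraVolumes }}
        - name: userconfig-{{ .name }}
          {{ .type }}:
            {{- if (eq .type "configMap") }}
            name: {{ .name }}
            {{- else if (eq .type "secret") }}
            secretName: {{ .name }}
            {{- end }}
        {{- end }}
      {{- end }}
      containers:
        - name: vault-init
          image: "{{ default .Values.global.image .Values.serverHA.image }}"
          env:
            - name: VAULT_ADDR
              valueFrom:
                configMapKeyRef:
                  name: {{ template "vault.fullname" . }}-service-config
                  key: endpoint
          command:
            - "/bin/sh"
            - "-c"
            - |
              # Requires an extraVolume named "vault-tls" carrying ca.crt.
              # Without it TLS verification fails and the Job exits non-zero
              # instead of silently talking to an unverified endpoint.
              export VAULT_CACERT="/vault/userconfig/vault-tls/ca.crt"
              # `vault status` exits 0 when unsealed, 2 when sealed, 1 on
              # error. A sealed server may already be initialised, and
              # running init against it fails; only init when the server
              # itself reports initialized=false.
              vault status
              RETCODE=$?
              if [ "$RETCODE" -eq 2 ]; then
                if vault status -format=json | grep -q '"initialized": false'; then
                  vault operator init
                  exit $?
                fi
                echo "Vault is already initialized (sealed); nothing to do." >&2
                exit 0
              fi
              exit $RETCODE
          {{- if .Values.serverHA.extraVolumes }}
          volumeMounts:
            {{- range .Values.serverHA.extraVolumes }}
            - name: userconfig-{{ .name }}
              readOnly: true
              mountPath: /vault/userconfig/{{ .name }}
            {{- end }}
          {{- end }}
{{- end }}

--------------------------------------------------------------------------------
/helm/vault-helm/templates/server-ha-service.yaml:
--------------------------------------------------------------------------------
# Headless Service that gives every HA Vault server pod a stable DNS entry.
# It selects server pods only (component=server) and is also used for join
# operations, so not-ready pods are deliberately published. (The earlier
# wording about agents and NODE_IP appears to have been inherited from the
# Consul chart and does not apply to Vault.)
{{- if (or (and (ne (.Values.serverHA.enabled | toString) "-") .Values.serverHA.enabled) (and (eq (.Values.serverHA.enabled | toString) "-") .Values.global.enabled)) }}
apiVersion: v1
kind: Service
metadata:
  name: {{ template "vault.fullname" . }}-ha-server
  labels:
    app: {{ template "vault.name" . }}
    chart: {{ template "vault.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
  annotations:
    # This must be set in addition to publishNotReadyAddresses due
    # to an open issue where it may not work:
    # https://github.com/kubernetes/kubernetes/issues/58662
    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
spec:
  clusterIP: None
  # We want the servers to become available even if they're not ready
  # since this DNS is also used for join operations.
  publishNotReadyAddresses: true
  ports:
    # The port name is kept as "http" for compatibility with anything that
    # references it by name; note the listener behind 8200 is served over
    # TLS in this deployment (the -service-config ConfigMap publishes an
    # https:// endpoint for it).
    - name: http
      port: 8200
      targetPort: 8200
  selector:
    app: {{ template "vault.name" .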
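}}
    release: "{{ .Release.Name }}"
    component: server
{{- end }}

--------------------------------------------------------------------------------
/helm/vault-helm/templates/server-ha-serviceaccount.yaml:
--------------------------------------------------------------------------------
# ServiceAccount the HA init Job runs as; it is the subject of the
# -server-ha ClusterRoleBinding. Keeping it separate from "default" keeps
# that RBAC grant attached to exactly the workload that needs it.
{{- if (or (and (ne (.Values.serverHA.enabled | toString) "-") .Values.serverHA.enabled) (and (eq (.Values.serverHA.enabled | toString) "-") .Values.global.enabled)) }}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ template "vault.fullname" . }}-server-ha
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ template "vault.name" . }}
    chart: {{ template "vault.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
{{- end }}
--------------------------------------------------------------------------------
/helm/vault-helm/test/acceptance/_helpers.bash:
--------------------------------------------------------------------------------
# name_prefix returns the prefix of the resources within Kubernetes.
name_prefix() {
  printf "vault"
}

# helm_install installs the vault chart. This will source overridable
# values from the "values.yaml" file in this directory. This can be set
# by CI or other environments to do test-specific overrides. Note that it's
# easily possible to break tests this way so be careful.
#
# Paths are quoted so a BATS_TEST_DIRNAME containing whitespace cannot turn
# into a different command line.
helm_install() {
  local values="${BATS_TEST_DIRNAME}/values.yaml"
  if [ ! -f "${values}" ]; then
    touch "${values}"
  fi

  helm install -f "${values}" \
    --name vault \
    "${BATS_TEST_DIRNAME}/../.."
}

# helm_install_ha installs the vault chart using HA mode. This will source
# overridable values from the "values.yaml" file in this directory. This can be
# set by CI or other environments to do test-specific overrides. Note that it's
# easily possible to break tests this way so be careful.
helm_install_ha() {
  local values="${BATS_TEST_DIRNAME}/values.yaml"
  if [ ! -f "${values}" ]; then
    touch "${values}"
  fi

  helm install -f "${values}" \
    --name vault \
    --set 'server.enabled=false' \
    --set 'serverHA.enabled=true' \
    "${BATS_TEST_DIRNAME}/../.."
}

# wait_for_running_consul polls (30 x 2s) until the first pod labelled
# component=client is Running with Ready=True, then returns. If that never
# happens it exits the whole test run with status 1.
wait_for_running_consul() {
  check() {
    # Prints the pod name when the first component=client pod is Running
    # and its Ready condition is True; prints nothing otherwise. Only the
    # first such pod is inspected.
    kubectl get pods -l component=client -o json | \
      jq -r '.items[0] | select(
        .status.phase == "Running" and
        ([ .status.conditions[] | select(.type == "Ready" and .status == "True") ] | length) == 1
      ) | .metadata.name'
  }

  for i in $(seq 30); do
    if [ -n "$(check)" ]; then
      echo "consul clients are ready."
      return
    fi

    # The previous message interpolated POD_NAME, which this function never
    # sets, so it printed an empty name.
    echo "Waiting for consul clients to be ready..."
    sleep 2
  done

  echo "consul clients never became ready."
  exit 1
}

# wait_for_running polls (30 x 2s) until pod $1 is Running with Ready=False,
# then sleeps 2s more and returns; otherwise exits the test run with status 1.
#
# NOTE: this deliberately differs from wait_for_running_consul. The jq filter
# selects Ready == "False" (running, but not yet ready); the earlier comment
# claimed it waited for Ready == true, which the filter never did. The Vault
# acceptance tests expect a server that is sealed and uninitialised, which is
# presumably why "running but not ready" is the target state here — confirm
# against the StatefulSet's readiness probe before changing it.
wait_for_running() {
  POD_NAME=$1

  check() {
    # Prints namespace/name when the pod is Running and its Ready condition
    # is False; prints nothing otherwise.
    kubectl get pods "$1" -o json | \
      jq -r 'select(
        .status.phase == "Running" and
        ([ .status.conditions[] | select(.type == "Ready" and .status == "False") ] | length) == 1
      ) | .metadata.namespace + "/" + .metadata.name'
  }

  for i in $(seq 30); do
    if [ -n "$(check "${POD_NAME}")" ]; then
      echo "${POD_NAME} is ready."
      sleep 2
      return
    fi

    echo "Waiting for ${POD_NAME} to be ready..."
    sleep 2
  done

  echo "${POD_NAME} never became ready."
  exit 1
}

--------------------------------------------------------------------------------
/helm/vault-helm/test/acceptance/server-ha.bats:
--------------------------------------------------------------------------------
#!/usr/bin/env bats

load _helpers

@test "server-ha: default, comes up sealed, 1 replica" {
  helm_install_ha
  wait_for_running "$(name_prefix)-ha-server-0"

  # Verify installed but not yet initialised: sealed=true, initialized=false.
  local sealed_status=$(kubectl exec "$(name_prefix)-ha-server-0" -- vault status -format=json |
    jq .sealed )
  [ "${sealed_status}" == "true" ]

  local init_status=$(kubectl exec "$(name_prefix)-ha-server-0" -- vault status -format=json |
    jq .initialized)
  [ "${init_status}" == "false" ]

  # Verify exactly one HA server pod exists. The "1 replica" in the title was
  # previously asserted by nothing; the labels match the chart's server
  # selector (app/release/component).
  local replicas=$(kubectl get pods -l "app=$(name_prefix),release=$(name_prefix),component=server" --no-headers | wc -l)
  [ "${replicas}" -eq 1 ]
}

# setup a consul env
#
# SECURITY: this pulls the chart tarball straight from GitHub with no
# integrity check. The tag pins a name, not content; prefer a vendored copy
# of the chart or verify the archive's digest before trusting this in CI.
# (A stray trailing backslash after the last --set previously continued the
# command onto the blank line; it is removed.)
setup() {
  helm install https://github.com/hashicorp/consul-helm/archive/v0.3.0.tar.gz \
    --name consul \
    --set 'ui.enabled=false'

  wait_for_running_consul
}

# cleanup
#
# WARNING: `kubectl delete --all pvc` removes every PVC in the current
# namespace, not only the ones these charts created. Run the acceptance
# suite only against a disposable cluster/namespace.
teardown() {
  helm delete --purge vault
  helm delete --purge consul
  kubectl delete --all pvc
}

--------------------------------------------------------------------------------
/helm/vault-helm/test/acceptance/server.bats:
--------------------------------------------------------------------------------
#!/usr/bin/env bats

load _helpers

@test "server: default, comes up sealed" {
  helm_install
  wait_for_running "$(name_prefix)-server-0"

  # Verify installed but not yet initialised: sealed=true, initialized=false.
  # (No replica-count check is made here.)
  local sealed_status=$(kubectl exec "$(name_prefix)-server-0" -- vault status -format=json |
    jq .sealed )
  [ "${sealed_status}" == "true" ]

  local init_status=$(kubectl exec "$(name_prefix)-server-0" -- vault status -format=json |
    jq .initialized)
  [ "${init_status}" == "false" ]

  # TODO check pv, pvc
}
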
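# Clean up
#
# WARNING: `kubectl delete --all pvc` removes every PVC in the current
# namespace; only run this suite against a disposable namespace/cluster.
teardown() {
  echo "helm/pvc teardown"
  helm delete --purge vault
  kubectl delete --all pvc
}

--------------------------------------------------------------------------------
/helm/vault-helm/test/docker/Test.dockerfile:
--------------------------------------------------------------------------------
# This Dockerfile installs all the dependencies necessary to run the unit and
# acceptance tests. This image also contains gcloud so you can run tests
# against a GKE cluster easily.
#
# This image has no automatic entrypoint. It is expected that you'll run
# a script to configure kubectl, potentially install Helm, and run the tests
# manually. This image only has the dependencies pre-installed.
#
# Supply-chain notes for anyone reusing this image beyond throwaway CI:
#   * alpine:latest is unpinned, so builds are not reproducible; pin a
#     release (and ideally a digest).
#   * kubectl and the Cloud SDK are downloaded without checksum or signature
#     verification, and Helm is installed via `curl | bash` from the master
#     branch of its installer script. Pin versions and verify digests before
#     this image is allowed near real credentials.

FROM alpine:latest
WORKDIR /root

ENV BATS_VERSION "1.1.0"

# base packages. These are runtime dependencies of the test scripts, not
# build-only deps, so they are no longer grouped into a removable
# ".build-deps" virtual package (nothing ever deleted it anyway).
RUN apk update && apk add --no-cache \
    ca-certificates \
    curl \
    tar \
    bash \
    openssl \
    python \
    py-pip \
    git \
    jq

# yq
RUN pip install yq

# gcloud
# TODO(security): pin a Cloud SDK version and verify the installer's digest.
RUN curl -OL https://dl.google.com/dl/cloudsdk/channels/rapid/install_google_cloud_sdk.bash && \
    bash install_google_cloud_sdk.bash --disable-prompts --install-dir='/root/' && \
    ln -s /root/google-cloud-sdk/bin/gcloud /usr/local/bin/gcloud

# kubectl
# TODO(security): "stable" moves between builds and the binary is not
# checksum-verified; pin a release and verify its published checksum.
RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl && \
    chmod +x ./kubectl && \
    mv ./kubectl /usr/local/bin/kubectl

# helm
# TODO(security): pin the installer to a tagged ref (or install from a Helm
# release tarball) rather than master, and review it before piping to bash.
RUN curl https://raw.githubusercontent.com/kubernetes/helm/master/scripts/get | bash

# bats
RUN curl -sSL https://github.com/bats-core/bats-core/archive/v${BATS_VERSION}.tar.gz -o /tmp/bats.tgz \
    && tar -zxf /tmp/bats.tgz -C /tmp \
    && /bin/bash /tmp/bats-core-$BATS_VERSION/install.sh /usr/local

--------------------------------------------------------------------------------
/helm/vault-helm/test/terraform/main.tf:
--------------------------------------------------------------------------------
locals {
  service_account_path = "${path.module}/service-account.yaml"
}

provider "google" {
  project = "${var.project}"
  region  = "us-central1"

  # Long-lived service-account key read from the module directory. Keep this
  # file out of version control and prefer application-default credentials
  # where possible; a leaked key here is full project access.
  credentials = "${file("vault-helm-dev-creds.json")}"
}

resource "random_id" "suffix" {
  byte_length = 4
}

data "google_container_engine_versions" "main" {
  zone = "${var.zone}"
}

data "google_service_account" "gcpapi" {
  account_id = "${var.gcp_service_account}"
}

resource "google_container_cluster" "cluster" {
  name    = "vault-helm-dev-${random_id.suffix.dec}"
  project = "${var.project}"

  # SECURITY: legacy ABAC grants broad cluster access that bypasses RBAC.
  # It is left on because the Helm bootstrap provisioner later in this file
  # (outside this excerpt) may depend on it; for anything beyond a throwaway
  # dev cluster set this to false and give Tiller a scoped ServiceAccount
  # with an explicit RBAC binding.
  enable_legacy_abac = true
  initial_node_count = 3
  zone               = "${var.zone}"
  min_master_version = "${data.google_container_engine_versions.main.latest_master_version}"
  node_version       = "${data.google_container_engine_versions.main.latest_node_version}"

  node_config {
    # Service account and OAuth scopes for the nodes. "cloud-platform"
    # subsumes the rest of the list and effectively hands every pod that can
    # reach the node metadata server the node SA's full IAM grant; narrow
    # this outside of disposable test clusters.
    oauth_scopes = [
      "https://www.googleapis.com/auth/cloud-platform",
      "https://www.googleapis.com/auth/compute",
      "https://www.googleapis.com/auth/devstorage.read_write",
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring",
      "https://www.googleapis.com/auth/service.management.readonly",
      "https://www.googleapis.com/auth/servicecontrol",
      "https://www.googleapis.com/auth/trace.append",
    ]

    service_account = "${data.google_service_account.gcpapi.email}"
  }
}

resource "null_resource" "kubectl" {
  count = "${var.init_cli ? 1 : 0 }"

  triggers {
    cluster = "${google_container_cluster.cluster.id}"
  }

  # On creation, we want to setup the kubectl credentials.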
The easiest way 58 | # to do this is to shell out to gcloud. 59 | provisioner "local-exec" { 60 | command = "gcloud container clusters get-credentials --zone=${var.zone} ${google_container_cluster.cluster.name}" 61 | } 62 | 63 | # On destroy we want to try to clean up the kubectl credentials. This 64 | # might fail if the credentials are already cleaned up or something so we 65 | # want this to continue on failure. Generally, this works just fine since 66 | # it only operates on local data. 67 | provisioner "local-exec" { 68 | when = "destroy" 69 | on_failure = "continue" 70 | command = "kubectl config get-clusters | grep ${google_container_cluster.cluster.name} | xargs -n1 kubectl config delete-cluster" 71 | } 72 | 73 | provisioner "local-exec" { 74 | when = "destroy" 75 | on_failure = "continue" 76 | command = "kubectl config get-contexts | grep ${google_container_cluster.cluster.name} | xargs -n1 kubectl config delete-context" 77 | } 78 | } 79 | 80 | resource "null_resource" "helm" { 81 | count = "${var.init_cli ? 1 : 0 }" 82 | depends_on = ["null_resource.kubectl"] 83 | 84 | triggers { 85 | cluster = "${google_container_cluster.cluster.id}" 86 | } 87 | 88 | provisioner "local-exec" { 89 | command = < 0' | tee /dev/stderr) 11 | [ "${actual}" = "true" ] 12 | } 13 | 14 | @test "server/ConfigMap: enable with global.enabled false" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/server-config-configmap.yaml \ 18 | --set 'global.enabled=false' \ 19 | --set 'server.enabled=true' \ 20 | . | tee /dev/stderr | 21 | yq 'length > 0' | tee /dev/stderr) 22 | [ "${actual}" = "true" ] 23 | } 24 | 25 | @test "server/ConfigMap: disable with server.enabled" { 26 | cd `chart_dir` 27 | local actual=$(helm template \ 28 | -x templates/server-config-configmap.yaml \ 29 | --set 'server.enabled=false' \ 30 | . 
| tee /dev/stderr | 31 | yq 'length > 0' | tee /dev/stderr) 32 | [ "${actual}" = "false" ] 33 | } 34 | 35 | @test "server/ConfigMap: disable with global.enabled" { 36 | cd `chart_dir` 37 | local actual=$(helm template \ 38 | -x templates/server-config-configmap.yaml \ 39 | --set 'global.enabled=false' \ 40 | . | tee /dev/stderr | 41 | yq 'length > 0' | tee /dev/stderr) 42 | [ "${actual}" = "false" ] 43 | } 44 | 45 | @test "server/ConfigMap: extraConfig is set" { 46 | cd `chart_dir` 47 | local actual=$(helm template \ 48 | -x templates/server-config-configmap.yaml \ 49 | --set 'server.config="{\"hello\": \"world\"}"' \ 50 | . | tee /dev/stderr | 51 | yq '.data["extraconfig-from-values.hcl"] | match("world") | length' | tee /dev/stderr) 52 | [ ! -z "${actual}" ] 53 | } 54 | -------------------------------------------------------------------------------- /helm/vault-helm/test/unit/server-ha-configmap.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "server/ConfigMap: enabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/server-ha-config-configmap.yaml \ 9 | --set 'serverHA.enabled=true' \ 10 | . | tee /dev/stderr | 11 | yq 'length > 0' | tee /dev/stderr) 12 | [ "${actual}" = "true" ] 13 | } 14 | 15 | @test "server/ConfigMap: enable with global.enabled false" { 16 | cd `chart_dir` 17 | local actual=$(helm template \ 18 | -x templates/server-ha-config-configmap.yaml \ 19 | --set 'global.enabled=false' \ 20 | --set 'serverHA.enabled=true' \ 21 | . | tee /dev/stderr | 22 | yq 'length > 0' | tee /dev/stderr) 23 | [ "${actual}" = "true" ] 24 | } 25 | 26 | @test "server/ConfigMap: disable with serverHA.enabled" { 27 | cd `chart_dir` 28 | local actual=$(helm template \ 29 | -x templates/server-ha-config-configmap.yaml \ 30 | --set 'serverHA.enabled=false' \ 31 | . 
| tee /dev/stderr | 32 | yq 'length > 0' | tee /dev/stderr) 33 | [ "${actual}" = "false" ] 34 | } 35 | 36 | @test "server/ConfigMap: disable with global.enabled" { 37 | cd `chart_dir` 38 | local actual=$(helm template \ 39 | -x templates/server-ha-config-configmap.yaml \ 40 | --set 'global.enabled=false' \ 41 | . | tee /dev/stderr | 42 | yq 'length > 0' | tee /dev/stderr) 43 | [ "${actual}" = "false" ] 44 | } 45 | 46 | @test "server/ConfigMap: extraConfig is set" { 47 | cd `chart_dir` 48 | local actual=$(helm template \ 49 | -x templates/server-ha-config-configmap.yaml \ 50 | --set 'serverHA.enabled=true' \ 51 | --set 'serverHA.config="{\"hello\": \"world\"}"' \ 52 | . | tee /dev/stderr | 53 | yq '.data["extraconfig-from-values.hcl"] | match("world") | length' | tee /dev/stderr) 54 | [ ! -z "${actual}" ] 55 | } 56 | -------------------------------------------------------------------------------- /helm/vault-helm/test/unit/server-ha-disruptionbudget.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "server/DisruptionBudget: enabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/server-disruptionbudget.yaml \ 9 | --set 'serverHA.enabled=true' \ 10 | . | tee /dev/stderr | 11 | yq 'length > 0' | tee /dev/stderr) 12 | [ "${actual}" = "true" ] 13 | } 14 | 15 | @test "server/DisruptionBudget: enable with global.enabled false" { 16 | cd `chart_dir` 17 | local actual=$(helm template \ 18 | -x templates/server-disruptionbudget.yaml \ 19 | --set 'global.enabled=false' \ 20 | --set 'serverHA.enabled=true' \ 21 | . | tee /dev/stderr | 22 | yq 'length > 0' | tee /dev/stderr) 23 | [ "${actual}" = "true" ] 24 | } 25 | 26 | @test "server/DisruptionBudget: disable with server.enabled" { 27 | cd `chart_dir` 28 | local actual=$(helm template \ 29 | -x templates/server-disruptionbudget.yaml \ 30 | --set 'serverHA.enabled=false' \ 31 | . 
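| tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "false" ]
}

# The template reads serverHA.disruptionBudget.enabled, not
# server.disruptionBudget.enabled. The previous version of this test set the
# latter and passed only because nothing enabled serverHA, so the template
# rendered nothing regardless of the flag. Turn HA on explicitly so the
# budget flag is what suppresses the resource.
@test "server/DisruptionBudget: disable with serverHA.disruptionBudget.enabled" {
  cd `chart_dir`
  local actual=$(helm template \
      -x templates/server-disruptionbudget.yaml \
      --set 'serverHA.enabled=true' \
      --set 'serverHA.disruptionBudget.enabled=false' \
      . | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "false" ]
}

@test "server/DisruptionBudget: disable with global.enabled" {
  cd `chart_dir`
  local actual=$(helm template \
      -x templates/server-disruptionbudget.yaml \
      --set 'global.enabled=false' \
      . | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "false" ]
}

# ceil((3/2)-1) with integer division is 0: see vault.pdb.maxUnavailable.
@test "server/DisruptionBudget: correct maxUnavailable with n=3" {
  cd `chart_dir`
  local actual=$(helm template \
      -x templates/server-disruptionbudget.yaml \
      --set 'serverHA.enabled=true' \
      --set 'serverHA.replicas=3' \
      . | tee /dev/stderr |
      yq '.spec.maxUnavailable' | tee /dev/stderr)
  [ "${actual}" = "0" ]
}

--------------------------------------------------------------------------------
/helm/vault-helm/test/unit/server-service.bats:
--------------------------------------------------------------------------------
#!/usr/bin/env bats

load _helpers

@test "server/Service: enabled by default" {
  cd `chart_dir`
  local actual=$(helm template \
      -x templates/server-service.yaml \
      . | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "true" ]
}

@test "server/Service: enable with global.enabled false" {
  cd `chart_dir`
  local actual=$(helm template \
      -x templates/server-service.yaml \
      --set 'global.enabled=false' \
      --set 'server.enabled=true' \
      .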
| tee /dev/stderr | 21 | yq 'length > 0' | tee /dev/stderr) 22 | [ "${actual}" = "true" ] 23 | } 24 | 25 | @test "server/Service: disable with server.enabled" { 26 | cd `chart_dir` 27 | local actual=$(helm template \ 28 | -x templates/server-service.yaml \ 29 | --set 'server.enabled=false' \ 30 | . | tee /dev/stderr | 31 | yq 'length > 0' | tee /dev/stderr) 32 | [ "${actual}" = "false" ] 33 | } 34 | 35 | @test "server/Service: disable with global.enabled" { 36 | cd `chart_dir` 37 | local actual=$(helm template \ 38 | -x templates/server-service.yaml \ 39 | --set 'global.enabled=false' \ 40 | . | tee /dev/stderr | 41 | yq 'length > 0' | tee /dev/stderr) 42 | [ "${actual}" = "false" ] 43 | } 44 | 45 | # This can be seen as testing just what we put into the YAML raw, but 46 | # this is such an important part of making everything work we verify it here. 47 | @test "server/Service: tolerates unready endpoints" { 48 | cd `chart_dir` 49 | local actual=$(helm template \ 50 | -x templates/server-service.yaml \ 51 | . | tee /dev/stderr | 52 | yq -r '.metadata.annotations["service.alpha.kubernetes.io/tolerate-unready-endpoints"]' | tee /dev/stderr) 53 | [ "${actual}" = "true" ] 54 | 55 | local actual=$(helm template \ 56 | -x templates/server-service.yaml \ 57 | . | tee /dev/stderr | 58 | yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) 59 | [ "${actual}" = "true" ] 60 | } 61 | -------------------------------------------------------------------------------- /helm/vault-helm/test/unit/ui-service.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "ui/Service: disabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/ui-service.yaml \ 9 | . 
| tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | } 13 | 14 | @test "ui/Service: enable with global.enabled false" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/ui-service.yaml \ 18 | --set 'global.enabled=false' \ 19 | --set 'server.enabled=true' \ 20 | --set 'ui.enabled=true' \ 21 | . | tee /dev/stderr | 22 | yq 'length > 0' | tee /dev/stderr) 23 | [ "${actual}" = "true" ] 24 | } 25 | 26 | @test "ui/Service: disable with server.enabled" { 27 | cd `chart_dir` 28 | local actual=$(helm template \ 29 | -x templates/ui-service.yaml \ 30 | --set 'server.enabled=false' \ 31 | . | tee /dev/stderr | 32 | yq 'length > 0' | tee /dev/stderr) 33 | [ "${actual}" = "false" ] 34 | } 35 | 36 | @test "ui/Service: disable with ui.enabled" { 37 | cd `chart_dir` 38 | local actual=$(helm template \ 39 | -x templates/ui-service.yaml \ 40 | --set 'ui.enabled=false' \ 41 | . | tee /dev/stderr | 42 | yq 'length > 0' | tee /dev/stderr) 43 | [ "${actual}" = "false" ] 44 | } 45 | 46 | @test "ui/Service: disable with ui.service.enabled" { 47 | cd `chart_dir` 48 | local actual=$(helm template \ 49 | -x templates/ui-service.yaml \ 50 | --set 'ui.service.enabled=false' \ 51 | . | tee /dev/stderr | 52 | yq 'length > 0' | tee /dev/stderr) 53 | [ "${actual}" = "false" ] 54 | } 55 | 56 | @test "ui/Service: disable with global.enabled" { 57 | cd `chart_dir` 58 | local actual=$(helm template \ 59 | -x templates/ui-service.yaml \ 60 | --set 'global.enabled=false' \ 61 | . | tee /dev/stderr | 62 | yq 'length > 0' | tee /dev/stderr) 63 | [ "${actual}" = "false" ] 64 | } 65 | 66 | @test "ui/Service: disable with global.enabled and server.enabled on" { 67 | cd `chart_dir` 68 | local actual=$(helm template \ 69 | -x templates/ui-service.yaml \ 70 | --set 'global.enabled=false' \ 71 | --set 'server.enabled=true' \ 72 | . 
| tee /dev/stderr | 73 | yq 'length > 0' | tee /dev/stderr) 74 | [ "${actual}" = "false" ] 75 | } 76 | 77 | @test "ui/Service: no type by default" { 78 | cd `chart_dir` 79 | local actual=$(helm template \ 80 | -x templates/ui-service.yaml \ 81 | . | tee /dev/stderr | 82 | yq -r '.spec.type' | tee /dev/stderr) 83 | [ "${actual}" = "null" ] 84 | } 85 | 86 | @test "ui/Service: specified type" { 87 | cd `chart_dir` 88 | local actual=$(helm template \ 89 | -x templates/ui-service.yaml \ 90 | --set 'ui.service.type=LoadBalancer' \ 91 | --set 'ui.enabled=true' \ 92 | . | tee /dev/stderr | 93 | yq -r '.spec.type' | tee /dev/stderr) 94 | [ "${actual}" = "LoadBalancer" ] 95 | } 96 | -------------------------------------------------------------------------------- /images/application-secrets-workflow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hashicorp/hands-on-with-vault-on-kubernetes/bf62625f97636025cfc8c7c2fae11604dfbbc896/images/application-secrets-workflow.png -------------------------------------------------------------------------------- /images/exampleapp-sidecar-updated.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hashicorp/hands-on-with-vault-on-kubernetes/bf62625f97636025cfc8c7c2fae11604dfbbc896/images/exampleapp-sidecar-updated.png -------------------------------------------------------------------------------- /images/exampleapp-sidecar.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hashicorp/hands-on-with-vault-on-kubernetes/bf62625f97636025cfc8c7c2fae11604dfbbc896/images/exampleapp-sidecar.png -------------------------------------------------------------------------------- /images/exampleapp-simple.png: -------------------------------------------------------------------------------- 
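https://raw.githubusercontent.com/hashicorp/hands-on-with-vault-on-kubernetes/bf62625f97636025cfc8c7c2fae11604dfbbc896/images/exampleapp-simple.png
--------------------------------------------------------------------------------
/images/overview.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hashicorp/hands-on-with-vault-on-kubernetes/bf62625f97636025cfc8c7c2fae11604dfbbc896/images/overview.png
--------------------------------------------------------------------------------
/images/vault-backend.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hashicorp/hands-on-with-vault-on-kubernetes/bf62625f97636025cfc8c7c2fae11604dfbbc896/images/vault-backend.png
--------------------------------------------------------------------------------
/images/vault-ha.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hashicorp/hands-on-with-vault-on-kubernetes/bf62625f97636025cfc8c7c2fae11604dfbbc896/images/vault-ha.png
--------------------------------------------------------------------------------
/images/web-preview.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hashicorp/hands-on-with-vault-on-kubernetes/bf62625f97636025cfc8c7c2fae11604dfbbc896/images/web-preview.png
--------------------------------------------------------------------------------
/kubernetes/exampleapp-database-sidecar.yaml:
--------------------------------------------------------------------------------
---
# Example app pod: an init container obtains a Vault token via the Kubernetes
# auth method and hands it to a consul-template sidecar through a shared
# in-memory volume.
#
# NOTE: this listing is truncated. The consul-template `contents = <<EOF`
# body and everything after it were lost when the page was captured, so the
# manifest below ends mid-config; consult the original file before applying.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: exampleapp-database-sidecar
  labels:
    app: exampleapp-database-sidecar
spec:
  replicas: 1
  selector:
    matchLabels:
      app: exampleapp-database-sidecar
  template:
    metadata:
      labels:
        app: exampleapp-database-sidecar
    spec:
      volumes:
        - name: secrets
          emptyDir: {}
        # The Vault token lives on a tmpfs-backed emptyDir so it never
        # touches node disk; it is still readable by every container in this
        # pod that mounts it.
        - name: vault-token
          emptyDir:
            medium: Memory
        - name: certs
          secret:
            secretName: vault-tls
      # Only the group is pinned. The images' default users are not visible
      # from this manifest; add runAsNonRoot/runAsUser once confirmed the
      # images support it — TODO confirm.
      securityContext:
        runAsGroup: 1000

      initContainers:
        - name: vault-authenticator
          securityContext:
            runAsGroup: 1000
          image: sethvargo/vault-kubernetes-authenticator:0.2.0
          imagePullPolicy: IfNotPresent
          volumeMounts:
            - name: vault-token
              mountPath: /var/run/secrets/vaultproject.io
            - name: certs
              readOnly: true
              mountPath: /vault/userconfig/vault-tls
          env:
            # Read the Vault endpoint from the same ConfigMap the sidecar
            # uses. This was previously hard-coded to
            # https://vault.prod.svc.cluster.local, which only matched the
            # ConfigMap value when the release lived in the "prod" namespace;
            # otherwise the token was fetched from a different server than
            # the one the sidecar talks to.
            - name: VAULT_ADDR
              valueFrom:
                configMapKeyRef:
                  name: vault-service-config
                  key: endpoint
            - name: VAULT_CACERT
              value: /vault/userconfig/vault-tls/ca.crt
            - name: VAULT_ROLE
              value: exampleapp-role

      containers:
        - name: consul-template
          image: hashicorp/consul-template:0.20.0-light
          imagePullPolicy: IfNotPresent
          volumeMounts:
            - name: secrets
              mountPath: /etc/secrets
            - name: vault-token
              mountPath: /var/run/secrets/vaultproject.io
            - name: certs
              readOnly: true
              mountPath: /vault/userconfig/vault-tls
          env:
            - name: VAULT_ADDR
              valueFrom:
                configMapKeyRef:
                  name: vault-service-config
                  key: endpoint
            - name: VAULT_CACERT
              value: /vault/userconfig/vault-tls/ca.crt
            - name: CT_LOCAL_CONFIG
              value: |
                vault {
                  vault_agent_token_file = "/var/run/secrets/vaultproject.io/.vault-token"
                  grace = "1m"
                  retry {
                    backoff = "1s"
                  }
                }
                template {
                  contents = < Unpacking and installing"
# SECURITY: pulls the installer image at its floating default tag and lets a
# third-party container write into ~/bin, then fixes ownership with sudo.
# Pin the image (tag or digest) and verify the vault binary's checksum if
# this is ever used outside a workshop.
docker run -v "${HOME}/bin:/software" sethvargo/hashicorp-installer vault 1.1.2
sudo chown "$(whoami):$(whoami)" "${HOME}/bin/vault"
sudo chmod +x "${HOME}/bin/vault"

echo "--> Setting PATH"
export PATH="${PATH}:${HOME}/bin"

echo "--> Installing completions"
vault -autocomplete-install || true

echo "--> Done!"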
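exec $SHELL
-------------------------------------------------------------------------------- /scripts/01-consul.sh: --------------------------------------------------------------------------------
#!/bin/bash -
set -Eeuo pipefail

source "$(pwd)/scripts/__helpers.sh"

# Install (or upgrade) the backend chart, then wait for the Consul servers and
# the ACL bootstrap job to finish before reading the bootstrap token out of it.
helm upgrade --install "$(consul-release)" helm/vault-backend --namespace "$(namespace)"
kubectl rollout status "statefulset/$(consul-release)-consul-server" --namespace "$(namespace)"
helm test "$(consul-release)"

kubectl wait --for=condition=complete job/vault-backend-vault-acl -n "$(namespace)"

# The ACL job prints "SecretID: <token>" in its log; pick the pod that completed.
# Fail loudly instead of creating a secret with an empty token.
PODNAME=$(kubectl get pods --no-headers -o custom-columns=":metadata.name" -n "$(namespace)" -l app=vault-backend --field-selector=status.phase=Succeeded)
if [ -z "${PODNAME}" ]; then
  echo "no completed vault-backend pod found in namespace $(namespace)" >&2
  exit 1
fi
TOKEN=$(kubectl logs "${PODNAME}" -n "$(namespace)" | sed -n -e 's/^SecretID:[[:space:]]*\(.*\)/\1/p')
if [ -z "${TOKEN}" ]; then
  echo "could not find a SecretID line in the logs of ${PODNAME}" >&2
  exit 1
fi

# Hand the token to kubectl over stdin rather than --from-literal so the value
# never appears on a command line (process listings, shell history).
# printf '%s' keeps the secret byte-identical to --from-literal (no trailing newline).
kubectl delete secret -n "$(namespace)" vault-backend-token --ignore-not-found
printf '%s' "${TOKEN}" | kubectl create secret -n "$(namespace)" generic vault-backend-token --from-file=token=/dev/stdin
-------------------------------------------------------------------------------- /scripts/02-certs.sh: --------------------------------------------------------------------------------
#!/bin/bash -
set -Eeuo pipefail

source "$(pwd)/scripts/__helpers.sh"

DIR="$(pwd)/tls"

rm -rf "${DIR}"
mkdir -p "${DIR}"

# The CA and server private keys generated below are written unencrypted into
# ${DIR}; restrict everything created from here on to the current user.
umask 077

# Create the conf file
cat > "${DIR}/openssl.cnf" << EOF
[req]
default_bits = 2048
encrypt_key = no
default_md = sha256
prompt = no
utf8 = yes

distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
C = US
ST = Oregon
L = Portland
O = OSCON19
CN = vault

[v3_req]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names
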
| 37 | [alt_names] 38 | DNS.1 = *.$(vault-release)-ha-server.$(namespace).svc.cluster.local 39 | DNS.2 = $(vault-release).$(namespace).svc.cluster.local 40 | EOF 41 | 42 | # Generate Vault's certificates and a CSR 43 | openssl genrsa -out "${DIR}/vault.key" 2048 44 | 45 | openssl req \ 46 | -new -key "${DIR}/vault.key" \ 47 | -out "${DIR}/vault.csr" \ 48 | -config "${DIR}/openssl.cnf" 49 | 50 | # Create our CA 51 | openssl req \ 52 | -new \ 53 | -newkey rsa:2048 \ 54 | -days 120 \ 55 | -nodes \ 56 | -x509 \ 57 | -subj "/C=US/ST=California/L=The Cloud/O=Vault CA" \ 58 | -keyout "${DIR}/ca.key" \ 59 | -out "${DIR}/ca.crt" 60 | 61 | # Sign CSR with our CA 62 | openssl x509 \ 63 | -req \ 64 | -days 120 \ 65 | -in "${DIR}/vault.csr" \ 66 | -CA "${DIR}/ca.crt" \ 67 | -CAkey "${DIR}/ca.key" \ 68 | -CAcreateserial \ 69 | -extensions v3_req \ 70 | -extfile "${DIR}/openssl.cnf" \ 71 | -out "${DIR}/vault.crt" 72 | 73 | # Export combined certs for vault 74 | cat "${DIR}/vault.crt" "${DIR}/ca.crt" > "${DIR}/vault-combined.crt" 75 | 76 | kubectl delete secret vault-tls -n $(namespace) --ignore-not-found 77 | kubectl delete secret vault-tls -n default --ignore-not-found 78 | 79 | kubectl create secret generic vault-tls -n $(namespace) \ 80 | --from-file="${DIR}/ca.crt" \ 81 | --from-file="vault.crt=${DIR}/vault-combined.crt" \ 82 | --from-file="vault.key=${DIR}/vault.key" 83 | 84 | kubectl create secret generic vault-tls -n default \ 85 | --from-file="${DIR}/ca.crt" \ 86 | --from-file="vault.crt=${DIR}/vault-combined.crt" \ 87 | --from-file="vault.key=${DIR}/vault.key" -------------------------------------------------------------------------------- /scripts/03-vault.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash - 2 | set -Eeuo pipefail 3 | 4 | source "$(pwd)/scripts/__helpers.sh" 5 | 6 | cat > vault-config.yaml < local.env 15 | echo "export VAULT_ADDR=http://localhost:8200" >> local.env 
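-------------------------------------------------------------------------------- /scripts/09-get-secret.sh: --------------------------------------------------------------------------------
#!/bin/bash -
set -Eeuo pipefail

source "$(pwd)/scripts/__helpers.sh"

# local.env is expected to export VAULT_ADDR (and whatever else the earlier
# scripts wrote into it); this listing only shows the VAULT_ADDR line being written.
source local.env

vault kv get secret/data/exampleapp/config
-------------------------------------------------------------------------------- /scripts/10-exampleapp-sidecar.sh: --------------------------------------------------------------------------------
#!/bin/bash -
set -Eeuo pipefail

source "$(pwd)/scripts/__helpers.sh"

kubectl apply -f kubernetes/exampleapp-sidecar.yaml

kubectl rollout status deployment/exampleapp-sidecar
-------------------------------------------------------------------------------- /scripts/11-deploy-mysql.sh: --------------------------------------------------------------------------------
#!/bin/bash -
set -Eeuo pipefail

source "$(pwd)/scripts/__helpers.sh"

kubectl apply -f kubernetes/mysql.yaml

kubectl rollout status deployment/mysql

PODNAME=$(kubectl get pods --no-headers -o custom-columns=":metadata.name" -l app=mysql)
if [ -z "${PODNAME}" ]; then
  echo "no mysql pod found" >&2
  exit 1
fi

# Poll until the LoadBalancer service has published an external address.
# The variable is quoted: unquoted, an empty value turns `[ -z $x ]` into `[ -z ]`,
# which only works by accident.
external_ip=""
while [ -z "${external_ip}" ]; do
  echo "Waiting for end point..."
  external_ip=$(kubectl get svc mysql --template="{{range .status.loadBalancer.ingress}}{{.ip}}{{end}}")
  [ -z "${external_ip}" ] && sleep 10
done
echo "End point ready-"
echo "${external_ip}"

# Demo root password; the same value is used by 12-dynamic-db-secret.sh. It can be
# overridden through MYSQL_ROOT_PASSWORD without editing the script. No TTY is
# needed for a one-shot statement, so -t is dropped (it fails when run without one).
MYSQL_ROOT_PASSWORD="${MYSQL_ROOT_PASSWORD:-osc0n2019}"
kubectl exec -i "${PODNAME}" -- mysql -u root "-p${MYSQL_ROOT_PASSWORD}" -e "create database exampleapp"
-------------------------------------------------------------------------------- /scripts/12-dynamic-db-secret.sh: --------------------------------------------------------------------------------
#!/bin/bash -
set -Eeuo pipefail

source "$(pwd)/scripts/__helpers.sh"

export VAULT_ADDR="http://localhost:8200"

unset VAULT_TOKEN

export VAULT_TOKEN="$(kubectl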
get secrets/vault-tokens -n $(namespace) -o jsonpath={.data.admin} | base64 --decode)" 11 | export INSTANCE_IP=$(kubectl get svc mysql --template="{{range .status.loadBalancer.ingress}}{{.ip}}{{end}}") 12 | 13 | echo "${INSTANCE_IP}" 14 | 15 | # Enable the database secrets engine 16 | vault secrets enable database 17 | 18 | # Configure the database secrets engine TTLs 19 | vault write database/config/exampleapp \ 20 | plugin_name="mysql-legacy-database-plugin" \ 21 | connection_url="{{username}}:{{password}}@tcp(${INSTANCE_IP}:3306)/" \ 22 | allowed_roles="readonly" \ 23 | username="root" \ 24 | password="osc0n2019" 25 | 26 | # Create a role which will create a readonly user 27 | vault write database/roles/readonly \ 28 | db_name="exampleapp" \ 29 | creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; GRANT SELECT ON *.* TO '{{name}}'@'%';" \ 30 | default_ttl="30s" \ 31 | max_ttl="1m" 32 | 33 | # Create a new policy which allows generating these dynamic credentials 34 | vault policy write exampleapp-db -</dev/null 40 | ) 41 | } 42 | 43 | # google-region returns the region in which resources should be created. This 44 | # variable must be changed before running any commands. 
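google-region() {
  (
    echo "us-west1"
  )
}

vault-service-account() {
  (
    echo "vault-server"
  )
}

vault-service-account-email() {
  (
    echo "$(vault-service-account)@$(google-project).iam.gserviceaccount.com"
  )
}

keyring() {
  (
    echo "vault"
  )
}

key() {
  (
    echo "init"
  )
}

# cluster-name returns the GKE cluster name; CLUSTER_NAME overrides the default.
cluster-name() {
  (
    local cluster_name="${CLUSTER_NAME:-}"
    if [ -z "${cluster_name:-}" ]; then
      echo "vault-on-kubernetes"
      return 0
    fi
    echo "${cluster_name}"
  )
}

namespace() {
  (
    echo "prod"
  )
}

consul-release() {
  (
    echo "consul"
  )
}

vault-release() {
  (
    echo "vault"
  )
}
-------------------------------------------------------------------------------- /scripts/clean-all.sh: --------------------------------------------------------------------------------
#!/bin/bash -
set -Eeuo pipefail

source "$(pwd)/scripts/__helpers.sh"

kubectl delete -f kubernetes/exampleapp-database-sidecar.yaml --ignore-not-found
kubectl delete -f kubernetes/mysql.yaml --ignore-not-found
kubectl delete -f kubernetes/exampleapp-sidecar.yaml --ignore-not-found
kubectl delete -f kubernetes/exampleapp-simple.yaml --ignore-not-found

gcloud container clusters delete "$(cluster-name)" --async --quiet --project="$(google-project)" --region="$(google-region)"

# tls/ holds the unencrypted CA and server keys from 02-certs.sh.
rm -rf tls/
rm -f vault-config.yaml

# Stop leftover kubectl processes (presumably port-forwards; this listing does not
# show where they are started). Note this matches every process named kubectl on
# the machine, not only this project's. pgrep exits 1 when nothing matches, which
# under `set -e -o pipefail` would abort the script, so an empty match is tolerated,
# as is a process that exits between pgrep and kill.
{ pgrep kubectl || true; } | while read -r pid; do
  kill "${pid}" || true
done
-------------------------------------------------------------------------------- /scripts/clean-kubernetes.sh: --------------------------------------------------------------------------------
#!/bin/bash -
set -Eeuo pipefail

source "$(pwd)/scripts/__helpers.sh"

# Same as clean-all.sh: without `|| true` an empty pgrep result aborts the script
# here, before anything below has been deleted.
{ pgrep kubectl || true; } | while read -r pid; do
  kill "${pid}" || true
done

kubectl delete -f kubernetes/exampleapp-database-sidecar.yaml --ignore-not-found
kubectl delete -f kubernetes/mysql.yaml --ignore-not-found
kubectl delete -f kubernetes/exampleapp-sidecar.yaml --ignore-not-found
kubectl delete -f kubernetes/exampleapp-simple.yaml --ignore-not-found

kubectl delete configmap "$(vault-release)-service-config" --ignore-not-found
kubectl delete serviceaccount vault-auth --ignore-not-found

# Helm 2 syntax (`del --purge`), matching the rest of the scripts.
helm del --purge vault-acl || true
helm del --purge vault || true
helm del --purge consul || true
# --ignore-not-found so a second clean-up run does not fail on the last step.
kubectl delete ns "$(namespace)" --ignore-not-found
--------------------------------------------------------------------------------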