├── .github ├── ISSUE_TEMPLATE │ ├── bug_report.md │ ├── config.yml │ └── feature_request.md ├── actions │ └── setup-test-tools │ │ └── action.yaml ├── dependabot.yml └── workflows │ ├── acceptance.yaml │ ├── lint-chart.yml │ ├── release-chart.yml │ └── tests.yaml ├── .gitignore ├── CHANGELOG.md ├── CONTRIBUTING.md ├── LICENSE ├── Makefile ├── README.md ├── charts └── openbao │ ├── .helmignore │ ├── Chart.yaml │ ├── README.md │ ├── templates │ ├── NOTES.txt │ ├── _helpers.tpl │ ├── csi-agent-configmap.yaml │ ├── csi-clusterrole.yaml │ ├── csi-clusterrolebinding.yaml │ ├── csi-daemonset.yaml │ ├── csi-role.yaml │ ├── csi-rolebinding.yaml │ ├── csi-serviceaccount.yaml │ ├── injector-certs-secret.yaml │ ├── injector-clusterrole.yaml │ ├── injector-clusterrolebinding.yaml │ ├── injector-deployment.yaml │ ├── injector-disruptionbudget.yaml │ ├── injector-mutating-webhook.yaml │ ├── injector-network-policy.yaml │ ├── injector-psp-role.yaml │ ├── injector-psp-rolebinding.yaml │ ├── injector-psp.yaml │ ├── injector-role.yaml │ ├── injector-rolebinding.yaml │ ├── injector-service.yaml │ ├── injector-serviceaccount.yaml │ ├── prometheus-prometheusrules.yaml │ ├── prometheus-servicemonitor.yaml │ ├── server-clusterrolebinding.yaml │ ├── server-config-configmap.yaml │ ├── server-discovery-role.yaml │ ├── server-discovery-rolebinding.yaml │ ├── server-disruptionbudget.yaml │ ├── server-ha-active-service.yaml │ ├── server-ha-standby-service.yaml │ ├── server-headless-service.yaml │ ├── server-ingress.yaml │ ├── server-network-policy.yaml │ ├── server-psp-role.yaml │ ├── server-psp-rolebinding.yaml │ ├── server-psp.yaml │ ├── server-route.yaml │ ├── server-service.yaml │ ├── server-serviceaccount-secret.yaml │ ├── server-serviceaccount.yaml │ ├── server-statefulset.yaml │ ├── tests │ │ └── server-test.yaml │ └── ui-service.yaml │ ├── values.openshift.yaml │ ├── values.schema.json │ └── values.yaml └── test ├── README.md ├── acceptance ├── _helpers.bash ├── csi-test │ ├── 
nginx.yaml │ ├── openbao-kv-secretproviderclass.yaml │ └── openbao-policy.hcl ├── csi.bats ├── helm-test.bats ├── injector-leader-elector.bats ├── injector-test │ ├── bootstrap.sh │ ├── job.yaml │ ├── pg-deployment.yaml │ └── pgdump-policy.hcl ├── injector.bats ├── server-annotations.bats ├── server-dev.bats ├── server-ha-raft.bats ├── server-telemetry.bats ├── server-test │ ├── annotations-overrides.yaml │ └── telemetry.yaml └── server.bats ├── chart ├── _helpers.bash └── verifier.bats ├── docker └── Test.dockerfile ├── kind └── config.yaml ├── terraform ├── .gitignore ├── main.tf ├── outputs.tf └── variables.tf └── unit ├── _helpers.bash ├── csi-agent-configmap.bats ├── csi-clusterrole.bats ├── csi-clusterrolebinding.bats ├── csi-daemonset.bats ├── csi-role.bats ├── csi-rolebinding.bats ├── csi-serviceaccount.bats ├── injector-clusterrole.bats ├── injector-clusterrolebinding.bats ├── injector-deployment.bats ├── injector-disruptionbudget.bats ├── injector-leader-elector.bats ├── injector-mutating-webhook.bats ├── injector-psp-role.bats ├── injector-psp-rolebinding.bats ├── injector-psp.bats ├── injector-service.bats ├── injector-serviceaccount.bats ├── prometheus-prometheusrules.bats ├── prometheus-servicemonitor.bats ├── schema.bats ├── server-clusterrolebinding.bats ├── server-configmap.bats ├── server-dev-statefulset.bats ├── server-discovery-role.bats ├── server-discovery-rolebinding.bats ├── server-ha-active-service.bats ├── server-ha-disruptionbudget.bats ├── server-ha-standby-service.bats ├── server-ha-statefulset.bats ├── server-headless-service.bats ├── server-ingress.bats ├── server-network-policy.bats ├── server-psp-role.bats ├── server-psp-rolebinding.bats ├── server-psp.bats ├── server-route.bats ├── server-service.bats ├── server-serviceaccount-secret.bats ├── server-serviceaccount.bats ├── server-statefulset.bats ├── server-test.bats └── ui-service.bats /.github/ISSUE_TEMPLATE/bug_report.md: 
-------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: Let us know about a bug! 4 | title: '' 5 | labels: bug 6 | assignees: '' 7 | 8 | --- 9 | 10 | 17 | 18 | **Describe the bug** 19 | A clear and concise description of what the bug is. 20 | 21 | **To Reproduce** 22 | Steps to reproduce the behavior: 23 | 1. Install chart 24 | 2. Run bao command 25 | 3. See error (openbao logs, etc.) 26 | 27 | Other useful info to include: openbao pod logs, `kubectl describe statefulset openbao` and `kubectl get statefulset openbao -o yaml` output 28 | 29 | **Expected behavior** 30 | A clear and concise description of what you expected to happen. 31 | 32 | **Environment** 33 | * Kubernetes version: 34 | * Distribution or cloud vendor (OpenShift, EKS, GKE, AKS, etc.): 35 | * Other configuration options or runtime services (istio, etc.): 36 | * openbao-helm version: 37 | 38 | Chart values: 39 | 40 | ```yaml 41 | # Paste your user-supplied values here (`helm get values `). 42 | # Be sure to scrub any sensitive values! 43 | ``` 44 | 45 | **Additional context** 46 | Add any other context about the problem here. 47 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/config.yml: -------------------------------------------------------------------------------- 1 | # Copyright (c) HashiCorp, Inc. 
2 | # SPDX-License-Identifier: MPL-2.0 3 | 4 | contact_links: 5 | - name: Ask a question 6 | url: https://chat.lfx.linuxfoundation.org/#/room/#openbao-questions:chat.lfx.linuxfoundation.org 7 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Suggest an idea for this project 4 | title: '' 5 | labels: enhancement 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Is your feature request related to a problem? Please describe.** 11 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] 12 | 13 | **Describe the solution you'd like** 14 | A clear and concise description of what you want to happen. 15 | 16 | **Describe alternatives you've considered** 17 | A clear and concise description of any alternative solutions or features you've considered. 18 | 19 | **Additional context** 20 | Add any other context or screenshots about the feature request here. 21 | -------------------------------------------------------------------------------- /.github/actions/setup-test-tools/action.yaml: -------------------------------------------------------------------------------- 1 | # Copyright (c) HashiCorp, Inc. 
2 | # SPDX-License-Identifier: MPL-2.0 3 | 4 | name: Setup common testing tools 5 | description: Install bats and python-yq 6 | runs: 7 | using: "composite" 8 | steps: 9 | - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 10 | with: 11 | node-version: '16' 12 | - run: npm install -g bats@${BATS_VERSION} 13 | shell: bash 14 | env: 15 | BATS_VERSION: '1.8.2' 16 | - run: bats -v 17 | shell: bash 18 | - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 19 | with: 20 | python-version: '3.10' 21 | - run: pip install yq 22 | shell: bash 23 | permissions: 24 | contents: read 25 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | 3 | updates: 4 | - package-ecosystem: "github-actions" 5 | directory: "/" 6 | schedule: 7 | interval: "daily" -------------------------------------------------------------------------------- /.github/workflows/acceptance.yaml: -------------------------------------------------------------------------------- 1 | name: Acceptance Tests 2 | on: [push, workflow_dispatch, pull_request] 3 | jobs: 4 | kind: 5 | strategy: 6 | fail-fast: false 7 | matrix: 8 | kind-k8s-version: [1.30.10, 1.31.6, 1.32.2] 9 | runs-on: ubuntu-latest 10 | steps: 11 | - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 12 | - name: Setup test tools 13 | uses: ./.github/actions/setup-test-tools 14 | - name: Create K8s Kind Cluster 15 | uses: helm/kind-action@99576bfa6ddf9a8e612d83b513da5a75875caced # v1.9.0 16 | with: 17 | config: test/kind/config.yaml 18 | node_image: kindest/node:v${{ matrix.kind-k8s-version }} 19 | version: v0.22.0 20 | - run: bats --tap --timing ./test/acceptance 21 | permissions: 22 | contents: read 23 | -------------------------------------------------------------------------------- /.github/workflows/lint-chart.yml: 
--------------------------------------------------------------------------------
name: Lint and Test Chart

on:
  pull_request:
    paths:
      - "charts/**"

# Workflow-level default: the lint job only needs to read the checkout.
permissions:
  contents: read

jobs:
  lint:
    name: Lint
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the actions in this job are referenced by mutable tags
      # (actions/checkout@v4, azure/setup-helm@v4, helm/chart-testing-action@v2.6.1,
      # helm/kind-action@v1.10.0), whereas tests.yaml and acceptance.yaml pin each
      # action to a commit SHA with the version in a trailing comment. Pinning here
      # the same way keeps the third-party code this job runs auditable.
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: "0"

      - name: Install Helm
        uses: azure/setup-helm@v4

      - name: Set up chart-testing
        uses: helm/chart-testing-action@v2.6.1

      # Gate the expensive steps on whether any chart actually changed.
      - name: Run chart-testing (list-changed)
        id: list-changed
        run: |
          changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }})
          if [[ -n "$changed" ]]; then
            echo "changed=true" >> "$GITHUB_OUTPUT"
          fi

      - name: Run chart-testing (lint)
        id: lint
        if: steps.list-changed.outputs.changed == 'true'
        run: ct lint --target-branch ${{ github.event.repository.default_branch }}

      - name: Create kind cluster
        uses: helm/kind-action@v1.10.0
        with:
          node_image: kindest/node:v1.30.8
        if: steps.list-changed.outputs.changed == 'true'

      - name: Run chart-testing (install)
        id: install
        if: steps.list-changed.outputs.changed == 'true'
        run: ct install --target-branch ${{ github.event.repository.default_branch }}
--------------------------------------------------------------------------------
/.github/workflows/release-chart.yml:
--------------------------------------------------------------------------------
name: Release

on:
  push:
    branches:
      - main
    paths:
      - 'charts/**'

jobs:
  release:
    # Deployment environment; any protection rules configured on it gate this job.
    environment: helm-release
    # Needed by chart-releaser to push the index and create the GitHub release.
    permissions:
      contents: write
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): this job hands a GITHUB_TOKEN with contents: write to
      # actions referenced by mutable tags (actions/checkout@v4, azure/setup-helm@v3.5,
      # helm/chart-releaser-action@v1.6.0). A moved tag would run unreviewed code
      # with write access to the repository; pinning to a commit SHA with the version
      # in a trailing comment, as tests.yaml and acceptance.yaml do, avoids that.
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Configure Git
        run: |
          git config user.name "$GITHUB_ACTOR"
          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"

      - name: Install Helm
        uses: azure/setup-helm@v3.5
        id: helm-install
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Run chart-releaser
        id: helm-release
        uses: helm/chart-releaser-action@v1.6.0
        env:
          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
          CR_GENERATE_RELEASE_NOTES: true
--------------------------------------------------------------------------------
/.github/workflows/tests.yaml:
--------------------------------------------------------------------------------
# Unit (bats) and chart-verifier jobs. Actions are pinned to commit SHAs, with
# the corresponding release tag kept in a trailing comment for readability.
name: Tests
on: [push, workflow_dispatch, pull_request]
jobs:
  bats-unit-tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - uses: ./.github/actions/setup-test-tools
      - run: bats --tap --timing ./test/unit
  chart-verifier:
    runs-on: ubuntu-latest
    env:
      CHART_VERIFIER_VERSION: "1.13.9"
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Setup test tools
        uses: ./.github/actions/setup-test-tools
      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
        with:
          go-version: "1.22.5"
      # chart-verifier is built from source at the tagged version above.
      - run: go install "github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION}"
      - run: bats --tap --timing ./test/chart
permissions:
  contents: read
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
.DS_Store
.terraform/
.terraform.tfstate*
terraform.tfstate*
terraform.tfvars
values.dev.yaml
# Local GCP service-account key used by the acceptance targets in the Makefile.
# NOTE(review): the Makefile's default GOOGLE_CREDENTIALS?=openbao-helm-test.json
# is not listed here, so a key saved at the repo root under that default name is
# not ignored; only the vaul-helm-dev-creds.json name is.
vaul-helm-dev-creds.json
# NOTE(review): the ./-prefixed patterns below are likely never matched (git
# compares patterns against paths that carry no leading ./). The creds files are
# still covered by the unanchored entry above, but test/acceptance/values.yaml and
# values.yml would not be; dropping the ./ prefix would make them effective.
./test/acceptance/vaul-helm-dev-creds.json
./test/terraform/vaul-helm-dev-creds.json
./test/unit/vaul-helm-dev-creds.json
./test/acceptance/values.yaml
./test/acceptance/values.yml
.idea
scratch/
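--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
TEST_IMAGE?=openbao-helm-test
# Path to the GCP service-account key file used by the GKE targets below.
# NOTE(review): this default name is not in .gitignore (only vaul-helm-dev-creds.json
# is), so a key saved at the repo root under the default name is not ignored by git.
GOOGLE_CREDENTIALS?=openbao-helm-test.json
CLOUDSDK_CORE_PROJECT?=openbao-helm-dev-246514
# set to run a single test - e.g acceptance/server-ha-enterprise-dr.bats
ACCEPTANCE_TESTS?=acceptance

# filter bats unit tests to run.
UNIT_TESTS_FILTER?='.*'

# set to 'true' to run acceptance tests locally in a kind cluster
LOCAL_ACCEPTANCE_TESTS?=false

# kind cluster name
KIND_CLUSTER_NAME?=openbao-helm

# kind k8s version
KIND_K8S_VERSION?=v1.30.10

# Generate json schema for chart values. See test/README.md for more details.
# NOTE(review): reads values.yaml from the current directory; the chart's values
# live under charts/openbao, so this presumably runs from there - confirm in test/README.md.
values-schema:
	helm schema-gen values.yaml > values.schema.json

# Build the image that runs the bats suites (test/docker/Test.dockerfile).
test-image:
	@docker build --rm -t $(TEST_IMAGE) -f $(CURDIR)/test/docker/Test.dockerfile $(CURDIR)

# Run the unit suite inside the test image, filtered by UNIT_TESTS_FILTER.
test-unit:
	@docker run --rm -it -v ${PWD}:/helm-test $(TEST_IMAGE) bats -f $(UNIT_TESTS_FILTER) /helm-test/test/unit

test-bats: test-unit test-acceptance

test: test-image test-bats

# run acceptance tests on GKE
# set google project/credential vars above
# With LOCAL_ACCEPTANCE_TESTS=true the suite runs against a local kind cluster
# instead; the recursive invocation uses $(MAKE) so flags and the jobserver propagate.
test-acceptance:
ifeq ($(LOCAL_ACCEPTANCE_TESTS),true)
	$(MAKE) setup-kind acceptance
else
	@docker run -it -v ${PWD}:/helm-test \
		-e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \
		-e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \
		-e KUBECONFIG=/helm-test/.kube/config \
		-w /helm-test \
		$(TEST_IMAGE) \
		make acceptance
endif

# destroy GKE cluster using terraform
test-destroy:
	@docker run -it -v ${PWD}:/helm-test \
		-e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \
		-e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \
		-w /helm-test \
		$(TEST_IMAGE) \
		make destroy-cluster

# provision GKE cluster using terraform
test-provision:
	@docker run -it -v ${PWD}:/helm-test \
		-e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \
		-e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \
		-e KUBECONFIG=/helm-test/.kube/config \
		-w /helm-test \
		$(TEST_IMAGE) \
		make provision-cluster

# this target is for running the acceptance tests
# it is run in the docker container above when the test-acceptance target is invoked
# (gcloud authentication is skipped for the local kind path)
acceptance:
ifneq ($(LOCAL_ACCEPTANCE_TESTS),true)
	gcloud auth activate-service-account --key-file=${GOOGLE_CREDENTIALS}
endif
	bats --tap --timing test/${ACCEPTANCE_TESTS}

# this target is for provisioning the GKE cluster
# it is run in the docker container above when the test-provision target is invoked
provision-cluster:
	gcloud auth activate-service-account --key-file=${GOOGLE_CREDENTIALS}
	terraform init test/terraform
	terraform apply -var project=${CLOUDSDK_CORE_PROJECT} -var init_cli=true -auto-approve test/terraform

# this target is for removing the GKE cluster
# it is run in the docker container above when the test-destroy target is invoked
destroy-cluster:
	terraform destroy -auto-approve

# create a kind cluster for running the acceptance tests locally
# (idempotent: skipped when a cluster with KIND_CLUSTER_NAME already exists)
setup-kind:
	kind get clusters | grep -q "^${KIND_CLUSTER_NAME}$$" || \
		kind create cluster \
			--image kindest/node:${KIND_K8S_VERSION} \
			--name ${KIND_CLUSTER_NAME} \
			--config $(CURDIR)/test/kind/config.yaml
	kubectl config use-context kind-${KIND_CLUSTER_NAME}

# delete the kind cluster
delete-kind:
	kind delete cluster --name ${KIND_CLUSTER_NAME} || :

# setup-kind and delete-kind are listed too: none of these targets produce a file,
# so a stray file of the same name must not cause make to skip them.
.PHONY: values-schema test-image test-unit test-bats test test-acceptance test-destroy test-provision acceptance provision-cluster destroy-cluster setup-kind delete-kind
--------------------------------------------------------------------------------
/README.md: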
-------------------------------------------------------------------------------- 1 | # OpenBao Helm Chart 2 | 3 | > :warning: **Please note**: We take OpenBao's security and our users' trust very seriously. If 4 | > you believe you have found a security issue in OpenBao Helm, _please responsibly disclose_ 5 | > by contacting us at [openbao-security@lists.lfedge.org](mailto:openbao-security@lists.lfedge.org). 6 | 7 | This repository contains the OpenBao Helm chart for installing 8 | and configuring OpenBao on Kubernetes. This chart supports multiple use 9 | cases of OpenBao on Kubernetes depending on the values provided. 10 | 11 | ## Prerequisites 12 | 13 | To use the charts here, [Helm](https://helm.sh/) must be configured for your 14 | Kubernetes cluster. Setting up Kubernetes and Helm is outside the scope of 15 | this README. Please refer to the Kubernetes and Helm documentation. 16 | 17 | The versions required are: 18 | 19 | - **Helm 3.12+** - Earliest version tested 20 | - **Kubernetes 1.30+** - This is the earliest version of Kubernetes tested. 21 | It is possible that this chart works with earlier versions but it is 22 | untested. 23 | 24 | ## Usage 25 | 26 | To install the latest version of this chart, add the OpenBao helm repository and run `helm install`: 27 | 28 | ```console 29 | helm repo add openbao https://openbao.github.io/openbao-helm 30 | 31 | helm install openbao openbao/openbao 32 | ``` 33 | 34 | Please see the many options supported in the [`values.yaml`](./charts/openbao/values.yaml) file. These are also fully documented directly in the [openbao README](./charts/openbao/README.md) along with more detailed installation instructions. 35 | -------------------------------------------------------------------------------- /charts/openbao/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 
2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .terraform/ 9 | .bzr/ 10 | .bzrignore 11 | .hg/ 12 | .hgignore 13 | .svn/ 14 | # Common backup files 15 | *.swp 16 | *.bak 17 | *.tmp 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | 24 | # CI and test 25 | .circleci/ 26 | .github/ 27 | .gitlab-ci.yml 28 | test/ 29 | -------------------------------------------------------------------------------- /charts/openbao/Chart.yaml: -------------------------------------------------------------------------------- 1 | # Copyright (c) HashiCorp, Inc. 2 | # SPDX-License-Identifier: MPL-2.0 3 | 4 | apiVersion: v2 5 | name: openbao 6 | version: 0.12.0 7 | appVersion: v2.2.0 8 | kubeVersion: ">= 1.30.0-0" 9 | description: Official OpenBao Chart 10 | home: https://github.com/openbao/openbao-helm 11 | icon: https://github.com/openbao/artwork/blob/main/color/openbao-color.svg 12 | keywords: 13 | [ 14 | "vault", 15 | "openbao", 16 | "security", 17 | "encryption", 18 | "secrets", 19 | "management", 20 | "automation", 21 | "infrastructure", 22 | ] 23 | sources: 24 | - https://github.com/openbao/openbao-helm 25 | annotations: 26 | charts.openshift.io/name: Openbao 27 | 28 | maintainers: 29 | - name: OpenBao 30 | email: openbao-security@lists.lfedge.org 31 | url: https://openbao.org 32 | -------------------------------------------------------------------------------- /charts/openbao/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | 2 | Thank you for installing OpenBao! 3 | 4 | Now that you have deployed OpenBao, you should look over the docs on using 5 | OpenBao with Kubernetes available here: 6 | 7 | https://openbao.org/docs/ 8 | 9 | 10 | Your release is named {{ .Release.Name }}. 
To learn more about the release, try: 11 | 12 | $ helm status {{ .Release.Name }} 13 | $ helm get manifest {{ .Release.Name }} 14 | 15 | -------------------------------------------------------------------------------- /charts/openbao/templates/csi-agent-configmap.yaml: -------------------------------------------------------------------------------- 1 | {{/* 2 | Copyright (c) HashiCorp, Inc. 3 | SPDX-License-Identifier: MPL-2.0 4 | */}} 5 | 6 | {{- template "openbao.csiEnabled" . -}} 7 | {{- if and (.csiEnabled) (eq (.Values.csi.agent.enabled | toString) "true") -}} 8 | apiVersion: v1 9 | kind: ConfigMap 10 | metadata: 11 | name: {{ template "openbao.fullname" . }}-csi-provider-agent-config 12 | namespace: {{ include "openbao.namespace" . }} 13 | labels: 14 | helm.sh/chart: {{ include "openbao.chart" . }} 15 | app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider 16 | app.kubernetes.io/instance: {{ .Release.Name }} 17 | app.kubernetes.io/managed-by: {{ .Release.Service }} 18 | data: 19 | config.hcl: | 20 | vault { 21 | {{- if include "openbao.externalAddr" . }} 22 | "address" = "{{ include "openbao.externalAddr" . }}" 23 | {{- else }} 24 | "address" = "{{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }}" 25 | {{- end }} 26 | } 27 | 28 | cache {} 29 | 30 | listener "unix" { 31 | address = "/var/run/vault/agent.sock" 32 | tls_disable = true 33 | } 34 | {{- end }} 35 | -------------------------------------------------------------------------------- /charts/openbao/templates/csi-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{/* 2 | Copyright (c) HashiCorp, Inc. 3 | SPDX-License-Identifier: MPL-2.0 4 | */}} 5 | 6 | {{- template "openbao.csiEnabled" . -}} 7 | {{- if .csiEnabled -}} 8 | apiVersion: rbac.authorization.k8s.io/v1 9 | kind: ClusterRole 10 | metadata: 11 | name: {{ template "openbao.fullname" . 
}}-csi-provider-clusterrole 12 | labels: 13 | app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider 14 | app.kubernetes.io/instance: {{ .Release.Name }} 15 | app.kubernetes.io/managed-by: {{ .Release.Service }} 16 | rules: 17 | - apiGroups: 18 | - "" 19 | resources: 20 | - serviceaccounts/token 21 | verbs: 22 | - create 23 | {{- end }} 24 | -------------------------------------------------------------------------------- /charts/openbao/templates/csi-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{/* 2 | Copyright (c) HashiCorp, Inc. 3 | SPDX-License-Identifier: MPL-2.0 4 | */}} 5 | 6 | {{- template "openbao.csiEnabled" . -}} 7 | {{- if .csiEnabled -}} 8 | apiVersion: rbac.authorization.k8s.io/v1 9 | kind: ClusterRoleBinding 10 | metadata: 11 | name: {{ template "openbao.fullname" . }}-csi-provider-clusterrolebinding 12 | labels: 13 | app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider 14 | app.kubernetes.io/instance: {{ .Release.Name }} 15 | app.kubernetes.io/managed-by: {{ .Release.Service }} 16 | roleRef: 17 | apiGroup: rbac.authorization.k8s.io 18 | kind: ClusterRole 19 | name: {{ template "openbao.fullname" . }}-csi-provider-clusterrole 20 | subjects: 21 | - kind: ServiceAccount 22 | name: {{ template "openbao.fullname" . }}-csi-provider 23 | namespace: {{ include "openbao.namespace" . }} 24 | {{- end }} 25 | -------------------------------------------------------------------------------- /charts/openbao/templates/csi-daemonset.yaml: -------------------------------------------------------------------------------- 1 | {{/* 2 | Copyright (c) HashiCorp, Inc. 3 | SPDX-License-Identifier: MPL-2.0 4 | */}} 5 | 6 | {{- template "openbao.csiEnabled" . -}} 7 | {{- if .csiEnabled -}} 8 | apiVersion: apps/v1 9 | kind: DaemonSet 10 | metadata: 11 | name: {{ template "openbao.fullname" . }}-csi-provider 12 | namespace: {{ include "openbao.namespace" . 
}} 13 | labels: 14 | app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider 15 | app.kubernetes.io/instance: {{ .Release.Name }} 16 | app.kubernetes.io/managed-by: {{ .Release.Service }} 17 | {{- if .Values.csi.daemonSet.extraLabels -}} 18 | {{- toYaml .Values.csi.daemonSet.extraLabels | nindent 4 -}} 19 | {{- end -}} 20 | {{ template "csi.daemonSet.annotations" . }} 21 | spec: 22 | updateStrategy: 23 | type: {{ .Values.csi.daemonSet.updateStrategy.type }} 24 | {{- if .Values.csi.daemonSet.updateStrategy.maxUnavailable }} 25 | rollingUpdate: 26 | maxUnavailable: {{ .Values.csi.daemonSet.updateStrategy.maxUnavailable }} 27 | {{- end }} 28 | selector: 29 | matchLabels: 30 | app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider 31 | app.kubernetes.io/instance: {{ .Release.Name }} 32 | template: 33 | metadata: 34 | labels: 35 | app.kubernetes.io/name: {{ template "openbao.name" . }}-csi-provider 36 | app.kubernetes.io/instance: {{ .Release.Name }} 37 | {{- if .Values.csi.pod.extraLabels -}} 38 | {{- toYaml .Values.csi.pod.extraLabels | nindent 8 -}} 39 | {{- end -}} 40 | {{ template "csi.pod.annotations" . }} 41 | spec: 42 | {{ template "csi.daemonSet.securityContext.pod" . }} 43 | {{- if .Values.csi.priorityClassName }} 44 | priorityClassName: {{ .Values.csi.priorityClassName }} 45 | {{- end }} 46 | serviceAccountName: {{ template "openbao.fullname" . }}-csi-provider 47 | {{- template "csi.pod.tolerations" . }} 48 | {{- template "csi.pod.nodeselector" . }} 49 | {{- template "csi.pod.affinity" . }} 50 | containers: 51 | - name: {{ include "openbao.name" . }}-csi-provider 52 | {{ template "csi.resources" . }} 53 | {{ template "csi.daemonSet.securityContext.container" . 
}} 54 | image: "{{ .Values.csi.image.registry | default "docker.io" }}/{{ .Values.csi.image.repository }}:{{ .Values.csi.image.tag }}" 55 | imagePullPolicy: {{ .Values.csi.image.pullPolicy }} 56 | args: 57 | - --endpoint=/provider/vault.sock 58 | - --debug={{ .Values.csi.debug }} 59 | {{- if .Values.csi.hmacSecretName }} 60 | - --hmac-secret-name={{ .Values.csi.hmacSecretName }} 61 | {{- else }} 62 | - --hmac-secret-name={{- include "openbao.name" . }}-csi-provider-hmac-key 63 | {{- end }} 64 | {{- if .Values.csi.extraArgs }} 65 | {{- toYaml .Values.csi.extraArgs | nindent 12 }} 66 | {{- end }} 67 | env: 68 | - name: VAULT_ADDR 69 | {{- if eq (.Values.csi.agent.enabled | toString) "true" }} 70 | value: "unix:///var/run/vault/agent.sock" 71 | {{- else if include "openbao.externalAddr" . }} 72 | value: "{{ include "openbao.externalAddr" . }}" 73 | {{- else }} 74 | value: {{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }} 75 | {{- end }} 76 | volumeMounts: 77 | - name: providervol 78 | mountPath: "/provider" 79 | {{- if eq (.Values.csi.agent.enabled | toString) "true" }} 80 | - name: agent-unix-socket 81 | mountPath: /var/run/vault 82 | {{- end }} 83 | {{- if .Values.csi.volumeMounts }} 84 | {{- toYaml .Values.csi.volumeMounts | nindent 12}} 85 | {{- end }} 86 | livenessProbe: 87 | httpGet: 88 | path: /health/ready 89 | port: 8080 90 | failureThreshold: {{ .Values.csi.livenessProbe.failureThreshold }} 91 | initialDelaySeconds: {{ .Values.csi.livenessProbe.initialDelaySeconds }} 92 | periodSeconds: {{ .Values.csi.livenessProbe.periodSeconds }} 93 | successThreshold: {{ .Values.csi.livenessProbe.successThreshold }} 94 | timeoutSeconds: {{ .Values.csi.livenessProbe.timeoutSeconds }} 95 | readinessProbe: 96 | httpGet: 97 | path: /health/ready 98 | port: 8080 99 | failureThreshold: {{ .Values.csi.readinessProbe.failureThreshold }} 100 | initialDelaySeconds: {{ 
.Values.csi.readinessProbe.initialDelaySeconds }} 101 | periodSeconds: {{ .Values.csi.readinessProbe.periodSeconds }} 102 | successThreshold: {{ .Values.csi.readinessProbe.successThreshold }} 103 | timeoutSeconds: {{ .Values.csi.readinessProbe.timeoutSeconds }} 104 | {{- if eq (.Values.csi.agent.enabled | toString) "true" }} 105 | - name: {{ include "openbao.name" . }}-agent 106 | image: "{{ .Values.csi.agent.image.registry | default "docker.io" }}/{{ .Values.csi.agent.image.repository }}:{{ .Values.csi.agent.image.tag }}" 107 | imagePullPolicy: {{ .Values.csi.agent.image.pullPolicy }} 108 | {{ template "csi.agent.resources" . }} 109 | command: 110 | - bao 111 | args: 112 | - agent 113 | - -config=/etc/vault/config.hcl 114 | {{- if .Values.csi.agent.extraArgs }} 115 | {{- toYaml .Values.csi.agent.extraArgs | nindent 12 }} 116 | {{- end }} 117 | ports: 118 | - containerPort: 8200 119 | env: 120 | - name: BAO_LOG_LEVEL 121 | value: "{{ .Values.csi.agent.logLevel }}" 122 | - name: BAO_LOG_FORMAT 123 | value: "{{ .Values.csi.agent.logFormat }}" 124 | securityContext: 125 | runAsNonRoot: true 126 | allowPrivilegeEscalation: false 127 | readOnlyRootFilesystem: true 128 | runAsUser: 100 129 | runAsGroup: 1000 130 | volumeMounts: 131 | - name: agent-config 132 | mountPath: /etc/vault/config.hcl 133 | subPath: config.hcl 134 | readOnly: true 135 | - name: agent-unix-socket 136 | mountPath: /var/run/vault 137 | {{- if .Values.csi.volumeMounts }} 138 | {{- toYaml .Values.csi.volumeMounts | nindent 12 }} 139 | {{- end }} 140 | {{- end }} 141 | volumes: 142 | - name: providervol 143 | hostPath: 144 | path: {{ .Values.csi.daemonSet.providersDir }} 145 | {{- if eq (.Values.csi.agent.enabled | toString) "true" }} 146 | - name: agent-config 147 | configMap: 148 | name: {{ template "openbao.fullname" . 
}}-csi-provider-agent-config 149 | - name: agent-unix-socket 150 | emptyDir: 151 | medium: Memory 152 | {{- end }} 153 | {{- if .Values.csi.volumes }} 154 | {{- toYaml .Values.csi.volumes | nindent 8}} 155 | {{- end }} 156 | {{- include "imagePullSecrets" . | nindent 6 }} 157 | {{- end }} 158 | -------------------------------------------------------------------------------- /charts/openbao/templates/csi-role.yaml: -------------------------------------------------------------------------------- 1 | {{/* 2 | Copyright (c) HashiCorp, Inc. 3 | SPDX-License-Identifier: MPL-2.0 4 | */}} 5 | 6 | {{- template "openbao.csiEnabled" . -}} 7 | {{- if .csiEnabled -}} 8 | apiVersion: rbac.authorization.k8s.io/v1 9 | kind: Role 10 | metadata: 11 | name: {{ template "openbao.fullname" . }}-csi-provider-role 12 | namespace: {{ include "openbao.namespace" . }} 13 | labels: 14 | app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider 15 | app.kubernetes.io/instance: {{ .Release.Name }} 16 | app.kubernetes.io/managed-by: {{ .Release.Service }} 17 | rules: 18 | - apiGroups: [""] 19 | resources: ["secrets"] 20 | verbs: ["get"] 21 | resourceNames: 22 | {{- if .Values.csi.hmacSecretName }} 23 | - {{ .Values.csi.hmacSecretName }} 24 | {{- else }} 25 | - {{ include "openbao.name" . }}-csi-provider-hmac-key 26 | {{- end }} 27 | # 'create' permissions cannot be restricted by resource name: 28 | # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources 29 | - apiGroups: [""] 30 | resources: ["secrets"] 31 | verbs: ["create"] 32 | {{- end }} 33 | -------------------------------------------------------------------------------- /charts/openbao/templates/csi-rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{/* 2 | Copyright (c) HashiCorp, Inc. 3 | SPDX-License-Identifier: MPL-2.0 4 | */}} 5 | 6 | {{- template "openbao.csiEnabled" . 
-}} 7 | {{- if .csiEnabled -}} 8 | apiVersion: rbac.authorization.k8s.io/v1 9 | kind: RoleBinding 10 | metadata: 11 | name: {{ template "openbao.fullname" . }}-csi-provider-rolebinding 12 | namespace: {{ include "openbao.namespace" . }} 13 | labels: 14 | app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider 15 | app.kubernetes.io/instance: {{ .Release.Name }} 16 | app.kubernetes.io/managed-by: {{ .Release.Service }} 17 | roleRef: 18 | apiGroup: rbac.authorization.k8s.io 19 | kind: Role 20 | name: {{ template "openbao.fullname" . }}-csi-provider-role 21 | subjects: 22 | - kind: ServiceAccount 23 | name: {{ template "openbao.fullname" . }}-csi-provider 24 | namespace: {{ include "openbao.namespace" . }} 25 | {{- end }} 26 | -------------------------------------------------------------------------------- /charts/openbao/templates/csi-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{/* 2 | Copyright (c) HashiCorp, Inc. 3 | SPDX-License-Identifier: MPL-2.0 4 | */}} 5 | 6 | {{- template "openbao.csiEnabled" . -}} 7 | {{- if .csiEnabled -}} 8 | apiVersion: v1 9 | kind: ServiceAccount 10 | metadata: 11 | name: {{ template "openbao.fullname" . }}-csi-provider 12 | namespace: {{ include "openbao.namespace" . }} 13 | labels: 14 | app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider 15 | app.kubernetes.io/instance: {{ .Release.Name }} 16 | app.kubernetes.io/managed-by: {{ .Release.Service }} 17 | {{- if .Values.csi.serviceAccount.extraLabels -}} 18 | {{- toYaml .Values.csi.serviceAccount.extraLabels | nindent 4 -}} 19 | {{- end -}} 20 | {{ template "csi.serviceAccount.annotations" . }} 21 | {{- end }} 22 | -------------------------------------------------------------------------------- /charts/openbao/templates/injector-certs-secret.yaml: -------------------------------------------------------------------------------- 1 | {{/* 2 | Copyright (c) HashiCorp, Inc. 
3 | SPDX-License-Identifier: MPL-2.0 4 | */}} 5 | 6 | {{- template "openbao.injectorEnabled" . -}} 7 | {{- if .injectorEnabled -}} 8 | {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} 9 | apiVersion: v1 10 | kind: Secret 11 | metadata: 12 | name: openbao-injector-certs 13 | namespace: {{ include "openbao.namespace" . }} 14 | labels: 15 | app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector 16 | app.kubernetes.io/instance: {{ .Release.Name }} 17 | app.kubernetes.io/managed-by: {{ .Release.Service }} 18 | {{- end }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /charts/openbao/templates/injector-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{/* 2 | Copyright (c) HashiCorp, Inc. 3 | SPDX-License-Identifier: MPL-2.0 4 | */}} 5 | 6 | {{- template "openbao.injectorEnabled" . -}} 7 | {{- if .injectorEnabled -}} 8 | apiVersion: rbac.authorization.k8s.io/v1 9 | kind: ClusterRole 10 | metadata: 11 | name: {{ template "openbao.fullname" . }}-agent-injector-clusterrole 12 | labels: 13 | app.kubernetes.io/name: {{ include "openbao.name" . 
}}-agent-injector
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
# MutatingWebhookConfigurations are cluster-scoped, so this rule covers every webhook
# configuration in the cluster. get/patch could be narrowed with resourceNames to this
# chart's own "-agent-injector-cfg" object (list/watch cannot be name-scoped); the
# patch verb is presumably what lets the injector maintain its own caBundle — confirm.
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["mutatingwebhookconfigurations"]
  verbs:
  - "get"
  - "list"
  - "watch"
  - "patch"
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
# Only rendered when leader election is enabled with more than one replica.
- apiGroups: [""]
  resources: ["nodes"]
  verbs:
  - "get"
{{ end }}
{{ end }}
-------------------------------------------------------------------------------- /charts/openbao/templates/injector-clusterrolebinding.yaml: --------------------------------------------------------------------------------
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}

{{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ template "openbao.fullname" . }}-agent-injector-binding
  labels:
    app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "openbao.fullname" . }}-agent-injector-clusterrole
subjects:
- kind: ServiceAccount
  name: {{ template "openbao.fullname" . }}-agent-injector
  namespace: {{ include "openbao.namespace" . }}
{{ end }}
-------------------------------------------------------------------------------- /charts/openbao/templates/injector-disruptionbudget.yaml: --------------------------------------------------------------------------------
{{/*
Copyright (c) HashiCorp, Inc.
3 | SPDX-License-Identifier: MPL-2.0 4 | */}} 5 | 6 | {{- if .Values.injector.podDisruptionBudget }} 7 | apiVersion: policy/v1 8 | kind: PodDisruptionBudget 9 | metadata: 10 | name: {{ template "openbao.fullname" . }}-agent-injector 11 | namespace: {{ include "openbao.namespace" . }} 12 | labels: 13 | helm.sh/chart: {{ include "openbao.chart" . }} 14 | app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector 15 | app.kubernetes.io/instance: {{ .Release.Name }} 16 | app.kubernetes.io/managed-by: {{ .Release.Service }} 17 | component: webhook 18 | spec: 19 | selector: 20 | matchLabels: 21 | app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector 22 | app.kubernetes.io/instance: {{ .Release.Name }} 23 | component: webhook 24 | {{- toYaml .Values.injector.podDisruptionBudget | nindent 2 }} 25 | {{- end -}} 26 | -------------------------------------------------------------------------------- /charts/openbao/templates/injector-mutating-webhook.yaml: -------------------------------------------------------------------------------- 1 | {{/* 2 | Copyright (c) HashiCorp, Inc. 3 | SPDX-License-Identifier: MPL-2.0 4 | */}} 5 | 6 | {{- template "openbao.injectorEnabled" . -}} 7 | {{- if .injectorEnabled -}} 8 | {{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }} 9 | apiVersion: admissionregistration.k8s.io/v1 10 | {{- else }} 11 | apiVersion: admissionregistration.k8s.io/v1beta1 12 | {{- end }} 13 | kind: MutatingWebhookConfiguration 14 | metadata: 15 | name: {{ template "openbao.fullname" . }}-agent-injector-cfg 16 | labels: 17 | app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector 18 | app.kubernetes.io/instance: {{ .Release.Name }} 19 | app.kubernetes.io/managed-by: {{ .Release.Service }} 20 | {{- template "injector.webhookAnnotations" . 
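}}
# failurePolicy governs admission while the injector is unreachable or its TLS
# handshake fails: "Fail" rejects matching pod CREATE/UPDATE requests, "Ignore" admits
# them without injection. caBundle is taken verbatim from values and must match the
# certificate served behind the -agent-injector-svc Service. Unless a namespaceSelector
# or the injector.objectSelector template narrows it, the webhook is invoked for pods
# in every namespace.
webhooks:
  - name: vault.hashicorp.com
    failurePolicy: {{ ((.Values.injector.webhook)).failurePolicy | default .Values.injector.failurePolicy }}
    matchPolicy: {{ ((.Values.injector.webhook)).matchPolicy | default "Exact" }}
    sideEffects: None
    timeoutSeconds: {{ ((.Values.injector.webhook)).timeoutSeconds | default "30" }}
    admissionReviewVersions: ["v1", "v1beta1"]
    clientConfig:
      service:
        name: {{ template "openbao.fullname" . }}-agent-injector-svc
        namespace: {{ include "openbao.namespace" . }}
        path: "/mutate"
      caBundle: {{ .Values.injector.certs.caBundle | quote }}
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
{{- if or (.Values.injector.namespaceSelector) (((.Values.injector.webhook)).namespaceSelector) }}
    namespaceSelector:
{{ toYaml (((.Values.injector.webhook)).namespaceSelector | default .Values.injector.namespaceSelector) | indent 6}}
{{ end }}
{{- template "injector.objectSelector" . -}}
{{ end }}
-------------------------------------------------------------------------------- /charts/openbao/templates/injector-network-policy.yaml: --------------------------------------------------------------------------------
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}

{{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if eq (.Values.global.openshift | toString) "true" }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ template "openbao.fullname" . }}-agent-injector
  # Keep the policy in the namespace of the injector pods it selects, as the other
  # injector templates do via the openbao.namespace helper; without it the policy
  # would follow the release namespace instead.
  namespace: {{ include "openbao.namespace" . }}
  labels:
    app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector
    app.kubernetes.io/instance: {{ .Release.Name }}
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: {{ template "openbao.name" .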
}}-agent-injector
      app.kubernetes.io/instance: {{ .Release.Name }}
      component: webhook
  ingress:
  # namespaceSelector: {} matches every namespace, so inbound 8080/TCP is accepted from
  # pods in any namespace. This object is rendered only when global.openshift is true;
  # on other clusters this chart emits no NetworkPolicy for the injector.
  - from:
    - namespaceSelector: {}
    ports:
    - port: 8080
      protocol: TCP
{{ end }}
{{ end }}
-------------------------------------------------------------------------------- /charts/openbao/templates/injector-psp-role.yaml: --------------------------------------------------------------------------------
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}

{{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if eq (.Values.global.psp.enable | toString) "true" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ template "openbao.fullname" . }}-agent-injector-psp
  namespace: {{ include "openbao.namespace" . }}
  labels:
    app.kubernetes.io/name: {{ include "openbao.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
# 'use' is name-scoped to the injector's own PodSecurityPolicy. PodSecurityPolicy
# (policy/v1beta1) was removed in Kubernetes 1.25, so on newer clusters the PSP object
# this Role refers to can no longer be created.
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames:
  - {{ template "openbao.fullname" . }}-agent-injector
{{- end }}
{{- end }}
-------------------------------------------------------------------------------- /charts/openbao/templates/injector-psp-rolebinding.yaml: --------------------------------------------------------------------------------
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}

{{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if eq (.Values.global.psp.enable | toString) "true" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ template "openbao.fullname" . }}-agent-injector-psp
  namespace: {{ include "openbao.namespace" .
}} 14 | labels: 15 | app.kubernetes.io/name: {{ include "openbao.name" . }} 16 | app.kubernetes.io/instance: {{ .Release.Name }} 17 | app.kubernetes.io/managed-by: {{ .Release.Service }} 18 | roleRef: 19 | kind: Role 20 | name: {{ template "openbao.fullname" . }}-agent-injector-psp 21 | apiGroup: rbac.authorization.k8s.io 22 | subjects: 23 | - kind: ServiceAccount 24 | name: {{ template "openbao.fullname" . }}-agent-injector 25 | {{- end }} 26 | {{- end }} -------------------------------------------------------------------------------- /charts/openbao/templates/injector-psp.yaml: -------------------------------------------------------------------------------- 1 | {{/* 2 | Copyright (c) HashiCorp, Inc. 3 | SPDX-License-Identifier: MPL-2.0 4 | */}} 5 | 6 | {{- template "openbao.injectorEnabled" . -}} 7 | {{- if .injectorEnabled -}} 8 | {{- if eq (.Values.global.psp.enable | toString) "true" }} 9 | apiVersion: policy/v1beta1 10 | kind: PodSecurityPolicy 11 | metadata: 12 | name: {{ template "openbao.fullname" . }}-agent-injector 13 | labels: 14 | app.kubernetes.io/name: {{ include "openbao.name" . }} 15 | app.kubernetes.io/instance: {{ .Release.Name }} 16 | app.kubernetes.io/managed-by: {{ .Release.Service }} 17 | {{- template "openbao.psp.annotations" . }} 18 | spec: 19 | privileged: false 20 | # Required to prevent escalations to root. 21 | allowPrivilegeEscalation: false 22 | volumes: 23 | - configMap 24 | - emptyDir 25 | - projected 26 | - secret 27 | - downwardAPI 28 | hostNetwork: false 29 | hostIPC: false 30 | hostPID: false 31 | runAsUser: 32 | # Require the container to run without root privileges. 33 | rule: MustRunAsNonRoot 34 | seLinux: 35 | # This policy assumes the nodes are using AppArmor rather than SELinux. 36 | rule: RunAsAny 37 | supplementalGroups: 38 | rule: MustRunAs 39 | ranges: 40 | # Forbid adding the root group. 41 | - min: 1 42 | max: 65535 43 | fsGroup: 44 | rule: MustRunAs 45 | ranges: 46 | # Forbid adding the root group. 
- min: 1
  max: 65535
readOnlyRootFilesystem: false
{{- end }}
{{- end }}
-------------------------------------------------------------------------------- /charts/openbao/templates/injector-role.yaml: --------------------------------------------------------------------------------
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}

{{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ template "openbao.fullname" . }}-agent-injector-leader-elector-role
  namespace: {{ include "openbao.namespace" . }}
  labels:
    app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
# Leader election (rendered only with leaderElector.enabled and replicas > 1) grants
# namespace-wide access to Secrets and ConfigMaps. list/watch cannot be limited by
# resourceNames, so the injector ServiceAccount can read every Secret in this
# namespace; running the injector in a dedicated namespace bounds that exposure.
- apiGroups: [""]
  resources: ["secrets", "configmaps"]
  verbs:
  - "create"
  - "get"
  - "watch"
  - "list"
  - "update"
# NOTE(review): pod patch/delete is also namespace-wide (not name-scoped) — confirm
# the leader elector needs delete on pods other than its own replicas.
- apiGroups: [""]
  resources: ["pods"]
  verbs:
  - "get"
  - "patch"
  - "delete"
{{- end }}
{{- end }}
-------------------------------------------------------------------------------- /charts/openbao/templates/injector-rolebinding.yaml: --------------------------------------------------------------------------------
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}

{{- template "openbao.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ template "openbao.fullname" .
}}-agent-injector-leader-elector-binding 13 | namespace: {{ include "openbao.namespace" . }} 14 | labels: 15 | app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector 16 | app.kubernetes.io/instance: {{ .Release.Name }} 17 | app.kubernetes.io/managed-by: {{ .Release.Service }} 18 | roleRef: 19 | apiGroup: rbac.authorization.k8s.io 20 | kind: Role 21 | name: {{ template "openbao.fullname" . }}-agent-injector-leader-elector-role 22 | subjects: 23 | - kind: ServiceAccount 24 | name: {{ template "openbao.fullname" . }}-agent-injector 25 | namespace: {{ include "openbao.namespace" . }} 26 | {{- end }} 27 | {{- end }} -------------------------------------------------------------------------------- /charts/openbao/templates/injector-service.yaml: -------------------------------------------------------------------------------- 1 | {{/* 2 | Copyright (c) HashiCorp, Inc. 3 | SPDX-License-Identifier: MPL-2.0 4 | */}} 5 | 6 | {{- template "openbao.injectorEnabled" . -}} 7 | {{- if .injectorEnabled -}} 8 | apiVersion: v1 9 | kind: Service 10 | metadata: 11 | name: {{ template "openbao.fullname" . }}-agent-injector-svc 12 | namespace: {{ include "openbao.namespace" . }} 13 | labels: 14 | app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector 15 | app.kubernetes.io/instance: {{ .Release.Name }} 16 | app.kubernetes.io/managed-by: {{ .Release.Service }} 17 | {{ template "injector.service.annotations" . }} 18 | spec: 19 | ports: 20 | - name: https 21 | port: 443 22 | targetPort: {{ .Values.injector.port }} 23 | selector: 24 | app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector 25 | app.kubernetes.io/instance: {{ .Release.Name }} 26 | component: webhook 27 | {{- end }} 28 | -------------------------------------------------------------------------------- /charts/openbao/templates/injector-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{/* 2 | Copyright (c) HashiCorp, Inc. 
3 | SPDX-License-Identifier: MPL-2.0 4 | */}} 5 | 6 | {{- template "openbao.injectorEnabled" . -}} 7 | {{- if .injectorEnabled -}} 8 | apiVersion: v1 9 | kind: ServiceAccount 10 | metadata: 11 | name: {{ template "openbao.fullname" . }}-agent-injector 12 | namespace: {{ include "openbao.namespace" . }} 13 | labels: 14 | app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector 15 | app.kubernetes.io/instance: {{ .Release.Name }} 16 | app.kubernetes.io/managed-by: {{ .Release.Service }} 17 | {{ template "injector.serviceAccount.annotations" . }} 18 | {{ end }} 19 | -------------------------------------------------------------------------------- /charts/openbao/templates/prometheus-prometheusrules.yaml: -------------------------------------------------------------------------------- 1 | {{/* 2 | Copyright (c) HashiCorp, Inc. 3 | SPDX-License-Identifier: MPL-2.0 4 | */}} 5 | 6 | {{ if and (.Values.serverTelemetry.prometheusRules.rules) 7 | (or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.prometheusRules.enabled) ) 8 | }} 9 | --- 10 | apiVersion: monitoring.coreos.com/v1 11 | kind: PrometheusRule 12 | metadata: 13 | name: {{ template "openbao.fullname" . }} 14 | labels: 15 | helm.sh/chart: {{ include "openbao.chart" . }} 16 | app.kubernetes.io/name: {{ include "openbao.name" . }} 17 | app.kubernetes.io/instance: {{ .Release.Name }} 18 | app.kubernetes.io/managed-by: {{ .Release.Service }} 19 | {{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}} 20 | {{- $selectors := .Values.serverTelemetry.prometheusRules.selectors }} 21 | {{- if $selectors }} 22 | {{- toYaml $selectors | nindent 4 }} 23 | {{- else }} 24 | release: prometheus 25 | {{- end }} 26 | spec: 27 | groups: 28 | - name: {{ include "openbao.fullname" . 
}} 29 | rules: 30 | {{- toYaml .Values.serverTelemetry.prometheusRules.rules | nindent 6 }} 31 | {{- end }} 32 | -------------------------------------------------------------------------------- /charts/openbao/templates/prometheus-servicemonitor.yaml: -------------------------------------------------------------------------------- 1 | {{/* 2 | Copyright (c) HashiCorp, Inc. 3 | SPDX-License-Identifier: MPL-2.0 4 | */}} 5 | 6 | {{ template "openbao.mode" . }} 7 | {{ if or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.serviceMonitor.enabled) }} 8 | --- 9 | apiVersion: monitoring.coreos.com/v1 10 | kind: ServiceMonitor 11 | metadata: 12 | name: {{ template "openbao.fullname" . }} 13 | labels: 14 | helm.sh/chart: {{ include "openbao.chart" . }} 15 | app.kubernetes.io/name: {{ include "openbao.name" . }} 16 | app.kubernetes.io/instance: {{ .Release.Name }} 17 | app.kubernetes.io/managed-by: {{ .Release.Service }} 18 | {{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}} 19 | {{- $selectors := .Values.serverTelemetry.serviceMonitor.selectors }} 20 | {{- if $selectors }} 21 | {{- toYaml $selectors | nindent 4 }} 22 | {{- else }} 23 | release: prometheus 24 | {{- end }} 25 | spec: 26 | {{- if .Values.serverTelemetry.serviceMonitor.scrapeClass }} 27 | scrapeClass: {{ .Values.serverTelemetry.serviceMonitor.scrapeClass }} 28 | {{- end }} 29 | selector: 30 | matchLabels: 31 | app.kubernetes.io/name: {{ template "openbao.name" . }} 32 | app.kubernetes.io/instance: {{ .Release.Name }} 33 | {{- if eq .mode "ha" }} 34 | openbao-active: "true" 35 | {{- else }} 36 | openbao-internal: "true" 37 | {{- end }} 38 | endpoints: 39 | - port: {{ include "openbao.scheme" . }} 40 | interval: {{ .Values.serverTelemetry.serviceMonitor.interval }} 41 | scrapeTimeout: {{ .Values.serverTelemetry.serviceMonitor.scrapeTimeout }} 42 | scheme: {{ include "openbao.scheme" . 
| lower }}
    path: /v1/sys/metrics
    params:
      format:
      - prometheus
    {{- with .Values.serverTelemetry.serviceMonitor.tlsConfig }}
    tlsConfig:
      {{- toYaml . | nindent 6 }}
    {{- else }}
    # Fallback when serverTelemetry.serviceMonitor.tlsConfig is unset: the scrape uses
    # TLS but does not verify the server certificate. Supply a tlsConfig carrying the
    # OpenBao server CA to get verified scrapes instead of this fallback.
    tlsConfig:
      insecureSkipVerify: true
    {{- end }}
    {{- with .Values.serverTelemetry.serviceMonitor.authorization }}
    authorization:
      {{- toYaml . | nindent 6 }}
    {{- end }}
  namespaceSelector:
    matchNames:
    - {{ include "openbao.namespace" . }}
{{ end }}
-------------------------------------------------------------------------------- /charts/openbao/templates/server-clusterrolebinding.yaml: --------------------------------------------------------------------------------
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}

{{ template "openbao.serverAuthDelegator" . }}
{{- if .serverAuthDelegator -}}
{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: rbac.authorization.k8s.io/v1beta1
{{- end }}
# Binds the server ServiceAccount to the built-in system:auth-delegator ClusterRole,
# a cluster-scoped grant (creation of TokenReviews and SubjectAccessReviews) rather
# than a namespaced one. Rendered only when the serverAuthDelegator helper is true.
kind: ClusterRoleBinding
metadata:
  name: {{ template "openbao.fullname" . }}-server-binding
  labels:
    helm.sh/chart: {{ include "openbao.chart" . }}
    app.kubernetes.io/name: {{ include "openbao.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: {{ template "openbao.serviceAccount.name" . }}
  namespace: {{ include "openbao.namespace" .
}} 29 | {{ end }} 30 | -------------------------------------------------------------------------------- /charts/openbao/templates/server-config-configmap.yaml: -------------------------------------------------------------------------------- 1 | {{/* 2 | Copyright (c) HashiCorp, Inc. 3 | SPDX-License-Identifier: MPL-2.0 4 | */}} 5 | 6 | {{ template "openbao.mode" . }} 7 | {{- if ne .mode "external" }} 8 | {{- if .serverEnabled -}} 9 | {{- if ne .mode "dev" -}} 10 | {{ if or (.Values.server.standalone.config) (.Values.server.ha.config) -}} 11 | apiVersion: v1 12 | kind: ConfigMap 13 | metadata: 14 | name: {{ template "openbao.fullname" . }}-config 15 | namespace: {{ include "openbao.namespace" . }} 16 | labels: 17 | helm.sh/chart: {{ include "openbao.chart" . }} 18 | app.kubernetes.io/name: {{ include "openbao.name" . }} 19 | app.kubernetes.io/instance: {{ .Release.Name }} 20 | app.kubernetes.io/managed-by: {{ .Release.Service }} 21 | {{- if .Values.server.configAnnotation }} 22 | annotations: 23 | vault.hashicorp.com/config-checksum: {{ include "openbao.config" . | sha256sum }} 24 | {{- end }} 25 | data: 26 | extraconfig-from-values.hcl: |- 27 | {{ template "openbao.config" . }} 28 | {{- end }} 29 | {{- end }} 30 | {{- end }} 31 | {{- end }} 32 | -------------------------------------------------------------------------------- /charts/openbao/templates/server-discovery-role.yaml: -------------------------------------------------------------------------------- 1 | {{/* 2 | Copyright (c) HashiCorp, Inc. 3 | SPDX-License-Identifier: MPL-2.0 4 | */}} 5 | 6 | {{ template "openbao.mode" . }} 7 | {{- if .serverEnabled -}} 8 | {{- if eq .mode "ha" }} 9 | {{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }} 10 | apiVersion: rbac.authorization.k8s.io/v1 11 | kind: Role 12 | metadata: 13 | namespace: {{ include "openbao.namespace" . }} 14 | name: {{ template "openbao.fullname" . 
}}-discovery-role 15 | labels: 16 | helm.sh/chart: {{ include "openbao.chart" . }} 17 | app.kubernetes.io/name: {{ include "openbao.name" . }} 18 | app.kubernetes.io/instance: {{ .Release.Name }} 19 | app.kubernetes.io/managed-by: {{ .Release.Service }} 20 | rules: 21 | - apiGroups: [""] 22 | resources: ["pods"] 23 | verbs: ["get", "watch", "list", "update", "patch"] 24 | {{ end }} 25 | {{ end }} 26 | {{ end }} 27 | -------------------------------------------------------------------------------- /charts/openbao/templates/server-discovery-rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{/* 2 | Copyright (c) HashiCorp, Inc. 3 | SPDX-License-Identifier: MPL-2.0 4 | */}} 5 | 6 | {{ template "openbao.mode" . }} 7 | {{- if .serverEnabled -}} 8 | {{- if eq .mode "ha" }} 9 | {{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }} 10 | {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} 11 | apiVersion: rbac.authorization.k8s.io/v1 12 | {{- else }} 13 | apiVersion: rbac.authorization.k8s.io/v1beta1 14 | {{- end }} 15 | kind: RoleBinding 16 | metadata: 17 | name: {{ template "openbao.fullname" . }}-discovery-rolebinding 18 | namespace: {{ include "openbao.namespace" . }} 19 | labels: 20 | helm.sh/chart: {{ include "openbao.chart" . }} 21 | app.kubernetes.io/name: {{ include "openbao.name" . }} 22 | app.kubernetes.io/instance: {{ .Release.Name }} 23 | app.kubernetes.io/managed-by: {{ .Release.Service }} 24 | roleRef: 25 | apiGroup: rbac.authorization.k8s.io 26 | kind: Role 27 | name: {{ template "openbao.fullname" . }}-discovery-role 28 | subjects: 29 | - kind: ServiceAccount 30 | name: {{ template "openbao.serviceAccount.name" . }} 31 | namespace: {{ include "openbao.namespace" . 
}} 32 | {{ end }} 33 | {{ end }} 34 | {{ end }} 35 | -------------------------------------------------------------------------------- /charts/openbao/templates/server-disruptionbudget.yaml: -------------------------------------------------------------------------------- 1 | {{/* 2 | Copyright (c) HashiCorp, Inc. 3 | SPDX-License-Identifier: MPL-2.0 4 | */}} 5 | 6 | {{ template "openbao.mode" . }} 7 | {{- if ne .mode "external" -}} 8 | {{- if .serverEnabled -}} 9 | {{- if and (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}} 10 | # PodDisruptionBudget to prevent degrading the server cluster through 11 | # voluntary cluster changes. 12 | apiVersion: policy/v1 13 | kind: PodDisruptionBudget 14 | metadata: 15 | name: {{ template "openbao.fullname" . }} 16 | namespace: {{ include "openbao.namespace" . }} 17 | labels: 18 | helm.sh/chart: {{ include "openbao.chart" . }} 19 | app.kubernetes.io/name: {{ include "openbao.name" . }} 20 | app.kubernetes.io/instance: {{ .Release.Name }} 21 | app.kubernetes.io/managed-by: {{ .Release.Service }} 22 | spec: 23 | maxUnavailable: {{ template "openbao.pdb.maxUnavailable" . }} 24 | selector: 25 | matchLabels: 26 | app.kubernetes.io/name: {{ include "openbao.name" . }} 27 | app.kubernetes.io/instance: {{ .Release.Name }} 28 | component: server 29 | {{- end -}} 30 | {{- end -}} 31 | {{- end -}} 32 | -------------------------------------------------------------------------------- /charts/openbao/templates/server-ha-active-service.yaml: -------------------------------------------------------------------------------- 1 | {{/* 2 | Copyright (c) HashiCorp, Inc. 3 | SPDX-License-Identifier: MPL-2.0 4 | */}} 5 | 6 | {{ template "openbao.mode" . }} 7 | {{- if ne .mode "external" }} 8 | {{- template "openbao.serverServiceEnabled" . 
-}} 9 | {{- if .serverServiceEnabled -}} 10 | {{- if eq .mode "ha" }} 11 | {{- if eq (.Values.server.service.active.enabled | toString) "true" }} 12 | # Service for active OpenBao pod 13 | apiVersion: v1 14 | kind: Service 15 | metadata: 16 | name: {{ template "openbao.fullname" . }}-active 17 | namespace: {{ include "openbao.namespace" . }} 18 | labels: 19 | helm.sh/chart: {{ include "openbao.chart" . }} 20 | app.kubernetes.io/name: {{ include "openbao.name" . }} 21 | app.kubernetes.io/instance: {{ .Release.Name }} 22 | app.kubernetes.io/managed-by: {{ .Release.Service }} 23 | openbao-active: "true" 24 | annotations: 25 | {{- template "openbao.service.active.annotations" . }} 26 | {{- template "openbao.service.annotations" . }} 27 | spec: 28 | {{- if .Values.server.service.type}} 29 | type: {{ .Values.server.service.type }} 30 | {{- end}} 31 | {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} 32 | {{- if .Values.server.service.ipFamilyPolicy }} 33 | ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }} 34 | {{- end }} 35 | {{- if .Values.server.service.ipFamilies }} 36 | ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }} 37 | {{- end }} 38 | {{- end }} 39 | {{- if .Values.server.service.clusterIP }} 40 | clusterIP: {{ .Values.server.service.clusterIP }} 41 | {{- end }} 42 | {{- include "service.externalTrafficPolicy" .Values.server.service }} 43 | publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} 44 | ports: 45 | - name: {{ include "openbao.scheme" . }} 46 | port: {{ .Values.server.service.port }} 47 | targetPort: {{ .Values.server.service.targetPort }} 48 | {{- if and (.Values.server.service.activeNodePort) (eq (.Values.server.service.type | toString) "NodePort") }} 49 | nodePort: {{ .Values.server.service.activeNodePort }} 50 | {{- end }} 51 | - name: https-internal 52 | port: 8201 53 | targetPort: 8201 54 | selector: 55 | app.kubernetes.io/name: {{ include "openbao.name" . 
}} 56 | {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }} 57 | app.kubernetes.io/instance: {{ .Release.Name }} 58 | {{- end }} 59 | component: server 60 | openbao-active: "true" 61 | {{- end }} 62 | {{- end }} 63 | {{- end }} 64 | {{- end }} 65 | -------------------------------------------------------------------------------- /charts/openbao/templates/server-ha-standby-service.yaml: -------------------------------------------------------------------------------- 1 | {{/* 2 | Copyright (c) HashiCorp, Inc. 3 | SPDX-License-Identifier: MPL-2.0 4 | */}} 5 | 6 | {{ template "openbao.mode" . }} 7 | {{- if ne .mode "external" }} 8 | {{- template "openbao.serverServiceEnabled" . -}} 9 | {{- if .serverServiceEnabled -}} 10 | {{- if eq .mode "ha" }} 11 | {{- if eq (.Values.server.service.standby.enabled | toString) "true" }} 12 | # Service for standby OpenBao pod 13 | apiVersion: v1 14 | kind: Service 15 | metadata: 16 | name: {{ template "openbao.fullname" . }}-standby 17 | namespace: {{ include "openbao.namespace" . }} 18 | labels: 19 | helm.sh/chart: {{ include "openbao.chart" . }} 20 | app.kubernetes.io/name: {{ include "openbao.name" . }} 21 | app.kubernetes.io/instance: {{ .Release.Name }} 22 | app.kubernetes.io/managed-by: {{ .Release.Service }} 23 | annotations: 24 | {{- template "openbao.service.standby.annotations" . }} 25 | {{- template "openbao.service.annotations" . 
}} 26 | spec: 27 | {{- if .Values.server.service.type}} 28 | type: {{ .Values.server.service.type }} 29 | {{- end}} 30 | {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} 31 | {{- if .Values.server.service.ipFamilyPolicy }} 32 | ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }} 33 | {{- end }} 34 | {{- if .Values.server.service.ipFamilies }} 35 | ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }} 36 | {{- end }} 37 | {{- end }} 38 | {{- if .Values.server.service.clusterIP }} 39 | clusterIP: {{ .Values.server.service.clusterIP }} 40 | {{- end }} 41 | {{- include "service.externalTrafficPolicy" .Values.server.service }} 42 | publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} 43 | ports: 44 | - name: {{ include "openbao.scheme" . }} 45 | port: {{ .Values.server.service.port }} 46 | targetPort: {{ .Values.server.service.targetPort }} 47 | {{- if and (.Values.server.service.standbyNodePort) (eq (.Values.server.service.type | toString) "NodePort") }} 48 | nodePort: {{ .Values.server.service.standbyNodePort }} 49 | {{- end }} 50 | - name: https-internal 51 | port: 8201 52 | targetPort: 8201 53 | selector: 54 | app.kubernetes.io/name: {{ include "openbao.name" . }} 55 | {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }} 56 | app.kubernetes.io/instance: {{ .Release.Name }} 57 | {{- end }} 58 | component: server 59 | openbao-active: "false" 60 | {{- end }} 61 | {{- end }} 62 | {{- end }} 63 | {{- end }} 64 | -------------------------------------------------------------------------------- /charts/openbao/templates/server-headless-service.yaml: -------------------------------------------------------------------------------- 1 | {{/* 2 | Copyright (c) HashiCorp, Inc. 3 | SPDX-License-Identifier: MPL-2.0 4 | */}} 5 | 6 | {{ template "openbao.mode" . }} 7 | {{- if ne .mode "external" }} 8 | {{- template "openbao.serverServiceEnabled" . 
-}} 9 | {{- if .serverServiceEnabled -}} 10 | # Service for OpenBao cluster 11 | apiVersion: v1 12 | kind: Service 13 | metadata: 14 | name: {{ template "openbao.fullname" . }}-internal 15 | namespace: {{ include "openbao.namespace" . }} 16 | labels: 17 | helm.sh/chart: {{ include "openbao.chart" . }} 18 | app.kubernetes.io/name: {{ include "openbao.name" . }} 19 | app.kubernetes.io/instance: {{ .Release.Name }} 20 | app.kubernetes.io/managed-by: {{ .Release.Service }} 21 | openbao-internal: "true" 22 | annotations: 23 | {{ template "openbao.service.annotations" .}} 24 | spec: 25 | {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} 26 | {{- if .Values.server.service.ipFamilyPolicy }} 27 | ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }} 28 | {{- end }} 29 | {{- if .Values.server.service.ipFamilies }} 30 | ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }} 31 | {{- end }} 32 | {{- end }} 33 | clusterIP: None 34 | publishNotReadyAddresses: true 35 | ports: 36 | - name: "{{ include "openbao.scheme" . }}" 37 | port: {{ .Values.server.service.port }} 38 | targetPort: {{ .Values.server.service.targetPort }} 39 | - name: https-internal 40 | port: 8201 41 | targetPort: 8201 42 | selector: 43 | app.kubernetes.io/name: {{ include "openbao.name" . }} 44 | app.kubernetes.io/instance: {{ .Release.Name }} 45 | component: server 46 | {{- end }} 47 | {{- end }} 48 | -------------------------------------------------------------------------------- /charts/openbao/templates/server-ingress.yaml: -------------------------------------------------------------------------------- 1 | {{/* 2 | Copyright (c) HashiCorp, Inc. 3 | SPDX-License-Identifier: MPL-2.0 4 | */}} 5 | 6 | {{- if not .Values.global.openshift }} 7 | {{ template "openbao.mode" . 
}} 8 | {{- if ne .mode "external" }} 9 | {{- if .Values.server.ingress.enabled -}} 10 | {{- $extraPaths := .Values.server.ingress.extraPaths -}} 11 | {{- $serviceName := include "openbao.fullname" . -}} 12 | {{- template "openbao.serverServiceEnabled" . -}} 13 | {{- if .serverServiceEnabled -}} 14 | {{- if and (eq .mode "ha" ) (eq (.Values.server.ingress.activeService | toString) "true") }} 15 | {{- $serviceName = printf "%s-%s" $serviceName "active" -}} 16 | {{- end }} 17 | {{- $servicePort := .Values.server.service.port -}} 18 | {{- $pathType := .Values.server.ingress.pathType -}} 19 | {{- $kubeVersion := .Capabilities.KubeVersion.Version }} 20 | apiVersion: networking.k8s.io/v1 21 | kind: Ingress 22 | metadata: 23 | name: {{ template "openbao.fullname" . }} 24 | namespace: {{ include "openbao.namespace" . }} 25 | labels: 26 | helm.sh/chart: {{ include "openbao.chart" . }} 27 | app.kubernetes.io/name: {{ include "openbao.name" . }} 28 | app.kubernetes.io/instance: {{ .Release.Name }} 29 | app.kubernetes.io/managed-by: {{ .Release.Service }} 30 | {{- with .Values.server.ingress.labels }} 31 | {{- toYaml . | nindent 4 }} 32 | {{- end }} 33 | {{- template "openbao.ingress.annotations" . }} 34 | spec: 35 | {{- if .Values.server.ingress.tls }} 36 | tls: 37 | {{- range .Values.server.ingress.tls }} 38 | - hosts: 39 | {{- range .hosts }} 40 | - {{ . | quote }} 41 | {{- end }} 42 | secretName: {{ .secretName }} 43 | {{- end }} 44 | {{- end }} 45 | {{- if .Values.server.ingress.ingressClassName }} 46 | ingressClassName: {{ .Values.server.ingress.ingressClassName }} 47 | {{- end }} 48 | rules: 49 | {{- range .Values.server.ingress.hosts }} 50 | - host: {{ .host | quote }} 51 | http: 52 | paths: 53 | {{ if $extraPaths }} 54 | {{ toYaml $extraPaths | indent 10 }} 55 | {{- end }} 56 | {{- range (.paths | default (list "/")) }} 57 | - path: {{ . 
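}}
            pathType: {{ $pathType }}
            backend:
              service:
                name: {{ $serviceName }}
                port:
                  number: {{ $servicePort }}
          {{- end }}
        {{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
--------------------------------------------------------------------------------
/charts/openbao/templates/server-network-policy.yaml:
--------------------------------------------------------------------------------
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}

{{- if eq (.Values.server.networkPolicy.enabled | toString) "true" }}
# NetworkPolicy for the OpenBao server pods (selected by the chart's name and
# instance labels). The ingress rules are copied verbatim from
# .Values.server.networkPolicy.ingress: when that list is empty or unset the
# policy renders with no ingress rules, which isolates the selected pods and
# denies all ingress to them. Egress is only restricted when egress rules are
# supplied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ template "openbao.fullname" . }}
  # Namespaced resource: it has to live in the same namespace as the server
  # pods it selects, so use the chart's namespace helper like every other
  # namespaced template (service, ingress, role, service account, ...).
  namespace: {{ include "openbao.namespace" . }}
  labels:
    app.kubernetes.io/name: {{ template "openbao.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: {{ template "openbao.name" . }}
      app.kubernetes.io/instance: {{ .Release.Name }}
  ingress: {{- toYaml .Values.server.networkPolicy.ingress | nindent 4 }}
  {{- if .Values.server.networkPolicy.egress }}
  egress:
    {{- toYaml .Values.server.networkPolicy.egress | nindent 4 }}
  {{ end }}
{{ end }}
--------------------------------------------------------------------------------
/charts/openbao/templates/server-psp-role.yaml:
--------------------------------------------------------------------------------
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}

{{ template "openbao.mode" . }}
{{- if .serverEnabled -}}
{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ template "openbao.fullname" . }}-psp
  namespace: {{ include "openbao.namespace" . }}
  labels:
    app.kubernetes.io/name: {{ include "openbao.name" .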
}} 16 | app.kubernetes.io/instance: {{ .Release.Name }} 17 | app.kubernetes.io/managed-by: {{ .Release.Service }} 18 | rules: 19 | - apiGroups: ['policy'] 20 | resources: ['podsecuritypolicies'] 21 | verbs: ['use'] 22 | resourceNames: 23 | - {{ template "openbao.fullname" . }} 24 | {{- end }} 25 | {{- end }} 26 | -------------------------------------------------------------------------------- /charts/openbao/templates/server-psp-rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{/* 2 | Copyright (c) HashiCorp, Inc. 3 | SPDX-License-Identifier: MPL-2.0 4 | */}} 5 | 6 | {{ template "openbao.mode" . }} 7 | {{- if .serverEnabled -}} 8 | {{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} 9 | apiVersion: rbac.authorization.k8s.io/v1 10 | kind: RoleBinding 11 | metadata: 12 | name: {{ template "openbao.fullname" . }}-psp 13 | namespace: {{ include "openbao.namespace" . }} 14 | labels: 15 | app.kubernetes.io/name: {{ include "openbao.name" . }} 16 | app.kubernetes.io/instance: {{ .Release.Name }} 17 | app.kubernetes.io/managed-by: {{ .Release.Service }} 18 | roleRef: 19 | kind: Role 20 | name: {{ template "openbao.fullname" . }}-psp 21 | apiGroup: rbac.authorization.k8s.io 22 | subjects: 23 | - kind: ServiceAccount 24 | name: {{ template "openbao.fullname" . }} 25 | {{- end }} 26 | {{- end }} 27 | -------------------------------------------------------------------------------- /charts/openbao/templates/server-psp.yaml: -------------------------------------------------------------------------------- 1 | {{/* 2 | Copyright (c) HashiCorp, Inc. 3 | SPDX-License-Identifier: MPL-2.0 4 | */}} 5 | 6 | {{ template "openbao.mode" . }} 7 | {{- if .serverEnabled -}} 8 | {{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} 9 | apiVersion: policy/v1beta1 10 | kind: PodSecurityPolicy 11 | metadata: 12 | name: {{ template "openbao.fullname" . 
}} 13 | labels: 14 | app.kubernetes.io/name: {{ include "openbao.name" . }} 15 | app.kubernetes.io/instance: {{ .Release.Name }} 16 | app.kubernetes.io/managed-by: {{ .Release.Service }} 17 | {{- template "openbao.psp.annotations" . }} 18 | spec: 19 | privileged: false 20 | # Required to prevent escalations to root. 21 | allowPrivilegeEscalation: false 22 | volumes: 23 | - configMap 24 | - emptyDir 25 | - projected 26 | - secret 27 | - downwardAPI 28 | {{- if eq (.Values.server.dataStorage.enabled | toString) "true" }} 29 | - persistentVolumeClaim 30 | {{- end }} 31 | hostNetwork: false 32 | hostIPC: false 33 | hostPID: false 34 | runAsUser: 35 | # Require the container to run without root privileges. 36 | rule: MustRunAsNonRoot 37 | seLinux: 38 | # This policy assumes the nodes are using AppArmor rather than SELinux. 39 | rule: RunAsAny 40 | supplementalGroups: 41 | rule: MustRunAs 42 | ranges: 43 | # Forbid adding the root group. 44 | - min: 1 45 | max: 65535 46 | fsGroup: 47 | rule: MustRunAs 48 | ranges: 49 | # Forbid adding the root group. 50 | - min: 1 51 | max: 65535 52 | readOnlyRootFilesystem: false 53 | {{- end }} 54 | {{- end }} 55 | -------------------------------------------------------------------------------- /charts/openbao/templates/server-route.yaml: -------------------------------------------------------------------------------- 1 | {{/* 2 | Copyright (c) HashiCorp, Inc. 3 | SPDX-License-Identifier: MPL-2.0 4 | */}} 5 | 6 | {{- if .Values.global.openshift }} 7 | {{- if ne .mode "external" }} 8 | {{- if .Values.server.route.enabled -}} 9 | {{- $serviceName := include "openbao.fullname" . -}} 10 | {{- if and (eq .mode "ha" ) (eq (.Values.server.route.activeService | toString) "true") }} 11 | {{- $serviceName = printf "%s-%s" $serviceName "active" -}} 12 | {{- end }} 13 | kind: Route 14 | apiVersion: route.openshift.io/v1 15 | metadata: 16 | name: {{ template "openbao.fullname" . }} 17 | namespace: {{ include "openbao.namespace" . 
}} 18 | labels: 19 | helm.sh/chart: {{ include "openbao.chart" . }} 20 | app.kubernetes.io/name: {{ include "openbao.name" . }} 21 | app.kubernetes.io/instance: {{ .Release.Name }} 22 | app.kubernetes.io/managed-by: {{ .Release.Service }} 23 | {{- with .Values.server.route.labels }} 24 | {{- toYaml . | nindent 4 }} 25 | {{- end }} 26 | {{- template "openbao.route.annotations" . }} 27 | spec: 28 | host: {{ .Values.server.route.host }} 29 | to: 30 | kind: Service 31 | name: {{ $serviceName }} 32 | weight: 100 33 | port: 34 | targetPort: 8200 35 | tls: 36 | {{- toYaml .Values.server.route.tls | nindent 4 }} 37 | {{- end }} 38 | {{- end }} 39 | {{- end }} 40 | -------------------------------------------------------------------------------- /charts/openbao/templates/server-service.yaml: -------------------------------------------------------------------------------- 1 | {{/* 2 | Copyright (c) HashiCorp, Inc. 3 | SPDX-License-Identifier: MPL-2.0 4 | */}} 5 | 6 | {{ template "openbao.mode" . }} 7 | {{- if ne .mode "external" }} 8 | {{- template "openbao.serverServiceEnabled" . -}} 9 | {{- if .serverServiceEnabled -}} 10 | # Service for OpenBao cluster 11 | apiVersion: v1 12 | kind: Service 13 | metadata: 14 | name: {{ template "openbao.fullname" . }} 15 | namespace: {{ include "openbao.namespace" . }} 16 | labels: 17 | helm.sh/chart: {{ include "openbao.chart" . }} 18 | app.kubernetes.io/name: {{ include "openbao.name" . 
}} 19 | app.kubernetes.io/instance: {{ .Release.Name }} 20 | app.kubernetes.io/managed-by: {{ .Release.Service }} 21 | annotations: 22 | {{ template "openbao.service.annotations" .}} 23 | spec: 24 | {{- if .Values.server.service.type}} 25 | type: {{ .Values.server.service.type }} 26 | {{- end}} 27 | {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} 28 | {{- if .Values.server.service.ipFamilyPolicy }} 29 | ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }} 30 | {{- end }} 31 | {{- if .Values.server.service.ipFamilies }} 32 | ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }} 33 | {{- end }} 34 | {{- end }} 35 | {{- if .Values.server.service.clusterIP }} 36 | clusterIP: {{ .Values.server.service.clusterIP }} 37 | {{- end }} 38 | {{- include "service.externalTrafficPolicy" .Values.server.service }} 39 | # We want the servers to become available even if they're not ready 40 | # since this DNS is also used for join operations. 41 | publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} 42 | ports: 43 | - name: {{ include "openbao.scheme" . }} 44 | port: {{ .Values.server.service.port }} 45 | targetPort: {{ .Values.server.service.targetPort }} 46 | {{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }} 47 | nodePort: {{ .Values.server.service.nodePort }} 48 | {{- end }} 49 | - name: https-internal 50 | port: 8201 51 | targetPort: 8201 52 | selector: 53 | app.kubernetes.io/name: {{ include "openbao.name" . 
}} 54 | {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }} 55 | app.kubernetes.io/instance: {{ .Release.Name }} 56 | {{- end }} 57 | component: server 58 | {{- end }} 59 | {{- end }} 60 | -------------------------------------------------------------------------------- /charts/openbao/templates/server-serviceaccount-secret.yaml: -------------------------------------------------------------------------------- 1 | {{/* 2 | Copyright (c) HashiCorp, Inc. 3 | SPDX-License-Identifier: MPL-2.0 4 | */}} 5 | 6 | {{ template "openbao.serverServiceAccountSecretCreationEnabled" . }} 7 | {{- if .serverServiceAccountSecretCreationEnabled -}} 8 | apiVersion: v1 9 | kind: Secret 10 | metadata: 11 | name: {{ template "openbao.serviceAccount.name" . }}-token 12 | namespace: {{ include "openbao.namespace" . }} 13 | annotations: 14 | kubernetes.io/service-account.name: {{ template "openbao.serviceAccount.name" . }} 15 | labels: 16 | helm.sh/chart: {{ include "openbao.chart" . }} 17 | app.kubernetes.io/name: {{ include "openbao.name" . }} 18 | app.kubernetes.io/instance: {{ .Release.Name }} 19 | app.kubernetes.io/managed-by: {{ .Release.Service }} 20 | type: kubernetes.io/service-account-token 21 | {{ end }} 22 | -------------------------------------------------------------------------------- /charts/openbao/templates/server-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{/* 2 | Copyright (c) HashiCorp, Inc. 3 | SPDX-License-Identifier: MPL-2.0 4 | */}} 5 | 6 | {{ template "openbao.serverServiceAccountEnabled" . }} 7 | {{- if .serverServiceAccountEnabled -}} 8 | apiVersion: v1 9 | kind: ServiceAccount 10 | metadata: 11 | name: {{ template "openbao.serviceAccount.name" . }} 12 | namespace: {{ include "openbao.namespace" . }} 13 | labels: 14 | helm.sh/chart: {{ include "openbao.chart" . }} 15 | app.kubernetes.io/name: {{ include "openbao.name" . 
}} 16 | app.kubernetes.io/instance: {{ .Release.Name }} 17 | app.kubernetes.io/managed-by: {{ .Release.Service }} 18 | {{- if .Values.server.serviceAccount.extraLabels -}} 19 | {{- toYaml .Values.server.serviceAccount.extraLabels | nindent 4 -}} 20 | {{- end -}} 21 | {{ template "openbao.serviceAccount.annotations" . }} 22 | {{ end }} 23 | -------------------------------------------------------------------------------- /charts/openbao/templates/tests/server-test.yaml: -------------------------------------------------------------------------------- 1 | {{/* 2 | Copyright (c) HashiCorp, Inc. 3 | SPDX-License-Identifier: MPL-2.0 4 | */}} 5 | 6 | {{ template "openbao.mode" . }} 7 | {{- if ne .mode "external" }} 8 | {{- if .serverEnabled -}} 9 | apiVersion: v1 10 | kind: Pod 11 | metadata: 12 | name: {{ template "openbao.fullname" . }}-server-test 13 | namespace: {{ include "openbao.namespace" . }} 14 | annotations: 15 | "helm.sh/hook": test 16 | spec: 17 | {{- include "imagePullSecrets" . | nindent 2 }} 18 | containers: 19 | - name: {{ .Release.Name }}-server-test 20 | image: {{ .Values.server.image.registry | default "docker.io" }}/{{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }} 21 | imagePullPolicy: {{ .Values.server.image.pullPolicy }} 22 | env: 23 | - name: VAULT_ADDR 24 | value: {{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }} 25 | {{- include "openbao.extraEnvironmentVars" .Values.server | nindent 8 }} 26 | command: 27 | - /bin/sh 28 | - -c 29 | - | 30 | echo "Checking for sealed info in 'bao status' output" 31 | ATTEMPTS=10 32 | n=0 33 | until [ "$n" -ge $ATTEMPTS ] 34 | do 35 | echo "Attempt" $n... 
36 | bao status -format yaml | grep -E '^sealed: (true|false)' && break 37 | n=$((n+1)) 38 | sleep 5 39 | done 40 | if [ $n -ge $ATTEMPTS ]; then 41 | echo "timed out looking for sealed info in 'bao status' output" 42 | exit 1 43 | fi 44 | 45 | exit 0 46 | volumeMounts: 47 | {{- if .Values.server.volumeMounts }} 48 | {{- toYaml .Values.server.volumeMounts | nindent 8}} 49 | {{- end }} 50 | volumes: 51 | {{- if .Values.server.volumes }} 52 | {{- toYaml .Values.server.volumes | nindent 4}} 53 | {{- end }} 54 | restartPolicy: Never 55 | {{- end }} 56 | {{- end }} 57 | -------------------------------------------------------------------------------- /charts/openbao/templates/ui-service.yaml: -------------------------------------------------------------------------------- 1 | {{/* 2 | Copyright (c) HashiCorp, Inc. 3 | SPDX-License-Identifier: MPL-2.0 4 | */}} 5 | 6 | {{ template "openbao.mode" . }} 7 | {{- if ne .mode "external" }} 8 | {{- template "openbao.uiEnabled" . -}} 9 | {{- if .uiEnabled -}} 10 | 11 | apiVersion: v1 12 | kind: Service 13 | metadata: 14 | name: {{ template "openbao.fullname" . }}-ui 15 | namespace: {{ include "openbao.namespace" . }} 16 | labels: 17 | helm.sh/chart: {{ include "openbao.chart" . }} 18 | app.kubernetes.io/name: {{ include "openbao.name" . }}-ui 19 | app.kubernetes.io/instance: {{ .Release.Name }} 20 | app.kubernetes.io/managed-by: {{ .Release.Service }} 21 | {{- template "openbao.ui.annotations" . }} 22 | spec: 23 | {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} 24 | {{- if .Values.ui.serviceIPFamilyPolicy }} 25 | ipFamilyPolicy: {{ .Values.ui.serviceIPFamilyPolicy }} 26 | {{- end }} 27 | {{- if .Values.ui.serviceIPFamilies }} 28 | ipFamilies: {{ .Values.ui.serviceIPFamilies | toYaml | nindent 2 }} 29 | {{- end }} 30 | {{- end }} 31 | selector: 32 | app.kubernetes.io/name: {{ include "openbao.name" . 
}} 33 | app.kubernetes.io/instance: {{ .Release.Name }} 34 | component: server 35 | {{- if and (.Values.ui.activeOpenbaoPodOnly) (eq .mode "ha") }} 36 | openbao-active: "true" 37 | {{- end }} 38 | publishNotReadyAddresses: {{ .Values.ui.publishNotReadyAddresses }} 39 | ports: 40 | - name: {{ include "openbao.scheme" . }} 41 | port: {{ .Values.ui.externalPort }} 42 | targetPort: {{ .Values.ui.targetPort }} 43 | {{- if .Values.ui.serviceNodePort }} 44 | nodePort: {{ .Values.ui.serviceNodePort }} 45 | {{- end }} 46 | type: {{ .Values.ui.serviceType }} 47 | {{- include "service.externalTrafficPolicy" .Values.ui }} 48 | {{- include "service.loadBalancer" .Values.ui }} 49 | {{- end -}} 50 | {{- end }} 51 | -------------------------------------------------------------------------------- /charts/openbao/values.openshift.yaml: -------------------------------------------------------------------------------- 1 | # Copyright (c) HashiCorp, Inc. 2 | # SPDX-License-Identifier: MPL-2.0 3 | 4 | # These overrides are appropriate defaults for deploying this chart on OpenShift 5 | 6 | global: 7 | openshift: true 8 | 9 | injector: 10 | image: 11 | repository: "registry.connect.redhat.com/hashicorp/vault-k8s" 12 | tag: "1.3.1-ubi" 13 | 14 | agentImage: 15 | registry: "quay.io" 16 | repository: "openbao/openbao" 17 | tag: "v2.2.0-ubi" 18 | 19 | server: 20 | image: 21 | registry: "quay.io" 22 | repository: "openbao/openbao" 23 | tag: "v2.2.0-ubi" 24 | 25 | readinessProbe: 26 | path: "/v1/sys/health?uninitcode=204" 27 | -------------------------------------------------------------------------------- /test/README.md: -------------------------------------------------------------------------------- 1 | # OpenBao Helm Tests 2 | 3 | ## Running OpenBao Helm Acceptance tests 4 | 5 | The Makefile at the top level of this repo contains a few target that should help with running acceptance tests in your own GKE instance or in a kind cluster. 
6 | 7 | ### Running in a GKE cluster 8 | 9 | * Set the `GOOGLE_CREDENTIALS` and `CLOUDSDK_CORE_PROJECT` variables at the top of the file. `GOOGLE_CREDENTIALS` should contain the local path to your Google Cloud Platform account credentials in JSON format. `CLOUDSDK_CORE_PROJECT` should be set to the ID of your GCP project. 10 | * Run `make test-image` to create the docker image (with dependencies installed) that will be re-used in the below steps. 11 | * Run `make test-provision` to provision the GKE cluster using terraform. 12 | * Run `make test-acceptance` to run the acceptance tests in this already provisioned cluster. 13 | * You can choose to only run certain tests by setting the ACCEPTANCE_TESTS variable and re-running the above target. 14 | * Run `make test-destroy` when you have finished testing and want to tear-down and remove the cluster. 15 | 16 | ### Running in a kind cluster 17 | 18 | * Run `make test-acceptance LOCAL_ACCEPTANCE_TESTS=true` 19 | * You can choose to only run certain tests by setting the `ACCEPTANCE_TESTS` variable and re-running the above target. 20 | * Run `make delete-kind` when you have finished testing and want to tear-down and remove the cluster. 21 | * You can set an alternate kind cluster name by specifying the `KIND_CLUSTER_NAME` variable for any of the above targets. 22 | * You can set an alternate K8S version by specifying the `KIND_K8S_VERSION` variable for any of the above targets. 23 | 24 | See [kind-quick-start](https://kind.sigs.k8s.io/docs/user/quick-start/) if you don't have kind installed on your system. 
25 | 26 | ## Running chart verification tests 27 | 28 | If [chart-verifier](https://github.com/redhat-certification/chart-verifier) is built and available in your PATH, run: 29 | 30 | bats test/chart/verifier.bats 31 | 32 | Or if you'd rather use the latest chart-verifier docker container, set 33 | USE_DOCKER: 34 | 35 | USE_DOCKER=true bats test/chart/verifier.bats 36 | 37 | ## Generating the values json schema 38 | 39 | There is a make target for generating values.schema.json: 40 | 41 | make values-schema 42 | 43 | It relies on the helm [schema-gen plugin][schema-gen]. Note that some manual 44 | editing will be required, since several properties accept multiple data types. 45 | 46 | [schema-gen]: https://github.com/karuppiah7890/helm-schema-gen 47 | 48 | ## Helm test 49 | 50 | OpenBao Helm also contains a simple helm test under 51 | [templates/tests/](../templates/tests/) that may be run against a helm release: 52 | 53 | helm test 54 | -------------------------------------------------------------------------------- /test/acceptance/_helpers.bash: -------------------------------------------------------------------------------- 1 | # Copyright (c) HashiCorp, Inc. 2 | # SPDX-License-Identifier: MPL-2.0 3 | 4 | # name_prefix returns the prefix of the resources within Kubernetes. 5 | name_prefix() { 6 | printf "openbao" 7 | } 8 | 9 | # chart_dir returns the directory for the chart 10 | chart_dir() { 11 | echo ${BATS_TEST_DIRNAME}/../../charts/openbao 12 | } 13 | 14 | # helm_install installs the openbao chart. This will source overridable 15 | # values from the "values.yaml" file in this directory. This can be set 16 | # by CI or other environments to do test-specific overrides. Note that its 17 | # easily possible to break tests this way so be careful. 18 | helm_install() { 19 | local values="${BATS_TEST_DIRNAME}/values.yaml" 20 | if [ ! 
-f "${values}" ]; then 21 | touch $values 22 | fi 23 | 24 | helm install -f ${values} \ 25 | --name openbao \ 26 | ${BATS_TEST_DIRNAME}/../../charts/openbao 27 | } 28 | 29 | # helm_install_ha installs the openbao chart using HA mode. This will source 30 | # overridable values from the "values.yaml" file in this directory. This can be 31 | # set by CI or other environments to do test-specific overrides. Note that its 32 | # easily possible to break tests this way so be careful. 33 | helm_install_ha() { 34 | local values="${BATS_TEST_DIRNAME}/values.yaml" 35 | if [ ! -f "${values}" ]; then 36 | touch $values 37 | fi 38 | 39 | helm install -f ${values} \ 40 | --name openbao \ 41 | --set 'server.enabled=false' \ 42 | --set 'serverHA.enabled=true' \ 43 | ${BATS_TEST_DIRNAME}/../../charts/openbao 44 | } 45 | 46 | # wait for consul to be ready 47 | wait_for_running_consul() { 48 | kubectl wait --for=condition=Ready --timeout=5m pod -l app=consul,component=client 49 | } 50 | 51 | wait_for_sealed_vault() { 52 | POD_NAME=$1 53 | 54 | check() { 55 | sealed_status=$(kubectl exec $1 -- bao status -format=json | jq -r '.sealed') 56 | if [ "$sealed_status" == "true" ]; then 57 | return 0 58 | fi 59 | return 1 60 | } 61 | 62 | for i in $(seq 60); do 63 | if check ${POD_NAME}; then 64 | echo "OpenBao on ${POD_NAME} is running." 65 | return 66 | fi 67 | 68 | echo "Waiting for OpenBao on ${POD_NAME} to be running..." 69 | sleep 2 70 | done 71 | 72 | echo "OpenBao on ${POD_NAME} never became running." 73 | return 1 74 | } 75 | 76 | # wait for a pod to be running 77 | wait_for_running() { 78 | POD_NAME=$1 79 | 80 | check() { 81 | # This requests the pod and checks whether the status is running 82 | # and the ready state is true. If so, it outputs the name. Otherwise 83 | # it outputs empty. Therefore, to check for success, check for nonzero 84 | # string length. 
85 | kubectl get pods $1 -o json | \ 86 | jq -r 'select( 87 | .status.phase == "Running" and 88 | ([ .status.conditions[] | select(.type == "Ready" and .status == "False") ] | length) == 1 89 | ) | .metadata.namespace + "/" + .metadata.name' 90 | } 91 | 92 | for i in $(seq 60); do 93 | if [ -n "$(check ${POD_NAME})" ]; then 94 | echo "${POD_NAME} is ready." 95 | sleep 5 96 | return 97 | fi 98 | 99 | echo "Waiting for ${POD_NAME} to be ready..." 100 | sleep 2 101 | done 102 | 103 | echo "${POD_NAME} never became ready." 104 | return 1 105 | } 106 | 107 | wait_for_ready() { 108 | POD_NAME=$1 109 | 110 | check() { 111 | # This requests the pod and checks whether the status is running 112 | # and the ready state is true. If so, it outputs the name. Otherwise 113 | # it outputs empty. Therefore, to check for success, check for nonzero 114 | # string length. 115 | kubectl get pods $1 -o json | \ 116 | jq -r 'select( 117 | .status.phase == "Running" and 118 | ([ .status.conditions[] | select(.type == "Ready" and .status == "True") ] | length) == 1 119 | ) | .metadata.namespace + "/" + .metadata.name' 120 | } 121 | 122 | for i in $(seq 60); do 123 | if [ -n "$(check ${POD_NAME})" ]; then 124 | echo "${POD_NAME} is ready." 125 | sleep 5 126 | return 127 | fi 128 | 129 | echo "Waiting for ${POD_NAME} to be ready..." 130 | sleep 2 131 | done 132 | 133 | echo "${POD_NAME} never became ready." 134 | return 1 135 | } 136 | 137 | wait_for_complete_job() { 138 | POD_NAME=$1 139 | 140 | check() { 141 | # This requests the pod and checks whether the status is running 142 | # and the ready state is true. If so, it outputs the name. Otherwise 143 | # it outputs empty. Therefore, to check for success, check for nonzero 144 | # string length. 
145 | kubectl get job $1 -o json | \ 146 | jq -r 'select( 147 | .status.succeeded == 1 148 | ) | .metadata.namespace + "/" + .metadata.name' 149 | } 150 | 151 | for i in $(seq 60); do 152 | if [ -n "$(check ${POD_NAME})" ]; then 153 | echo "${POD_NAME} is complete." 154 | sleep 5 155 | return 156 | fi 157 | 158 | echo "Waiting for ${POD_NAME} to be complete..." 159 | sleep 2 160 | done 161 | 162 | echo "${POD_NAME} never completed." 163 | return 1 164 | } 165 | -------------------------------------------------------------------------------- /test/acceptance/csi-test/nginx.yaml: -------------------------------------------------------------------------------- 1 | # Copyright (c) HashiCorp, Inc. 2 | # SPDX-License-Identifier: MPL-2.0 3 | 4 | --- 5 | apiVersion: v1 6 | kind: ServiceAccount 7 | metadata: 8 | name: nginx 9 | --- 10 | kind: Pod 11 | apiVersion: v1 12 | metadata: 13 | name: nginx 14 | spec: 15 | terminationGracePeriodSeconds: 0 16 | serviceAccountName: nginx 17 | containers: 18 | - image: docker.mirror.hashicorp.services/nginx 19 | name: nginx 20 | volumeMounts: 21 | - name: secrets-store-inline 22 | mountPath: "/mnt/secrets-store" 23 | readOnly: true 24 | volumes: 25 | - name: secrets-store-inline 26 | csi: 27 | driver: secrets-store.csi.k8s.io 28 | readOnly: true 29 | volumeAttributes: 30 | secretProviderClass: "vault-kv" 31 | -------------------------------------------------------------------------------- /test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml: -------------------------------------------------------------------------------- 1 | # Copyright (c) HashiCorp, Inc. 
2 | # SPDX-License-Identifier: MPL-2.0 3 | 4 | # The "Hello World" OpenBao SecretProviderClass 5 | apiVersion: secrets-store.csi.x-k8s.io/v1 6 | kind: SecretProviderClass 7 | metadata: 8 | name: vault-kv 9 | spec: 10 | provider: vault 11 | parameters: 12 | roleName: "kv-role" 13 | objects: | 14 | - objectName: "bar" 15 | secretPath: "secret/data/kv1" 16 | secretKey: "bar1" 17 | -------------------------------------------------------------------------------- /test/acceptance/csi-test/openbao-policy.hcl: -------------------------------------------------------------------------------- 1 | # Copyright (c) HashiCorp, Inc. 2 | # SPDX-License-Identifier: MPL-2.0 3 | 4 | path "secret/data/kv1" { 5 | capabilities = ["read"] 6 | } -------------------------------------------------------------------------------- /test/acceptance/csi.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "csi: testing deployment" { 6 | cd `chart_dir` 7 | 8 | kubectl delete namespace acceptance --ignore-not-found=true 9 | kubectl create namespace acceptance 10 | 11 | # Install Secrets Store CSI driver 12 | # Configure it to pass in a JWT for the provider to use, and rotate secrets rapidly 13 | # so we can see Agent's cache working. 
14 | CSI_DRIVER_VERSION=1.3.2 15 | helm install secrets-store-csi-driver secrets-store-csi-driver \ 16 | --repo https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts \ 17 | --version=$CSI_DRIVER_VERSION \ 18 | --wait --timeout=5m \ 19 | --namespace=acceptance \ 20 | --set linux.image.pullPolicy="IfNotPresent" \ 21 | --set tokenRequests[0].audience="openbao" \ 22 | --set enableSecretRotation=true \ 23 | --set rotationPollInterval=5s 24 | # Install OpenBao and OpenBao provider 25 | helm install openbao \ 26 | --wait --timeout=5m \ 27 | --namespace=acceptance \ 28 | --set="server.dev.enabled=true" \ 29 | --set="csi.enabled=true" \ 30 | --set="csi.debug=true" \ 31 | --set="csi.agent.logLevel=debug" \ 32 | --set="injector.enabled=false" \ 33 | . 34 | kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao 35 | kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao-csi-provider 36 | 37 | # Set up k8s auth and a kv secret. 
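# Load the read-only policy, enable Kubernetes auth and seed the KV secret the
# SecretProviderClass will read.
  kubectl --namespace=acceptance exec -i openbao-0 -- bao policy write kv-policy - < ../../test/acceptance/csi-test/openbao-policy.hcl
  kubectl --namespace=acceptance exec openbao-0 -- bao auth enable kubernetes
  # Single quotes on purpose: KUBERNETES_PORT_443_TCP_ADDR must expand inside the
  # pod, not on the test host. No token_reviewer_jwt / kubernetes_ca_cert is
  # passed, so the server is left to use its own service-account token and CA
  # (presumably the in-cluster defaults — verify if TokenReview starts failing).
  kubectl --namespace=acceptance exec openbao-0 -- sh -c 'bao write auth/kubernetes/config \
    kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"'
  # NOTE(review): the CSI driver installed above mints tokens with audience
  # "openbao"; binding this role with `audience=openbao` would reject tokens
  # issued for any other audience. Left unset until it is confirmed that the
  # provider really logs in with that driver-supplied token.
  kubectl --namespace=acceptance exec openbao-0 -- bao write auth/kubernetes/role/kv-role \
    bound_service_account_names=nginx \
    bound_service_account_namespaces=acceptance \
    policies=kv-policy \
    ttl=20m
  kubectl --namespace=acceptance exec openbao-0 -- bao kv put secret/kv1 bar1=hello1

  kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml
  kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/nginx.yaml
  kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod nginx

  # The CSI provider must have mounted the secret with the value written above.
  result=$(kubectl --namespace=acceptance exec nginx -- cat /mnt/secrets-store/bar)
  [[ "$result" == "hello1" ]]

  # With rotation enabled the provider re-reads the secret every few seconds; a
  # "secret renewed" line for the login path in the agent sidecar shows the
  # Agent served the Kubernetes auth login from its cache.
  for i in $(seq 10); do
    sleep 2
    if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent | grep "secret renewed: path=/v1/auth/kubernetes/login")" ]; then
      echo "Agent returned a cached login response"
      return
    fi

    echo "Waiting to confirm the Agent is renewing CSI's auth token..."
  done

  # Print the logs and fail the test
  echo "Failed to find a log for the Agent renewing CSI's auth token"
  kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent
  kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-csi-provider
  exit 1
}

# Clean up. Every command is pinned to the "acceptance" namespace: unlike the
# other acceptance tests this file never switches the kubectl context, so an
# unqualified "kubectl delete --all pvc" would wipe the PVCs of whatever
# namespace the caller's current context happens to point at.
teardown() {
  if [[ ${CLEANUP:-true} == "true" ]]
  then
    echo "helm/pvc teardown"
    helm --namespace=acceptance delete openbao
    helm --namespace=acceptance delete secrets-store-csi-driver
    kubectl --namespace=acceptance delete --all pvc
    kubectl delete namespace acceptance
  fi
}
--------------------------------------------------------------------------------
/test/acceptance/helm-test.bats:
--------------------------------------------------------------------------------
#!/usr/bin/env bats

load _helpers

@test "helm/test: running helm test" {
  cd `chart_dir`

  kubectl delete namespace acceptance --ignore-not-found=true
  kubectl create namespace acceptance
  kubectl config set-context --current --namespace=acceptance

  helm install "$(name_prefix)" .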
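# (tail of "helm/test: running helm test" -- the release was installed above)
  wait_for_running "$(name_prefix)-0"

  # Run the chart's own test hook(s) against the installed release.
  helm test "$(name_prefix)"
}

# Clean up. Set CLEANUP=false to keep the release and namespace around for debugging.
teardown() {
  if [[ ${CLEANUP:-true} == "true" ]]
  then
    echo "helm/pvc teardown"
    # Delete the release under the name it was installed with rather than a
    # hard-coded "openbao", so install and teardown cannot drift apart.
    helm delete "$(name_prefix)"
    kubectl delete --all pvc
    kubectl delete namespace acceptance --ignore-not-found=true
  fi
}
--------------------------------------------------------------------------------
/test/acceptance/injector-leader-elector.bats:
--------------------------------------------------------------------------------
#!/usr/bin/env bats

load _helpers

# With three injector replicas exactly one pod must win leader election. The
# elected pod owns the "vault-k8s-leader" ConfigMap (the injector still uses
# the vault-k8s name for it), so the ConfigMap's ownerReference identifies
# the current leader.
@test "injector: testing leader elector" {
  cd "$(chart_dir)"

  # The acceptance namespace is (re)created by setup() below, which bats runs
  # before every test; it is not repeated here.
  helm install "$(name_prefix)" \
    --wait \
    --timeout=5m \
    --set="injector.replicas=3" .
  kubectl wait --for condition=Ready pod -l app.kubernetes.io/name=openbao-agent-injector --timeout=5m

  local pods
  pods=($(kubectl get pods -l app.kubernetes.io/name=openbao-agent-injector -o json | jq -r '.items[] | .metadata.name'))
  [ "${#pods[@]}" == 3 ]

  # Poll for up to ~30s (60 x 0.5s) until the leader ConfigMap carries an
  # owner that resolves to a pod. Only look the pod up once an owner name is
  # present, so we never run `kubectl get pod null`.
  local leader='' owner
  local tries=0
  until [ "${tries}" -ge 60 ]
  do
    owner=$(kubectl get configmap vault-k8s-leader -o json | jq -r '.metadata.ownerReferences[0].name')
    if [ -n "${owner}" ] && [ "${owner}" != "null" ]; then
      leader=$(kubectl get pod "${owner}" -o json | jq -r '.metadata.name')
      [ -n "${leader}" ] && [ "${leader}" != "null" ] && break
    fi
    ((++tries))
    sleep .5
  done

  # Fail explicitly when no leader was elected in time, then check that the
  # leader is one of the three injector pods.
  [ -n "${leader}" ]
  [[ " ${pods[*]} " =~ " ${leader} " ]]
}

# bats runs setup() before each test: start from a fresh acceptance namespace.
setup() {
  kubectl delete namespace acceptance --ignore-not-found=true
  kubectl create namespace acceptance
  kubectl config set-context --current --namespace=acceptance
}

# Clean up. Set CLEANUP=false to keep the release and namespace around for debugging.
teardown() {
  if [[ ${CLEANUP:-true} == "true" ]]
  then
    echo "helm/pvc teardown"
    helm delete "$(name_prefix)"
    kubectl delete --all pvc
    kubectl delete namespace acceptance --ignore-not-found=true
  fi
}
--------------------------------------------------------------------------------
/test/acceptance/injector-test/bootstrap.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
#
# One-shot bootstrap for the injector acceptance test. It runs INSIDE the
# openbao-0 pod (injector.bats copies it there from a Secret): initialise and
# unseal a single-node server, log in as root, and configure the Kubernetes
# auth method and the PostgreSQL database secrets engine used by the pgdump Job.
#
# Test-only shortcuts -- do not copy these into a real deployment:
#   - a 1-of-1 unseal share set, so the unseal key is a single secret;
#   - the initial root token is used directly instead of a scoped operator token;
#   - the database connection is plaintext (sslmode=disable) and its bootstrap
#     password is the literal from pg-deployment.yaml.

# Fail fast: without -e a failed `bao operator init` produced an empty unseal
# key and root token and the script carried on with every later step failing.
set -eu

# Keep the init output in a shell variable instead of a file under /tmp: it
# contains the unseal key and the initial root token.
init_output=$(bao operator init -n 1 -t 1)

unseal=$(printf '%s\n' "${init_output}" | sed -n 's/^Unseal Key 1: //p')
root=$(printf '%s\n' "${init_output}" | sed -n 's/^Initial Root Token: //p')

if [ -z "${unseal}" ] || [ -z "${root}" ]; then
  echo "bootstrap: could not parse the unseal key / root token from 'bao operator init'" >&2
  exit 1
fi

bao operator unseal "${unseal}"

# Pass the token on stdin ('-') rather than as an argument, so it does not
# appear in the pod's process list; -no-print keeps it out of the output.
printf '%s\n' "${root}" | bao login -no-print -

bao policy write db-backup /openbao/userconfig/test/pgdump-policy.hcl

bao auth enable kubernetes

# token_reviewer_jwt is this pod's own service account token, so the server's
# service account must be allowed to create TokenReviews (the chart ships a
# ClusterRoleBinding for that -- verify it is enabled if this step fails).
bao write auth/kubernetes/config \
  token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
  kubernetes_host="https://${KUBERNETES_PORT_443_TCP_ADDR}:443" \
  kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt

# Only the pgdump service account in the acceptance namespace may use this
# role, and it gets nothing beyond the db-backup policy.
bao write auth/kubernetes/role/db-backup \
  bound_service_account_names=pgdump \
  bound_service_account_namespaces=acceptance \
  policies=db-backup \
  ttl=1h

bao secrets enable database

bao write database/config/postgresql \
  plugin_name=postgresql-database-plugin \
  allowed_roles="db-backup" \
  connection_url="postgresql://{{username}}:{{password}}@postgres:5432/mydb?sslmode=disable" \
  username="openbao" \
  password="openbao"

# Rotate the bootstrap password right away so that from here on only OpenBao
# knows the credential it manages dynamic roles with.
bao write -f database/rotate-root/postgresql

# Dynamic, time-limited read-only role handed out as database/creds/db-backup.
bao write database/roles/db-backup \
  db_name=postgresql \
  creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
    GRANT CONNECT ON DATABASE mydb TO \"{{name}}\"; \
    GRANT USAGE ON SCHEMA app TO \"{{name}}\"; \
    GRANT SELECT ON ALL TABLES IN SCHEMA app TO \"{{name}}\";" \
  revocation_statements="ALTER ROLE \"{{name}}\" NOLOGIN;" \
  default_ttl="1h" \
  max_ttl="24h"
--------------------------------------------------------------------------------
/test/acceptance/injector-test/job.yaml:
--------------------------------------------------------------------------------
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

# Consumer side of the injector acceptance test: a one-shot Job running as the
# "pgdump" service account that obtains a dynamic PostgreSQL credential from
# OpenBao through the injected agent and dumps the database with it.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  # Must match bound_service_account_names of the db-backup auth role that
  # bootstrap.sh configures; no other account can obtain the credential.
  name: pgdump
  labels:
    app: pgdump
---
apiVersion: batch/v1
kind: Job
metadata:
  name: pgdump
spec:
  # No retries: a failed dump should fail the test instead of being masked.
  backoffLimit: 0
  template:
    metadata:
      name: pgdump
      labels:
        app: pgdump
      annotations:
        # The injector keeps the vault.hashicorp.com annotation prefix.
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-inject-secret-db-creds: "database/creds/db-backup"
        # Render the lease as a libpq connection URL; the agent writes it to
        # /vault/secrets/db-creds in the application container.
        vault.hashicorp.com/agent-inject-template-db-creds: |
          {{- with secret "database/creds/db-backup" -}}
          postgresql://{{ .Data.username }}:{{ .Data.password }}@postgres.acceptance.svc.cluster.local:5432/mydb
          {{- end }}
        vault.hashicorp.com/role: "db-backup"
        # Fetch the secret once up front; a one-shot Job has no use for a
        # long-running sidecar after pg_dump exits.
        vault.hashicorp.com/agent-pre-populate-only: "true"
    spec:
      serviceAccountName: pgdump
      containers:
        - name: pgdump
          image: postgres:11.5
          command:
            - "/bin/sh"
            - "-ec"
          args:
            # NOTE(review): the rendered URL -- password included -- becomes a
            # pg_dump argument and is visible in the container's process list
            # for the duration of the dump. Acceptable for a throw-away test
            # credential; a real job should pass it via PGPASSWORD or a
            # password file instead.
            - "/usr/bin/pg_dump $(cat /vault/secrets/db-creds) --no-owner > /dev/stdout"
      restartPolicy: Never
--------------------------------------------------------------------------------
/test/acceptance/injector-test/pg-deployment.yaml: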
--------------------------------------------------------------------------------
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

# Throw-away PostgreSQL for the injector acceptance test. Everything here is
# test fixture: the credentials are literals, storage is an emptyDir and the
# role handed to OpenBao is a superuser. It is not a template for a real
# database deployment.
---
apiVersion: v1
kind: Service
metadata:
  name: postgres
  labels:
    app: postgres
spec:
  type: ClusterIP
  ports:
    # Reached by OpenBao as postgres:5432 (bootstrap.sh) and by the pgdump Job
    # as postgres.acceptance.svc.cluster.local:5432 (job.yaml).
    - port: 5432
      targetPort: 5432
  selector:
    app: postgres
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: postgres
spec:
  replicas: 1
  selector:
    matchLabels:
      app: postgres
  template:
    metadata:
      labels:
        service: postgres
        app: postgres
    spec:
      containers:
        - name: postgres
          image: postgres:11.5
          ports:
            - containerPort: 5432
          env:
            - name: POSTGRES_DB
              value: mydb
            - name: POSTGRES_USER
              value: postgres
            # Plaintext bootstrap password for the postgres superuser; a real
            # deployment sources this from a Secret (valueFrom.secretKeyRef)
            # and never checks it in.
            - name: POSTGRES_PASSWORD
              value: password
          volumeMounts:
            - mountPath: "/var/lib/postgresql"
              name: "pgdata"
            # Init hook of the official postgres image: files in this
            # directory run on first start, which is how setup.sql is applied.
            - mountPath: "/docker-entrypoint-initdb.d"
              name: "pgconf"
      volumes:
        # Nothing is persisted: a pod restart yields an empty database.
        - name: pgdata
          emptyDir: {}
        - name: pgconf
          configMap:
            name: "pg-init"
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: pg-init
  labels:
    app: postgres
data:
  # "openbao" is the account bootstrap.sh gives to the database secrets engine
  # (database/config/postgresql). SUPERUSER is more than the dynamic db-backup
  # role needs (create/alter roles, grants on schema "app"); it is kept only
  # to keep the fixture short, and its password is a literal for the same
  # reason (bootstrap.sh rotates it once the engine is configured).
  setup.sql: |
    CREATE ROLE openbao;
    ALTER ROLE openbao WITH SUPERUSER LOGIN PASSWORD 'openbao';

    \c mydb
    CREATE SCHEMA app;
    CREATE TABLE app.inventory(id int);
    INSERT INTO app.inventory(id) VALUES (0);
--------------------------------------------------------------------------------
/test/acceptance/injector-test/pgdump-policy.hcl:
--------------------------------------------------------------------------------
# Copyright (c) HashiCorp, Inc.
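# SPDX-License-Identifier: MPL-2.0

# Least-privilege policy for the pgdump Job: it may only read a dynamic
# credential from the db-backup database role configured by bootstrap.sh.
path "database/creds/db-backup" {
  capabilities = ["read"]
}
--------------------------------------------------------------------------------
/test/acceptance/injector.bats:
--------------------------------------------------------------------------------
#!/usr/bin/env bats

load _helpers

# End-to-end injector check: deploy PostgreSQL, install the chart with the
# bootstrap script mounted from a Secret, run that script inside the server
# pod (init/unseal, auth + database engines), then run a Job that depends on
# the injected agent to obtain a dynamic database credential.
@test "injector: testing deployment" {
  cd "$(chart_dir)"

  kubectl delete namespace acceptance --ignore-not-found=true
  kubectl create namespace acceptance
  kubectl config set-context --current --namespace=acceptance

  kubectl create -f ../../test/acceptance/injector-test/pg-deployment.yaml
  sleep 5
  wait_for_ready "$(kubectl get pod -l app=postgres -o jsonpath="{.items[0].metadata.name}")"

  # The policy and the bootstrap script reach the server pod through a Secret
  # mounted as an extra volume (server.extraVolumes below), so the script that
  # runs inside the pod is exactly the one checked into the repo.
  kubectl create secret generic test \
    --from-file ../../test/acceptance/injector-test/pgdump-policy.hcl \
    --from-file ../../test/acceptance/injector-test/bootstrap.sh

  kubectl label secret test app=openbao-agent-demo

  helm install "$(name_prefix)" \
    --set="server.extraVolumes[0].type=secret" \
    --set="server.extraVolumes[0].name=test" .
  wait_for_running "$(name_prefix)-0"

  wait_for_ready "$(kubectl get pod -l component=webhook -o jsonpath="{.items[0].metadata.name}")"

  # No TTY is needed: -t only adds "Unable to use a TTY" noise in CI.
  kubectl exec "$(name_prefix)-0" -- /bin/sh -c "cp /openbao/userconfig/test/bootstrap.sh /tmp/bootstrap.sh && chmod +x /tmp/bootstrap.sh && /tmp/bootstrap.sh"
  sleep 5

  # bootstrap.sh initialised and unsealed the server, so it must now report
  # unsealed and initialized. `local` and the assignment are separate so a
  # failing kubectl/jq is not masked by the exit status of `local`.
  local sealed_status
  sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
    jq -r '.sealed')
  [ "${sealed_status}" == "false" ]

  local init_status
  init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
    jq -r '.initialized')
  [ "${init_status}" == "true" ]

  kubectl create -f ../../test/acceptance/injector-test/job.yaml
  wait_for_complete_job "pgdump"
}

# Clean up. Set CLEANUP=false to keep the release and namespace around for debugging.
teardown() {
  if [[ ${CLEANUP:-true} == "true" ]]
  then
    echo "helm/pvc teardown"
    helm delete "$(name_prefix)"
    kubectl delete --all pvc
    kubectl delete secret test
    kubectl delete job pgdump
    kubectl delete deployment postgres
    kubectl delete namespace acceptance --ignore-not-found=true
  fi
}
--------------------------------------------------------------------------------
/test/acceptance/server-annotations.bats:
--------------------------------------------------------------------------------
#!/usr/bin/env bats

load _helpers

# Annotations can be given either as a YAML map or as a YAML-formatted string
# that is templated (see server-test/annotations-overrides.yaml); both forms
# must end up on the rendered Service and StatefulSet.
@test "server/annotations: testing yaml and yaml-formatted string formats" {
  cd "$(chart_dir)"
  kubectl delete namespace acceptance --ignore-not-found=true
  kubectl create namespace acceptance
  kubectl config set-context --current --namespace=acceptance

  helm install "$(name_prefix)" -f ../../test/acceptance/server-test/annotations-overrides.yaml .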
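# (tail of "server/annotations: ..." -- the release was installed above)
  wait_for_running "$(name_prefix)-0"

  # service annotations (given as a YAML map in annotations-overrides.yaml)
  local awesome
  awesome=$(kubectl get service "$(name_prefix)" --output json |
    jq -r '.metadata.annotations.active')
  [ "${awesome}" == "sometimes" ]

  local pickMe
  pickMe=$(kubectl get service "$(name_prefix)" --output json |
    jq -r '.metadata.annotations.pickMe')
  [ "${pickMe}" == "please" ]

  # pod annotations (given as a YAML-formatted, templated string)
  local environment
  environment=$(kubectl get statefulset "$(name_prefix)" --output json |
    jq -r '.spec.template.metadata.annotations.environment')
  [ "${environment}" == "production" ]

  local milk
  milk=$(kubectl get statefulset "$(name_prefix)" --output json |
    jq -r '.spec.template.metadata.annotations.milk')
  [ "${milk}" == "oat" ]

  # "{{ .Release.Name }}" in the string form must have been rendered.
  local myName
  myName=$(kubectl get statefulset "$(name_prefix)" --output json |
    jq -r '.spec.template.metadata.annotations.myName')
  [ "${myName}" == "$(name_prefix)" ]
}

# Clean up. Set CLEANUP=false to keep the release and namespace around for debugging.
teardown() {
  if [[ ${CLEANUP:-true} == "true" ]]
  then
    echo "helm/pvc teardown"
    helm delete "$(name_prefix)"
    kubectl delete --all pvc
    kubectl delete namespace acceptance --ignore-not-found=true
  fi
}
--------------------------------------------------------------------------------
/test/acceptance/server-dev.bats:
--------------------------------------------------------------------------------
#!/usr/bin/env bats

load _helpers

# Dev-mode server: a single replica that comes up already initialised and
# unsealed, with only the config volume mounted. server.dev.enabled is for
# tests and demos only; it must never be used for real data.
@test "server/dev: testing deployment" {
  cd "$(chart_dir)"
  kubectl delete namespace acceptance --ignore-not-found=true
  kubectl create namespace acceptance
  kubectl config set-context --current --namespace=acceptance

  helm install "$(name_prefix)" --set='server.dev.enabled=true' .
  wait_for_running "$(name_prefix)-0"

  # Replicas
  local replicas
  replicas=$(kubectl get statefulset "$(name_prefix)" --output json |
    jq -r '.spec.replicas')
  [ "${replicas}" == "1" ]

  # Volume Mounts: dev mode has a single mount, no persistent data volume.
  local volumeCount
  volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
    jq -r '.spec.template.spec.containers[0].volumeMounts | length')
  [ "${volumeCount}" == "1" ]

  # Service
  local service
  service=$(kubectl get service "$(name_prefix)" --output json |
    jq -r '.spec.clusterIP')
  [ "${service}" != "None" ]

  service=$(kubectl get service "$(name_prefix)" --output json |
    jq -r '.spec.type')
  [ "${service}" == "ClusterIP" ]

  local ports
  ports=$(kubectl get service "$(name_prefix)" --output json |
    jq -r '.spec.ports | length')
  [ "${ports}" == "2" ]

  ports=$(kubectl get service "$(name_prefix)" --output json |
    jq -r '.spec.ports[0].port')
  [ "${ports}" == "8200" ]

  ports=$(kubectl get service "$(name_prefix)" --output json |
    jq -r '.spec.ports[1].port')
  [ "${ports}" == "8201" ]

  # Dev mode auto-initialises and auto-unseals: expect unsealed + initialized
  # without any operator step.
  local sealed_status
  sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
    jq -r '.sealed')
  [ "${sealed_status}" == "false" ]

  local init_status
  init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
    jq -r '.initialized')
  [ "${init_status}" == "true" ]
}

# Clean up. Set CLEANUP=false to keep the release and namespace around for debugging.
teardown() {
  if [[ ${CLEANUP:-true} == "true" ]]
  then
    echo "helm/pvc teardown"
    helm delete "$(name_prefix)"
    kubectl delete --all pvc
    kubectl delete namespace acceptance --ignore-not-found=true
  fi
}
--------------------------------------------------------------------------------
/test/acceptance/server-ha-raft.bats:
--------------------------------------------------------------------------------
#!/usr/bin/env bats

load _helpers

# Three-node integrated-storage (raft) cluster: initialise node 0, join and
# unseal the other two with the same (single) unseal key, then check the
# raft peer list has all three members.
@test "server/ha-raft: testing deployment" {
  cd "$(chart_dir)"

  helm install "$(name_prefix)" \
    --set='server.ha.enabled=true' \
    --set='server.ha.raft.enabled=true' .
  wait_for_running "$(name_prefix)-0"

  # Sealed, not initialized: nothing has initialised the cluster yet.
  wait_for_sealed_vault "$(name_prefix)-0"

  local init_status
  init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
    jq -r '.initialized')
  [ "${init_status}" == "false" ]

  # Replicas
  local replicas
  replicas=$(kubectl get statefulset "$(name_prefix)" --output json |
    jq -r '.spec.replicas')
  [ "${replicas}" == "3" ]

  # Volume Mounts
  local volumeCount
  volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
    jq -r '.spec.template.spec.containers[0].volumeMounts | length')
  [ "${volumeCount}" == "3" ]

  # Volumes
  volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
    jq -r '.spec.template.spec.volumes | length')
  [ "${volumeCount}" == "2" ]

  local volume
  volume=$(kubectl get statefulset "$(name_prefix)" --output json |
    jq -r '.spec.template.spec.volumes[0].configMap.name')
  [ "${volume}" == "$(name_prefix)-config" ]

  # Service
  local service
  service=$(kubectl get service "$(name_prefix)" --output json |
    jq -r '.spec.clusterIP')
  [ "${service}" != "None" ]

  service=$(kubectl get service "$(name_prefix)" --output json |
    jq -r '.spec.type')
  [ "${service}" == "ClusterIP" ]

  local ports
  ports=$(kubectl get service "$(name_prefix)" --output json |
    jq -r '.spec.ports | length')
  [ "${ports}" == "2" ]

  ports=$(kubectl get service "$(name_prefix)" --output json |
    jq -r '.spec.ports[0].port')
  [ "${ports}" == "8200" ]

  ports=$(kubectl get service "$(name_prefix)" --output json |
    jq -r '.spec.ports[1].port')
  [ "${ports}" == "8201" ]

  # OpenBao Init. A single key share (-n 1 -t 1) keeps the test simple; the
  # key and root token live only in this shell's variables. No TTY (-t) so
  # the JSON output is not CR/LF-mangled on its way to jq.
  local init
  init=$(kubectl exec "$(name_prefix)-0" -- \
    bao operator init -format=json -n 1 -t 1)

  # jq -r prints "null" for a missing key, so check for that as well as "".
  local token
  token=$(echo "${init}" | jq -r '.unseal_keys_b64[0]')
  [ -n "${token}" ] && [ "${token}" != "null" ]

  local root
  root=$(echo "${init}" | jq -r '.root_token')
  [ -n "${root}" ] && [ "${root}" != "null" ]

  # NOTE(review): the unseal key is passed as a command argument and is thus
  # visible in the pod's process list while `bao operator unseal` runs --
  # fine for a throw-away test cluster, not for a real one.
  kubectl exec "$(name_prefix)-0" -- bao operator unseal "${token}"
  wait_for_ready "$(name_prefix)-0"

  sleep 5

  # Join the remaining pods to node 0 and unseal them. The join address is
  # plain http because TLS is not enabled in this test deployment; a real
  # cluster joins over https with the CA configured on the listener.
  local pods pod
  pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name'))
  for pod in "${pods[@]}"
  do
    if [[ ${pod?} != "$(name_prefix)-0" ]]
    then
      kubectl exec "${pod}" -- bao operator raft join "http://$(name_prefix)-0.$(name_prefix)-internal:8200"
      kubectl exec "${pod}" -- bao operator unseal "${token}"
      wait_for_ready "${pod}"
    fi
  done

  # Unsealed, initialized
  local sealed_status
  sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
    jq -r '.sealed')
  [ "${sealed_status}" == "false" ]

  init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
    jq -r '.initialized')
  [ "${init_status}" == "true" ]

  # Log in with the root token via stdin ('-') instead of argv, and do not
  # echo the token back into the test output.
  echo "${root}" | kubectl exec -i "$(name_prefix)-0" -- bao login -no-print -

  local raft_status
  raft_status=$(kubectl exec "$(name_prefix)-0" -- bao operator raft list-peers -format=json |
    jq -r '.data.config.servers | length')
  [ "${raft_status}" == "3" ]
}

# bats runs setup() before each test: start from a fresh acceptance namespace.
setup() {
  kubectl delete namespace acceptance --ignore-not-found=true
  kubectl create namespace acceptance
  kubectl config set-context --current --namespace=acceptance
}

# Clean up. Set CLEANUP=false to keep the release and namespace around for debugging.
teardown() {
  if [[ ${CLEANUP:-true} == "true" ]]
  then
    # If the test failed, print some debug output
    if [[ "$BATS_ERROR_STATUS" -ne 0 ]]; then
      kubectl logs -l app.kubernetes.io/name=openbao
    fi
    helm delete "$(name_prefix)"
    kubectl delete --all pvc
    kubectl delete namespace acceptance --ignore-not-found=true
  fi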
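}
--------------------------------------------------------------------------------
/test/acceptance/server-telemetry.bats:
--------------------------------------------------------------------------------
#!/usr/bin/env bats

load _helpers

# Installs kube-prometheus-stack next to the chart (with serverTelemetry
# enabled, see server-test/telemetry.yaml) and checks that Prometheus
# discovers and successfully scrapes the OpenBao metrics endpoint.
@test "server/telemetry: prometheusOperator" {
  cd "$(chart_dir)"
  helm --namespace acceptance uninstall "$(name_prefix)" || :
  helm --namespace acceptance uninstall prometheus || :
  kubectl delete namespace acceptance --ignore-not-found=true
  kubectl create namespace acceptance
  kubectl config set-context --current --namespace=acceptance

  # Third-party chart fetched at test time; the version is pinned so an
  # upstream release cannot silently change what this test exercises.
  helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
  helm repo update
  helm install \
    --wait \
    --version 39.6.0 \
    prometheus prometheus-community/kube-prometheus-stack

  helm install \
    --wait \
    --values ../../test/acceptance/server-test/telemetry.yaml \
    "$(name_prefix)" .

  wait_for_running "$(name_prefix)-0"

  # Sealed, not initialized
  wait_for_sealed_vault "$(name_prefix)-0"

  # OpenBao Init (single key share; the key lives only in this variable).
  # jq -r prints "null" for a missing key, so check for that too.
  local token
  token=$(kubectl exec "$(name_prefix)-0" -- \
    bao operator init -format=json -n 1 -t 1 | \
    jq -r '.unseal_keys_b64[0]')
  [ -n "${token}" ] && [ "${token}" != "null" ]

  # OpenBao Unseal
  local pods pod
  pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name'))
  for pod in "${pods[@]}"
  do
    kubectl exec "${pod}" -- bao operator unseal "${token}"
  done

  wait_for_ready "$(name_prefix)-0"

  # Unsealed, initialized
  local sealed_status
  sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
    jq -r '.sealed')
  [ "${sealed_status}" == "false" ]

  local init_status
  init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
    jq -r '.initialized')
  [ "${init_status}" == "true" ]

  # unfortunately it can take up to 2 minutes (240 x 0.5s) for the openbao
  # prometheus job to appear
  # TODO: investigate how reduce this.
  local job_labels
  local tries=0
  until [ "${tries}" -ge 240 ]
  do
    job_labels=$( (kubectl exec -n acceptance svc/prometheus-kube-prometheus-prometheus \
      -c prometheus \
      -- wget -q -O - http://127.0.0.1:9090/api/v1/label/job/values) | tee /dev/stderr )

    # Ensure the expected job label was picked up by Prometheus
    [ "$(echo "${job_labels}" | jq 'any(.data[]; . == "openbao-internal")')" = "true" ] && break

    ((++tries))
    sleep .5
  done

  # Ensure the expected job is "up"
  local job_up
  job_up=$( ( kubectl exec -n acceptance svc/prometheus-kube-prometheus-prometheus \
    -c prometheus \
    -- wget -q -O - 'http://127.0.0.1:9090/api/v1/query?query=up{job="openbao-internal"}' ) | \
    tee /dev/stderr )
  [ "$(echo "${job_up}" | jq '.data.result[0].value[1]')" = \"1\" ]
}

# Clean up. Set CLEANUP=false to keep the releases and namespace around for debugging.
teardown() {
  if [[ ${CLEANUP:-true} == "true" ]]
  then
    echo "helm/pvc teardown"
    helm uninstall "$(name_prefix)"
    helm uninstall prometheus
    kubectl delete --all pvc
    kubectl delete namespace acceptance --ignore-not-found=true
  fi
}
--------------------------------------------------------------------------------
/test/acceptance/server-test/annotations-overrides.yaml:
--------------------------------------------------------------------------------
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

# Values for server-annotations.bats: pod annotations as a YAML-formatted
# string (which the chart templates, hence the Release.Name reference) and
# service annotations as a plain YAML map.
server:
  annotations: |
    environment: production
    milk: oat
    myName: "{{ .Release.Name }}"
  service:
    annotations:
      active: sometimes
      pickMe: please
--------------------------------------------------------------------------------
/test/acceptance/server-test/telemetry.yaml:
--------------------------------------------------------------------------------
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

# Values for server-telemetry.bats. Two settings in the listener below are
# deliberately weak and exist only so the test can run without extra setup:
#   - tls_disable = 1: plaintext listener. Real deployments terminate TLS on
#     the listener (tls_cert_file/tls_key_file) or in front of it.
#   - unauthenticated_metrics_access = "true": the server's metrics endpoint
#     answers without a token to anyone who can reach this listener. Outside
#     a test, restrict who can reach it (NetworkPolicy, scrape from a trusted
#     network) or leave it off and scrape with a token.
server:
  standalone:
    config: |
      ui = true

      listener "tcp" {
        tls_disable = 1
        address = "[::]:8200"
        cluster_address = "[::]:8201"
        # Enable unauthenticated metrics access (necessary for Prometheus Operator)
        telemetry {
          unauthenticated_metrics_access = "true"
        }
      }

      storage "file" {
        path = "/openbao/data"
      }

      telemetry {
        prometheus_retention_time = "30s"
        disable_hostname = true
      }

serverTelemetry:
  serviceMonitor:
    enabled: true
    interval: 15s
--------------------------------------------------------------------------------
/test/acceptance/server.bats:
--------------------------------------------------------------------------------
#!/usr/bin/env bats

load _helpers

# Default (standalone) install: checks the rendered StatefulSet/Service shape,
# then initialises and unseals the single node by hand.
@test "server/standalone: testing deployment" {
  cd "$(chart_dir)"

  kubectl delete namespace acceptance --ignore-not-found=true
  kubectl create namespace acceptance
  kubectl config set-context --current --namespace=acceptance

  helm install "$(name_prefix)" .
  wait_for_running "$(name_prefix)-0"

  # Sealed, not initialized: nothing has initialised the server yet.
  wait_for_sealed_vault "$(name_prefix)-0"

  local init_status
  init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
    jq -r '.initialized')
  [ "${init_status}" == "false" ]

  # Replicas
  local replicas
  replicas=$(kubectl get statefulset "$(name_prefix)" --output json |
    jq -r '.spec.replicas')
  [ "${replicas}" == "1" ]

  # Affinity
  local affinity
  affinity=$(kubectl get statefulset "$(name_prefix)" --output json |
    jq -r '.spec.template.spec.affinity')
  [ "${affinity}" != "null" ]

  # Volume Mounts
  local volumeCount
  volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
    jq -r '.spec.template.spec.containers[0].volumeMounts | length')
  [ "${volumeCount}" == "3" ]

  local mountName
  mountName=$(kubectl get statefulset "$(name_prefix)" --output json |
    jq -r '.spec.template.spec.containers[0].volumeMounts[0].name')
  [ "${mountName}" == "data" ]

  local mountPath
  mountPath=$(kubectl get statefulset "$(name_prefix)" --output json |
    jq -r '.spec.template.spec.containers[0].volumeMounts[0].mountPath')
  [ "${mountPath}" == "/openbao/data" ]

  # Volumes
  volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
    jq -r '.spec.template.spec.volumes | length')
  [ "${volumeCount}" == "2" ]

  local volume
  volume=$(kubectl get statefulset "$(name_prefix)" --output json |
    jq -r '.spec.template.spec.volumes[0].configMap.name')
  [ "${volume}" == "$(name_prefix)-config" ]

  # Service
  local service
  service=$(kubectl get service "$(name_prefix)" --output json |
    jq -r '.spec.clusterIP')
  [ "${service}" != "None" ]

  service=$(kubectl get service "$(name_prefix)" --output json |
    jq -r '.spec.type')
  [ "${service}" == "ClusterIP" ]

  local ports
  ports=$(kubectl get service "$(name_prefix)" --output json |
    jq -r '.spec.ports | length')
  [ "${ports}" == "2" ]

  ports=$(kubectl get service "$(name_prefix)" --output json |
    jq -r '.spec.ports[0].port')
  [ "${ports}" == "8200" ]

  ports=$(kubectl get service "$(name_prefix)" --output json |
    jq -r '.spec.ports[1].port')
  [ "${ports}" == "8201" ]

  # OpenBao Init (single key share; the key lives only in this variable).
  # jq -r prints "null" for a missing key, so check for that too.
  local token
  token=$(kubectl exec "$(name_prefix)-0" -- \
    bao operator init -format=json -n 1 -t 1 | \
    jq -r '.unseal_keys_b64[0]')
  [ -n "${token}" ] && [ "${token}" != "null" ]

  # OpenBao Unseal. NOTE(review): the key is passed as a command argument and
  # is visible in the pod's process list while the command runs; acceptable
  # only because this is a throw-away test cluster.
  local pods pod
  pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name'))
  for pod in "${pods[@]}"
  do
    kubectl exec "${pod}" -- bao operator unseal "${token}"
  done

  wait_for_ready "$(name_prefix)-0"

  # Unsealed, initialized
  local sealed_status
  sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
    jq -r '.sealed')
  [ "${sealed_status}" == "false" ]

  init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
    jq -r '.initialized')
  [ "${init_status}" == "true" ]
}

# Clean up. Set CLEANUP=false to keep the release and namespace around for debugging.
teardown() {
  if [[ ${CLEANUP:-true} == "true" ]]
  then
    echo "helm/pvc teardown"
    helm delete "$(name_prefix)"
    kubectl delete --all pvc
    kubectl delete namespace acceptance --ignore-not-found=true
  fi
}
--------------------------------------------------------------------------------
/test/chart/_helpers.bash:
--------------------------------------------------------------------------------
# Copyright (c) HashiCorp, Inc.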
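# SPDX-License-Identifier: MPL-2.0

# chart_dir returns the directory for the chart, resolved relative to the
# directory of the running test file (test/chart -> charts/openbao).
chart_dir() {
  echo "${BATS_TEST_DIRNAME}/../../charts/openbao"
}

# check_result checks if the specified test passed
# results schema example:
# {
#   "check": "has-minkubeversion",
#   "type": "Mandatory",
#   "outcome": "PASS",
#   "reason": "Minimum Kubernetes version specified"
# }
#
# $1 is the check name exactly as chart-verifier reports it (e.g.
# v1.0/helm-lint); VERIFY_OUTPUT must point at the JSON report written by
# setup_file. The name is handed to jq as a variable (--arg) rather than
# spliced into the jq program, so quotes or jq syntax in it cannot change
# the filter. Returns 0 only when the check's outcome is PASS.
check_result() {
  local -r var="$1"
  local check
  check=$(jq -r --arg name "${var}" '.results[] | select(.check==$name).outcome' "${VERIFY_OUTPUT}")
  [ "$check" = "PASS" ]
}
--------------------------------------------------------------------------------
/test/chart/verifier.bats:
--------------------------------------------------------------------------------
#!/usr/bin/env bats

load _helpers

# Runs Red Hat's chart-verifier once over the chart -- natively, or inside the
# pinned container image when USE_DOCKER is set -- and keeps the JSON report
# for the per-check tests below.
setup_file() {
  cd "$(chart_dir)"
  export VERIFY_OUTPUT="$BATS_RUN_TMPDIR/verify.json"
  export CHART_VOLUME=openbao-helm-chart-src
  # Pinned by tag only. A tag can be re-pointed upstream; pin by digest
  # (image@sha256:...) if this run must be reproducible.
  local IMAGE="quay.io/redhat-certification/chart-verifier:1.13.9"
  # chart-verifier requires an openshift version if a cluster isn't available
  local OPENSHIFT_VERSION="4.12"
  local DISABLED_TESTS="chart-testing"

  local run_cmd="chart-verifier"
  local chart_src="."

  # USE_DOCKER is an on/off switch: any non-empty value selects the
  # container path.
  if [ -n "${USE_DOCKER:-}" ]; then
    chart_src="/chart"
    # Create a dummy container which will hold a volume with chart source
    docker create -v "$chart_src" --name "$CHART_VOLUME" alpine:3 /bin/true
    # Copy the chart source into this volume
    docker cp . "$CHART_VOLUME:$chart_src"
    # Fetch the pinned chart-verifier image
    docker pull "$IMAGE"
    # Start chart-verifier using this volume
    run_cmd="docker run --rm --volumes-from $CHART_VOLUME -w $chart_src $IMAGE"
  fi

  # run_cmd is intentionally unquoted: it is a command line that must be
  # word-split. chart-verifier's own exit status is not asserted here (no
  # pipefail); each @test below checks its outcome in the report instead.
  $run_cmd verify "$chart_src" \
    --output json \
    --openshift-version "$OPENSHIFT_VERSION" \
    --disable "$DISABLED_TESTS" \
    --chart-values values.openshift.yaml 2>&1 | tee "$VERIFY_OUTPUT"
}

teardown_file() {
  if [ -n "${USE_DOCKER:-}" ]; then
    # -v also removes the anonymous volume created by `docker create -v`,
    # which otherwise leaks a copy of the chart source on every run.
    docker rm -v "$CHART_VOLUME"
  fi
}

# One test per chart-verifier check; each reads the shared report.

@test "has-kubeversion" {
  check_result v1.1/has-kubeversion
}

@test "is-helm-v3" {
  check_result v1.0/is-helm-v3
}

@test "not-contains-crds" {
  check_result v1.0/not-contains-crds
}

@test "helm-lint" {
  check_result v1.0/helm-lint
}

@test "not-contain-csi-objects" {
  check_result v1.0/not-contain-csi-objects
}

@test "has-readme" {
  check_result v1.0/has-readme
}

@test "contains-values" {
  check_result v1.0/contains-values
}

@test "contains-values-schema" {
  check_result v1.0/contains-values-schema
}

@test "contains-test" {
  check_result v1.0/contains-test
}

@test "images-are-certified" {
  check_result v1.1/images-are-certified
}

@test "required-annotations-present" {
  check_result v1.0/required-annotations-present
}

@test "chart-testing" {
  skip "Skipping since this test requires a kubernetes/openshift cluster"
  check_result v1.0/chart-testing
}

@test "signature-is-valid" {
  skip "Chart is not signed : Signature verification not required"
  check_result v1.0/signature-is-valid
}
--------------------------------------------------------------------------------
/test/docker/Test.dockerfile: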
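--------------------------------------------------------------------------------
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

# This Dockerfile installs all the dependencies necessary to run the unit and
# acceptance tests. This image also contains gcloud so you can run tests
# against a GKE cluster easily.
#
# This image has no automatic entrypoint. It is expected that you'll run
# a script to configure kubectl, potentially install Helm, and run the tests
# manually. This image only has the dependencies pre-installed.
#
# Supply-chain notes: every tool below is fetched from its upstream at build
# time. Versions are build args so CI can pin them with --build-arg; the
# defaults keep the previous behaviour. Where upstream publishes checksums
# (terraform, kubectl) the download is verified against them -- that ties the
# artifact to the same TLS origin it came from, it is not a signature check.
# Every curl uses -f so an HTTP error fails the build instead of feeding an
# error page to unzip/tar/bash.

ARG ALPINE_TAG=latest
FROM docker.mirror.hashicorp.services/alpine:${ALPINE_TAG}
WORKDIR /root

ARG BATS_VERSION=1.3.0
ARG TERRAFORM_VERSION=0.12.10
# Empty means "whatever stable.txt / the installer resolves to at build time".
ARG KUBECTL_VERSION=
ARG HELM_VERSION=
ENV BATS_VERSION=${BATS_VERSION}
ENV TERRAFORM_VERSION=${TERRAFORM_VERSION}

# base packages (runtime tools for the tests, so they are not grouped into a
# virtual package that would suggest they get removed later)
RUN apk add --no-cache \
    ca-certificates \
    curl \
    tar \
    bash \
    openssl \
    py-pip \
    git \
    make \
    jq

# yq
RUN python3 -m venv venv && \
    . venv/bin/activate && \
    pip install yq && \
    ln -s $PWD/venv/bin/yq /usr/local/bin/yq && \
    deactivate

# gcloud (installer script from Google's "rapid" channel; upstream publishes
# no pin or checksum for it, so this step trusts the TLS origin)
RUN curl -fsSL -o install_google_cloud_sdk.bash https://dl.google.com/dl/cloudsdk/channels/rapid/install_google_cloud_sdk.bash && \
    bash install_google_cloud_sdk.bash --disable-prompts --install-dir='/root/' && \
    rm -f install_google_cloud_sdk.bash && \
    ln -s /root/google-cloud-sdk/bin/gcloud /usr/local/bin/gcloud

# terraform, verified against the SHA256SUMS file HashiCorp publishes for the
# release (the zip unpacks to /root/terraform, as before)
RUN cd /tmp && \
    curl -fsSL -O "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip" && \
    curl -fsSL -O "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS" && \
    grep "terraform_${TERRAFORM_VERSION}_linux_amd64.zip" "terraform_${TERRAFORM_VERSION}_SHA256SUMS" | sha256sum -c - && \
    unzip "terraform_${TERRAFORM_VERSION}_linux_amd64.zip" -d /root && \
    rm -f "terraform_${TERRAFORM_VERSION}_linux_amd64.zip" "terraform_${TERRAFORM_VERSION}_SHA256SUMS" && \
    ln -s /root/terraform /usr/local/bin/terraform

# kubectl from the official release endpoint, checked against the published
# .sha256 for that exact binary
RUN KUBECTL_VERSION="${KUBECTL_VERSION:-$(curl -fsSL https://dl.k8s.io/release/stable.txt)}" && \
    curl -fsSL -o kubectl "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" && \
    curl -fsSL -o kubectl.sha256 "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256" && \
    echo "$(cat kubectl.sha256)  kubectl" | sha256sum -c - && \
    rm -f kubectl.sha256 && \
    chmod +x ./kubectl && \
    mv ./kubectl /usr/local/bin/kubectl

# helm, via the upstream installer script saved to disk first rather than
# piped straight into bash; the script honours DESIRED_VERSION when set and
# installs the latest release when it is empty
RUN curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 && \
    chmod 700 get_helm.sh && \
    DESIRED_VERSION="${HELM_VERSION}" ./get_helm.sh && \
    rm -f get_helm.sh

# bats
RUN curl -fsSL -o /tmp/bats.tgz "https://github.com/bats-core/bats-core/archive/v${BATS_VERSION}.tar.gz" \
    && tar -zxf /tmp/bats.tgz -C /tmp \
    && /bin/bash "/tmp/bats-core-${BATS_VERSION}/install.sh" /usr/local \
    && rm -rf /tmp/bats.tgz "/tmp/bats-core-${BATS_VERSION}"
--------------------------------------------------------------------------------
/test/kind/config.yaml:
--------------------------------------------------------------------------------
# Copyright (c) HashiCorp, Inc.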
2 | # SPDX-License-Identifier: MPL-2.0 3 | 4 | kind: Cluster 5 | apiVersion: kind.x-k8s.io/v1alpha4 6 | nodes: 7 | - role: control-plane 8 | - role: worker 9 | - role: worker 10 | - role: worker 11 | # These apiServer settings are included for running the CSI provider on K8s 12 | # prior to 1.21 13 | kubeadmConfigPatches: 14 | - | 15 | apiVersion: kubeadm.k8s.io/v1beta2 16 | kind: ClusterConfiguration 17 | metadata: 18 | name: config 19 | apiServer: 20 | extraArgs: 21 | "service-account-issuer": "https://kubernetes.default.svc.cluster.local" 22 | "service-account-signing-key-file": "/etc/kubernetes/pki/sa.key" 23 | "service-account-api-audiences": "https://kubernetes.default.svc.cluster.local" 24 | -------------------------------------------------------------------------------- /test/terraform/.gitignore: -------------------------------------------------------------------------------- 1 | vault-helm-dev-creds.json 2 | -------------------------------------------------------------------------------- /test/terraform/main.tf: -------------------------------------------------------------------------------- 1 | # Copyright (c) HashiCorp, Inc. 2 | # SPDX-License-Identifier: MPL-2.0 3 | 4 | provider "google" { 5 | project = "${var.project}" 6 | } 7 | 8 | resource "random_id" "suffix" { 9 | byte_length = 4 10 | } 11 | 12 | data "google_container_engine_versions" "main" { 13 | location = "${var.zone}" 14 | version_prefix = "1.19." 
15 | } 16 | 17 | data "google_service_account" "gcpapi" { 18 | account_id = "${var.gcp_service_account}" 19 | } 20 | 21 | resource "google_container_cluster" "cluster" { 22 | name = "openbao-helm-dev-${random_id.suffix.dec}" 23 | project = "${var.project}" 24 | enable_legacy_abac = true 25 | initial_node_count = 3 26 | location = "${var.zone}" 27 | min_master_version = "${data.google_container_engine_versions.main.latest_master_version}" 28 | node_version = "${data.google_container_engine_versions.main.latest_node_version}" 29 | 30 | node_config { 31 | #service account for nodes to use 32 | oauth_scopes = [ 33 | "https://www.googleapis.com/auth/cloud-platform", 34 | "https://www.googleapis.com/auth/compute", 35 | "https://www.googleapis.com/auth/devstorage.read_write", 36 | "https://www.googleapis.com/auth/logging.write", 37 | "https://www.googleapis.com/auth/monitoring", 38 | "https://www.googleapis.com/auth/service.management.readonly", 39 | "https://www.googleapis.com/auth/servicecontrol", 40 | "https://www.googleapis.com/auth/trace.append", 41 | ] 42 | 43 | service_account = "${data.google_service_account.gcpapi.email}" 44 | } 45 | } 46 | 47 | resource "null_resource" "kubectl" { 48 | count = "${var.init_cli ? 1 : 0 }" 49 | 50 | triggers = { 51 | cluster = "${google_container_cluster.cluster.id}" 52 | } 53 | 54 | # On creation, we want to setup the kubectl credentials. The easiest way 55 | # to do this is to shell out to gcloud. 56 | provisioner "local-exec" { 57 | command = "gcloud container clusters get-credentials --zone=${var.zone} ${google_container_cluster.cluster.name}" 58 | } 59 | 60 | # On destroy we want to try to clean up the kubectl credentials. This 61 | # might fail if the credentials are already cleaned up or something so we 62 | # want this to continue on failure. Generally, this works just fine since 63 | # it only operates on local data. 
64 | provisioner "local-exec" { 65 | when = "destroy" 66 | on_failure = "continue" 67 | command = "kubectl config get-clusters | grep ${google_container_cluster.cluster.name} | xargs -n1 kubectl config delete-cluster" 68 | } 69 | 70 | provisioner "local-exec" { 71 | when = "destroy" 72 | on_failure = "continue" 73 | command = "kubectl config get-contexts | grep ${google_container_cluster.cluster.name} | xargs -n1 kubectl config delete-context" 74 | } 75 | } 76 | -------------------------------------------------------------------------------- /test/terraform/outputs.tf: -------------------------------------------------------------------------------- 1 | # Copyright (c) HashiCorp, Inc. 2 | # SPDX-License-Identifier: MPL-2.0 3 | 4 | output "cluster_id" { 5 | value = "${google_container_cluster.cluster.id}" 6 | } 7 | 8 | output "cluster_name" { 9 | value = "${google_container_cluster.cluster.name}" 10 | } 11 | -------------------------------------------------------------------------------- /test/terraform/variables.tf: -------------------------------------------------------------------------------- 1 | # Copyright (c) HashiCorp, Inc. 2 | # SPDX-License-Identifier: MPL-2.0 3 | 4 | variable "project" { 5 | default = "openbao-helm-dev-246514" 6 | 7 | description = < 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | } 13 | 14 | @test "csi/Agent-ConfigMap: name" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | --show-only templates/csi-agent-configmap.yaml \ 18 | --set "csi.enabled=true" \ 19 | . | tee /dev/stderr | 20 | yq -r '.metadata.name' | tee /dev/stderr) 21 | [ "${actual}" = "release-name-openbao-csi-provider-agent-config" ] 22 | } 23 | 24 | @test "csi/Agent-ConfigMap: namespace" { 25 | cd `chart_dir` 26 | local actual=$(helm template \ 27 | --show-only templates/csi-agent-configmap.yaml \ 28 | --set "csi.enabled=true" \ 29 | --namespace foo \ 30 | . 
| tee /dev/stderr | 31 | yq -r '.metadata.namespace' | tee /dev/stderr) 32 | [ "${actual}" = "foo" ] 33 | local actual=$(helm template \ 34 | --show-only templates/csi-agent-configmap.yaml \ 35 | --set "csi.enabled=true" \ 36 | --set 'global.namespace=bar' \ 37 | --namespace foo \ 38 | . | tee /dev/stderr | 39 | yq -r '.metadata.namespace' | tee /dev/stderr) 40 | [ "${actual}" = "bar" ] 41 | } 42 | 43 | @test "csi/Agent-ConfigMap: OpenBao addr not affected by injector setting" { 44 | cd `chart_dir` 45 | local actual=$(helm template \ 46 | --show-only templates/csi-agent-configmap.yaml \ 47 | --set "csi.enabled=true" \ 48 | --release-name not-external-test \ 49 | --set 'injector.externalVaultAddr=http://openbao-outside' \ 50 | . | tee /dev/stderr | 51 | yq -r '.data["config.hcl"]' | tee /dev/stderr) 52 | echo "${actual}" | grep "http://not-external-test-openbao.default.svc:8200" 53 | } 54 | 55 | @test "csi/Agent-ConfigMap: OpenBao addr correctly set for externalVaultAddr" { 56 | cd `chart_dir` 57 | local actual=$(helm template \ 58 | --show-only templates/csi-agent-configmap.yaml \ 59 | --set "csi.enabled=true" \ 60 | --set 'global.externalVaultAddr=http://openbao-outside' \ 61 | . | tee /dev/stderr | 62 | yq -r '.data["config.hcl"]' | tee /dev/stderr) 63 | echo "${actual}" | grep "http://openbao-outside" 64 | } 65 | 66 | @test "csi/Agent-ConfigMap: OpenBao addr correctly set for externalBaoAddr" { 67 | cd `chart_dir` 68 | local actual=$(helm template \ 69 | --show-only templates/csi-agent-configmap.yaml \ 70 | --set "csi.enabled=true" \ 71 | --set 'global.externalBaoAddr=http://openbao-outside' \ 72 | . 
| tee /dev/stderr | 73 | yq -r '.data["config.hcl"]' | tee /dev/stderr) 74 | echo "${actual}" | grep "http://openbao-outside" 75 | } 76 | 77 | @test "csi/Agent-ConfigMap: OpenBao addr correctly set for externalBaoAddr, verify if externalBaoAddr takes precendece over externalVaultAddr" { 78 | cd `chart_dir` 79 | local actual=$(helm template \ 80 | --show-only templates/csi-agent-configmap.yaml \ 81 | --set "csi.enabled=true" \ 82 | --set 'global.externalBaoAddr=http://openbao-outside' \ 83 | --set 'global.externalVaultAddr=http://vault-outside' \ 84 | . | tee /dev/stderr | 85 | yq -r '.data["config.hcl"]' | tee /dev/stderr) 86 | echo "${actual}" | grep "http://openbao-outside" 87 | } -------------------------------------------------------------------------------- /test/unit/csi-clusterrole.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "csi/ClusterRole: disabled by default" { 6 | cd `chart_dir` 7 | local actual=$( (helm template \ 8 | --show-only templates/csi-clusterrole.yaml \ 9 | . || echo "---") | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | } 13 | 14 | @test "csi/ClusterRole: enabled with csi.enabled" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | --show-only templates/csi-clusterrole.yaml \ 18 | --set 'csi.enabled=true' \ 19 | . | tee /dev/stderr | 20 | yq 'length > 0' | tee /dev/stderr) 21 | [ "${actual}" = "true" ] 22 | } 23 | 24 | # ClusterRole name 25 | @test "csi/ClusterRole: name" { 26 | cd `chart_dir` 27 | local actual=$(helm template \ 28 | --show-only templates/csi-clusterrole.yaml \ 29 | --set "csi.enabled=true" \ 30 | . 
| tee /dev/stderr | 31 | yq -r '.metadata.name' | tee /dev/stderr) 32 | [ "${actual}" = "release-name-openbao-csi-provider-clusterrole" ] 33 | } 34 | -------------------------------------------------------------------------------- /test/unit/csi-clusterrolebinding.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "csi/ClusterRoleBinding: disabled by default" { 6 | cd `chart_dir` 7 | local actual=$( (helm template \ 8 | --show-only templates/csi-clusterrolebinding.yaml \ 9 | . || echo "---")| tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | } 13 | 14 | @test "csi/ClusterRoleBinding: enabled with csi.enabled" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | --show-only templates/csi-clusterrolebinding.yaml \ 18 | --set 'csi.enabled=true' \ 19 | . | tee /dev/stderr | 20 | yq 'length > 0' | tee /dev/stderr) 21 | [ "${actual}" = "true" ] 22 | } 23 | 24 | # ClusterRoleBinding cluster role ref name 25 | @test "csi/ClusterRoleBinding: cluster role ref name" { 26 | cd `chart_dir` 27 | local actual=$(helm template \ 28 | --show-only templates/csi-clusterrolebinding.yaml \ 29 | --set "csi.enabled=true" \ 30 | . | tee /dev/stderr | 31 | yq -r '.roleRef.name' | tee /dev/stderr) 32 | [ "${actual}" = "release-name-openbao-csi-provider-clusterrole" ] 33 | } 34 | 35 | # ClusterRoleBinding service account name 36 | @test "csi/ClusterRoleBinding: service account name" { 37 | cd `chart_dir` 38 | local actual=$(helm template \ 39 | --show-only templates/csi-clusterrolebinding.yaml \ 40 | --set "csi.enabled=true" \ 41 | . 
| tee /dev/stderr | 42 | yq -r '.subjects[0].name' | tee /dev/stderr) 43 | [ "${actual}" = "release-name-openbao-csi-provider" ] 44 | } 45 | 46 | # ClusterRoleBinding service account namespace 47 | @test "csi/ClusterRoleBinding: service account namespace" { 48 | cd `chart_dir` 49 | local actual=$(helm template \ 50 | --show-only templates/csi-clusterrolebinding.yaml \ 51 | --set "csi.enabled=true" \ 52 | --namespace foo \ 53 | . | tee /dev/stderr | 54 | yq -r '.subjects[0].namespace' | tee /dev/stderr) 55 | [ "${actual}" = "foo" ] 56 | local actual=$(helm template \ 57 | --show-only templates/csi-clusterrolebinding.yaml \ 58 | --set "csi.enabled=true" \ 59 | --set 'global.namespace=bar' \ 60 | --namespace foo \ 61 | . | tee /dev/stderr | 62 | yq -r '.subjects[0].namespace' | tee /dev/stderr) 63 | [ "${actual}" = "bar" ] 64 | } 65 | -------------------------------------------------------------------------------- /test/unit/csi-role.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "csi/Role: disabled by default" { 6 | cd `chart_dir` 7 | local actual=$( (helm template \ 8 | --show-only templates/csi-role.yaml \ 9 | . || echo "---") | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | } 13 | 14 | @test "csi/Role: names" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | --show-only templates/csi-role.yaml \ 18 | --set "csi.enabled=true" \ 19 | . | tee /dev/stderr | 20 | yq -r '.metadata.name' | tee /dev/stderr) 21 | [ "${actual}" = "release-name-openbao-csi-provider-role" ] 22 | local actual=$(helm template \ 23 | --show-only templates/csi-role.yaml \ 24 | --set "csi.enabled=true" \ 25 | . 
| tee /dev/stderr | 26 | yq -r '.rules[0].resourceNames[0]' | tee /dev/stderr) 27 | [ "${actual}" = "openbao-csi-provider-hmac-key" ] 28 | } 29 | 30 | @test "csi/Role: namespace" { 31 | cd `chart_dir` 32 | local actual=$(helm template \ 33 | --show-only templates/csi-role.yaml \ 34 | --set "csi.enabled=true" \ 35 | --namespace foo \ 36 | . | tee /dev/stderr | 37 | yq -r '.metadata.namespace' | tee /dev/stderr) 38 | [ "${actual}" = "foo" ] 39 | local actual=$(helm template \ 40 | --show-only templates/csi-role.yaml \ 41 | --set "csi.enabled=true" \ 42 | --set 'global.namespace=bar' \ 43 | --namespace foo \ 44 | . | tee /dev/stderr | 45 | yq -r '.metadata.namespace' | tee /dev/stderr) 46 | [ "${actual}" = "bar" ] 47 | } 48 | 49 | @test "csi/Role: HMAC secret name configurable" { 50 | cd `chart_dir` 51 | local actual=$(helm template \ 52 | --show-only templates/csi-role.yaml \ 53 | --set "csi.enabled=true" \ 54 | --set 'csi.hmacSecretName=foo' \ 55 | . | tee /dev/stderr | 56 | yq -r '.rules[0].resourceNames[0]' | tee /dev/stderr) 57 | [ "${actual}" = "foo" ] 58 | } 59 | -------------------------------------------------------------------------------- /test/unit/csi-rolebinding.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "csi/RoleBinding: disabled by default" { 6 | cd `chart_dir` 7 | local actual=$( (helm template \ 8 | --show-only templates/csi-rolebinding.yaml \ 9 | . || echo "---") | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | } 13 | 14 | @test "csi/RoleBinding: name" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | --show-only templates/csi-rolebinding.yaml \ 18 | --set "csi.enabled=true" \ 19 | . 
| tee /dev/stderr | 20 | yq -r '.metadata.name' | tee /dev/stderr) 21 | [ "${actual}" = "release-name-openbao-csi-provider-rolebinding" ] 22 | } 23 | 24 | @test "csi/RoleBinding: namespace" { 25 | cd `chart_dir` 26 | local actual=$(helm template \ 27 | --show-only templates/csi-rolebinding.yaml \ 28 | --set "csi.enabled=true" \ 29 | --namespace foo \ 30 | . | tee /dev/stderr | 31 | yq -r '.metadata.namespace' | tee /dev/stderr) 32 | [ "${actual}" = "foo" ] 33 | local actual=$(helm template \ 34 | --show-only templates/csi-rolebinding.yaml \ 35 | --set "csi.enabled=true" \ 36 | --set 'global.namespace=bar' \ 37 | --namespace foo \ 38 | . | tee /dev/stderr | 39 | yq -r '.metadata.namespace' | tee /dev/stderr) 40 | [ "${actual}" = "bar" ] 41 | } 42 | -------------------------------------------------------------------------------- /test/unit/csi-serviceaccount.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "csi/ServiceAccount: disabled by default" { 6 | cd `chart_dir` 7 | local actual=$( (helm template \ 8 | --show-only templates/csi-serviceaccount.yaml \ 9 | . || echo "---") | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | } 13 | 14 | @test "csi/ServiceAccount: enable with csi.enabled" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | --show-only templates/csi-serviceaccount.yaml \ 18 | --set 'csi.enabled=true' \ 19 | . | tee /dev/stderr | 20 | yq 'length > 0' | tee /dev/stderr) 21 | [ "${actual}" = "true" ] 22 | } 23 | 24 | # serviceAccountName reference name 25 | @test "csi/daemonset: serviceAccountName name" { 26 | cd `chart_dir` 27 | local actual=$(helm template \ 28 | --show-only templates/csi-serviceaccount.yaml \ 29 | --set "csi.enabled=true" \ 30 | . 
| tee /dev/stderr | 31 | yq -r '.metadata.name' | tee /dev/stderr) 32 | [ "${actual}" = "release-name-openbao-csi-provider" ] 33 | } 34 | 35 | # serviceAccountNamespace namespace 36 | @test "csi/daemonset: serviceAccountNamespace namespace" { 37 | cd `chart_dir` 38 | local actual=$(helm template \ 39 | --show-only templates/csi-serviceaccount.yaml \ 40 | --set "csi.enabled=true" \ 41 | --namespace foo \ 42 | . | tee /dev/stderr | 43 | yq -r '.metadata.namespace' | tee /dev/stderr) 44 | [ "${actual}" = "foo" ] 45 | local actual=$(helm template \ 46 | --show-only templates/csi-serviceaccount.yaml \ 47 | --set "csi.enabled=true" \ 48 | --set 'global.namespace=bar' \ 49 | --namespace foo \ 50 | . | tee /dev/stderr | 51 | yq -r '.metadata.namespace' | tee /dev/stderr) 52 | [ "${actual}" = "bar" ] 53 | } 54 | 55 | @test "csi/serviceAccount: specify annotations" { 56 | cd `chart_dir` 57 | local actual=$(helm template \ 58 | --show-only templates/server-serviceaccount.yaml \ 59 | --set 'csi.enabled=true' \ 60 | . | tee /dev/stderr | 61 | yq -r '.metadata.annotations["foo"]' | tee /dev/stderr) 62 | [ "${actual}" = "null" ] 63 | 64 | local actual=$(helm template \ 65 | --show-only templates/server-serviceaccount.yaml \ 66 | --set 'csi.enabled=true' \ 67 | --set 'csi.serviceAccount.annotations=foo: bar' \ 68 | . | tee /dev/stderr | 69 | yq -r '.metadata.annotations["foo"]' | tee /dev/stderr) 70 | [ "${actual}" = "null" ] 71 | 72 | local actual=$(helm template \ 73 | --show-only templates/server-serviceaccount.yaml \ 74 | --set 'csi.enabled=true' \ 75 | --set 'server.serviceAccount.annotations.foo=bar' \ 76 | . 
| tee /dev/stderr | 77 | yq -r '.metadata.annotations["foo"]' | tee /dev/stderr) 78 | [ "${actual}" = "bar" ] 79 | } 80 | 81 | # serviceAccount extraLabels 82 | 83 | @test "csi/serviceAccount: specify csi.serviceAccount.extraLabels" { 84 | cd `chart_dir` 85 | local actual=$(helm template \ 86 | --show-only templates/csi-serviceaccount.yaml \ 87 | --set 'csi.enabled=true' \ 88 | --set 'csi.serviceAccount.extraLabels.foo=bar' \ 89 | . | tee /dev/stderr | 90 | yq -r '.metadata.labels.foo' | tee /dev/stderr) 91 | [ "${actual}" = "bar" ] 92 | } 93 | 94 | 95 | -------------------------------------------------------------------------------- /test/unit/injector-clusterrole.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "injector/ClusterRole: enabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | --show-only templates/injector-clusterrole.yaml \ 9 | . | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "true" ] 12 | } 13 | 14 | @test "injector/ClusterRole: disable with global.enabled" { 15 | cd `chart_dir` 16 | local actual=$( (helm template \ 17 | --show-only templates/injector-clusterrole.yaml \ 18 | --set 'global.enabled=false' \ 19 | . || echo "---") | tee /dev/stderr | 20 | yq 'length > 0' | tee /dev/stderr) 21 | [ "${actual}" = "false" ] 22 | } 23 | 24 | @test "injector/ClusterRole: no nodes permissions when replicas=1" { 25 | cd `chart_dir` 26 | local rules=$(helm template \ 27 | --show-only templates/injector-clusterrole.yaml \ 28 | --set 'injector.replicas=1' \ 29 | . 
| tee /dev/stderr | 30 | yq '.rules' | tee /dev/stderr) 31 | rules_length=$(echo "${rules}" | yq 'length') 32 | [ "${rules_length}" = "1" ] 33 | resources_length=$(echo "${rules}" | yq '.[0].resources | length') 34 | [ "${resources_length}" = "1" ] 35 | resource=$(echo "${rules}" | yq -r '.[0].resources[0]') 36 | [ "${resource}" = "mutatingwebhookconfigurations" ] 37 | } 38 | 39 | @test "injector/ClusterRole: nodes permissions when replicas=2" { 40 | cd `chart_dir` 41 | local rules=$(helm template \ 42 | --show-only templates/injector-clusterrole.yaml \ 43 | --set 'injector.replicas=2' \ 44 | . | tee /dev/stderr | 45 | yq '.rules' | tee /dev/stderr) 46 | rules_length=$(echo "${rules}" | yq 'length') 47 | [ "${rules_length}" = "2" ] 48 | resources_length=$(echo "${rules}" | yq '.[1].resources | length') 49 | [ "${resources_length}" = "1" ] 50 | resource=$(echo "${rules}" | yq -r '.[1].resources[0]') 51 | [ "${resource}" = "nodes" ] 52 | } 53 | -------------------------------------------------------------------------------- /test/unit/injector-clusterrolebinding.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "injector/ClusterRoleBinding: enabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | --show-only templates/injector-clusterrolebinding.yaml \ 9 | . | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "true" ] 12 | } 13 | 14 | @test "injector/ClusterRoleBinding: disable with global.enabled" { 15 | cd `chart_dir` 16 | local actual=$( (helm template \ 17 | --show-only templates/injector-clusterrolebinding.yaml \ 18 | --set 'global.enabled=false' \ 19 | . 
|| echo "---") | tee /dev/stderr | 20 | yq 'length > 0' | tee /dev/stderr) 21 | [ "${actual}" = "false" ] 22 | } 23 | 24 | @test "injector/ClusterRoleBinding: service account namespace" { 25 | cd `chart_dir` 26 | local actual=$(helm template \ 27 | --show-only templates/injector-clusterrolebinding.yaml \ 28 | --set "injector.enabled=true" \ 29 | --namespace foo \ 30 | . | tee /dev/stderr | 31 | yq -r '.subjects[0].namespace' | tee /dev/stderr) 32 | [ "${actual}" = "foo" ] 33 | local actual=$(helm template \ 34 | --show-only templates/injector-clusterrolebinding.yaml \ 35 | --set "injector.enabled=true" \ 36 | --set 'global.namespace=bar' \ 37 | --namespace foo \ 38 | . | tee /dev/stderr | 39 | yq -r '.subjects[0].namespace' | tee /dev/stderr) 40 | [ "${actual}" = "bar" ] 41 | } 42 | -------------------------------------------------------------------------------- /test/unit/injector-disruptionbudget.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "injector/DisruptionBudget: disabled by default" { 6 | cd `chart_dir` 7 | local actual=$( (helm template \ 8 | --show-only templates/injector-disruptionbudget.yaml \ 9 | . || echo "---") | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | } 13 | 14 | @test "injector/DisruptionBudget: namespace" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | --show-only templates/injector-disruptionbudget.yaml \ 18 | --set 'injector.podDisruptionBudget.minAvailable=2' \ 19 | --namespace foo \ 20 | . | tee /dev/stderr | 21 | yq -r '.metadata.namespace' | tee /dev/stderr) 22 | [ "${actual}" = "foo" ] 23 | local actual=$(helm template \ 24 | --show-only templates/injector-disruptionbudget.yaml \ 25 | --set 'injector.podDisruptionBudget.minAvailable=2' \ 26 | --set 'global.namespace=bar' \ 27 | --namespace foo \ 28 | . 
| tee /dev/stderr | 29 | yq -r '.metadata.namespace' | tee /dev/stderr) 30 | [ "${actual}" = "bar" ] 31 | } 32 | 33 | @test "injector/DisruptionBudget: configure with injector.podDisruptionBudget minAvailable" { 34 | cd `chart_dir` 35 | local actual=$(helm template \ 36 | --show-only templates/injector-disruptionbudget.yaml \ 37 | --set 'injector.podDisruptionBudget.minAvailable=2' \ 38 | . | tee /dev/stderr | 39 | yq '.spec.minAvailable == 2' | tee /dev/stderr) 40 | [ "${actual}" = "true" ] 41 | } 42 | 43 | @test "injector/DisruptionBudget: configure with injector.podDisruptionBudget maxUnavailable" { 44 | cd `chart_dir` 45 | local actual=$(helm template \ 46 | --show-only templates/injector-disruptionbudget.yaml \ 47 | --set 'injector.podDisruptionBudget.maxUnavailable=3' \ 48 | . | tee /dev/stderr | 49 | yq '.spec.maxUnavailable == 3' | tee /dev/stderr) 50 | [ "${actual}" = "true" ] 51 | } 52 | -------------------------------------------------------------------------------- /test/unit/injector-psp-role.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "injector/PodSecurityPolicy-Role: PodSecurityPolicy-Role not enabled by default" { 6 | cd `chart_dir` 7 | local actual=$( (helm template \ 8 | --show-only templates/injector-psp-role.yaml \ 9 | . || echo "---" ) | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | } 13 | 14 | @test "injector/PodSecurityPolicy-Role: enable with injector.enabled and global.psp.enable" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | --show-only templates/injector-psp-role.yaml \ 18 | --set 'injector.enabled=true' \ 19 | --set 'global.psp.enable=true' \ 20 | . 
| tee /dev/stderr | 21 | yq 'length > 0' | tee /dev/stderr) 22 | [ "${actual}" = "true" ] 23 | } 24 | 25 | @test "injector/PodSecurityPolicy-Role: ignore global.enabled" { 26 | cd `chart_dir` 27 | local actual=$( (helm template \ 28 | --show-only templates/injector-psp-role.yaml \ 29 | --set 'global.enabled=false' \ 30 | --set 'injector.enabled=true' \ 31 | --set 'global.psp.enable=true' \ 32 | . || echo "---") | tee /dev/stderr | 33 | yq 'length > 0' | tee /dev/stderr) 34 | [ "${actual}" = "true" ] 35 | } 36 | 37 | @test "injector/PodSecurityPolicy-Role: namespace" { 38 | cd `chart_dir` 39 | local actual=$(helm template \ 40 | --show-only templates/injector-psp-role.yaml \ 41 | --set 'injector.enabled=true' \ 42 | --set 'global.psp.enable=true' \ 43 | --namespace foo \ 44 | . | tee /dev/stderr | 45 | yq -r '.metadata.namespace' | tee /dev/stderr) 46 | [ "${actual}" = "foo" ] 47 | local actual=$(helm template \ 48 | --show-only templates/injector-psp-role.yaml \ 49 | --set 'injector.enabled=true' \ 50 | --set 'global.psp.enable=true' \ 51 | --set 'global.namespace=bar' \ 52 | --namespace foo \ 53 | . | tee /dev/stderr | 54 | yq -r '.metadata.namespace' | tee /dev/stderr) 55 | [ "${actual}" = "bar" ] 56 | } 57 | -------------------------------------------------------------------------------- /test/unit/injector-psp-rolebinding.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "injector/PodSecurityPolicy-RoleBinding: PodSecurityPolicy-RoleBinding not enabled by default" { 6 | cd `chart_dir` 7 | local actual=$( (helm template \ 8 | --show-only templates/injector-psp-rolebinding.yaml \ 9 | . 
|| echo "---" ) | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | } 13 | 14 | @test "injector/PodSecurityPolicy-RoleBinding: enable with injector.enabled and global.psp.enable" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | --show-only templates/injector-psp-rolebinding.yaml \ 18 | --set 'injector.enabled=true' \ 19 | --set 'global.psp.enable=true' \ 20 | . | tee /dev/stderr | 21 | yq 'length > 0' | tee /dev/stderr) 22 | [ "${actual}" = "true" ] 23 | } 24 | 25 | @test "injector/PodSecurityPolicy-RoleBinding: ignore global.enabled" { 26 | cd `chart_dir` 27 | local actual=$( (helm template \ 28 | --show-only templates/injector-psp-rolebinding.yaml \ 29 | --set 'global.enabled=false' \ 30 | --set 'injector.enabled=true' \ 31 | --set 'global.psp.enable=true' \ 32 | . || echo "---") | tee /dev/stderr | 33 | yq 'length > 0' | tee /dev/stderr) 34 | [ "${actual}" = "true" ] 35 | } 36 | 37 | @test "injector/PodSecurityPolicy-RoleBinding: namespace" { 38 | cd `chart_dir` 39 | local actual=$(helm template \ 40 | --show-only templates/injector-psp-rolebinding.yaml \ 41 | --set 'injector.enabled=true' \ 42 | --set 'global.psp.enable=true' \ 43 | --namespace foo \ 44 | . | tee /dev/stderr | 45 | yq -r '.metadata.namespace' | tee /dev/stderr) 46 | [ "${actual}" = "foo" ] 47 | local actual=$(helm template \ 48 | --show-only templates/injector-psp-rolebinding.yaml \ 49 | --set 'injector.enabled=true' \ 50 | --set 'global.psp.enable=true' \ 51 | --set 'global.namespace=bar' \ 52 | --namespace foo \ 53 | . 
| tee /dev/stderr | 54 | yq -r '.metadata.namespace' | tee /dev/stderr) 55 | [ "${actual}" = "bar" ] 56 | } 57 | -------------------------------------------------------------------------------- /test/unit/injector-psp.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "injector/PodSecurityPolicy: PodSecurityPolicy not enabled by default" { 6 | cd `chart_dir` 7 | local actual=$( (helm template \ 8 | --show-only templates/injector-psp.yaml \ 9 | . || echo "---") | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | } 13 | 14 | @test "injector/PodSecurityPolicy: enable with injector.enabled and global.psp.enable" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | --show-only templates/injector-psp.yaml \ 18 | --set 'injector.enabled=true' \ 19 | --set 'global.psp.enable=true' \ 20 | . | tee /dev/stderr | 21 | yq 'length > 0' | tee /dev/stderr) 22 | [ "${actual}" = "true" ] 23 | } 24 | 25 | @test "injector/PodSecurityPolicy: ignore global.enabled" { 26 | cd `chart_dir` 27 | local actual=$( (helm template \ 28 | --show-only templates/injector-psp.yaml \ 29 | --set 'global.enabled=false' \ 30 | --set 'injector.enabled=true' \ 31 | --set 'global.psp.enable=true' \ 32 | . || echo "---") | tee /dev/stderr | 33 | yq 'length > 0' | tee /dev/stderr) 34 | [ "${actual}" = "true" ] 35 | } 36 | 37 | @test "injector/PodSecurityPolicy: annotations are templated correctly by default" { 38 | cd `chart_dir` 39 | local actual=$(helm template \ 40 | --show-only templates/injector-psp.yaml \ 41 | --set 'injector.enabled=true' \ 42 | --set 'global.psp.enable=true' \ 43 | . 
| tee /dev/stderr | 44 | yq '.metadata.annotations | length == 4' | tee /dev/stderr) 45 | [ "${actual}" = "true" ] 46 | } 47 | 48 | @test "injector/PodSecurityPolicy: annotations are added - string" { 49 | cd `chart_dir` 50 | local actual=$(helm template \ 51 | --show-only templates/injector-psp.yaml \ 52 | --set 'injector.enabled=true' \ 53 | --set 'global.psp.enable=true' \ 54 | --set 'global.psp.annotations=openbao-is: amazing' \ 55 | . | tee /dev/stderr | 56 | yq -r '.metadata.annotations["openbao-is"]' | tee /dev/stderr) 57 | [ "${actual}" = "amazing" ] 58 | } 59 | 60 | @test "injector/PodSecurityPolicy: annotations are added - object" { 61 | cd `chart_dir` 62 | local actual=$(helm template \ 63 | --show-only templates/injector-psp.yaml \ 64 | --set 'injector.enabled=true' \ 65 | --set 'global.psp.enable=true' \ 66 | --set 'global.psp.annotations.openbao-is=amazing' \ 67 | . | tee /dev/stderr | 68 | yq -r '.metadata.annotations["openbao-is"]' | tee /dev/stderr) 69 | [ "${actual}" = "amazing" ] 70 | } 71 | -------------------------------------------------------------------------------- /test/unit/injector-service.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "injector/Service: service enabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | --show-only templates/injector-service.yaml \ 9 | . | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "true" ] 12 | 13 | local actual=$(helm template \ 14 | --show-only templates/injector-service.yaml \ 15 | --set 'injector.enabled=true' \ 16 | . | tee /dev/stderr | 17 | yq 'length > 0' | tee /dev/stderr) 18 | [ "${actual}" = "true" ] 19 | } 20 | 21 | @test "injector/Service: namespace" { 22 | cd `chart_dir` 23 | local actual=$(helm template \ 24 | --show-only templates/injector-service.yaml \ 25 | --namespace foo \ 26 | . 
| tee /dev/stderr | 27 | yq -r '.metadata.namespace' | tee /dev/stderr) 28 | [ "${actual}" = "foo" ] 29 | local actual=$(helm template \ 30 | --show-only templates/injector-service.yaml \ 31 | --set 'global.namespace=bar' \ 32 | --namespace foo \ 33 | . | tee /dev/stderr | 34 | yq -r '.metadata.namespace' | tee /dev/stderr) 35 | [ "${actual}" = "bar" ] 36 | } 37 | 38 | @test "injector/Service: service with default port" { 39 | cd `chart_dir` 40 | local actual=$(helm template \ 41 | --show-only templates/injector-service.yaml \ 42 | . | tee /dev/stderr | 43 | yq -r '.spec.ports[0].targetPort' | tee /dev/stderr) 44 | [ "${actual}" = "8080" ] 45 | } 46 | 47 | @test "injector/Service: service with custom port" { 48 | cd `chart_dir` 49 | local actual=$(helm template \ 50 | --show-only templates/injector-service.yaml \ 51 | --set 'injector.port=8443' \ 52 | . | tee /dev/stderr | 53 | yq -r '.spec.ports[0].targetPort' | tee /dev/stderr) 54 | [ "${actual}" = "8443" ] 55 | } 56 | 57 | @test "injector/Service: disable with global.enabled false" { 58 | cd `chart_dir` 59 | local actual=$( (helm template \ 60 | --show-only templates/injector-service.yaml \ 61 | --set 'global.enabled=false' \ 62 | . || echo "---") | tee /dev/stderr | 63 | yq 'length > 0' | tee /dev/stderr) 64 | [ "${actual}" = "false" ] 65 | 66 | local actual=$( (helm template \ 67 | --show-only templates/injector-service.yaml \ 68 | --set 'global.enabled=false' \ 69 | --set 'injector.enabled=true' \ 70 | . || echo "---") | tee /dev/stderr | 71 | yq 'length > 0' | tee /dev/stderr) 72 | [ "${actual}" = "true" ] 73 | } 74 | 75 | @test "injector/Service: generic annotations" { 76 | cd `chart_dir` 77 | local actual=$(helm template \ 78 | --show-only templates/injector-service.yaml \ 79 | --set 'injector.service.annotations=openBaoIsAwesome: true' \ 80 | . 
| tee /dev/stderr | 81 | yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr) 82 | [ "${actual}" = "true" ] 83 | } 84 | -------------------------------------------------------------------------------- /test/unit/injector-serviceaccount.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "injector/ServiceAccount: enabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | --show-only templates/injector-serviceaccount.yaml \ 9 | . | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "true" ] 12 | } 13 | 14 | @test "injector/ServiceAccount: disable with global.enabled" { 15 | cd `chart_dir` 16 | local actual=$( (helm template \ 17 | --show-only templates/injector-serviceaccount.yaml \ 18 | --set 'global.enabled=false' \ 19 | . || echo "---") | tee /dev/stderr | 20 | yq 'length > 0' | tee /dev/stderr) 21 | [ "${actual}" = "false" ] 22 | } 23 | 24 | @test "injector/ServiceAccount: namespace" { 25 | cd `chart_dir` 26 | local actual=$(helm template \ 27 | --show-only templates/injector-serviceaccount.yaml \ 28 | --namespace foo \ 29 | . | tee /dev/stderr | 30 | yq -r '.metadata.namespace' | tee /dev/stderr) 31 | [ "${actual}" = "foo" ] 32 | local actual=$(helm template \ 33 | --show-only templates/injector-serviceaccount.yaml \ 34 | --set 'global.namespace=bar' \ 35 | --namespace foo \ 36 | . | tee /dev/stderr | 37 | yq -r '.metadata.namespace' | tee /dev/stderr) 38 | [ "${actual}" = "bar" ] 39 | } 40 | 41 | @test "injector/ServiceAccount: generic annotations" { 42 | cd `chart_dir` 43 | local actual=$(helm template \ 44 | --show-only templates/injector-serviceaccount.yaml \ 45 | --set 'injector.serviceAccount.annotations=openBaoIsAwesome: true' \ 46 | . 
| tee /dev/stderr | 47 | yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr) 48 | [ "${actual}" = "true" ] 49 | } 50 | -------------------------------------------------------------------------------- /test/unit/prometheus-prometheusrules.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "prometheus/PrometheusRules-server: assertDisabled by default" { 6 | cd `chart_dir` 7 | local actual=$( (helm template \ 8 | --show-only templates/prometheus-prometheusrules.yaml \ 9 | --set 'serverTelemetry.prometheusRules.rules[0].foo=bar' \ 10 | . || echo "---") | tee /dev/stderr | 11 | yq 'length > 0' | tee /dev/stderr) 12 | [ "${actual}" = "false" ] 13 | } 14 | 15 | @test "prometheus/PrometheusRules-server: assertDisabled with rules-defined=false" { 16 | cd `chart_dir` 17 | local actual=$( (helm template \ 18 | --show-only templates/prometheus-prometheusrules.yaml \ 19 | --set 'serverTelemetry.prometheusRules.enabled=true' \ 20 | . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) 21 | [ "${actual}" = "false" ] 22 | } 23 | 24 | @test "prometheus/PrometheusRules-server: assertEnabled with rules-defined=true" { 25 | cd `chart_dir` 26 | local output=$( (helm template \ 27 | --show-only templates/prometheus-prometheusrules.yaml \ 28 | --set 'serverTelemetry.prometheusRules.enabled=true' \ 29 | --set 'serverTelemetry.prometheusRules.rules[0].foo=bar' \ 30 | --set 'serverTelemetry.prometheusRules.rules[1].baz=qux' \ 31 | .) 
| tee /dev/stderr ) 32 | 33 | [ "$(echo "$output" | yq -r '.spec.groups | length')" = "1" ] 34 | [ "$(echo "$output" | yq -r '.spec.groups[0] | length')" = "2" ] 35 | [ "$(echo "$output" | yq -r '.spec.groups[0].name')" = "release-name-openbao" ] 36 | [ "$(echo "$output" | yq -r '.spec.groups[0].rules | length')" = "2" ] 37 | [ "$(echo "$output" | yq -r '.spec.groups[0].rules[0].foo')" = "bar" ] 38 | [ "$(echo "$output" | yq -r '.spec.groups[0].rules[1].baz')" = "qux" ] 39 | } 40 | 41 | @test "prometheus/PrometheusRules-server: assertSelectors default" { 42 | cd `chart_dir` 43 | local output=$( (helm template \ 44 | --show-only templates/prometheus-prometheusrules.yaml \ 45 | --set 'serverTelemetry.prometheusRules.enabled=true' \ 46 | --set 'serverTelemetry.prometheusRules.rules[0].foo=bar' \ 47 | . ) | tee /dev/stderr) 48 | 49 | [ "$(echo "$output" | yq -r '.metadata.labels | length')" = "5" ] 50 | [ "$(echo "$output" | yq -r '.metadata.labels.release')" = "prometheus" ] 51 | } 52 | 53 | @test "prometheus/PrometheusRules-server: assertSelectors overrides" { 54 | cd `chart_dir` 55 | local output=$( (helm template \ 56 | --show-only templates/prometheus-prometheusrules.yaml \ 57 | --set 'serverTelemetry.prometheusRules.enabled=true' \ 58 | --set 'serverTelemetry.prometheusRules.rules[0].foo=bar' \ 59 | --set 'serverTelemetry.prometheusRules.selectors.baz=qux' \ 60 | --set 'serverTelemetry.prometheusRules.selectors.bar=foo' \ 61 | . 
) | tee /dev/stderr) 62 | 63 | [ "$(echo "$output" | yq -r '.metadata.labels | length')" = "6" ] 64 | [ "$(echo "$output" | yq -r '.metadata.labels | has("app")')" = "false" ] 65 | [ "$(echo "$output" | yq -r '.metadata.labels | has("kube-prometheus-stack")')" = "false" ] 66 | [ "$(echo "$output" | yq -r '.metadata.labels.baz')" = "qux" ] 67 | [ "$(echo "$output" | yq -r '.metadata.labels.bar')" = "foo" ] 68 | } 69 | -------------------------------------------------------------------------------- /test/unit/prometheus-servicemonitor.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "prometheus/ServiceMonitor-server: assertDisabled by default" { 6 | cd `chart_dir` 7 | local actual=$( (helm template \ 8 | --show-only templates/prometheus-servicemonitor.yaml \ 9 | . || echo "---") | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | } 13 | 14 | @test "prometheus/ServiceMonitor-server: assertEnabled global" { 15 | cd `chart_dir` 16 | local actual=$( (helm template \ 17 | --show-only templates/prometheus-servicemonitor.yaml \ 18 | --set 'serverTelemetry.serviceMonitor.enabled=false' \ 19 | --set 'global.serverTelemetry.prometheusOperator=true' \ 20 | . || echo "---") | tee /dev/stderr | 21 | yq 'length > 0' | tee /dev/stderr) 22 | [ "${actual}" = "true" ] 23 | } 24 | 25 | @test "prometheus/ServiceMonitor-server: assertEnabled" { 26 | cd `chart_dir` 27 | local actual=$( (helm template \ 28 | --show-only templates/prometheus-servicemonitor.yaml \ 29 | --set 'serverTelemetry.serviceMonitor.enabled=true' \ 30 | . 
|| echo "---") | tee /dev/stderr | 31 | yq 'length > 0' | tee /dev/stderr) 32 | [ "${actual}" = "true" ] 33 | } 34 | 35 | @test "prometheus/ServiceMonitor-server: assertScrapeTimeout default" { 36 | cd `chart_dir` 37 | local actual=$( (helm template \ 38 | --show-only templates/prometheus-servicemonitor.yaml \ 39 | --set 'serverTelemetry.serviceMonitor.enabled=true' \ 40 | .) | tee /dev/stderr | 41 | yq -r '.spec.endpoints[0].scrapeTimeout' | tee /dev/stderr) 42 | [ "${actual}" = "10s" ] 43 | } 44 | 45 | @test "prometheus/ServiceMonitor-server: assertScrapeTimeout update" { 46 | cd `chart_dir` 47 | local actual=$( (helm template \ 48 | --show-only templates/prometheus-servicemonitor.yaml \ 49 | --set 'serverTelemetry.serviceMonitor.enabled=true' \ 50 | --set 'serverTelemetry.serviceMonitor.scrapeTimeout=60s' \ 51 | .) | tee /dev/stderr | 52 | yq -r '.spec.endpoints[0].scrapeTimeout' | tee /dev/stderr) 53 | [ "${actual}" = "60s" ] 54 | } 55 | 56 | @test "prometheus/ServiceMonitor-server: assertInterval default" { 57 | cd `chart_dir` 58 | local actual=$( (helm template \ 59 | --show-only templates/prometheus-servicemonitor.yaml \ 60 | --set 'serverTelemetry.serviceMonitor.enabled=true' \ 61 | .) | tee /dev/stderr | 62 | yq -r '.spec.endpoints[0].interval' | tee /dev/stderr) 63 | [ "${actual}" = "30s" ] 64 | } 65 | 66 | @test "prometheus/ServiceMonitor-server: assertInterval update" { 67 | cd `chart_dir` 68 | local output=$( (helm template \ 69 | --show-only templates/prometheus-servicemonitor.yaml \ 70 | --set 'serverTelemetry.serviceMonitor.enabled=true' \ 71 | --set 'serverTelemetry.serviceMonitor.interval=60s' \ 72 | .) 
| tee /dev/stderr) 73 | 74 | [ "$(echo "$output" | yq -r '.spec.endpoints[0].interval')" = "60s" ] 75 | } 76 | 77 | @test "prometheus/ServiceMonitor-server: assertSelectors default" { 78 | cd `chart_dir` 79 | local output=$( (helm template \ 80 | --show-only templates/prometheus-servicemonitor.yaml \ 81 | --set 'serverTelemetry.serviceMonitor.enabled=true' \ 82 | .) | tee /dev/stderr) 83 | 84 | [ "$(echo "$output" | yq -r '.metadata.labels | length')" = "5" ] 85 | [ "$(echo "$output" | yq -r '.metadata.labels.release')" = "prometheus" ] 86 | } 87 | 88 | @test "prometheus/ServiceMonitor-server: assertSelectors override" { 89 | cd `chart_dir` 90 | local output=$( (helm template \ 91 | --show-only templates/prometheus-servicemonitor.yaml \ 92 | --set 'serverTelemetry.serviceMonitor.enabled=true' \ 93 | --set 'serverTelemetry.serviceMonitor.selectors.baz=qux' \ 94 | --set 'serverTelemetry.serviceMonitor.selectors.bar=foo' \ 95 | .) | tee /dev/stderr) 96 | 97 | [ "$(echo "$output" | yq -r '.metadata.labels | length')" = "6" ] 98 | [ "$(echo "$output" | yq -r '.metadata.labels | has("app")')" = "false" ] 99 | [ "$(echo "$output" | yq -r '.metadata.labels.baz')" = "qux" ] 100 | [ "$(echo "$output" | yq -r '.metadata.labels.bar')" = "foo" ] 101 | } 102 | 103 | @test "prometheus/ServiceMonitor-server: assertEndpoints noTLS" { 104 | cd `chart_dir` 105 | local output=$( (helm template \ 106 | --show-only templates/prometheus-servicemonitor.yaml \ 107 | --set 'global.tlsDisable=true' \ 108 | --set 'serverTelemetry.serviceMonitor.enabled=true' \ 109 | .) 
| tee /dev/stderr)

  [ "$(echo "$output" | yq -r '.spec.endpoints | length')" = "1" ]
  [ "$(echo "$output" | yq -r '.spec.endpoints[0].port')" = "http" ]
}

# With global.tlsDisable=false the single scrape endpoint targets the https port.
@test "prometheus/ServiceMonitor-server: assertEndpoints TLS" {
  cd `chart_dir`
  local output=$( (helm template \
    --show-only templates/prometheus-servicemonitor.yaml \
    --set 'global.tlsDisable=false' \
    --set 'serverTelemetry.serviceMonitor.enabled=true' \
    .) | tee /dev/stderr)

  [ "$(echo "$output" | yq -r '.spec.endpoints | length')" = "1" ]
  [ "$(echo "$output" | yq -r '.spec.endpoints[0].port')" = "https" ]
}

# NOTE(review): with no tlsConfig supplied, the rendered ServiceMonitor carries
# insecureSkipVerify: true, i.e. Prometheus scrapes OpenBao metrics over TLS
# without verifying the server certificate. This test pins that permissive
# default; production deployments should set
# serverTelemetry.serviceMonitor.tlsConfig (a CA, as in the override test
# below) rather than rely on it.
@test "prometheus/ServiceMonitor-server: tlsConfig default" {
  cd `chart_dir`
  local output=$( (helm template \
    --show-only templates/prometheus-servicemonitor.yaml \
    --set 'serverTelemetry.serviceMonitor.enabled=true' \
    .) | tee /dev/stderr)

  [ "$(echo "$output" | yq -r '.spec.endpoints[0].tlsConfig.insecureSkipVerify')" = "true" ]
}

# Only the pass-through of the ca key is asserted here; whether
# insecureSkipVerify is dropped once a tlsConfig is supplied is not covered by
# this test.
@test "prometheus/ServiceMonitor-server: tlsConfig override" {
  cd `chart_dir`
  local output=$( (helm template \
    --show-only templates/prometheus-servicemonitor.yaml \
    --set 'serverTelemetry.serviceMonitor.tlsConfig.ca=ca.crt' \
    --set 'serverTelemetry.serviceMonitor.enabled=true' \
    .) | tee /dev/stderr)

  [ "$(echo "$output" | yq -r '.spec.endpoints[0].tlsConfig.ca')" = "ca.crt" ]
}

@test "prometheus/ServiceMonitor-server: authorization default" {
  cd `chart_dir`
  local output=$( (helm template \
    --show-only templates/prometheus-servicemonitor.yaml \
    --set 'serverTelemetry.serviceMonitor.enabled=true' \
    .)
| tee /dev/stderr)

  # NOTE(review): this only checks for the legacy bearerTokenFile key. The
  # configured form (see "authorization set") is .authorization, so an endpoint
  # that rendered a default authorization block would still pass here;
  # consider also asserting that has("authorization") is false.
  [ "$(echo "$output" | yq -r '.spec.endpoints[0] | has("bearerTokenFile")')" = "false" ]
}

# Checks that the Secret reference (name/key) for scrape credentials is passed
# through into the endpoint's authorization block; nothing about the Secret
# itself is verified here.
@test "prometheus/ServiceMonitor-server: authorization set" {
  cd `chart_dir`
  local output=$( (helm template \
    --show-only templates/prometheus-servicemonitor.yaml \
    --set 'serverTelemetry.serviceMonitor.enabled=true' \
    --set 'serverTelemetry.serviceMonitor.authorization.credentials.key=secretkey' \
    --set 'serverTelemetry.serviceMonitor.authorization.credentials.name=secretname' \
    .) | tee /dev/stderr)

  [ "$(echo "$output" | yq -r '.spec.endpoints[0].authorization.credentials.key')" = "secretkey" ]
  [ "$(echo "$output" | yq -r '.spec.endpoints[0].authorization.credentials.name')" = "secretname" ]
}

@test "prometheus/ServiceMonitor-server: scrapeClass set" {
  cd `chart_dir`
  local output=$( (helm template \
    --show-only templates/prometheus-servicemonitor.yaml \
    --set 'serverTelemetry.serviceMonitor.enabled=true' \
    --set 'serverTelemetry.serviceMonitor.scrapeClass=foo' \
    .) | tee /dev/stderr)

  [ "$(echo "$output" | yq -r '.spec.scrapeClass')" = "foo" ]
}

--------------------------------------------------------------------------------
/test/unit/schema.bats:
--------------------------------------------------------------------------------
#!/usr/bin/env bats

load _helpers

# These tests are just to verify there is a schema file used in the chart. The
# schema declares each top-level .enabled as boolean-or-string (that is what the
# expected error text says), and `--set csi.enabled="123"` reaches Helm as the
# integer 123, so 'helm template' fails schema validation before rendering.
# NOTE(review): matching lines[2] verbatim couples these tests to the exact
# wording and line layout of Helm's schema error output.
@test "schema: csi enabled datatype" {
  cd `chart_dir`
  run helm template . --set csi.enabled="123"
  [ "$status" -eq 1 ]
  [ "${lines[2]}" = "- csi.enabled: Invalid type. Expected: [boolean,string], given: integer" ]

  run helm template .
--set csi.enabled=true 15 | [ "$status" -eq 0 ] 16 | } 17 | 18 | @test "schema: injector enabled datatype" { 19 | cd `chart_dir` 20 | run helm template . --set injector.enabled="123" 21 | [ "$status" -eq 1 ] 22 | [ "${lines[2]}" = "- injector.enabled: Invalid type. Expected: [boolean,string], given: integer" ] 23 | 24 | run helm template . --set injector.enabled=true 25 | [ "$status" -eq 0 ] 26 | } 27 | 28 | @test "schema: server enabled datatype" { 29 | cd `chart_dir` 30 | run helm template . --set server.enabled="123" 31 | [ "$status" -eq 1 ] 32 | [ "${lines[2]}" = "- server.enabled: Invalid type. Expected: [boolean,string], given: integer" ] 33 | 34 | run helm template . --set server.enabled=true 35 | [ "$status" -eq 0 ] 36 | } 37 | 38 | @test "schema: ui enabled datatype" { 39 | cd `chart_dir` 40 | run helm template . --set ui.enabled="123" 41 | [ "$status" -eq 1 ] 42 | [ "${lines[2]}" = "- ui.enabled: Invalid type. Expected: [boolean,string], given: integer" ] 43 | 44 | run helm template . --set ui.enabled=true 45 | [ "$status" -eq 0 ] 46 | } 47 | -------------------------------------------------------------------------------- /test/unit/server-clusterrolebinding.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "server/ClusterRoleBinding: enabled by default" { 6 | cd `chart_dir` 7 | local actual=$( (helm template \ 8 | --show-only templates/server-clusterrolebinding.yaml \ 9 | --set 'server.dev.enabled=true' \ 10 | . || echo "---") | tee /dev/stderr | 11 | yq 'length > 0' | tee /dev/stderr) 12 | [ "${actual}" = "true" ] 13 | 14 | local actual=$( (helm template \ 15 | --show-only templates/server-clusterrolebinding.yaml \ 16 | --set 'server.ha.enabled=true' \ 17 | . 
|| echo "---") | tee /dev/stderr |
    yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "true" ]

  # Rendered with no mode selected at all, i.e. the default values.
  local actual=$( (helm template \
    --show-only templates/server-clusterrolebinding.yaml \
    . || echo "---") | tee /dev/stderr |
    yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "true" ]
}

@test "server/ClusterRoleBinding: disable with global.enabled" {
  cd `chart_dir`
  local actual=$( (helm template \
    --show-only templates/server-clusterrolebinding.yaml \
    --set 'global.enabled=false' \
    . || echo "---") | tee /dev/stderr |
    yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "false" ]
}

# This is a cluster-scoped binding that the chart renders by default in every
# server mode (standalone, ha, dev); server.authDelegator.enabled=false is the
# switch exercised here for turning it off. NOTE(review): which ClusterRole it
# binds is not visible from this test — presumably the auth-delegator role the
# Kubernetes auth method needs; confirm against
# templates/server-clusterrolebinding.yaml before disabling it in a deployment.
@test "server/ClusterRoleBinding: can disable with server.authDelegator" {
  cd `chart_dir`
  local actual=$( (helm template \
    --show-only templates/server-clusterrolebinding.yaml \
    --set 'server.authDelegator.enabled=false' \
    . || echo "---") | tee /dev/stderr |
    yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "false" ]

  local actual=$( (helm template \
    --show-only templates/server-clusterrolebinding.yaml \
    --set 'server.authDelegator.enabled=false' \
    --set 'server.ha.enabled=true' \
    . || echo "---") | tee /dev/stderr |
    yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "false" ]

  local actual=$( (helm template \
    --show-only templates/server-clusterrolebinding.yaml \
    --set 'server.authDelegator.enabled=false' \
    --set 'server.dev.enabled=true' \
    . || echo "---") | tee /dev/stderr |
    yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "false" ]
}

# Least-privilege note: pointing the injector at an external OpenBao and
# disabling the in-cluster server does NOT drop this cluster-scoped grant — the
# binding is still rendered, as asserted below.
@test "server/ClusterRoleBinding: also deploy with injector.externalVaultAddr" {
  cd `chart_dir`
  local actual=$( (helm template \
    --show-only templates/server-clusterrolebinding.yaml \
    --set 'server.enabled=false' \
    --set 'injector.externalVaultAddr=http://openbao-outside' \
    .
|| echo "---") | tee /dev/stderr | 71 | yq 'length > 0' | tee /dev/stderr) 72 | [ "${actual}" = "true" ] 73 | } 74 | 75 | @test "server/ClusterRoleBinding: service account namespace" { 76 | cd `chart_dir` 77 | local actual=$(helm template \ 78 | --show-only templates/server-clusterrolebinding.yaml \ 79 | --namespace foo \ 80 | . | tee /dev/stderr | 81 | yq -r '.subjects[0].namespace' | tee /dev/stderr) 82 | [ "${actual}" = "foo" ] 83 | local actual=$(helm template \ 84 | --show-only templates/server-clusterrolebinding.yaml \ 85 | --set 'global.namespace=bar' \ 86 | --namespace foo \ 87 | . | tee /dev/stderr | 88 | yq -r '.subjects[0].namespace' | tee /dev/stderr) 89 | [ "${actual}" = "bar" ] 90 | } 91 | -------------------------------------------------------------------------------- /test/unit/server-configmap.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "server/ConfigMap: enabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | --show-only templates/server-config-configmap.yaml \ 9 | . | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "true" ] 12 | 13 | local actual=$(helm template \ 14 | --show-only templates/server-config-configmap.yaml \ 15 | --set 'server.ha.enabled=true' \ 16 | . | tee /dev/stderr | 17 | yq 'length > 0' | tee /dev/stderr) 18 | [ "${actual}" = "true" ] 19 | 20 | local actual=$(helm template \ 21 | --show-only templates/server-config-configmap.yaml \ 22 | --set 'server.ha.enabled=true' \ 23 | --set 'server.ha.raft.enabled=true' \ 24 | . | tee /dev/stderr | 25 | yq 'length > 0' | tee /dev/stderr) 26 | [ "${actual}" = "true" ] 27 | 28 | local actual=$(helm template \ 29 | --show-only templates/server-config-configmap.yaml \ 30 | --set 'server.standalone.enabled=true' \ 31 | . 
| tee /dev/stderr | 32 | yq 'length > 0' | tee /dev/stderr) 33 | [ "${actual}" = "true" ] 34 | } 35 | 36 | @test "server/ConfigMap: raft config disabled by default" { 37 | cd `chart_dir` 38 | local actual=$(helm template \ 39 | --show-only templates/server-config-configmap.yaml \ 40 | --set 'server.ha.enabled=true' \ 41 | . | tee /dev/stderr | 42 | grep "raft" | yq 'length > 0' | tee /dev/stderr) 43 | [ "${actual}" != "true" ] 44 | } 45 | 46 | @test "server/ConfigMap: raft config can be enabled" { 47 | cd `chart_dir` 48 | local actual=$(helm template \ 49 | --show-only templates/server-config-configmap.yaml \ 50 | --set 'server.ha.enabled=true' \ 51 | --set 'server.ha.raft.enabled=true' \ 52 | . | tee /dev/stderr | 53 | grep "raft" | yq 'length > 0' | tee /dev/stderr) 54 | [ "${actual}" = "true" ] 55 | } 56 | 57 | 58 | @test "server/ConfigMap: disabled by server.dev.enabled true" { 59 | cd `chart_dir` 60 | local actual=$( (helm template \ 61 | --show-only templates/server-config-configmap.yaml \ 62 | --set 'server.dev.enabled=true' \ 63 | . || echo "---") | tee /dev/stderr | 64 | yq 'length > 0' | tee /dev/stderr) 65 | [ "${actual}" = "false" ] 66 | } 67 | 68 | @test "server/ConfigMap: disable with global.enabled" { 69 | cd `chart_dir` 70 | local actual=$( (helm template \ 71 | --show-only templates/server-config-configmap.yaml \ 72 | --set 'global.enabled=false' \ 73 | . || echo "---") | tee /dev/stderr | 74 | yq 'length > 0' | tee /dev/stderr) 75 | [ "${actual}" = "false" ] 76 | } 77 | 78 | @test "server/ConfigMap: namespace" { 79 | cd `chart_dir` 80 | local actual=$(helm template \ 81 | --show-only templates/server-config-configmap.yaml \ 82 | --namespace foo \ 83 | . | tee /dev/stderr | 84 | yq -r '.metadata.namespace' | tee /dev/stderr) 85 | [ "${actual}" = "foo" ] 86 | local actual=$(helm template \ 87 | --show-only templates/server-config-configmap.yaml \ 88 | --set 'global.namespace=bar' \ 89 | --namespace foo \ 90 | . 
| tee /dev/stderr | 91 | yq -r '.metadata.namespace' | tee /dev/stderr) 92 | [ "${actual}" = "bar" ] 93 | } 94 | 95 | @test "server/ConfigMap: standalone extraConfig is set" { 96 | cd `chart_dir` 97 | local actual=$(helm template \ 98 | --show-only templates/server-config-configmap.yaml \ 99 | --set 'server.standalone.enabled=true' \ 100 | --set 'server.standalone.config="{\"hello\": \"world\"}"' \ 101 | . | tee /dev/stderr | 102 | yq '.data["extraconfig-from-values.hcl"] | match("world") | length' | tee /dev/stderr) 103 | [ ! -z "${actual}" ] 104 | 105 | local actual=$(helm template \ 106 | --show-only templates/server-config-configmap.yaml \ 107 | --set 'server.standalone.enabled=true' \ 108 | --set 'server.standalone.config="{\"foo\": \"bar\"}"' \ 109 | . | tee /dev/stderr | 110 | yq '.data["extraconfig-from-values.hcl"] | match("bar") | length' | tee /dev/stderr) 111 | [ ! -z "${actual}" ] 112 | } 113 | 114 | @test "server/ConfigMap: ha extraConfig is set" { 115 | cd `chart_dir` 116 | local actual=$(helm template \ 117 | --show-only templates/server-config-configmap.yaml \ 118 | --set 'server.ha.enabled=true' \ 119 | --set 'server.ha.config="{\"hello\": \"world\"}"' \ 120 | . | tee /dev/stderr | 121 | yq '.data["extraconfig-from-values.hcl"] | match("world") | length' | tee /dev/stderr) 122 | [ ! -z "${actual}" ] 123 | 124 | local actual=$(helm template \ 125 | --show-only templates/server-config-configmap.yaml \ 126 | --set 'server.ha.enabled=true' \ 127 | --set 'server.ha.config="{\"foo\": \"bar\"}"' \ 128 | . | tee /dev/stderr | 129 | yq '.data["extraconfig-from-values.hcl"] | match("bar") | length' | tee /dev/stderr) 130 | [ ! -z "${actual}" ] 131 | } 132 | 133 | @test "server/ConfigMap: disabled by injector.externalVaultAddr" { 134 | cd `chart_dir` 135 | local actual=$( (helm template \ 136 | --show-only templates/server-config-configmap.yaml \ 137 | --set 'injector.externalVaultAddr=http://openbao-outside' \ 138 | . 
|| echo "---") | tee /dev/stderr | 139 | yq 'length > 0' | tee /dev/stderr) 140 | [ "${actual}" = "false" ] 141 | } 142 | 143 | @test "server/ConfigMap: config checksum annotation defaults to off" { 144 | cd `chart_dir` 145 | local actual=$(helm template \ 146 | --show-only templates/server-config-configmap.yaml \ 147 | . | tee /dev/stderr | 148 | yq '.metadata.annotations["vault.hashicorp.com/config-checksum"] == null' | tee /dev/stderr) 149 | [ "${actual}" = "true" ] 150 | } 151 | 152 | @test "server/ConfigMap: config checksum annotation can be enabled" { 153 | cd `chart_dir` 154 | local actual=$(helm template \ 155 | --show-only templates/server-config-configmap.yaml \ 156 | --set 'server.configAnnotation=true' \ 157 | . | tee /dev/stderr | 158 | yq '.metadata.annotations["vault.hashicorp.com/config-checksum"] == null' | tee /dev/stderr) 159 | [ "${actual}" = "false" ] 160 | } 161 | -------------------------------------------------------------------------------- /test/unit/server-discovery-role.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "server/DiscoveryRole: enabled by default with ha" { 6 | cd `chart_dir` 7 | local actual=$( (helm template \ 8 | --show-only templates/server-discovery-role.yaml \ 9 | . || echo "---") | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | 13 | local actual=$( (helm template \ 14 | --show-only templates/server-discovery-role.yaml \ 15 | --set 'server.ha.enabled=true' \ 16 | . || echo "---") | tee /dev/stderr | 17 | yq 'length > 0' | tee /dev/stderr) 18 | [ "${actual}" = "true" ] 19 | } 20 | 21 | @test "server/DiscoveryRole: can disable with server.enabled false" { 22 | cd `chart_dir` 23 | local actual=$( (helm template \ 24 | --show-only templates/server-discovery-role.yaml \ 25 | --set 'server.enabled=false' \ 26 | --set 'server.ha.enabled=true' \ 27 | . 
|| echo "---") | tee /dev/stderr | 28 | yq 'length > 0' | tee /dev/stderr) 29 | [ "${actual}" = "false" ] 30 | } 31 | 32 | @test "server/DiscoveryRole: can disable with server.serviceAccount.serviceDiscovery.enabled false" { 33 | cd `chart_dir` 34 | local actual=$( (helm template \ 35 | --show-only templates/server-discovery-role.yaml \ 36 | --set 'server.ha.enabled=true' \ 37 | --set 'server.serviceAccount.serviceDiscovery.enabled=false' \ 38 | . || echo "---") | tee /dev/stderr | 39 | yq 'length > 0' | tee /dev/stderr) 40 | [ "${actual}" = "false" ] 41 | } 42 | 43 | @test "server/DiscoveryRole: namespace" { 44 | cd `chart_dir` 45 | local actual=$(helm template \ 46 | --show-only templates/server-discovery-role.yaml \ 47 | --set 'server.ha.enabled=true' \ 48 | --namespace foo \ 49 | . | tee /dev/stderr | 50 | yq -r '.metadata.namespace' | tee /dev/stderr) 51 | [ "${actual}" = "foo" ] 52 | local actual=$(helm template \ 53 | --show-only templates/server-discovery-role.yaml \ 54 | --set 'server.ha.enabled=true' \ 55 | --set 'global.namespace=bar' \ 56 | --namespace foo \ 57 | . | tee /dev/stderr | 58 | yq -r '.metadata.namespace' | tee /dev/stderr) 59 | [ "${actual}" = "bar" ] 60 | } 61 | -------------------------------------------------------------------------------- /test/unit/server-discovery-rolebinding.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "server/DiscoveryRoleBinding: enabled by default with ha" { 6 | cd `chart_dir` 7 | local actual=$( (helm template \ 8 | --show-only templates/server-discovery-rolebinding.yaml \ 9 | . || echo "---") | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | 13 | local actual=$( (helm template \ 14 | --show-only templates/server-discovery-rolebinding.yaml \ 15 | --set 'server.ha.enabled=true' \ 16 | . 
|| echo "---") | tee /dev/stderr | 17 | yq 'length > 0' | tee /dev/stderr) 18 | [ "${actual}" = "true" ] 19 | } 20 | 21 | @test "server/DiscoveryRoleBinding: can disable with server.enabled false" { 22 | cd `chart_dir` 23 | local actual=$( (helm template \ 24 | --show-only templates/server-discovery-rolebinding.yaml \ 25 | --set 'server.enabled=false' \ 26 | --set 'server.ha.enabled=true' \ 27 | . || echo "---") | tee /dev/stderr | 28 | yq 'length > 0' | tee /dev/stderr) 29 | [ "${actual}" = "false" ] 30 | } 31 | 32 | @test "server/DiscoveryRoleBinding: can disable with server.serviceAccount.serviceDiscovery.enabled false" { 33 | cd `chart_dir` 34 | local actual=$( (helm template \ 35 | --show-only templates/server-discovery-rolebinding.yaml \ 36 | --set 'server.ha.enabled=true' \ 37 | --set 'server.serviceAccount.serviceDiscovery.enabled=false' \ 38 | . || echo "---") | tee /dev/stderr | 39 | yq 'length > 0' | tee /dev/stderr) 40 | [ "${actual}" = "false" ] 41 | } 42 | 43 | @test "server/DiscoveryRoleBinding: namespace" { 44 | cd `chart_dir` 45 | local actual=$(helm template \ 46 | --show-only templates/server-discovery-rolebinding.yaml \ 47 | --set 'server.ha.enabled=true' \ 48 | --namespace foo \ 49 | . | tee /dev/stderr | 50 | yq -r '.metadata.namespace' | tee /dev/stderr) 51 | [ "${actual}" = "foo" ] 52 | local actual=$(helm template \ 53 | --show-only templates/server-discovery-rolebinding.yaml \ 54 | --set 'server.ha.enabled=true' \ 55 | --set 'global.namespace=bar' \ 56 | --namespace foo \ 57 | . 
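| tee /dev/stderr |
    yq -r '.metadata.namespace' | tee /dev/stderr)
  [ "${actual}" = "bar" ]
}

--------------------------------------------------------------------------------
/test/unit/server-ha-disruptionbudget.bats:
--------------------------------------------------------------------------------
#!/usr/bin/env bats

load _helpers

# The PodDisruptionBudget only exists in HA mode, so every test that expects it
# to render has to turn server.ha.enabled on.
@test "server/DisruptionBudget: enabled by default" {
  cd `chart_dir`
  local actual=$(helm template \
    --show-only templates/server-disruptionbudget.yaml \
    --set 'server.ha.enabled=true' \
    . | tee /dev/stderr |
    yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "true" ]
}

# Sets what the name says: the in-cluster server is switched off while HA stays
# on, the same combination the DiscoveryRole/DiscoveryRoleBinding tests use.
# (The earlier version set global.enabled=false and server.ha.enabled=false,
# which duplicated the global.enabled case below and never exercised
# server.enabled at all.)
@test "server/DisruptionBudget: disable with server.enabled" {
  cd `chart_dir`
  local actual=$( (helm template \
    --show-only templates/server-disruptionbudget.yaml \
    --set 'server.enabled=false' \
    --set 'server.ha.enabled=true' \
    . || echo "---") | tee /dev/stderr |
    yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "false" ]
}

# HA is enabled explicitly so that the only reason for an empty render is the
# disruptionBudget.enabled switch; without it this test would pass vacuously
# (no HA, no budget) even if the template ignored the switch.
@test "server/DisruptionBudget: disable with server.disruptionBudget.enabled" {
  cd `chart_dir`
  local actual=$( (helm template \
    --show-only templates/server-disruptionbudget.yaml \
    --set 'server.ha.enabled=true' \
    --set 'server.ha.disruptionBudget.enabled=false' \
    . || echo "---") | tee /dev/stderr |
    yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "false" ]
}

@test "server/DisruptionBudget: disable with global.enabled" {
  cd `chart_dir`
  local actual=$( (helm template \
    --show-only templates/server-disruptionbudget.yaml \
    --set 'global.enabled=false' \
    .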
|| echo "---") | tee /dev/stderr | 42 | yq 'length > 0' | tee /dev/stderr) 43 | [ "${actual}" = "false" ] 44 | } 45 | 46 | @test "server/DisruptionBudget: disable with injector.exernalVaultAddr" { 47 | cd `chart_dir` 48 | local actual=$( (helm template \ 49 | --show-only templates/server-disruptionbudget.yaml \ 50 | --set 'injector.externalVaultAddr=http://openbao-outside' \ 51 | . || echo "---") | tee /dev/stderr | 52 | yq 'length > 0' | tee /dev/stderr) 53 | [ "${actual}" = "false" ] 54 | } 55 | 56 | @test "server/DisruptionBudget: namespace" { 57 | cd `chart_dir` 58 | local actual=$(helm template \ 59 | --show-only templates/server-disruptionbudget.yaml \ 60 | --set 'server.ha.enabled=true' \ 61 | --namespace foo \ 62 | . | tee /dev/stderr | 63 | yq -r '.metadata.namespace' | tee /dev/stderr) 64 | [ "${actual}" = "foo" ] 65 | local actual=$(helm template \ 66 | --show-only templates/server-disruptionbudget.yaml \ 67 | --set 'server.ha.enabled=true' \ 68 | --set 'global.namespace=bar' \ 69 | --namespace foo \ 70 | . | tee /dev/stderr | 71 | yq -r '.metadata.namespace' | tee /dev/stderr) 72 | [ "${actual}" = "bar" ] 73 | } 74 | 75 | @test "server/DisruptionBudget: correct maxUnavailable with n=1" { 76 | cd `chart_dir` 77 | local actual=$(helm template \ 78 | --show-only templates/server-disruptionbudget.yaml \ 79 | --set 'server.ha.enabled=true' \ 80 | --set 'server.ha.replicas=1' \ 81 | . | tee /dev/stderr | 82 | yq '.spec.maxUnavailable' | tee /dev/stderr) 83 | [ "${actual}" = "0" ] 84 | } 85 | 86 | @test "server/DisruptionBudget: correct maxUnavailable with n=3" { 87 | cd `chart_dir` 88 | local actual=$(helm template \ 89 | --show-only templates/server-disruptionbudget.yaml \ 90 | --set 'server.ha.enabled=true' \ 91 | --set 'server.ha.replicas=3' \ 92 | . 
| tee /dev/stderr | 93 | yq '.spec.maxUnavailable' | tee /dev/stderr) 94 | [ "${actual}" = "1" ] 95 | } 96 | 97 | @test "server/DisruptionBudget: correct maxUnavailable with n=5" { 98 | cd `chart_dir` 99 | local actual=$(helm template \ 100 | --show-only templates/server-disruptionbudget.yaml \ 101 | --set 'server.ha.enabled=true' \ 102 | --set 'server.ha.replicas=5' \ 103 | . | tee /dev/stderr | 104 | yq '.spec.maxUnavailable' | tee /dev/stderr) 105 | [ "${actual}" = "2" ] 106 | } 107 | 108 | @test "server/DisruptionBudget: correct maxUnavailable with custom value" { 109 | cd `chart_dir` 110 | local actual=$(helm template \ 111 | --show-only templates/server-disruptionbudget.yaml \ 112 | --set 'server.ha.enabled=true' \ 113 | --set 'server.ha.replicas=3' \ 114 | --set 'server.ha.disruptionBudget.maxUnavailable=2' \ 115 | . | tee /dev/stderr | 116 | yq '.spec.maxUnavailable' | tee /dev/stderr) 117 | [ "${actual}" = "2" ] 118 | } 119 | -------------------------------------------------------------------------------- /test/unit/server-headless-service.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "server/headless-Service: publishNotReadyAddresses cannot be changed" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | --show-only templates/server-headless-service.yaml \ 9 | . | tee /dev/stderr | 10 | yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) 11 | [ "${actual}" = "true" ] 12 | 13 | local actual=$(helm template \ 14 | --show-only templates/server-headless-service.yaml \ 15 | --set 'server.service.publishNotReadyAddresses=false' \ 16 | . 
| tee /dev/stderr | 17 | yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) 18 | [ "${actual}" = "true" ] 19 | } 20 | 21 | @test "server/headless-Service: instance selector cannot be disabled" { 22 | cd `chart_dir` 23 | local actual=$(helm template \ 24 | --show-only templates/server-headless-service.yaml \ 25 | --set 'server.ha.enabled=true' \ 26 | . | tee /dev/stderr | 27 | yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) 28 | [ "${actual}" = "release-name" ] 29 | 30 | local actual=$(helm template \ 31 | --show-only templates/server-headless-service.yaml \ 32 | --set 'server.ha.enabled=true' \ 33 | --set 'server.service.instanceSelector.enabled=false' \ 34 | . | tee /dev/stderr | 35 | yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) 36 | [ "${actual}" = "release-name" ] 37 | } 38 | 39 | @test "server/headless-Service: namespace" { 40 | cd `chart_dir` 41 | local actual=$(helm template \ 42 | --show-only templates/server-headless-service.yaml \ 43 | --set 'server.ha.enabled=true' \ 44 | --namespace foo \ 45 | . | tee /dev/stderr | 46 | yq -r '.metadata.namespace' | tee /dev/stderr) 47 | [ "${actual}" = "foo" ] 48 | local actual=$(helm template \ 49 | --show-only templates/server-headless-service.yaml \ 50 | --set 'server.ha.enabled=true' \ 51 | --set 'global.namespace=bar' \ 52 | --namespace foo \ 53 | . | tee /dev/stderr | 54 | yq -r '.metadata.namespace' | tee /dev/stderr) 55 | [ "${actual}" = "bar" ] 56 | } 57 | 58 | @test "server/headless-Service: Assert ipFamilyPolicy set" { 59 | cd `chart_dir` 60 | local actual=$(helm template \ 61 | --show-only templates/server-headless-service.yaml \ 62 | --set 'server.service.ipFamilyPolicy=PreferDualStack' \ 63 | . 
| tee /dev/stderr | 64 | yq -r '.spec.ipFamilyPolicy' | tee /dev/stderr) 65 | [ "${actual}" = "PreferDualStack" ] 66 | } 67 | 68 | @test "server/headless-Service: Assert ipFamilies set" { 69 | cd `chart_dir` 70 | local actual=$(helm template \ 71 | --show-only templates/server-headless-service.yaml \ 72 | --set 'server.service.ipFamilies={IPv4,IPv6}' \ 73 | . | tee /dev/stderr | 74 | yq '.spec.ipFamilies' -c | tee /dev/stderr) 75 | [ "${actual}" = '["IPv4","IPv6"]' ] 76 | } 77 | -------------------------------------------------------------------------------- /test/unit/server-network-policy.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "server/network-policy: disabled by default" { 6 | cd `chart_dir` 7 | local actual=$( (helm template \ 8 | --show-only templates/server-network-policy.yaml \ 9 | . || echo "---") | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | } 13 | 14 | @test "server/network-policy: enabled by server.networkPolicy.enabled" { 15 | cd `chart_dir` 16 | local actual=$( (helm template \ 17 | --set 'server.networkPolicy.enabled=true' \ 18 | --show-only templates/server-network-policy.yaml \ 19 | . || echo "---") | tee /dev/stderr | 20 | yq 'length > 0' | tee /dev/stderr) 21 | [ "${actual}" = "true" ] 22 | } 23 | 24 | @test "server/network-policy: ingress changed by server.networkPolicy.ingress" { 25 | cd `chart_dir` 26 | local actual=$(helm template \ 27 | --set 'server.networkPolicy.enabled=true' \ 28 | --set 'server.networkPolicy.ingress[0].from[0].podSelector.matchLabels.foo=bar' \ 29 | --show-only templates/server-network-policy.yaml \ 30 | . 
| tee /dev/stderr | 31 | yq -r '.spec.ingress[0].from[0].podSelector.matchLabels.foo' | tee /dev/stderr) 32 | [ "${actual}" = "bar" ] 33 | } 34 | 35 | @test "server/network-policy: egress enabled by server.networkPolicy.egress" { 36 | cd `chart_dir` 37 | local actual=$(helm template \ 38 | --set 'server.networkPolicy.enabled=true' \ 39 | --set 'server.networkPolicy.egress[0].to[0].ipBlock.cidr=10.0.0.0/24' \ 40 | --set 'server.networkPolicy.egress[0].ports[0].protocol=TCP' \ 41 | --set 'server.networkPolicy.egress[0].ports[0].port=443' \ 42 | --show-only templates/server-network-policy.yaml \ 43 | . | tee /dev/stderr | 44 | yq -r '.spec.egress[0].to[0].ipBlock.cidr' | tee /dev/stderr) 45 | [ "${actual}" = "10.0.0.0/24" ] 46 | } 47 | -------------------------------------------------------------------------------- /test/unit/server-psp-role.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "server/PSP-Role: PSP-Role not enabled by default" { 6 | cd `chart_dir` 7 | local actual=$( (helm template \ 8 | --show-only templates/server-psp-role.yaml \ 9 | --set 'server.dev.enabled=true' \ 10 | . || echo "---") | tee /dev/stderr | 11 | yq 'length > 0' | tee /dev/stderr) 12 | [ "${actual}" = "false" ] 13 | 14 | local actual=$( (helm template \ 15 | --show-only templates/server-psp-role.yaml \ 16 | --set 'server.ha.enabled=true' \ 17 | . || echo "---") | tee /dev/stderr | 18 | yq 'length > 0' | tee /dev/stderr) 19 | [ "${actual}" = "false" ] 20 | 21 | local actual=$( (helm template \ 22 | --show-only templates/server-psp-role.yaml \ 23 | --set 'server.standalone.enabled=true' \ 24 | . 
|| echo "---") | tee /dev/stderr | 25 | yq 'length > 0' | tee /dev/stderr) 26 | [ "${actual}" = "false" ] 27 | } 28 | 29 | @test "server/PSP-Role: PSP-Role can be enabled" { 30 | cd `chart_dir` 31 | local actual=$(helm template \ 32 | --show-only templates/server-psp-role.yaml \ 33 | --set 'server.dev.enabled=true' \ 34 | --set 'global.psp.enable=true' \ 35 | . | tee /dev/stderr | 36 | yq 'length > 0' | tee /dev/stderr) 37 | [ "${actual}" = "true" ] 38 | 39 | local actual=$(helm template \ 40 | --show-only templates/server-psp-role.yaml \ 41 | --set 'server.ha.enabled=true' \ 42 | --set 'global.psp.enable=true' \ 43 | . | tee /dev/stderr | 44 | yq 'length > 0' | tee /dev/stderr) 45 | [ "${actual}" = "true" ] 46 | 47 | local actual=$(helm template \ 48 | --show-only templates/server-psp-role.yaml \ 49 | --set 'server.standalone.enabled=true' \ 50 | --set 'global.psp.enable=true' \ 51 | . | tee /dev/stderr | 52 | yq 'length > 0' | tee /dev/stderr) 53 | [ "${actual}" = "true" ] 54 | } 55 | 56 | @test "server/PSP-Role: disable with global.enabled false" { 57 | cd `chart_dir` 58 | local actual=$( (helm template \ 59 | --show-only templates/server-psp-role.yaml \ 60 | --set 'server.dev.enabled=true' \ 61 | --set 'global.enabled=false' \ 62 | --set 'global.psp.enable=true' \ 63 | . || echo "---") | tee /dev/stderr | 64 | yq 'length > 0' | tee /dev/stderr) 65 | [ "${actual}" = "false" ] 66 | 67 | local actual=$( (helm template \ 68 | --show-only templates/server-psp-role.yaml \ 69 | --set 'server.ha.enabled=true' \ 70 | --set 'global.enabled=false' \ 71 | --set 'global.psp.enable=true' \ 72 | . || echo "---") | tee /dev/stderr | 73 | yq 'length > 0' | tee /dev/stderr) 74 | [ "${actual}" = "false" ] 75 | 76 | local actual=$( (helm template \ 77 | --show-only templates/server-psp-role.yaml \ 78 | --set 'server.standalone.enabled=true' \ 79 | --set 'global.enabled=false' \ 80 | --set 'global.psp.enable=true' \ 81 | . 
|| echo "---") | tee /dev/stderr | 82 | yq 'length > 0' | tee /dev/stderr) 83 | [ "${actual}" = "false" ] 84 | } 85 | 86 | @test "server/PSP-Role: disable with global.psp.enable false" { 87 | cd `chart_dir` 88 | local actual=$( (helm template \ 89 | --show-only templates/server-psp-role.yaml \ 90 | --set 'server.dev.enabled=true' \ 91 | --set 'global.psp.enable=false' \ 92 | . || echo "---") | tee /dev/stderr | 93 | yq 'length > 0' | tee /dev/stderr) 94 | [ "${actual}" = "false" ] 95 | 96 | local actual=$( (helm template \ 97 | --show-only templates/server-psp-role.yaml \ 98 | --set 'server.ha.enabled=true' \ 99 | --set 'global.psp.enable=false' \ 100 | . || echo "---") | tee /dev/stderr | 101 | yq 'length > 0' | tee /dev/stderr) 102 | [ "${actual}" = "false" ] 103 | 104 | local actual=$( (helm template \ 105 | --show-only templates/server-psp-role.yaml \ 106 | --set 'server.standalone.enabled=true' \ 107 | --set 'global.psp.enable=false' \ 108 | . || echo "---") | tee /dev/stderr | 109 | yq 'length > 0' | tee /dev/stderr) 110 | [ "${actual}" = "false" ] 111 | } 112 | 113 | @test "server/PSP-Role: namespace" { 114 | cd `chart_dir` 115 | local actual=$(helm template \ 116 | --show-only templates/server-psp-role.yaml \ 117 | --set 'global.psp.enable=true' \ 118 | --namespace foo \ 119 | . | tee /dev/stderr | 120 | yq -r '.metadata.namespace' | tee /dev/stderr) 121 | [ "${actual}" = "foo" ] 122 | local actual=$(helm template \ 123 | --show-only templates/server-psp-role.yaml \ 124 | --set 'global.psp.enable=true' \ 125 | --set 'global.namespace=bar' \ 126 | --namespace foo \ 127 | . 
| tee /dev/stderr | 128 | yq -r '.metadata.namespace' | tee /dev/stderr) 129 | [ "${actual}" = "bar" ] 130 | } 131 | -------------------------------------------------------------------------------- /test/unit/server-psp-rolebinding.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "server/PSP-RoleBinding: PSP-RoleBinding not enabled by default" { 6 | cd `chart_dir` 7 | local actual=$( (helm template \ 8 | --show-only templates/server-psp-rolebinding.yaml \ 9 | --set 'server.dev.enabled=true' \ 10 | . || echo "---") | tee /dev/stderr | 11 | yq 'length > 0' | tee /dev/stderr) 12 | [ "${actual}" = "false" ] 13 | 14 | local actual=$( (helm template \ 15 | --show-only templates/server-psp-rolebinding.yaml \ 16 | --set 'server.ha.enabled=true' \ 17 | . || echo "---") | tee /dev/stderr | 18 | yq 'length > 0' | tee /dev/stderr) 19 | [ "${actual}" = "false" ] 20 | 21 | local actual=$( (helm template \ 22 | --show-only templates/server-psp-rolebinding.yaml \ 23 | --set 'server.standalone.enabled=true' \ 24 | . || echo "---") | tee /dev/stderr | 25 | yq 'length > 0' | tee /dev/stderr) 26 | [ "${actual}" = "false" ] 27 | } 28 | 29 | @test "server/PSP-RoleBinding: PSP-RoleBinding can be enabled" { 30 | cd `chart_dir` 31 | local actual=$(helm template \ 32 | --show-only templates/server-psp-rolebinding.yaml \ 33 | --set 'server.dev.enabled=true' \ 34 | --set 'global.psp.enable=true' \ 35 | . | tee /dev/stderr | 36 | yq 'length > 0' | tee /dev/stderr) 37 | [ "${actual}" = "true" ] 38 | 39 | local actual=$(helm template \ 40 | --show-only templates/server-psp-rolebinding.yaml \ 41 | --set 'server.ha.enabled=true' \ 42 | --set 'global.psp.enable=true' \ 43 | . 
| tee /dev/stderr | 44 | yq 'length > 0' | tee /dev/stderr) 45 | [ "${actual}" = "true" ] 46 | 47 | local actual=$(helm template \ 48 | --show-only templates/server-psp-rolebinding.yaml \ 49 | --set 'server.standalone.enabled=true' \ 50 | --set 'global.psp.enable=true' \ 51 | . | tee /dev/stderr | 52 | yq 'length > 0' | tee /dev/stderr) 53 | [ "${actual}" = "true" ] 54 | } 55 | 56 | @test "server/PSP-RoleBinding: disable with global.enabled false" { 57 | cd `chart_dir` 58 | local actual=$( (helm template \ 59 | --show-only templates/server-psp-rolebinding.yaml \ 60 | --set 'server.dev.enabled=true' \ 61 | --set 'global.enabled=false' \ 62 | --set 'global.psp.enable=true' \ 63 | . || echo "---") | tee /dev/stderr | 64 | yq 'length > 0' | tee /dev/stderr) 65 | [ "${actual}" = "false" ] 66 | 67 | local actual=$( (helm template \ 68 | --show-only templates/server-psp-rolebinding.yaml \ 69 | --set 'server.ha.enabled=true' \ 70 | --set 'global.enabled=false' \ 71 | --set 'global.psp.enable=true' \ 72 | . || echo "---") | tee /dev/stderr | 73 | yq 'length > 0' | tee /dev/stderr) 74 | [ "${actual}" = "false" ] 75 | 76 | local actual=$( (helm template \ 77 | --show-only templates/server-psp-rolebinding.yaml \ 78 | --set 'server.standalone.enabled=true' \ 79 | --set 'global.enabled=false' \ 80 | --set 'global.psp.enable=true' \ 81 | . || echo "---") | tee /dev/stderr | 82 | yq 'length > 0' | tee /dev/stderr) 83 | [ "${actual}" = "false" ] 84 | } 85 | 86 | @test "server/PSP-RoleBinding: disable with global.psp.enable false" { 87 | cd `chart_dir` 88 | local actual=$( (helm template \ 89 | --show-only templates/server-psp-rolebinding.yaml \ 90 | --set 'server.dev.enabled=true' \ 91 | --set 'global.psp.enable=false' \ 92 | . 
|| echo "---") | tee /dev/stderr | 93 | yq 'length > 0' | tee /dev/stderr) 94 | [ "${actual}" = "false" ] 95 | 96 | local actual=$( (helm template \ 97 | --show-only templates/server-psp-rolebinding.yaml \ 98 | --set 'server.ha.enabled=true' \ 99 | --set 'global.psp.enable=false' \ 100 | . || echo "---") | tee /dev/stderr | 101 | yq 'length > 0' | tee /dev/stderr) 102 | [ "${actual}" = "false" ] 103 | 104 | local actual=$( (helm template \ 105 | --show-only templates/server-psp-rolebinding.yaml \ 106 | --set 'server.standalone.enabled=true' \ 107 | --set 'global.psp.enable=false' \ 108 | . || echo "---") | tee /dev/stderr | 109 | yq 'length > 0' | tee /dev/stderr) 110 | [ "${actual}" = "false" ] 111 | } 112 | 113 | @test "server/PSP-RoleBinding: namespace" { 114 | cd `chart_dir` 115 | local actual=$(helm template \ 116 | --show-only templates/server-psp-rolebinding.yaml \ 117 | --set 'global.psp.enable=true' \ 118 | --namespace foo \ 119 | . | tee /dev/stderr | 120 | yq -r '.metadata.namespace' | tee /dev/stderr) 121 | [ "${actual}" = "foo" ] 122 | local actual=$(helm template \ 123 | --show-only templates/server-psp-rolebinding.yaml \ 124 | --set 'global.psp.enable=true' \ 125 | --set 'global.namespace=bar' \ 126 | --namespace foo \ 127 | . | tee /dev/stderr | 128 | yq -r '.metadata.namespace' | tee /dev/stderr) 129 | [ "${actual}" = "bar" ] 130 | } 131 | -------------------------------------------------------------------------------- /test/unit/server-route.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "server/route: OpenShift - disabled by default" { 6 | cd `chart_dir` 7 | local actual=$( (helm template \ 8 | --set 'global.openshift=true' \ 9 | --show-only templates/server-route.yaml \ 10 | . 
|| echo "---") | tee /dev/stderr | 11 | yq 'length > 0' | tee /dev/stderr) 12 | [ "${actual}" = "false" ] 13 | } 14 | 15 | @test "server/route: OpenShift -disable by injector.externalVaultAddr" { 16 | cd `chart_dir` 17 | local actual=$( (helm template \ 18 | --show-only templates/server-route.yaml \ 19 | --set 'global.openshift=true' \ 20 | --set 'server.route.enabled=true' \ 21 | --set 'injector.externalVaultAddr=http://openbao-outside' \ 22 | . || echo "---") | tee /dev/stderr | 23 | yq 'length > 0' | tee /dev/stderr) 24 | [ "${actual}" = "false" ] 25 | } 26 | 27 | @test "server/route: namespace" { 28 | cd `chart_dir` 29 | local actual=$(helm template \ 30 | --show-only templates/server-route.yaml \ 31 | --set 'global.openshift=true' \ 32 | --set 'server.route.enabled=true' \ 33 | --namespace foo \ 34 | . | tee /dev/stderr | 35 | yq -r '.metadata.namespace' | tee /dev/stderr) 36 | [ "${actual}" = "foo" ] 37 | local actual=$(helm template \ 38 | --show-only templates/server-route.yaml \ 39 | --set 'global.openshift=true' \ 40 | --set 'server.route.enabled=true' \ 41 | --set 'global.namespace=bar' \ 42 | --namespace foo \ 43 | . | tee /dev/stderr | 44 | yq -r '.metadata.namespace' | tee /dev/stderr) 45 | [ "${actual}" = "bar" ] 46 | } 47 | 48 | @test "server/route: OpenShift - checking host entry gets added and path is /" { 49 | cd `chart_dir` 50 | local actual=$(helm template \ 51 | --show-only templates/server-route.yaml \ 52 | --set 'global.openshift=true' \ 53 | --set 'server.route.enabled=true' \ 54 | --set 'server.route.host=test.com' \ 55 | . 
| tee /dev/stderr | 56 | yq -r '.spec.host' | tee /dev/stderr) 57 | [ "${actual}" = 'test.com' ] 58 | } 59 | 60 | @test "server/route: OpenShift - openbao backend should be added when I specify a path" { 61 | cd `chart_dir` 62 | 63 | local actual=$(helm template \ 64 | --show-only templates/server-route.yaml \ 65 | --set 'global.openshift=true' \ 66 | --set 'server.route.enabled=true' \ 67 | --set 'server.route.host=test.com' \ 68 | . | tee /dev/stderr | 69 | yq -r '.spec.to.name | length > 0' | tee /dev/stderr) 70 | [ "${actual}" = "true" ] 71 | 72 | } 73 | 74 | @test "server/route: OpenShift - labels gets added to object" { 75 | cd `chart_dir` 76 | 77 | local actual=$(helm template \ 78 | --show-only templates/server-route.yaml \ 79 | --set 'global.openshift=true' \ 80 | --set 'server.route.enabled=true' \ 81 | --set 'server.route.labels.traffic=external' \ 82 | --set 'server.route.labels.team=dev' \ 83 | . | tee /dev/stderr | 84 | yq -r '.metadata.labels.traffic' | tee /dev/stderr) 85 | [ "${actual}" = "external" ] 86 | } 87 | 88 | @test "server/route: OpenShift - annotations added to object - string" { 89 | cd `chart_dir` 90 | 91 | local actual=$(helm template \ 92 | --show-only templates/server-route.yaml \ 93 | --set 'global.openshift=true' \ 94 | --set 'server.route.enabled=true' \ 95 | --set 'server.route.annotations=kubernetes.io/route.class: haproxy' \ 96 | . | tee /dev/stderr | 97 | yq -r '.metadata.annotations["kubernetes.io/route.class"]' | tee /dev/stderr) 98 | [ "${actual}" = "haproxy" ] 99 | } 100 | 101 | @test "server/route: OpenShift - annotations added to object - yaml" { 102 | cd `chart_dir` 103 | 104 | local actual=$(helm template \ 105 | --show-only templates/server-route.yaml \ 106 | --set 'global.openshift=true' \ 107 | --set 'server.route.enabled=true' \ 108 | --set server.route.annotations."kubernetes\.io/route\.class"=haproxy \ 109 | . 
| tee /dev/stderr | 110 | yq -r '.metadata.annotations["kubernetes.io/route.class"]' | tee /dev/stderr) 111 | [ "${actual}" = "haproxy" ] 112 | } 113 | 114 | @test "server/route: OpenShift - route points to main service by default" { 115 | cd `chart_dir` 116 | 117 | local actual=$(helm template \ 118 | --show-only templates/server-route.yaml \ 119 | --set 'global.openshift=true' \ 120 | --set 'server.route.enabled=true' \ 121 | . | tee /dev/stderr | 122 | yq -r '.spec.to.name' | tee /dev/stderr) 123 | [ "${actual}" = "release-name-openbao" ] 124 | } 125 | 126 | @test "server/route: OpenShift - route points to main service when not ha and activeService is true" { 127 | cd `chart_dir` 128 | 129 | local actual=$(helm template \ 130 | --show-only templates/server-route.yaml \ 131 | --set 'global.openshift=true' \ 132 | --set 'server.route.enabled=true' \ 133 | --set 'server.route.activeService=true' \ 134 | . | tee /dev/stderr | 135 | yq -r '.spec.to.name' | tee /dev/stderr) 136 | [ "${actual}" = "release-name-openbao" ] 137 | } 138 | 139 | @test "server/route: OpenShift - route points to active service by when HA by default" { 140 | cd `chart_dir` 141 | 142 | local actual=$(helm template \ 143 | --show-only templates/server-route.yaml \ 144 | --set 'global.openshift=true' \ 145 | --set 'server.route.enabled=true' \ 146 | --set 'server.ha.enabled=true' \ 147 | . | tee /dev/stderr | 148 | yq -r '.spec.to.name' | tee /dev/stderr) 149 | [ "${actual}" = "release-name-openbao-active" ] 150 | } 151 | 152 | @test "server/route: OpenShift - route points to general service by when HA when configured" { 153 | cd `chart_dir` 154 | 155 | local actual=$(helm template \ 156 | --show-only templates/server-route.yaml \ 157 | --set 'global.openshift=true' \ 158 | --set 'server.route.enabled=true' \ 159 | --set 'server.route.activeService=false' \ 160 | --set 'server.ha.enabled=true' \ 161 | . 
| tee /dev/stderr | 162 | yq -r '.spec.to.name' | tee /dev/stderr) 163 | [ "${actual}" = "release-name-openbao" ] 164 | } 165 | 166 | @test "server/route: OpenShift - route termination mode set to default passthrough" { 167 | cd `chart_dir` 168 | 169 | local actual=$(helm template \ 170 | --show-only templates/server-route.yaml \ 171 | --set 'global.openshift=true' \ 172 | --set 'server.route.enabled=true' \ 173 | . | tee /dev/stderr | 174 | yq -r '.spec.tls.termination' | tee /dev/stderr) 175 | [ "${actual}" = "passthrough" ] 176 | } 177 | 178 | @test "server/route: OpenShift - route termination mode set to edge" { 179 | cd `chart_dir` 180 | 181 | local actual=$(helm template \ 182 | --show-only templates/server-route.yaml \ 183 | --set 'global.openshift=true' \ 184 | --set 'server.route.enabled=true' \ 185 | --set 'server.route.tls.termination=edge' \ 186 | . | tee /dev/stderr | 187 | yq -r '.spec.tls.termination' | tee /dev/stderr) 188 | [ "${actual}" = "edge" ] 189 | } 190 | 191 | @test "server/route: OpenShift - route custom tls entry" { 192 | cd `chart_dir` 193 | 194 | local actual=$(helm template \ 195 | --show-only templates/server-route.yaml \ 196 | --set 'global.openshift=true' \ 197 | --set 'server.route.enabled=true' \ 198 | --set 'server.route.tls.insecureEdgeTerminationPolicy=Redirect' \ 199 | . 
| tee /dev/stderr | 200 | yq -r '.spec.tls.insecureEdgeTerminationPolicy' | tee /dev/stderr) 201 | [ "${actual}" = "Redirect" ] 202 | } 203 | -------------------------------------------------------------------------------- /test/unit/server-serviceaccount-secret.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "server/ServiceAccountSecret: verify service account name match" { 6 | cd `chart_dir` 7 | 8 | local actual=$( (helm template \ 9 | --show-only templates/server-serviceaccount-secret.yaml \ 10 | --set 'server.dev.enabled=true' \ 11 | --set 'server.serviceAccount.create=false' \ 12 | . || echo "---") | tee /dev/stderr | 13 | yq 'length > 0' | tee /dev/stderr) 14 | [ "${actual}" = "false" ] 15 | 16 | local actual=$(helm template \ 17 | --show-only templates/server-serviceaccount-secret.yaml \ 18 | --set 'server.dev.enabled=true' \ 19 | --set 'server.serviceAccount.name=user-defined-ksa' \ 20 | --set 'server.serviceAccount.createSecret=true' \ 21 | . | tee /dev/stderr | 22 | yq -r '.metadata.name' | tee /dev/stderr) 23 | [ "${actual}" = "user-defined-ksa-token" ] 24 | 25 | local actual=$(helm template \ 26 | --show-only templates/server-serviceaccount-secret.yaml \ 27 | --set 'server.dev.enabled=true' \ 28 | --set 'server.serviceAccount.createSecret=true' \ 29 | . | tee /dev/stderr | 30 | yq -r '.metadata.name' | tee /dev/stderr) 31 | [ "${actual}" = "release-name-openbao-token" ] 32 | 33 | } 34 | 35 | @test "server/ServiceAccountSecret: annotation mapping to service account" { 36 | cd `chart_dir` 37 | 38 | local actual=$(helm template \ 39 | --show-only templates/server-serviceaccount-secret.yaml \ 40 | --set 'server.dev.enabled=true' \ 41 | --set 'server.serviceAccount.name=user-defined-ksa' \ 42 | --set 'server.serviceAccount.createSecret=true' \ 43 | . 
| tee /dev/stderr | 44 | yq -r '.metadata.annotations["kubernetes.io/service-account.name"]' | tee /dev/stderr) 45 | [ "${actual}" = "user-defined-ksa" ] 46 | 47 | local actual=$(helm template \ 48 | --show-only templates/server-serviceaccount-secret.yaml \ 49 | --set 'server.dev.enabled=true' \ 50 | --set 'server.serviceAccount.createSecret=true' \ 51 | . | tee /dev/stderr | 52 | yq -r '.metadata.annotations["kubernetes.io/service-account.name"]' | tee /dev/stderr) 53 | [ "${actual}" = "release-name-openbao" ] 54 | 55 | } 56 | 57 | @test "server/ServiceAccountSecret: namespace" { 58 | cd `chart_dir` 59 | local actual=$(helm template \ 60 | --show-only templates/server-serviceaccount-secret.yaml \ 61 | --set 'server.serviceAccount.create=true' \ 62 | --set 'server.serviceAccount.createSecret=true' \ 63 | --namespace foo \ 64 | . | tee /dev/stderr | 65 | yq -r '.metadata.namespace' | tee /dev/stderr) 66 | [ "${actual}" = "foo" ] 67 | local actual=$(helm template \ 68 | --show-only templates/server-serviceaccount-secret.yaml \ 69 | --set 'server.serviceAccount.create=true' \ 70 | --set 'server.serviceAccount.createSecret=true' \ 71 | --set 'global.namespace=bar' \ 72 | --namespace foo \ 73 | . | tee /dev/stderr | 74 | yq -r '.metadata.namespace' | tee /dev/stderr) 75 | [ "${actual}" = "bar" ] 76 | } 77 | 78 | -------------------------------------------------------------------------------- /test/unit/server-serviceaccount.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "server/ServiceAccount: specify service account name" { 6 | cd `chart_dir` 7 | 8 | local actual=$( (helm template \ 9 | --show-only templates/server-serviceaccount.yaml \ 10 | --set 'server.dev.enabled=true' \ 11 | --set 'server.serviceAccount.create=false' \ 12 | . 
|| echo "---") | tee /dev/stderr | 13 | yq 'length > 0' | tee /dev/stderr) 14 | [ "${actual}" = "false" ] 15 | 16 | local actual=$(helm template \ 17 | --show-only templates/server-serviceaccount.yaml \ 18 | --set 'server.dev.enabled=true' \ 19 | --set 'server.serviceAccount.name=user-defined-ksa' \ 20 | . | tee /dev/stderr | 21 | yq -r '.metadata.name' | tee /dev/stderr) 22 | [ "${actual}" = "user-defined-ksa" ] 23 | 24 | local actual=$(helm template \ 25 | --show-only templates/server-serviceaccount.yaml \ 26 | --set 'server.dev.enabled=true' \ 27 | . | tee /dev/stderr | 28 | yq -r '.metadata.name' | tee /dev/stderr) 29 | [ "${actual}" = "release-name-openbao" ] 30 | 31 | } 32 | 33 | @test "server/ServiceAccount: namespace" { 34 | cd `chart_dir` 35 | local actual=$(helm template \ 36 | --show-only templates/server-serviceaccount.yaml \ 37 | --set 'server.serviceAccount.create=true' \ 38 | --namespace foo \ 39 | . | tee /dev/stderr | 40 | yq -r '.metadata.namespace' | tee /dev/stderr) 41 | [ "${actual}" = "foo" ] 42 | local actual=$(helm template \ 43 | --show-only templates/server-serviceaccount.yaml \ 44 | --set 'server.serviceAccount.create=true' \ 45 | --set 'global.namespace=bar' \ 46 | --namespace foo \ 47 | . | tee /dev/stderr | 48 | yq -r '.metadata.namespace' | tee /dev/stderr) 49 | [ "${actual}" = "bar" ] 50 | } 51 | 52 | @test "server/ServiceAccount: specify annotations" { 53 | cd `chart_dir` 54 | local actual=$(helm template \ 55 | --show-only templates/server-serviceaccount.yaml \ 56 | --set 'server.dev.enabled=true' \ 57 | --set 'server.serviceAccount.annotations=foo: bar' \ 58 | . | tee /dev/stderr | 59 | yq -r '.metadata.annotations["foo"]' | tee /dev/stderr) 60 | [ "${actual}" = "null" ] 61 | 62 | local actual=$(helm template \ 63 | --show-only templates/server-serviceaccount.yaml \ 64 | --set 'server.ha.enabled=true' \ 65 | --set 'server.serviceAccount.annotations=foo: bar' \ 66 | . 
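| tee /dev/stderr |
      yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
  [ "${actual}" = "bar" ]

  # Map-style --set for a single annotation key must also land on the object.
  local actual=$(helm template \
      --show-only templates/server-serviceaccount.yaml \
      --set 'server.ha.enabled=true' \
      --set 'server.serviceAccount.annotations.foo=bar' \
      . | tee /dev/stderr |
      yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
  [ "${actual}" = "bar" ]

  # With no annotations configured, the key must be absent (yq prints null).
  local actual=$(helm template \
      --show-only templates/server-serviceaccount.yaml \
      --set 'server.ha.enabled=true' \
      . | tee /dev/stderr |
      yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
  [ "${actual}" = "null" ]
}

# When the server is globally disabled no ServiceAccount should be rendered in
# any server mode (dev, ha, standalone): an identity with nothing to use it is
# a needless principal in the namespace.
# Fix: these assertions previously rendered templates/server-service.yaml, so
# the ServiceAccount template itself was never exercised by this test.
@test "server/ServiceAccount: disable with global.enabled false" {
  cd `chart_dir`
  # `|| echo "---"` keeps the pipeline alive when helm renders nothing, so an
  # empty document (length 0) is what "disabled" looks like to yq.
  local actual=$( (helm template \
      --show-only templates/server-serviceaccount.yaml \
      --set 'server.dev.enabled=true' \
      --set 'global.enabled=false' \
      . || echo "---") | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "false" ]

  local actual=$( (helm template \
      --show-only templates/server-serviceaccount.yaml \
      --set 'server.ha.enabled=true' \
      --set 'global.enabled=false' \
      . || echo "---") | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "false" ]

  local actual=$( (helm template \
      --show-only templates/server-serviceaccount.yaml \
      --set 'server.standalone.enabled=true' \
      --set 'global.enabled=false' \
      . || echo "---") | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "false" ]
}

# Pointing the injector at an external server means no server pods are
# deployed here, so no server ServiceAccount should be rendered either.
# Fix: as above, the assertions targeted templates/server-service.yaml and so
# said nothing about the ServiceAccount template.
@test "server/ServiceAccount: disable by injector.externalVaultAddr" {
  cd `chart_dir`
  local actual=$( (helm template \
      --show-only templates/server-serviceaccount.yaml \
      --set 'server.dev.enabled=true' \
      --set 'injector.externalVaultAddr=http://openbao-outside' \
      . || echo "---") | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "false" ]

  local actual=$( (helm template \
      --show-only templates/server-serviceaccount.yaml \
      --set 'server.ha.enabled=true' \
      --set 'injector.externalVaultAddr=http://openbao-outside' \
      . || echo "---") | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "false" ]

  local actual=$( (helm template \
      --show-only templates/server-serviceaccount.yaml \
      --set 'server.standalone.enabled=true' \
      --set 'injector.externalVaultAddr=http://openbao-outside' \
      . || echo "---") | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "false" ]
}

# Extra labels configured on the ServiceAccount must appear in metadata.labels.
@test "server/serviceAccount: specify server.serviceAccount.extraLabels" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/server-serviceaccount.yaml \
      --set 'server.serviceAccount.extraLabels.foo=bar' \
      . | tee /dev/stderr |
      yq -r '.metadata.labels.foo' | tee /dev/stderr)
  [ "${actual}" = "bar" ]
}
--------------------------------------------------------------------------------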