From 3dd2dec9e34a8d93704f30a517fa0024e3ccd2fa Mon Sep 17 00:00:00 2001 From: Jan Martens Date: Sun, 6 Oct 2024 22:48:11 +0200 Subject: [PATCH 1/4] update OpenBao to v2.0.2 Signed-off-by: Jan Martens --- charts/openbao/README.md | 2 +- charts/openbao/values.openshift.yaml | 4 +-- charts/openbao/values.yaml | 45 ++++++++++++++++------------ 3 files changed, 29 insertions(+), 22 deletions(-) diff --git a/charts/openbao/README.md b/charts/openbao/README.md index ca7ae18c..7aac1763 100644 --- a/charts/openbao/README.md +++ b/charts/openbao/README.md @@ -1,6 +1,6 @@ # openbao -![Version: 0.5.0](https://img.shields.io/badge/Version-0.5.0-informational?style=flat-square) ![AppVersion: v2.0.1](https://img.shields.io/badge/AppVersion-v2.0.1-informational?style=flat-square) +![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![AppVersion: v2.0.2](https://img.shields.io/badge/AppVersion-v2.0.2-informational?style=flat-square) Official OpenBao Chart diff --git a/charts/openbao/values.openshift.yaml b/charts/openbao/values.openshift.yaml index b63f5482..04bed039 100644 --- a/charts/openbao/values.openshift.yaml +++ b/charts/openbao/values.openshift.yaml @@ -14,13 +14,13 @@ injector: agentImage: registry: "quay.io" repository: "openbao/openbao" - tag: "v2.0.1-ubi" + tag: "v2.0.2-ubi" server: image: registry: "quay.io" repository: "openbao/openbao" - tag: "v2.0.1-ubi" + tag: "v2.0.2-ubi" readinessProbe: path: "/v1/sys/health?uninitcode=204" diff --git a/charts/openbao/values.yaml b/charts/openbao/values.yaml index 99b6eb6a..3e241102 100644 --- a/charts/openbao/values.yaml +++ b/charts/openbao/values.yaml @@ -84,7 +84,7 @@ injector: # -- image repo to use for agent image repository: "openbao/openbao" # -- image tag to use for agent image - tag: "2.0.1" + tag: "2.0.2" # -- image pull policy to use for agent image. if tag is "latest", set to "Always" pullPolicy: IfNotPresent 
@@ -288,7 +288,8 @@ injector: # extraEnvironmentVars is a list of extra environment variables to set in the # injector deployment. - extraEnvironmentVars: {} + extraEnvironmentVars: + {} # KUBERNETES_SERVICE_HOST: kubernetes.default.svc # Affinity Settings for injector pods @@ -379,7 +380,7 @@ server: # -- image repo to use for server image repository: "openbao/openbao" # -- image tag to use for server image - tag: "2.0.1" + tag: "2.0.2" # -- image pull policy to use for server image. if tag is "latest", set to "Always" pullPolicy: IfNotPresent @@ -410,9 +411,11 @@ server: # In order to expose the service, use the route section below ingress: enabled: false - labels: {} + labels: + {} # traffic: external - annotations: {} + annotations: + {} # | # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" @@ -480,7 +483,8 @@ server: # -- extraInitContainers is a list of init containers. Specified as a YAML list. # This is useful if you need to run a script to provision TLS certificates or # write out configuration files in a dynamic way. - extraInitContainers: [] + extraInitContainers: + [] # # This example installs a plugin pulled from github into the /usr/local/libexec/vault/oauthapp folder, # # which is defined in the volumes value. # - name: oauthapp @@ -508,7 +512,8 @@ server: # -- extraPorts is a list of extra ports. Specified as a YAML list. # This is useful if you need to add additional ports to the statefulset in dynamic way. - extraPorts: [] + extraPorts: + [] # - containerPort: 8300 # name: http-monitoring 
@@ -570,14 +575,16 @@ server: # extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be # used to include variables required for auto-unseal. - extraEnvironmentVars: {} + extraEnvironmentVars: + {} # GOOGLE_REGION: global # GOOGLE_PROJECT: myproject # GOOGLE_APPLICATION_CREDENTIALS: /openbao/userconfig/myproject/myproject-creds.json # extraSecretEnvironmentVars is a list of extra environment variables to set with the stateful set. # These variables take value from existing Secret objects. - extraSecretEnvironmentVars: [] + extraSecretEnvironmentVars: + [] # - envName: AWS_SECRET_ACCESS_KEY # secretName: openbao # secretKey: AWS_SECRET_ACCESS_KEY @@ -586,7 +593,8 @@ server: # extraVolumes is a list of extra volumes to mount. These will be exposed # to OpenBao in the path `/openbao/userconfig//`. The value below is # an array of objects, examples are shown below. - extraVolumes: [] + extraVolumes: + [] # - type: secret (or "configMap") # name: my-secret # path: null # default is `/openbao/userconfig` @@ -651,12 +659,12 @@ server: # port: 443 ingress: - from: - - namespaceSelector: {} + - namespaceSelector: {} ports: - - port: 8200 - protocol: TCP - - port: 8201 - protocol: TCP + - port: 8200 + protocol: TCP + - port: 8201 + protocol: TCP # Priority class for server pods priorityClassName: "" @@ -893,7 +901,6 @@ server: # persistent volumes for OpenBao to store data according to the configuration under server.dataStorage. # The OpenBao cluster will coordinate leader elections and failovers internally. raft: - # Enables Raft integrated storage enabled: false # Set the Node Raft ID to the name of the pod 
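Review bot: In the `@@ -893` hunk `raft.enabled` loses its only description, `# Enables Raft integrated storage`, and nothing replaces it, so the key becomes the one undocumented value in that stanza. The surrounding file documents values with helm-docs style `# --` comments (e.g. `# -- image tag to use for server image` in the hunks above), so keeping the line as `# -- Enables Raft integrated storage` would both preserve the description and feed it into the generated README rather than dropping it. The rest of the `raft:` block continues outside the hunk. The other hunks in this file only move `{}`/`[]` onto their own line or reindent, which is cosmetic and unrelated to the version bump the commit is about.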
@@ -968,8 +975,8 @@ server: disruptionBudget: enabled: true - # maxUnavailable will default to (n/2)-1 where n is the number of - # replicas. If you'd like a custom value, you can specify an override here. + # maxUnavailable will default to (n/2)-1 where n is the number of + # replicas. If you'd like a custom value, you can specify an override here. maxUnavailable: null # Definition of the serviceAccount used to run Vault. @@ -1183,7 +1190,7 @@ csi: # -- image repo to use for agent image repository: "openbao/openbao" # -- image tag to use for agent image - tag: "2.0.1" + tag: "2.0.2" # -- image pull policy to use for agent image. if tag is "latest", set to "Always" pullPolicy: IfNotPresent From c5b02f372f399d67fcda2eca58da9c52a62734bc Mon Sep 17 00:00:00 2001 From: Jan Martens Date: Sun, 6 Oct 2024 22:48:48 +0200 Subject: [PATCH 2/4] fix secret injector integration Signed-off-by: Jan Martens --- charts/openbao/values.yaml | 2 +- test/acceptance/injector-test/job.yaml | 14 +++---- test/acceptance/injector.bats | 58 +++++++++++++------------- 3 files changed, 37 insertions(+), 37 deletions(-) diff --git a/charts/openbao/values.yaml b/charts/openbao/values.yaml index 3e241102..cde4c492 100644 --- a/charts/openbao/values.yaml +++ b/charts/openbao/values.yaml @@ -71,7 +71,7 @@ injector: # -- image repo to use for k8s image repository: "hashicorp/vault-k8s" # -- image tag to use for k8s image - tag: "1.3.1" + tag: "1.4.2" # -- image pull policy to use for k8s image. if tag is "latest", set to "Always" pullPolicy: IfNotPresent diff --git a/test/acceptance/injector-test/job.yaml b/test/acceptance/injector-test/job.yaml index b40b57b8..30e6ee20 100644 --- a/test/acceptance/injector-test/job.yaml +++ b/test/acceptance/injector-test/job.yaml 
@@ -32,11 +32,11 @@ spec: spec: serviceAccountName: pgdump containers: - - name: pgdump - image: postgres:11.5 - command: - - "/bin/sh" - - "-ec" - args: - - "/usr/bin/pg_dump $(cat /openbao/secrets/db-creds) --no-owner > /dev/stdout" + - name: pgdump + image: postgres:11.5 + command: + - "/bin/sh" + - "-ec" + args: + - "/usr/bin/pg_dump $(cat /vault/secrets/db-creds) --no-owner > /dev/stdout" restartPolicy: Never diff --git a/test/acceptance/injector.bats b/test/acceptance/injector.bats index e093157f..21565973 100644 --- a/test/acceptance/injector.bats +++ b/test/acceptance/injector.bats 
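Review bot: The secret path moves back from `/openbao/secrets/db-creds` to `/vault/secrets/db-creds` with no comment explaining why, so the next rename sweep will plausibly flip it again. The injector image in the same patch stays `hashicorp/vault-k8s` (bumped to 1.4.2), which presumably renders injected files under `/vault/secrets` by default; a comment above `args:` such as `# vault-k8s injector renders injected secrets under /vault/secrets, not /openbao/secrets` would make the path intentional. Note also that `$(cat /vault/secrets/db-creds)` expands the injected file unquoted into the pg_dump command line, which is acceptable for this fixture only because the template is controlled by the test. The enclosing `spec:` starts outside the hunk.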
@@ -2,46 +2,46 @@ load _helpers -# @test "injector: testing deployment" { -# cd `chart_dir` +@test "injector: testing deployment" { + cd `chart_dir` -# kubectl delete namespace acceptance --ignore-not-found=true -# kubectl create namespace acceptance -# kubectl config set-context --current --namespace=acceptance + kubectl delete namespace acceptance --ignore-not-found=true + kubectl create namespace acceptance + kubectl config set-context --current --namespace=acceptance -# kubectl create -f ../../test/acceptance/injector-test/pg-deployment.yaml -# sleep 5 -# wait_for_ready $(kubectl get pod -l app=postgres -o jsonpath="{.items[0].metadata.name}") + kubectl create -f ../../test/acceptance/injector-test/pg-deployment.yaml + sleep 5 + wait_for_ready $(kubectl get pod -l app=postgres -o jsonpath="{.items[0].metadata.name}") -# kubectl create secret generic test \ -# --from-file ../../test/acceptance/injector-test/pgdump-policy.hcl \ -# --from-file ../../test/acceptance/injector-test/bootstrap.sh + kubectl create secret generic test \ + --from-file ../../test/acceptance/injector-test/pgdump-policy.hcl \ + --from-file ../../test/acceptance/injector-test/bootstrap.sh -# kubectl label secret test app=openbao-agent-demo + kubectl label secret test app=openbao-agent-demo -# helm install "$(name_prefix)" \ -# --set="server.extraVolumes[0].type=secret" \ -# --set="server.extraVolumes[0].name=test" . -# wait_for_running $(name_prefix)-0 + helm install "$(name_prefix)" \ + --set="server.extraVolumes[0].type=secret" \ + --set="server.extraVolumes[0].name=test" . 
+ wait_for_running $(name_prefix)-0 -# wait_for_ready $(kubectl get pod -l component=webhook -o jsonpath="{.items[0].metadata.name}") + wait_for_ready $(kubectl get pod -l component=webhook -o jsonpath="{.items[0].metadata.name}") -# kubectl exec -ti "$(name_prefix)-0" -- /bin/sh -c "cp /openbao/userconfig/test/bootstrap.sh /tmp/bootstrap.sh && chmod +x /tmp/bootstrap.sh && /tmp/bootstrap.sh" -# sleep 5 + kubectl exec -ti "$(name_prefix)-0" -- /bin/sh -c "cp /openbao/userconfig/test/bootstrap.sh /tmp/bootstrap.sh && chmod +x /tmp/bootstrap.sh && /tmp/bootstrap.sh" + sleep 5 -# # Sealed, not initialized -# local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | -# jq -r '.sealed' ) -# [ "${sealed_status}" == "false" ] + # Sealed, not initialized + local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | + jq -r '.sealed' ) + [ "${sealed_status}" == "false" ] -# local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | -# jq -r '.initialized') -# [ "${init_status}" == "true" ] + local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json | + jq -r '.initialized') + [ "${init_status}" == "true" ] -# kubectl create -f ../../test/acceptance/injector-test/job.yaml -# wait_for_complete_job "pgdump" -# } + kubectl create -f ../../test/acceptance/injector-test/job.yaml + wait_for_complete_job "pgdump" +} # Clean up teardown() { From 4549ad2b101b873320103dca8b463bd20f8595f6 Mon Sep 17 00:00:00 2001 From: Jan Martens Date: Sun, 6 Oct 2024 22:49:13 +0200 Subject: [PATCH 3/4] fix CSI driver integration Signed-off-by: Jan Martens --- charts/openbao/values.yaml | 2 +- .../openbao-kv-secretproviderclass.yaml | 4 +- test/acceptance/csi.bats | 118 +++++++++--------- test/unit/csi-daemonset.bats | 6 +- 4 files changed, 65 insertions(+), 65 deletions(-) diff --git a/charts/openbao/values.yaml b/charts/openbao/values.yaml index cde4c492..50c6859d 100644 --- a/charts/openbao/values.yaml 
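Review bot: The comment `# Sealed, not initialized` in the re-enabled test contradicts the two assertions directly below it, which require `.sealed` to be `"false"` and `.initialized` to be `"true"` after bootstrap.sh has run; change it to `# Unsealed and initialized by bootstrap.sh`. The `kubectl exec -ti "$(name_prefix)-0" -- /bin/sh -c "..."` call runs in a non-interactive bats process where `-t` cannot allocate a TTY, and the command reads nothing from stdin, so plain `kubectl exec "$(name_prefix)-0" -- /bin/sh -c "..."` avoids the TTY warning. The fixed `sleep 5` waits before `wait_for_ready` and after the bootstrap are a flakiness source; polling for the condition, as `wait_for_ready` already does, would be more robust. The test body is complete within the hunk.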
+++ b/charts/openbao/values.yaml @@ -1100,7 +1100,7 @@ csi: # -- image repo to use for csi image repository: "hashicorp/vault-csi-provider" # -- image tag to use for csi image - tag: "1.4.1" + tag: "1.4.0" # -- image pull policy to use for csi image. if tag is "latest", set to "Always" pullPolicy: IfNotPresent diff --git a/test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml b/test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml index 300676df..2c8339a6 100644 --- a/test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml +++ b/test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml @@ -5,9 +5,9 @@ apiVersion: secrets-store.csi.x-k8s.io/v1 kind: SecretProviderClass metadata: - name: openbao-kv + name: vault-kv spec: - provider: openbao + provider: vault parameters: roleName: "kv-role" objects: | diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats index c4b53273..d95af151 100644 --- a/test/acceptance/csi.bats +++ b/test/acceptance/csi.bats 
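Review bot: The CSI provider image `hashicorp/vault-csi-provider` is moved from `1.4.1` back to `1.4.0` with no comment, and the commit message only says it fixes the integration, so a later routine bump will silently undo the fix. A downgrade of a security-sensitive component needs its reason recorded next to the value, e.g. `# -- image tag to use for csi image (pinned to 1.4.0: <reason 1.4.1 breaks the OpenBao integration>)` — the reason itself is not visible in this patch and should be filled in by the author. Naming the behaviour change or linking the upstream issue there also tells the next maintainer when the pin can be lifted.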
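Review bot: `provider: vault` presumably has to match the provider name the `hashicorp/vault-csi-provider` binary registers with the Secrets Store CSI driver, so that change looks required, but renaming the object from `openbao-kv` to `vault-kv` is not, and the diffstat shows `test/acceptance/csi-test/nginx.yaml` untouched; if that pod still references `secretProviderClass: openbao-kv` the volume mount will fail. Either keep `name: openbao-kv` or update the consumer in the same patch. A comment above the provider line, `# provider name is fixed by the vault-csi-provider binary, not by the chart`, would explain why the OpenBao naming is not used here.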
@@ -2,73 +2,73 @@ load _helpers -# @test "csi: testing deployment" { -# cd `chart_dir` +@test "csi: testing deployment" { + cd `chart_dir` -# kubectl delete namespace acceptance --ignore-not-found=true -# kubectl create namespace acceptance + kubectl delete namespace acceptance --ignore-not-found=true + kubectl create namespace acceptance -# # Install Secrets Store CSI driver -# # Configure it to pass in a JWT for the provider to use, and rotate secrets rapidly -# # so we can see Agent's cache working. -# CSI_DRIVER_VERSION=1.3.2 -# helm install secrets-store-csi-driver secrets-store-csi-driver \ -# --repo https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts \ -# --version=$CSI_DRIVER_VERSION \ -# --wait --timeout=5m \ -# --namespace=acceptance \ -# --set linux.image.pullPolicy="IfNotPresent" \ -# --set tokenRequests[0].audience="openbao" \ -# --set enableSecretRotation=true \ -# --set rotationPollInterval=5s -# # Install OpenBao and OpenBao provider -# helm install openbao \ -# --wait --timeout=5m \ -# --namespace=acceptance \ -# --set="server.dev.enabled=true" \ -# --set="csi.enabled=true" \ -# --set="csi.debug=true" \ -# --set="csi.agent.logLevel=debug" \ -# --set="injector.enabled=false" \ -# . -# kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao -# kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao-csi-provider + # Install Secrets Store CSI driver + # Configure it to pass in a JWT for the provider to use, and rotate secrets rapidly + # so we can see Agent's cache working. 
+ CSI_DRIVER_VERSION=1.3.2 + helm install secrets-store-csi-driver secrets-store-csi-driver \ + --repo https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts \ + --version=$CSI_DRIVER_VERSION \ + --wait --timeout=5m \ + --namespace=acceptance \ + --set linux.image.pullPolicy="IfNotPresent" \ + --set tokenRequests[0].audience="openbao" \ + --set enableSecretRotation=true \ + --set rotationPollInterval=5s + # Install OpenBao and OpenBao provider + helm install openbao \ + --wait --timeout=5m \ + --namespace=acceptance \ + --set="server.dev.enabled=true" \ + --set="csi.enabled=true" \ + --set="csi.debug=true" \ + --set="csi.agent.logLevel=debug" \ + --set="injector.enabled=false" \ + . + kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao + kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao-csi-provider -# # Set up k8s auth and a kv secret. -# cat ../../test/acceptance/csi-test/openbao-policy.hcl | kubectl --namespace=acceptance exec -i openbao-0 -- bao policy write kv-policy - -# kubectl --namespace=acceptance exec openbao-0 -- bao auth enable kubernetes -# kubectl --namespace=acceptance exec openbao-0 -- sh -c 'bao write auth/kubernetes/config \ -# kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"' -# kubectl --namespace=acceptance exec openbao-0 -- bao write auth/kubernetes/role/kv-role \ -# bound_service_account_names=nginx \ -# bound_service_account_namespaces=acceptance \ -# policies=kv-policy \ -# ttl=20m -# kubectl --namespace=acceptance exec openbao-0 -- bao kv put secret/kv1 bar1=hello1 + # Set up k8s auth and a kv secret. 
+ cat ../../test/acceptance/csi-test/openbao-policy.hcl | kubectl --namespace=acceptance exec -i openbao-0 -- bao policy write kv-policy - + kubectl --namespace=acceptance exec openbao-0 -- bao auth enable kubernetes + kubectl --namespace=acceptance exec openbao-0 -- sh -c 'bao write auth/kubernetes/config \ + kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"' + kubectl --namespace=acceptance exec openbao-0 -- bao write auth/kubernetes/role/kv-role \ + bound_service_account_names=nginx \ + bound_service_account_namespaces=acceptance \ + policies=kv-policy \ + ttl=20m + kubectl --namespace=acceptance exec openbao-0 -- bao kv put secret/kv1 bar1=hello1 -# kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml -# kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/nginx.yaml -# kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod nginx + kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml + kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/nginx.yaml + kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod nginx -# result=$(kubectl --namespace=acceptance exec nginx -- cat /mnt/secrets-store/bar) -# [[ "$result" == "hello1" ]] + result=$(kubectl --namespace=acceptance exec nginx -- cat /mnt/secrets-store/bar) + [[ "$result" == "hello1" ]] -# for i in $(seq 10); do -# sleep 2 -# if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent | grep "secret renewed: path=/v1/auth/kubernetes/login")" ]; then -# echo "Agent returned a cached login response" -# return -# fi + for i in $(seq 10); do + sleep 2 + if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent | grep "secret renewed: path=/v1/auth/kubernetes/login")" ]; then + echo "Agent returned a cached 
login response" + return + fi -# echo "Waiting to confirm the Agent is renewing CSI's auth token..." -# done + echo "Waiting to confirm the Agent is renewing CSI's auth token..." + done -# # Print the logs and fail the test -# echo "Failed to find a log for the Agent renewing CSI's auth token" -# kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent -# kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-csi-provider -# exit 1 -# } + # Print the logs and fail the test + echo "Failed to find a log for the Agent renewing CSI's auth token" + kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent + kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-csi-provider + exit 1 +} # Clean up teardown() { diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index 78daa800..4f4e759d 100644 --- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats @@ -107,7 +107,7 @@ load _helpers [ "${actual}" = "PullPolicy1" ] local actual=$(echo $object | yq -r '.[1].image' | tee /dev/stderr) - [ "${actual}" = "Image2:0.0.2" ] + [ "${actual}" = "quay.io/Image2:0.0.2" ] local actual=$(echo $object | yq -r '.[1].imagePullPolicy' | tee /dev/stderr) [ "${actual}" = "PullPolicy2" ] @@ -796,7 +796,7 @@ load _helpers yq -r '.spec.template.spec.containers[1].env' | tee /dev/stderr) local value=$(echo $object | - yq -r 'map(select(.name=="VAULT_LOG_LEVEL")) | .[] .value' | tee /dev/stderr) + yq -r 'map(select(.name=="BAO_LOG_LEVEL")) | .[] .value' | tee /dev/stderr) [ "${value}" = "error" ] } 
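Review bot: `CSI_DRIVER_VERSION=1.3.2` is assigned without `local` inside the re-enabled `@test` function, so it leaks into the bats process environment and into `teardown()`; `local CSI_DRIVER_VERSION=1.3.2` keeps it scoped like `result`. The `auth/kubernetes/role/kv-role` write binds the role to the `nginx` service account in the `acceptance` namespace but sets no `audience`, while the CSI driver is installed with `tokenRequests[0].audience="openbao"`; if OpenBao's kubernetes auth follows Vault's semantics an unset role audience skips the `aud` check, so adding `audience=openbao \` to the role write would make the test exercise the audience binding the driver was configured for. The selector `-l "app.kubernetes.io/name=openbao-csi-provider"` is repeated four times and would read better as a local variable. The test body is complete within the hunk.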
@@ -810,7 +810,7 @@ load _helpers yq -r '.spec.template.spec.containers[1].env' | tee /dev/stderr) local value=$(echo $object | - yq -r 'map(select(.name=="VAULT_LOG_FORMAT")) | .[] .value' | tee /dev/stderr) + yq -r 'map(select(.name=="BAO_LOG_FORMAT")) | .[] .value' | tee /dev/stderr) [ "${value}" = "json" ] } From 2e7c23ce626a1ab64ad7df143d1446826e330a40 Mon Sep 17 00:00:00 2001 From: Jan Martens Date: Sun, 6 Oct 2024 22:51:18 +0200 Subject: [PATCH 4/4] update chart version Signed-off-by: Jan Martens --- charts/openbao/Chart.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/openbao/Chart.yaml b/charts/openbao/Chart.yaml index a1f2d439..f57d37f0 100644 --- a/charts/openbao/Chart.yaml +++ b/charts/openbao/Chart.yaml @@ -3,8 +3,8 @@ apiVersion: v2 name: openbao -version: 0.5.1 -appVersion: v2.0.1 +version: 0.6.0 +appVersion: v2.0.2 kubeVersion: ">= 1.27.0-0" description: Official OpenBao Chart home: https://github.com/openbao/openbao-helm