Merge pull request #22 from claudiol/hashicorp-vault-chart

Initial hashicorp vault chart

Author: claudiol

charts/hashicorp-vault/Chart.yaml

@@ -0,0 +1,15 @@
+apiVersion: v2
+description: A Helm chart to configure Hashicorp's vault
+keywords:
+- pattern
+name: hashicorp-vault
+version: 0.0.1
+dependencies:
+  - name: vault
+    version: "0.24.1"
+    repository: "https://helm.releases.hashicorp.com"
+maintainers:
+  - name: michele
+    email: [email protected]
+  - name: claudiol
+    email: [email protected]

charts/hashicorp-vault/README.md

@@ -0,0 +1,31 @@
+# VP hashicorp-vault
+
+## Updating the chart
+
+1. Edit Chart.yaml with the new version
+2. In the hashicorp-vault folder, run: `helm dependency update .`
+3. Run `./update-helm-dependency.sh`
+4. Check that the images in ./values.yaml are the same version as [upstream](https://github.com/hashicorp/vault-helm/blob/main/values.openshift.yaml)
+5. Git add the new chart in `./charts/vault-<version>.tgz`
+
+## Patches
+
+### Issue 9136
+
+**IMPORTANT**: Due to the fact that 'null' values do not work in helm charts
+([GH#9136](https://github.com/helm/helm/issues/9136)), we need to patch the
+chart to skip setting the host.
+
+### Issue 674
+
+In order to be able to use vault ssl we need to patch the helm chart to fix
+upstream issue 674.
+
+Make sure to run "./update-helm-dependency.sh" after you updated the subchart
+(by calling helm dependency update .)
+
+We can drop this local patch when any one the two conditions is true:
+
+- [1] is fixed in helm and we can require the version that for installs
+- [PR#779](https://github.com/hashicorp/vault-helm/pull/779) is merged in vault-helm *and* our minimum supported OCP version
+  is OCP 4.11 (route subdomain is broken in OCP < 4.11 due to missing [commit](https://github.com/openshift/router/commit/6f730c7cae966f0ed8def50c81d1bf10fe9eb77b)

charts/hashicorp-vault/charts/vault-0.24.1.tgz

@@ -0,0 +1,28 @@
+diff -up vault/values.yaml.orig vault/values.yaml
+--- vault/values.yaml.orig	2022-09-05 20:42:02.468428184 +0200
++++ vault/values.yaml	2022-09-05 20:42:05.218435871 +0200
+@@ -406,7 +406,8 @@ server:
+ 
+     labels: {}
+     annotations: {}
+-    host: chart-example.local
++    #host: chart-example.local
++    host: null
+     # tls will be passed directly to the route's TLS config, which
+     # can be used to configure other termination methods that terminate
+     # TLS at the router
+diff -up vault/values.schema.json.orig vault/values.schema.json
+--- vault/values.schema.json.orig	2022-09-11 21:00:34.834334961 +0200
++++ vault/values.schema.json	2022-09-11 21:00:57.190368032 +0200
+@@ -838,7 +838,10 @@
+                             "type": "boolean"
+                         },
+                         "host": {
+-                            "type": "string"
++                            "type": [
++                                "null",
++                                "string"
++                            ]
+                         },
+                         "labels": {
+                             "type": "object"

charts/hashicorp-vault/local-patches/0001-patch-server-route.patch

@@ -0,0 +1,310 @@
+From f62623030374c55410624a00755e9a3c07a411da Mon Sep 17 00:00:00 2001
+From: Michele Baldessari <[email protected]>
+Date: Tue, 29 Nov 2022 20:06:09 +0100
+Subject: [PATCH] Allow per-service annotations
+
+We add the 'annotations' field to the existing
+vault.service.{active,standby} dictionaries which are relevant for the
+active/standby vault ha services. We also add
+vault.service.{nonha,internal}.annotations in order to allow per-service
+annotations when using the non-ha variant.
+
+We had to choose 'nonha' as we cannot reuse the existing
+vault.service.annotations key, because that gets still applied to all
+services and we do not want to break existing installations.
+
+WIP as we need to add some more docs and maybe some more tests.
+---
+ templates/_helpers.tpl                   | 57 ++++++++++++++++++++++++
+ templates/server-ha-active-service.yaml  |  3 +-
+ templates/server-ha-standby-service.yaml |  1 +
+ templates/server-headless-service.yaml   |  1 +
+ templates/server-service.yaml            |  1 +
+ test/unit/server-ha-active-service.bats  | 11 +++++
+ test/unit/server-ha-standby-service.bats | 11 +++++
+ test/unit/server-service.bats            | 10 +++++
+ values.schema.json                       | 34 ++++++++++++++
+ values.yaml                              | 22 +++++++++
+ 10 files changed, 150 insertions(+), 1 deletion(-)
+
+diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
+index 3897391..9e98c0b 100644
+--- a/templates/_helpers.tpl
++++ b/templates/_helpers.tpl
+@@ -683,6 +683,63 @@ Sets extra vault server Service annotations
+   {{- end }}
+ {{- end -}}
+ 
++{{/*
++Sets extra vault server Service active annotations
++*/}}
++{{- define "vault.service.active.annotations" -}}
++  {{- if .Values.server.service.active.annotations }}
++    {{- $tp := typeOf .Values.server.service.active.annotations }}
++    {{- if eq $tp "string" }}
++      {{- tpl .Values.server.service.active.annotations . | nindent 4 }}
++    {{- else }}
++      {{- toYaml .Values.server.service.active.annotations | nindent 4 }}
++    {{- end }}
++  {{- end }}
++{{- end -}}
++
++{{/*
++Sets extra vault server Service standby annotations
++*/}}
++{{- define "vault.service.standby.annotations" -}}
++  {{- if .Values.server.service.standby.annotations }}
++    {{- $tp := typeOf .Values.server.service.standby.annotations }}
++    {{- if eq $tp "string" }}
++      {{- tpl .Values.server.service.standby.annotations . | nindent 4 }}
++    {{- else }}
++      {{- toYaml .Values.server.service.standby.annotations | nindent 4 }}
++    {{- end }}
++  {{- end }}
++{{- end -}}
++
++{{/*
++Sets extra vault server Service internal annotations
++*/}}
++{{- define "vault.service.internal.annotations" -}}
++  {{- if .Values.server.service.internal.annotations }}
++    {{- $tp := typeOf .Values.server.service.internal.annotations }}
++    {{- if eq $tp "string" }}
++      {{- tpl .Values.server.service.internal.annotations . | nindent 4 }}
++    {{- else }}
++      {{- toYaml .Values.server.service.internal.annotations | nindent 4 }}
++    {{- end }}
++  {{- end }}
++{{- end -}}
++{{/*
++Sets extra vault server Service nonha annotations
++Note: We call it 'nonha' as we need to differentiate the "vault.service.annotations" which are
++      applied to all services
++*/}}
++{{- define "vault.service.nonha.annotations" -}}
++  {{- if .Values.server.service.nonha.annotations }}
++    {{- $tp := typeOf .Values.server.service.nonha.annotations }}
++    {{- if eq $tp "string" }}
++      {{- tpl .Values.server.service.nonha.annotations . | nindent 4 }}
++    {{- else }}
++      {{- toYaml .Values.server.service.nonha.annotations | nindent 4 }}
++    {{- end }}
++  {{- end }}
++{{- end -}}
++
+ {{/*
+ Sets PodSecurityPolicy annotations
+ */}}
+diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml
+index 7def2a0..649ffb8 100644
+--- a/templates/server-ha-active-service.yaml
++++ b/templates/server-ha-active-service.yaml
+@@ -18,8 +18,9 @@ metadata:
+     vault-active: "true"
+   annotations:
+ {{ template "vault.service.annotations" .}}
++{{ template "vault.service.active.annotations" .}}
+ spec:
+-  {{- if .Values.server.service.type}}
++  {{- if .Values.server.service.type }}
+   type: {{ .Values.server.service.type }}
+   {{- end}}
+   {{- if .Values.server.service.clusterIP }}
+diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml
+index 50fca4b..cdbfcad 100644
+--- a/templates/server-ha-standby-service.yaml
++++ b/templates/server-ha-standby-service.yaml
+@@ -17,6 +17,7 @@ metadata:
+     app.kubernetes.io/managed-by: {{ .Release.Service }}
+   annotations:
+ {{ template "vault.service.annotations" .}}
++{{ template "vault.service.standby.annotations" .}}
+ spec:
+   {{- if .Values.server.service.type}}
+   type: {{ .Values.server.service.type }}
+diff --git a/templates/server-headless-service.yaml b/templates/server-headless-service.yaml
+index b03f491..25aaa8d 100644
+--- a/templates/server-headless-service.yaml
++++ b/templates/server-headless-service.yaml
+@@ -16,6 +16,7 @@ metadata:
+     vault-internal: "true"
+   annotations:
+ {{ template "vault.service.annotations" .}}
++{{ template "vault.service.internal.annotations" .}}
+ spec:
+   clusterIP: None
+   publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
+diff --git a/templates/server-service.yaml b/templates/server-service.yaml
+index 913b569..02a1ccd 100644
+--- a/templates/server-service.yaml
++++ b/templates/server-service.yaml
+@@ -15,6 +15,7 @@ metadata:
+     app.kubernetes.io/managed-by: {{ .Release.Service }}
+   annotations:
+ {{ template "vault.service.annotations" .}}
++{{ template "vault.service.nonha.annotations" .}}
+ spec:
+   {{- if .Values.server.service.type}}
+   type: {{ .Values.server.service.type }}
+diff --git a/test/unit/server-ha-active-service.bats b/test/unit/server-ha-active-service.bats
+index d78f5d4..13b5271 100755
+--- a/test/unit/server-ha-active-service.bats
++++ b/test/unit/server-ha-active-service.bats
+@@ -13,6 +13,17 @@ load _helpers
+   [ "${actual}" = "true" ]
+ }
+ 
++@test "server/ha-active-Service: specific annotations" {
++  cd `chart_dir`
++  local actual=$(helm template \
++      --show-only templates/server-ha-active-service.yaml \
++      --set 'server.ha.enabled=true' \
++      --set 'server.service.active.annotations=vaultIsAwesome: true' \
++      . | tee /dev/stderr |
++      yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr)
++  [ "${actual}" = "true" ]
++}
++
+ @test "server/ha-active-Service: disable with ha.enabled false" {
+   cd `chart_dir`
+   local actual=$( (helm template \
+diff --git a/test/unit/server-ha-standby-service.bats b/test/unit/server-ha-standby-service.bats
+index 6698314..6244565 100755
+--- a/test/unit/server-ha-standby-service.bats
++++ b/test/unit/server-ha-standby-service.bats
+@@ -13,6 +13,17 @@ load _helpers
+   [ "${actual}" = "true" ]
+ }
+ 
++@test "server/ha-standby-Service: specific annotations string" {
++  cd `chart_dir`
++  local actual=$(helm template \
++      --show-only templates/server-ha-standby-service.yaml \
++      --set 'server.ha.enabled=true' \
++      --set 'server.service.standby.annotations=vaultIsAwesome: true' \
++      . | tee /dev/stderr |
++      yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr)
++  [ "${actual}" = "true" ]
++}
++
+ @test "server/ha-standby-Service: generic annotations yaml" {
+   cd `chart_dir`
+   local actual=$(helm template \
+diff --git a/test/unit/server-service.bats b/test/unit/server-service.bats
+index 70a5445..cc66987 100755
+--- a/test/unit/server-service.bats
++++ b/test/unit/server-service.bats
+@@ -153,6 +153,16 @@ load _helpers
+   [ "${actual}" = "true" ]
+ }
+ 
++@test "server/Service: specific annotations" {
++  cd `chart_dir`
++  local actual=$(helm template \
++      --show-only templates/server-service.yaml \
++      --set 'server.service.nonha.annotations=vaultIsAwesome: true' \
++      . | tee /dev/stderr |
++      yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr)
++  [ "${actual}" = "true" ]
++}
++
+ @test "server/Service: publish not ready" {
+   cd `chart_dir`
+   local actual=$(helm template \
+diff --git a/values.schema.json b/values.schema.json
+index c183957..d0dca34 100644
+--- a/values.schema.json
++++ b/values.schema.json
+@@ -854,11 +854,39 @@
+                         "active": {
+                             "type": "object",
+                             "properties": {
++                                "annotations" : {
++                                    "type": [
++                                        "object",
++                                        "string"
++                                    ]
++                                },
+                                 "enabled": {
+                                     "type": "boolean"
+                                 }
+                             }
+                         },
++                        "internal": {
++                            "type": "object",
++                            "properties": {
++                                "annotations": {
++                                    "type": [
++                                        "object",
++                                        "string"
++                                    ]
++                                }
++                            }
++                        },
++                        "nonha": {
++                            "type": "object",
++                            "properties": {
++                                "annotations": {
++                                    "type": [
++                                        "object",
++                                        "string"
++                                    ]
++                                }
++                            }
++                        },
+                         "annotations": {
+                             "type": [
+                                 "object",
+@@ -890,6 +918,12 @@
+                             "properties": {
+                                 "enabled": {
+                                     "type": "boolean"
++                                },
++                                "annotations": {
++                                    "type": [
++                                        "object",
++                                        "string"
++                                    ]
+                                 }
+                             }
+                         },
+diff --git a/values.yaml b/values.yaml
+index 2c3d9e2..32d8ea1 100644
+--- a/values.yaml
++++ b/values.yaml
+@@ -600,10 +600,32 @@ server:
+     # have labelled themselves as the cluster leader with `vault-active: "true"`
+     active:
+       enabled: true
++      # Extra annotations for the service definition. This can either be YAML or a
++      # YAML-formatted multi-line templated string map of the annotations to apply
++      # to the service.
++      annotations: {}
++
+     # Enable or disable the vault-standby service, which selects Vault pods that
+     # have labelled themselves as a cluster follower with `vault-active: "false"`
+     standby:
+       enabled: true
++      # Extra annotations for the service definition. This can either be YAML or a
++      # YAML-formatted multi-line templated string map of the annotations to apply
++      # to the service.
++      annotations: {}
++
++    nonha:
++      # Extra annotations for the service definition. This can either be YAML or a
++      # YAML-formatted multi-line templated string map of the annotations to apply
++      # to the service.
++      annotations: {}
++
++    internal:
++      # Extra annotations for the service definition. This can either be YAML or a
++      # YAML-formatted multi-line templated string map of the annotations to apply
++      # to the service.
++      annotations: {}
++
+     # If enabled, the service selectors will include `app.kubernetes.io/instance: {{ .Release.Name }}`
+     # When disabled, services may select Vault pods not deployed from the chart.
+     # Does not affect the headless vault-internal service with `ClusterIP: None`
+-- 
+2.38.1
+