Merge pull request #19 from openbao/bao-2-0-2

Update OpenBao to v2.0.2

charts/openbao/Chart.yaml

@@ -3,8 +3,8 @@
 
 apiVersion: v2
 name: openbao
-version: 0.5.1
-appVersion: v2.0.1
+version: 0.6.0
+appVersion: v2.0.2
 kubeVersion: ">= 1.27.0-0"
 description: Official OpenBao Chart
 home: https://github.com/openbao/openbao-helm

charts/openbao/README.md

@@ -1,6 +1,6 @@
 # openbao
 
-![Version: 0.5.0](https://img.shields.io/badge/Version-0.5.0-informational?style=flat-square) ![AppVersion: v2.0.1](https://img.shields.io/badge/AppVersion-v2.0.1-informational?style=flat-square)
+![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![AppVersion: v2.0.2](https://img.shields.io/badge/AppVersion-v2.0.2-informational?style=flat-square)
 
 Official OpenBao Chart
 

charts/openbao/values.openshift.yaml

@@ -14,13 +14,13 @@ injector:
   agentImage:
     registry: "quay.io"
     repository: "openbao/openbao"
-    tag: "v2.0.1-ubi"
+    tag: "v2.0.2-ubi"
 
 server:
   image:
     registry: "quay.io"
     repository: "openbao/openbao"
-    tag: "v2.0.1-ubi"
+    tag: "v2.0.2-ubi"
 
   readinessProbe:
     path: "/v1/sys/health?uninitcode=204"

charts/openbao/values.yaml

@@ -71,7 +71,7 @@ injector:
     # -- image repo to use for k8s image
     repository: "hashicorp/vault-k8s"
     # -- image tag to use for k8s image
-    tag: "1.3.1"
+    tag: "1.4.2"
     # -- image pull policy to use for k8s image. if tag is "latest", set to "Always"
     pullPolicy: IfNotPresent
 
@@ -84,7 +84,7 @@ injector:
     # -- image repo to use for agent image
     repository: "openbao/openbao"
     # -- image tag to use for agent image
-    tag: "2.0.1"
+    tag: "2.0.2"
     # -- image pull policy to use for agent image. if tag is "latest", set to "Always"
     pullPolicy: IfNotPresent
 
@@ -288,7 +288,8 @@ injector:
 
   # extraEnvironmentVars is a list of extra environment variables to set in the
   # injector deployment.
-  extraEnvironmentVars: {}
+  extraEnvironmentVars:
+    {}
     # KUBERNETES_SERVICE_HOST: kubernetes.default.svc
 
   # Affinity Settings for injector pods
@@ -379,7 +380,7 @@ server:
     # -- image repo to use for server image
     repository: "openbao/openbao"
     # -- image tag to use for server image
-    tag: "2.0.1"
+    tag: "2.0.2"
     # -- image pull policy to use for server image. if tag is "latest", set to "Always"
     pullPolicy: IfNotPresent
 
@@ -410,9 +411,11 @@ server:
   # In order to expose the service, use the route section below
   ingress:
     enabled: false
-    labels: {}
+    labels:
+      {}
       # traffic: external
-    annotations: {}
+    annotations:
+      {}
       # |
       # kubernetes.io/ingress.class: nginx
       # kubernetes.io/tls-acme: "true"
@@ -480,7 +483,8 @@ server:
   # -- extraInitContainers is a list of init containers. Specified as a YAML list.
   # This is useful if you need to run a script to provision TLS certificates or
   # write out configuration files in a dynamic way.
-  extraInitContainers: []
+  extraInitContainers:
+    []
     # # This example installs a plugin pulled from github into the /usr/local/libexec/vault/oauthapp folder,
     # # which is defined in the volumes value.
     # - name: oauthapp
@@ -508,7 +512,8 @@ server:
 
   # -- extraPorts is a list of extra ports. Specified as a YAML list.
   # This is useful if you need to add additional ports to the statefulset in dynamic way.
-  extraPorts: []
+  extraPorts:
+    []
     # - containerPort: 8300
     #   name: http-monitoring
 
@@ -570,14 +575,16 @@ server:
 
   # extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be
   # used to include variables required for auto-unseal.
-  extraEnvironmentVars: {}
+  extraEnvironmentVars:
+    {}
     # GOOGLE_REGION: global
     # GOOGLE_PROJECT: myproject
     # GOOGLE_APPLICATION_CREDENTIALS: /openbao/userconfig/myproject/myproject-creds.json
 
   # extraSecretEnvironmentVars is a list of extra environment variables to set with the stateful set.
   # These variables take value from existing Secret objects.
-  extraSecretEnvironmentVars: []
+  extraSecretEnvironmentVars:
+    []
     # - envName: AWS_SECRET_ACCESS_KEY
     #   secretName: openbao
     #   secretKey: AWS_SECRET_ACCESS_KEY
@@ -586,7 +593,8 @@ server:
   # extraVolumes is a list of extra volumes to mount. These will be exposed
   # to OpenBao in the path `/openbao/userconfig/<name>/`. The value below is
   # an array of objects, examples are shown below.
-  extraVolumes: []
+  extraVolumes:
+    []
     # - type: secret (or "configMap")
     #   name: my-secret
     #   path: null # default is `/openbao/userconfig`
@@ -651,12 +659,12 @@ server:
     #     port: 443
     ingress:
       - from:
-        - namespaceSelector: {}
+          - namespaceSelector: {}
         ports:
-        - port: 8200
-          protocol: TCP
-        - port: 8201
-          protocol: TCP
+          - port: 8200
+            protocol: TCP
+          - port: 8201
+            protocol: TCP
 
   # Priority class for server pods
   priorityClassName: ""
@@ -893,7 +901,6 @@ server:
     # persistent volumes for OpenBao to store data according to the configuration under server.dataStorage.
     # The OpenBao cluster will coordinate leader elections and failovers internally.
     raft:
-
       # Enables Raft integrated storage
       enabled: false
       # Set the Node Raft ID to the name of the pod
@@ -968,8 +975,8 @@ server:
     disruptionBudget:
       enabled: true
 
-    # maxUnavailable will default to (n/2)-1 where n is the number of
-    # replicas. If you'd like a custom value, you can specify an override here.
+      # maxUnavailable will default to (n/2)-1 where n is the number of
+      # replicas. If you'd like a custom value, you can specify an override here.
       maxUnavailable: null
 
   # Definition of the serviceAccount used to run Vault.
@@ -1093,7 +1100,7 @@ csi:
     # -- image repo to use for csi image
     repository: "hashicorp/vault-csi-provider"
     # -- image tag to use for csi image
-    tag: "1.4.1"
+    tag: "1.4.0"
     # -- image pull policy to use for csi image. if tag is "latest", set to "Always"
     pullPolicy: IfNotPresent
 
@@ -1183,7 +1190,7 @@ csi:
       # -- image repo to use for agent image
       repository: "openbao/openbao"
       # -- image tag to use for agent image
-      tag: "2.0.1"
+      tag: "2.0.2"
       # -- image pull policy to use for agent image. if tag is "latest", set to "Always"
       pullPolicy: IfNotPresent
 

test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml

@@ -5,9 +5,9 @@
 apiVersion: secrets-store.csi.x-k8s.io/v1
 kind: SecretProviderClass
 metadata:
-  name: openbao-kv
+  name: vault-kv
 spec:
-  provider: openbao
+  provider: vault
   parameters:
     roleName: "kv-role"
     objects: |

test/acceptance/csi.bats

@@ -2,73 +2,73 @@
 
 load _helpers
 
-# @test "csi: testing deployment" {
-#   cd `chart_dir`
+@test "csi: testing deployment" {
+  cd `chart_dir`
 
-#   kubectl delete namespace acceptance --ignore-not-found=true
-#   kubectl create namespace acceptance
+  kubectl delete namespace acceptance --ignore-not-found=true
+  kubectl create namespace acceptance
 
-#   # Install Secrets Store CSI driver
-#   # Configure it to pass in a JWT for the provider to use, and rotate secrets rapidly
-#   # so we can see Agent's cache working.
-#   CSI_DRIVER_VERSION=1.3.2
-#   helm install secrets-store-csi-driver secrets-store-csi-driver \
-#     --repo https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts \
-#     --version=$CSI_DRIVER_VERSION \
-#     --wait --timeout=5m \
-#     --namespace=acceptance \
-#     --set linux.image.pullPolicy="IfNotPresent" \
-#     --set tokenRequests[0].audience="openbao" \
-#     --set enableSecretRotation=true \
-#     --set rotationPollInterval=5s
-#   # Install OpenBao and OpenBao provider
-#   helm install openbao \
-#     --wait --timeout=5m \
-#     --namespace=acceptance \
-#     --set="server.dev.enabled=true" \
-#     --set="csi.enabled=true" \
-#     --set="csi.debug=true" \
-#     --set="csi.agent.logLevel=debug" \
-#     --set="injector.enabled=false" \
-#     .
-#   kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao
-#   kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao-csi-provider
+  # Install Secrets Store CSI driver
+  # Configure it to pass in a JWT for the provider to use, and rotate secrets rapidly
+  # so we can see Agent's cache working.
+  CSI_DRIVER_VERSION=1.3.2
+  helm install secrets-store-csi-driver secrets-store-csi-driver \
+    --repo https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts \
+    --version=$CSI_DRIVER_VERSION \
+    --wait --timeout=5m \
+    --namespace=acceptance \
+    --set linux.image.pullPolicy="IfNotPresent" \
+    --set tokenRequests[0].audience="openbao" \
+    --set enableSecretRotation=true \
+    --set rotationPollInterval=5s
+  # Install OpenBao and OpenBao provider
+  helm install openbao \
+    --wait --timeout=5m \
+    --namespace=acceptance \
+    --set="server.dev.enabled=true" \
+    --set="csi.enabled=true" \
+    --set="csi.debug=true" \
+    --set="csi.agent.logLevel=debug" \
+    --set="injector.enabled=false" \
+    .
+  kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao
+  kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao-csi-provider
 
-#   # Set up k8s auth and a kv secret.
-#   cat ../../test/acceptance/csi-test/openbao-policy.hcl | kubectl --namespace=acceptance exec -i openbao-0 -- bao policy write kv-policy -
-#   kubectl --namespace=acceptance exec openbao-0 -- bao auth enable kubernetes
-#   kubectl --namespace=acceptance exec openbao-0 -- sh -c 'bao write auth/kubernetes/config \
-#     kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"'
-#   kubectl --namespace=acceptance exec openbao-0 -- bao write auth/kubernetes/role/kv-role \
-#     bound_service_account_names=nginx \
-#     bound_service_account_namespaces=acceptance \
-#     policies=kv-policy \
-#     ttl=20m
-#   kubectl --namespace=acceptance exec openbao-0 -- bao kv put secret/kv1 bar1=hello1
+  # Set up k8s auth and a kv secret.
+  cat ../../test/acceptance/csi-test/openbao-policy.hcl | kubectl --namespace=acceptance exec -i openbao-0 -- bao policy write kv-policy -
+  kubectl --namespace=acceptance exec openbao-0 -- bao auth enable kubernetes
+  kubectl --namespace=acceptance exec openbao-0 -- sh -c 'bao write auth/kubernetes/config \
+    kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"'
+  kubectl --namespace=acceptance exec openbao-0 -- bao write auth/kubernetes/role/kv-role \
+    bound_service_account_names=nginx \
+    bound_service_account_namespaces=acceptance \
+    policies=kv-policy \
+    ttl=20m
+  kubectl --namespace=acceptance exec openbao-0 -- bao kv put secret/kv1 bar1=hello1
 
-#   kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml
-#   kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/nginx.yaml
-#   kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod nginx
+  kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml
+  kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/nginx.yaml
+  kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod nginx
 
-#   result=$(kubectl --namespace=acceptance exec nginx -- cat /mnt/secrets-store/bar)
-#   [[ "$result" == "hello1" ]]
+  result=$(kubectl --namespace=acceptance exec nginx -- cat /mnt/secrets-store/bar)
+  [[ "$result" == "hello1" ]]
 
-#   for i in $(seq 10); do
-#     sleep 2
-#     if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent | grep "secret renewed: path=/v1/auth/kubernetes/login")" ]; then
-#         echo "Agent returned a cached login response"
-#         return
-#     fi
+  for i in $(seq 10); do
+    sleep 2
+    if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent | grep "secret renewed: path=/v1/auth/kubernetes/login")" ]; then
+        echo "Agent returned a cached login response"
+        return
+    fi
 
-#     echo "Waiting to confirm the Agent is renewing CSI's auth token..."
-#   done
+    echo "Waiting to confirm the Agent is renewing CSI's auth token..."
+  done
 
-#   # Print the logs and fail the test
-#   echo "Failed to find a log for the Agent renewing CSI's auth token"
-#   kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent
-#   kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-csi-provider
-#   exit 1
-# }
+  # Print the logs and fail the test
+  echo "Failed to find a log for the Agent renewing CSI's auth token"
+  kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent
+  kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-csi-provider
+  exit 1
+}
 
 # Clean up
 teardown() {

test/acceptance/injector-test/job.yaml

@@ -32,11 +32,11 @@ spec:
     spec:
       serviceAccountName: pgdump
       containers:
-      - name: pgdump
-        image: postgres:11.5
-        command:
-          - "/bin/sh"
-          - "-ec"
-        args:
-          - "/usr/bin/pg_dump $(cat /openbao/secrets/db-creds) --no-owner > /dev/stdout"
+        - name: pgdump
+          image: postgres:11.5
+          command:
+            - "/bin/sh"
+            - "-ec"
+          args:
+            - "/usr/bin/pg_dump $(cat /vault/secrets/db-creds) --no-owner > /dev/stdout"
       restartPolicy: Never