From 0cc2558e63fe9d5ad157078b7eeec53b65f36cac Mon Sep 17 00:00:00 2001 From: Ramiz Polic Date: Mon, 26 Jun 2023 14:23:24 +0200 Subject: [PATCH 1/8] chore: reconfigure deploy path structure 
Signed-off-by: Ramiz Polic --- .dockerignore | 13 +- .github/workflows/artifacts.yaml | 6 +- .github/workflows/ci.yaml | 2 +- .yamlignore | 10 +- Makefile | 24 ++-- .../charts}/vault-operator/.helmignore | 0 .../charts}/vault-operator/Chart.yaml | 0 .../charts}/vault-operator/README.md | 0 .../charts}/vault-operator/README.md.gotmpl | 0 .../charts}/vault-operator/crds/crd.yaml | 117 ++++++++++++++++++ .../vault-operator/templates/_helpers.tpl | 0 .../vault-operator/templates/deployment.yaml | 0 .../charts}/vault-operator/templates/psp.yaml | 0 .../vault-operator/templates/role.yaml | 0 .../vault-operator/templates/rolebinding.yaml | 0 .../charts}/vault-operator/templates/sa.yaml | 0 .../vault-operator/templates/service.yaml | 0 .../templates/servicemonitor.yaml | 0 .../charts}/vault-operator/values.yaml | 0 .../{ => crd}/aws-server-side-encryption.yaml | 0 deploy/{ => crd}/config-jwt-groups.yaml | 0 deploy/{ => crd}/config.yaml | 0 deploy/{ => crd}/cr-alibaba.yaml | 0 deploy/{ => crd}/cr-audit.yaml | 0 deploy/{ => crd}/cr-aws.yaml | 0 deploy/{ => crd}/cr-awskms.yaml | 0 deploy/{ => crd}/cr-azure.yaml | 0 deploy/{ => crd}/cr-cert-manager.yaml | 0 deploy/{ => crd}/cr-containers.yaml | 0 deploy/{ => crd}/cr-credentialFromSecret.yaml | 0 deploy/{ => crd}/cr-customports.yaml | 0 .../cr-disabled-root-token-storage.yaml | 0 deploy/{ => crd}/cr-file.yaml | 0 deploy/{ => crd}/cr-gcpkms.yaml | 0 deploy/{ => crd}/cr-gcs-ha-autounseal.yaml | 0 deploy/{ => crd}/cr-gcs-ha.yaml | 0 deploy/{ => crd}/cr-hsm-nitrokey.yaml | 0 deploy/{ => crd}/cr-hsm-softhsm.yaml | 0 deploy/{ => crd}/cr-init-containers.yaml | 0 deploy/{ => crd}/cr-k8s-startup-secret.yaml | 0 deploy/{ => crd}/cr-kvv2.yaml | 0 deploy/{ => crd}/cr-mysql-ha.yaml | 0 deploy/{ => crd}/cr-nodeAffinity.yaml | 0 deploy/{ => crd}/cr-oidc.yaml | 0 deploy/{ => crd}/cr-podAntiAffinity.yaml | 0 deploy/{ => crd}/cr-policy-with-accessor.yaml | 0 deploy/{ => crd}/cr-priority.yaml | 0 deploy/{ => crd}/cr-prometheus.yaml | 0 deploy/{ 
=> crd}/cr-raft-1.yaml | 0 deploy/{ => crd}/cr-raft-ha-storage.yaml | 0 deploy/{ => crd}/cr-raft.yaml | 0 deploy/{ => crd}/cr-resource.yaml | 0 deploy/{ => crd}/cr-statsd.yaml | 0 deploy/{ => crd}/cr-transit-unseal.yaml | 0 deploy/{ => crd}/cr-vault-kv-unseal.yaml | 0 deploy/{ => crd}/cr.yaml | 0 deploy/{ => crd}/crd.yaml | 117 ++++++++++++++++++ deploy/{ => crd}/issuer.yaml | 0 deploy/{ => crd}/openshift-vault-scc.yaml | 0 deploy/{ => crd}/priorityclass.yaml | 0 deploy/{ => crd}/rbac.yaml | 0 deploy/{ => crd}/secret.yaml | 0 .../examples}/backup/backup.yaml | 0 .../examples}/backup/schedule.yaml | 0 .../examples}/dev/microk8s/README.md | 2 +- .../examples}/dev/microk8s/dev.yaml | 0 .../examples}/dev/microk8s/pvc.yaml | 0 .../examples}/dev/microk8s/rbac.yaml | 0 {examples => deploy/examples}/istio/app.yaml | 0 .../examples}/istio/cr-istio.yaml | 0 {examples => deploy/examples}/istio/rbac.yaml | 0 {examples => deploy/examples}/tls/config.json | 0 {examples => deploy/examples}/tls/csr.json | 0 {examples => deploy/examples}/tls/server.json | 0 deploy/multi-dc/aws/multi-dc-raft.sh | 2 +- deploy/multi-dc/test/multi-dc-raft.sh | 2 +- .../scripts}/custom-boilerplate.go.txt | 0 {scripts => hack/scripts}/update-codegen.sh | 2 +- .../validate-config-crud.sh | 2 +- .../validate-config-crud/vault-config.yml | 0 test/acceptance_test.go | 20 +-- 81 files changed, 279 insertions(+), 40 deletions(-) rename {charts => deploy/charts}/vault-operator/.helmignore (100%) rename {charts => deploy/charts}/vault-operator/Chart.yaml (100%) rename {charts => deploy/charts}/vault-operator/README.md (100%) rename {charts => deploy/charts}/vault-operator/README.md.gotmpl (100%) rename {charts => deploy/charts}/vault-operator/crds/crd.yaml (98%) rename {charts => deploy/charts}/vault-operator/templates/_helpers.tpl (100%) rename {charts => deploy/charts}/vault-operator/templates/deployment.yaml (100%) rename {charts => deploy/charts}/vault-operator/templates/psp.yaml (100%) rename {charts => 
deploy/charts}/vault-operator/templates/role.yaml (100%) rename {charts => deploy/charts}/vault-operator/templates/rolebinding.yaml (100%) rename {charts => deploy/charts}/vault-operator/templates/sa.yaml (100%) rename {charts => deploy/charts}/vault-operator/templates/service.yaml (100%) rename {charts => deploy/charts}/vault-operator/templates/servicemonitor.yaml (100%) rename {charts => deploy/charts}/vault-operator/values.yaml (100%) rename deploy/{ => crd}/aws-server-side-encryption.yaml (100%) rename deploy/{ => crd}/config-jwt-groups.yaml (100%) rename deploy/{ => crd}/config.yaml (100%) rename deploy/{ => crd}/cr-alibaba.yaml (100%) rename deploy/{ => crd}/cr-audit.yaml (100%) rename deploy/{ => crd}/cr-aws.yaml (100%) rename deploy/{ => crd}/cr-awskms.yaml (100%) rename deploy/{ => crd}/cr-azure.yaml (100%) rename deploy/{ => crd}/cr-cert-manager.yaml (100%) rename deploy/{ => crd}/cr-containers.yaml (100%) rename deploy/{ => crd}/cr-credentialFromSecret.yaml (100%) rename deploy/{ => crd}/cr-customports.yaml (100%) rename deploy/{ => crd}/cr-disabled-root-token-storage.yaml (100%) rename deploy/{ => crd}/cr-file.yaml (100%) rename deploy/{ => crd}/cr-gcpkms.yaml (100%) rename deploy/{ => crd}/cr-gcs-ha-autounseal.yaml (100%) rename deploy/{ => crd}/cr-gcs-ha.yaml (100%) rename deploy/{ => crd}/cr-hsm-nitrokey.yaml (100%) rename deploy/{ => crd}/cr-hsm-softhsm.yaml (100%) rename deploy/{ => crd}/cr-init-containers.yaml (100%) rename deploy/{ => crd}/cr-k8s-startup-secret.yaml (100%) rename deploy/{ => crd}/cr-kvv2.yaml (100%) rename deploy/{ => crd}/cr-mysql-ha.yaml (100%) rename deploy/{ => crd}/cr-nodeAffinity.yaml (100%) rename deploy/{ => crd}/cr-oidc.yaml (100%) rename deploy/{ => crd}/cr-podAntiAffinity.yaml (100%) rename deploy/{ => crd}/cr-policy-with-accessor.yaml (100%) rename deploy/{ => crd}/cr-priority.yaml (100%) rename deploy/{ => crd}/cr-prometheus.yaml (100%) rename deploy/{ => crd}/cr-raft-1.yaml (100%) rename deploy/{ => 
crd}/cr-raft-ha-storage.yaml (100%) rename deploy/{ => crd}/cr-raft.yaml (100%) rename deploy/{ => crd}/cr-resource.yaml (100%) rename deploy/{ => crd}/cr-statsd.yaml (100%) rename deploy/{ => crd}/cr-transit-unseal.yaml (100%) rename deploy/{ => crd}/cr-vault-kv-unseal.yaml (100%) rename deploy/{ => crd}/cr.yaml (100%) rename deploy/{ => crd}/crd.yaml (98%) rename deploy/{ => crd}/issuer.yaml (100%) rename deploy/{ => crd}/openshift-vault-scc.yaml (100%) rename deploy/{ => crd}/priorityclass.yaml (100%) rename deploy/{ => crd}/rbac.yaml (100%) rename deploy/{ => crd}/secret.yaml (100%) rename {examples => deploy/examples}/backup/backup.yaml (100%) rename {examples => deploy/examples}/backup/schedule.yaml (100%) rename {examples => deploy/examples}/dev/microk8s/README.md (82%) rename {examples => deploy/examples}/dev/microk8s/dev.yaml (100%) rename {examples => deploy/examples}/dev/microk8s/pvc.yaml (100%) rename {examples => deploy/examples}/dev/microk8s/rbac.yaml (100%) rename {examples => deploy/examples}/istio/app.yaml (100%) rename {examples => deploy/examples}/istio/cr-istio.yaml (100%) rename {examples => deploy/examples}/istio/rbac.yaml (100%) rename {examples => deploy/examples}/tls/config.json (100%) rename {examples => deploy/examples}/tls/csr.json (100%) rename {examples => deploy/examples}/tls/server.json (100%) rename {scripts => hack/scripts}/custom-boilerplate.go.txt (100%) rename {scripts => hack/scripts}/update-codegen.sh (95%) rename {scripts => hack/scripts}/validate-config-crud/validate-config-crud.sh (99%) rename {scripts => hack/scripts}/validate-config-crud/vault-config.yml (100%) diff --git a/.dockerignore b/.dockerignore index 7c4b7bb8..2c99b399 100644 --- a/.dockerignore +++ b/.dockerignore @@ -3,11 +3,14 @@ /.github/ /bin/ /build/ -/deploy/ /Dockerfile -/e2e/ -/charts/ -/examples/ -/scripts/ +/e2e/ /test/ + +/hack/scripts/ + +/deploy/crd/ +/deploy/charts/ +/deploy/examples/ +/deploy/multi-dc/ \ No newline at end of file 
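Review bot: Replacing the single `/deploy/` entry with four subdirectory entries (`/deploy/crd/`, `/deploy/charts/`, `/deploy/examples/`, `/deploy/multi-dc/`) narrows what is kept out of the Docker build context: any file placed directly in deploy/ or in a future subdirectory will now be sent to the daemon, which the old blanket entry prevented. If nothing under deploy/ is needed by the Dockerfile, keeping `/deploy/` as one entry is simpler and needs no maintenance when the tree changes; the .yamlignore hunk follows the same pattern, where it is presumably intended so that new manifests are still linted. The new side also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while the file is being edited.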
diff --git a/.github/workflows/artifacts.yaml b/.github/workflows/artifacts.yaml index cb283e03..e936331a 100644 --- a/.github/workflows/artifacts.yaml +++ b/.github/workflows/artifacts.yaml @@ -199,7 +199,7 @@ jobs: run: echo "value=${{ steps.oci-registry-name.outputs.value }}/${{ steps.chart-name.outputs.value }}" >> "$GITHUB_OUTPUT" - name: Helm lint - run: helm lint charts/${{ steps.chart-name.outputs.value }} + run: helm lint deploy/charts/${{ steps.chart-name.outputs.value }} - name: Determine raw version uses: haya14busa/action-cond@1d6e8a12b20cdb4f1954feef9aa475b9c390cab5 # v1.1.1 @@ -218,7 +218,7 @@ jobs: - name: Helm package id: build run: | - helm package charts/${{ steps.chart-name.outputs.value }} --version ${{ steps.version.outputs.value }} --app-version ${{ steps.raw-version.outputs.value }} + helm package deploy/charts/${{ steps.chart-name.outputs.value }} --version ${{ steps.version.outputs.value }} --app-version ${{ steps.raw-version.outputs.value }} echo "package=${{ steps.chart-name.outputs.value }}-${{ steps.version.outputs.value }}.tgz" >> "$GITHUB_OUTPUT" - name: Upload chart as artifact @@ -251,7 +251,7 @@ jobs: uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54 # 0.11.2 with: scan-type: config - scan-ref: charts/${{ steps.chart-name.outputs.value }} + scan-ref: deploy/charts/${{ steps.chart-name.outputs.value }} format: sarif output: trivy-results.sarif diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 93ad35a5..59ca9168 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -218,7 +218,7 @@ jobs: name: "[container-image] Docker tarball" - name: Build the Helm charts - run: nix develop --impure .#ci -c helm dep build ./charts/vault-operator + run: nix develop --impure .#ci -c helm dep build ./deploy/charts/vault-operator - name: Operator Multi-DC Raft test run: nix develop --impure .#ci -c ./deploy/multi-dc/test/multi-dc-raft.sh install 
diff --git a/.yamlignore b/.yamlignore index d2be3fe1..30e4aa0a 100644 --- a/.yamlignore +++ b/.yamlignore @@ -1,7 +1,9 @@ -/deploy/ +/test/ + /e2e/deploy/ /e2e/test/ -/charts/ -/examples/ -/test/ +/deploy/crd/ +/deploy/charts/ +/deploy/examples/ +/deploy/multi-dc/ diff --git a/Makefile b/Makefile index c8c095cb..d2f6d898 100644 --- a/Makefile +++ b/Makefile @@ -33,14 +33,14 @@ build: ## Build binary .PHONY: run run: ## Run the operator locally talking to a Kubernetes cluster - kubectl replace -f deploy/crd.yaml || kubectl create -f deploy/crd.yaml - kubectl apply -f deploy/rbac.yaml + kubectl replace -f deploy/crd/crd.yaml || kubectl create -f deploy/crd/crd.yaml + kubectl apply -f deploy/crd/rbac.yaml OPERATOR_NAME=vault-dev go run cmd/manager/main.go -verbose .PHONY: clean clean: ## Clean operator resources from a Kubernetes cluster - kubectl delete -f deploy/crd.yaml - kubectl delete -f deploy/rbac.yaml + kubectl delete -f deploy/crd/crd.yaml + kubectl delete -f deploy/crd/rbac.yaml .PHONY: artifacts artifacts: container-image helm-chart @@ -53,7 +53,7 @@ container-image: ## Build container image .PHONY: helm-chart helm-chart: ## Build Helm chart @mkdir -p build - helm package -d build/ charts/vault-operator + helm package -d build/ deploy/charts/vault-operator .PHONY: check check: test lint ## Run checks (tests and linters) @@ -76,7 +76,7 @@ lint-go: .PHONY: lint-helm lint-helm: - helm lint charts/vault-operator + helm lint deploy/charts/vault-operator .PHONY: lint-docker lint-docker: 
@@ -101,18 +101,18 @@ generate: ## Run generation jobs .PHONY: generate-code generate-code: ## Regenerate clientset, deepcopy funcs, listers and informers - ./scripts/update-codegen.sh v${CODE_GENERATOR_VERSION} + ./hack/scripts/update-codegen.sh v${CODE_GENERATOR_VERSION} .PHONY: generate-crds generate-crds: ## Regenerate CRDs in the Helm chart and examples - controller-gen crd:maxDescLen=0 paths=./pkg/... output:crd:artifacts:config=./deploy/ - cp deploy/vault.banzaicloud.com_vaults.yaml charts/vault-operator/crds/crd.yaml - cp deploy/vault.banzaicloud.com_vaults.yaml deploy/crd.yaml - rm deploy/vault.banzaicloud.com_vaults.yaml + controller-gen crd:maxDescLen=0 paths=./pkg/... output:crd:artifacts:config=./deploy/crd + cp deploy/crd/vault.banzaicloud.com_vaults.yaml deploy/charts/vault-operator/crds/crd.yaml + cp deploy/crd/vault.banzaicloud.com_vaults.yaml deploy/crd/crd.yaml + rm deploy/crd/vault.banzaicloud.com_vaults.yaml .PHONY: generate-helm-docs generate-helm-docs: - helm-docs -s file -c charts/ -t README.md.gotmpl + helm-docs -s file -c deploy/charts/ -t README.md.gotmpl deps: bin/golangci-lint bin/licensei bin/kind bin/kurun bin/controller-gen bin/helm-docs deps: ## Install dependencies diff --git a/charts/vault-operator/.helmignore b/deploy/charts/vault-operator/.helmignore similarity index 100% rename from charts/vault-operator/.helmignore rename to deploy/charts/vault-operator/.helmignore diff --git a/charts/vault-operator/Chart.yaml b/deploy/charts/vault-operator/Chart.yaml similarity index 100% rename from charts/vault-operator/Chart.yaml rename to deploy/charts/vault-operator/Chart.yaml diff --git a/charts/vault-operator/README.md b/deploy/charts/vault-operator/README.md similarity index 100% rename from charts/vault-operator/README.md rename to deploy/charts/vault-operator/README.md 
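Review bot: In the generate-crds target the generated `deploy/crd/vault.banzaicloud.com_vaults.yaml` is copied to `deploy/crd/crd.yaml` and then removed; the second `cp` and the `rm` can be one `mv deploy/crd/vault.banzaicloud.com_vaults.yaml deploy/crd/crd.yaml`, which makes the intent (the generated file becomes crd.yaml) explicit. A naming point on the layout this target now writes into: `deploy/crd/` holds one CRD (crd.yaml) next to some forty example custom resources and RBAC/secret manifests (the cr-*.yaml, rbac.yaml, secret.yaml renames in this patch), so a reader will expect CRDs only there; a name such as `deploy/manifests/` would describe the contents better.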
diff --git a/charts/vault-operator/README.md.gotmpl b/deploy/charts/vault-operator/README.md.gotmpl similarity index 100% rename from charts/vault-operator/README.md.gotmpl rename to deploy/charts/vault-operator/README.md.gotmpl diff --git a/charts/vault-operator/crds/crd.yaml b/deploy/charts/vault-operator/crds/crd.yaml similarity index 98% rename from charts/vault-operator/crds/crd.yaml rename to deploy/charts/vault-operator/crds/crd.yaml index 4c4e012c..2373e1cd 100644 --- a/charts/vault-operator/crds/crd.yaml +++ b/deploy/charts/vault-operator/crds/crd.yaml @@ -1958,6 +1958,19 @@ spec: format: int32 type: integer type: object + resizePolicy: + items: + properties: + resourceName: + type: string + restartPolicy: + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic resources: properties: claims: @@ -2587,6 +2600,19 @@ spec: format: int32 type: integer type: object + resizePolicy: + items: + properties: + resourceName: + type: string + restartPolicy: + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic resources: properties: claims: @@ -3223,6 +3249,19 @@ spec: format: int32 type: integer type: object + resizePolicy: + items: + properties: + resourceName: + type: string + restartPolicy: + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic resources: properties: claims: @@ -4763,6 +4802,19 @@ spec: format: int32 type: integer type: object + resizePolicy: + items: + properties: + resourceName: + type: string + restartPolicy: + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic resources: properties: claims: 
@@ -5367,6 +5419,19 @@ spec: format: int32 type: integer type: object + resizePolicy: + items: + properties: + resourceName: + type: string + restartPolicy: + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic resources: properties: claims: @@ -6036,6 +6101,19 @@ spec: format: int32 type: integer type: object + resizePolicy: + items: + properties: + resourceName: + type: string + restartPolicy: + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic resources: properties: claims: @@ -7017,6 +7095,19 @@ spec: format: int32 type: integer type: object + resizePolicy: + items: + properties: + resourceName: + type: string + restartPolicy: + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic resources: properties: claims: @@ -7646,6 +7737,19 @@ spec: format: int32 type: integer type: object + resizePolicy: + items: + properties: + resourceName: + type: string + restartPolicy: + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic resources: properties: claims: @@ -8282,6 +8386,19 @@ spec: format: int32 type: integer type: object + resizePolicy: + items: + properties: + resourceName: + type: string + restartPolicy: + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic resources: properties: claims: diff --git a/charts/vault-operator/templates/_helpers.tpl b/deploy/charts/vault-operator/templates/_helpers.tpl similarity index 100% rename from charts/vault-operator/templates/_helpers.tpl rename to deploy/charts/vault-operator/templates/_helpers.tpl 
diff --git a/charts/vault-operator/templates/deployment.yaml b/deploy/charts/vault-operator/templates/deployment.yaml
similarity index 100%
rename from charts/vault-operator/templates/deployment.yaml
rename to deploy/charts/vault-operator/templates/deployment.yaml
diff --git a/charts/vault-operator/templates/psp.yaml b/deploy/charts/vault-operator/templates/psp.yaml
similarity index 100%
rename from charts/vault-operator/templates/psp.yaml
rename to deploy/charts/vault-operator/templates/psp.yaml
diff --git a/charts/vault-operator/templates/role.yaml b/deploy/charts/vault-operator/templates/role.yaml
similarity index 100%
rename from charts/vault-operator/templates/role.yaml
rename to deploy/charts/vault-operator/templates/role.yaml
diff --git a/charts/vault-operator/templates/rolebinding.yaml b/deploy/charts/vault-operator/templates/rolebinding.yaml
similarity index 100%
rename from charts/vault-operator/templates/rolebinding.yaml
rename to deploy/charts/vault-operator/templates/rolebinding.yaml
diff --git a/charts/vault-operator/templates/sa.yaml b/deploy/charts/vault-operator/templates/sa.yaml
similarity index 100%
rename from charts/vault-operator/templates/sa.yaml
rename to deploy/charts/vault-operator/templates/sa.yaml
diff --git a/charts/vault-operator/templates/service.yaml b/deploy/charts/vault-operator/templates/service.yaml
similarity index 100%
rename from charts/vault-operator/templates/service.yaml
rename to deploy/charts/vault-operator/templates/service.yaml
diff --git a/charts/vault-operator/templates/servicemonitor.yaml b/deploy/charts/vault-operator/templates/servicemonitor.yaml
similarity index 100%
rename from charts/vault-operator/templates/servicemonitor.yaml
rename to deploy/charts/vault-operator/templates/servicemonitor.yaml
diff --git a/charts/vault-operator/values.yaml b/deploy/charts/vault-operator/values.yaml
similarity index 100%
rename from charts/vault-operator/values.yaml
rename to deploy/charts/vault-operator/values.yaml
diff --git a/deploy/aws-server-side-encryption.yaml b/deploy/crd/aws-server-side-encryption.yaml
similarity index 100%
rename from deploy/aws-server-side-encryption.yaml
rename to deploy/crd/aws-server-side-encryption.yaml
diff --git a/deploy/config-jwt-groups.yaml b/deploy/crd/config-jwt-groups.yaml
similarity index 100%
rename from deploy/config-jwt-groups.yaml
rename to deploy/crd/config-jwt-groups.yaml
diff --git a/deploy/config.yaml b/deploy/crd/config.yaml
similarity index 100%
rename from deploy/config.yaml
rename to deploy/crd/config.yaml
diff --git a/deploy/cr-alibaba.yaml b/deploy/crd/cr-alibaba.yaml
similarity index 100%
rename from deploy/cr-alibaba.yaml
rename to deploy/crd/cr-alibaba.yaml
diff --git a/deploy/cr-audit.yaml b/deploy/crd/cr-audit.yaml
similarity index 100%
rename from deploy/cr-audit.yaml
rename to deploy/crd/cr-audit.yaml
diff --git a/deploy/cr-aws.yaml b/deploy/crd/cr-aws.yaml
similarity index 100%
rename from deploy/cr-aws.yaml
rename to deploy/crd/cr-aws.yaml
diff --git a/deploy/cr-awskms.yaml b/deploy/crd/cr-awskms.yaml
similarity index 100%
rename from deploy/cr-awskms.yaml
rename to deploy/crd/cr-awskms.yaml
diff --git a/deploy/cr-azure.yaml b/deploy/crd/cr-azure.yaml
similarity index 100%
rename from deploy/cr-azure.yaml
rename to deploy/crd/cr-azure.yaml
diff --git a/deploy/cr-cert-manager.yaml b/deploy/crd/cr-cert-manager.yaml
similarity index 100%
rename from deploy/cr-cert-manager.yaml
rename to deploy/crd/cr-cert-manager.yaml
diff --git a/deploy/cr-containers.yaml b/deploy/crd/cr-containers.yaml
similarity index 100%
rename from deploy/cr-containers.yaml
rename to deploy/crd/cr-containers.yaml
diff --git a/deploy/cr-credentialFromSecret.yaml b/deploy/crd/cr-credentialFromSecret.yaml
similarity index 100%
rename from deploy/cr-credentialFromSecret.yaml
rename to deploy/crd/cr-credentialFromSecret.yaml
diff --git a/deploy/cr-customports.yaml b/deploy/crd/cr-customports.yaml
similarity index 100%
rename from deploy/cr-customports.yaml
rename to deploy/crd/cr-customports.yaml
diff --git a/deploy/cr-disabled-root-token-storage.yaml b/deploy/crd/cr-disabled-root-token-storage.yaml
similarity index 100%
rename from deploy/cr-disabled-root-token-storage.yaml
rename to deploy/crd/cr-disabled-root-token-storage.yaml
diff --git a/deploy/cr-file.yaml b/deploy/crd/cr-file.yaml
similarity index 100%
rename from deploy/cr-file.yaml
rename to deploy/crd/cr-file.yaml
diff --git a/deploy/cr-gcpkms.yaml b/deploy/crd/cr-gcpkms.yaml
similarity index 100%
rename from deploy/cr-gcpkms.yaml
rename to deploy/crd/cr-gcpkms.yaml
diff --git a/deploy/cr-gcs-ha-autounseal.yaml b/deploy/crd/cr-gcs-ha-autounseal.yaml
similarity index 100%
rename from deploy/cr-gcs-ha-autounseal.yaml
rename to deploy/crd/cr-gcs-ha-autounseal.yaml
diff --git a/deploy/cr-gcs-ha.yaml b/deploy/crd/cr-gcs-ha.yaml
similarity index 100%
rename from deploy/cr-gcs-ha.yaml
rename to deploy/crd/cr-gcs-ha.yaml
diff --git a/deploy/cr-hsm-nitrokey.yaml b/deploy/crd/cr-hsm-nitrokey.yaml
similarity index 100%
rename from deploy/cr-hsm-nitrokey.yaml
rename to deploy/crd/cr-hsm-nitrokey.yaml
diff --git a/deploy/cr-hsm-softhsm.yaml b/deploy/crd/cr-hsm-softhsm.yaml
similarity index 100%
rename from deploy/cr-hsm-softhsm.yaml
rename to deploy/crd/cr-hsm-softhsm.yaml
diff --git a/deploy/cr-init-containers.yaml b/deploy/crd/cr-init-containers.yaml
similarity index 100%
rename from deploy/cr-init-containers.yaml
rename to deploy/crd/cr-init-containers.yaml
diff --git a/deploy/cr-k8s-startup-secret.yaml b/deploy/crd/cr-k8s-startup-secret.yaml
similarity index 100%
rename from deploy/cr-k8s-startup-secret.yaml
rename to deploy/crd/cr-k8s-startup-secret.yaml
diff --git a/deploy/cr-kvv2.yaml b/deploy/crd/cr-kvv2.yaml
similarity index 100%
rename from deploy/cr-kvv2.yaml
rename to deploy/crd/cr-kvv2.yaml
diff --git a/deploy/cr-mysql-ha.yaml b/deploy/crd/cr-mysql-ha.yaml
similarity index 100%
rename from deploy/cr-mysql-ha.yaml
rename to deploy/crd/cr-mysql-ha.yaml
diff --git a/deploy/cr-nodeAffinity.yaml b/deploy/crd/cr-nodeAffinity.yaml
similarity index 100%
rename from deploy/cr-nodeAffinity.yaml
rename to deploy/crd/cr-nodeAffinity.yaml
diff --git a/deploy/cr-oidc.yaml b/deploy/crd/cr-oidc.yaml
similarity index 100%
rename from deploy/cr-oidc.yaml
rename to deploy/crd/cr-oidc.yaml
diff --git a/deploy/cr-podAntiAffinity.yaml b/deploy/crd/cr-podAntiAffinity.yaml
similarity index 100%
rename from deploy/cr-podAntiAffinity.yaml
rename to deploy/crd/cr-podAntiAffinity.yaml
diff --git a/deploy/cr-policy-with-accessor.yaml b/deploy/crd/cr-policy-with-accessor.yaml
similarity index 100%
rename from deploy/cr-policy-with-accessor.yaml
rename to deploy/crd/cr-policy-with-accessor.yaml
diff --git a/deploy/cr-priority.yaml b/deploy/crd/cr-priority.yaml
similarity index 100%
rename from deploy/cr-priority.yaml
rename to deploy/crd/cr-priority.yaml
diff --git a/deploy/cr-prometheus.yaml b/deploy/crd/cr-prometheus.yaml
similarity index 100%
rename from deploy/cr-prometheus.yaml
rename to deploy/crd/cr-prometheus.yaml
diff --git a/deploy/cr-raft-1.yaml b/deploy/crd/cr-raft-1.yaml
similarity index 100%
rename from deploy/cr-raft-1.yaml
rename to deploy/crd/cr-raft-1.yaml
diff --git a/deploy/cr-raft-ha-storage.yaml b/deploy/crd/cr-raft-ha-storage.yaml
similarity index 100%
rename from deploy/cr-raft-ha-storage.yaml
rename to deploy/crd/cr-raft-ha-storage.yaml
diff --git a/deploy/cr-raft.yaml b/deploy/crd/cr-raft.yaml
similarity index 100%
rename from deploy/cr-raft.yaml
rename to deploy/crd/cr-raft.yaml
diff --git a/deploy/cr-resource.yaml b/deploy/crd/cr-resource.yaml
similarity index 100%
rename from deploy/cr-resource.yaml
rename to deploy/crd/cr-resource.yaml
diff --git a/deploy/cr-statsd.yaml b/deploy/crd/cr-statsd.yaml similarity index 100% rename from deploy/cr-statsd.yaml rename to deploy/crd/cr-statsd.yaml diff --git a/deploy/cr-transit-unseal.yaml b/deploy/crd/cr-transit-unseal.yaml similarity index 100% rename from deploy/cr-transit-unseal.yaml rename to deploy/crd/cr-transit-unseal.yaml diff --git a/deploy/cr-vault-kv-unseal.yaml b/deploy/crd/cr-vault-kv-unseal.yaml similarity index 100% rename from deploy/cr-vault-kv-unseal.yaml rename to deploy/crd/cr-vault-kv-unseal.yaml diff --git a/deploy/cr.yaml b/deploy/crd/cr.yaml similarity index 100% rename from deploy/cr.yaml rename to deploy/crd/cr.yaml diff --git a/deploy/crd.yaml b/deploy/crd/crd.yaml similarity index 98% rename from deploy/crd.yaml rename to deploy/crd/crd.yaml index 4c4e012c..2373e1cd 100644 --- a/deploy/crd.yaml +++ b/deploy/crd/crd.yaml @@ -1958,6 +1958,19 @@ spec: format: int32 type: integer type: object + resizePolicy: + items: + properties: + resourceName: + type: string + restartPolicy: + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic resources: properties: claims: @@ -2587,6 +2600,19 @@ spec: format: int32 type: integer type: object + resizePolicy: + items: + properties: + resourceName: + type: string + restartPolicy: + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic resources: properties: claims: @@ -3223,6 +3249,19 @@ spec: format: int32 type: integer type: object + resizePolicy: + items: + properties: + resourceName: + type: string + restartPolicy: + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic resources: properties: claims: 
@@ -4763,6 +4802,19 @@ spec: format: int32 type: integer type: object + resizePolicy: + items: + properties: + resourceName: + type: string + restartPolicy: + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic resources: properties: claims: @@ -5367,6 +5419,19 @@ spec: format: int32 type: integer type: object + resizePolicy: + items: + properties: + resourceName: + type: string + restartPolicy: + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic resources: properties: claims: @@ -6036,6 +6101,19 @@ spec: format: int32 type: integer type: object + resizePolicy: + items: + properties: + resourceName: + type: string + restartPolicy: + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic resources: properties: claims: @@ -7017,6 +7095,19 @@ spec: format: int32 type: integer type: object + resizePolicy: + items: + properties: + resourceName: + type: string + restartPolicy: + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic resources: properties: claims: @@ -7646,6 +7737,19 @@ spec: format: int32 type: integer type: object + resizePolicy: + items: + properties: + resourceName: + type: string + restartPolicy: + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic resources: properties: claims: @@ -8282,6 +8386,19 @@ spec: format: int32 type: integer type: object + resizePolicy: + items: + properties: + resourceName: + type: string + restartPolicy: + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic resources: properties: claims: 
diff --git a/deploy/issuer.yaml b/deploy/crd/issuer.yaml similarity index 100% rename from deploy/issuer.yaml rename to deploy/crd/issuer.yaml diff --git a/deploy/openshift-vault-scc.yaml b/deploy/crd/openshift-vault-scc.yaml similarity index 100% rename from deploy/openshift-vault-scc.yaml rename to deploy/crd/openshift-vault-scc.yaml diff --git a/deploy/priorityclass.yaml b/deploy/crd/priorityclass.yaml similarity index 100% rename from deploy/priorityclass.yaml rename to deploy/crd/priorityclass.yaml diff --git a/deploy/rbac.yaml b/deploy/crd/rbac.yaml similarity index 100% rename from deploy/rbac.yaml rename to deploy/crd/rbac.yaml diff --git a/deploy/secret.yaml b/deploy/crd/secret.yaml similarity index 100% rename from deploy/secret.yaml rename to deploy/crd/secret.yaml diff --git a/examples/backup/backup.yaml b/deploy/examples/backup/backup.yaml similarity index 100% rename from examples/backup/backup.yaml rename to deploy/examples/backup/backup.yaml diff --git a/examples/backup/schedule.yaml b/deploy/examples/backup/schedule.yaml similarity index 100% rename from examples/backup/schedule.yaml rename to deploy/examples/backup/schedule.yaml diff --git a/examples/dev/microk8s/README.md b/deploy/examples/dev/microk8s/README.md similarity index 82% rename from examples/dev/microk8s/README.md rename to deploy/examples/dev/microk8s/README.md index 78467b03..ee6fe267 100644 --- a/examples/dev/microk8s/README.md +++ b/deploy/examples/dev/microk8s/README.md @@ -25,5 +25,5 @@ you should be able to see your image now. Finally, you can deploy the operator using: ```bash -helm upgrade --install vault-operator charts/vault-operator --set=image.repository=ghcr.io/banzaicloud/vault-operator --set=image.tag= +helm upgrade --install vault-operator deploy/charts/vault-operator --set=image.repository=ghcr.io/banzaicloud/vault-operator --set=image.tag= ``` 
diff --git a/examples/dev/microk8s/dev.yaml b/deploy/examples/dev/microk8s/dev.yaml
similarity index 100%
rename from examples/dev/microk8s/dev.yaml
rename to deploy/examples/dev/microk8s/dev.yaml
diff --git a/examples/dev/microk8s/pvc.yaml b/deploy/examples/dev/microk8s/pvc.yaml
similarity index 100%
rename from examples/dev/microk8s/pvc.yaml
rename to deploy/examples/dev/microk8s/pvc.yaml
diff --git a/examples/dev/microk8s/rbac.yaml b/deploy/examples/dev/microk8s/rbac.yaml
similarity index 100%
rename from examples/dev/microk8s/rbac.yaml
rename to deploy/examples/dev/microk8s/rbac.yaml
diff --git a/examples/istio/app.yaml b/deploy/examples/istio/app.yaml
similarity index 100%
rename from examples/istio/app.yaml
rename to deploy/examples/istio/app.yaml
diff --git a/examples/istio/cr-istio.yaml b/deploy/examples/istio/cr-istio.yaml
similarity index 100%
rename from examples/istio/cr-istio.yaml
rename to deploy/examples/istio/cr-istio.yaml
diff --git a/examples/istio/rbac.yaml b/deploy/examples/istio/rbac.yaml
similarity index 100%
rename from examples/istio/rbac.yaml
rename to deploy/examples/istio/rbac.yaml
diff --git a/examples/tls/config.json b/deploy/examples/tls/config.json
similarity index 100%
rename from examples/tls/config.json
rename to deploy/examples/tls/config.json
diff --git a/examples/tls/csr.json b/deploy/examples/tls/csr.json
similarity index 100%
rename from examples/tls/csr.json
rename to deploy/examples/tls/csr.json
diff --git a/examples/tls/server.json b/deploy/examples/tls/server.json
similarity index 100%
rename from examples/tls/server.json
rename to deploy/examples/tls/server.json
diff --git a/deploy/multi-dc/aws/multi-dc-raft.sh b/deploy/multi-dc/aws/multi-dc-raft.sh
index e41e3420..5b0e6fa8 100755
--- a/deploy/multi-dc/aws/multi-dc-raft.sh
+++ b/deploy/multi-dc/aws/multi-dc-raft.sh
@@ -90,7 +90,7 @@ if [ $COMMAND = "install" ]; then local REGION=$(get_region) - helm upgrade --install vault-operator charts/vault-operator --wait --set image.tag=latest --set image.pullPolicy=Always --set image.bankVaultsTag=latest + helm upgrade --install vault-operator deploy/charts/vault-operator --wait --set image.tag=latest --set image.pullPolicy=Always --set image.bankVaultsTag=latest create_aws_secret diff --git a/deploy/multi-dc/test/multi-dc-raft.sh b/deploy/multi-dc/test/multi-dc-raft.sh index d5e237af..81b7a9cb 100755 --- a/deploy/multi-dc/test/multi-dc-raft.sh +++ b/deploy/multi-dc/test/multi-dc-raft.sh @@ -81,7 +81,7 @@ function install_instance { kind load image-archive docker.tar --name "${INSTANCE}" - helm upgrade --install vault-operator ./charts/vault-operator --wait --set image.tag=${OPERATOR_VERSION} --set image.pullPolicy=Never --set image.bankVaultsTag=${BANK_VAULTS_VERSION} + helm upgrade --install vault-operator ./deploy/charts/vault-operator --wait --set image.tag=${OPERATOR_VERSION} --set image.pullPolicy=Never --set image.bankVaultsTag=${BANK_VAULTS_VERSION} kubectl apply -f deploy/rbac.yaml envtpl deploy/multi-dc/test/cr-"${INSTANCE}".yaml | kubectl apply -f - diff --git a/scripts/custom-boilerplate.go.txt b/hack/scripts/custom-boilerplate.go.txt similarity index 100% rename from scripts/custom-boilerplate.go.txt rename to hack/scripts/custom-boilerplate.go.txt diff --git a/scripts/update-codegen.sh b/hack/scripts/update-codegen.sh similarity index 95% rename from scripts/update-codegen.sh rename to hack/scripts/update-codegen.sh index 99adb2b4..dc1c5964 100755 --- a/scripts/update-codegen.sh +++ b/hack/scripts/update-codegen.sh 
@@ -38,4 +38,4 @@ cd ${CODEGEN_DIR} && git checkout $VERSION && cd - ${CODEGEN_DIR}/generate-groups.sh all \ github.com/banzaicloud/bank-vaults/vault-operator/pkg/client github.com/banzaicloud/bank-vaults/vault-operator/pkg/apis \ vault:v1alpha1 \ - --go-header-file ./scripts/custom-boilerplate.go.txt + --go-header-file ./hack/scripts/custom-boilerplate.go.txt diff --git a/scripts/validate-config-crud/validate-config-crud.sh b/hack/scripts/validate-config-crud/validate-config-crud.sh similarity index 99% rename from scripts/validate-config-crud/validate-config-crud.sh rename to hack/scripts/validate-config-crud/validate-config-crud.sh index 5e29ae0e..2eedef5f 100755 --- a/scripts/validate-config-crud/validate-config-crud.sh +++ b/hack/scripts/validate-config-crud/validate-config-crud.sh @@ -13,7 +13,7 @@ if [ "${log_level,,}" == 'debug' ]; then fi bank_vaults_config_key="${1}" -bank_vaults_config_file_orig="scripts/validate-config-crud/vault-config.yml" +bank_vaults_config_file_orig="hack/scripts/validate-config-crud/vault-config.yml" bank_vaults_config_file="${BANK_VAULTS_CONFIG_FILE:-/tmp/vault-config.yml}" # A hacky way to use "yq" to get a section from a YAML and keeping the key used in the query. diff --git a/scripts/validate-config-crud/vault-config.yml b/hack/scripts/validate-config-crud/vault-config.yml similarity index 100% rename from scripts/validate-config-crud/vault-config.yml rename to hack/scripts/validate-config-crud/vault-config.yml diff --git a/test/acceptance_test.go b/test/acceptance_test.go index d2d19a11..50aadad8 100644 --- a/test/acceptance_test.go +++ b/test/acceptance_test.go @@ -80,7 +80,7 @@ func TestMain(m *testing.M) { }, } - chart := "../charts/vault-operator" + chart := "../deploy/charts/vault-operator" if v := os.Getenv("HELM_CHART"); v != "" { chart = v } 
@@ -121,7 +121,7 @@ func TestKvv2(t *testing.T) { defer k8s.DeleteNamespace(t, kubectlOptions, kubectlOptions.Namespace) // Prepare and apply resources - resources, err := prepareResources(kubectlOptions.Namespace, vaultVersion, "../deploy/cr-kvv2.yaml", "rbac.yaml") + resources, err := prepareResources(kubectlOptions.Namespace, vaultVersion, "../deploy/crd/cr-kvv2.yaml", "rbac.yaml") require.NoError(t, err) for _, resource := range resources { k8s.KubectlApplyFromString(t, kubectlOptions, string(resource)) @@ -138,7 +138,7 @@ func TestStatsd(t *testing.T) { defer k8s.DeleteNamespace(t, kubectlOptions, kubectlOptions.Namespace) // Prepare and apply resources - resources, err := prepareResources(kubectlOptions.Namespace, vaultVersion, "../deploy/cr-statsd.yaml", "rbac.yaml") + resources, err := prepareResources(kubectlOptions.Namespace, vaultVersion, "../deploy/crd/cr-statsd.yaml", "rbac.yaml") require.NoError(t, err) for _, resource := range resources { k8s.KubectlApplyFromString(t, kubectlOptions, string(resource)) @@ -202,7 +202,7 @@ func TestRaft(t *testing.T) { defer k8s.DeleteNamespace(t, kubectlOptions, kubectlOptions.Namespace) // Prepare and apply resources - resources, err := prepareResources(kubectlOptions.Namespace, vaultVersion, "../deploy/cr-raft.yaml", "rbac.yaml") + resources, err := prepareResources(kubectlOptions.Namespace, vaultVersion, "../deploy/crd/cr-raft.yaml", "rbac.yaml") require.NoError(t, err) for _, resource := range resources { k8s.KubectlApplyFromString(t, kubectlOptions, string(resource)) 
@@ -221,7 +221,7 @@ func TestSoftHSM(t *testing.T) { defer k8s.DeleteNamespace(t, kubectlOptions, kubectlOptions.Namespace) // Prepare and apply resources - resources, err := prepareResources(kubectlOptions.Namespace, vaultVersion, "../deploy/cr-hsm-softhsm.yaml", "rbac.yaml") + resources, err := prepareResources(kubectlOptions.Namespace, vaultVersion, "../deploy/crd/cr-hsm-softhsm.yaml", "rbac.yaml") require.NoError(t, err) for _, resource := range resources { k8s.KubectlApplyFromString(t, kubectlOptions, string(resource)) @@ -238,7 +238,7 @@ func TestDisabledRootTokenStorage(t *testing.T) { defer k8s.DeleteNamespace(t, kubectlOptions, kubectlOptions.Namespace) // Prepare and apply resources - resources, err := prepareResources(kubectlOptions.Namespace, vaultVersion, "../deploy/cr-disabled-root-token-storage.yaml", "rbac.yaml") + resources, err := prepareResources(kubectlOptions.Namespace, vaultVersion, "../deploy/crd/cr-disabled-root-token-storage.yaml", "rbac.yaml") require.NoError(t, err) for _, resource := range resources { k8s.KubectlApplyFromString(t, kubectlOptions, string(resource)) @@ -276,8 +276,8 @@ func TestPriorityClass(t *testing.T) { resources, err := prepareResources( kubectlOptions.Namespace, vaultVersion, - "../deploy/priorityclass.yaml", - "../deploy/cr-priority.yaml", + "../deploy/crd/priorityclass.yaml", + "../deploy/crd/cr-priority.yaml", "rbac.yaml", ) require.NoError(t, err) @@ -308,7 +308,7 @@ func TestOIDC(t *testing.T) { kubectlOptions := k8s.NewKubectlOptions("", "", "default") // Prepare and apply resources - resources, err := prepareResources(kubectlOptions.Namespace, vaultVersion, "../deploy/cr-oidc.yaml", "rbac.yaml") + resources, err := prepareResources(kubectlOptions.Namespace, vaultVersion, "../deploy/crd/cr-oidc.yaml", "rbac.yaml") require.NoError(t, err) for _, resource := range resources { k8s.KubectlApplyFromString(t, kubectlOptions, string(resource)) 
@@ -326,7 +326,7 @@ func TestOIDC(t *testing.T) { waitUntilPodSucceeded(t, kubectlOptions, "oidc", 60, 10*time.Second) // Clean up - k8s.KubectlDelete(t, kubectlOptions, "../deploy/cr-oidc.yaml") + k8s.KubectlDelete(t, kubectlOptions, "../deploy/crd/cr-oidc.yaml") k8s.RunKubectl(t, kubectlOptions, "delete", "secret", "vault-unseal-keys") k8s.KubectlDelete(t, kubectlOptions, oidcPodFilePath) } From 7fd37319dc87c851f33c467bc919e01eaa340ee8 Mon Sep 17 00:00:00 2001 From: Ramiz Polic Date: Mon, 26 Jun 2023 15:21:58 +0200 Subject: [PATCH 2/8] chore: resolve pipeline paths Signed-off-by: Ramiz Polic --- deploy/multi-dc/test/multi-dc-raft.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/multi-dc/test/multi-dc-raft.sh b/deploy/multi-dc/test/multi-dc-raft.sh index 81b7a9cb..035061af 100755 --- a/deploy/multi-dc/test/multi-dc-raft.sh +++ b/deploy/multi-dc/test/multi-dc-raft.sh @@ -83,7 +83,7 @@ function install_instance { helm upgrade --install vault-operator ./deploy/charts/vault-operator --wait --set image.tag=${OPERATOR_VERSION} --set image.pullPolicy=Never --set image.bankVaultsTag=${BANK_VAULTS_VERSION} - kubectl apply -f deploy/rbac.yaml + kubectl apply -f deploy/crd/rbac.yaml envtpl deploy/multi-dc/test/cr-"${INSTANCE}".yaml | kubectl apply -f - echo "Waiting for for ${INSTANCE} vault instance..." From e87c97b744f6191a53dd9fc5349a49b99b3a8e51 Mon Sep 17 00:00:00 2001 From: Ramiz Polic Date: Tue, 27 Jun 2023 10:54:44 +0200 Subject: [PATCH 3/8] chore: expand microk8s deployment example 
Signed-off-by: Ramiz Polic --- deploy/examples/{dev => }/microk8s/README.md | 0 deploy/examples/{dev => }/microk8s/dev.yaml | 0 deploy/examples/{dev => }/microk8s/pvc.yaml | 0 deploy/examples/{dev => }/microk8s/rbac.yaml | 0 4 files changed, 0 insertions(+), 0 deletions(-) rename deploy/examples/{dev => }/microk8s/README.md (100%) rename deploy/examples/{dev => }/microk8s/dev.yaml (100%) rename deploy/examples/{dev => }/microk8s/pvc.yaml (100%) rename deploy/examples/{dev => }/microk8s/rbac.yaml (100%) diff --git a/deploy/examples/dev/microk8s/README.md b/deploy/examples/microk8s/README.md similarity index 100% rename from deploy/examples/dev/microk8s/README.md rename to deploy/examples/microk8s/README.md diff --git a/deploy/examples/dev/microk8s/dev.yaml b/deploy/examples/microk8s/dev.yaml similarity index 100% rename from deploy/examples/dev/microk8s/dev.yaml rename to deploy/examples/microk8s/dev.yaml diff --git a/deploy/examples/dev/microk8s/pvc.yaml b/deploy/examples/microk8s/pvc.yaml similarity index 100% rename from deploy/examples/dev/microk8s/pvc.yaml rename to deploy/examples/microk8s/pvc.yaml diff --git a/deploy/examples/dev/microk8s/rbac.yaml b/deploy/examples/microk8s/rbac.yaml similarity index 100% rename from deploy/examples/dev/microk8s/rbac.yaml rename to deploy/examples/microk8s/rbac.yaml From 8db618a5ec78d191275a6aeb34c10befffbf7288 Mon Sep 17 00:00:00 2001 From: Ramiz Polic Date: Tue, 27 Jun 2023 13:03:05 +0200 Subject: [PATCH 4/8] chore: use new deploy resource paths 
Signed-off-by: Ramiz Polic --- .dockerignore | 11 +- .github/workflows/ci.yaml | 2 +- .yamlignore | 10 +- Makefile | 16 +-- deploy/crd/priorityclass.yaml | 7 -- deploy/{examples => dev}/microk8s/README.md | 0 deploy/{examples => dev}/microk8s/dev.yaml | 0 deploy/{examples => dev}/microk8s/pvc.yaml | 0 deploy/{examples => dev}/microk8s/rbac.yaml | 0 deploy/{ => dev}/multi-dc/aws/cr-primary.yaml | 0 .../{ => dev}/multi-dc/aws/cr-secondary.yaml | 0 .../{ => dev}/multi-dc/aws/cr-tertiary.yaml | 0 .../{ => dev}/multi-dc/aws/multi-dc-raft.sh | 2 +- .../{ => dev}/multi-dc/test/cr-primary.yaml | 0 .../{ => dev}/multi-dc/test/cr-secondary.yaml | 0 .../{ => dev}/multi-dc/test/cr-tertiary.yaml | 0 .../multi-dc/test/metallb-config.yaml | 0 .../{ => dev}/multi-dc/test/multi-dc-raft.sh | 6 +- deploy/examples/backup/backup.yaml | 53 --------- deploy/examples/backup/schedule.yaml | 57 --------- .../base}/config-jwt-groups.yaml | 0 deploy/{crd => examples/base}/config.yaml | 0 deploy/{crd => examples/base}/crd.yaml | 0 deploy/{crd => examples/base}/issuer.yaml | 0 deploy/{crd => examples/base}/rbac.yaml | 0 deploy/{crd => examples/base}/secret.yaml | 0 deploy/{crd => examples}/cr-alibaba.yaml | 0 deploy/{crd => examples}/cr-audit.yaml | 0 .../cr-aws-server-side-encryption.yaml} | 0 deploy/{crd => examples}/cr-aws.yaml | 0 deploy/{crd => examples}/cr-awskms.yaml | 0 deploy/{crd => examples}/cr-azure.yaml | 0 deploy/{crd => examples}/cr-cert-manager.yaml | 0 deploy/{crd => examples}/cr-containers.yaml | 0 .../cr-credentialFromSecret.yaml | 0 deploy/{crd => examples}/cr-customports.yaml | 0 .../cr-disabled-root-token-storage.yaml | 0 deploy/{crd => examples}/cr-file.yaml | 0 deploy/{crd => examples}/cr-gcpkms.yaml | 0 .../cr-gcs-ha-autounseal.yaml | 0 deploy/{crd => examples}/cr-gcs-ha.yaml | 0 deploy/{crd => examples}/cr-hsm-nitrokey.yaml | 0 deploy/{crd => examples}/cr-hsm-softhsm.yaml | 0 .../{crd => examples}/cr-init-containers.yaml | 0 deploy/examples/{istio => }/cr-istio.yaml | 
96 +++++++++++++++ .../cr-k8s-startup-secret.yaml | 0 deploy/{crd => examples}/cr-kvv2.yaml | 0 deploy/{crd => examples}/cr-mysql-ha.yaml | 0 deploy/{crd => examples}/cr-nodeAffinity.yaml | 0 deploy/{crd => examples}/cr-oidc.yaml | 0 .../{crd => examples}/cr-podAntiAffinity.yaml | 0 .../cr-policy-with-accessor.yaml | 0 deploy/{crd => examples}/cr-priority.yaml | 9 ++ deploy/{crd => examples}/cr-prometheus.yaml | 0 deploy/{crd => examples}/cr-raft-1.yaml | 0 .../{crd => examples}/cr-raft-ha-storage.yaml | 0 deploy/{crd => examples}/cr-raft.yaml | 0 deploy/{crd => examples}/cr-resource.yaml | 0 deploy/{crd => examples}/cr-statsd.yaml | 0 .../{crd => examples}/cr-transit-unseal.yaml | 0 .../{crd => examples}/cr-vault-kv-unseal.yaml | 0 deploy/{crd => examples}/cr.yaml | 0 deploy/examples/istio/app.yaml | 43 ------- deploy/examples/istio/rbac.yaml | 52 -------- .../openshift-vault-scc.yaml | 0 deploy/examples/tls/config.json | 34 ------ deploy/examples/tls/csr.json | 15 --- deploy/examples/tls/server.json | 23 ---- deploy/examples/velero-backup.yaml | 112 ++++++++++++++++++ test/acceptance_test.go | 63 ++++++++-- 70 files changed, 286 insertions(+), 325 deletions(-) delete mode 100644 deploy/crd/priorityclass.yaml rename deploy/{examples => dev}/microk8s/README.md (100%) rename deploy/{examples => dev}/microk8s/dev.yaml (100%) rename deploy/{examples => dev}/microk8s/pvc.yaml (100%) rename deploy/{examples => dev}/microk8s/rbac.yaml (100%) rename deploy/{ => dev}/multi-dc/aws/cr-primary.yaml (100%) rename deploy/{ => dev}/multi-dc/aws/cr-secondary.yaml (100%) rename deploy/{ => dev}/multi-dc/aws/cr-tertiary.yaml (100%) rename deploy/{ => dev}/multi-dc/aws/multi-dc-raft.sh (98%) rename deploy/{ => dev}/multi-dc/test/cr-primary.yaml (100%) rename deploy/{ => dev}/multi-dc/test/cr-secondary.yaml (100%) rename deploy/{ => dev}/multi-dc/test/cr-tertiary.yaml (100%) rename deploy/{ => dev}/multi-dc/test/metallb-config.yaml (100%) rename deploy/{ => 
dev}/multi-dc/test/multi-dc-raft.sh (95%) delete mode 100644 deploy/examples/backup/backup.yaml delete mode 100644 deploy/examples/backup/schedule.yaml rename deploy/{crd => examples/base}/config-jwt-groups.yaml (100%) rename deploy/{crd => examples/base}/config.yaml (100%) rename deploy/{crd => examples/base}/crd.yaml (100%) rename deploy/{crd => examples/base}/issuer.yaml (100%) rename deploy/{crd => examples/base}/rbac.yaml (100%) rename deploy/{crd => examples/base}/secret.yaml (100%) rename deploy/{crd => examples}/cr-alibaba.yaml (100%) rename deploy/{crd => examples}/cr-audit.yaml (100%) rename deploy/{crd/aws-server-side-encryption.yaml => examples/cr-aws-server-side-encryption.yaml} (100%) rename deploy/{crd => examples}/cr-aws.yaml (100%) rename deploy/{crd => examples}/cr-awskms.yaml (100%) rename deploy/{crd => examples}/cr-azure.yaml (100%) rename deploy/{crd => examples}/cr-cert-manager.yaml (100%) rename deploy/{crd => examples}/cr-containers.yaml (100%) rename deploy/{crd => examples}/cr-credentialFromSecret.yaml (100%) rename deploy/{crd => examples}/cr-customports.yaml (100%) rename deploy/{crd => examples}/cr-disabled-root-token-storage.yaml (100%) rename deploy/{crd => examples}/cr-file.yaml (100%) rename deploy/{crd => examples}/cr-gcpkms.yaml (100%) rename deploy/{crd => examples}/cr-gcs-ha-autounseal.yaml (100%) rename deploy/{crd => examples}/cr-gcs-ha.yaml (100%) rename deploy/{crd => examples}/cr-hsm-nitrokey.yaml (100%) rename deploy/{crd => examples}/cr-hsm-softhsm.yaml (100%) rename deploy/{crd => examples}/cr-init-containers.yaml (100%) rename deploy/examples/{istio => }/cr-istio.yaml (74%) rename deploy/{crd => examples}/cr-k8s-startup-secret.yaml (100%) rename deploy/{crd => examples}/cr-kvv2.yaml (100%) rename deploy/{crd => examples}/cr-mysql-ha.yaml (100%) rename deploy/{crd => examples}/cr-nodeAffinity.yaml (100%) rename deploy/{crd => examples}/cr-oidc.yaml (100%) rename deploy/{crd => examples}/cr-podAntiAffinity.yaml (100%) 
rename deploy/{crd => examples}/cr-policy-with-accessor.yaml (100%) rename deploy/{crd => examples}/cr-priority.yaml (97%) rename deploy/{crd => examples}/cr-prometheus.yaml (100%) rename deploy/{crd => examples}/cr-raft-1.yaml (100%) rename deploy/{crd => examples}/cr-raft-ha-storage.yaml (100%) rename deploy/{crd => examples}/cr-raft.yaml (100%) rename deploy/{crd => examples}/cr-resource.yaml (100%) rename deploy/{crd => examples}/cr-statsd.yaml (100%) rename deploy/{crd => examples}/cr-transit-unseal.yaml (100%) rename deploy/{crd => examples}/cr-vault-kv-unseal.yaml (100%) rename deploy/{crd => examples}/cr.yaml (100%) delete mode 100644 deploy/examples/istio/app.yaml delete mode 100644 deploy/examples/istio/rbac.yaml rename deploy/{crd => examples}/openshift-vault-scc.yaml (100%) delete mode 100644 deploy/examples/tls/config.json delete mode 100644 deploy/examples/tls/csr.json delete mode 100644 deploy/examples/tls/server.json create mode 100644 deploy/examples/velero-backup.yaml diff --git a/.dockerignore b/.dockerignore index 2c99b399..a17d5ccb 100644 --- a/.dockerignore +++ b/.dockerignore @@ -3,14 +3,9 @@ /.github/ /bin/ /build/ -/Dockerfile - /e2e/ /test/ +/hack/ +/deploy/ -/hack/scripts/ - -/deploy/crd/ -/deploy/charts/ -/deploy/examples/ -/deploy/multi-dc/ \ No newline at end of file +/Dockerfile \ No newline at end of file diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 59ca9168..1c46c303 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -221,6 +221,6 @@ jobs: run: nix develop --impure .#ci -c helm dep build ./deploy/charts/vault-operator - name: Operator Multi-DC Raft test - run: nix develop --impure .#ci -c ./deploy/multi-dc/test/multi-dc-raft.sh install + run: nix develop --impure .#ci -c ./deploy/dev/multi-dc/test/multi-dc-raft.sh install env: OPERATOR_VERSION: ${{ needs.artifacts.outputs.container-image-tag }} diff --git a/.yamlignore b/.yamlignore index 30e4aa0a..39393980 100644 --- a/.yamlignore 
+++ b/.yamlignore
@@ -1,9 +1,3 @@
 /test/
-
-/e2e/deploy/
-/e2e/test/
-
-/deploy/crd/
-/deploy/charts/
-/deploy/examples/
-/deploy/multi-dc/
+/e2e/
+/deploy/
diff --git a/Makefile b/Makefile
index d2f6d898..9ce43b0a 100644
--- a/Makefile
+++ b/Makefile
@@ -33,14 +33,14 @@ build: ## Build binary
 
 .PHONY: run
 run: ## Run the operator locally talking to a Kubernetes cluster
- kubectl replace -f deploy/crd/crd.yaml || kubectl create -f deploy/crd/crd.yaml
- kubectl apply -f deploy/crd/rbac.yaml
+ kubectl replace -f deploy/examples/base/crd.yaml || kubectl create -f deploy/examples/base/crd.yaml
+ kubectl apply -f deploy/examples/base/rbac.yaml
  OPERATOR_NAME=vault-dev go run cmd/manager/main.go -verbose
 
 .PHONY: clean
 clean: ## Clean operator resources from a Kubernetes cluster
- kubectl delete -f deploy/crd/crd.yaml
- kubectl delete -f deploy/crd/rbac.yaml
+ kubectl delete -f deploy/examples/base/crd.yaml
+ kubectl delete -f deploy/examples/base/rbac.yaml
 
 .PHONY: artifacts
 artifacts: container-image helm-chart
@@ -105,10 +105,10 @@ generate-code: ## Regenerate clientset, deepcopy funcs, listers and informers
 
 .PHONY: generate-crds
 generate-crds: ## Regenerate CRDs in the Helm chart and examples
- controller-gen crd:maxDescLen=0 paths=./pkg/... output:crd:artifacts:config=./deploy/crd
- cp deploy/crd/vault.banzaicloud.com_vaults.yaml deploy/charts/vault-operator/crds/crd.yaml
- cp deploy/crd/vault.banzaicloud.com_vaults.yaml deploy/crd/crd.yaml
- rm deploy/crd/vault.banzaicloud.com_vaults.yaml
+ controller-gen crd:maxDescLen=0 paths=./pkg/... output:crd:artifacts:config=./deploy/examples/base
+ cp deploy/examples/base/vault.banzaicloud.com_vaults.yaml deploy/charts/vault-operator/crds/crd.yaml
+ cp deploy/examples/base/vault.banzaicloud.com_vaults.yaml deploy/examples/base/crd.yaml
+ rm deploy/examples/base/vault.banzaicloud.com_vaults.yaml
 
 .PHONY: generate-helm-docs
 generate-helm-docs:
diff --git a/deploy/crd/priorityclass.yaml b/deploy/crd/priorityclass.yaml deleted file mode 100644 index 2b9cdc01..00000000 --- a/deploy/crd/priorityclass.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: scheduling.k8s.io/v1 -kind: PriorityClass -metadata: - name: high-priority -value: 1000000 -globalDefault: false -description: "test priority class" diff --git a/deploy/examples/microk8s/README.md b/deploy/dev/microk8s/README.md similarity index 100% rename from deploy/examples/microk8s/README.md rename to deploy/dev/microk8s/README.md diff --git a/deploy/examples/microk8s/dev.yaml b/deploy/dev/microk8s/dev.yaml similarity index 100% rename from deploy/examples/microk8s/dev.yaml rename to deploy/dev/microk8s/dev.yaml diff --git a/deploy/examples/microk8s/pvc.yaml b/deploy/dev/microk8s/pvc.yaml similarity index 100% rename from deploy/examples/microk8s/pvc.yaml rename to deploy/dev/microk8s/pvc.yaml diff --git a/deploy/examples/microk8s/rbac.yaml b/deploy/dev/microk8s/rbac.yaml similarity index 100% rename from deploy/examples/microk8s/rbac.yaml rename to deploy/dev/microk8s/rbac.yaml diff --git a/deploy/multi-dc/aws/cr-primary.yaml b/deploy/dev/multi-dc/aws/cr-primary.yaml similarity index 100% rename from deploy/multi-dc/aws/cr-primary.yaml rename to deploy/dev/multi-dc/aws/cr-primary.yaml diff --git a/deploy/multi-dc/aws/cr-secondary.yaml b/deploy/dev/multi-dc/aws/cr-secondary.yaml similarity index 100% rename from deploy/multi-dc/aws/cr-secondary.yaml rename to deploy/dev/multi-dc/aws/cr-secondary.yaml diff --git a/deploy/multi-dc/aws/cr-tertiary.yaml b/deploy/dev/multi-dc/aws/cr-tertiary.yaml similarity index 100% rename from deploy/multi-dc/aws/cr-tertiary.yaml rename to deploy/dev/multi-dc/aws/cr-tertiary.yaml diff --git a/deploy/multi-dc/aws/multi-dc-raft.sh b/deploy/dev/multi-dc/aws/multi-dc-raft.sh similarity index 98% rename from deploy/multi-dc/aws/multi-dc-raft.sh rename to deploy/dev/multi-dc/aws/multi-dc-raft.sh index 5b0e6fa8..c5c04d98 100755 
--- a/deploy/multi-dc/aws/multi-dc-raft.sh +++ b/deploy/dev/multi-dc/aws/multi-dc-raft.sh @@ -95,7 +95,7 @@ if [ $COMMAND = "install" ]; then create_aws_secret kubectl apply -f operator/deploy/rbac.yaml - cat operator/deploy/multi-dc/aws/cr-${INSTANCE}.yaml | envtpl | kubectl apply -f - + cat operator/deploy/dev/multi-dc/aws/cr-${INSTANCE}.yaml | envtpl | kubectl apply -f - echo "Waiting for for ${INSTANCE} vault instance..." waitfor kubectl get pod/vault-${INSTANCE}-0 diff --git a/deploy/multi-dc/test/cr-primary.yaml b/deploy/dev/multi-dc/test/cr-primary.yaml similarity index 100% rename from deploy/multi-dc/test/cr-primary.yaml rename to deploy/dev/multi-dc/test/cr-primary.yaml diff --git a/deploy/multi-dc/test/cr-secondary.yaml b/deploy/dev/multi-dc/test/cr-secondary.yaml similarity index 100% rename from deploy/multi-dc/test/cr-secondary.yaml rename to deploy/dev/multi-dc/test/cr-secondary.yaml diff --git a/deploy/multi-dc/test/cr-tertiary.yaml b/deploy/dev/multi-dc/test/cr-tertiary.yaml similarity index 100% rename from deploy/multi-dc/test/cr-tertiary.yaml rename to deploy/dev/multi-dc/test/cr-tertiary.yaml diff --git a/deploy/multi-dc/test/metallb-config.yaml b/deploy/dev/multi-dc/test/metallb-config.yaml similarity index 100% rename from deploy/multi-dc/test/metallb-config.yaml rename to deploy/dev/multi-dc/test/metallb-config.yaml diff --git a/deploy/multi-dc/test/multi-dc-raft.sh b/deploy/dev/multi-dc/test/multi-dc-raft.sh similarity index 95% rename from deploy/multi-dc/test/multi-dc-raft.sh rename to deploy/dev/multi-dc/test/multi-dc-raft.sh index 035061af..96019847 100755 --- a/deploy/multi-dc/test/multi-dc-raft.sh +++ b/deploy/dev/multi-dc/test/multi-dc-raft.sh 
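Review bot: The context line `kubectl apply -f operator/deploy/rbac.yaml` just above the changed `cat` line still points at the pre-reorganisation location; this series moves that manifest to deploy/crd/rbac.yaml and then, in this same commit, to deploy/examples/base/rbac.yaml (the kind-based test script in the next hunk was updated to match), so the AWS `install` path will fail on a missing file before the Vault CR is ever applied. It should read `kubectl apply -f operator/deploy/examples/base/rbac.yaml`, assuming the `operator/` prefix still reflects the intended checkout layout — that prefix appears nowhere else in the series, so confirm it. While touching this line, `envtpl < operator/deploy/dev/multi-dc/aws/cr-${INSTANCE}.yaml | kubectl apply -f -` drops the needless `cat`, and the enclosing test `if [ $COMMAND = "install" ]` should quote `"$COMMAND"` so an unset variable yields a clean false instead of a `[: =: unary operator expected` error. The enclosing `if` block starts before this hunk.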
@@ -45,7 +45,7 @@ function metallb_setup { kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/${METALLB_VERSION}/config/manifests/metallb-native.yaml kubectl wait --namespace metallb-system --for condition=Available=true deploy --selector=app=metallb --timeout=90s kubectl wait --namespace metallb-system --for=condition=ready pod --selector=app=metallb --timeout=90s - envtpl deploy/multi-dc/test/metallb-config.yaml | kubectl apply -f - + envtpl deploy/dev/multi-dc/test/metallb-config.yaml | kubectl apply -f - } function cidr_range { @@ -83,8 +83,8 @@ function install_instance { helm upgrade --install vault-operator ./deploy/charts/vault-operator --wait --set image.tag=${OPERATOR_VERSION} --set image.pullPolicy=Never --set image.bankVaultsTag=${BANK_VAULTS_VERSION} - kubectl apply -f deploy/crd/rbac.yaml - envtpl deploy/multi-dc/test/cr-"${INSTANCE}".yaml | kubectl apply -f - + kubectl apply -f deploy/examples/base/rbac.yaml + envtpl deploy/dev/multi-dc/test/cr-"${INSTANCE}".yaml | kubectl apply -f - echo "Waiting for for ${INSTANCE} vault instance..." waitfor kubectl get pod/vault-"${INSTANCE}"-0 diff --git a/deploy/examples/backup/backup.yaml b/deploy/examples/backup/backup.yaml deleted file mode 100644 index fbeaff6c..00000000 --- a/deploy/examples/backup/backup.yaml +++ /dev/null 
@@ -1,53 +0,0 @@ -# Standard Kubernetes API Version declaration. Required. -apiVersion: velero.io/v1 -# Standard Kubernetes Kind declaration. Required. -kind: Backup -# Standard Kubernetes metadata. Required. -metadata: - # Backup name. May be any valid Kubernetes object name. Required. - name: vault-1 - # Backup namespace. Must be the namespace of the Velero server. Required. - namespace: velero -# Parameters about the backup. Required. -spec: - # Array of namespaces to include in the backup. If unspecified, all namespaces are included. - # Optional. - includedNamespaces: - - default - # Array of resources to include in the backup. Resources may be shortcuts (e.g. 'po' for 'pods') - # or fully-qualified. If unspecified, all resources are included. Optional. - includedResources: - - pv - - pvc - - secret - - vault - - configmap - - deployment - - service - - statefulset - - pod - - ingress - - replicaset - # Whether or not to include cluster-scoped resources. Valid values are true, false, and - # null/unset. If true, all cluster-scoped resources are included (subject to included/excluded - # resources and the label selector). If false, no cluster-scoped resources are included. If unset, - # all cluster-scoped resources are included if and only if all namespaces are included and there are - # no excluded namespaces. Otherwise, if there is at least one namespace specified in either - # includedNamespaces or excludedNamespaces, then the only cluster-scoped resources that are backed - # up are those associated with namespace-scoped resources included in the backup. For example, if a - # PersistentVolumeClaim is included in the backup, its associated PersistentVolume (which is - # cluster-scoped) would also be backed up. - includeClusterResources: true - # Individual objects must match this label selector to be included in the backup. Optional. - labelSelector: - matchLabels: - vault_cr: vault - # Whether or not to snapshot volumes. 
This only applies to PersistentVolumes for Azure, GCE, and - # AWS. Valid values are true, false, and null/unset. If unset, Velero performs snapshots as long as - # a persistent volume provider is configured for Velero. - snapshotVolumes: true - # Where to store the tarball and logs. - storageLocation: default - # The list of locations in which to store volume snapshots created for this backup. - volumeSnapshotLocations: - - default diff --git a/deploy/examples/backup/schedule.yaml b/deploy/examples/backup/schedule.yaml deleted file mode 100644 index f9988160..00000000 --- a/deploy/examples/backup/schedule.yaml +++ /dev/null 
@@ -1,57 +0,0 @@ -# Standard Kubernetes API Version declaration. Required. -apiVersion: velero.io/v1 -# Standard Kubernetes Kind declaration. Required. -kind: Schedule -# Standard Kubernetes metadata. Required. -metadata: - # Backup name. May be any valid Kubernetes object name. Required. - name: vault-1 - # Backup namespace. Must be the namespace of the Velero server. Required. - namespace: velero -# Parameters about the backup. Required. -spec: - # Schedule is a Cron expression defining when to run the Backup, this means run every day. - schedule: 0 1 * * * - # Template is the spec that should be used for each backup triggered by this schedule. - template: - # Array of namespaces to include in the backup. If unspecified, all namespaces are included. - # Optional. - includedNamespaces: - - default - # Array of resources to include in the backup. Resources may be shortcuts (e.g. 'po' for 'pods') - # or fully-qualified. If unspecified, all resources are included. Optional. - includedResources: - - pv - - pvc - - secret - - vault - - configmap - - deployment - - service - - statefulset - - pod - - ingress - - replicaset - # Whether or not to include cluster-scoped resources. Valid values are true, false, and - # null/unset. If true, all cluster-scoped resources are included (subject to included/excluded - # resources and the label selector). If false, no cluster-scoped resources are included. If unset, - # all cluster-scoped resources are included if and only if all namespaces are included and there are - # no excluded namespaces. Otherwise, if there is at least one namespace specified in either - # includedNamespaces or excludedNamespaces, then the only cluster-scoped resources that are backed - # up are those associated with namespace-scoped resources included in the backup. For example, if a - # PersistentVolumeClaim is included in the backup, its associated PersistentVolume (which is - # cluster-scoped) would also be backed up. 
- includeClusterResources: true - # Individual objects must match this label selector to be included in the backup. Optional. - labelSelector: - matchLabels: - vault_cr: vault - # Whether or not to snapshot volumes. This only applies to PersistentVolumes for Azure, GCE, and - # AWS. Valid values are true, false, and null/unset. If unset, Velero performs snapshots as long as - # a persistent volume provider is configured for Velero. - snapshotVolumes: true - # Where to store the tarball and logs. - storageLocation: default - # The list of locations in which to store volume snapshots created for this backup. - volumeSnapshotLocations: - - default diff --git a/deploy/crd/config-jwt-groups.yaml b/deploy/examples/base/config-jwt-groups.yaml similarity index 100% rename from deploy/crd/config-jwt-groups.yaml rename to deploy/examples/base/config-jwt-groups.yaml diff --git a/deploy/crd/config.yaml b/deploy/examples/base/config.yaml similarity index 100% rename from deploy/crd/config.yaml rename to deploy/examples/base/config.yaml diff --git a/deploy/crd/crd.yaml b/deploy/examples/base/crd.yaml similarity index 100% rename from deploy/crd/crd.yaml rename to deploy/examples/base/crd.yaml diff --git a/deploy/crd/issuer.yaml b/deploy/examples/base/issuer.yaml similarity index 100% rename from deploy/crd/issuer.yaml rename to deploy/examples/base/issuer.yaml diff --git a/deploy/crd/rbac.yaml b/deploy/examples/base/rbac.yaml similarity index 100% rename from deploy/crd/rbac.yaml rename to deploy/examples/base/rbac.yaml diff --git a/deploy/crd/secret.yaml b/deploy/examples/base/secret.yaml similarity index 100% rename from deploy/crd/secret.yaml rename to deploy/examples/base/secret.yaml diff --git a/deploy/crd/cr-alibaba.yaml b/deploy/examples/cr-alibaba.yaml similarity index 100% rename from deploy/crd/cr-alibaba.yaml rename to deploy/examples/cr-alibaba.yaml 
diff --git a/deploy/crd/cr-audit.yaml b/deploy/examples/cr-audit.yaml similarity index 100% rename from deploy/crd/cr-audit.yaml rename to deploy/examples/cr-audit.yaml diff --git a/deploy/crd/aws-server-side-encryption.yaml b/deploy/examples/cr-aws-server-side-encryption.yaml similarity index 100% rename from deploy/crd/aws-server-side-encryption.yaml rename to deploy/examples/cr-aws-server-side-encryption.yaml diff --git a/deploy/crd/cr-aws.yaml b/deploy/examples/cr-aws.yaml similarity index 100% rename from deploy/crd/cr-aws.yaml rename to deploy/examples/cr-aws.yaml diff --git a/deploy/crd/cr-awskms.yaml b/deploy/examples/cr-awskms.yaml similarity index 100% rename from deploy/crd/cr-awskms.yaml rename to deploy/examples/cr-awskms.yaml diff --git a/deploy/crd/cr-azure.yaml b/deploy/examples/cr-azure.yaml similarity index 100% rename from deploy/crd/cr-azure.yaml rename to deploy/examples/cr-azure.yaml diff --git a/deploy/crd/cr-cert-manager.yaml b/deploy/examples/cr-cert-manager.yaml similarity index 100% rename from deploy/crd/cr-cert-manager.yaml rename to deploy/examples/cr-cert-manager.yaml diff --git a/deploy/crd/cr-containers.yaml b/deploy/examples/cr-containers.yaml similarity index 100% rename from deploy/crd/cr-containers.yaml rename to deploy/examples/cr-containers.yaml diff --git a/deploy/crd/cr-credentialFromSecret.yaml b/deploy/examples/cr-credentialFromSecret.yaml similarity index 100% rename from deploy/crd/cr-credentialFromSecret.yaml rename to deploy/examples/cr-credentialFromSecret.yaml diff --git a/deploy/crd/cr-customports.yaml b/deploy/examples/cr-customports.yaml similarity index 100% rename from deploy/crd/cr-customports.yaml rename to deploy/examples/cr-customports.yaml diff --git a/deploy/crd/cr-disabled-root-token-storage.yaml b/deploy/examples/cr-disabled-root-token-storage.yaml similarity index 100% rename from deploy/crd/cr-disabled-root-token-storage.yaml rename to deploy/examples/cr-disabled-root-token-storage.yaml 
diff --git a/deploy/crd/cr-file.yaml b/deploy/examples/cr-file.yaml similarity index 100% rename from deploy/crd/cr-file.yaml rename to deploy/examples/cr-file.yaml diff --git a/deploy/crd/cr-gcpkms.yaml b/deploy/examples/cr-gcpkms.yaml similarity index 100% rename from deploy/crd/cr-gcpkms.yaml rename to deploy/examples/cr-gcpkms.yaml diff --git a/deploy/crd/cr-gcs-ha-autounseal.yaml b/deploy/examples/cr-gcs-ha-autounseal.yaml similarity index 100% rename from deploy/crd/cr-gcs-ha-autounseal.yaml rename to deploy/examples/cr-gcs-ha-autounseal.yaml diff --git a/deploy/crd/cr-gcs-ha.yaml b/deploy/examples/cr-gcs-ha.yaml similarity index 100% rename from deploy/crd/cr-gcs-ha.yaml rename to deploy/examples/cr-gcs-ha.yaml diff --git a/deploy/crd/cr-hsm-nitrokey.yaml b/deploy/examples/cr-hsm-nitrokey.yaml similarity index 100% rename from deploy/crd/cr-hsm-nitrokey.yaml rename to deploy/examples/cr-hsm-nitrokey.yaml diff --git a/deploy/crd/cr-hsm-softhsm.yaml b/deploy/examples/cr-hsm-softhsm.yaml similarity index 100% rename from deploy/crd/cr-hsm-softhsm.yaml rename to deploy/examples/cr-hsm-softhsm.yaml diff --git a/deploy/crd/cr-init-containers.yaml b/deploy/examples/cr-init-containers.yaml similarity index 100% rename from deploy/crd/cr-init-containers.yaml rename to deploy/examples/cr-init-containers.yaml diff --git a/deploy/examples/istio/cr-istio.yaml b/deploy/examples/cr-istio.yaml similarity index 74% rename from deploy/examples/istio/cr-istio.yaml rename to deploy/examples/cr-istio.yaml index b486633c..de9375df 100644 --- a/deploy/examples/istio/cr-istio.yaml +++ b/deploy/examples/cr-istio.yaml 
@@ -209,3 +209,99 @@ spec: resources: requests: storage: 1Gi + +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: vault + namespace: vault + +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: vault-secrets + namespace: vault +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - "*" + +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: vault-secrets + namespace: vault +roleRef: + kind: Role + name: vault-secrets + apiGroup: rbac.authorization.k8s.io +subjects: + - kind: ServiceAccount + name: vault + +--- +# This binding allows the deployed Vault instance to authenticate clients +# through Kubernetes ServiceAccounts (if configured so). +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: vault-auth-delegator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: + - kind: ServiceAccount + name: vault + namespace: vault + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: app + namespace: app +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: app + template: + metadata: + labels: + app.kubernetes.io/name: app + annotations: + vault.security.banzaicloud.io/vault-addr: "https://vault.vault:8200" + vault.security.banzaicloud.io/vault-tls-secret: vault-tls + spec: + # initContainers only works if Vault is having PERMISSIVE authentication policy in Istio + initContainers: + - name: init-ubuntu + image: ubuntu + command: + [ + "sh", + "-c", + "echo $AWS_SECRET_ACCESS_KEY && echo initContainers ready", + ] + env: + - name: AWS_SECRET_ACCESS_KEY + value: vault:secret/data/accounts/aws#${.AWS_SECRET_ACCESS_KEY} # Go templates are also supported with ${} delimiters + containers: + - name: app + image: alpine + command: + [ + "sh", + "-c", + "echo $AWS_SECRET_ACCESS_KEY && echo going to sleep... 
&& sleep 10000", + ] + env: + - name: AWS_SECRET_ACCESS_KEY + value: vault:secret/data/accounts/aws#AWS_SECRET_ACCESS_KEY diff --git a/deploy/crd/cr-k8s-startup-secret.yaml b/deploy/examples/cr-k8s-startup-secret.yaml similarity index 100% rename from deploy/crd/cr-k8s-startup-secret.yaml rename to deploy/examples/cr-k8s-startup-secret.yaml diff --git a/deploy/crd/cr-kvv2.yaml b/deploy/examples/cr-kvv2.yaml similarity index 100% rename from deploy/crd/cr-kvv2.yaml rename to deploy/examples/cr-kvv2.yaml diff --git a/deploy/crd/cr-mysql-ha.yaml b/deploy/examples/cr-mysql-ha.yaml similarity index 100% rename from deploy/crd/cr-mysql-ha.yaml rename to deploy/examples/cr-mysql-ha.yaml diff --git a/deploy/crd/cr-nodeAffinity.yaml b/deploy/examples/cr-nodeAffinity.yaml similarity index 100% rename from deploy/crd/cr-nodeAffinity.yaml rename to deploy/examples/cr-nodeAffinity.yaml diff --git a/deploy/crd/cr-oidc.yaml b/deploy/examples/cr-oidc.yaml similarity index 100% rename from deploy/crd/cr-oidc.yaml rename to deploy/examples/cr-oidc.yaml diff --git a/deploy/crd/cr-podAntiAffinity.yaml b/deploy/examples/cr-podAntiAffinity.yaml similarity index 100% rename from deploy/crd/cr-podAntiAffinity.yaml rename to deploy/examples/cr-podAntiAffinity.yaml diff --git a/deploy/crd/cr-policy-with-accessor.yaml b/deploy/examples/cr-policy-with-accessor.yaml similarity index 100% rename from deploy/crd/cr-policy-with-accessor.yaml rename to deploy/examples/cr-policy-with-accessor.yaml diff --git a/deploy/crd/cr-priority.yaml b/deploy/examples/cr-priority.yaml similarity index 97% rename from deploy/crd/cr-priority.yaml rename to deploy/examples/cr-priority.yaml index 3cc60d06..be066f8d 100644 --- a/deploy/crd/cr-priority.yaml +++ b/deploy/examples/cr-priority.yaml 
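Review bot: The Role `vault-secrets` added in this hunk grants `verbs: - "*"` on secrets in the `vault` namespace, which also covers delete and patch; enumerating only the verbs this instance actually needs would keep the example least-privilege, though which verbs those are is not shown in the diff. In the same hunk both the init container and the app container run `echo $AWS_SECRET_ACCESS_KEY`, so the injected secret value ends up in the pod log, readable by anyone with `pods/log` access; printing only a presence check such as `"test -n \"$AWS_SECRET_ACCESS_KEY\" && echo secret injected"` demonstrates the injection without writing the value out. The enclosing `spec:` document of this file begins before the hunk.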
@@ -200,3 +200,12 @@ spec: # persistentVolumeReclaimPolicy: Recycle # hostPath: # path: /vault/file + +--- +apiVersion: scheduling.k8s.io/v1 +kind: PriorityClass +metadata: + name: high-priority +value: 1000000 +globalDefault: false +description: "test priority class" diff --git a/deploy/crd/cr-prometheus.yaml b/deploy/examples/cr-prometheus.yaml similarity index 100% rename from deploy/crd/cr-prometheus.yaml rename to deploy/examples/cr-prometheus.yaml diff --git a/deploy/crd/cr-raft-1.yaml b/deploy/examples/cr-raft-1.yaml similarity index 100% rename from deploy/crd/cr-raft-1.yaml rename to deploy/examples/cr-raft-1.yaml diff --git a/deploy/crd/cr-raft-ha-storage.yaml b/deploy/examples/cr-raft-ha-storage.yaml similarity index 100% rename from deploy/crd/cr-raft-ha-storage.yaml rename to deploy/examples/cr-raft-ha-storage.yaml diff --git a/deploy/crd/cr-raft.yaml b/deploy/examples/cr-raft.yaml similarity index 100% rename from deploy/crd/cr-raft.yaml rename to deploy/examples/cr-raft.yaml diff --git a/deploy/crd/cr-resource.yaml b/deploy/examples/cr-resource.yaml similarity index 100% rename from deploy/crd/cr-resource.yaml rename to deploy/examples/cr-resource.yaml diff --git a/deploy/crd/cr-statsd.yaml b/deploy/examples/cr-statsd.yaml similarity index 100% rename from deploy/crd/cr-statsd.yaml rename to deploy/examples/cr-statsd.yaml diff --git a/deploy/crd/cr-transit-unseal.yaml b/deploy/examples/cr-transit-unseal.yaml similarity index 100% rename from deploy/crd/cr-transit-unseal.yaml rename to deploy/examples/cr-transit-unseal.yaml diff --git a/deploy/crd/cr-vault-kv-unseal.yaml b/deploy/examples/cr-vault-kv-unseal.yaml similarity index 100% rename from deploy/crd/cr-vault-kv-unseal.yaml rename to deploy/examples/cr-vault-kv-unseal.yaml diff --git a/deploy/crd/cr.yaml b/deploy/examples/cr.yaml similarity index 100% rename from deploy/crd/cr.yaml rename to deploy/examples/cr.yaml 
diff --git a/deploy/examples/istio/app.yaml b/deploy/examples/istio/app.yaml deleted file mode 100644 index 79839ed3..00000000 --- a/deploy/examples/istio/app.yaml +++ /dev/null @@ -1,43 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: app - namespace: app -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: app - template: - metadata: - labels: - app.kubernetes.io/name: app - annotations: - vault.security.banzaicloud.io/vault-addr: "https://vault.vault:8200" - vault.security.banzaicloud.io/vault-tls-secret: vault-tls - spec: - # initContainers only works if Vault is having PERMISSIVE authentication policy in Istio - initContainers: - - name: init-ubuntu - image: ubuntu - command: - [ - "sh", - "-c", - "echo $AWS_SECRET_ACCESS_KEY && echo initContainers ready", - ] - env: - - name: AWS_SECRET_ACCESS_KEY - value: vault:secret/data/accounts/aws#${.AWS_SECRET_ACCESS_KEY} # Go templates are also supported with ${} delimiters - containers: - - name: app - image: alpine - command: - [ - "sh", - "-c", - "echo $AWS_SECRET_ACCESS_KEY && echo going to sleep... && sleep 10000", - ] - env: - - name: AWS_SECRET_ACCESS_KEY - value: vault:secret/data/accounts/aws#AWS_SECRET_ACCESS_KEY diff --git a/deploy/examples/istio/rbac.yaml b/deploy/examples/istio/rbac.yaml deleted file mode 100644 index ef2ff229..00000000 --- a/deploy/examples/istio/rbac.yaml +++ /dev/null 
@@ -1,52 +0,0 @@ -kind: ServiceAccount -apiVersion: v1 -metadata: - name: vault - namespace: vault - ---- - -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: vault-secrets - namespace: vault -rules: - - apiGroups: - - "" - resources: - - secrets - verbs: - - "*" - ---- - -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: vault-secrets - namespace: vault -roleRef: - kind: Role - name: vault-secrets - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: vault - ---- - -# This binding allows the deployed Vault instance to authenticate clients -# through Kubernetes ServiceAccounts (if configured so). -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: vault-auth-delegator -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: - - kind: ServiceAccount - name: vault - namespace: vault diff --git a/deploy/crd/openshift-vault-scc.yaml b/deploy/examples/openshift-vault-scc.yaml similarity index 100% rename from deploy/crd/openshift-vault-scc.yaml rename to deploy/examples/openshift-vault-scc.yaml diff --git a/deploy/examples/tls/config.json b/deploy/examples/tls/config.json deleted file mode 100644 index dba73de8..00000000 --- a/deploy/examples/tls/config.json +++ /dev/null @@ -1,34 +0,0 @@ -{ - "signing": { - "default": { - "expiry": "43800h" - }, - "profiles": { - "server": { - "expiry": "43800h", - "usages": [ - "signing", - "key encipherment", - "server auth" - ] - }, - "client": { - "expiry": "43800h", - "usages": [ - "signing", - "key encipherment", - "client auth" - ] - }, - "peer": { - "expiry": "43800h", - "usages": [ - "signing", - "key encipherment", - "server auth", - "client auth" - ] - } - } - } -} diff --git a/deploy/examples/tls/csr.json b/deploy/examples/tls/csr.json deleted file mode 100644 index e2659952..00000000 --- a/deploy/examples/tls/csr.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "key": { - "algo": "ecdsa", - "size": 256 - }, - "names": [ - { - "C": "HU", - "L": "Budapest", - "O": "Banzai Cloud", - "OU": "WWW", - "ST": "Budapest" - } - ] -} diff --git a/deploy/examples/tls/server.json b/deploy/examples/tls/server.json deleted file mode 100644 index 4ed03f5c..00000000 --- a/deploy/examples/tls/server.json +++ /dev/null @@ -1,23 +0,0 @@ -{ - "CN": "vault", - "hosts": [ - "vault", - "vault.default", - "vault.default.svc", - "vault.default.svc.cluster.local", - "127.0.0.1" - ], - "key": { - "algo": "ecdsa", - "size": 256 - }, - "names": [ - { - "C": "HU", - "L": "Budapest", - "O": "Banzai Cloud", - "OU": "WWW", - "ST": "Budapest" - } - ] -} diff --git a/deploy/examples/velero-backup.yaml b/deploy/examples/velero-backup.yaml new file mode 100644 index 00000000..4bdda5aa --- /dev/null +++ b/deploy/examples/velero-backup.yaml 
@@ -0,0 +1,112 @@ +# Standard Kubernetes API Version declaration. Required. +apiVersion: velero.io/v1 +# Standard Kubernetes Kind declaration. Required. +kind: Backup +# Standard Kubernetes metadata. Required. +metadata: + # Backup name. May be any valid Kubernetes object name. Required. + name: vault-1 + # Backup namespace. Must be the namespace of the Velero server. Required. + namespace: velero +# Parameters about the backup. Required. +spec: + # Array of namespaces to include in the backup. If unspecified, all namespaces are included. + # Optional. + includedNamespaces: + - default + # Array of resources to include in the backup. Resources may be shortcuts (e.g. 'po' for 'pods') + # or fully-qualified. If unspecified, all resources are included. Optional. + includedResources: + - pv + - pvc + - secret + - vault + - configmap + - deployment + - service + - statefulset + - pod + - ingress + - replicaset + # Whether or not to include cluster-scoped resources. Valid values are true, false, and + # null/unset. If true, all cluster-scoped resources are included (subject to included/excluded + # resources and the label selector). If false, no cluster-scoped resources are included. If unset, + # all cluster-scoped resources are included if and only if all namespaces are included and there are + # no excluded namespaces. Otherwise, if there is at least one namespace specified in either + # includedNamespaces or excludedNamespaces, then the only cluster-scoped resources that are backed + # up are those associated with namespace-scoped resources included in the backup. For example, if a + # PersistentVolumeClaim is included in the backup, its associated PersistentVolume (which is + # cluster-scoped) would also be backed up. + includeClusterResources: true + # Individual objects must match this label selector to be included in the backup. Optional. + labelSelector: + matchLabels: + vault_cr: vault + # Whether or not to snapshot volumes. 
This only applies to PersistentVolumes for Azure, GCE, and + # AWS. Valid values are true, false, and null/unset. If unset, Velero performs snapshots as long as + # a persistent volume provider is configured for Velero. + snapshotVolumes: true + # Where to store the tarball and logs. + storageLocation: default + # The list of locations in which to store volume snapshots created for this backup. + volumeSnapshotLocations: + - default + +--- +# Standard Kubernetes API Version declaration. Required. +apiVersion: velero.io/v1 +# Standard Kubernetes Kind declaration. Required. +kind: Schedule +# Standard Kubernetes metadata. Required. +metadata: + # Backup name. May be any valid Kubernetes object name. Required. + name: vault-1 + # Backup namespace. Must be the namespace of the Velero server. Required. + namespace: velero +# Parameters about the backup. Required. +spec: + # Schedule is a Cron expression defining when to run the Backup, this means run every day. + schedule: 0 1 * * * + # Template is the spec that should be used for each backup triggered by this schedule. + template: + # Array of namespaces to include in the backup. If unspecified, all namespaces are included. + # Optional. + includedNamespaces: + - default + # Array of resources to include in the backup. Resources may be shortcuts (e.g. 'po' for 'pods') + # or fully-qualified. If unspecified, all resources are included. Optional. + includedResources: + - pv + - pvc + - secret + - vault + - configmap + - deployment + - service + - statefulset + - pod + - ingress + - replicaset + # Whether or not to include cluster-scoped resources. Valid values are true, false, and + # null/unset. If true, all cluster-scoped resources are included (subject to included/excluded + # resources and the label selector). If false, no cluster-scoped resources are included. If unset, + # all cluster-scoped resources are included if and only if all namespaces are included and there are + # no excluded namespaces. 
Otherwise, if there is at least one namespace specified in either + # includedNamespaces or excludedNamespaces, then the only cluster-scoped resources that are backed + # up are those associated with namespace-scoped resources included in the backup. For example, if a + # PersistentVolumeClaim is included in the backup, its associated PersistentVolume (which is + # cluster-scoped) would also be backed up. + includeClusterResources: true + # Individual objects must match this label selector to be included in the backup. Optional. + labelSelector: + matchLabels: + vault_cr: vault + # Whether or not to snapshot volumes. This only applies to PersistentVolumes for Azure, GCE, and + # AWS. Valid values are true, false, and null/unset. If unset, Velero performs snapshots as long as + # a persistent volume provider is configured for Velero. + snapshotVolumes: true + # Where to store the tarball and logs. + storageLocation: default + # The list of locations in which to store volume snapshots created for this backup. + volumeSnapshotLocations: + - default diff --git a/test/acceptance_test.go b/test/acceptance_test.go index 50aadad8..a948b61c 100644 --- a/test/acceptance_test.go +++ b/test/acceptance_test.go @@ -121,7 +121,12 @@ func TestKvv2(t *testing.T) { defer k8s.DeleteNamespace(t, kubectlOptions, kubectlOptions.Namespace) // Prepare and apply resources - resources, err := prepareResources(kubectlOptions.Namespace, vaultVersion, "../deploy/crd/cr-kvv2.yaml", "rbac.yaml") + resources, err := prepareResources( + kubectlOptions.Namespace, + vaultVersion, + "../deploy/examples/base/rbac.yaml", + "../deploy/examples/cr-kvv2.yaml", + ) require.NoError(t, err) for _, resource := range resources { k8s.KubectlApplyFromString(t, kubectlOptions, string(resource)) 
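Review bot: `includedResources` in both the Backup and the Schedule lists `secret`, so everything matching `vault_cr: vault` — presumably including the Secrets that hold the Vault unseal material, since the acceptance tests on this page delete a `vault-unseal-keys` secret — is written to the Velero `storageLocation`, and the example never says that store must be protected accordingly. I would add above `- secret`: `# NOTE: Secrets matching the selector below may include Vault unseal keys; the backup store needs the same access control and at-rest encryption as the cluster itself.` The Schedule document repeats the Backup spec verbatim, which is acceptable for an example but worth a one-line comment saying the two are intended to stay identical.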
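Review bot: The argument order passed to prepareResources is inconsistent across this commit: here and in TestStatsd, TestRaft, TestSoftHSM, TestDisabledRootTokenStorage, TestPriorityClass and TestOIDC `../deploy/examples/base/rbac.yaml` precedes the CR file, while in TestExternalSecretsWatcherDeployment and TestExternalSecretsWatcherSecrets (next hunks) it follows `deploy/test-external-secrets-watch-deployment.yaml`. If prepareResources preserves order and the loop below applies resources sequentially, the ServiceAccount and Role would be created after the workload that references them in those two tests; listing the RBAC file first everywhere removes the question. prepareResources itself is outside this diff.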
@@ -138,7 +143,12 @@ func TestStatsd(t *testing.T) { defer k8s.DeleteNamespace(t, kubectlOptions, kubectlOptions.Namespace) // Prepare and apply resources - resources, err := prepareResources(kubectlOptions.Namespace, vaultVersion, "../deploy/crd/cr-statsd.yaml", "rbac.yaml") + resources, err := prepareResources( + kubectlOptions.Namespace, + vaultVersion, + "../deploy/examples/base/rbac.yaml", + "../deploy/examples/cr-statsd.yaml", + ) require.NoError(t, err) for _, resource := range resources { k8s.KubectlApplyFromString(t, kubectlOptions, string(resource)) @@ -155,7 +165,12 @@ func TestExternalSecretsWatcherDeployment(t *testing.T) { defer k8s.DeleteNamespace(t, kubectlOptions, kubectlOptions.Namespace) // Prepare and apply resources - resources, err := prepareResources(kubectlOptions.Namespace, vaultVersion, "deploy/test-external-secrets-watch-deployment.yaml", "rbac.yaml") + resources, err := prepareResources( + kubectlOptions.Namespace, + vaultVersion, + "deploy/test-external-secrets-watch-deployment.yaml", + "../deploy/examples/base/rbac.yaml", + ) require.NoError(t, err) for _, resource := range resources { k8s.KubectlApplyFromString(t, kubectlOptions, string(resource)) @@ -178,7 +193,12 @@ func TestExternalSecretsWatcherSecrets(t *testing.T) { k8s.KubectlApply(t, kubectlOptions, "deploy/test-external-secrets-watch-secrets.yaml") // Prepare and apply resources - resources, err := prepareResources(kubectlOptions.Namespace, vaultVersion, "deploy/test-external-secrets-watch-deployment.yaml", "rbac.yaml") + resources, err := prepareResources( + kubectlOptions.Namespace, + vaultVersion, + "deploy/test-external-secrets-watch-deployment.yaml", + "../deploy/examples/base/rbac.yaml", + ) require.NoError(t, err) for _, resource := range resources { k8s.KubectlApplyFromString(t, kubectlOptions, string(resource)) 
@@ -202,7 +222,12 @@ func TestRaft(t *testing.T) { defer k8s.DeleteNamespace(t, kubectlOptions, kubectlOptions.Namespace) // Prepare and apply resources - resources, err := prepareResources(kubectlOptions.Namespace, vaultVersion, "../deploy/crd/cr-raft.yaml", "rbac.yaml") + resources, err := prepareResources( + kubectlOptions.Namespace, + vaultVersion, + "../deploy/examples/base/rbac.yaml", + "../deploy/examples/cr-raft.yaml", + ) require.NoError(t, err) for _, resource := range resources { k8s.KubectlApplyFromString(t, kubectlOptions, string(resource)) @@ -221,7 +246,12 @@ func TestSoftHSM(t *testing.T) { defer k8s.DeleteNamespace(t, kubectlOptions, kubectlOptions.Namespace) // Prepare and apply resources - resources, err := prepareResources(kubectlOptions.Namespace, vaultVersion, "../deploy/crd/cr-hsm-softhsm.yaml", "rbac.yaml") + resources, err := prepareResources( + kubectlOptions.Namespace, + vaultVersion, + "../deploy/examples/base/rbac.yaml", + "../deploy/examples/cr-hsm-softhsm.yaml", + ) require.NoError(t, err) for _, resource := range resources { k8s.KubectlApplyFromString(t, kubectlOptions, string(resource)) @@ -238,7 +268,12 @@ func TestDisabledRootTokenStorage(t *testing.T) { defer k8s.DeleteNamespace(t, kubectlOptions, kubectlOptions.Namespace) // Prepare and apply resources - resources, err := prepareResources(kubectlOptions.Namespace, vaultVersion, "../deploy/crd/cr-disabled-root-token-storage.yaml", "rbac.yaml") + resources, err := prepareResources( + kubectlOptions.Namespace, + vaultVersion, + "../deploy/examples/base/rbac.yaml", + "../deploy/examples/cr-disabled-root-token-storage.yaml", + ) require.NoError(t, err) for _, resource := range resources { k8s.KubectlApplyFromString(t, kubectlOptions, string(resource)) 
@@ -276,9 +311,8 @@ func TestPriorityClass(t *testing.T) { resources, err := prepareResources( kubectlOptions.Namespace, vaultVersion, - "../deploy/crd/priorityclass.yaml", - "../deploy/crd/cr-priority.yaml", - "rbac.yaml", + "../deploy/examples/base/rbac.yaml", + "../deploy/examples/cr-priority.yaml", ) require.NoError(t, err) for _, resource := range resources { @@ -308,7 +342,12 @@ func TestOIDC(t *testing.T) { kubectlOptions := k8s.NewKubectlOptions("", "", "default") // Prepare and apply resources - resources, err := prepareResources(kubectlOptions.Namespace, vaultVersion, "../deploy/crd/cr-oidc.yaml", "rbac.yaml") + resources, err := prepareResources( + kubectlOptions.Namespace, + vaultVersion, + "../deploy/examples/base/rbac.yaml", + "../deploy/examples/cr-oidc.yaml", + ) require.NoError(t, err) for _, resource := range resources { k8s.KubectlApplyFromString(t, kubectlOptions, string(resource)) @@ -326,7 +365,7 @@ func TestOIDC(t *testing.T) { waitUntilPodSucceeded(t, kubectlOptions, "oidc", 60, 10*time.Second) // Clean up - k8s.KubectlDelete(t, kubectlOptions, "../deploy/crd/cr-oidc.yaml") + k8s.KubectlDelete(t, kubectlOptions, "../deploy/examples/cr-oidc.yaml") k8s.RunKubectl(t, kubectlOptions, "delete", "secret", "vault-unseal-keys") k8s.KubectlDelete(t, kubectlOptions, oidcPodFilePath) } From 92b923ad7d219375f05446430506510e366de8e4 Mon Sep 17 00:00:00 2001 From: Ramiz Polic Date: Tue, 27 Jun 2023 13:46:03 +0200 Subject: [PATCH 5/8] chore: resolve deployment examples 
Signed-off-by: Ramiz Polic --- Makefile | 16 ++++++++-------- deploy/dev/multi-dc/test/multi-dc-raft.sh | 2 +- deploy/examples/{base => default}/crd.yaml | 0 deploy/examples/{base => default}/rbac.yaml | 0 .../issuer.yaml => vault-cert-issuer.yaml} | 0 .../config.yaml => vault-config-default.yaml} | 2 +- ...cret.yaml => vault-config-from-secret.yaml} | 0 ...g-jwt-groups.yaml => vault-config-jwt.yaml} | 2 +- ...vault-scc.yaml => vault-openshift-scc.yaml} | 0 ...ro-backup.yaml => vault-velero-backup.yaml} | 0 test/acceptance_test.go | 18 +++++++++--------- 11 files changed, 20 insertions(+), 20 deletions(-) rename deploy/examples/{base => default}/crd.yaml (100%) rename deploy/examples/{base => default}/rbac.yaml (100%) rename deploy/examples/{base/issuer.yaml => vault-cert-issuer.yaml} (100%) rename deploy/examples/{base/config.yaml => vault-config-default.yaml} (90%) rename deploy/examples/{base/secret.yaml => vault-config-from-secret.yaml} (100%) rename deploy/examples/{base/config-jwt-groups.yaml => vault-config-jwt.yaml} (98%) rename deploy/examples/{openshift-vault-scc.yaml => vault-openshift-scc.yaml} (100%) rename deploy/examples/{velero-backup.yaml => vault-velero-backup.yaml} (100%) diff --git a/Makefile b/Makefile index 9ce43b0a..d0f3e017 100644 --- a/Makefile +++ b/Makefile 
@@ -33,14 +33,14 @@ build: ## Build binary .PHONY: run run: ## Run the operator locally talking to a Kubernetes cluster - kubectl replace -f deploy/examples/base/crd.yaml || kubectl create -f deploy/examples/base/crd.yaml - kubectl apply -f deploy/examples/base/rbac.yaml + kubectl replace -f deploy/examples/default/crd.yaml || kubectl create -f deploy/examples/default/crd.yaml + kubectl apply -f deploy/examples/default/rbac.yaml OPERATOR_NAME=vault-dev go run cmd/manager/main.go -verbose .PHONY: clean clean: ## Clean operator resources from a Kubernetes cluster - kubectl delete -f deploy/examples/base/crd.yaml - kubectl delete -f deploy/examples/base/rbac.yaml + kubectl delete -f deploy/examples/default/crd.yaml + kubectl delete -f deploy/examples/default/rbac.yaml .PHONY: artifacts artifacts: container-image helm-chart @@ -105,10 +105,10 @@ generate-code: ## Regenerate clientset, deepcopy funcs, listers and informers .PHONY: generate-crds generate-crds: ## Regenerate CRDs in the Helm chart and examples - controller-gen crd:maxDescLen=0 paths=./pkg/... output:crd:artifacts:config=./deploy/examples/base - cp deploy/examples/base/vault.banzaicloud.com_vaults.yaml deploy/charts/vault-operator/crds/crd.yaml - cp deploy/examples/base/vault.banzaicloud.com_vaults.yaml deploy/examples/base/crd.yaml - rm deploy/examples/base/vault.banzaicloud.com_vaults.yaml + controller-gen crd:maxDescLen=0 paths=./pkg/... output:crd:artifacts:config=./deploy/examples/default + cp deploy/examples/default/vault.banzaicloud.com_vaults.yaml deploy/charts/vault-operator/crds/crd.yaml + cp deploy/examples/default/vault.banzaicloud.com_vaults.yaml deploy/examples/default/crd.yaml + rm deploy/examples/default/vault.banzaicloud.com_vaults.yaml .PHONY: generate-helm-docs generate-helm-docs: diff --git a/deploy/dev/multi-dc/test/multi-dc-raft.sh b/deploy/dev/multi-dc/test/multi-dc-raft.sh index 96019847..9321e1b3 100755 --- a/deploy/dev/multi-dc/test/multi-dc-raft.sh 
+++ b/deploy/dev/multi-dc/test/multi-dc-raft.sh @@ -83,7 +83,7 @@ function install_instance { helm upgrade --install vault-operator ./deploy/charts/vault-operator --wait --set image.tag=${OPERATOR_VERSION} --set image.pullPolicy=Never --set image.bankVaultsTag=${BANK_VAULTS_VERSION} - kubectl apply -f deploy/examples/base/rbac.yaml + kubectl apply -f deploy/examples/default/rbac.yaml envtpl deploy/dev/multi-dc/test/cr-"${INSTANCE}".yaml | kubectl apply -f - echo "Waiting for for ${INSTANCE} vault instance..." diff --git a/deploy/examples/base/crd.yaml b/deploy/examples/default/crd.yaml similarity index 100% rename from deploy/examples/base/crd.yaml rename to deploy/examples/default/crd.yaml diff --git a/deploy/examples/base/rbac.yaml b/deploy/examples/default/rbac.yaml similarity index 100% rename from deploy/examples/base/rbac.yaml rename to deploy/examples/default/rbac.yaml diff --git a/deploy/examples/base/issuer.yaml b/deploy/examples/vault-cert-issuer.yaml similarity index 100% rename from deploy/examples/base/issuer.yaml rename to deploy/examples/vault-cert-issuer.yaml diff --git a/deploy/examples/base/config.yaml b/deploy/examples/vault-config-default.yaml similarity index 90% rename from deploy/examples/base/config.yaml rename to deploy/examples/vault-config-default.yaml index e3dd2326..a5b73d7f 100644 --- a/deploy/examples/base/config.yaml +++ b/deploy/examples/vault-config-default.yaml @@ -4,7 +4,7 @@ metadata: labels: app.kubernetes.io/name: vault-configurator vault_cr: vault - name: second-config + name: config-default-example data: vault-config.yml: | audit: diff --git a/deploy/examples/base/secret.yaml b/deploy/examples/vault-config-from-secret.yaml similarity index 100% rename from deploy/examples/base/secret.yaml rename to deploy/examples/vault-config-from-secret.yaml 
diff --git a/deploy/examples/base/config-jwt-groups.yaml b/deploy/examples/vault-config-jwt.yaml similarity index 98% rename from deploy/examples/base/config-jwt-groups.yaml rename to deploy/examples/vault-config-jwt.yaml index 8f94cedb..282993e6 100644 --- a/deploy/examples/base/config-jwt-groups.yaml +++ b/deploy/examples/vault-config-jwt.yaml @@ -4,7 +4,7 @@ metadata: labels: app.kubernetes.io/name: vault-configurator vault_cr: vault - name: jwt-full-example + name: config-jwt-example data: vault-config.yml: | auth: diff --git a/deploy/examples/openshift-vault-scc.yaml b/deploy/examples/vault-openshift-scc.yaml similarity index 100% rename from deploy/examples/openshift-vault-scc.yaml rename to deploy/examples/vault-openshift-scc.yaml diff --git a/deploy/examples/velero-backup.yaml b/deploy/examples/vault-velero-backup.yaml similarity index 100% rename from deploy/examples/velero-backup.yaml rename to deploy/examples/vault-velero-backup.yaml diff --git a/test/acceptance_test.go b/test/acceptance_test.go index a948b61c..fbb4c797 100644 --- a/test/acceptance_test.go +++ b/test/acceptance_test.go @@ -124,7 +124,7 @@ func TestKvv2(t *testing.T) { resources, err := prepareResources( kubectlOptions.Namespace, vaultVersion, - "../deploy/examples/base/rbac.yaml", + "../deploy/examples/default/rbac.yaml", "../deploy/examples/cr-kvv2.yaml", ) require.NoError(t, err) @@ -146,7 +146,7 @@ func TestStatsd(t *testing.T) { resources, err := prepareResources( kubectlOptions.Namespace, vaultVersion, - "../deploy/examples/base/rbac.yaml", + "../deploy/examples/default/rbac.yaml", "../deploy/examples/cr-statsd.yaml", ) require.NoError(t, err) @@ -169,7 +169,7 @@ func TestExternalSecretsWatcherDeployment(t *testing.T) { kubectlOptions.Namespace, vaultVersion, "deploy/test-external-secrets-watch-deployment.yaml", - "../deploy/examples/base/rbac.yaml", + "../deploy/examples/default/rbac.yaml", ) require.NoError(t, err) for _, resource := range resources { 
@@ -197,7 +197,7 @@ func TestExternalSecretsWatcherSecrets(t *testing.T) { kubectlOptions.Namespace, vaultVersion, "deploy/test-external-secrets-watch-deployment.yaml", - "../deploy/examples/base/rbac.yaml", + "../deploy/examples/default/rbac.yaml", ) require.NoError(t, err) for _, resource := range resources { @@ -225,7 +225,7 @@ func TestRaft(t *testing.T) { resources, err := prepareResources( kubectlOptions.Namespace, vaultVersion, - "../deploy/examples/base/rbac.yaml", + "../deploy/examples/default/rbac.yaml", "../deploy/examples/cr-raft.yaml", ) require.NoError(t, err) @@ -249,7 +249,7 @@ func TestSoftHSM(t *testing.T) { resources, err := prepareResources( kubectlOptions.Namespace, vaultVersion, - "../deploy/examples/base/rbac.yaml", + "../deploy/examples/default/rbac.yaml", "../deploy/examples/cr-hsm-softhsm.yaml", ) require.NoError(t, err) @@ -271,7 +271,7 @@ func TestDisabledRootTokenStorage(t *testing.T) { resources, err := prepareResources( kubectlOptions.Namespace, vaultVersion, - "../deploy/examples/base/rbac.yaml", + "../deploy/examples/default/rbac.yaml", "../deploy/examples/cr-disabled-root-token-storage.yaml", ) require.NoError(t, err) @@ -311,7 +311,7 @@ func TestPriorityClass(t *testing.T) { resources, err := prepareResources( kubectlOptions.Namespace, vaultVersion, - "../deploy/examples/base/rbac.yaml", + "../deploy/examples/default/rbac.yaml", "../deploy/examples/cr-priority.yaml", ) require.NoError(t, err) @@ -345,7 +345,7 @@ func TestOIDC(t *testing.T) { resources, err := prepareResources( kubectlOptions.Namespace, vaultVersion, - "../deploy/examples/base/rbac.yaml", + "../deploy/examples/default/rbac.yaml", "../deploy/examples/cr-oidc.yaml", ) require.NoError(t, err) From 5296d32595e3bfcfddacd6d378a6acb6ea719e98 Mon Sep 17 00:00:00 2001 From: Ramiz Polic Date: Tue, 27 Jun 2023 13:50:54 +0200 Subject: [PATCH 6/8] chore: update default deployment resource paths 
Signed-off-by: Ramiz Polic --- Makefile | 16 ++++++++-------- deploy/{examples => }/default/crd.yaml | 0 deploy/{examples => }/default/rbac.yaml | 0 deploy/dev/multi-dc/test/multi-dc-raft.sh | 2 +- test/acceptance_test.go | 18 +++++++++--------- 5 files changed, 18 insertions(+), 18 deletions(-) rename deploy/{examples => }/default/crd.yaml (100%) rename deploy/{examples => }/default/rbac.yaml (100%) diff --git a/Makefile b/Makefile index d0f3e017..5e341257 100644 --- a/Makefile +++ b/Makefile @@ -33,14 +33,14 @@ build: ## Build binary .PHONY: run run: ## Run the operator locally talking to a Kubernetes cluster - kubectl replace -f deploy/examples/default/crd.yaml || kubectl create -f deploy/examples/default/crd.yaml - kubectl apply -f deploy/examples/default/rbac.yaml + kubectl replace -f deploy/default/crd.yaml || kubectl create -f deploy/default/crd.yaml + kubectl apply -f deploy/default/rbac.yaml OPERATOR_NAME=vault-dev go run cmd/manager/main.go -verbose .PHONY: clean clean: ## Clean operator resources from a Kubernetes cluster - kubectl delete -f deploy/examples/default/crd.yaml - kubectl delete -f deploy/examples/default/rbac.yaml + kubectl delete -f deploy/default/crd.yaml + kubectl delete -f deploy/default/rbac.yaml .PHONY: artifacts artifacts: container-image helm-chart 
@@ -105,10 +105,10 @@ generate-code: ## Regenerate clientset, deepcopy funcs, listers and informers
 
 .PHONY: generate-crds
 generate-crds: ## Regenerate CRDs in the Helm chart and examples
- controller-gen crd:maxDescLen=0 paths=./pkg/... output:crd:artifacts:config=./deploy/examples/default
- cp deploy/examples/default/vault.banzaicloud.com_vaults.yaml deploy/charts/vault-operator/crds/crd.yaml
- cp deploy/examples/default/vault.banzaicloud.com_vaults.yaml deploy/examples/default/crd.yaml
- rm deploy/examples/default/vault.banzaicloud.com_vaults.yaml
+ controller-gen crd:maxDescLen=0 paths=./pkg/... output:crd:artifacts:config=./deploy/default
+ cp deploy/default/vault.banzaicloud.com_vaults.yaml deploy/charts/vault-operator/crds/crd.yaml
+ cp deploy/default/vault.banzaicloud.com_vaults.yaml deploy/default/crd.yaml
+ rm deploy/default/vault.banzaicloud.com_vaults.yaml
 
 .PHONY: generate-helm-docs
 generate-helm-docs:
diff --git a/deploy/examples/default/crd.yaml b/deploy/default/crd.yaml
similarity index 100%
rename from deploy/examples/default/crd.yaml
rename to deploy/default/crd.yaml
diff --git a/deploy/examples/default/rbac.yaml b/deploy/default/rbac.yaml
similarity index 100%
rename from deploy/examples/default/rbac.yaml
rename to deploy/default/rbac.yaml
diff --git a/deploy/dev/multi-dc/test/multi-dc-raft.sh b/deploy/dev/multi-dc/test/multi-dc-raft.sh
index 9321e1b3..4396e974 100755
--- a/deploy/dev/multi-dc/test/multi-dc-raft.sh
+++ b/deploy/dev/multi-dc/test/multi-dc-raft.sh
@@ -83,7 +83,7 @@ function install_instance {
 helm upgrade --install vault-operator ./deploy/charts/vault-operator --wait --set image.tag=${OPERATOR_VERSION} --set image.pullPolicy=Never --set image.bankVaultsTag=${BANK_VAULTS_VERSION}
- kubectl apply -f deploy/examples/default/rbac.yaml
+ kubectl apply -f deploy/default/rbac.yaml
 envtpl deploy/dev/multi-dc/test/cr-"${INSTANCE}".yaml | kubectl apply -f -
 echo "Waiting for for ${INSTANCE} vault instance..."
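Review bot: The help text on the unchanged context line `generate-crds: ## Regenerate CRDs in the Helm chart and examples` is stale after this hunk: the four rewritten recipe lines generate into `./deploy/default` and copy into `deploy/charts/vault-operator/crds/crd.yaml`, and `deploy/examples` is no longer touched. Update it to `generate-crds: ## Regenerate CRDs in the Helm chart and deploy/default`. As a point of style, the second `cp` plus the trailing `rm` can collapse into `mv deploy/default/vault.banzaicloud.com_vaults.yaml deploy/default/crd.yaml`, so the intermediate file never lingers in `deploy/default` if the recipe stops early. The `multi-dc-raft.sh` hunk on the same line is a pure path change and needs nothing.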
diff --git a/test/acceptance_test.go b/test/acceptance_test.go
index fbb4c797..68eb1b82 100644
--- a/test/acceptance_test.go
+++ b/test/acceptance_test.go
@@ -124,7 +124,7 @@ func TestKvv2(t *testing.T) {
 resources, err := prepareResources(
 kubectlOptions.Namespace,
 vaultVersion,
- "../deploy/examples/default/rbac.yaml",
+ "../deploy/default/rbac.yaml",
 "../deploy/examples/cr-kvv2.yaml",
 )
 require.NoError(t, err)
@@ -146,7 +146,7 @@ func TestStatsd(t *testing.T) {
 resources, err := prepareResources(
 kubectlOptions.Namespace,
 vaultVersion,
- "../deploy/examples/default/rbac.yaml",
+ "../deploy/default/rbac.yaml",
 "../deploy/examples/cr-statsd.yaml",
 )
 require.NoError(t, err)
@@ -169,7 +169,7 @@ func TestExternalSecretsWatcherDeployment(t *testing.T) {
 kubectlOptions.Namespace,
 vaultVersion,
 "deploy/test-external-secrets-watch-deployment.yaml",
- "../deploy/examples/default/rbac.yaml",
+ "../deploy/default/rbac.yaml",
 )
 require.NoError(t, err)
 for _, resource := range resources {
@@ -197,7 +197,7 @@ func TestExternalSecretsWatcherSecrets(t *testing.T) {
 kubectlOptions.Namespace,
 vaultVersion,
 "deploy/test-external-secrets-watch-deployment.yaml",
- "../deploy/examples/default/rbac.yaml",
+ "../deploy/default/rbac.yaml",
 )
 require.NoError(t, err)
 for _, resource := range resources {
@@ -225,7 +225,7 @@ func TestRaft(t *testing.T) {
 resources, err := prepareResources(
 kubectlOptions.Namespace,
 vaultVersion,
- "../deploy/examples/default/rbac.yaml",
+ "../deploy/default/rbac.yaml",
 "../deploy/examples/cr-raft.yaml",
 )
 require.NoError(t, err)
@@ -249,7 +249,7 @@ func TestSoftHSM(t *testing.T) {
 resources, err := prepareResources(
 kubectlOptions.Namespace,
 vaultVersion,
- "../deploy/examples/default/rbac.yaml",
+ "../deploy/default/rbac.yaml",
 "../deploy/examples/cr-hsm-softhsm.yaml",
 )
 require.NoError(t, err)
@@ -271,7 +271,7 @@ func TestDisabledRootTokenStorage(t *testing.T) {
 resources, err := prepareResources(
 kubectlOptions.Namespace,
 vaultVersion,
- "../deploy/examples/default/rbac.yaml",
+ "../deploy/default/rbac.yaml",
 "../deploy/examples/cr-disabled-root-token-storage.yaml",
 )
 require.NoError(t, err)
@@ -311,7 +311,7 @@ func TestPriorityClass(t *testing.T) {
 resources, err := prepareResources(
 kubectlOptions.Namespace,
 vaultVersion,
- "../deploy/examples/default/rbac.yaml",
+ "../deploy/default/rbac.yaml",
 "../deploy/examples/cr-priority.yaml",
 )
 require.NoError(t, err)
@@ -345,7 +345,7 @@ func TestOIDC(t *testing.T) {
 resources, err := prepareResources(
 kubectlOptions.Namespace,
 vaultVersion,
- "../deploy/examples/default/rbac.yaml",
+ "../deploy/default/rbac.yaml",
 "../deploy/examples/cr-oidc.yaml",
 )
 require.NoError(t, err)
From 8f7035b7b1cfca7fd141ec2b47497a8c091bb64c Mon Sep 17 00:00:00 2001
From: Ramiz Polic
Date: Tue, 27 Jun 2023 15:10:14 +0200
Subject: [PATCH 7/8] chore: simplify istio example
Signed-off-by: Ramiz Polic
---
 deploy/examples/cr-istio.yaml | 100 +---------------------------------
 1 file changed, 1 insertion(+), 99 deletions(-)
diff --git a/deploy/examples/cr-istio.yaml b/deploy/examples/cr-istio.yaml
index de9375df..9353f04c 100644
--- a/deploy/examples/cr-istio.yaml
+++ b/deploy/examples/cr-istio.yaml
@@ -2,7 +2,6 @@ apiVersion: "vault.banzaicloud.com/v1alpha1"
 kind: Vault
 metadata:
 name: vault
- namespace: vault
 spec:
 size: 1
 image: vault:1.3.1
@@ -96,7 +95,7 @@ spec:
 # This is true by default
 preFlightChecks: true
 kubernetes:
- secretNamespace: vault
+ secretNamespace: default
 
 # A YAML representation of a final vault config file.
 # See https://www.vaultproject.io/docs/configuration/ for more information.
@@ -200,7 +199,6 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
 name: vault-file
- namespace: vault
 spec:
 # https://kubernetes.io/docs/concepts/storage/persistent-volumes/#class-1
 # storageClassName: ""
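Review bot: The new `secretNamespace: default` line points at a namespace this example no longer provisions RBAC for: the `vault-secrets` Role/RoleBinding that granted the `vault` ServiceAccount `*` on Secrets in namespace `vault`, and the `vault-auth-delegator` ClusterRoleBinding, are deleted in the last hunk of this file, and the `namespace: vault` lines are dropped from the Vault CR and the PVC in the other two hunks. The example now silently depends on `deploy/default/rbac.yaml` (which the Makefile and acceptance tests in this series apply) being present in the namespace the CR lands in; presumably that is where the operator writes this instance's Secrets, and if that manifest carries no auth-delegator binding, Kubernetes-auth token review from this instance would stop working — worth confirming. Add a pointer above `kubernetes:`, e.g. `# Requires deploy/default/rbac.yaml applied in the same namespace (ServiceAccount, Secrets role, auth-delegator binding).` The Vault CR spec continues outside these hunks.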
@@ -209,99 +207,3 @@ spec: resources: requests: storage: 1Gi - ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: vault - namespace: vault - ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: vault-secrets - namespace: vault -rules: - - apiGroups: - - "" - resources: - - secrets - verbs: - - "*" - ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: vault-secrets - namespace: vault -roleRef: - kind: Role - name: vault-secrets - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: vault - ---- -# This binding allows the deployed Vault instance to authenticate clients -# through Kubernetes ServiceAccounts (if configured so). -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: vault-auth-delegator -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: - - kind: ServiceAccount - name: vault - namespace: vault - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: app - namespace: app -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: app - template: - metadata: - labels: - app.kubernetes.io/name: app - annotations: - vault.security.banzaicloud.io/vault-addr: "https://vault.vault:8200" - vault.security.banzaicloud.io/vault-tls-secret: vault-tls - spec: - # initContainers only works if Vault is having PERMISSIVE authentication policy in Istio - initContainers: - - name: init-ubuntu - image: ubuntu - command: - [ - "sh", - "-c", - "echo $AWS_SECRET_ACCESS_KEY && echo initContainers ready", - ] - env: - - name: AWS_SECRET_ACCESS_KEY - value: vault:secret/data/accounts/aws#${.AWS_SECRET_ACCESS_KEY} # Go templates are also supported with ${} delimiters - containers: - - name: app - image: alpine - command: - [ - "sh", - "-c", - "echo $AWS_SECRET_ACCESS_KEY && echo going to sleep... 
&& sleep 10000", - ] - env: - - name: AWS_SECRET_ACCESS_KEY - value: vault:secret/data/accounts/aws#AWS_SECRET_ACCESS_KEY From ac47e22da9ecd27fdede9db45e78bea88f04245d Mon Sep 17 00:00:00 2001 From: Ramiz Polic Date: Tue, 27 Jun 2023 16:31:59 +0200 Subject: [PATCH 8/8] chore: finalize base project cleanup Signed-off-by: Ramiz Polic --- .dockerignore | 7 +- .yamlignore | 5 +- .../validate-config-crud.sh | 413 ------------------ .../validate-config-crud/vault-config.yml | 86 ---- 4 files changed, 6 insertions(+), 505 deletions(-) delete mode 100755 hack/scripts/validate-config-crud/validate-config-crud.sh delete mode 100644 hack/scripts/validate-config-crud/vault-config.yml diff --git a/.dockerignore b/.dockerignore index a17d5ccb..76cb7aea 100644 --- a/.dockerignore +++ b/.dockerignore @@ -3,9 +3,8 @@ /.github/ /bin/ /build/ +/deploy/ +/Dockerfile /e2e/ -/test/ /hack/ -/deploy/ - -/Dockerfile \ No newline at end of file +/test/ diff --git a/.yamlignore b/.yamlignore index 39393980..0fa46f2b 100644 --- a/.yamlignore +++ b/.yamlignore @@ -1,3 +1,4 @@ -/test/ -/e2e/ /deploy/ +/e2e/deploy/ +/e2e/test/ +/test/ diff --git a/hack/scripts/validate-config-crud/validate-config-crud.sh b/hack/scripts/validate-config-crud/validate-config-crud.sh deleted file mode 100755 index 2eedef5f..00000000 --- a/hack/scripts/validate-config-crud/validate-config-crud.sh +++ /dev/null 
@@ -1,413 +0,0 @@ -#!/bin/bash -# -# Validate Bank-Vaults configuration CRUD to make sure the creation and deletion work as expected. -# It will be used in the CI pipelines. This is the first iteration, and in the next iteration it could be replaced -# with a testing freamwork/library. "Terratest" could be a good candidate for that. - -log_level=${LOG_LEVEL:-'info'} - -set -euo pipefail - -if [ "${log_level,,}" == 'debug' ]; then - set -x -fi - -bank_vaults_config_key="${1}" -bank_vaults_config_file_orig="hack/scripts/validate-config-crud/vault-config.yml" -bank_vaults_config_file="${BANK_VAULTS_CONFIG_FILE:-/tmp/vault-config.yml}" - -# A hacky way to use "yq" to get a section from a YAML and keeping the key used in the query. -bank_vaults_config_copy_section () { - local key_name="${1}" - - key_value="$(yq .\"${key_name}\" ${bank_vaults_config_file_orig})" \ - yq --null-input '.'\"${key_name}\"' = env(key_value)' -} - -# Create bank-vaults config with specific section(s). -bank_vaults_config_copy () { - # Note: To ignore the indentation of "Here-Document" inside the cat command, - # tabs are used before all lines till 2nd EOF. Make sure to use tabs (and tabs only) otherwise it will not work. - cat <<-EOF > "${bank_vaults_config_file}" - ` - bank_vaults_config_copy_section "purgeUnmanagedConfig" - for key_name in ${1}; do - bank_vaults_config_copy_section "${key_name}"; - done - ` - EOF - - cat "${bank_vaults_config_file}" - sleep 1 -} - -# Bank-Vaults watchs the actual file change not changes in the file so here we mimic creating a new file. -bank_vaults_config_touch () { - cp -a "${bank_vaults_config_file}" "${bank_vaults_config_file}.tmp" - cat "${bank_vaults_config_file}.tmp" > "${bank_vaults_config_file}" - rm "${bank_vaults_config_file}.tmp" - - sleep 1 -} - -test_case_passed () { - echo "[PASSED] Test case successfully passed." 
-} - - -# -# Test group - Audit -# -audit_test () { - bank_vaults_config_copy "audit" - local get_vault_values_json='vault audit list -format=json' - - # - ## Case 1. - echo -e "\nCase 1: Check audit in the config have been added." - - test "$(${get_vault_values_json} | jq -r '."audit_foo/".type')" == "file"; test_case_passed - test "$(${get_vault_values_json} | jq -r '."audit_bar/".type')" == "file"; test_case_passed - # If the "path" key is not defined, then the "type" value should be used as "path". - test "$(${get_vault_values_json} | jq -r '."file/".type')" == "file"; test_case_passed - - # - ## Case 2. - echo -e "\nCase 2: Vault config removed when purgeUnmanagedConfig is enabled." - - # 2.1. Remove audit from the config. - yq -i 'del(.audit[] | select(.path == "audit_foo"))' "${bank_vaults_config_file}" - bank_vaults_config_touch - - # 2.2. Check the removed audit is NOT in Vault. - test "$(${get_vault_values_json} | jq -r '."audit_foo/".type')" == "null"; test_case_passed - - # - ## Case 3. - echo -e "\nCase 3: Vault config exists when the config excluded in purgeUnmanagedConfig." - - # 3.1. Disable purge for audit. - yq -i '.purgeUnmanagedConfig.exclude.audit = true' "${bank_vaults_config_file}" - - # 3.2. Remove audit from the config. - yq -i 'del(.audit[] | select(.path == "audit_bar"))' "${bank_vaults_config_file}" - bank_vaults_config_touch - - # 3.3. Check the removed audit is IN Vault. - test "$(${get_vault_values_json} | jq -r '."audit_bar/".type')" == "file"; test_case_passed - - # - ## Success. - echo "All audit test cases have been passed." -} - - -# -# Test group - Auth -# -auth_test () { - bank_vaults_config_copy "auth" - local get_vault_values_json='vault auth list -format=json' - - # - ## Case 1. - echo -e "\nCase 1: Check auths in the config have been added." 
- - test "$(${get_vault_values_json} | jq -r '."auth_foo/".type')" == "approle"; test_case_passed - test "$(${get_vault_values_json} | jq -r '."auth_bar/".type')" == "userpass"; test_case_passed - # If the "path" key is not defined, then the "type" value should be used as "path". - test "$(${get_vault_values_json} | jq -r '."userpass/".type')" == "userpass"; test_case_passed - - # - ## Case 2. - echo -e "\nCase 2: Vault config removed when purgeUnmanagedConfig is enabled." - - # 2.1. Remove auth from the config. - yq -i 'del(.auth[] | select(.path == "auth_foo"))' "${bank_vaults_config_file}" - bank_vaults_config_touch - - # 2.2. Check the removed auth is NOT in Vault. - test "$(${get_vault_values_json} | jq -r '."auth_foo/".type')" == "null"; test_case_passed - - # - ## Case 3. - echo -e "\nCase 3: Vault config exists when the config excluded in purgeUnmanagedConfig." - - # 3.1. Disable purge for auth. - yq -i '.purgeUnmanagedConfig.exclude.auth = true' "${bank_vaults_config_file}" - - # 3.2. Remove auth from the config. - yq -i 'del(.auth[] | select(.path == "auth_bar"))' "${bank_vaults_config_file}" - bank_vaults_config_touch - - # 3.3. Check the removed auth is IN Vault. - test "$(${get_vault_values_json} | jq -r '."auth_bar/".type')" == "userpass"; test_case_passed - - # - ## Success. - echo "All auth test cases have been passed." -} - - -# -# Test group - Groups -# -groups_test () { - bank_vaults_config_copy 'groups' - local get_vault_values_json='vault list -format=json identity/group/name' - - # - ## Case 1. - echo -e "\nCase 1: Check groups in the config have been added." - - test "$(${get_vault_values_json} | jq -r '.[] | select(. == "group_foo")')" == "group_foo"; test_case_passed - test "$(${get_vault_values_json} | jq -r '.[] | select(. == "group_bar")')" == "group_bar"; test_case_passed - - # - ## Case 2. - echo -e "\nCase 2: Vault config removed when purgeUnmanagedConfig is enabled." - - # 2.1. Remove group from the config. 
- yq -i 'del(.groups[] | select(.name == "group_foo"))' "${bank_vaults_config_file}" - bank_vaults_config_touch - - # 2.2. Check the removed group is NOT in Vault. - test "$(${get_vault_values_json} | jq -r '.[] | select(. == "group_foo")')" == ""; test_case_passed - - # - ## Case 3. - echo -e "\nCase 3: Vault config exists when the config excluded in purgeUnmanagedConfig." - - # 3.1. Disable purge for group. - yq -i '.purgeUnmanagedConfig.exclude.groups = true' "${bank_vaults_config_file}" - - # 3.2. Remove group from the config. - yq -i 'del(.groups[] | select(.name == "group_bar"))' "${bank_vaults_config_file}" - bank_vaults_config_touch - - # 3.3. Check the removed group is IN Vault. - test "$(${get_vault_values_json} | jq -r '.[] | select(. == "group_bar")')" == "group_bar"; test_case_passed - - # - ## Success. - echo "All groups test cases have been passed." -} - - -# -# Test group - Group-Aliases -# -group_aliases_test () { - # NOTE: group-aliases has a different test style because Vault exposes only group-aliases IDs not the names directly. - bank_vaults_config_copy 'auth groups group-aliases' - - group_aliases_ids () { - vault list -format=json identity/group-alias/id | jq -r '.[]' - } - - # - ## Case 1. - echo -e "\nCase 1: Check group-aliases in the config have been added." - - sleep 2 - for group_aliases_id in $(group_aliases_ids); do - vault read -format=json identity/group-alias/id/${group_aliases_id} | jq -r '.data.name' \ - | egrep "group_aliases_foo|group_aliases_bar" - done - test_case_passed - - # - ## Case 2. - echo -e "\nCase 2: Vault config removed when purgeUnmanagedConfig is enabled." - - # 2.1. Remove group-aliase from the config. - yq -i 'del(.group-aliases[] | select(.name == "group_aliases_foo"))' "${bank_vaults_config_file}" - bank_vaults_config_touch - - # 2.2. Check the removed group-aliase is NOT in Vault. 
- sleep 2 - for group_aliases_id in $(group_aliases_ids); do - vault read -format=json identity/group-alias/id/${group_aliases_id} | jq -r '.data.name' \ - | (! grep "group_aliases_foo") - done - test_case_passed - - # - ## Case 3. - echo -e "\nCase 3: Vault config exists when the config excluded in purgeUnmanagedConfig." - - # 3.1. Disable purge for group-aliase. - yq -i '.purgeUnmanagedConfig.exclude.group-aliases = true' "${bank_vaults_config_file}" - - # 3.2. Remove group-aliase from the config. - yq -i 'del(.group-aliases[] | select(.name == "group_aliases_bar"))' "${bank_vaults_config_file}" - bank_vaults_config_touch - - # 3.3. Check the removed group is IN Vault. - sleep 2 - for group_aliases_id in $(group_aliases_ids); do - vault read -format=json identity/group-alias/id/${group_aliases_id} | jq -r '.data.name' \ - | grep "group_aliases_bar" - done - test_case_passed - - # - ## Success. - echo "All group-aliases test cases have been passed." -} - - -# -# Test group - StartupSecrets -# -startup_secrets_test () { - # Note: The "startupSecrets" doesn't have purge option; hence, we only check the values. - bank_vaults_config_copy "secrets startupSecrets" - sleep 2 - - # - ## Case 1. - echo -e "\nCase 1: Check startupSecrets in the config have been added." - test "$(vault kv get -field=secret passwords/foo)" == "foo"; test_case_passed - test "$(vault kv get -field=secret passwords/bar)" == "bar"; test_case_passed - - # - ## Success. - echo "All startupSecrets test cases have been passed." -} - - -# -# Test group - Secrets -# -secrets_test () { - bank_vaults_config_copy "secrets" - local get_vault_values_json='vault secrets list -format=json' - - # - ## Case 1. - echo -e "\nCase 1: Check secrets in the config have been added." 
- - test "$(${get_vault_values_json} | jq -r '."secret_foo/".type')" == "kv"; test_case_passed - test "$(${get_vault_values_json} | jq -r '."secret_bar/".type')" == "ssh"; test_case_passed - # If the "path" key is not defined, then the "type" value should be used as "path". - test "$(${get_vault_values_json} | jq -r '."ssh/".type')" == "ssh"; test_case_passed - - # - ## Case 2. - echo -e "\nCase 2: Vault config removed when purgeUnmanagedConfig is enabled." - - # 2.1. Remove secret from the config. - yq -i 'del(.secrets[] | select(.path == "secret_foo"))' "${bank_vaults_config_file}" - bank_vaults_config_touch - - # 2.2. Check the removed secret is NOT in Vault. - test "$(${get_vault_values_json} | jq -r '."secret_foo/".type')" == "null"; test_case_passed - - # - ## Case 3. - echo -e "\nCase 3: Vault config exists when the config excluded in purgeUnmanagedConfig." - - # 3.1. Disable purge for secrets. - yq -i '.purgeUnmanagedConfig.exclude.secrets = true' "${bank_vaults_config_file}" - - # 3.2. Remove secrets from the config. - yq 'del(.secrets[] | select(.path == "secret_bar"))' "${bank_vaults_config_file}" - bank_vaults_config_touch - - # 3.3. Check the removed secrets is IN Vault. - test "$(${get_vault_values_json} | jq -r '."secret_bar/".type')" == "ssh"; test_case_passed - - # - ## Success. - echo "All secrets test cases have been passed." -} - - -# -# Test group - Policies -# -policies_test () { - bank_vaults_config_copy 'policies' - local get_vault_values_json='vault policy list -format=json' - - # - ## Case 1. - echo -e "\nCase 1: Check policies in the config have been added." - - test "$(${get_vault_values_json} | jq -r '.[] | select(. == "policy_foo")')" == "policy_foo"; test_case_passed - test "$(${get_vault_values_json} | jq -r '.[] | select(. == "policy_bar")')" == "policy_bar"; test_case_passed - - # - ## Case 2. - echo -e "\nCase 2: Vault config removed when purgeUnmanagedConfig is enabled." - - # 2.1. Remove policy from the config. 
- yq -i 'del(.policies[] | select(.name == "policy_foo"))' "${bank_vaults_config_file}" - bank_vaults_config_touch - - # 2.2. Check the removed policy is NOT in Vault. - test "$(${get_vault_values_json} | jq -r '.[] | select(. == "policy_foo")')" == ""; test_case_passed - - # - ## Case 3. - echo -e "\nCase 3: Vault config exists when the config excluded in purgeUnmanagedConfig." - - # 3.1. Disable purge for policy. - yq -i '.purgeUnmanagedConfig.exclude.policies = true' "${bank_vaults_config_file}" - - # 3.2. Remove policy from the config. - yq -i 'del(.policies[] | select(.name == "policy_bar"))' "${bank_vaults_config_file}" - bank_vaults_config_touch - - # 3.3. Check the removed policy is IN Vault. - test "$(${get_vault_values_json} | jq -r '.[] | select(. == "policy_bar")')" == "policy_bar"; test_case_passed - - # - ## Success. - echo "All polices test cases have been passed." -} - -case ${bank_vaults_config_key} in - "all") - audit_test - auth_test - groups_test - group_aliases_test - policies_test - startup_secrets_test - secrets_test - ;; - - "audit") - audit_test - ;; - - "auth") - auth_test - ;; - - "groups") - groups_test - ;; - - "group-aliases") - group_aliases_test - ;; - - "policies") - policies_test - ;; - - "startupSecrets") - startup_secrets_test - ;; - - "secrets") - secrets_test - ;; - - *) - echo "This key is not supported." - ;; -esac diff --git a/hack/scripts/validate-config-crud/vault-config.yml b/hack/scripts/validate-config-crud/vault-config.yml deleted file mode 100644 index e1bd20fe..00000000 --- a/hack/scripts/validate-config-crud/vault-config.yml +++ /dev/null 
@@ -1,86 +0,0 @@ -purgeUnmanagedConfig: - enabled: true - # Each section will be excluded during the tests to test both cases (global enabled and individually excluded). - exclude: - audit: false - auth: false - group-aliases: false - groups: false - policies: false - secrets: false - -audit: - - path: audit_foo - type: file - options: - file_path: /tmp/foo.log - - path: audit_bar - type: file - options: - file_path: /tmp/foo.log - # The "path" would be defaulted to "type". - - type: file - options: - file_path: /tmp/file.log - -auth: - # The auth "auth_approle" is used in group-aliases tests. - - path: auth_approle - type: approle - - path: auth_foo - type: approle - - path: auth_bar - type: userpass - # The "path" would be defaulted to "type". - - type: userpass - -groups: - - name: group_foo - type: external - policies: - - policy_foo - - name: group_bar - type: external - policies: - - policy_bar - -group-aliases: - - name: group_aliases_foo - mountpath: auth_approle - group: group_foo - - name: group_aliases_bar - mountpath: auth_approle - group: group_bar - -policies: - - name: policy_foo - rules: | - path "foo" { capabilities = ["read"] } - - name: policy_bar - rules: | - path "bar" { capabilities = ["read"] } - -secrets: - # The secret "passwords" is used in startupSecrets tests. - - path: passwords - type: kv - options: - version: 2 - - path: secret_foo - type: kv - - path: secret_bar - type: ssh - # The "path" would be defaulted to "type". - - type: ssh - -startupSecrets: - - type: kv - path: passwords/data/foo - data: - data: - secret: foo - - type: kv - path: passwords/data/bar - data: - data: - secret: bar