Separate vault-manager to a new package

Isolating all vault-manager helm chart and related content into a new
package. Per STX.APP.12, STX.APP.13, vault-manager should be allowed to
be disabled so that another solution can be used to manage vault. The
file structure is also changed, so that vault-helm is under
helm-charts/upstream, and vault-manager-helm is under helm-chart/custom

Test Plan:
PASS	build all vault-related packages
PASS	Create new vault application tarball
PASS 	test existing vault features:
PASS		AIO-SX vault sanity
PASS		Vault rekey feature test
PASS		vault application update and watch PVC conversion

Story: 2010929
Task: 49600

Change-Id: I87cce3466ad905d00da715ce582baa28371135c1
Signed-off-by: Tae Park <tae.park@windriver.com>

debian_pkg_dirs

@@ -1,3 +1,4 @@
 python3-k8sapp-vault
 stx-vault-helm
-vault-helm
+helm-charts/upstream/vault-helm
+helm-charts/custom/vault-manager-helm

helm-charts/custom/vault-manager-helm/debian/deb_folder/changelog

@@ -0,0 +1,5 @@
+vault-manager-helm (1.0-1) unstable; urgency=medium
+
+  * Initial release.
+
+ --  Tae Park <tae.park@windriver.com>  Fri, 1 Mar 2021 09:08:42 +0000

helm-charts/custom/vault-manager-helm/debian/deb_folder/control

@@ -0,0 +1,16 @@
+Source: vault-manager-helm
+Section: libs
+Priority: optional
+Maintainer: StarlingX Developers <starlingx-discuss@lists.starlingx.io>
+Build-Depends: debhelper-compat (= 13),
+ helm,
+ build-info,
+Standards-Version: 4.5.1
+Homepage: https://www.starlingx.io
+
+Package: vault-manager-helm
+Section: libs
+Architecture: any
+Depends: ${misc:Depends}
+Description: StarlingX Vault Manager Helm Charts
+ This package contains helm charts for the vault manager application.

helm-charts/custom/vault-manager-helm/debian/deb_folder/copyright

@@ -0,0 +1,21 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: vault-manager-helm
+Source: https://opendev.org/starlingx/vault-armada-app/
+
+Files: *
+Copyright: (c) 2020-2024 Wind River Systems, Inc
+License: Apache-2
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+ .
+    https://www.apache.org/licenses/LICENSE-2.0
+ .
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ .
+ On Debian-based systems the full text of the Apache version 2.0 license
+ can be found in `/usr/share/common-licenses/Apache-2.0'.

helm-charts/custom/vault-manager-helm/debian/deb_folder/rules

@@ -0,0 +1,26 @@
+#!/usr/bin/make -f
+export DH_VERBOSE = 1
+
+export DEB_VERSION = $(shell dpkg-parsechangelog | egrep '^Version:' | cut -f 2 -d ' ')
+export PATCH_VERSION = $(shell echo $(DEB_VERSION) | cut -f 4 -d '.')
+export CHART_BASE_VERSION = $(shell echo $(DEB_VERSION) | sed 's/-/./' | cut -d '.' -f 1-3)
+export CHART_VERSION = $(CHART_BASE_VERSION)+STX.$(PATCH_VERSION)
+
+export ROOT = debian/tmp
+export APP_FOLDER = $(ROOT)/usr/lib/helm
+
+%:
+	dh $@
+
+override_dh_auto_build:
+	mkdir -p vault-manager
+	cp Chart.yaml values.yaml vault-manager
+	cp -r templates/ vault-manager
+	make CHART_VERSION=$(CHART_VERSION) vault-manager
+
+override_dh_auto_install:
+	# Install the app tar file.
+	install -d -m 755 $(APP_FOLDER)
+	install -p -D -m 755 vault-manager*.tgz $(APP_FOLDER)
+
+override_dh_auto_test:

helm-charts/custom/vault-manager-helm/debian/meta_data.yaml

@@ -0,0 +1,15 @@
+---
+debname: vault-manager-helm
+debver: 1.0-1
+src_path: vault-manager-helm
+src_files:
+  - vault-manager-helm/Makefile
+  - vault-manager-helm/vault-manager/templates/
+  - vault-manager-helm/vault-manager/Chart.yaml
+  - vault-manager-helm/vault-manager/values.yaml
+revision:
+  dist: $STX_DIST
+  stx_patch: 69
+  GITREVCOUNT:
+    SRC_DIR: ${MY_REPO}/stx/vault-armada-app/helm-charts/custom/vault-manager-helm
+    BASE_SRCREV: 05ccd6fea52da96968134eda00ebe51debd7082a

helm-charts/custom/vault-manager-helm/vault-manager-helm/Makefile

@@ -1,7 +1,7 @@
 #
 # Copyright 2017 The Openstack-Helm Authors.
 #
-# Copyright (c) 2019 Wind River Systems, Inc.
+# Copyright (c) 2024 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
@@ -9,8 +9,8 @@
 SHELL := /bin/bash
 TASK  := build
 
-EXCLUDES := helm-toolkit doc tests tools logs tmp
+EXCLUDES := doc tests tools logs tmp
-CHARTS := helm-toolkit $(filter-out $(EXCLUDES), $(patsubst %/.,%,$(wildcard */.)))
+CHARTS := $(filter-out $(EXCLUDES), $(patsubst %/.,%,$(wildcard */.)))
 
 .PHONY: $(EXCLUDES) $(CHARTS)
 
@@ -25,18 +25,16 @@ $(CHARTS):
 
 init-%:
 	if [ -f $*/Makefile ]; then make -C $*; fi
-	if [ -f $*/requirements.yaml ]; then helm dep up $*; fi
 
 lint-%: init-%
 	if [ -d $* ]; then helm lint $*; fi
 
-build-%: 
+build-%: lint-%
-	if [ -d $* ]; then helm package $*; fi
+	if [ -d $* ]; then helm package --version $(CHART_VERSION) $*; fi
 
 clean:
 	@echo "Clean all build artifacts"
 	rm -f */templates/_partials.tpl */templates/_globals.tpl
-	rm -f *tgz */charts/*tgz */requirements.lock
 	rm -rf */charts */tmpcharts
 
 %:

helm-charts/custom/vault-manager-helm/vault-manager-helm/README

@@ -0,0 +1,4 @@
+This directory contains the helm chart for Vault Manager. Rather than
+being installed on the Starlingx cluster, this Vault-Manager chart is
+included within the Vault application tarball in the stx-vault-helm
+package.

helm-charts/custom/vault-manager-helm/vault-manager-helm/vault-manager/Chart.yaml

@@ -0,0 +1,10 @@
+#
+# Copyright (c) 2024 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+apiVersion: v2
+appVersion: "1.0.1"
+description: Vault manager helm chart
+name: vault-manager
+version: 1.0.1

helm-charts/custom/vault-manager-helm/vault-manager-helm/vault-manager/templates/vault-init.yaml

@@ -10,8 +10,8 @@ data:
 
     # Template vaules from helm
     VAULT_NS={{ .Release.Namespace }}
-    VAULT_NAME={{ template "vault.name" .}}
+    VAULT_NAME={{ .Values.vault.name }}
-    VAULT_FN={{ template "vault.fullname" . }}
+    VAULT_FN={{ .Values.vault.fullname }}
     HA_REPLICAS={{ .Values.server.ha.replicas }}
 
     # Set the domain for resolving pod names
@@ -1413,7 +1413,7 @@ data:
     # from PVC.
     #
     # See also the function mountHelper and the ConfigMap named:
-    #     {{ include "vault.name" . }}-mount-helper
+    #     {{ .Values.vault.name }}-mount-helper
     #
     # This function does not support overwriting an existing
     # cluster-key-* secret, but it does support validating those secrets
@@ -3371,7 +3371,7 @@ metadata:
         .: {}
         f:init.sh: {}
     manager: vault-init-unseal
-  name: vault-init-unseal-2
+  name: vault-init-unseal-3
   namespace: {{ .Release.Namespace }}
 ---
 apiVersion: v1
@@ -3384,8 +3384,8 @@ metadata:
       f:data:
         .: {}
         f:pvc-attach.yaml: {}
-    manager: {{ include "vault.name" . }}-mount-helper
+    manager: {{ .Values.vault.name }}-mount-helper
-  name: {{ include "vault.name" . }}-mount-helper
+  name: {{ .Values.vault.name }}-mount-helper
   namespace: {{ .Release.Namespace }}
 data:
   pvc-attach.yaml: |
@@ -3393,7 +3393,7 @@ data:
     apiVersion: batch/v1
     kind: Job
     metadata:
-      name: {{ template "vault.fullname" . }}-mount-helper
+      name: {{ .Values.vault.fullname }}-mount-helper
       namespace: vault
     spec:
       activeDeadlineSeconds: 600
@@ -3403,10 +3403,10 @@ data:
       template:
         spec:
           restartPolicy: Never
-          serviceAccountName: "{{ template "vault.fullname" . }}-vault-manager"
+          serviceAccountName: "{{ .Values.vault.fullname }}-manager-1"
-          {{- if .Values.global.imagePullSecrets }}
+          {{- if .Values.manager.imagePullSecrets }}
           imagePullSecrets:
-            {{- toYaml .Values.global.imagePullSecrets | nindent 12 }}
+            {{- toYaml .Values.manager.imagePullSecrets | nindent 12 }}
           {{- end }}
           {{- if .Values.manager.tolerations }}
           tolerations:
@@ -3415,7 +3415,7 @@ data:
           containers:
             - name: mount
               image: "{{ .Values.manager.image.repository }}:{{ .Values.manager.image.tag }}"
-              imagePullPolicy: "{{ .Values.injector.image.pullPolicy }}"
+              imagePullPolicy: "{{ .Values.manager.image.pullPolicy }}"
               args:
                 - bash
                 - /opt/script/init.sh
@@ -3434,7 +3434,7 @@ data:
           volumes:
           - name: mount-helper
             configMap:
-              name: vault-init-unseal-2
+              name: vault-init-unseal-3
           - name: manager-pvc
             persistentVolumeClaim:
               claimName: manager-pvc-sva-vault-manager-0
@@ -3443,7 +3443,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   namespace: {{ .Release.Namespace }}
-  name: {{ template "vault.fullname" . }}-vault-manager
+  name: {{ .Values.vault.fullname }}-manager-1
 rules:
 - apiGroups: [""] # "" indicates the core API group
   resources: ["pods"]
@@ -3464,41 +3464,39 @@ rules:
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ template "vault.fullname" . }}-vault-manager
+  name: {{ .Values.vault.fullname }}-manager-1
   namespace: {{ .Release.Namespace }}
   labels:
-    helm.sh/chart: {{ include "vault.chart" . }}
+    helm.sh/chart: {{ .Values.manager.chart }}
-    app.kubernetes.io/name: {{ include "vault.name" . }}-vault-manager
+    app.kubernetes.io/name: {{ .Values.vault.name }}-manager
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: {{ template "vault.fullname" . }}-vault-manager
+  name: {{ .Values.vault.fullname }}-manager-1
   namespace: {{ .Release.Namespace }}
 subjects:
 - kind: ServiceAccount
-  name: {{ template "vault.fullname" . }}-vault-manager
+  name: {{ .Values.vault.fullname }}-manager-1
 roleRef:
   kind: Role
-  name: {{ template "vault.fullname" . }}-vault-manager
+  name: {{ .Values.vault.fullname }}-manager-1
   apiGroup: rbac.authorization.k8s.io
 ---
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
-# Deployment for the unsealer
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
-  name: {{ template "vault.fullname" . }}-manager2
+  name: {{ .Values.vault.fullname }}-manager-3
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "vault.name" . }}-manager
+    app.kubernetes.io/name: {{ .Values.vault.name }}-manager
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
     component: webhook
 spec:
-  serviceName: {{ template "vault.fullname" . }}
+  serviceName: {{ .Values.vault.fullname }}
   replicas: 1
   selector:
     matchLabels:
@@ -3507,17 +3505,17 @@ spec:
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: {{ template "vault.name" . }}-manager
+        app.kubernetes.io/name: {{ .Values.vault.name }}-manager
         app.kubernetes.io/instance: {{ .Release.Name }}
         component: webhook
         {{- if  .Values.manager.extraLabels }}
           {{- toYaml .Values.manager.extraLabels | nindent 8 -}}
         {{- end }}
     spec:
-      serviceAccountName: "{{ template "vault.fullname" . }}-vault-manager"
+      serviceAccountName: "{{ .Values.vault.fullname }}-manager-1"
-      {{- if .Values.global.imagePullSecrets }}
+      {{- if .Values.manager.imagePullSecrets }}
       imagePullSecrets:
-        {{- toYaml .Values.global.imagePullSecrets | nindent 8 }}
+        {{- toYaml .Values.manager.imagePullSecrets | nindent 8 }}
       {{- end }}
       {{- if .Values.manager.tolerations }}
       tolerations:
@@ -3526,7 +3524,7 @@ spec:
       containers:
         - name: manager
           image: "{{ .Values.manager.image.repository }}:{{ .Values.manager.image.tag }}"
-          imagePullPolicy: "{{ .Values.injector.image.pullPolicy }}"
+          imagePullPolicy: "{{ .Values.manager.image.pullPolicy }}"
           args:
             - bash
             - /opt/script/init.sh
@@ -3534,7 +3532,7 @@ spec:
           - name: CA_CERT
             value: /mnt/data/ca/tls.crt
           volumeMounts:
-            - name: vault-init-unseal-2
+            - name: vault-init-unseal-3
               mountPath: /opt/script
               readOnly: false
             - name: mount-helper-yaml
@@ -3544,13 +3542,12 @@ spec:
               mountPath: /mnt/data/ca
               readOnly: true
       volumes:
-        - name: vault-init-unseal-2
+        - name: vault-init-unseal-3
           configMap:
-            name: vault-init-unseal-2
+            name: vault-init-unseal-3
         - name: mount-helper-yaml
           configMap:
-            name: {{ include "vault.name" . }}-mount-helper
+            name: {{ .Values.vault.name }}-mount-helper
         - name: vault-ca
           secret:
             secretName: vault-ca
-{{ end }}

helm-charts/custom/vault-manager-helm/vault-manager-helm/vault-manager/values.yaml

@@ -0,0 +1,125 @@
+#
+# Copyright (c) 2020-2024 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+# Values migrated from vault helm chart
+
+vault:
+  name: vault
+  fullname: sva-vault
+
+server:
+  ha:
+    replicas: 1
+
+# Vault Manager specific values
+manager:
+  image:
+    repository: starlingx/stx-vault-manager
+    tag: stx.9.0-v1.28.6-1
+    pullPolicy: IfNotPresent
+
+  chart: vault_0.6.0
+
+  imagePullSecrets: []
+
+  # Rate at which vault-manager checks status of vault servers.
+  # After initialization of the raft, Vault manager will loop forever
+  # checking the pods for vault servers that need to be unsealed.
+  # This value is the sleep, in seconds, between intervals.  Value
+  # must be a positive integer
+  statusCheckRate: 5
+
+  # After initial configuration, in combination with statusCheckRate,
+  # the amount of time to wait before unsealing a recovering vault
+  # server.  The option is intended to allow the active vault server
+  # time to start sending heartbeats to the recovering pod before
+  # unsealing the server.
+  #
+  # A value of 0 indicates no wait time: unseal the vault server without
+  # delay.  The wait time is statusCheckRate * unsealWaitIntervals.
+  # Default is 5 s/interval * 3 intervals == 15 seconds.
+  #
+  unsealWaitIntervals: 3
+
+  api:
+    # Network timeout for queries to vault server /sys/health endpoint
+    #
+    # The maximum time in seconds to wait for a server to respond to
+    # health query.  This applies for the HA recovery situations, not the
+    # initialization of vault cluster.  Unsetting the value is not
+    # recommended, and defaults to timeout of 120 seconds.
+    #
+    # vault-manager will appear to hang if healthQueryTimeout is
+    # over-large.  This setting affects the logs, since vault-manager will
+    # issue a log when the 'sealed' status toggles between true/false and
+    # the 'unknown' value
+    healthQueryTimeout: 2
+
+    # Network timeout for vault API operations against /sys/unseal
+    #
+    # The maximum time in seconds to wait for a server to respond to
+    # the unseal request.
+    unsealOpTimeout: 10
+
+    # Network timeout for queries to vault server /sys/rekey/init
+    # and /sys/rekey/verify
+    #
+    # The maximum time in seconds to wait for a server to respond to
+    # the query.
+    rekeyStatusTimeout: 2
+
+    # Network timeout for vault API operations against /sys/rekey/init
+    # and /sys/rekey/verify
+    #
+    # The maximum time in seconds to wait for a server to respond to
+    # the request.
+    rekeyOpTimeout: 10
+
+  rekey:
+    # During upgrade of the application from PVC storage to storage
+    # using kubernetes, enable vault rekey to run automatically to
+    # resecure the vault with new shards.
+    # See also Hashicorp vault documentation:
+    #   https://developer.hashicorp.com/vault/tutorials/operations/rekeying-and-rotating
+    #   https://developer.hashicorp.com/vault/api-docs/v1.13.x/system/rekey
+    #
+    enableOnPVCConversion: true
+
+  k8s:
+    # The major/minor version of kubectl client binary to use.  Must
+    # exist within the vault manager image for example
+    #      client_version: v1.28
+    client_version: ""
+
+  waitTermination:
+    # During upgrade of the application from PVC storage to storage
+    # using kubernetes, wait for previous version of vault manager
+    # to terminate before proceding with the conversion of storage from PVC to
+    # kubernetes secrets.
+    #
+    # The maximum tries before proceding with the conversion of storage
+    # from PVC to kubernetes secrets.
+    maxTries: 12
+
+    # Number of seconds slept between each tries before proceding with
+    # the conversion of storage from PVC to kubernetes secrets.
+    sleepTime: 5
+
+  # Debugging option to setup pause request for vault manager on startup
+  # A pause_on_trap file will be created with the content of this value
+  # Values may include a positive integer matching a call of
+  # exit_on_trap
+  #
+  # pause: 1
+
+  # Debugging option to improve log reading, allow more verbose logging
+  #   DEBUG: 1
+  #    INFO: 2
+  # WARNING: 3
+  #   ERROR: 4
+  #   FATAL: 5
+  log:
+    defaultLogLevel: 2

helm-charts/upstream/vault-helm/debian/deb_folder/patches/series

@@ -0,0 +1,2 @@
+0001-Add-yaml-for-starlingx-image-handling.patch
+0001-Update-vault-version-to-1.14.8.patch

helm-charts/upstream/vault-helm/debian/deb_folder/rules

@@ -3,7 +3,7 @@ export DH_VERBOSE = 1
 
 export DEB_VERSION = $(shell dpkg-parsechangelog | egrep '^Version:' | cut -f 2 -d ' ')
 export PATCH_VERSION = $(shell echo $(DEB_VERSION) | cut -f 4 -d '.')
-export CHART_BASE_VERSION = "0.25.0"
+export CHART_BASE_VERSION = $(shell echo $(DEB_VERSION) | sed 's/-/./' | cut -d '.' -f 1-3)
 export CHART_VERSION = $(CHART_BASE_VERSION)+STX.$(PATCH_VERSION)
 
 export ROOT = debian/tmp
@@ -16,7 +16,7 @@ override_dh_auto_build:
 	# Set up chart build files.
 	mkdir vault
 	cp Chart.yaml values.yaml vault
-	cp vault-init.yaml vault-certificates.yaml templates
+	cp vault-certificates.yaml templates
 	cat _helpers-CA.tpl >> templates/_helpers.tpl
 	mv templates vault/templates
 	# Create the TGZ file.

helm-charts/upstream/vault-helm/debian/deb_folder/source/format

@@ -0,0 +1 @@
+3.0 (quilt)

helm-charts/upstream/vault-helm/debian/deb_folder/vault-helm.install

@@ -0,0 +1 @@
+usr/lib/helm/*

helm-charts/upstream/vault-helm/debian/meta_data.yaml

@@ -9,10 +9,10 @@ src_files:
   - vault-helm/files/Makefile
   - vault-helm/helm-charts/_helpers-CA.tpl
   - vault-helm/helm-charts/vault-certificates.yaml
-  - vault-helm/helm-charts/vault-init.yaml
 revision:
   dist: $STX_DIST
+  stx_patch: 1
   PKG_GITREVCOUNT: true
   GITREVCOUNT:
-    SRC_DIR: ${MY_REPO}/stx/vault-armada-app/vault-helm
+    SRC_DIR: ${MY_REPO}/stx/vault-armada-app/helm-charts/upstream/vault-helm
     BASE_SRCREV: ccdb17d29610247eebf45e862ff9f30ff18432eb

helm-charts/upstream/vault-helm/vault-helm/files/Makefile

@@ -9,8 +9,8 @@
 SHELL := /bin/bash
 TASK  := build
 
-EXCLUDES := helm-toolkit doc tests tools logs tmp
+EXCLUDES := doc tests tools logs tmp
-CHARTS := helm-toolkit $(filter-out $(EXCLUDES), $(patsubst %/.,%,$(wildcard */.)))
+CHARTS := $(filter-out $(EXCLUDES), $(patsubst %/.,%,$(wildcard */.)))
 
 .PHONY: $(EXCLUDES) $(CHARTS)
 

stx-vault-helm/debian/deb_folder/control

@@ -4,10 +4,8 @@ Priority: optional
 Maintainer: StarlingX Developers <starlingx-discuss@lists.starlingx.io>
 Build-Depends: debhelper-compat (= 13),
  vault-helm,
- chartmuseum,
+ vault-manager-helm,
  helm,
- procps,
- python3-k8sapp-vault,
  python3-k8sapp-vault-wheels,
  build-info
 Standards-Version: 4.5.1

stx-vault-helm/debian/deb_folder/rules

@@ -18,15 +18,6 @@ export STAGING = staging
 	dh $@
 
 override_dh_auto_build:
-	# Host a server for the helm charts.
-	chartmuseum --debug --port=8879 --context-path='/charts' --storage="local" \
-		--storage-local-rootdir="." &
-	sleep 2
-	helm repo add local http://localhost:8879/charts
-
-	# Terminate the helm chart server.
-	pkill chartmuseum
-
 	# Setup the staging directory.
 	mkdir -p $(STAGING)
 	cp files/metadata.yaml $(STAGING)
@@ -40,7 +31,7 @@ override_dh_auto_build:
 		chart_name=$${chart%-*}; \
 		chart_version=$${chart##*-}; \
 		echo "Found $$chart; name: $$chart_name, version: $$chart_version"; \
-		chart_manifest=$$(find $(STAGING)/fluxcd-manifests -name helmrelease.yaml -exec grep -q $$chart_name {} \; -print); \
+		chart_manifest=$$(find $(STAGING)/fluxcd-manifests/$$chart_name -name helmrelease.yaml -exec grep -q $$chart_name {} \; -print); \
 		echo "Updating manifest: $$chart_manifest"; \
 		sed -i "s/REPLACE_HELM_CHART_VERSION/$$chart_version/g" $$chart_manifest; \
 		grep version $$chart_manifest; \

stx-vault-helm/stx-vault-helm/files/index.yaml

@@ -1,3 +0,0 @@
-apiVersion: v1
-entries: {}
-generated: 2019-01-07T12:33:46.098166523-06:00

stx-vault-helm/stx-vault-helm/fluxcd-manifests/kustomization.yaml

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2022 Wind River Systems, Inc.
+# Copyright (c) 2022, 2024 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
@@ -10,3 +10,4 @@ namespace: vault
 resources:
   - base
   - vault
+  - vault-manager

stx-vault-helm/stx-vault-helm/fluxcd-manifests/vault-manager/helmrelease.yaml

@@ -0,0 +1,36 @@
+#
+# Copyright (c) 2024 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+apiVersion: "helm.toolkit.fluxcd.io/v2beta1"
+kind: HelmRelease
+metadata:
+  name: vault-manager
+  labels:
+    chart_group: vault
+spec:
+  releaseName: sva-vault-manager
+  chart:
+    spec:
+      chart: vault-manager
+      version: REPLACE_HELM_CHART_VERSION
+      sourceRef:
+        kind: HelmRepository
+        name: stx-platform
+  interval: 1m
+  timeout: 30m
+  test:
+    enable: false
+  install:
+    disableHooks: false
+  upgrade:
+    disableHooks: false
+  valuesFrom:
+    - kind: Secret
+      name: vault-manager-static-overrides
+      valuesKey: vault-manager-static-overrides.yaml
+    - kind: Secret
+      name: vault-manager-system-overrides
+      valuesKey: vault-manager-system-overrides.yaml

stx-vault-helm/stx-vault-helm/fluxcd-manifests/vault-manager/kustomization.yaml

@@ -0,0 +1,18 @@
+#
+# Copyright (c) 2024 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+namespace: vault
+resources:
+  - helmrelease.yaml
+secretGenerator:
+  - name: vault-manager-static-overrides
+    files:
+      - vault-manager-static-overrides.yaml
+  - name: vault-manager-system-overrides
+    files:
+      - vault-manager-system-overrides.yaml
+generatorOptions:
+  disableNameSuffixHash: true

stx-vault-helm/stx-vault-helm/fluxcd-manifests/vault-manager/vault-manager-static-overrides.yaml

@@ -0,0 +1,18 @@
+#
+# Copyright (c) 2024 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+manager:
+  image:
+    repository: starlingx/stx-vault-manager
+    tag: stx.9.0-v1.28.6-1
+  tolerations: |
+    - key: "node-role.kubernetes.io/master"
+      operator: "Exists"
+      effect: "NoSchedule"
+    - key: "node-role.kubernetes.io/control-plane"
+      operator: "Exists"
+      effect: "NoSchedule"
+  unsealWaitIntervals: 0

stx-vault-helm/stx-vault-helm/fluxcd-manifests/vault-manager/vault-manager-system-overrides.yaml

@@ -0,0 +1,6 @@
+#
+# Copyright (c) 2024 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+

stx-vault-helm/stx-vault-helm/fluxcd-manifests/vault/vault-static-overrides.yaml

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2022 Wind River Systems, Inc.
+# Copyright (c) 2022, 2024 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
@@ -9,18 +9,6 @@ global:
   tlsDisable: false
   imagePullSecrets:
     - name: default-registry-key
-manager:
-  image:
-    repository: starlingx/stx-vault-manager
-    tag: stx.9.0-v1.28.6-1
-  tolerations: |
-    - key: "node-role.kubernetes.io/master"
-      operator: "Exists"
-      effect: "NoSchedule"
-    - key: "node-role.kubernetes.io/control-plane"
-      operator: "Exists"
-      effect: "NoSchedule"
-  unsealWaitIntervals: 0
 injector:
   enabled: true
   nodeSelector: |

vault-helm/debian/deb_folder/patches/0001-Add-log-level-option-for-vault-manager.patch

@@ -1,42 +0,0 @@
-From 3ea54def194ee7c79b3ade000825fdad07603d24 Mon Sep 17 00:00:00 2001
-From: Michel Thebeau <Michel.Thebeau@windriver.com>
-Date: Fri, 29 Sep 2023 21:23:19 +0000
-Subject: [PATCH] Add log level option for vault-manager
-
-Add manager.log.defaultLogLevel to values.yaml to allow a developer to
-set the log level of vault-manager pod.  Values may be:
-
-  DEBUG: 1
-  INFO: 2   (default)
-  WARNING: 3
-  ERROR: 4
-  FATAL: 5
-
-Signed-off-by: Michel Thebeau <Michel.Thebeau@windriver.com>
----
- values.yaml | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/values.yaml b/values.yaml
-index f35df52..600d632 100644
---- a/values.yaml
-+++ b/values.yaml
-@@ -114,6 +114,15 @@ manager:
-     #      client_version: v1.28
-     client_version: ""
- 
-+  # Debugging option to improve log reading, allow more verbose logging
-+  #   DEBUG: 1
-+  #    INFO: 2
-+  # WARNING: 3
-+  #   ERROR: 4
-+  #   FATAL: 5
-+  log:
-+    defaultLogLevel: 2
-+
- injector:
-   # True if you want to enable vault agent injection.
-   # @default: global.enabled
--- 
-2.34.1
-

vault-helm/debian/deb_folder/patches/0001-Add-manager-pause-request-to-helm-values.yaml.patch

@@ -1,39 +0,0 @@
-From 632a43d0fb4661c0bd1ca7a03e6dee69c1d9974e Mon Sep 17 00:00:00 2001
-From: Michel Thebeau <Michel.Thebeau@windriver.com>
-Date: Mon, 6 Nov 2023 19:28:52 +0000
-Subject: [PATCH] Add manager pause request to helm values.yaml
-
-Add manager.pause to values.yaml to allow a developer to pause the
-execution of vault-manager.  This is intended as a debugging option.
-
-The vault-manager pauses on any of the exit_on_trap safe points.  A
-value of '1' pauses before vault-manager executes any code (other than
-variable initialization).
-
-
-Signed-off-by: Michel Thebeau <Michel.Thebeau@windriver.com>
----
- values.yaml | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/values.yaml b/values.yaml
-index 600d632..ac35eb2 100644
---- a/values.yaml
-+++ b/values.yaml
-@@ -123,6 +123,13 @@ manager:
-   log:
-     defaultLogLevel: 2
- 
-+  # Debugging option to setup pause request for vault manager on startup
-+  # A pause_on_trap file will be created with the content of this value
-+  # Values may include a positive integer matching a call of
-+  # exit_on_trap
-+  #
-+  # pause: 1
-+
- injector:
-   # True if you want to enable vault agent injection.
-   # @default: global.enabled
--- 
-2.34.1
-

vault-helm/debian/deb_folder/patches/0001-Add-vault-manager-repository-to-values.yaml.patch

@@ -1,112 +0,0 @@
-From fda70b8f0e34be97e9c80251afdec45518314ab1 Mon Sep 17 00:00:00 2001
-From: Greg Waines <greg.waines@windriver.com>
-Date: Sat, 5 Nov 2022 20:14:58 -0400
-Subject: [PATCH] Add vault manager repository to values.yaml
-
-Add image repository for vault-manager pod
-
-Add timing parameters for the vault-manager main function, rate at which
-to check for and unseal vault pods.
-
-Add timing parameters for the vault API.  These parameters tune the
-timing of unsealing the vault server/raft, queries and operations for
-vault rekey.
-
-Add option to enable/disable rekey of vault after conversion of storage
-backend from PVC to k8s secrets.
-
-Add option to select kubectl version.
-
-Signed-off-by: Michel Thebeau <michel.thebeau@windriver.com>
----
- values.yaml | 74 +++++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 74 insertions(+)
-
-diff --git a/values.yaml b/values.yaml
-index 9e35ac8..3e311d6 100644
---- a/values.yaml
-+++ b/values.yaml
-@@ -40,6 +40,80 @@ global:
-     # See the top level serverTelemetry section below before enabling this feature.
-     prometheusOperator: false
- 
-+manager:
-+  image:
-+    repository: starlingx/stx-vault-manager
-+    tag: stx.9.0-v1.28.6-1
-+
-+  # Rate at which vault-manager checks status of vault servers.
-+  # After initialization of the raft, Vault manager will loop forever
-+  # checking the pods for vault servers that need to be unsealed.
-+  # This value is the sleep, in seconds, between intervals.  Value
-+  # must be a positive integer
-+  statusCheckRate: 5
-+
-+  # After initial configuration, in combination with statusCheckRate,
-+  # the amount of time to wait before unsealing a recovering vault
-+  # server.  The option is intended to allow the active vault server
-+  # time to start sending heartbeats to the recovering pod before
-+  # unsealing the server.
-+  #
-+  # A value of 0 indicates no wait time: unseal the vault server without
-+  # delay.  The wait time is statusCheckRate * unsealWaitIntervals.
-+  # Default is 5 s/interval * 3 intervals == 15 seconds.
-+  #
-+  unsealWaitIntervals: 3
-+
-+  api:
-+    # Network timeout for queries to vault server /sys/health endpoint
-+    #
-+    # The maximum time in seconds to wait for a server to respond to
-+    # health query.  This applies for the HA recovery situations, not the
-+    # initialization of vault cluster.  Unsetting the value is not
-+    # recommended, and defaults to timeout of 120 seconds.
-+    #
-+    # vault-manager will appear to hang if healthQueryTimeout is
-+    # over-large.  This setting affects the logs, since vault-manager will
-+    # issue a log when the 'sealed' status toggles between true/false and
-+    # the 'unknown' value
-+    healthQueryTimeout: 2
-+
-+    # Network timeout for vault API operations against /sys/unseal
-+    #
-+    # The maximum time in seconds to wait for a server to respond to
-+    # the unseal request.
-+    unsealOpTimeout: 10
-+
-+    # Network timeout for queries to vault server /sys/rekey/init
-+    # and /sys/rekey/verify
-+    #
-+    # The maximum time in seconds to wait for a server to respond to
-+    # the query.
-+    rekeyStatusTimeout: 2
-+
-+    # Network timeout for vault API operations against /sys/rekey/init
-+    # and /sys/rekey/verify
-+    #
-+    # The maximum time in seconds to wait for a server to respond to
-+    # the request.
-+    rekeyOpTimeout: 10
-+
-+  rekey:
-+    # During upgrade of the application from PVC storage to storage
-+    # using kubernetes, enable vault rekey to run automatically to
-+    # resecure the vault with new shards.
-+    # See also Hashicorp vault documentation:
-+    #   https://developer.hashicorp.com/vault/tutorials/operations/rekeying-and-rotating
-+    #   https://developer.hashicorp.com/vault/api-docs/v1.13.x/system/rekey
-+    #
-+    enableOnPVCConversion: true
-+
-+  k8s:
-+    # The major/minor version of kubectl client binary to use.  Must
-+    # exist within the vault manager image for example
-+    #      client_version: v1.28
-+    client_version: ""
-+
- injector:
-   # True if you want to enable vault agent injection.
-   # @default: global.enabled
--- 
-2.34.1
-

vault-helm/debian/deb_folder/patches/0001-Add-vault-manager-termination-wait-time.patch

@@ -1,42 +0,0 @@
-From 06b5719c35c7e75b776ce7bd08c6df32c2dcf9cd Mon Sep 17 00:00:00 2001
-From: Tae Park <tae.park@windriver.com>
-Date: Mon, 29 Jan 2024 15:24:37 -0500
-Subject: [PATCH] Add vault manager termination wait time
-
-Adding configure options for maximum number of tries for checking
-PVC removal, and time slept between each tries. Changed the
-default to 60 seconds total wait time
-
-Signed-off-by: Tae Park <tae.park@windriver.com>
----
- values.yaml | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-
-diff --git a/values.yaml b/values.yaml
-index 1bce118..487b44a 100644
---- a/values.yaml
-+++ b/values.yaml
-@@ -114,6 +114,20 @@ manager:
-     #      client_version: v1.28
-     client_version: ""
- 
-+  waitTermination:
-+    # During upgrade of the application from PVC storage to storage
-+    # using kubernetes, wait for previous version of vault manager
-+    # to terminate before proceding with the conversion of storage from PVC to
-+    # kubernetes secrets.
-+    #
-+    # The maximum tries before proceding with the conversion of storage
-+    # from PVC to kubernetes secrets.
-+    maxTries: 12
-+
-+    # Number of seconds slept between each tries before proceding with
-+    # the conversion of storage from PVC to kubernetes secrets.
-+    sleepTime: 5
-+
-   # Debugging option to improve log reading, allow more verbose logging
-   #   DEBUG: 1
-   #    INFO: 2
--- 
-2.25.1
-

vault-helm/debian/deb_folder/patches/series

@@ -1,6 +0,0 @@
-0001-Add-vault-manager-repository-to-values.yaml.patch
-0001-Add-yaml-for-starlingx-image-handling.patch
-0001-Add-log-level-option-for-vault-manager.patch
-0001-Add-manager-pause-request-to-helm-values.yaml.patch
-0001-Update-vault-version-to-1.14.8.patch
-0001-Add-vault-manager-termination-wait-time.patch