Separate vault-manager to a new package

Isolating all vault-manager helm chart and related content into a new
package. Per STX.APP.12, STX.APP.13, vault-manager should be allowed to
be disabled so that another solution can be used to manage vault. The
file structure is also changed, so that vault-helm is under
helm-charts/upstream, and vault-manager-helm is under helm-charts/custom

Test Plan:
PASS	build all vault-related packages
PASS	Create new vault application tarball
PASS 	test existing vault features:
PASS		AIO-SX vault sanity
PASS		Vault rekey feature test
PASS		vault application update and watch PVC conversion

Story: 2010929
Task: 49600

Change-Id: I87cce3466ad905d00da715ce582baa28371135c1
Signed-off-by: Tae Park <tae.park@windriver.com>
Tae Park 2024-02-29 18:05:36 -05:00
parent 05ccd6fea5
commit 96c4965be3
43 changed files with 353 additions and 319 deletions


@ -1,3 +1,4 @@
python3-k8sapp-vault
stx-vault-helm
vault-helm
helm-charts/upstream/vault-helm
helm-charts/custom/vault-manager-helm


@ -0,0 +1,5 @@
vault-manager-helm (1.0-1) unstable; urgency=medium
* Initial release.
-- Tae Park <tae.park@windriver.com> Fri, 1 Mar 2021 09:08:42 +0000


@ -0,0 +1,16 @@
Source: vault-manager-helm
Section: libs
Priority: optional
Maintainer: StarlingX Developers <starlingx-discuss@lists.starlingx.io>
Build-Depends: debhelper-compat (= 13),
helm,
build-info,
Standards-Version: 4.5.1
Homepage: https://www.starlingx.io
Package: vault-manager-helm
Section: libs
Architecture: any
Depends: ${misc:Depends}
Description: StarlingX Vault Manager Helm Charts
This package contains helm charts for the vault manager application.
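Review bot: `Architecture: any` in the Package stanza declares an architecture-dependent package, but the only content it installs is a helm chart tarball under `usr/lib/helm`, which is identical on every architecture; `Architecture: all` is the conventional value and avoids rebuilding the same payload per arch. The trailing comma after `build-info,` in Build-Depends is tolerated by dpkg but unusual in this repository's other control files; dropping it keeps the list tidy. Both are points of style unless the build matrix genuinely needs a per-arch package.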


@ -0,0 +1,21 @@
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: vault-manager-helm
Source: https://opendev.org/starlingx/vault-armada-app/
Files: *
Copyright: (c) 2020-2024 Wind River Systems, Inc
License: Apache-2
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
.
https://www.apache.org/licenses/LICENSE-2.0
.
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
.
On Debian-based systems the full text of the Apache version 2.0 license
can be found in `/usr/share/common-licenses/Apache-2.0'.


@ -0,0 +1,26 @@
#!/usr/bin/make -f
export DH_VERBOSE = 1
export DEB_VERSION = $(shell dpkg-parsechangelog | egrep '^Version:' | cut -f 2 -d ' ')
export PATCH_VERSION = $(shell echo $(DEB_VERSION) | cut -f 4 -d '.')
export CHART_BASE_VERSION = $(shell echo $(DEB_VERSION) | sed 's/-/./' | cut -d '.' -f 1-3)
export CHART_VERSION = $(CHART_BASE_VERSION)+STX.$(PATCH_VERSION)
export ROOT = debian/tmp
export APP_FOLDER = $(ROOT)/usr/lib/helm
%:
dh $@
override_dh_auto_build:
mkdir -p vault-manager
cp Chart.yaml values.yaml vault-manager
cp -r templates/ vault-manager
make CHART_VERSION=$(CHART_VERSION) vault-manager
override_dh_auto_install:
# Install the app tar file.
install -d -m 755 $(APP_FOLDER)
install -p -D -m 755 vault-manager*.tgz $(APP_FOLDER)
override_dh_auto_test:
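Review bot: `make CHART_VERSION=$(CHART_VERSION) vault-manager` in override_dh_auto_build calls a literal `make`, so the sub-make does not inherit the jobserver or `-n`; the conventional form is `$(MAKE) CHART_VERSION=$(CHART_VERSION) vault-manager`. `install -p -D -m 755 vault-manager*.tgz $(APP_FOLDER)` installs a data archive with the executable bit set and will install every matching tgz if more than one is present; `-m 644` is the usual mode for a chart tarball. The `DEB_VERSION`, `PATCH_VERSION` and `CHART_BASE_VERSION` lines use recursive `=` with `$(shell …)`, so the pipeline re-runs on every reference and every exported environment; `:=` evaluates each once, and the same pattern is in the vault-helm rules hunk that rewrites `CHART_BASE_VERSION` further down this commit. `override_dh_auto_test:` is left as an empty override; a one-line comment such as `# No unit tests for this chart package; lint happens in the chart Makefile` would make the intent explicit.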


@ -0,0 +1,15 @@
---
debname: vault-manager-helm
debver: 1.0-1
src_path: vault-manager-helm
src_files:
- vault-manager-helm/Makefile
- vault-manager-helm/vault-manager/templates/
- vault-manager-helm/vault-manager/Chart.yaml
- vault-manager-helm/vault-manager/values.yaml
revision:
dist: $STX_DIST
stx_patch: 69
GITREVCOUNT:
SRC_DIR: ${MY_REPO}/stx/vault-armada-app/helm-charts/custom/vault-manager-helm
BASE_SRCREV: 05ccd6fea52da96968134eda00ebe51debd7082a
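Review bot: `stx_patch: 69` for a package introduced at `debver: 1.0-1` looks inherited from an existing package rather than chosen for this one. Because the new debian/rules derives `PATCH_VERSION`, and therefore the `+STX.N` suffix of `CHART_VERSION`, from the fourth dot-separated field of the Debian version, this value becomes part of the published chart version. Please confirm the intended starting value and record the reason with a comment, e.g. `# stx_patch continues the vault-manager sequence carried over from <previous package>`, or reset it for the new package.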


@ -1,7 +1,7 @@
#
# Copyright 2017 The Openstack-Helm Authors.
#
# Copyright (c) 2019 Wind River Systems, Inc.
# Copyright (c) 2024 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
@ -9,8 +9,8 @@
SHELL := /bin/bash
TASK := build
EXCLUDES := helm-toolkit doc tests tools logs tmp
CHARTS := helm-toolkit $(filter-out $(EXCLUDES), $(patsubst %/.,%,$(wildcard */.)))
EXCLUDES := doc tests tools logs tmp
CHARTS := $(filter-out $(EXCLUDES), $(patsubst %/.,%,$(wildcard */.)))
.PHONY: $(EXCLUDES) $(CHARTS)
@ -25,18 +25,16 @@ $(CHARTS):
init-%:
if [ -f $*/Makefile ]; then make -C $*; fi
if [ -f $*/requirements.yaml ]; then helm dep up $*; fi
lint-%: init-%
if [ -d $* ]; then helm lint $*; fi
build-%:
if [ -d $* ]; then helm package $*; fi
build-%: lint-%
if [ -d $* ]; then helm package --version $(CHART_VERSION) $*; fi
clean:
@echo "Clean all build artifacts"
rm -f */templates/_partials.tpl */templates/_globals.tpl
rm -f *tgz */charts/*tgz */requirements.lock
rm -rf */charts */tmpcharts
%:
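Review bot: `if [ -f $*/Makefile ]; then make -C $*; fi` in init-% invokes a literal `make`; `$(MAKE) -C $*` is the form that propagates the jobserver and `-n` to the sub-make. The new `helm package --version $(CHART_VERSION) $*` in build-% passes an empty `--version` when this Makefile is run without CHART_VERSION (for example a local `make vault-manager`); whether helm treats that as unset or rejects it should be checked, or the flag made conditional with `helm package $(if $(strip $(CHART_VERSION)),--version $(CHART_VERSION)) $*`. The `%:` rule at the end of this hunk continues outside it.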


@ -0,0 +1,4 @@
This directory contains the helm chart for Vault Manager. Rather than
being installed on the Starlingx cluster, this Vault-Manager chart is
included within the Vault application tarball in the stx-vault-helm
package.


@ -0,0 +1,10 @@
#
# Copyright (c) 2024 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
apiVersion: v2
appVersion: "1.0.1"
description: Vault manager helm chart
name: vault-manager
version: 1.0.1


@ -10,8 +10,8 @@ data:
# Template vaules from helm
VAULT_NS={{ .Release.Namespace }}
VAULT_NAME={{ template "vault.name" .}}
VAULT_FN={{ template "vault.fullname" . }}
VAULT_NAME={{ .Values.vault.name }}
VAULT_FN={{ .Values.vault.fullname }}
HA_REPLICAS={{ .Values.server.ha.replicas }}
# Set the domain for resolving pod names
@ -1413,7 +1413,7 @@ data:
# from PVC.
#
# See also the function mountHelper and the ConfigMap named:
# {{ include "vault.name" . }}-mount-helper
# {{ .Values.vault.name }}-mount-helper
#
# This function does not support overwriting an existing
# cluster-key-* secret, but it does support validating those secrets
@ -3371,7 +3371,7 @@ metadata:
.: {}
f:init.sh: {}
manager: vault-init-unseal
name: vault-init-unseal-2
name: vault-init-unseal-3
namespace: {{ .Release.Namespace }}
---
apiVersion: v1
@ -3384,8 +3384,8 @@ metadata:
f:data:
.: {}
f:pvc-attach.yaml: {}
manager: {{ include "vault.name" . }}-mount-helper
name: {{ include "vault.name" . }}-mount-helper
manager: {{ .Values.vault.name }}-mount-helper
name: {{ .Values.vault.name }}-mount-helper
namespace: {{ .Release.Namespace }}
data:
pvc-attach.yaml: |
@ -3393,7 +3393,7 @@ data:
apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "vault.fullname" . }}-mount-helper
name: {{ .Values.vault.fullname }}-mount-helper
namespace: vault
spec:
activeDeadlineSeconds: 600
@ -3403,10 +3403,10 @@ data:
template:
spec:
restartPolicy: Never
serviceAccountName: "{{ template "vault.fullname" . }}-vault-manager"
{{- if .Values.global.imagePullSecrets }}
serviceAccountName: "{{ .Values.vault.fullname }}-manager-1"
{{- if .Values.manager.imagePullSecrets }}
imagePullSecrets:
{{- toYaml .Values.global.imagePullSecrets | nindent 12 }}
{{- toYaml .Values.manager.imagePullSecrets | nindent 12 }}
{{- end }}
{{- if .Values.manager.tolerations }}
tolerations:
@ -3415,7 +3415,7 @@ data:
containers:
- name: mount
image: "{{ .Values.manager.image.repository }}:{{ .Values.manager.image.tag }}"
imagePullPolicy: "{{ .Values.injector.image.pullPolicy }}"
imagePullPolicy: "{{ .Values.manager.image.pullPolicy }}"
args:
- bash
- /opt/script/init.sh
@ -3434,7 +3434,7 @@ data:
volumes:
- name: mount-helper
configMap:
name: vault-init-unseal-2
name: vault-init-unseal-3
- name: manager-pvc
persistentVolumeClaim:
claimName: manager-pvc-sva-vault-manager-0
@ -3443,7 +3443,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: {{ .Release.Namespace }}
name: {{ template "vault.fullname" . }}-vault-manager
name: {{ .Values.vault.fullname }}-manager-1
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["pods"]
@ -3464,41 +3464,39 @@ rules:
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "vault.fullname" . }}-vault-manager
name: {{ .Values.vault.fullname }}-manager-1
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}-vault-manager
helm.sh/chart: {{ .Values.manager.chart }}
app.kubernetes.io/name: {{ .Values.vault.name }}-manager
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "vault.fullname" . }}-vault-manager
name: {{ .Values.vault.fullname }}-manager-1
namespace: {{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}-vault-manager
name: {{ .Values.vault.fullname }}-manager-1
roleRef:
kind: Role
name: {{ template "vault.fullname" . }}-vault-manager
name: {{ .Values.vault.fullname }}-manager-1
apiGroup: rbac.authorization.k8s.io
---
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
# Deployment for the unsealer
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ template "vault.fullname" . }}-manager2
name: {{ .Values.vault.fullname }}-manager-3
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-manager
app.kubernetes.io/name: {{ .Values.vault.name }}-manager
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
component: webhook
spec:
serviceName: {{ template "vault.fullname" . }}
serviceName: {{ .Values.vault.fullname }}
replicas: 1
selector:
matchLabels:
@ -3507,17 +3505,17 @@ spec:
template:
metadata:
labels:
app.kubernetes.io/name: {{ template "vault.name" . }}-manager
app.kubernetes.io/name: {{ .Values.vault.name }}-manager
app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook
{{- if .Values.manager.extraLabels }}
{{- toYaml .Values.manager.extraLabels | nindent 8 -}}
{{- end }}
spec:
serviceAccountName: "{{ template "vault.fullname" . }}-vault-manager"
{{- if .Values.global.imagePullSecrets }}
serviceAccountName: "{{ .Values.vault.fullname }}-manager-1"
{{- if .Values.manager.imagePullSecrets }}
imagePullSecrets:
{{- toYaml .Values.global.imagePullSecrets | nindent 8 }}
{{- toYaml .Values.manager.imagePullSecrets | nindent 8 }}
{{- end }}
{{- if .Values.manager.tolerations }}
tolerations:
@ -3526,7 +3524,7 @@ spec:
containers:
- name: manager
image: "{{ .Values.manager.image.repository }}:{{ .Values.manager.image.tag }}"
imagePullPolicy: "{{ .Values.injector.image.pullPolicy }}"
imagePullPolicy: "{{ .Values.manager.image.pullPolicy }}"
args:
- bash
- /opt/script/init.sh
@ -3534,7 +3532,7 @@ spec:
- name: CA_CERT
value: /mnt/data/ca/tls.crt
volumeMounts:
- name: vault-init-unseal-2
- name: vault-init-unseal-3
mountPath: /opt/script
readOnly: false
- name: mount-helper-yaml
@ -3544,13 +3542,12 @@ spec:
mountPath: /mnt/data/ca
readOnly: true
volumes:
- name: vault-init-unseal-2
- name: vault-init-unseal-3
configMap:
name: vault-init-unseal-2
name: vault-init-unseal-3
- name: mount-helper-yaml
configMap:
name: {{ include "vault.name" . }}-mount-helper
name: {{ .Values.vault.name }}-mount-helper
- name: vault-ca
secret:
secretName: vault-ca
{{ end }}
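Review bot: The Job manifest embedded in pvc-attach.yaml (hunk -3393) still carries `namespace: vault` while every other resource in this template, including the mount-helper ConfigMap that wraps it, is namespaced with `{{ .Release.Namespace }}`, so a release installed into any other namespace would have vault-manager create the mount-helper Job in the wrong one; `namespace: {{ .Release.Namespace }}` keeps them consistent. The new names `{{ .Values.vault.fullname }}-manager-1` (ServiceAccount, Role, RoleBinding) and `{{ .Values.vault.fullname }}-manager-3` (StatefulSet) use bare numeric suffixes that the reader cannot interpret; a one-line comment above the ServiceAccount stating what the `-1`/`-3` generations mean would help. With the `vault.name`/`vault.fullname` helpers replaced by values, nothing in this chart checks that those values match the vault release's actual names, so a mismatch would only show up as the manager failing to find its Vault pods at runtime.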


@ -0,0 +1,125 @@
#
# Copyright (c) 2020-2024 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# Values migrated from vault helm chart
vault:
name: vault
fullname: sva-vault
server:
ha:
replicas: 1
# Vault Manager specific values
manager:
image:
repository: starlingx/stx-vault-manager
tag: stx.9.0-v1.28.6-1
pullPolicy: IfNotPresent
chart: vault_0.6.0
imagePullSecrets: []
# Rate at which vault-manager checks status of vault servers.
# After initialization of the raft, Vault manager will loop forever
# checking the pods for vault servers that need to be unsealed.
# This value is the sleep, in seconds, between intervals. Value
# must be a positive integer
statusCheckRate: 5
# After initial configuration, in combination with statusCheckRate,
# the amount of time to wait before unsealing a recovering vault
# server. The option is intended to allow the active vault server
# time to start sending heartbeats to the recovering pod before
# unsealing the server.
#
# A value of 0 indicates no wait time: unseal the vault server without
# delay. The wait time is statusCheckRate * unsealWaitIntervals.
# Default is 5 s/interval * 3 intervals == 15 seconds.
#
unsealWaitIntervals: 3
api:
# Network timeout for queries to vault server /sys/health endpoint
#
# The maximum time in seconds to wait for a server to respond to
# health query. This applies for the HA recovery situations, not the
# initialization of vault cluster. Unsetting the value is not
# recommended, and defaults to timeout of 120 seconds.
#
# vault-manager will appear to hang if healthQueryTimeout is
# over-large. This setting affects the logs, since vault-manager will
# issue a log when the 'sealed' status toggles between true/false and
# the 'unknown' value
healthQueryTimeout: 2
# Network timeout for vault API operations against /sys/unseal
#
# The maximum time in seconds to wait for a server to respond to
# the unseal request.
unsealOpTimeout: 10
# Network timeout for queries to vault server /sys/rekey/init
# and /sys/rekey/verify
#
# The maximum time in seconds to wait for a server to respond to
# the query.
rekeyStatusTimeout: 2
# Network timeout for vault API operations against /sys/rekey/init
# and /sys/rekey/verify
#
# The maximum time in seconds to wait for a server to respond to
# the request.
rekeyOpTimeout: 10
rekey:
# During upgrade of the application from PVC storage to storage
# using kubernetes, enable vault rekey to run automatically to
# resecure the vault with new shards.
# See also Hashicorp vault documentation:
# https://developer.hashicorp.com/vault/tutorials/operations/rekeying-and-rotating
# https://developer.hashicorp.com/vault/api-docs/v1.13.x/system/rekey
#
enableOnPVCConversion: true
k8s:
# The major/minor version of kubectl client binary to use. Must
# exist within the vault manager image for example
# client_version: v1.28
client_version: ""
waitTermination:
# During upgrade of the application from PVC storage to storage
# using kubernetes, wait for previous version of vault manager
# to terminate before proceding with the conversion of storage from PVC to
# kubernetes secrets.
#
# The maximum tries before proceding with the conversion of storage
# from PVC to kubernetes secrets.
maxTries: 12
# Number of seconds slept between each tries before proceding with
# the conversion of storage from PVC to kubernetes secrets.
sleepTime: 5
# Debugging option to setup pause request for vault manager on startup
# A pause_on_trap file will be created with the content of this value
# Values may include a positive integer matching a call of
# exit_on_trap
#
# pause: 1
# Debugging option to improve log reading, allow more verbose logging
# DEBUG: 1
# INFO: 2
# WARNING: 3
# ERROR: 4
# FATAL: 5
log:
defaultLogLevel: 2
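Review bot: `chart: vault_0.6.0` under manager feeds the `helm.sh/chart` label of the ServiceAccount, but this chart is `vault-manager` at version 1.0.1 per its Chart.yaml, so the label is wrong from the first release and will go stale on every bump; the Helm convention is to derive it in the template from `{{ .Chart.Name }}-{{ .Chart.Version }}` rather than from a value. `imagePullSecrets: []` becomes the default for the manager pods, whereas the template previously read `global.imagePullSecrets`, which the vault static overrides set to `default-registry-key`; the new vault-manager static overrides in this commit do not set `manager.imagePullSecrets`, so unless the system-overrides plugin injects it, the manager image will be pulled without that secret. `vault.name` / `vault.fullname: sva-vault` are described only as migrated values; a comment such as `# Must match the name/fullname of the vault release this manager operates on` would make the coupling explicit.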


@ -0,0 +1,2 @@
0001-Add-yaml-for-starlingx-image-handling.patch
0001-Update-vault-version-to-1.14.8.patch


@ -3,7 +3,7 @@ export DH_VERBOSE = 1
export DEB_VERSION = $(shell dpkg-parsechangelog | egrep '^Version:' | cut -f 2 -d ' ')
export PATCH_VERSION = $(shell echo $(DEB_VERSION) | cut -f 4 -d '.')
export CHART_BASE_VERSION = "0.25.0"
export CHART_BASE_VERSION = $(shell echo $(DEB_VERSION) | sed 's/-/./' | cut -d '.' -f 1-3)
export CHART_VERSION = $(CHART_BASE_VERSION)+STX.$(PATCH_VERSION)
export ROOT = debian/tmp
@ -16,7 +16,7 @@ override_dh_auto_build:
# Set up chart build files.
mkdir vault
cp Chart.yaml values.yaml vault
cp vault-init.yaml vault-certificates.yaml templates
cp vault-certificates.yaml templates
cat _helpers-CA.tpl >> templates/_helpers.tpl
mv templates vault/templates
# Create the TGZ file.


@ -0,0 +1 @@
3.0 (quilt)


@ -0,0 +1 @@
usr/lib/helm/*


@ -9,10 +9,10 @@ src_files:
- vault-helm/files/Makefile
- vault-helm/helm-charts/_helpers-CA.tpl
- vault-helm/helm-charts/vault-certificates.yaml
- vault-helm/helm-charts/vault-init.yaml
revision:
dist: $STX_DIST
stx_patch: 1
PKG_GITREVCOUNT: true
GITREVCOUNT:
SRC_DIR: ${MY_REPO}/stx/vault-armada-app/vault-helm
SRC_DIR: ${MY_REPO}/stx/vault-armada-app/helm-charts/upstream/vault-helm
BASE_SRCREV: ccdb17d29610247eebf45e862ff9f30ff18432eb


@ -9,8 +9,8 @@
SHELL := /bin/bash
TASK := build
EXCLUDES := helm-toolkit doc tests tools logs tmp
CHARTS := helm-toolkit $(filter-out $(EXCLUDES), $(patsubst %/.,%,$(wildcard */.)))
EXCLUDES := doc tests tools logs tmp
CHARTS := $(filter-out $(EXCLUDES), $(patsubst %/.,%,$(wildcard */.)))
.PHONY: $(EXCLUDES) $(CHARTS)


@ -4,10 +4,8 @@ Priority: optional
Maintainer: StarlingX Developers <starlingx-discuss@lists.starlingx.io>
Build-Depends: debhelper-compat (= 13),
vault-helm,
chartmuseum,
vault-manager-helm,
helm,
procps,
python3-k8sapp-vault,
python3-k8sapp-vault-wheels,
build-info
Standards-Version: 4.5.1


@ -18,15 +18,6 @@ export STAGING = staging
dh $@
override_dh_auto_build:
# Host a server for the helm charts.
chartmuseum --debug --port=8879 --context-path='/charts' --storage="local" \
--storage-local-rootdir="." &
sleep 2
helm repo add local http://localhost:8879/charts
# Terminate the helm chart server.
pkill chartmuseum
# Setup the staging directory.
mkdir -p $(STAGING)
cp files/metadata.yaml $(STAGING)
@ -40,7 +31,7 @@ override_dh_auto_build:
chart_name=$${chart%-*}; \
chart_version=$${chart##*-}; \
echo "Found $$chart; name: $$chart_name, version: $$chart_version"; \
chart_manifest=$$(find $(STAGING)/fluxcd-manifests -name helmrelease.yaml -exec grep -q $$chart_name {} \; -print); \
chart_manifest=$$(find $(STAGING)/fluxcd-manifests/$$chart_name -name helmrelease.yaml -exec grep -q $$chart_name {} \; -print); \
echo "Updating manifest: $$chart_manifest"; \
sed -i "s/REPLACE_HELM_CHART_VERSION/$$chart_version/g" $$chart_manifest; \
grep version $$chart_manifest; \
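Review bot: The narrowed `find $(STAGING)/fluxcd-manifests/$$chart_name -name helmrelease.yaml …` assumes a manifest directory named exactly after each chart; if that directory is missing, find fails, `chart_manifest` is left empty, and the following `sed -i … $$chart_manifest` aborts with a misleading "no input files" error. A guard right after the assignment, `[ -n "$$chart_manifest" ] || { echo "no helmrelease.yaml found for $$chart_name" >&2; exit 1; }; \`, makes the failure explicit. The `-exec grep -q $$chart_name {} \;` filter is now largely redundant given the per-chart directory, though harmless. The enclosing for-loop starts and ends outside this hunk.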


@ -1,3 +0,0 @@
apiVersion: v1
entries: {}
generated: 2019-01-07T12:33:46.098166523-06:00


@ -1,5 +1,5 @@
#
# Copyright (c) 2022 Wind River Systems, Inc.
# Copyright (c) 2022, 2024 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
@ -10,3 +10,4 @@ namespace: vault
resources:
- base
- vault
- vault-manager


@ -0,0 +1,36 @@
#
# Copyright (c) 2024 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
apiVersion: "helm.toolkit.fluxcd.io/v2beta1"
kind: HelmRelease
metadata:
name: vault-manager
labels:
chart_group: vault
spec:
releaseName: sva-vault-manager
chart:
spec:
chart: vault-manager
version: REPLACE_HELM_CHART_VERSION
sourceRef:
kind: HelmRepository
name: stx-platform
interval: 1m
timeout: 30m
test:
enable: false
install:
disableHooks: false
upgrade:
disableHooks: false
valuesFrom:
- kind: Secret
name: vault-manager-static-overrides
valuesKey: vault-manager-static-overrides.yaml
- kind: Secret
name: vault-manager-system-overrides
valuesKey: vault-manager-system-overrides.yaml
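Review bot: This HelmRelease declares no `dependsOn`, yet the vault-manager StatefulSet in the chart mounts `secretName: vault-ca` and addresses resources named after the vault release's fullname, so Flux may reconcile it before the vault release exists and the pods will wait in ContainerCreating until that secret appears. If the ordering matters, `spec.dependsOn: - name: <vault HelmRelease metadata.name>` expresses it; if vault-manager is designed to poll until Vault is present, a short comment saying so would pre-empt the question. Hedged: whether `vault-ca` is created by the vault release is inferred from the chart's `vault-certificates.yaml` being copied in the vault-helm rules, not shown here.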


@ -0,0 +1,18 @@
#
# Copyright (c) 2024 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
namespace: vault
resources:
- helmrelease.yaml
secretGenerator:
- name: vault-manager-static-overrides
files:
- vault-manager-static-overrides.yaml
- name: vault-manager-system-overrides
files:
- vault-manager-system-overrides.yaml
generatorOptions:
disableNameSuffixHash: true


@ -0,0 +1,18 @@
#
# Copyright (c) 2024 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
manager:
image:
repository: starlingx/stx-vault-manager
tag: stx.9.0-v1.28.6-1
tolerations: |
- key: "node-role.kubernetes.io/master"
operator: "Exists"
effect: "NoSchedule"
- key: "node-role.kubernetes.io/control-plane"
operator: "Exists"
effect: "NoSchedule"
unsealWaitIntervals: 0


@ -0,0 +1,6 @@
#
# Copyright (c) 2024 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#


@ -1,5 +1,5 @@
#
# Copyright (c) 2022 Wind River Systems, Inc.
# Copyright (c) 2022, 2024 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
@ -9,18 +9,6 @@ global:
tlsDisable: false
imagePullSecrets:
- name: default-registry-key
manager:
image:
repository: starlingx/stx-vault-manager
tag: stx.9.0-v1.28.6-1
tolerations: |
- key: "node-role.kubernetes.io/master"
operator: "Exists"
effect: "NoSchedule"
- key: "node-role.kubernetes.io/control-plane"
operator: "Exists"
effect: "NoSchedule"
unsealWaitIntervals: 0
injector:
enabled: true
nodeSelector: |


@ -1,42 +0,0 @@
From 3ea54def194ee7c79b3ade000825fdad07603d24 Mon Sep 17 00:00:00 2001
From: Michel Thebeau <Michel.Thebeau@windriver.com>
Date: Fri, 29 Sep 2023 21:23:19 +0000
Subject: [PATCH] Add log level option for vault-manager
Add manager.log.defaultLogLevel to values.yaml to allow a developer to
set the log level of vault-manager pod. Values may be:
DEBUG: 1
INFO: 2 (default)
WARNING: 3
ERROR: 4
FATAL: 5
Signed-off-by: Michel Thebeau <Michel.Thebeau@windriver.com>
---
values.yaml | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/values.yaml b/values.yaml
index f35df52..600d632 100644
--- a/values.yaml
+++ b/values.yaml
@@ -114,6 +114,15 @@ manager:
# client_version: v1.28
client_version: ""
+ # Debugging option to improve log reading, allow more verbose logging
+ # DEBUG: 1
+ # INFO: 2
+ # WARNING: 3
+ # ERROR: 4
+ # FATAL: 5
+ log:
+ defaultLogLevel: 2
+
injector:
# True if you want to enable vault agent injection.
# @default: global.enabled
--
2.34.1


@ -1,39 +0,0 @@
From 632a43d0fb4661c0bd1ca7a03e6dee69c1d9974e Mon Sep 17 00:00:00 2001
From: Michel Thebeau <Michel.Thebeau@windriver.com>
Date: Mon, 6 Nov 2023 19:28:52 +0000
Subject: [PATCH] Add manager pause request to helm values.yaml
Add manager.pause to values.yaml to allow a developer to pause the
execution of vault-manager. This is intended as a debugging option.
The vault-manager pauses on any of the exit_on_trap safe points. A
value of '1' pauses before vault-manager executes any code (other than
variable initialization).
Signed-off-by: Michel Thebeau <Michel.Thebeau@windriver.com>
---
values.yaml | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/values.yaml b/values.yaml
index 600d632..ac35eb2 100644
--- a/values.yaml
+++ b/values.yaml
@@ -123,6 +123,13 @@ manager:
log:
defaultLogLevel: 2
+ # Debugging option to setup pause request for vault manager on startup
+ # A pause_on_trap file will be created with the content of this value
+ # Values may include a positive integer matching a call of
+ # exit_on_trap
+ #
+ # pause: 1
+
injector:
# True if you want to enable vault agent injection.
# @default: global.enabled
--
2.34.1


@ -1,112 +0,0 @@
From fda70b8f0e34be97e9c80251afdec45518314ab1 Mon Sep 17 00:00:00 2001
From: Greg Waines <greg.waines@windriver.com>
Date: Sat, 5 Nov 2022 20:14:58 -0400
Subject: [PATCH] Add vault manager repository to values.yaml
Add image repository for vault-manager pod
Add timing parameters for the vault-manager main function, rate at which
to check for and unseal vault pods.
Add timing parameters for the vault API. These parameters tune the
timing of unsealing the vault server/raft, queries and operations for
vault rekey.
Add option to enable/disable rekey of vault after conversion of storage
backend from PVC to k8s secrets.
Add option to select kubectl version.
Signed-off-by: Michel Thebeau <michel.thebeau@windriver.com>
---
values.yaml | 74 +++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 74 insertions(+)
diff --git a/values.yaml b/values.yaml
index 9e35ac8..3e311d6 100644
--- a/values.yaml
+++ b/values.yaml
@@ -40,6 +40,80 @@ global:
# See the top level serverTelemetry section below before enabling this feature.
prometheusOperator: false
+manager:
+ image:
+ repository: starlingx/stx-vault-manager
+ tag: stx.9.0-v1.28.6-1
+
+ # Rate at which vault-manager checks status of vault servers.
+ # After initialization of the raft, Vault manager will loop forever
+ # checking the pods for vault servers that need to be unsealed.
+ # This value is the sleep, in seconds, between intervals. Value
+ # must be a positive integer
+ statusCheckRate: 5
+
+ # After initial configuration, in combination with statusCheckRate,
+ # the amount of time to wait before unsealing a recovering vault
+ # server. The option is intended to allow the active vault server
+ # time to start sending heartbeats to the recovering pod before
+ # unsealing the server.
+ #
+ # A value of 0 indicates no wait time: unseal the vault server without
+ # delay. The wait time is statusCheckRate * unsealWaitIntervals.
+ # Default is 5 s/interval * 3 intervals == 15 seconds.
+ #
+ unsealWaitIntervals: 3
+
+ api:
+ # Network timeout for queries to vault server /sys/health endpoint
+ #
+ # The maximum time in seconds to wait for a server to respond to
+ # health query. This applies for the HA recovery situations, not the
+ # initialization of vault cluster. Unsetting the value is not
+ # recommended, and defaults to timeout of 120 seconds.
+ #
+ # vault-manager will appear to hang if healthQueryTimeout is
+ # over-large. This setting affects the logs, since vault-manager will
+ # issue a log when the 'sealed' status toggles between true/false and
+ # the 'unknown' value
+ healthQueryTimeout: 2
+
+ # Network timeout for vault API operations against /sys/unseal
+ #
+ # The maximum time in seconds to wait for a server to respond to
+ # the unseal request.
+ unsealOpTimeout: 10
+
+ # Network timeout for queries to vault server /sys/rekey/init
+ # and /sys/rekey/verify
+ #
+ # The maximum time in seconds to wait for a server to respond to
+ # the query.
+ rekeyStatusTimeout: 2
+
+ # Network timeout for vault API operations against /sys/rekey/init
+ # and /sys/rekey/verify
+ #
+ # The maximum time in seconds to wait for a server to respond to
+ # the request.
+ rekeyOpTimeout: 10
+
+ rekey:
+ # During upgrade of the application from PVC storage to storage
+ # using kubernetes, enable vault rekey to run automatically to
+ # resecure the vault with new shards.
+ # See also Hashicorp vault documentation:
+ # https://developer.hashicorp.com/vault/tutorials/operations/rekeying-and-rotating
+ # https://developer.hashicorp.com/vault/api-docs/v1.13.x/system/rekey
+ #
+ enableOnPVCConversion: true
+
+ k8s:
+ # The major/minor version of kubectl client binary to use. Must
+ # exist within the vault manager image for example
+ # client_version: v1.28
+ client_version: ""
+
injector:
# True if you want to enable vault agent injection.
# @default: global.enabled
--
2.34.1


@ -1,42 +0,0 @@
From 06b5719c35c7e75b776ce7bd08c6df32c2dcf9cd Mon Sep 17 00:00:00 2001
From: Tae Park <tae.park@windriver.com>
Date: Mon, 29 Jan 2024 15:24:37 -0500
Subject: [PATCH] Add vault manager termination wait time
Adding configure options for maximum number of tries for checking
PVC removal, and time slept between each tries. Changed the
default to 60 seconds total wait time
Signed-off-by: Tae Park <tae.park@windriver.com>
---
values.yaml | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/values.yaml b/values.yaml
index 1bce118..487b44a 100644
--- a/values.yaml
+++ b/values.yaml
@@ -114,6 +114,20 @@ manager:
# client_version: v1.28
client_version: ""
+ waitTermination:
+ # During upgrade of the application from PVC storage to storage
+ # using kubernetes, wait for previous version of vault manager
+ # to terminate before proceding with the conversion of storage from PVC to
+ # kubernetes secrets.
+ #
+ # The maximum tries before proceding with the conversion of storage
+ # from PVC to kubernetes secrets.
+ maxTries: 12
+
+ # Number of seconds slept between each tries before proceding with
+ # the conversion of storage from PVC to kubernetes secrets.
+ sleepTime: 5
+
# Debugging option to improve log reading, allow more verbose logging
# DEBUG: 1
# INFO: 2
--
2.25.1


@ -1,6 +0,0 @@
0001-Add-vault-manager-repository-to-values.yaml.patch
0001-Add-yaml-for-starlingx-image-handling.patch
0001-Add-log-level-option-for-vault-manager.patch
0001-Add-manager-pause-request-to-helm-values.yaml.patch
0001-Update-vault-version-to-1.14.8.patch
0001-Add-vault-manager-termination-wait-time.patch