diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 44aa9e6fd..b6ab34c92 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -86,7 +86,7 @@ Next, execute the tests with the following commands: ```shell docker run -it --rm -v "${PWD}:/test" openbao-helm-test bats /test/test/unit ``` -It's possible to only run specific bats tests using regular expressions. +It's possible to only run specific bats tests using regular expressions. For example, the following will run only tests with "injector" in the name: ```shell docker run -it --rm -v "${PWD}:/test" openbao-helm-test bats /test/test/unit -f "injector" @@ -123,7 +123,7 @@ may not be properly cleaned up. We recommend recycling the Kubernetes cluster to start from a clean slate. **Note:** There is a Terraform configuration in the -[`test/terraform/`](https://github.com/hashicorp/vault-helm/tree/main/test/terraform) directory +[`test/terraform/`](https://github.com/openbao/openbao-helm/tree/main/test/terraform) directory that can be used to quickly bring up a GKE cluster and configure `kubectl` and `helm` locally. This can be used to quickly spin up a test cluster for acceptance tests. Unit tests _do not_ require a running Kubernetes diff --git a/Makefile b/Makefile index 96503eb69..987363356 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,6 @@ -TEST_IMAGE?=vault-helm-test -GOOGLE_CREDENTIALS?=vault-helm-test.json -CLOUDSDK_CORE_PROJECT?=vault-helm-dev-246514 +TEST_IMAGE?=openbao-helm-test +GOOGLE_CREDENTIALS?=openbao-helm-test.json +CLOUDSDK_CORE_PROJECT?=openbao-helm-dev-246514 # set to run a single test - e.g acceptance/server-ha-enterprise-dr.bats ACCEPTANCE_TESTS?=acceptance @@ -11,7 +11,7 @@ UNIT_TESTS_FILTER?='.*' LOCAL_ACCEPTANCE_TESTS?=false # kind cluster name -KIND_CLUSTER_NAME?=vault-helm +KIND_CLUSTER_NAME?=openbao-helm # kind k8s version KIND_K8S_VERSION?=v1.29.2 
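Review bot: In the Makefile's first hunk the new default `CLOUDSDK_CORE_PROJECT?=openbao-helm-dev-246514` keeps the numeric suffix of the previous project ID, which suggests it came from a search-and-replace rather than from a project that exists. GCP project IDs are globally unique, so if this ID is unowned, acceptance runs either fail or, should someone else register it later, run against a project outside the maintainers' control. Consider dropping the default (`CLOUDSDK_CORE_PROJECT?=`) and failing early in the acceptance target when it is empty. The renamed `GOOGLE_CREDENTIALS?=openbao-helm-test.json` default should also be checked against the repository's ignore rules, which are not visible here; if they still list only the old file name, a service-account key saved under the new name could be committed by accident.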
@@ -40,7 +40,6 @@ else -e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \ -e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \ -e KUBECONFIG=/helm-test/.kube/config \ - -e VAULT_LICENSE_CI=${VAULT_LICENSE_CI} \ -w /helm-test \ $(TEST_IMAGE) \ make acceptance diff --git a/charts/openbao/README.md b/charts/openbao/README.md index 5715d6068..f956ca2ef 100644 --- a/charts/openbao/README.md +++ b/charts/openbao/README.md @@ -10,7 +10,7 @@ Official OpenBao Chart | Name | Email | Url | | ---- | ------ | --- | -| OpenBao | | | +| OpenBao | | | ## Source Code @@ -42,7 +42,7 @@ Kubernetes: `>= 1.27.0-0` | csi.daemonSet.updateStrategy.maxUnavailable | string | `""` | | | csi.daemonSet.updateStrategy.type | string | `"RollingUpdate"` | | | csi.debug | bool | `false` | | -| csi.enabled | bool | `false` | True if you want to install a secrets-store-csi-driver-provider-vault daemonset. Requires installing the secrets-store-csi-driver separately, see: https://github.com/kubernetes-sigs/secrets-store-csi-driver#install-the-secrets-store-csi-driver With the driver and provider installed, you can mount Vault secrets into volumes similar to the Vault Agent injector, and you can also sync those secrets into Kubernetes secrets. | +| csi.enabled | bool | `false` | True if you want to install a secrets-store-csi-driver-provider-vault daemonset. Requires installing the secrets-store-csi-driver separately, see: https://github.com/kubernetes-sigs/secrets-store-csi-driver#install-the-secrets-store-csi-driver With the driver and provider installed, you can mount OpenBao secrets into volumes similar to the OpenBao Agent injector, and you can also sync those secrets into Kubernetes secrets. | | csi.extraArgs | list | `[]` | | | csi.hmacSecretName | string | `""` | | | csi.image.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for csi image. if tag is "latest", set to "Always" | 
@@ -68,10 +68,10 @@ Kubernetes: `>= 1.27.0-0` | csi.resources | object | `{}` | | | csi.serviceAccount.annotations | object | `{}` | | | csi.serviceAccount.extraLabels | object | `{}` | | -| csi.volumeMounts | string | `nil` | volumeMounts is a list of volumeMounts for the main server container. These are rendered via toYaml rather than pre-processed like the extraVolumes value. The purpose is to make it easy to share volumes between containers. | -| csi.volumes | string | `nil` | volumes is a list of volumes made available to all containers. These are rendered via toYaml rather than pre-processed like the extraVolumes value. The purpose is to make it easy to share volumes between containers. | +| csi.volumeMounts | list | `[]` | volumeMounts is a list of volumeMounts for the main server container. These are rendered via toYaml rather than pre-processed like the extraVolumes value. The purpose is to make it easy to share volumes between containers. | +| csi.volumes | list | `[]` | volumes is a list of volumes made available to all containers. These are rendered via toYaml rather than pre-processed like the extraVolumes value. The purpose is to make it easy to share volumes between containers. | | global.enabled | bool | `true` | enabled is the master enabled switch. Setting this to true or false will enable or disable all the components within this chart by default. | -| global.externalVaultAddr | string | `""` | External vault server address for the injector and CSI provider to use. Setting this will disable deployment of a vault server. | +| global.externalVaultAddr | string | `""` | External openbao server address for the injector and CSI provider to use. Setting this will disable deployment of a openbao server. | | global.imagePullSecrets | list | `[]` | Image pull secret to use for registry authentication. Alternatively, the value may be specified as an array of strings. | | global.namespace | string | `""` | The namespace to deploy to. 
Defaults to the `helm` installation namespace. | | global.openshift | bool | `false` | If deploying to OpenShift | @@ -79,7 +79,7 @@ Kubernetes: `>= 1.27.0-0` | global.psp.annotations | string | `"seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default\napparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default\nseccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default\napparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default\n"` | Annotation for PodSecurityPolicy. This is a multi-line templated string map, and can also be set as YAML. | | global.serverTelemetry.prometheusOperator | bool | `false` | Enable integration with the Prometheus Operator See the top level serverTelemetry section below before enabling this feature. | | global.tlsDisable | bool | `true` | TLS for end-to-end encrypted transport | -| injector.affinity | string | `"podAntiAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n - labelSelector:\n matchLabels:\n app.kubernetes.io/name: {{ template \"vault.name\" . }}-agent-injector\n app.kubernetes.io/instance: \"{{ .Release.Name }}\"\n component: webhook\n topologyKey: kubernetes.io/hostname\n"` | | +| injector.affinity | string | `"podAntiAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n - labelSelector:\n matchLabels:\n app.kubernetes.io/name: {{ template \"openbao.name\" . }}-agent-injector\n app.kubernetes.io/instance: \"{{ .Release.Name }}\"\n component: webhook\n topologyKey: kubernetes.io/hostname\n"` | | | injector.agentDefaults.cpuLimit | string | `"500m"` | | | injector.agentDefaults.cpuRequest | string | `"250m"` | | | injector.agentDefaults.memLimit | string | `"128Mi"` | | 
@@ -87,7 +87,7 @@ Kubernetes: `>= 1.27.0-0` | injector.agentDefaults.template | string | `"map"` | | | injector.agentDefaults.templateConfig.exitOnRetryFailure | bool | `true` | | | injector.agentDefaults.templateConfig.staticSecretRenderInterval | string | `""` | | -| injector.agentImage | object | `{"pullPolicy":"IfNotPresent","registry":"quay.io","repository":"openbao/openbao","tag":"2.0.0-alpha20240329"}` | agentImage sets the repo and tag of the Vault image to use for the Vault Agent containers. This should be set to the official Vault image. Vault 1.3.1+ is required. | +| injector.agentImage | object | `{"pullPolicy":"IfNotPresent","registry":"quay.io","repository":"openbao/openbao","tag":"2.0.0-alpha20240329"}` | agentImage sets the repo and tag of the OpenBao image to use for the OpenBao Agent containers. This should be set to the official OpenBao image. OpenBao 1.3.1+ is required. | | injector.agentImage.pullPolicy | string | `"IfNotPresent"` | image pull policy to use for agent image. if tag is "latest", set to "Always" | | injector.agentImage.registry | string | `"quay.io"` | image registry to use for agent image | | injector.agentImage.repository | string | `"openbao/openbao"` | image repo to use for agent image | @@ -98,7 +98,7 @@ Kubernetes: `>= 1.27.0-0` | injector.certs.certName | string | `"tls.crt"` | | | injector.certs.keyName | string | `"tls.key"` | | | injector.certs.secretName | string | `nil` | | -| injector.enabled | string | `"-"` | True if you want to enable vault agent injection. @default: global.enabled | +| injector.enabled | string | `"-"` | True if you want to enable openbao agent injection. @default: global.enabled | | injector.externalVaultAddr | string | `""` | Deprecated: Please use global.externalVaultAddr instead. | | injector.extraEnvironmentVars | object | `{}` | | | injector.extraLabels | object | `{}` | | 
@@ -147,16 +147,16 @@ Kubernetes: `>= 1.27.0-0` | injector.webhook.failurePolicy | string | `"Ignore"` | | | injector.webhook.matchPolicy | string | `"Exact"` | | | injector.webhook.namespaceSelector | object | `{}` | | -| injector.webhook.objectSelector | string | `"matchExpressions:\n- key: app.kubernetes.io/name\n operator: NotIn\n values:\n - {{ template \"vault.name\" . }}-agent-injector\n"` | | +| injector.webhook.objectSelector | string | `"matchExpressions:\n- key: app.kubernetes.io/name\n operator: NotIn\n values:\n - {{ template \"openbao.name\" . }}-agent-injector\n"` | | | injector.webhook.timeoutSeconds | int | `30` | | | injector.webhookAnnotations | object | `{}` | | -| server.affinity | string | `"podAntiAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n - labelSelector:\n matchLabels:\n app.kubernetes.io/name: {{ template \"vault.name\" . }}\n app.kubernetes.io/instance: \"{{ .Release.Name }}\"\n component: server\n topologyKey: kubernetes.io/hostname\n"` | | +| server.affinity | string | `"podAntiAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n - labelSelector:\n matchLabels:\n app.kubernetes.io/name: {{ template \"openbao.name\" . }}\n app.kubernetes.io/instance: \"{{ .Release.Name }}\"\n component: server\n topologyKey: kubernetes.io/hostname\n"` | | | server.annotations | object | `{}` | | | server.auditStorage.accessMode | string | `"ReadWriteOnce"` | | | server.auditStorage.annotations | object | `{}` | | | server.auditStorage.enabled | bool | `false` | | | server.auditStorage.labels | object | `{}` | | -| server.auditStorage.mountPath | string | `"/vault/audit"` | | +| server.auditStorage.mountPath | string | `"/openbao/audit"` | | | server.auditStorage.size | string | `"10Gi"` | | | server.auditStorage.storageClass | string | `nil` | | | server.authDelegator.enabled | bool | `true` | | 
@@ -165,13 +165,13 @@ Kubernetes: `>= 1.27.0-0` | server.dataStorage.annotations | object | `{}` | | | server.dataStorage.enabled | bool | `true` | | | server.dataStorage.labels | object | `{}` | | -| server.dataStorage.mountPath | string | `"/vault/data"` | | +| server.dataStorage.mountPath | string | `"/openbao/data"` | | | server.dataStorage.size | string | `"10Gi"` | | | server.dataStorage.storageClass | string | `nil` | | | server.dev.devRootToken | string | `"root"` | | | server.dev.enabled | bool | `false` | | | server.enabled | string | `"-"` | | -| server.extraArgs | string | `""` | extraArgs is a string containing additional Vault server arguments. | +| server.extraArgs | string | `""` | extraArgs is a string containing additional OpenBao server arguments. | | server.extraContainers | string | `nil` | | | server.extraEnvironmentVars | object | `{}` | | | server.extraInitContainers | list | `[]` | extraInitContainers is a list of init containers. Specified as a YAML list. This is useful if you need to run a script to provision TLS certificates or write out configuration files in a dynamic way. | 
@@ -181,11 +181,11 @@ Kubernetes: `>= 1.27.0-0` | server.extraVolumes | list | `[]` | | | server.ha.apiAddr | string | `nil` | | | server.ha.clusterAddr | string | `nil` | | -| server.ha.config | string | `"ui = true\n\nlistener \"tcp\" {\n tls_disable = 1\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n}\nstorage \"consul\" {\n path = \"vault\"\n address = \"HOST_IP:8500\"\n}\n\nservice_registration \"kubernetes\" {}\n\n# Example configuration for using auto-unseal, using Google Cloud KMS. The\n# GKMS keys must already exist, and the cluster must have a service account\n# that is authorized to access GCP KMS.\n#seal \"gcpckms\" {\n# project = \"vault-helm-dev-246514\"\n# region = \"global\"\n# key_ring = \"vault-helm-unseal-kr\"\n# crypto_key = \"vault-helm-unseal-key\"\n#}\n\n# Example configuration for enabling Prometheus metrics.\n# If you are using Prometheus Operator you can enable a ServiceMonitor resource below.\n# You may wish to enable unauthenticated metrics in the listener block above.\n#telemetry {\n# prometheus_retention_time = \"30s\"\n# disable_hostname = true\n#}\n"` | | +| server.ha.config | string | `"ui = true\n\nlistener \"tcp\" {\n tls_disable = 1\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n}\nstorage \"consul\" {\n path = \"openbao\"\n address = \"HOST_IP:8500\"\n}\n\nservice_registration \"kubernetes\" {}\n\n# Example configuration for using auto-unseal, using Google Cloud KMS. 
The\n# GKMS keys must already exist, and the cluster must have a service account\n# that is authorized to access GCP KMS.\n#seal \"gcpckms\" {\n# project = \"openbao-helm-dev-246514\"\n# region = \"global\"\n# key_ring = \"openbao-helm-unseal-kr\"\n# crypto_key = \"openbao-helm-unseal-key\"\n#}\n\n# Example configuration for enabling Prometheus metrics.\n# If you are using Prometheus Operator you can enable a ServiceMonitor resource below.\n# You may wish to enable unauthenticated metrics in the listener block above.\n#telemetry {\n# prometheus_retention_time = \"30s\"\n# disable_hostname = true\n#}\n"` | | | server.ha.disruptionBudget.enabled | bool | `true` | | | server.ha.disruptionBudget.maxUnavailable | string | `nil` | | | server.ha.enabled | bool | `false` | | -| server.ha.raft.config | string | `"ui = true\n\nlistener \"tcp\" {\n tls_disable = 1\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n # Enable unauthenticated metrics access (necessary for Prometheus Operator)\n #telemetry {\n # unauthenticated_metrics_access = \"true\"\n #}\n}\n\nstorage \"raft\" {\n path = \"/vault/data\"\n}\n\nservice_registration \"kubernetes\" {}\n"` | | +| server.ha.raft.config | string | `"ui = true\n\nlistener \"tcp\" {\n tls_disable = 1\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n # Enable unauthenticated metrics access (necessary for Prometheus Operator)\n #telemetry {\n # unauthenticated_metrics_access = \"true\"\n #}\n}\n\nstorage \"raft\" {\n path = \"/openbao/data\"\n}\n\nservice_registration \"kubernetes\" {}\n"` | | | server.ha.raft.enabled | bool | `false` | | | server.ha.raft.setNodeId | bool | `false` | | | server.ha.replicas | int | `3` | | 
@@ -261,8 +261,8 @@ Kubernetes: `>= 1.27.0-0` | server.serviceAccount.extraLabels | object | `{}` | | | server.serviceAccount.name | string | `""` | | | server.serviceAccount.serviceDiscovery.enabled | bool | `true` | | -| server.shareProcessNamespace | bool | `false` | shareProcessNamespace enables process namespace sharing between Vault and the extraContainers This is useful if Vault must be signaled, e.g. to send a SIGHUP for a log rotation | -| server.standalone.config | string | `"ui = true\n\nlistener \"tcp\" {\n tls_disable = 1\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n # Enable unauthenticated metrics access (necessary for Prometheus Operator)\n #telemetry {\n # unauthenticated_metrics_access = \"true\"\n #}\n}\nstorage \"file\" {\n path = \"/vault/data\"\n}\n\n# Example configuration for using auto-unseal, using Google Cloud KMS. The\n# GKMS keys must already exist, and the cluster must have a service account\n# that is authorized to access GCP KMS.\n#seal \"gcpckms\" {\n# project = \"vault-helm-dev\"\n# region = \"global\"\n# key_ring = \"vault-helm-unseal-kr\"\n# crypto_key = \"vault-helm-unseal-key\"\n#}\n\n# Example configuration for enabling Prometheus metrics in your config.\n#telemetry {\n# prometheus_retention_time = \"30s\"\n# disable_hostname = true\n#}\n"` | | +| server.shareProcessNamespace | bool | `false` | shareProcessNamespace enables process namespace sharing between OpenBao and the extraContainers This is useful if OpenBao must be signaled, e.g. to send a SIGHUP for a log rotation | +| server.standalone.config | string | `"ui = true\n\nlistener \"tcp\" {\n tls_disable = 1\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n # Enable unauthenticated metrics access (necessary for Prometheus Operator)\n #telemetry {\n # unauthenticated_metrics_access = \"true\"\n #}\n}\nstorage \"file\" {\n path = \"/openbao/data\"\n}\n\n# Example configuration for using auto-unseal, using Google Cloud KMS. 
The\n# GKMS keys must already exist, and the cluster must have a service account\n# that is authorized to access GCP KMS.\n#seal \"gcpckms\" {\n# project = \"openbao-helm-dev\"\n# region = \"global\"\n# key_ring = \"openbao-helm-unseal-kr\"\n# crypto_key = \"openbao-helm-unseal-key\"\n#}\n\n# Example configuration for enabling Prometheus metrics in your config.\n#telemetry {\n# prometheus_retention_time = \"30s\"\n# disable_hostname = true\n#}\n"` | | | server.standalone.enabled | string | `"-"` | | | server.statefulSet.annotations | object | `{}` | | | server.statefulSet.securityContext.container | object | `{}` | | @@ -280,7 +280,7 @@ Kubernetes: `>= 1.27.0-0` | serverTelemetry.serviceMonitor.interval | string | `"30s"` | | | serverTelemetry.serviceMonitor.scrapeTimeout | string | `"10s"` | | | serverTelemetry.serviceMonitor.selectors | object | `{}` | | -| ui.activeVaultPodOnly | bool | `false` | | +| ui.activeOpenbaoPodOnly | bool | `false` | | | ui.annotations | object | `{}` | | | ui.enabled | bool | `false` | | | ui.externalPort | int | `8200` | | diff --git a/charts/openbao/templates/NOTES.txt b/charts/openbao/templates/NOTES.txt index 89985f4e6..c89dbd2d7 100644 --- a/charts/openbao/templates/NOTES.txt +++ b/charts/openbao/templates/NOTES.txt @@ -2,7 +2,7 @@ Thank you for installing OpenBao! Now that you have deployed OpenBao, you should look over the docs on using -Vault with Kubernetes available here: +OpenBao with Kubernetes available here: https://openbao.org/docs/ diff --git a/charts/openbao/templates/_helpers.tpl b/charts/openbao/templates/_helpers.tpl index ececc84b3..2650db50b 100644 --- a/charts/openbao/templates/_helpers.tpl +++ b/charts/openbao/templates/_helpers.tpl 
@@ -9,7 +9,7 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). If release name contains chart name it will be used as a full name. */}} -{{- define "vault.fullname" -}} +{{- define "openbao.fullname" -}} {{- if .Values.fullnameOverride -}} {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} {{- else -}} @@ -25,28 +25,28 @@ be used as a full name. {{/* Create chart name and version as used by the chart label. */}} -{{- define "vault.chart" -}} +{{- define "openbao.chart" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} {{- end -}} {{/* Expand the name of the chart. */}} -{{- define "vault.name" -}} +{{- define "openbao.name" -}} {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} {{/* Allow the release namespace to be overridden */}} -{{- define "vault.namespace" -}} +{{- define "openbao.namespace" -}} {{- default .Release.Namespace .Values.global.namespace -}} {{- end -}} {{/* Compute if the csi driver is enabled. */}} -{{- define "vault.csiEnabled" -}} +{{- define "openbao.csiEnabled" -}} {{- $_ := set . "csiEnabled" (or (eq (.Values.csi.enabled | toString) "true") (and (eq (.Values.csi.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} @@ -55,7 +55,7 @@ Compute if the csi driver is enabled. {{/* Compute if the injector is enabled. */}} -{{- define "vault.injectorEnabled" -}} +{{- define "openbao.injectorEnabled" -}} {{- $_ := set . "injectorEnabled" (or (eq (.Values.injector.enabled | toString) "true") (and (eq (.Values.injector.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} 
@@ -64,7 +64,7 @@ Compute if the injector is enabled. {{/* Compute if the server is enabled. */}} -{{- define "vault.serverEnabled" -}} +{{- define "openbao.serverEnabled" -}} {{- $_ := set . "serverEnabled" (or (eq (.Values.server.enabled | toString) "true") (and (eq (.Values.server.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} @@ -73,7 +73,7 @@ Compute if the server is enabled. {{/* Compute if the server serviceaccount is enabled. */}} -{{- define "vault.serverServiceAccountEnabled" -}} +{{- define "openbao.serverServiceAccountEnabled" -}} {{- $_ := set . "serverServiceAccountEnabled" (and (eq (.Values.server.serviceAccount.create | toString) "true" ) @@ -85,7 +85,7 @@ Compute if the server serviceaccount is enabled. {{/* Compute if the server serviceaccount should have a token created and mounted to the serviceaccount. */}} -{{- define "vault.serverServiceAccountSecretCreationEnabled" -}} +{{- define "openbao.serverServiceAccountSecretCreationEnabled" -}} {{- $_ := set . "serverServiceAccountSecretCreationEnabled" (and (eq (.Values.server.serviceAccount.create | toString) "true") @@ -96,7 +96,7 @@ Compute if the server serviceaccount should have a token created and mounted to {{/* Compute if the server auth delegator serviceaccount is enabled. */}} -{{- define "vault.serverAuthDelegator" -}} +{{- define "openbao.serverAuthDelegator" -}} {{- $_ := set . "serverAuthDelegator" (and (eq (.Values.server.authDelegator.enabled | toString) "true" ) 
@@ -110,15 +110,15 @@ Compute if the server auth delegator serviceaccount is enabled. {{/* Compute if the server service is enabled. */}} -{{- define "vault.serverServiceEnabled" -}} -{{- template "vault.serverEnabled" . -}} +{{- define "openbao.serverServiceEnabled" -}} +{{- template "openbao.serverEnabled" . -}} {{- $_ := set . "serverServiceEnabled" (and .serverEnabled (eq (.Values.server.service.enabled | toString) "true")) -}} {{- end -}} {{/* Compute if the ui is enabled. */}} -{{- define "vault.uiEnabled" -}} +{{- define "openbao.uiEnabled" -}} {{- $_ := set . "uiEnabled" (or (eq (.Values.ui.enabled | toString) "true") (and (eq (.Values.ui.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} @@ -129,7 +129,7 @@ Compute the maximum number of unavailable replicas for the PodDisruptionBudget. This defaults to (n/2)-1 where n is the number of members of the server cluster. Add a special case for replicas=1, where it should default to 0 as well. */}} -{{- define "vault.pdb.maxUnavailable" -}} +{{- define "openbao.pdb.maxUnavailable" -}} {{- if eq (int .Values.server.ha.replicas) 1 -}} {{ 0 }} {{- else if .Values.server.ha.disruptionBudget.maxUnavailable -}} @@ -143,8 +143,8 @@ Add a special case for replicas=1, where it should default to 0 as well. Set the variable 'mode' to the server mode requested by the user to simplify template logic. */}} -{{- define "vault.mode" -}} - {{- template "vault.serverEnabled" . -}} +{{- define "openbao.mode" -}} + {{- template "openbao.serverEnabled" . -}} {{- if or (.Values.injector.externalVaultAddr) (.Values.global.externalVaultAddr) -}} {{- $_ := set . "mode" "external" -}} {{- else if not .serverEnabled -}} @@ -163,7 +163,7 @@ template logic. {{/* Set's the replica count based on the different modes configured by user */}} -{{- define "vault.replicas" -}} +{{- define "openbao.replicas" -}} {{ if eq .mode "standalone" }} {{- default 1 -}} {{ else if eq .mode "ha" }} 
@@ -182,11 +182,11 @@ Set's up configmap mounts if this isn't a dev deployment and the user defined a custom configuration. Additionally iterates over any extra volumes the user may have specified (such as a secret with TLS). */}} -{{- define "vault.volumes" -}} +{{- define "openbao.volumes" -}} {{- if and (ne .mode "dev") (or (.Values.server.standalone.config) (.Values.server.ha.config)) }} - name: config configMap: - name: {{ template "vault.fullname" . }}-config + name: {{ template "openbao.fullname" . }}-config {{ end }} {{- range .Values.server.extraVolumes }} - name: userconfig-{{ .name }} @@ -204,11 +204,11 @@ extra volumes the user may have specified (such as a secret with TLS). {{- end -}} {{/* -Set's the args for custom command to render the Vault configuration +Set's the args for custom command to render the OpenBao configuration file with IP addresses to make the out of box experience easier for users looking to use this chart with Consul Helm. */}} -{{- define "vault.args" -}} +{{- define "openbao.args" -}} {{ if or (eq .mode "standalone") (eq .mode "ha") }} - | cp /openbao/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl; @@ -221,14 +221,14 @@ for users looking to use this chart with Consul Helm. /usr/local/bin/docker-entrypoint.sh bao server -config=/tmp/storageconfig.hcl {{ .Values.server.extraArgs }} {{ else if eq .mode "dev" }} - | - /usr/local/bin/docker-entrypoint.sh vault server -dev {{ .Values.server.extraArgs }} + /usr/local/bin/docker-entrypoint.sh bao server -dev {{ .Values.server.extraArgs }} {{ end }} {{- end -}} {{/* Set's additional environment variables based on the mode. */}} -{{- define "vault.envs" -}} +{{- define "openbao.envs" -}} {{ if eq .mode "dev" }} - name: VAULT_DEV_ROOT_TOKEN_ID value: {{ .Values.server.dev.devRootToken }} 
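Review bot: In the `@@ -221,14` hunk the dev-mode command now starts `bao server -dev`, but the `openbao.envs` block that follows still exports the token as `VAULT_DEV_ROOT_TOKEN_ID` and renders it unquoted. Presumably the `bao` binary still honours the `VAULT_`-prefixed name for compatibility, but this should be confirmed, since a dev server that ignored it would not use the configured token. Independently, the value should be quoted so a token that parses as a number or boolean still renders as a string: `value: {{ .Values.server.dev.devRootToken | quote }}`. The `openbao.envs` definition continues past the end of this hunk.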
@@ -241,7 +241,7 @@ Set's additional environment variables based on the mode. Set's which additional volumes should be mounted to the container based on the mode configured. */}} -{{- define "vault.mounts" -}} +{{- define "openbao.mounts" -}} {{ if eq (.Values.server.auditStorage.enabled | toString) "true" }} - name: audit mountPath: {{ .Values.server.auditStorage.mountPath }} @@ -254,12 +254,12 @@ based on the mode configured. {{ end }} {{ if and (ne .mode "dev") (or (.Values.server.standalone.config) (.Values.server.ha.config)) }} - name: config - mountPath: /vault/config + mountPath: /openbao/config {{ end }} {{- range .Values.server.extraVolumes }} - name: userconfig-{{ .name }} readOnly: true - mountPath: {{ .path | default "/vault/userconfig" }}/{{ .name }} + mountPath: {{ .path | default "/openbao/userconfig" }}/{{ .name }} {{- end }} {{- if .Values.server.volumeMounts }} {{- toYaml .Values.server.volumeMounts | nindent 12}} @@ -271,14 +271,14 @@ Set's up the volumeClaimTemplates when data or audit storage is required. HA might not use data storage since Consul is likely it's backend, however, audit storage might be desired by the user. */}} -{{- define "vault.volumeclaims" -}} +{{- define "openbao.volumeclaims" -}} {{- if and (ne .mode "dev") (or .Values.server.dataStorage.enabled .Values.server.auditStorage.enabled) }} volumeClaimTemplates: {{- if and (eq (.Values.server.dataStorage.enabled | toString) "true") (or (eq .mode "standalone") (eq (.Values.server.ha.raft.enabled | toString ) "true" )) }} - metadata: name: data - {{- include "vault.dataVolumeClaim.annotations" . | nindent 6 }} - {{- include "vault.dataVolumeClaim.labels" . | nindent 6 }} + {{- include "openbao.dataVolumeClaim.annotations" . | nindent 6 }} + {{- include "openbao.dataVolumeClaim.labels" . | nindent 6 }} spec: accessModes: - {{ .Values.server.dataStorage.accessMode | default "ReadWriteOnce" }} 
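Review bot: In the `@@ -254,12` hunk the default mount point for `server.extraVolumes` changes from `/vault/userconfig` to `/openbao/userconfig`, which silently moves user-supplied secrets such as TLS certificates and keys. A values file carried over from the previous chart whose listener config references `/vault/userconfig/<name>/tls.crt` would point at files that no longer exist after upgrade, so the server would most likely fail to start. This deserves an upgrade note and a comment at the default, e.g. `{{- /* default moved from /vault/userconfig; set .path to keep the old location */}}`. The `openbao.mounts` definition starts before this hunk.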
@@ -292,8 +292,8 @@ storage might be desired by the user. {{- if eq (.Values.server.auditStorage.enabled | toString) "true" }} - metadata: name: audit - {{- include "vault.auditVolumeClaim.annotations" . | nindent 6 }} - {{- include "vault.auditVolumeClaim.labels" . | nindent 6 }} + {{- include "openbao.auditVolumeClaim.annotations" . | nindent 6 }} + {{- include "openbao.auditVolumeClaim.labels" . | nindent 6 }} spec: accessModes: - {{ .Values.server.auditStorage.accessMode | default "ReadWriteOnce" }} @@ -310,7 +310,7 @@ storage might be desired by the user. {{/* Set's the affinity for pod placement when running in standalone and HA modes. */}} -{{- define "vault.affinity" -}} +{{- define "openbao.affinity" -}} {{- if and (ne .mode "dev") .Values.server.affinity }} affinity: {{ $tp := typeOf .Values.server.affinity }} @@ -340,7 +340,7 @@ Sets the injector affinity for pod placement {{/* Sets the topologySpreadConstraints when running in standalone and HA modes. */}} -{{- define "vault.topologySpreadConstraints" -}} +{{- define "openbao.topologySpreadConstraints" -}} {{- if and (ne .mode "dev") .Values.server.topologySpreadConstraints }} topologySpreadConstraints: {{ $tp := typeOf .Values.server.topologySpreadConstraints }} @@ -371,7 +371,7 @@ Sets the injector topologySpreadConstraints for pod placement {{/* Sets the toleration for pod placement when running in standalone and HA modes. */}} -{{- define "vault.tolerations" -}} +{{- define "openbao.tolerations" -}} {{- if and (ne .mode "dev") .Values.server.tolerations }} tolerations: {{- $tp := typeOf .Values.server.tolerations }} @@ -401,7 +401,7 @@ Sets the injector toleration for pod placement {{/* Set's the node selector for pod placement when running in standalone and HA modes. */}} -{{- define "vault.nodeselector" -}} +{{- define "openbao.nodeselector" -}} {{- if and (ne .mode "dev") .Values.server.nodeSelector }} nodeSelector: {{- $tp := typeOf .Values.server.nodeSelector }} 
@@ -446,10 +446,10 @@ Sets the injector deployment update strategy {{/* Sets extra pod annotations */}} -{{- define "vault.annotations" }} +{{- define "openbao.annotations" }} annotations: {{- if .Values.server.includeConfigAnnotation }} - vault.hashicorp.com/config-checksum: {{ include "vault.config" . | sha256sum }} + openbao.hashicorp.com/config-checksum: {{ include "openbao.config" . | sha256sum }} {{- end }} {{- if .Values.server.annotations }} {{- $tp := typeOf .Values.server.annotations }} @@ -555,7 +555,7 @@ securityContext for the statefulset pod template. {{- end -}} {{/* -securityContext for the statefulset vault container +securityContext for the statefulset openbao container */}} {{- define "server.statefulSet.securityContext.container" -}} {{- if .Values.server.statefulSet.securityContext.container }} @@ -622,7 +622,7 @@ Set's the injector webhook objectSelector {{/* Sets extra ui service annotations */}} -{{- define "vault.ui.annotations" -}} +{{- define "openbao.ui.annotations" -}} {{- if .Values.ui.annotations }} annotations: {{- $tp := typeOf .Values.ui.annotations }} @@ -637,9 +637,9 @@ Sets extra ui service annotations {{/* Create the name of the service account to use */}} -{{- define "vault.serviceAccount.name" -}} +{{- define "openbao.serviceAccount.name" -}} {{- if .Values.server.serviceAccount.create -}} - {{ default (include "vault.fullname" .) .Values.server.serviceAccount.name }} + {{ default (include "openbao.fullname" .) .Values.server.serviceAccount.name }} {{- else -}} {{ default "default" .Values.server.serviceAccount.name }} {{- end -}} @@ -648,7 +648,7 @@ Create the name of the service account to use {{/* Sets extra service account annotations */}} -{{- define "vault.serviceAccount.annotations" -}} +{{- define "openbao.serviceAccount.annotations" -}} {{- if and (ne .mode "dev") .Values.server.serviceAccount.annotations }} annotations: {{- $tp := typeOf .Values.server.serviceAccount.annotations }} 
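Review bot: In the `@@ -446,10` hunk the checksum annotation key becomes `openbao.hashicorp.com/config-checksum`, a prefix under a domain that the rest of this rename moves away from and that the OpenBao project presumably does not control. Annotation prefixes are meant to be DNS names owned by whoever defines the key, so a project-owned prefix such as `openbao.org/config-checksum` (NOTES.txt already points at openbao.org) would avoid collisions and confusion with HashiCorp tooling. The same line now includes `"openbao.config"`; no hunk visible here renames that definition, so confirm it exists under the new name, otherwise rendering fails whenever `server.includeConfigAnnotation` is set. The `openbao.annotations` definition continues past the end of this hunk.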
@@ -663,7 +663,7 @@ Sets extra service account annotations {{/* Sets extra ingress annotations */}} -{{- define "vault.ingress.annotations" -}} +{{- define "openbao.ingress.annotations" -}} {{- if .Values.server.ingress.annotations }} annotations: {{- $tp := typeOf .Values.server.ingress.annotations }} @@ -678,7 +678,7 @@ Sets extra ingress annotations {{/* Sets extra route annotations */}} -{{- define "vault.route.annotations" -}} +{{- define "openbao.route.annotations" -}} {{- if .Values.server.route.annotations }} annotations: {{- $tp := typeOf .Values.server.route.annotations }} @@ -691,9 +691,9 @@ Sets extra route annotations {{- end -}} {{/* -Sets extra vault server Service annotations +Sets extra openbao server Service annotations */}} -{{- define "vault.service.annotations" -}} +{{- define "openbao.service.annotations" -}} {{- if .Values.server.service.annotations }} {{- $tp := typeOf .Values.server.service.annotations }} {{- if eq $tp "string" }} @@ -705,9 +705,9 @@ Sets extra vault server Service annotations {{- end -}} {{/* -Sets extra vault server Service (active) annotations +Sets extra openbao server Service (active) annotations */}} -{{- define "vault.service.active.annotations" -}} +{{- define "openbao.service.active.annotations" -}} {{- if .Values.server.service.active.annotations }} {{- $tp := typeOf .Values.server.service.active.annotations }} {{- if eq $tp "string" }} @@ -718,9 +718,9 @@ Sets extra vault server Service (active) annotations {{- end }} {{- end -}} {{/* -Sets extra vault server Service annotations +Sets extra openbao server Service annotations */}} -{{- define "vault.service.standby.annotations" -}} +{{- define "openbao.service.standby.annotations" -}} {{- if .Values.server.service.standby.annotations }} {{- $tp := typeOf .Values.server.service.standby.annotations }} {{- if eq $tp "string" }} 
@@ -734,7 +734,7 @@ Sets extra vault server Service annotations {{/* Sets PodSecurityPolicy annotations */}} -{{- define "vault.psp.annotations" -}} +{{- define "openbao.psp.annotations" -}} {{- if .Values.global.psp.annotations }} annotations: {{- $tp := typeOf .Values.global.psp.annotations }} @@ -749,7 +749,7 @@ Sets PodSecurityPolicy annotations {{/* Sets extra statefulset annotations */}} -{{- define "vault.statefulSet.annotations" -}} +{{- define "openbao.statefulSet.annotations" -}} {{- if .Values.server.statefulSet.annotations }} annotations: {{- $tp := typeOf .Values.server.statefulSet.annotations }} @@ -764,7 +764,7 @@ Sets extra statefulset annotations {{/* Sets VolumeClaim annotations for data volume */}} -{{- define "vault.dataVolumeClaim.annotations" -}} +{{- define "openbao.dataVolumeClaim.annotations" -}} {{- if and (ne .mode "dev") (.Values.server.dataStorage.enabled) (.Values.server.dataStorage.annotations) }} annotations: {{- $tp := typeOf .Values.server.dataStorage.annotations }} @@ -779,7 +779,7 @@ Sets VolumeClaim annotations for data volume {{/* Sets VolumeClaim labels for data volume */}} -{{- define "vault.dataVolumeClaim.labels" -}} +{{- define "openbao.dataVolumeClaim.labels" -}} {{- if and (ne .mode "dev") (.Values.server.dataStorage.enabled) (.Values.server.dataStorage.labels) }} labels: {{- $tp := typeOf .Values.server.dataStorage.labels }} @@ -794,7 +794,7 @@ Sets VolumeClaim labels for data volume {{/* Sets VolumeClaim annotations for audit volume */}} -{{- define "vault.auditVolumeClaim.annotations" -}} +{{- define "openbao.auditVolumeClaim.annotations" -}} {{- if and (ne .mode "dev") (.Values.server.auditStorage.enabled) (.Values.server.auditStorage.annotations) }} annotations: {{- $tp := typeOf .Values.server.auditStorage.annotations }} 
@@ -809,7 +809,7 @@ Sets VolumeClaim annotations for audit volume {{/* Sets VolumeClaim labels for audit volume */}} -{{- define "vault.auditVolumeClaim.labels" -}} +{{- define "openbao.auditVolumeClaim.labels" -}} {{- if and (ne .mode "dev") (.Values.server.auditStorage.enabled) (.Values.server.auditStorage.labels) }} labels: {{- $tp := typeOf .Values.server.auditStorage.labels }} @@ -824,7 +824,7 @@ Sets VolumeClaim labels for audit volume {{/* Set's the container resources if the user has set any. */}} -{{- define "vault.resources" -}} +{{- define "openbao.resources" -}} {{- if .Values.server.resources -}} resources: {{ toYaml .Values.server.resources | indent 12}} @@ -983,7 +983,7 @@ Sets extra CSI service account annotations {{/* Inject extra environment vars in the format key:value, if populated */}} -{{- define "vault.extraEnvironmentVars" -}} +{{- define "openbao.extraEnvironmentVars" -}} {{- if .extraEnvironmentVars -}} {{- range $key, $value := .extraEnvironmentVars }} - name: {{ printf "%s" $key | replace "." "_" | upper | quote }} @@ -995,7 +995,7 @@ Inject extra environment vars in the format key:value, if populated {{/* Inject extra environment populated by secrets, if populated */}} -{{- define "vault.extraSecretEnvironmentVars" -}} +{{- define "openbao.extraSecretEnvironmentVars" -}} {{- if .extraSecretEnvironmentVars -}} {{- range .extraSecretEnvironmentVars }} - name: {{ .envName }} @@ -1008,7 +1008,7 @@ Inject extra environment populated by secrets, if populated {{- end -}} {{/* Scheme for health check and local endpoint */}} -{{- define "vault.scheme" -}} +{{- define "openbao.scheme" -}} {{- if .Values.global.tlsDisable -}} {{ "http" }} {{- else -}} @@ -1071,7 +1071,7 @@ Supported inputs are Values.ui {{/* config file from values */}} -{{- define "vault.config" -}} +{{- define "openbao.config" -}} {{- if or (eq .mode "ha") (eq .mode "standalone") }} {{- $type := typeOf (index .Values.server .mode).config }} {{- if eq $type "string" }} 
diff --git a/charts/openbao/templates/csi-agent-configmap.yaml b/charts/openbao/templates/csi-agent-configmap.yaml index 18cdb04ac..5455b0958 100644 --- a/charts/openbao/templates/csi-agent-configmap.yaml +++ b/charts/openbao/templates/csi-agent-configmap.yaml @@ -3,16 +3,16 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{- template "vault.csiEnabled" . -}} +{{- template "openbao.csiEnabled" . -}} {{- if and (.csiEnabled) (eq (.Values.csi.agent.enabled | toString) "true") -}} apiVersion: v1 kind: ConfigMap metadata: - name: {{ template "vault.fullname" . }}-csi-provider-agent-config - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-csi-provider-agent-config + namespace: {{ include "openbao.namespace" . }} labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} data: @@ -21,7 +21,7 @@ data: {{- if .Values.global.externalVaultAddr }} "address" = "{{ .Values.global.externalVaultAddr }}" {{- else }} - "address" = "{{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }}" + "address" = "{{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }}" {{- end }} } diff --git a/charts/openbao/templates/csi-clusterrole.yaml b/charts/openbao/templates/csi-clusterrole.yaml index 6d979ea40..a3fbb612c 100644 --- a/charts/openbao/templates/csi-clusterrole.yaml +++ b/charts/openbao/templates/csi-clusterrole.yaml 
@@ -3,14 +3,14 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{- template "vault.csiEnabled" . -}} +{{- template "openbao.csiEnabled" . -}} {{- if .csiEnabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: {{ template "vault.fullname" . }}-csi-provider-clusterrole + name: {{ template "openbao.fullname" . }}-csi-provider-clusterrole labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} rules: diff --git a/charts/openbao/templates/csi-clusterrolebinding.yaml b/charts/openbao/templates/csi-clusterrolebinding.yaml index 506ec944a..3c7847af8 100644 --- a/charts/openbao/templates/csi-clusterrolebinding.yaml +++ b/charts/openbao/templates/csi-clusterrolebinding.yaml 
@@ -3,22 +3,22 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{- template "vault.csiEnabled" . -}} +{{- template "openbao.csiEnabled" . -}} {{- if .csiEnabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: {{ template "vault.fullname" . }}-csi-provider-clusterrolebinding + name: {{ template "openbao.fullname" . }}-csi-provider-clusterrolebinding labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: {{ template "vault.fullname" . }}-csi-provider-clusterrole + name: {{ template "openbao.fullname" . }}-csi-provider-clusterrole subjects: - kind: ServiceAccount - name: {{ template "vault.fullname" . }}-csi-provider - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-csi-provider + namespace: {{ include "openbao.namespace" . }} {{- end }} diff --git a/charts/openbao/templates/csi-daemonset.yaml b/charts/openbao/templates/csi-daemonset.yaml index c144af5a3..f3d228457 100644 --- a/charts/openbao/templates/csi-daemonset.yaml +++ b/charts/openbao/templates/csi-daemonset.yaml 
@@ -3,15 +3,15 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{- template "vault.csiEnabled" . -}} +{{- template "openbao.csiEnabled" . -}} {{- if .csiEnabled -}} apiVersion: apps/v1 kind: DaemonSet metadata: - name: {{ template "vault.fullname" . }}-csi-provider - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-csi-provider + namespace: {{ include "openbao.namespace" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- if .Values.csi.daemonSet.extraLabels -}} @@ -27,12 +27,12 @@ spec: {{- end }} selector: matchLabels: - app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider app.kubernetes.io/instance: {{ .Release.Name }} template: metadata: labels: - app.kubernetes.io/name: {{ template "vault.name" . }}-csi-provider + app.kubernetes.io/name: {{ template "openbao.name" . }}-csi-provider app.kubernetes.io/instance: {{ .Release.Name }} {{- if .Values.csi.pod.extraLabels -}} {{- toYaml .Values.csi.pod.extraLabels | nindent 8 -}} 
@@ -43,12 +43,12 @@ spec: {{- if .Values.csi.priorityClassName }} priorityClassName: {{ .Values.csi.priorityClassName }} {{- end }} - serviceAccountName: {{ template "vault.fullname" . }}-csi-provider + serviceAccountName: {{ template "openbao.fullname" . }}-csi-provider {{- template "csi.pod.tolerations" . }} {{- template "csi.pod.nodeselector" . }} {{- template "csi.pod.affinity" . }} containers: - - name: {{ include "vault.name" . }}-csi-provider + - name: {{ include "openbao.name" . }}-csi-provider {{ template "csi.resources" . }} {{ template "csi.daemonSet.securityContext.container" . }} image: "{{ .Values.csi.image.registry | default "docker.io" }}/{{ .Values.csi.image.repository }}:{{ .Values.csi.image.tag }}" @@ -59,7 +59,7 @@ spec: {{- if .Values.csi.hmacSecretName }} - --hmac-secret-name={{ .Values.csi.hmacSecretName }} {{- else }} - - --hmac-secret-name={{- include "vault.name" . }}-csi-provider-hmac-key + - --hmac-secret-name={{- include "openbao.name" . }}-csi-provider-hmac-key {{- end }} {{- if .Values.csi.extraArgs }} {{- toYaml .Values.csi.extraArgs | nindent 12 }} @@ -71,7 +71,7 @@ spec: {{- else if .Values.global.externalVaultAddr }} value: "{{ .Values.global.externalVaultAddr }}" {{- else }} - value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }} + value: {{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }} {{- end }} volumeMounts: - name: providervol 
@@ -102,12 +102,12 @@ spec: successThreshold: {{ .Values.csi.readinessProbe.successThreshold }} timeoutSeconds: {{ .Values.csi.readinessProbe.timeoutSeconds }} {{- if eq (.Values.csi.agent.enabled | toString) "true" }} - - name: {{ include "vault.name" . }}-agent + - name: {{ include "openbao.name" . }}-agent image: "{{ .Values.csi.agent.image.repository }}:{{ .Values.csi.agent.image.tag }}" imagePullPolicy: {{ .Values.csi.agent.image.pullPolicy }} {{ template "csi.agent.resources" . }} command: - - vault + - bao args: - agent - -config=/etc/vault/config.hcl @@ -145,7 +145,7 @@ spec: {{- if eq (.Values.csi.agent.enabled | toString) "true" }} - name: agent-config configMap: - name: {{ template "vault.fullname" . }}-csi-provider-agent-config + name: {{ template "openbao.fullname" . }}-csi-provider-agent-config - name: agent-unix-socket emptyDir: medium: Memory diff --git a/charts/openbao/templates/csi-role.yaml b/charts/openbao/templates/csi-role.yaml index 17e1918b4..a7554a659 100644 --- a/charts/openbao/templates/csi-role.yaml +++ b/charts/openbao/templates/csi-role.yaml @@ -3,15 +3,15 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{- template "vault.csiEnabled" . -}} +{{- template "openbao.csiEnabled" . -}} {{- if .csiEnabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: {{ template "vault.fullname" . }}-csi-provider-role - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-csi-provider-role + namespace: {{ include "openbao.namespace" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} rules: 
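Review bot: The agent sidecar's `command` in csi-daemonset.yaml changes from `vault` to `bao`, which is a behavioural change rather than a rename, and nothing in the hunk ties it to an image that ships that binary. The image still comes from `.Values.csi.agent.image.repository` and `.tag`, whose defaults are not visible here, so an install that keeps or overrides them with an upstream Vault image would fail at container start. Please confirm the values default was switched in the same commit and add a comment above the command such as `# requires an image that provides the bao binary (csi.agent.image.*)`. The args still point at `-config=/etc/vault/config.hcl`, which is fine only as long as the agent-config volume mount (outside this hunk) keeps that path.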
@@ -22,7 +22,7 @@ rules: {{- if .Values.csi.hmacSecretName }} - {{ .Values.csi.hmacSecretName }} {{- else }} - - {{ include "vault.name" . }}-csi-provider-hmac-key + - {{ include "openbao.name" . }}-csi-provider-hmac-key {{- end }} # 'create' permissions cannot be restricted by resource name: # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources diff --git a/charts/openbao/templates/csi-rolebinding.yaml b/charts/openbao/templates/csi-rolebinding.yaml index 3d3b981b8..c46096e14 100644 --- a/charts/openbao/templates/csi-rolebinding.yaml +++ b/charts/openbao/templates/csi-rolebinding.yaml @@ -3,23 +3,23 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{- template "vault.csiEnabled" . -}} +{{- template "openbao.csiEnabled" . -}} {{- if .csiEnabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ template "vault.fullname" . }}-csi-provider-rolebinding - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-csi-provider-rolebinding + namespace: {{ include "openbao.namespace" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: {{ template "vault.fullname" . }}-csi-provider-role + name: {{ template "openbao.fullname" . }}-csi-provider-role subjects: - kind: ServiceAccount - name: {{ template "vault.fullname" . }}-csi-provider - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-csi-provider + namespace: {{ include "openbao.namespace" . }} {{- end }} diff --git a/charts/openbao/templates/csi-serviceaccount.yaml b/charts/openbao/templates/csi-serviceaccount.yaml index 6327a7b2f..2f5d346b8 100644 --- a/charts/openbao/templates/csi-serviceaccount.yaml 
+++ b/charts/openbao/templates/csi-serviceaccount.yaml @@ -3,15 +3,15 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{- template "vault.csiEnabled" . -}} +{{- template "openbao.csiEnabled" . -}} {{- if .csiEnabled -}} apiVersion: v1 kind: ServiceAccount metadata: - name: {{ template "vault.fullname" . }}-csi-provider - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-csi-provider + namespace: {{ include "openbao.namespace" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/name: {{ include "openbao.name" . }}-csi-provider app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- if .Values.csi.serviceAccount.extraLabels -}} diff --git a/charts/openbao/templates/injector-certs-secret.yaml b/charts/openbao/templates/injector-certs-secret.yaml index f6995af10..b5de48bfe 100644 --- a/charts/openbao/templates/injector-certs-secret.yaml +++ b/charts/openbao/templates/injector-certs-secret.yaml @@ -3,17 +3,17 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{- template "vault.injectorEnabled" . -}} +{{- template "openbao.injectorEnabled" . -}} {{- if .injectorEnabled -}} {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} apiVersion: v1 kind: Secret metadata: - name: vault-injector-certs - namespace: {{ include "vault.namespace" . }} + name: openbao-injector-certs + namespace: {{ include "openbao.namespace" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} 
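Review bot: In injector-certs-secret.yaml the Secret name is a literal, `openbao-injector-certs`, not derived from `openbao.fullname`, so renaming it is only safe if the injector image looks the Secret up under the same new name. If the injector still uses a fixed upstream name (not verifiable from this hunk), the Helm-managed Secret stays empty and the injector replicas would create or expect a different, unmanaged one for the webhook's TLS material. Please check the name against the injector build the chart deploys and record the coupling with a comment, e.g. `# name must match the certificate Secret the agent injector reads and writes`. Because the name is not release-scoped, two releases in one namespace would also share this Secret.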
diff --git a/charts/openbao/templates/injector-clusterrole.yaml b/charts/openbao/templates/injector-clusterrole.yaml index df603f250..10ea35c17 100644 --- a/charts/openbao/templates/injector-clusterrole.yaml +++ b/charts/openbao/templates/injector-clusterrole.yaml @@ -3,14 +3,14 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{- template "vault.injectorEnabled" . -}} +{{- template "openbao.injectorEnabled" . -}} {{- if .injectorEnabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: {{ template "vault.fullname" . }}-agent-injector-clusterrole + name: {{ template "openbao.fullname" . }}-agent-injector-clusterrole labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} rules: diff --git a/charts/openbao/templates/injector-clusterrolebinding.yaml b/charts/openbao/templates/injector-clusterrolebinding.yaml index 82cbce0ce..353ee8ac1 100644 --- a/charts/openbao/templates/injector-clusterrolebinding.yaml +++ b/charts/openbao/templates/injector-clusterrolebinding.yaml 
@@ -3,22 +3,22 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{- template "vault.injectorEnabled" . -}} +{{- template "openbao.injectorEnabled" . -}} {{- if .injectorEnabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: {{ template "vault.fullname" . }}-agent-injector-binding + name: {{ template "openbao.fullname" . }}-agent-injector-binding labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: {{ template "vault.fullname" . }}-agent-injector-clusterrole + name: {{ template "openbao.fullname" . }}-agent-injector-clusterrole subjects: - kind: ServiceAccount - name: {{ template "vault.fullname" . }}-agent-injector - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-agent-injector + namespace: {{ include "openbao.namespace" . }} {{ end }} diff --git a/charts/openbao/templates/injector-deployment.yaml b/charts/openbao/templates/injector-deployment.yaml index 242dca65a..7d1cd5b9f 100644 --- a/charts/openbao/templates/injector-deployment.yaml +++ b/charts/openbao/templates/injector-deployment.yaml 
@@ -3,16 +3,16 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{- template "vault.injectorEnabled" . -}} +{{- template "openbao.injectorEnabled" . -}} {{- if .injectorEnabled -}} # Deployment for the injector apiVersion: apps/v1 kind: Deployment metadata: - name: {{ template "vault.fullname" . }}-agent-injector - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-agent-injector + namespace: {{ include "openbao.namespace" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} component: webhook @@ -20,14 +20,14 @@ spec: replicas: {{ .Values.injector.replicas }} selector: matchLabels: - app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} component: webhook {{ template "injector.strategy" . }} template: metadata: labels: - app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} component: webhook {{- if .Values.injector.extraLabels -}} @@ -42,7 +42,7 @@ spec: {{- if .Values.injector.priorityClassName }} priorityClassName: {{ .Values.injector.priorityClassName }} {{- end }} - serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector" + serviceAccountName: "{{ template "openbao.fullname" . }}-agent-injector" {{ template "injector.securityContext.pod" . -}} {{- if not .Values.global.openshift }} hostNetwork: {{ .Values.injector.hostNetwork }} 
@@ -64,7 +64,7 @@ spec: {{- else if .Values.injector.externalVaultAddr }} value: "{{ .Values.injector.externalVaultAddr }}" {{- else }} - value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }} + value: {{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }} {{- end }} - name: AGENT_INJECT_VAULT_AUTH_PATH value: {{ .Values.injector.authPath }} @@ -77,9 +77,9 @@ spec: value: "/etc/webhook/certs/{{ .Values.injector.certs.keyName }}" {{- else }} - name: AGENT_INJECT_TLS_AUTO - value: {{ template "vault.fullname" . }}-agent-injector-cfg + value: {{ template "openbao.fullname" . }}-agent-injector-cfg - name: AGENT_INJECT_TLS_AUTO_HOSTS - value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ include "vault.namespace" . }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ include "vault.namespace" . }}.svc + value: {{ template "openbao.fullname" . }}-agent-injector-svc,{{ template "openbao.fullname" . }}-agent-injector-svc.{{ include "openbao.namespace" . }},{{ template "openbao.fullname" . }}-agent-injector-svc.{{ include "openbao.namespace" . }}.svc {{- end }} - name: AGENT_INJECT_LOG_FORMAT value: {{ .Values.injector.logFormat | default "standard" }} @@ -125,7 +125,7 @@ spec: - name: AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL value: "{{ .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }}" {{- end }} - {{- include "vault.extraEnvironmentVars" .Values.injector | nindent 12 }} + {{- include "openbao.extraEnvironmentVars" .Values.injector | nindent 12 }} - name: POD_NAME valueFrom: fieldRef: diff --git a/charts/openbao/templates/injector-disruptionbudget.yaml b/charts/openbao/templates/injector-disruptionbudget.yaml index 2b2a61c6f..08749bd29 100644 
--- a/charts/openbao/templates/injector-disruptionbudget.yaml +++ b/charts/openbao/templates/injector-disruptionbudget.yaml @@ -7,18 +7,18 @@ SPDX-License-Identifier: MPL-2.0 apiVersion: policy/v1 kind: PodDisruptionBudget metadata: - name: {{ template "vault.fullname" . }}-agent-injector - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-agent-injector + namespace: {{ include "openbao.namespace" . }} labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} component: webhook spec: selector: matchLabels: - app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} component: webhook {{- toYaml .Values.injector.podDisruptionBudget | nindent 2 }} diff --git a/charts/openbao/templates/injector-mutating-webhook.yaml b/charts/openbao/templates/injector-mutating-webhook.yaml index b1de1ee3f..8ffd26712 100644 --- a/charts/openbao/templates/injector-mutating-webhook.yaml +++ b/charts/openbao/templates/injector-mutating-webhook.yaml @@ -3,7 +3,7 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{- template "vault.injectorEnabled" . -}} +{{- template "openbao.injectorEnabled" . -}} {{- if .injectorEnabled -}} {{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }} apiVersion: admissionregistration.k8s.io/v1 
@@ -12,9 +12,9 @@ apiVersion: admissionregistration.k8s.io/v1beta1 {{- end }} kind: MutatingWebhookConfiguration metadata: - name: {{ template "vault.fullname" . }}-agent-injector-cfg + name: {{ template "openbao.fullname" . }}-agent-injector-cfg labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- template "injector.webhookAnnotations" . }} @@ -27,8 +27,8 @@ webhooks: admissionReviewVersions: ["v1", "v1beta1"] clientConfig: service: - name: {{ template "vault.fullname" . }}-agent-injector-svc - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-agent-injector-svc + namespace: {{ include "openbao.namespace" . }} path: "/mutate" caBundle: {{ .Values.injector.certs.caBundle | quote }} rules: diff --git a/charts/openbao/templates/injector-network-policy.yaml b/charts/openbao/templates/injector-network-policy.yaml index 4c3b08782..95df49ec2 100644 --- a/charts/openbao/templates/injector-network-policy.yaml +++ b/charts/openbao/templates/injector-network-policy.yaml 
@@ -3,20 +3,20 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{- template "vault.injectorEnabled" . -}} +{{- template "openbao.injectorEnabled" . -}} {{- if .injectorEnabled -}} {{- if eq (.Values.global.openshift | toString) "true" }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: {{ template "vault.fullname" . }}-agent-injector + name: {{ template "openbao.fullname" . }}-agent-injector labels: - app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} spec: podSelector: matchLabels: - app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} component: webhook ingress: diff --git a/charts/openbao/templates/injector-psp-role.yaml b/charts/openbao/templates/injector-psp-role.yaml index a07f8f6c0..3f42450cb 100644 --- a/charts/openbao/templates/injector-psp-role.yaml +++ b/charts/openbao/templates/injector-psp-role.yaml @@ -3,16 +3,16 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{- template "vault.injectorEnabled" . -}} +{{- template "openbao.injectorEnabled" . -}} {{- if .injectorEnabled -}} {{- if eq (.Values.global.psp.enable | toString) "true" }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: {{ template "vault.fullname" . }}-agent-injector-psp - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-agent-injector-psp + namespace: {{ include "openbao.namespace" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} rules: 
@@ -20,6 +20,6 @@ rules: resources: ['podsecuritypolicies'] verbs: ['use'] resourceNames: - - {{ template "vault.fullname" . }}-agent-injector + - {{ template "openbao.fullname" . }}-agent-injector {{- end }} {{- end }} diff --git a/charts/openbao/templates/injector-psp-rolebinding.yaml b/charts/openbao/templates/injector-psp-rolebinding.yaml index 3c97e8dad..62a609c79 100644 --- a/charts/openbao/templates/injector-psp-rolebinding.yaml +++ b/charts/openbao/templates/injector-psp-rolebinding.yaml @@ -3,24 +3,24 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{- template "vault.injectorEnabled" . -}} +{{- template "openbao.injectorEnabled" . -}} {{- if .injectorEnabled -}} {{- if eq (.Values.global.psp.enable | toString) "true" }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ template "vault.fullname" . }}-agent-injector-psp - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-agent-injector-psp + namespace: {{ include "openbao.namespace" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} roleRef: kind: Role - name: {{ template "vault.fullname" . }}-agent-injector-psp + name: {{ template "openbao.fullname" . }}-agent-injector-psp apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount - name: {{ template "vault.fullname" . }}-agent-injector + name: {{ template "openbao.fullname" . }}-agent-injector {{- end }} {{- end }} \ No newline at end of file diff --git a/charts/openbao/templates/injector-psp.yaml b/charts/openbao/templates/injector-psp.yaml index 0eca9a87c..5c1c58f78 100644 --- a/charts/openbao/templates/injector-psp.yaml +++ b/charts/openbao/templates/injector-psp.yaml 
@@ -3,18 +3,18 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{- template "vault.injectorEnabled" . -}} +{{- template "openbao.injectorEnabled" . -}} {{- if .injectorEnabled -}} {{- if eq (.Values.global.psp.enable | toString) "true" }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: - name: {{ template "vault.fullname" . }}-agent-injector + name: {{ template "openbao.fullname" . }}-agent-injector labels: - app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- template "vault.psp.annotations" . }} +{{- template "openbao.psp.annotations" . }} spec: privileged: false # Required to prevent escalations to root. diff --git a/charts/openbao/templates/injector-role.yaml b/charts/openbao/templates/injector-role.yaml index b2ad0c7b9..2e29aa7bd 100644 --- a/charts/openbao/templates/injector-role.yaml +++ b/charts/openbao/templates/injector-role.yaml @@ -3,16 +3,16 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{- template "vault.injectorEnabled" . -}} +{{- template "openbao.injectorEnabled" . -}} {{- if .injectorEnabled -}} {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-agent-injector-leader-elector-role + namespace: {{ include "openbao.namespace" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} rules: 
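Review bot: The injector-psp.yaml hunk (first on this line) keeps `apiVersion: policy/v1beta1` with `kind: PodSecurityPolicy` on the new side, an API that Kubernetes removed in v1.25, while the chart README states `Kubernetes: >= 1.27.0-0`. On a supported cluster, setting `global.psp.enable` to true should therefore produce a manifest the API server does not recognise, and the `privileged: false` restriction in it would never be enforced. The same gate appears in injector-psp-role.yaml, injector-psp-rolebinding.yaml and the server-psp templates, so consider dropping them in a follow-up. At minimum, mark them with `{{- /* PodSecurityPolicy was removed in Kubernetes 1.25; use Pod Security Admission instead */ -}}`. The PSP spec continues outside the hunk.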
diff --git a/charts/openbao/templates/injector-rolebinding.yaml b/charts/openbao/templates/injector-rolebinding.yaml index 6ad25ca69..8e460c4bc 100644 --- a/charts/openbao/templates/injector-rolebinding.yaml +++ b/charts/openbao/templates/injector-rolebinding.yaml @@ -3,25 +3,25 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{- template "vault.injectorEnabled" . -}} +{{- template "openbao.injectorEnabled" . -}} {{- if .injectorEnabled -}} {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-binding - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-agent-injector-leader-elector-binding + namespace: {{ include "openbao.namespace" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role + name: {{ template "openbao.fullname" . }}-agent-injector-leader-elector-role subjects: - kind: ServiceAccount - name: {{ template "vault.fullname" . }}-agent-injector - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-agent-injector + namespace: {{ include "openbao.namespace" . }} {{- end }} {{- end }} \ No newline at end of file diff --git a/charts/openbao/templates/injector-service.yaml b/charts/openbao/templates/injector-service.yaml index 1479cd1ab..1a7467cab 100644 --- a/charts/openbao/templates/injector-service.yaml +++ b/charts/openbao/templates/injector-service.yaml 
@@ -3,15 +3,15 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{- template "vault.injectorEnabled" . -}} +{{- template "openbao.injectorEnabled" . -}} {{- if .injectorEnabled -}} apiVersion: v1 kind: Service metadata: - name: {{ template "vault.fullname" . }}-agent-injector-svc - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-agent-injector-svc + namespace: {{ include "openbao.namespace" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{ template "injector.service.annotations" . }} @@ -21,7 +21,7 @@ spec: port: 443 targetPort: {{ .Values.injector.port }} selector: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} component: webhook {{- end }} diff --git a/charts/openbao/templates/injector-serviceaccount.yaml b/charts/openbao/templates/injector-serviceaccount.yaml index 2f91c3d4a..a411788c4 100644 --- a/charts/openbao/templates/injector-serviceaccount.yaml +++ b/charts/openbao/templates/injector-serviceaccount.yaml 
@@ -3,15 +3,15 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{- template "vault.injectorEnabled" . -}} +{{- template "openbao.injectorEnabled" . -}} {{- if .injectorEnabled -}} apiVersion: v1 kind: ServiceAccount metadata: - name: {{ template "vault.fullname" . }}-agent-injector - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-agent-injector + namespace: {{ include "openbao.namespace" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ include "openbao.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{ template "injector.serviceAccount.annotations" . }} diff --git a/charts/openbao/templates/prometheus-prometheusrules.yaml b/charts/openbao/templates/prometheus-prometheusrules.yaml index 7e58a0e52..f3d30b19f 100644 --- a/charts/openbao/templates/prometheus-prometheusrules.yaml +++ b/charts/openbao/templates/prometheus-prometheusrules.yaml @@ -10,10 +10,10 @@ SPDX-License-Identifier: MPL-2.0 apiVersion: monitoring.coreos.com/v1 kind: PrometheusRule metadata: - name: {{ template "vault.fullname" . }} + name: {{ template "openbao.fullname" . }} labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}} @@ -25,7 +25,7 @@ metadata: {{- end }} spec: groups: - - name: {{ include "vault.fullname" . }} + - name: {{ include "openbao.fullname" . }} rules: {{- toYaml .Values.serverTelemetry.prometheusRules.rules | nindent 6 }} {{- end }} 
diff --git a/charts/openbao/templates/prometheus-servicemonitor.yaml b/charts/openbao/templates/prometheus-servicemonitor.yaml index 25d30a468..c5a8ff51a 100644 --- a/charts/openbao/templates/prometheus-servicemonitor.yaml +++ b/charts/openbao/templates/prometheus-servicemonitor.yaml @@ -3,16 +3,16 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{ template "vault.mode" . }} +{{ template "openbao.mode" . }} {{ if or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.serviceMonitor.enabled) }} --- apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: - name: {{ template "vault.fullname" . }} + name: {{ template "openbao.fullname" . }} labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}} @@ -25,18 +25,18 @@ metadata: spec: selector: matchLabels: - app.kubernetes.io/name: {{ template "vault.name" . }} + app.kubernetes.io/name: {{ template "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} {{- if eq .mode "ha" }} - vault-active: "true" + openbao-active: "true" {{- else }} - vault-internal: "true" + openbao-internal: "true" {{- end }} endpoints: - - port: {{ include "vault.scheme" . }} + - port: {{ include "openbao.scheme" . }} interval: {{ .Values.serverTelemetry.serviceMonitor.interval }} scrapeTimeout: {{ .Values.serverTelemetry.serviceMonitor.scrapeTimeout }} - scheme: {{ include "vault.scheme" . | lower }} + scheme: {{ include "openbao.scheme" . | lower }} path: /v1/sys/metrics params: format: 
@@ -45,5 +45,5 @@ spec: insecureSkipVerify: true namespaceSelector: matchNames: - - {{ include "vault.namespace" . }} + - {{ include "openbao.namespace" . }} {{ end }} diff --git a/charts/openbao/templates/server-clusterrolebinding.yaml b/charts/openbao/templates/server-clusterrolebinding.yaml index 14ec838a0..0f851ec1a 100644 --- a/charts/openbao/templates/server-clusterrolebinding.yaml +++ b/charts/openbao/templates/server-clusterrolebinding.yaml @@ -3,7 +3,7 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{ template "vault.serverAuthDelegator" . }} +{{ template "openbao.serverAuthDelegator" . }} {{- if .serverAuthDelegator -}} {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} apiVersion: rbac.authorization.k8s.io/v1 @@ -12,10 +12,10 @@ apiVersion: rbac.authorization.k8s.io/v1beta1 {{- end }} kind: ClusterRoleBinding metadata: - name: {{ template "vault.fullname" . }}-server-binding + name: {{ template "openbao.fullname" . }}-server-binding labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} roleRef: @@ -24,6 +24,6 @@ roleRef: name: system:auth-delegator subjects: - kind: ServiceAccount - name: {{ template "vault.serviceAccount.name" . }} - namespace: {{ include "vault.namespace" . }} -{{ end }} \ No newline at end of file + name: {{ template "openbao.serviceAccount.name" . }} + namespace: {{ include "openbao.namespace" . }} +{{ end }} diff --git a/charts/openbao/templates/server-config-configmap.yaml b/charts/openbao/templates/server-config-configmap.yaml index 1fed2e690..585ae7a9a 100644 --- a/charts/openbao/templates/server-config-configmap.yaml +++ b/charts/openbao/templates/server-config-configmap.yaml 
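Review bot: The first hunk on this line (prometheus-servicemonitor.yaml) carries `insecureSkipVerify: true` as context, so the scrape of `/v1/sys/metrics` is made without verifying the server certificate. The enclosing block starts outside the hunk, so I am assuming this sits under the endpoint's TLS settings. Since the file is being touched anyway, consider making verification configurable from values with a CA supplied by the operator. Failing that, state the trade-off in place with a comment such as `# TLS verification is disabled for the metrics scrape; supply a CA and remove this where possible`.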
@@ -3,7 +3,7 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{ template "vault.mode" . }} +{{ template "openbao.mode" . }} {{- if ne .mode "external" }} {{- if .serverEnabled -}} {{- if ne .mode "dev" -}} @@ -11,20 +11,20 @@ SPDX-License-Identifier: MPL-2.0 apiVersion: v1 kind: ConfigMap metadata: - name: {{ template "vault.fullname" . }}-config - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-config + namespace: {{ include "openbao.namespace" . }} labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- if .Values.server.includeConfigAnnotation }} annotations: - vault.hashicorp.com/config-checksum: {{ include "vault.config" . | sha256sum }} + vault.hashicorp.com/config-checksum: {{ include "openbao.config" . | sha256sum }} {{- end }} data: extraconfig-from-values.hcl: |- - {{ template "vault.config" . }} + {{ template "openbao.config" . }} {{- end }} {{- end }} {{- end }} diff --git a/charts/openbao/templates/server-discovery-role.yaml b/charts/openbao/templates/server-discovery-role.yaml index 0cbdefaff..082ff9965 100644 --- a/charts/openbao/templates/server-discovery-role.yaml +++ b/charts/openbao/templates/server-discovery-role.yaml 
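Review bot: The annotation key in the second server-config-configmap.yaml hunk is still `vault.hashicorp.com/config-checksum`, although its value now comes from `include "openbao.config"`, so the rename is incomplete on that line. Nothing in this diff shows a consumer of the key, so it is unclear whether it has to stay for compatibility. If it is intentional, say so next to it, e.g. `{{- /* key kept under vault.hashicorp.com for compatibility */ -}}`. Otherwise move it to the project's own annotation prefix, together with any unit test that asserts on it.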
@@ -3,18 +3,18 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{ template "vault.mode" . }} +{{ template "openbao.mode" . }} {{- if .serverEnabled -}} {{- if eq .mode "ha" }} {{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - namespace: {{ include "vault.namespace" . }} - name: {{ template "vault.fullname" . }}-discovery-role + namespace: {{ include "openbao.namespace" . }} + name: {{ template "openbao.fullname" . }}-discovery-role labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} rules: diff --git a/charts/openbao/templates/server-discovery-rolebinding.yaml b/charts/openbao/templates/server-discovery-rolebinding.yaml index 87b0f6170..5d3f95e3b 100644 --- a/charts/openbao/templates/server-discovery-rolebinding.yaml +++ b/charts/openbao/templates/server-discovery-rolebinding.yaml @@ -3,7 +3,7 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{ template "vault.mode" . }} +{{ template "openbao.mode" . }} {{- if .serverEnabled -}} {{- if eq .mode "ha" }} {{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }} 
@@ -14,21 +14,21 @@ apiVersion: rbac.authorization.k8s.io/v1beta1 {{- end }} kind: RoleBinding metadata: - name: {{ template "vault.fullname" . }}-discovery-rolebinding - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-discovery-rolebinding + namespace: {{ include "openbao.namespace" . }} labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: {{ template "vault.fullname" . }}-discovery-role + name: {{ template "openbao.fullname" . }}-discovery-role subjects: - kind: ServiceAccount - name: {{ template "vault.serviceAccount.name" . }} - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.serviceAccount.name" . }} + namespace: {{ include "openbao.namespace" . }} {{ end }} {{ end }} {{ end }} diff --git a/charts/openbao/templates/server-disruptionbudget.yaml b/charts/openbao/templates/server-disruptionbudget.yaml index bbe9eb299..7e6660a1b 100644 --- a/charts/openbao/templates/server-disruptionbudget.yaml +++ b/charts/openbao/templates/server-disruptionbudget.yaml @@ -3,7 +3,7 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{ template "vault.mode" . }} +{{ template "openbao.mode" . }} {{- if ne .mode "external" -}} {{- if .serverEnabled -}} {{- if and (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}} 
@@ -12,18 +12,18 @@ SPDX-License-Identifier: MPL-2.0 apiVersion: policy/v1 kind: PodDisruptionBudget metadata: - name: {{ template "vault.fullname" . }} - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }} + namespace: {{ include "openbao.namespace" . }} labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} spec: - maxUnavailable: {{ template "vault.pdb.maxUnavailable" . }} + maxUnavailable: {{ template "openbao.pdb.maxUnavailable" . }} selector: matchLabels: - app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} component: server {{- end -}} diff --git a/charts/openbao/templates/server-ha-active-service.yaml b/charts/openbao/templates/server-ha-active-service.yaml index 9d2abfbb1..334ac306a 100644 --- a/charts/openbao/templates/server-ha-active-service.yaml +++ b/charts/openbao/templates/server-ha-active-service.yaml 
@@ -3,27 +3,27 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{ template "vault.mode" . }} +{{ template "openbao.mode" . }} {{- if ne .mode "external" }} -{{- template "vault.serverServiceEnabled" . -}} +{{- template "openbao.serverServiceEnabled" . -}} {{- if .serverServiceEnabled -}} {{- if eq .mode "ha" }} {{- if eq (.Values.server.service.active.enabled | toString) "true" }} -# Service for active Vault pod +# Service for active OpenBao pod apiVersion: v1 kind: Service metadata: - name: {{ template "vault.fullname" . }}-active - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-active + namespace: {{ include "openbao.namespace" . }} labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} - vault-active: "true" + openbao-active: "true" annotations: -{{- template "vault.service.active.annotations" . }} -{{- template "vault.service.annotations" . }} +{{- template "openbao.service.active.annotations" . }} +{{- template "openbao.service.annotations" . }} spec: {{- if .Values.server.service.type}} type: {{ .Values.server.service.type }} @@ -42,7 +42,7 @@ spec: {{- include "service.externalTrafficPolicy" .Values.server.service }} publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} ports: - - name: {{ include "vault.scheme" . }} + - name: {{ include "openbao.scheme" . }} port: {{ .Values.server.service.port }} targetPort: {{ .Values.server.service.targetPort }} {{- if and (.Values.server.service.activeNodePort) (eq (.Values.server.service.type | toString) "NodePort") }} 
@@ -52,12 +52,12 @@ spec: port: 8201 targetPort: 8201 selector: - app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} component: server - vault-active: "true" + openbao-active: "true" {{- end }} {{- end }} {{- end }} diff --git a/charts/openbao/templates/server-ha-standby-service.yaml b/charts/openbao/templates/server-ha-standby-service.yaml index bae1e2834..9b1ad4dba 100644 --- a/charts/openbao/templates/server-ha-standby-service.yaml +++ b/charts/openbao/templates/server-ha-standby-service.yaml 
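Review bot: The Service selector in this hunk now matches pods on `openbao-active: "true"`, but no pod template in the visible hunks sets that label; presumably the server writes it onto its own pod at runtime. If the server image the chart deploys still writes `vault-active`, the `-active` Service ends up with no endpoints. The same applies to `openbao-active: "false"` in server-ha-standby-service.yaml, and the ServiceMonitor depends on the matching Service labels. Please confirm the label name against the pinned server version and record it in the template, e.g. `# openbao-active is set on the pod by the server, not by this chart`. Upgrading an existing release changes this selector in place, so pods still labelled under the old key would likely drop out of the Service until they are relabelled.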
@@ -3,26 +3,26 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{ template "vault.mode" . }} +{{ template "openbao.mode" . }} {{- if ne .mode "external" }} -{{- template "vault.serverServiceEnabled" . -}} +{{- template "openbao.serverServiceEnabled" . -}} {{- if .serverServiceEnabled -}} {{- if eq .mode "ha" }} {{- if eq (.Values.server.service.standby.enabled | toString) "true" }} -# Service for standby Vault pod +# Service for standby OpenBao pod apiVersion: v1 kind: Service metadata: - name: {{ template "vault.fullname" . }}-standby - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-standby + namespace: {{ include "openbao.namespace" . }} labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} annotations: -{{- template "vault.service.standby.annotations" . }} -{{- template "vault.service.annotations" . }} +{{- template "openbao.service.standby.annotations" . }} +{{- template "openbao.service.annotations" . }} spec: {{- if .Values.server.service.type}} type: {{ .Values.server.service.type }} @@ -41,7 +41,7 @@ spec: {{- include "service.externalTrafficPolicy" .Values.server.service }} publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} ports: - - name: {{ include "vault.scheme" . }} + - name: {{ include "openbao.scheme" . }} port: {{ .Values.server.service.port }} targetPort: {{ .Values.server.service.targetPort }} {{- if and (.Values.server.service.standbyNodePort) (eq (.Values.server.service.type | toString) "NodePort") }} 
@@ -51,12 +51,12 @@ spec: port: 8201 targetPort: 8201 selector: - app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} component: server - vault-active: "false" + openbao-active: "false" {{- end }} {{- end }} {{- end }} diff --git a/charts/openbao/templates/server-headless-service.yaml b/charts/openbao/templates/server-headless-service.yaml index c0f4d3460..0498eb1df 100644 --- a/charts/openbao/templates/server-headless-service.yaml +++ b/charts/openbao/templates/server-headless-service.yaml @@ -3,24 +3,24 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{ template "vault.mode" . }} +{{ template "openbao.mode" . }} {{- if ne .mode "external" }} -{{- template "vault.serverServiceEnabled" . -}} +{{- template "openbao.serverServiceEnabled" . -}} {{- if .serverServiceEnabled -}} -# Service for Vault cluster +# Service for OpenBao cluster apiVersion: v1 kind: Service metadata: - name: {{ template "vault.fullname" . }}-internal - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-internal + namespace: {{ include "openbao.namespace" . }} labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} - vault-internal: "true" + openbao-internal: "true" annotations: -{{ template "vault.service.annotations" .}} +{{ template "openbao.service.annotations" .}} spec: {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} {{- if .Values.server.service.ipFamilyPolicy }} 
@@ -33,14 +33,14 @@ spec: clusterIP: None publishNotReadyAddresses: true ports: - - name: "{{ include "vault.scheme" . }}" + - name: "{{ include "openbao.scheme" . }}" port: {{ .Values.server.service.port }} targetPort: {{ .Values.server.service.targetPort }} - name: https-internal port: 8201 targetPort: 8201 selector: - app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} component: server {{- end }} diff --git a/charts/openbao/templates/server-ingress.yaml b/charts/openbao/templates/server-ingress.yaml index d796bae41..99d4063c6 100644 --- a/charts/openbao/templates/server-ingress.yaml +++ b/charts/openbao/templates/server-ingress.yaml @@ -4,12 +4,12 @@ SPDX-License-Identifier: MPL-2.0 */}} {{- if not .Values.global.openshift }} -{{ template "vault.mode" . }} +{{ template "openbao.mode" . }} {{- if ne .mode "external" }} {{- if .Values.server.ingress.enabled -}} {{- $extraPaths := .Values.server.ingress.extraPaths -}} -{{- $serviceName := include "vault.fullname" . -}} -{{- template "vault.serverServiceEnabled" . -}} +{{- $serviceName := include "openbao.fullname" . -}} +{{- template "openbao.serverServiceEnabled" . -}} {{- if .serverServiceEnabled -}} {{- if and (eq .mode "ha" ) (eq (.Values.server.ingress.activeService | toString) "true") }} {{- $serviceName = printf "%s-%s" $serviceName "active" -}} 
@@ -20,17 +20,17 @@ SPDX-License-Identifier: MPL-2.0 apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: {{ template "vault.fullname" . }} - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }} + namespace: {{ include "openbao.namespace" . }} labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- with .Values.server.ingress.labels }} {{- toYaml . | nindent 4 }} {{- end }} - {{- template "vault.ingress.annotations" . }} + {{- template "openbao.ingress.annotations" . }} spec: {{- if .Values.server.ingress.tls }} tls: diff --git a/charts/openbao/templates/server-network-policy.yaml b/charts/openbao/templates/server-network-policy.yaml index 43dcdb16f..0891a508c 100644 --- a/charts/openbao/templates/server-network-policy.yaml +++ b/charts/openbao/templates/server-network-policy.yaml @@ -7,14 +7,14 @@ SPDX-License-Identifier: MPL-2.0 apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: {{ template "vault.fullname" . }} + name: {{ template "openbao.fullname" . }} labels: - app.kubernetes.io/name: {{ template "vault.name" . }} + app.kubernetes.io/name: {{ template "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} spec: podSelector: matchLabels: - app.kubernetes.io/name: {{ template "vault.name" . }} + app.kubernetes.io/name: {{ template "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} ingress: {{- toYaml .Values.server.networkPolicy.ingress | nindent 4 }} {{- if .Values.server.networkPolicy.egress }} diff --git a/charts/openbao/templates/server-psp-role.yaml b/charts/openbao/templates/server-psp-role.yaml index 64cd6c507..bfb716128 100644 --- a/charts/openbao/templates/server-psp-role.yaml 
+++ b/charts/openbao/templates/server-psp-role.yaml @@ -3,16 +3,16 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{ template "vault.mode" . }} +{{ template "openbao.mode" . }} {{- if .serverEnabled -}} {{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: {{ template "vault.fullname" . }}-psp - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-psp + namespace: {{ include "openbao.namespace" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} rules: @@ -20,6 +20,6 @@ rules: resources: ['podsecuritypolicies'] verbs: ['use'] resourceNames: - - {{ template "vault.fullname" . }} + - {{ template "openbao.fullname" . }} {{- end }} {{- end }} diff --git a/charts/openbao/templates/server-psp-rolebinding.yaml b/charts/openbao/templates/server-psp-rolebinding.yaml index 342f55379..7f8bb9752 100644 --- a/charts/openbao/templates/server-psp-rolebinding.yaml +++ b/charts/openbao/templates/server-psp-rolebinding.yaml 
@@ -3,24 +3,24 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{ template "vault.mode" . }} +{{ template "openbao.mode" . }} {{- if .serverEnabled -}} {{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ template "vault.fullname" . }}-psp - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-psp + namespace: {{ include "openbao.namespace" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} roleRef: kind: Role - name: {{ template "vault.fullname" . }}-psp + name: {{ template "openbao.fullname" . }}-psp apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount - name: {{ template "vault.fullname" . }} + name: {{ template "openbao.fullname" . }} {{- end }} {{- end }} diff --git a/charts/openbao/templates/server-psp.yaml b/charts/openbao/templates/server-psp.yaml index 567e66245..d7c396a78 100644 --- a/charts/openbao/templates/server-psp.yaml +++ b/charts/openbao/templates/server-psp.yaml 
@@ -3,18 +3,18 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{ template "vault.mode" . }} +{{ template "openbao.mode" . }} {{- if .serverEnabled -}} {{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: - name: {{ template "vault.fullname" . }} + name: {{ template "openbao.fullname" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- template "vault.psp.annotations" . }} +{{- template "openbao.psp.annotations" . }} spec: privileged: false # Required to prevent escalations to root. diff --git a/charts/openbao/templates/server-route.yaml b/charts/openbao/templates/server-route.yaml index 4e955555a..4c350d7d6 100644 --- a/charts/openbao/templates/server-route.yaml +++ b/charts/openbao/templates/server-route.yaml 
@@ -6,24 +6,24 @@ SPDX-License-Identifier: MPL-2.0 {{- if .Values.global.openshift }} {{- if ne .mode "external" }} {{- if .Values.server.route.enabled -}} -{{- $serviceName := include "vault.fullname" . -}} +{{- $serviceName := include "openbao.fullname" . -}} {{- if and (eq .mode "ha" ) (eq (.Values.server.route.activeService | toString) "true") }} {{- $serviceName = printf "%s-%s" $serviceName "active" -}} {{- end }} kind: Route apiVersion: route.openshift.io/v1 metadata: - name: {{ template "vault.fullname" . }} - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }} + namespace: {{ include "openbao.namespace" . }} labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- with .Values.server.route.labels }} {{- toYaml . | nindent 4 }} {{- end }} - {{- template "vault.route.annotations" . }} + {{- template "openbao.route.annotations" . }} spec: host: {{ .Values.server.route.host }} to: diff --git a/charts/openbao/templates/server-service.yaml b/charts/openbao/templates/server-service.yaml index c12e190cb..73e5b066d 100644 --- a/charts/openbao/templates/server-service.yaml +++ b/charts/openbao/templates/server-service.yaml 
@@ -3,23 +3,23 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{ template "vault.mode" . }} +{{ template "openbao.mode" . }} {{- if ne .mode "external" }} -{{- template "vault.serverServiceEnabled" . -}} +{{- template "openbao.serverServiceEnabled" . -}} {{- if .serverServiceEnabled -}} -# Service for Vault cluster +# Service for OpenBao cluster apiVersion: v1 kind: Service metadata: - name: {{ template "vault.fullname" . }} - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }} + namespace: {{ include "openbao.namespace" . }} labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} annotations: -{{ template "vault.service.annotations" .}} +{{ template "openbao.service.annotations" .}} spec: {{- if .Values.server.service.type}} type: {{ .Values.server.service.type }} @@ -40,7 +40,7 @@ spec: # since this DNS is also used for join operations. publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} ports: - - name: {{ include "vault.scheme" . }} + - name: {{ include "openbao.scheme" . }} port: {{ .Values.server.service.port }} targetPort: {{ .Values.server.service.targetPort }} {{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }} @@ -50,7 +50,7 @@ spec: port: 8201 targetPort: 8201 selector: - app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} 
diff --git a/charts/openbao/templates/server-serviceaccount-secret.yaml b/charts/openbao/templates/server-serviceaccount-secret.yaml index 74d70f900..e9ab35757 100644 --- a/charts/openbao/templates/server-serviceaccount-secret.yaml +++ b/charts/openbao/templates/server-serviceaccount-secret.yaml @@ -3,19 +3,19 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{ template "vault.serverServiceAccountSecretCreationEnabled" . }} +{{ template "openbao.serverServiceAccountSecretCreationEnabled" . }} {{- if .serverServiceAccountSecretCreationEnabled -}} apiVersion: v1 kind: Secret metadata: - name: {{ template "vault.serviceAccount.name" . }}-token - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.serviceAccount.name" . }}-token + namespace: {{ include "openbao.namespace" . }} annotations: - kubernetes.io/service-account.name: {{ template "vault.serviceAccount.name" . }} + kubernetes.io/service-account.name: {{ template "openbao.serviceAccount.name" . }} labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} type: kubernetes.io/service-account-token -{{ end }} \ No newline at end of file +{{ end }} diff --git a/charts/openbao/templates/server-serviceaccount.yaml b/charts/openbao/templates/server-serviceaccount.yaml index 216ea6178..aa615200a 100644 --- a/charts/openbao/templates/server-serviceaccount.yaml +++ b/charts/openbao/templates/server-serviceaccount.yaml 
@@ -3,20 +3,20 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{ template "vault.serverServiceAccountEnabled" . }} +{{ template "openbao.serverServiceAccountEnabled" . }} {{- if .serverServiceAccountEnabled -}} apiVersion: v1 kind: ServiceAccount metadata: - name: {{ template "vault.serviceAccount.name" . }} - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.serviceAccount.name" . }} + namespace: {{ include "openbao.namespace" . }} labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }} + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- if .Values.server.serviceAccount.extraLabels -}} {{- toYaml .Values.server.serviceAccount.extraLabels | nindent 4 -}} {{- end -}} - {{ template "vault.serviceAccount.annotations" . }} + {{ template "openbao.serviceAccount.annotations" . }} {{ end }} diff --git a/charts/openbao/templates/server-statefulset.yaml b/charts/openbao/templates/server-statefulset.yaml index 997d3f1b7..c4f0840e4 100644 --- a/charts/openbao/templates/server-statefulset.yaml +++ b/charts/openbao/templates/server-statefulset.yaml 
@@ -3,25 +3,25 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{ template "vault.mode" . }} +{{ template "openbao.mode" . }} {{- if ne .mode "external" }} {{- if ne .mode "" }} {{- if .serverEnabled -}} -# StatefulSet to run the actual vault server cluster. +# StatefulSet to run the actual openbao server cluster. apiVersion: apps/v1 kind: StatefulSet metadata: - name: {{ template "vault.fullname" . }} - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }} + namespace: {{ include "openbao.namespace" . }} labels: - app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} - {{- template "vault.statefulSet.annotations" . }} + {{- template "openbao.statefulSet.annotations" . }} spec: - serviceName: {{ template "vault.fullname" . }}-internal + serviceName: {{ template "openbao.fullname" . }}-internal podManagementPolicy: Parallel - replicas: {{ template "vault.replicas" . }} + replicas: {{ template "openbao.replicas" . }} updateStrategy: type: {{ .Values.server.updateStrategyType }} {{- if and (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) (.Values.server.persistentVolumeClaimRetentionPolicy) }} 
@@ -29,30 +29,30 @@ spec: {{- end }} selector: matchLabels: - app.kubernetes.io/name: {{ template "vault.name" . }} + app.kubernetes.io/name: {{ template "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} component: server template: metadata: labels: - helm.sh/chart: {{ template "vault.chart" . }} - app.kubernetes.io/name: {{ template "vault.name" . }} + helm.sh/chart: {{ template "openbao.chart" . }} + app.kubernetes.io/name: {{ template "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} component: server {{- if .Values.server.extraLabels -}} {{- toYaml .Values.server.extraLabels | nindent 8 -}} {{- end -}} - {{ template "vault.annotations" . }} + {{ template "openbao.annotations" . }} spec: - {{ template "vault.affinity" . }} - {{ template "vault.topologySpreadConstraints" . }} - {{ template "vault.tolerations" . }} - {{ template "vault.nodeselector" . }} + {{ template "openbao.affinity" . }} + {{ template "openbao.topologySpreadConstraints" . }} + {{ template "openbao.tolerations" . }} + {{ template "openbao.nodeselector" . }} {{- if .Values.server.priorityClassName }} priorityClassName: {{ .Values.server.priorityClassName }} {{- end }} terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }} - serviceAccountName: {{ template "vault.serviceAccount.name" . }} + serviceAccountName: {{ template "openbao.serviceAccount.name" . }} {{ if .Values.server.shareProcessNamespace }} shareProcessNamespace: true {{ end }} @@ -61,7 +61,7 @@ spec: hostNetwork: {{ .Values.server.hostNetwork }} {{- end }} volumes: - {{ template "vault.volumes" . }} + {{ template "openbao.volumes" . }} - name: home emptyDir: {} {{- if .Values.server.hostAliases }} 
@@ -73,14 +73,14 @@ spec: {{ toYaml .Values.server.extraInitContainers | nindent 8}} {{- end }} containers: - - name: vault - {{ template "vault.resources" . }} + - name: openbao + {{ template "openbao.resources" . }} image: {{ .Values.server.image.registry | default "docker.io" }}/{{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }} imagePullPolicy: {{ .Values.server.image.pullPolicy }} command: - "/bin/sh" - "-ec" - args: {{ template "vault.args" . }} + args: {{ template "openbao.args" . }} {{- template "server.statefulSet.securityContext.container" . }} env: - name: HOST_IP @@ -91,21 +91,21 @@ spec: valueFrom: fieldRef: fieldPath: status.podIP - - name: VAULT_K8S_POD_NAME + - name: BAO_K8S_POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - - name: VAULT_K8S_NAMESPACE + - name: BAO_K8S_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - - name: VAULT_ADDR - value: "{{ include "vault.scheme" . }}://127.0.0.1:8200" - - name: VAULT_API_ADDR + - name: BAO_ADDR + value: "{{ include "openbao.scheme" . }}://127.0.0.1:8200" + - name: BAO_API_ADDR {{- if .Values.server.ha.apiAddr }} value: {{ .Values.server.ha.apiAddr }} {{- else }} - value: "{{ include "vault.scheme" . }}://$(POD_IP):8200" + value: "{{ include "openbao.scheme" . }}://$(POD_IP):8200" {{- end }} - name: SKIP_CHOWN value: "true" 
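Review bot: The container image in the first hunk on this line (`- name: openbao`) still resolves its tag with `default "latest"`, so a release installed without an explicit `server.image.tag` runs whatever build the registry currently serves, and a pod restart can silently change the secrets server's binary. Since this line is already being touched for the rename, I would pin the fallback to the chart's own version, e.g. `{{ .Values.server.image.tag | default .Chart.AppVersion }}`. Whether values.yaml already sets a tag is not visible in this hunk, and the StatefulSet spec continues outside it.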
@@ -115,42 +115,42 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name - - name: VAULT_CLUSTER_ADDR + - name: BAO_CLUSTER_ADDR {{- if .Values.server.ha.clusterAddr }} value: {{ .Values.server.ha.clusterAddr | quote }} {{- else }} - value: "https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201" + value: "https://$(HOSTNAME).{{ template "openbao.fullname" . }}-internal:8201" {{- end }} {{- if and (eq (.Values.server.ha.raft.enabled | toString) "true") (eq (.Values.server.ha.raft.setNodeId | toString) "true") }} - - name: VAULT_RAFT_NODE_ID + - name: BAO_RAFT_NODE_ID valueFrom: fieldRef: fieldPath: metadata.name {{- end }} - name: HOME - value: "/home/vault" + value: "/home/openbao" {{- if .Values.server.logLevel }} - - name: VAULT_LOG_LEVEL + - name: BAO_LOG_LEVEL value: "{{ .Values.server.logLevel }}" {{- end }} {{- if .Values.server.logFormat }} - - name: VAULT_LOG_FORMAT + - name: BAO_LOG_FORMAT value: "{{ .Values.server.logFormat }}" {{- end }} - {{ template "vault.envs" . }} - {{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }} - {{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }} + {{ template "openbao.envs" . }} + {{- include "openbao.extraEnvironmentVars" .Values.server | nindent 12 }} + {{- include "openbao.extraSecretEnvironmentVars" .Values.server | nindent 12 }} volumeMounts: - {{ template "vault.mounts" . }} + {{ template "openbao.mounts" . }} - name: home - mountPath: /home/vault + mountPath: /home/openbao ports: - containerPort: 8200 - name: {{ include "vault.scheme" . }} + name: {{ include "openbao.scheme" . }} - containerPort: 8201 name: https-internal - containerPort: 8202 - name: {{ include "vault.scheme" . }}-rep + name: {{ include "openbao.scheme" . }}-rep {{- if .Values.server.extraPorts -}} {{ toYaml .Values.server.extraPorts | nindent 12}} {{- end }} 
@@ -160,15 +160,15 @@ spec: httpGet: path: {{ .Values.server.readinessProbe.path | quote }} port: {{ .Values.server.readinessProbe.port }} - scheme: {{ include "vault.scheme" . | upper }} + scheme: {{ include "openbao.scheme" . | upper }} {{- else }} - # Check status; unsealed vault servers return 0 + # Check status; unsealed openbao servers return 0 # The exit code reflects the seal status: # 0 - unsealed # 1 - error # 2 - sealed exec: - command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"] + command: ["/bin/sh", "-ec", "bao status -tls-skip-verify"] {{- end }} failureThreshold: {{ .Values.server.readinessProbe.failureThreshold }} initialDelaySeconds: {{ .Values.server.readinessProbe.initialDelaySeconds }} @@ -188,7 +188,7 @@ spec: httpGet: path: {{ .Values.server.livenessProbe.path | quote }} port: {{ .Values.server.livenessProbe.port }} - scheme: {{ include "vault.scheme" . | upper }} + scheme: {{ include "openbao.scheme" . | upper }} {{- end }} failureThreshold: {{ .Values.server.livenessProbe.failureThreshold }} initialDelaySeconds: {{ .Values.server.livenessProbe.initialDelaySeconds }} @@ -197,7 +197,7 @@ spec: timeoutSeconds: {{ .Values.server.livenessProbe.timeoutSeconds }} {{- end }} lifecycle: - # Vault container doesn't receive SIGTERM from Kubernetes + # openbao container doesn't receive SIGTERM from Kubernetes # and after the grace period ends, Kube sends SIGKILL. This # causes issues with graceful shutdowns such as deregistering itself # from Consul (zombie services). @@ -208,7 +208,7 @@ spec: # Adding a sleep here to give the pod eviction a # chance to propagate, so requests will not be made # to this pod while it's terminating - "sleep {{ .Values.server.preStopSleepSeconds }} && kill -SIGTERM $(pidof vault)", + "sleep {{ .Values.server.preStopSleepSeconds }} && kill -SIGTERM $(pidof bao)", ] {{- if .Values.server.postStart }} postStart: 
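Review bot: The exec readiness probe keeps `-tls-skip-verify` on the renamed `bao status` call with no comment saying why that is acceptable. From the env block earlier in this template, `BAO_ADDR` points at `127.0.0.1:8200`, so the unverified connection stays inside the pod; I would record that next to the command, e.g. `# -tls-skip-verify: probe only talks to the loopback BAO_ADDR; do not copy this flag into client-facing commands`. The readinessProbe block starts outside this hunk.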
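Review bot: The preStop hook in the last hunk on this line now runs `kill -SIGTERM $(pidof bao)`, and the readiness probe in the first hunk runs `bao status`, so both hard-code the binary name while the image repository stays user-configurable. With an image whose server process is not named `bao`, `pidof` prints nothing, `kill` fails, and the pod falls through to SIGKILL after the grace period, which is the ungraceful shutdown the comment above the hook warns about. A comment stating the requirement would help: `# requires the server process to be named "bao" in the configured image`. The lifecycle block begins outside the hunk.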
@@ -222,7 +222,7 @@ spec: {{ toYaml .Values.server.extraContainers | nindent 8}} {{- end }} {{- include "imagePullSecrets" . | nindent 6 }} - {{ template "vault.volumeclaims" . }} + {{ template "openbao.volumeclaims" . }} {{ end }} {{ end }} {{ end }} diff --git a/charts/openbao/templates/tests/server-test.yaml b/charts/openbao/templates/tests/server-test.yaml index 028226260..02390de76 100644 --- a/charts/openbao/templates/tests/server-test.yaml +++ b/charts/openbao/templates/tests/server-test.yaml @@ -3,14 +3,14 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{ template "vault.mode" . }} +{{ template "openbao.mode" . }} {{- if ne .mode "external" }} {{- if .serverEnabled -}} apiVersion: v1 kind: Pod metadata: - name: {{ template "vault.fullname" . }}-server-test - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-server-test + namespace: {{ include "openbao.namespace" . }} annotations: "helm.sh/hook": test spec: @@ -21,8 +21,8 @@ spec: imagePullPolicy: {{ .Values.server.image.pullPolicy }} env: - name: VAULT_ADDR - value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }} - {{- include "vault.extraEnvironmentVars" .Values.server | nindent 8 }} + value: {{ include "openbao.scheme" . }}://{{ template "openbao.fullname" . }}.{{ include "openbao.namespace" . }}.svc:{{ .Values.server.service.port }} + {{- include "openbao.extraEnvironmentVars" .Values.server | nindent 8 }} command: - /bin/sh - -c diff --git a/charts/openbao/templates/ui-service.yaml b/charts/openbao/templates/ui-service.yaml index 95370842e..fb18a9acc 100644 --- a/charts/openbao/templates/ui-service.yaml +++ b/charts/openbao/templates/ui-service.yaml 
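Review bot: The test pod in `templates/tests/server-test.yaml` still exports `VAULT_ADDR` (context line in the `@@ -21,8 +21,8 @@` hunk) while the StatefulSet in this same commit moves to `BAO_ADDR`. The test command is outside the hunk, so which CLI it calls cannot be seen here; if that CLI reads only the `BAO_`-prefixed variable, it would ignore this value and the Helm test would not probe the service address rendered on this line. I would rename it to `- name: BAO_ADDR` for consistency, or add a comment saying the legacy name is intentional.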
@@ -3,22 +3,22 @@ Copyright (c) HashiCorp, Inc. SPDX-License-Identifier: MPL-2.0 */}} -{{ template "vault.mode" . }} +{{ template "openbao.mode" . }} {{- if ne .mode "external" }} -{{- template "vault.uiEnabled" . -}} +{{- template "openbao.uiEnabled" . -}} {{- if .uiEnabled -}} apiVersion: v1 kind: Service metadata: - name: {{ template "vault.fullname" . }}-ui - namespace: {{ include "vault.namespace" . }} + name: {{ template "openbao.fullname" . }}-ui + namespace: {{ include "openbao.namespace" . }} labels: - helm.sh/chart: {{ include "vault.chart" . }} - app.kubernetes.io/name: {{ include "vault.name" . }}-ui + helm.sh/chart: {{ include "openbao.chart" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }}-ui app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} - {{- template "vault.ui.annotations" . }} + {{- template "openbao.ui.annotations" . }} spec: {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} {{- if .Values.ui.serviceIPFamilyPolicy }} @@ -29,15 +29,15 @@ spec: {{- end }} {{- end }} selector: - app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/name: {{ include "openbao.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} component: server - {{- if and (.Values.ui.activeVaultPodOnly) (eq .mode "ha") }} - vault-active: "true" + {{- if and (.Values.ui.activeOpenbaoPodOnly) (eq .mode "ha") }} + openbao-active: "true" {{- end }} publishNotReadyAddresses: {{ .Values.ui.publishNotReadyAddresses }} ports: - - name: {{ include "vault.scheme" . }} + - name: {{ include "openbao.scheme" . }} port: {{ .Values.ui.externalPort }} targetPort: {{ .Values.ui.targetPort }} {{- if .Values.ui.serviceNodePort }} diff --git a/charts/openbao/values.schema.json b/charts/openbao/values.schema.json index 976065733..e19fd9489 100644 --- a/charts/openbao/values.schema.json +++ b/charts/openbao/values.schema.json 
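Review bot: The selector in the `@@ -29,15 +29,15 @@` hunk now matches `openbao-active: "true"`, but per the values.yaml comments in this commit that label is one the server pods put on themselves, not something the chart sets. If the configured image still writes `vault-active`, the UI Service with `activeOpenbaoPodOnly` in `ha` mode selects no endpoints, so the label name should be confirmed against the server's Kubernetes service registration. Separately, the values key is renamed from `ui.activeVaultPodOnly` without a fallback, so an existing values file that sets the old key would silently stop restricting the UI Service to the active pod, unless the schema rejects unknown keys, which is not visible here. A compatibility form would be `{{- if and (or .Values.ui.activeOpenbaoPodOnly .Values.ui.activeVaultPodOnly) (eq .mode "ha") }}`.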
@@ -230,7 +230,7 @@ }, "namespace": { "type": "string" - }, + }, "externalVaultAddr": { "type": "string" }, @@ -659,17 +659,6 @@ "string" ] }, - "enterpriseLicense": { - "type": "object", - "properties": { - "secretKey": { - "type": "string" - }, - "secretName": { - "type": "string" - } - } - }, "extraArgs": { "type": "string" }, @@ -1163,7 +1152,7 @@ "ui": { "type": "object", "properties": { - "activeVaultPodOnly": { + "activeOpenbaoPodOnly": { "type": "boolean" }, "annotations": { diff --git a/charts/openbao/values.yaml b/charts/openbao/values.yaml index 6273a1b4a..5513b1073 100644 --- a/charts/openbao/values.yaml +++ b/charts/openbao/values.yaml @@ -1,7 +1,7 @@ # Copyright (c) HashiCorp, Inc. # SPDX-License-Identifier: MPL-2.0 -# Available parameters and their default values for the Vault chart. +# Available parameters and their default values for the OpenBao chart. global: # -- enabled is the master enabled switch. Setting this to true or false @@ -20,8 +20,8 @@ global: # -- TLS for end-to-end encrypted transport tlsDisable: true - # -- External vault server address for the injector and CSI provider to use. - # Setting this will disable deployment of a vault server. + # -- External openbao server address for the injector and CSI provider to use. + # Setting this will disable deployment of a openbao server. externalVaultAddr: "" # -- If deploying to OpenShift @@ -44,7 +44,7 @@ global: prometheusOperator: false injector: - # -- True if you want to enable vault agent injection. @default: global.enabled + # -- True if you want to enable openbao agent injection. @default: global.enabled enabled: "-" replicas: 1 
@@ -75,8 +75,8 @@ injector: # -- image pull policy to use for k8s image. if tag is "latest", set to "Always" pullPolicy: IfNotPresent - # -- agentImage sets the repo and tag of the Vault image to use for the Vault Agent - # containers. This should be set to the official Vault image. Vault 1.3.1+ is + # -- agentImage sets the repo and tag of the OpenBao image to use for the OpenBao Agent + # containers. This should be set to the official OpenBao image. OpenBao 1.3.1+ is # required. agentImage: # -- image registry to use for agent image @@ -88,7 +88,7 @@ injector: # -- image pull policy to use for agent image. if tag is "latest", set to "Always" pullPolicy: IfNotPresent - # The default values for the injected Vault Agent containers. + # The default values for the injected OpenBao Agent containers. agentDefaults: # For more information on configuring resources, see the K8s documentation: # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ @@ -145,7 +145,7 @@ injector: # -- Number of seconds after which the probe times out. timeoutSeconds: 5 - # Mount Path of the Vault Kubernetes Auth Method. + # Mount Path of the OpenBao Kubernetes Auth Method. authPath: "auth/kubernetes" # -- Configures the log verbosity of the injector. @@ -155,7 +155,7 @@ injector: # -- Configures the log format of the injector. Supported log formats: "standard", "json". logFormat: "standard" - # Configures all Vault Agent sidecars to revoke their token when shutting down + # Configures all OpenBao Agent sidecars to revoke their token when shutting down revokeOnShutdown: false webhook: @@ -204,7 +204,7 @@ injector: - key: app.kubernetes.io/name operator: NotIn values: - - {{ template "vault.name" . }}-agent-injector + - {{ template "openbao.name" . }}-agent-injector # Extra annotations to attach to the webhook annotations: {} 
@@ -300,7 +300,7 @@ injector: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchLabels: - app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector + app.kubernetes.io/name: {{ template "openbao.name" . }}-agent-injector app.kubernetes.io/instance: "{{ .Release.Name }}" component: webhook topologyKey: kubernetes.io/hostname @@ -365,8 +365,8 @@ injector: # type: RollingUpdate server: - # If true, or "-" with global.enabled true, Vault server will be installed. - # See vault.mode in _helpers.tpl for implementation details. + # If true, or "-" with global.enabled true, OpenBao server will be installed. + # See openbao.mode in _helpers.tpl for implementation details. enabled: "-" # Resource requests, limits, etc. for the server cluster placement. This @@ -387,11 +387,11 @@ server: # See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies updateStrategyType: "OnDelete" - # Configure the logging verbosity for the Vault server. + # Configure the logging verbosity for the OpenBao server. # Supported log levels include: trace, debug, info, warn, error logLevel: "" - # Configure the logging format for the Vault server. + # Configure the logging format for the OpenBao server. # Supported log formats include: standard, json logFormat: "" @@ -405,7 +405,7 @@ server: # cpu: 250m # Ingress allows ingress services to be created to allow external access - # from Kubernetes to access Vault pods. + # from Kubernetes to access OpenBao pods. # If deployment is on OpenShift, the following block is ignored. # In order to expose the service, use the route section below ingress: @@ -429,7 +429,7 @@ server: pathType: Prefix # When HA mode is enabled and K8s service registration is being used, - # configure the ingress to point to the Vault active service. + # configure the ingress to point to the OpenBao active service. activeService: true hosts: - host: chart-example.local 
@@ -459,7 +459,7 @@ server: enabled: false # When HA mode is enabled and K8s service registration is being used, - # configure the route to point to the Vault active service. + # configure the route to point to the OpenBao active service. activeService: true labels: {} @@ -499,11 +499,11 @@ server: # extraContainers is a list of sidecar containers. Specified as a YAML list. extraContainers: null - # -- shareProcessNamespace enables process namespace sharing between Vault and the extraContainers - # This is useful if Vault must be signaled, e.g. to send a SIGHUP for a log rotation + # -- shareProcessNamespace enables process namespace sharing between OpenBao and the extraContainers + # This is useful if OpenBao must be signaled, e.g. to send a SIGHUP for a log rotation shareProcessNamespace: false - # -- extraArgs is a string containing additional Vault server arguments. + # -- extraArgs is a string containing additional OpenBao server arguments. extraArgs: "" # -- extraPorts is a list of extra ports. Specified as a YAML list. @@ -537,7 +537,7 @@ server: execCommand: [] # - /bin/sh # - -c - # - /vault/userconfig/mylivenessscript/run.sh + # - /openbao/userconfig/mylivenessscript/run.sh # Path for the livenessProbe to use httpGet as the livenessProbe handler path: "/v1/sys/health?standbyok=true" # Port number on which livenessProbe will be checked if httpGet is used as the livenessProbe handler 
@@ -566,30 +566,30 @@ server: postStart: [] # - /bin/sh # - -c - # - /vault/userconfig/myscript/run.sh + # - /openbao/userconfig/myscript/run.sh # extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be # used to include variables required for auto-unseal. extraEnvironmentVars: {} # GOOGLE_REGION: global # GOOGLE_PROJECT: myproject - # GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/myproject/myproject-creds.json + # GOOGLE_APPLICATION_CREDENTIALS: /openbao/userconfig/myproject/myproject-creds.json # extraSecretEnvironmentVars is a list of extra environment variables to set with the stateful set. # These variables take value from existing Secret objects. extraSecretEnvironmentVars: [] # - envName: AWS_SECRET_ACCESS_KEY - # secretName: vault + # secretName: openbao # secretKey: AWS_SECRET_ACCESS_KEY # Deprecated: please use 'volumes' instead. # extraVolumes is a list of extra volumes to mount. These will be exposed - # to Vault in the path `/vault/userconfig//`. The value below is + # to OpenBao in the path `/openbao/userconfig//`. The value below is # an array of objects, examples are shown below. extraVolumes: [] # - type: secret (or "configMap") # name: my-secret - # path: null # default is `/vault/userconfig` + # path: null # default is `/openbao/userconfig` # volumes is a list of volumes made available to all containers. These are rendered # via toYaml rather than pre-processed like the extraVolumes value. @@ -615,7 +615,7 @@ server: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchLabels: - app.kubernetes.io/name: {{ template "vault.name" . }} + app.kubernetes.io/name: {{ template "openbao.name" . }} app.kubernetes.io/instance: "{{ .Release.Name }}" component: server topologyKey: kubernetes.io/hostname 
@@ -671,25 +671,25 @@ server: annotations: {} # Add an annotation to the server configmap and the statefulset pods, - # vaultproject.io/config-checksum, that is a hash of the Vault configuration. + # vaultproject.io/config-checksum, that is a hash of the OpenBao configuration. # This can be used together with an OnDelete deployment strategy to help # identify which pods still need to be deleted during a deployment to pick up # any configuration changes. configAnnotation: false - # Enables a headless service to be used by the Vault Statefulset + # Enables a headless service to be used by the OpenBao Statefulset service: enabled: true - # Enable or disable the vault-active service, which selects Vault pods that - # have labeled themselves as the cluster leader with `vault-active: "true"`. + # Enable or disable the openbao-active service, which selects OpenBao pods that + # have labeled themselves as the cluster leader with `openbao-active: "true"`. active: enabled: true # Extra annotations for the service definition. This can either be YAML or a # YAML-formatted multi-line templated string map of the annotations to apply # to the active service. annotations: {} - # Enable or disable the vault-standby service, which selects Vault pods that - # have labeled themselves as a cluster follower with `vault-active: "false"`. + # Enable or disable the openbao-standby service, which selects OpenBao pods that + # have labeled themselves as a cluster follower with `openbao-active: "false"`. standby: enabled: true # Extra annotations for the service definition. This can either be YAML or a 
@@ -697,19 +697,19 @@ server: # to the standby service. annotations: {} # If enabled, the service selectors will include `app.kubernetes.io/instance: {{ .Release.Name }}` - # When disabled, services may select Vault pods not deployed from the chart. - # Does not affect the headless vault-internal service with `ClusterIP: None` + # When disabled, services may select OpenBao pods not deployed from the chart. + # Does not affect the headless openbao-internal service with `ClusterIP: None` instanceSelector: enabled: true # clusterIP controls whether a Cluster IP address is attached to the - # Vault service within Kubernetes. By default, the Vault service will + # OpenBao service within Kubernetes. By default, the OpenBao service will # be given a Cluster IP address, set to None to disable. When disabled # Kubernetes will create a "headless" service. Headless services can be # used to communicate with pods directly through DNS instead of a round-robin # load balancer. # clusterIP: None - # Configures the service type for the main Vault service. Can be ClusterIP + # Configures the service type for the main OpenBao service. Can be ClusterIP # or NodePort. # type: ClusterIP @@ -753,7 +753,7 @@ server: # will be random if left blank. # standbyNodePort: 30002 - # Port on which Vault server is listening + # Port on which OpenBao server is listening port: 8200 # Target port to which the service should be mapped to targetPort: 8200 @@ -762,7 +762,7 @@ server: # to the service. annotations: {} - # This configures the Vault Statefulset to create a PVC for data + # This configures the OpenBao Statefulset to create a PVC for data # storage when using the file or raft backend storage engines. # See https://developer.hashicorp.com/vault/docs/configuration/storage to know more dataStorage: 
@@ -770,7 +770,7 @@ server: # Size of the PVC created size: 10Gi # Location where the PVC will be mounted. - mountPath: "/vault/data" + mountPath: "/openbao/data" # Name of the storage class to use. If null it will use the # configured default Storage Class. storageClass: null @@ -789,17 +789,17 @@ server: # whenScaled: Retain persistentVolumeClaimRetentionPolicy: {} - # This configures the Vault Statefulset to create a PVC for audit - # logs. Once Vault is deployed, initialized, and unsealed, Vault must + # This configures the OpenBao Statefulset to create a PVC for audit + # logs. Once OpenBao is deployed, initialized, and unsealed, OpenBao must # be configured to use this for audit logs. This will be mounted to - # /vault/audit + # /openbao/audit # See https://developer.hashicorp.com/vault/docs/audit to know more auditStorage: enabled: false # Size of the PVC created size: 10Gi # Location where the PVC will be mounted. - mountPath: "/vault/audit" + mountPath: "/openbao/audit" # Name of the storage class to use. If null it will use the # configured default Storage Class. storageClass: null @@ -810,8 +810,8 @@ server: # Labels to apply to the PVC labels: {} - # Run Vault in "dev" mode. This requires no further setup, no state management, - # and no initialization. This is useful for experimenting with Vault without + # Run OpenBao in "dev" mode. This requires no further setup, no state management, + # and no initialization. This is useful for experimenting with OpenBao without # needing to unseal, store keys, et. al. All data is lost on restart - do not # use dev mode for anything other than experimenting. # See https://developer.hashicorp.com/vault/docs/concepts/dev-server to know more 
@@ -821,7 +821,7 @@ server: # Set VAULT_DEV_ROOT_TOKEN_ID value devRootToken: "root" - # Run Vault in "standalone" mode. This is the default mode that will deploy if + # Run OpenBao in "standalone" mode. This is the default mode that will deploy if # no arguments are given to helm. This requires a PVC for data storage to use # the "file" backend. This mode is not highly available and should not be scaled # past a single replica. @@ -829,7 +829,7 @@ server: enabled: "-" # config is a raw string of default configuration when using a Stateful - # deployment. Default is to use a PersistentVolumeClaim mounted at /vault/data + # deployment. Default is to use a PersistentVolumeClaim mounted at /openbao/data # and store data there. This is only used when using a Replica count of 1, and # using a stateful set. This should be HCL. @@ -850,17 +850,17 @@ server: #} } storage "file" { - path = "/vault/data" + path = "/openbao/data" } # Example configuration for using auto-unseal, using Google Cloud KMS. The # GKMS keys must already exist, and the cluster must have a service account # that is authorized to access GCP KMS. #seal "gcpckms" { - # project = "vault-helm-dev" + # project = "openbao-helm-dev" # region = "global" - # key_ring = "vault-helm-unseal-kr" - # crypto_key = "vault-helm-unseal-key" + # key_ring = "openbao-helm-unseal-kr" + # crypto_key = "openbao-helm-unseal-key" #} # Example configuration for enabling Prometheus metrics in your config. 
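Review bot: The context comment `# Set VAULT_DEV_ROOT_TOKEN_ID value` above `devRootToken: "root"` in the first hunk on this line was left as is, while the server environment variables in the StatefulSet were renamed to the `BAO_` prefix. The template that consumes `devRootToken` is not in this hunk, so the variable name it actually sets should be checked and the comment aligned with it. While touching it, I would spell out the risk in the comment: `# Root token for dev mode; "root" is a well-known value, dev mode only, never on a reachable cluster`.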
@@ -869,29 +869,29 @@ server: # disable_hostname = true #} - # Run Vault in "HA" mode. There are no storage requirements unless the audit log - # persistence is required. In HA mode Vault will configure itself to use Consul + # Run OpenBao in "HA" mode. There are no storage requirements unless the audit log + # persistence is required. In HA mode OpenBao will configure itself to use Consul # for its storage backend. The default configuration provided will work the Consul - # Helm project by default. It is possible to manually configure Vault to use a + # Helm project by default. It is possible to manually configure OpenBao to use a # different HA backend. ha: enabled: false replicas: 3 - # Set the api_addr configuration for Vault HA + # Set the api_addr configuration for OpenBao HA # See https://developer.hashicorp.com/vault/docs/configuration#api_addr # If set to null, this will be set to the Pod IP Address apiAddr: null - # Set the cluster_addr confuguration for Vault HA + # Set the cluster_addr confuguration for OpenBao HA # See https://developer.hashicorp.com/vault/docs/configuration#cluster_addr - # If set to null, this will be set to https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201 + # If set to null, this will be set to https://$(HOSTNAME).{{ template "openbao.fullname" . }}-internal:8201 clusterAddr: null - # Enables Vault's integrated Raft storage. Unlike the typical HA modes where - # Vault's persistence is external (such as Consul), enabling Raft mode will create - # persistent volumes for Vault to store data according to the configuration under server.dataStorage. - # The Vault cluster will coordinate leader elections and failovers internally. + # Enables OpenBao's integrated Raft storage. Unlike the typical HA modes where + # OpenBao's persistence is external (such as Consul), enabling Raft mode will create + # persistent volumes for OpenBao to store data according to the configuration under server.dataStorage. 
+ # The OpenBao cluster will coordinate leader elections and failovers internally. raft: # Enables Raft integrated storage @@ -917,7 +917,7 @@ server: } storage "raft" { - path = "/vault/data" + path = "/openbao/data" } service_registration "kubernetes" {} @@ -939,7 +939,7 @@ server: cluster_address = "[::]:8201" } storage "consul" { - path = "vault" + path = "openbao" address = "HOST_IP:8500" } @@ -949,10 +949,10 @@ server: # GKMS keys must already exist, and the cluster must have a service account # that is authorized to access GCP KMS. #seal "gcpckms" { - # project = "vault-helm-dev-246514" + # project = "openbao-helm-dev-246514" # region = "global" - # key_ring = "vault-helm-unseal-kr" - # crypto_key = "vault-helm-unseal-key" + # key_ring = "openbao-helm-unseal-kr" + # crypto_key = "openbao-helm-unseal-key" #} # Example configuration for enabling Prometheus metrics. @@ -973,7 +973,7 @@ server: maxUnavailable: null # Definition of the serviceAccount used to run Vault. - # These options are also used when using an external Vault server to validate + # These options are also used when using an external OpenBao server to validate # Kubernetes tokens. serviceAccount: # Specifies whether a service account should be created @@ -995,12 +995,12 @@ server: # This should be a YAML map of the labels to apply to the serviceAccount extraLabels: {} # Enable or disable a service account role binding with the permissions required for - # Vault's Kubernetes service_registration config option. + # OpenBao's Kubernetes service_registration config option. # See https://developer.hashicorp.com/vault/docs/configuration/service-registration/kubernetes serviceDiscovery: enabled: true - # Settings for the statefulSet used to run Vault. + # Settings for the statefulSet used to run OpenBao. statefulSet: # Extra annotations for the statefulSet. This can either be YAML or a # YAML-formatted multi-line templated string map of the annotations to apply 
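Review bot: The default HA config now sets `path = "openbao"` in the `storage "consul"` stanza, so a release upgraded with the default config would read a different Consul KV prefix than the one holding its existing data and would presumably come up uninitialized. The raft default `path = "/openbao/data"` has the same effect for anyone who pins `server.dataStorage.mountPath` to the old location. A comment above each stanza such as `# path was "vault" in earlier chart versions; keep the old value when upgrading an existing cluster` would make the migration step explicit.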
@@ -1027,17 +1027,17 @@ server: # Should the server pods run on the host network hostNetwork: false -# Vault UI +# OpenBao UI ui: - # True if you want to create a Service entry for the Vault UI. + # True if you want to create a Service entry for the OpenBao UI. # # serviceType can be used to control the type of service created. For # example, setting this to "LoadBalancer" will create an external load # balancer (for supported K8S installations) to access the UI. enabled: false publishNotReadyAddresses: true - # The service should only contain selectors for active Vault pod - activeVaultPodOnly: false + # The service should only contain selectors for active OpenBao pod + activeOpenbaoPodOnly: false serviceType: "ClusterIP" serviceNodePort: null externalPort: 8200 @@ -1082,8 +1082,8 @@ csi: # Requires installing the secrets-store-csi-driver separately, see: # https://github.com/kubernetes-sigs/secrets-store-csi-driver#install-the-secrets-store-csi-driver # - # With the driver and provider installed, you can mount Vault secrets into volumes - # similar to the Vault Agent injector, and you can also sync those secrets into + # With the driver and provider installed, you can mount OpenBao secrets into volumes + # similar to the OpenBao Agent injector, and you can also sync those secrets into # Kubernetes secrets. enabled: false 
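Review bot: Renaming `ui.activeVaultPodOnly` to `ui.activeOpenbaoPodOnly` drops existing overrides without an error unless the chart's values schema rejects unknown keys, so a deployment that set the old key to `true` would go back to a UI Service that selects every pod. The template that reads this key is not part of this hunk, so confirm it was renamed in the same commit. Consider honouring the old key for one release, or failing the render when it is set.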
@@ -1100,17 +1100,17 @@ csi: # -- volumes is a list of volumes made available to all containers. These are rendered # via toYaml rather than pre-processed like the extraVolumes value. # The purpose is to make it easy to share volumes between containers. - volumes: null + volumes: [] # - name: tls # secret: - # secretName: vault-tls + # secretName: openbao-tls # -- volumeMounts is a list of volumeMounts for the main server container. These are rendered # via toYaml rather than pre-processed like the extraVolumes value. # The purpose is to make it easy to share volumes between containers. - volumeMounts: null + volumeMounts: [] # - name: tls - # mountPath: "/vault/tls" + # mountPath: "/openbao/tls" # readOnly: true resources: {} @@ -1245,16 +1245,16 @@ csi: # for the available command line flags. extraArgs: [] -# Vault is able to collect and publish various runtime metrics. +# OpenBao is able to collect and publish various runtime metrics. # Enabling this feature requires setting adding `telemetry{}` stanza to -# the Vault configuration. There are a few examples included in the `config` sections above. +# the OpenBao configuration. There are a few examples included in the `config` sections above. # # For more information see: # https://developer.hashicorp.com/vault/docs/configuration/telemetry # https://developer.hashicorp.com/vault/docs/internals/telemetry serverTelemetry: # Enable support for the Prometheus Operator. Currently, this chart does not support - # authenticating to Vault's metrics endpoint, so the following `telemetry{}` must be included + # authenticating to OpenBao's metrics endpoint, so the following `telemetry{}` must be included # in the `listener "tcp"{}` stanza # telemetry { # unauthenticated_metrics_access = "true" 
@@ -1262,7 +1262,7 @@ serverTelemetry: # # See the `standalone.config` for a more complete example of this. # - # In addition, a top level `telemetry{}` stanza must also be included in the Vault configuration: + # In addition, a top level `telemetry{}` stanza must also be included in the OpenBao configuration: # # example: # telemetry { @@ -1270,7 +1270,7 @@ serverTelemetry: # disable_hostname = true # } # - # Configuration for monitoring the Vault server. + # Configuration for monitoring the OpenBao server. serviceMonitor: # The Prometheus operator *must* be installed before enabling this feature, # if not the chart will fail to install due to missing CustomResourceDefinitions @@ -1282,7 +1282,7 @@ serverTelemetry: # https://github.com/prometheus-operator/prometheus-operator # https://github.com/prometheus-operator/kube-prometheus - # Enable deployment of the Vault Server ServiceMonitor CustomResource. + # Enable deployment of the OpenBao Server ServiceMonitor CustomResource. enabled: false # Selector labels to add to the ServiceMonitor. @@ -1314,14 +1314,14 @@ serverTelemetry: rules: [] # - alert: vault-HighResponseTime # annotations: - # message: The response time of Vault is over 500ms on average over the last 5 minutes. + # message: The response time of OpenBao is over 500ms on average over the last 5 minutes. # expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500 # for: 5m # labels: # severity: warning # - alert: vault-HighResponseTime # annotations: - # message: The response time of Vault is over 1s on average over the last 5 minutes. + # message: The response time of OpenBao is over 1s on average over the last 5 minutes. # expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000 # for: 5m # labels: diff --git a/test/acceptance/_helpers.bash b/test/acceptance/_helpers.bash index def7d7cf7..c13f09d5c 100644 --- a/test/acceptance/_helpers.bash +++ b/test/acceptance/_helpers.bash 
@@ -3,7 +3,7 @@ # name_prefix returns the prefix of the resources within Kubernetes. name_prefix() { - printf "vault" + printf "openbao" } # chart_dir returns the directory for the chart @@ -11,7 +11,7 @@ chart_dir() { echo ${BATS_TEST_DIRNAME}/../../charts/openbao } -# helm_install installs the vault chart. This will source overridable +# helm_install installs the openbao chart. This will source overridable # values from the "values.yaml" file in this directory. This can be set # by CI or other environments to do test-specific overrides. Note that its # easily possible to break tests this way so be careful. @@ -22,11 +22,11 @@ helm_install() { fi helm install -f ${values} \ - --name vault \ + --name openbao \ ${BATS_TEST_DIRNAME}/../.. } -# helm_install_ha installs the vault chart using HA mode. This will source +# helm_install_ha installs the openbao chart using HA mode. This will source # overridable values from the "values.yaml" file in this directory. This can be # set by CI or other environments to do test-specific overrides. Note that its # easily possible to break tests this way so be careful. @@ -37,7 +37,7 @@ helm_install_ha() { fi helm install -f ${values} \ - --name vault \ + --name openbao \ --set 'server.enabled=false' \ --set 'serverHA.enabled=true' \ ${BATS_TEST_DIRNAME}/../.. @@ -61,15 +61,15 @@ wait_for_sealed_vault() { for i in $(seq 60); do if check ${POD_NAME}; then - echo "Vault on ${POD_NAME} is running." + echo "OpenBao on ${POD_NAME} is running." return fi - echo "Waiting for Vault on ${POD_NAME} to be running..." + echo "Waiting for OpenBao on ${POD_NAME} to be running..." sleep 2 done - echo "Vault on ${POD_NAME} never became running." + echo "OpenBao on ${POD_NAME} never became running." return 1 } 
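Review bot: `helm_install` and `helm_install_ha` still pass `--name openbao` and the chart path `${BATS_TEST_DIRNAME}/../..`, while `chart_dir` in the first hunk of this file points at `${BATS_TEST_DIRNAME}/../../charts/openbao`. `--name` was removed in Helm 3, so these helpers look stale rather than merely renamed; either drop them or change the call to `helm install -f "${values}" openbao "$(chart_dir)"`. Both function bodies start outside their hunks.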
diff --git a/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml b/test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml similarity index 77% rename from test/acceptance/csi-test/vault-kv-secretproviderclass.yaml rename to test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml index d52fab1bc..300676df2 100644 --- a/test/acceptance/csi-test/vault-kv-secretproviderclass.yaml +++ b/test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml @@ -1,13 +1,13 @@ # Copyright (c) HashiCorp, Inc. # SPDX-License-Identifier: MPL-2.0 -# The "Hello World" Vault SecretProviderClass +# The "Hello World" OpenBao SecretProviderClass apiVersion: secrets-store.csi.x-k8s.io/v1 kind: SecretProviderClass metadata: - name: vault-kv + name: openbao-kv spec: - provider: vault + provider: openbao parameters: roleName: "kv-role" objects: | diff --git a/test/acceptance/csi-test/vault-policy.hcl b/test/acceptance/csi-test/openbao-policy.hcl similarity index 100% rename from test/acceptance/csi-test/vault-policy.hcl rename to test/acceptance/csi-test/openbao-policy.hcl diff --git a/test/acceptance/csi.bats b/test/acceptance/csi.bats index 7f18f3368..be5e3b97f 100644 --- a/test/acceptance/csi.bats +++ b/test/acceptance/csi.bats @@ -18,10 +18,10 @@ load _helpers --wait --timeout=5m \ --namespace=acceptance \ --set linux.image.pullPolicy="IfNotPresent" \ - --set tokenRequests[0].audience="vault" \ + --set tokenRequests[0].audience="openbao" \ --set enableSecretRotation=true \ --set rotationPollInterval=5s - # Install Vault and Vault provider + # Install OpenBao and OpenBao provider helm install openbao \ --wait --timeout=5m \ --namespace=acceptance \ 
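Review bot: `provider: openbao` has to match the name under which the CSI provider registers itself with the secrets-store driver, and nothing in this diff shows that the provider binary was renamed from `vault`. If the provider still registers as `vault`, the volume mount for the nginx pod in csi.bats will fail to find a provider. Worth confirming against the provider image the chart deploys and adding a comment such as `# must match the provider name registered by the csi provider daemonset`.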
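Review bot: The driver is now asked for tokens with `tokenRequests[0].audience="openbao"`, but the `auth/kubernetes` role written later in this test and the provider's own audience setting are outside this hunk. If either still expects `vault` the login fails, and if the role sets no audience at all the audience binding is not actually exercised. I would set `audience=openbao` on the role and add `# must match tokenRequests[0].audience` next to it. The test body starts and ends outside this hunk.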
@@ -35,7 +35,7 @@ load _helpers kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao-csi-provider # Set up k8s auth and a kv secret. - cat ./test/acceptance/csi-test/vault-policy.hcl | kubectl --namespace=acceptance exec -i openbao-0 -- openbao policy write kv-policy - + cat ./test/acceptance/csi-test/openbao-policy.hcl | kubectl --namespace=acceptance exec -i openbao-0 -- openbao policy write kv-policy - kubectl --namespace=acceptance exec openbao-0 -- bao auth enable kubernetes kubectl --namespace=acceptance exec openbao-0 -- sh -c 'bao write auth/kubernetes/config \ kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"' @@ -46,7 +46,7 @@ load _helpers ttl=20m kubectl --namespace=acceptance exec openbao-0 -- bao kv put secret/kv1 bar1=hello1 - kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/vault-kv-secretproviderclass.yaml + kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/nginx.yaml kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod nginx @@ -55,7 +55,7 @@ load _helpers for i in $(seq 10); do sleep 2 - if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-agent | grep "secret renewed: path=/v1/auth/kubernetes/login")" ]; then + if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent | grep "secret renewed: path=/v1/auth/kubernetes/login")" ]; then echo "Agent returned a cached login response" return fi 
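Review bot: The policy upload still execs `openbao policy write kv-policy -` inside the pod, while every other command in this test calls the CLI as `bao` (`bao auth enable kubernetes`, `bao kv put`). Unless the image also ships an `openbao` binary, this step fails before auth is configured; the line should end in `exec -i openbao-0 -- bao policy write kv-policy -`. The test body starts and ends outside this hunk.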
@@ -65,8 +65,8 @@ load _helpers # Print the logs and fail the test echo "Failed to find a log for the Agent renewing CSI's auth token" - kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-agent - kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-csi-provider + kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent + kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-csi-provider exit 1 } diff --git a/test/acceptance/injector-test/job.yaml b/test/acceptance/injector-test/job.yaml index 50a3b5f89..b40b57b83 100644 --- a/test/acceptance/injector-test/job.yaml +++ b/test/acceptance/injector-test/job.yaml @@ -38,5 +38,5 @@ spec: - "/bin/sh" - "-ec" args: - - "/usr/bin/pg_dump $(cat /vault/secrets/db-creds) --no-owner > /dev/stdout" + - "/usr/bin/pg_dump $(cat /openbao/secrets/db-creds) --no-owner > /dev/stdout" restartPolicy: Never diff --git a/test/acceptance/injector-test/pg-deployment.yaml b/test/acceptance/injector-test/pg-deployment.yaml index cacc99411..2011a0f9d 100644 --- a/test/acceptance/injector-test/pg-deployment.yaml +++ b/test/acceptance/injector-test/pg-deployment.yaml @@ -38,7 +38,7 @@ spec: - containerPort: 5432 env: - name: POSTGRES_DB - value: mydb + value: mydb - name: POSTGRES_USER value: postgres - name: POSTGRES_PASSWORD @@ -52,7 +52,7 @@ spec: - name: pgdata emptyDir: {} - name: pgconf - configMap: + configMap: name: "pg-init" --- apiVersion: v1 @@ -63,10 +63,10 @@ metadata: app: postgres data: setup.sql: | - CREATE ROLE vault; - ALTER ROLE vault WITH SUPERUSER LOGIN PASSWORD 'vault'; - - \c mydb + CREATE ROLE openbao; + ALTER ROLE openbao WITH SUPERUSER LOGIN PASSWORD 'openbao'; + + \c mydb CREATE SCHEMA app; CREATE TABLE app.inventory(id int); INSERT INTO app.inventory(id) VALUES (0); 
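Review bot: The job now reads `/openbao/secrets/db-creds`, which only exists if the agent injector mounts its secrets volume at that path; the pod annotations are outside this hunk and the injector image is not shown. If the injector still defaults to `/vault/secrets`, `cat` fails and `pg_dump` is invoked without its connection string. Either pin the path with the injector's `secret-volume-path` annotation or keep the old path until the injector default is known to have changed.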
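Review bot: The renamed role in `setup.sql` is still created `WITH SUPERUSER LOGIN PASSWORD 'openbao'`, and the script that configures the database connection (bootstrap.sh, not visible in this chunk) has to carry the same username and password or the injector test breaks. Since fixtures like this tend to be copied, a comment such as `-- test-only credentials; a real deployment should use a non-superuser role with a generated password` would help. The other two hunks in this file are whitespace only.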
diff --git a/test/acceptance/injector.bats b/test/acceptance/injector.bats index a2e8a18cd..c4cf0a110 100644 --- a/test/acceptance/injector.bats +++ b/test/acceptance/injector.bats @@ -17,7 +17,7 @@ load _helpers --from-file ./test/acceptance/injector-test/pgdump-policy.hcl \ --from-file ./test/acceptance/injector-test/bootstrap.sh - kubectl label secret test app=vault-agent-demo + kubectl label secret test app=openbao-agent-demo helm install "$(name_prefix)" \ --set="server.extraVolumes[0].type=secret" \ diff --git a/test/acceptance/server-ha-raft.bats b/test/acceptance/server-ha-raft.bats index c6c1ef481..3f6063c2b 100644 --- a/test/acceptance/server-ha-raft.bats +++ b/test/acceptance/server-ha-raft.bats @@ -57,7 +57,7 @@ load _helpers jq -r '.spec.ports[1].port') [ "${ports}" == "8201" ] - # Vault Init + # OpenBao Init local init=$(kubectl exec -ti "$(name_prefix)-0" -- \ bao operator init -format=json -n 1 -t 1) @@ -72,7 +72,7 @@ load _helpers sleep 5 - # Vault Unseal + # OpenBao Unseal local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name')) for pod in "${pods[@]}" do diff --git a/test/acceptance/server-ha.bats b/test/acceptance/server-ha.bats index ecfcbcecf..8788d7b1a 100644 --- a/test/acceptance/server-ha.bats +++ b/test/acceptance/server-ha.bats @@ -56,14 +56,14 @@ load _helpers jq -r '.spec.ports[1].port') [ "${ports}" == "8201" ] - # Vault Init + # OpenBao Init local token=$(kubectl exec -ti "$(name_prefix)-0" -- \ bao operator init -format=json -n 1 -t 1 | \ jq -r '.unseal_keys_b64[0]') [ "${token}" != "" ] - # Vault Unseal - local pods=($(kubectl get pods --selector='app.kubernetes.io/name=vault' -o json | jq -r '.items[].metadata.name')) + # OpenBao Unseal + local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name')) for pod in "${pods[@]}" do kubectl exec -ti ${pod} -- bao operator unseal ${token} 
@@ -111,7 +111,7 @@ teardown() { # If the test failed, print some debug output if [[ "$BATS_ERROR_STATUS" -ne 0 ]]; then kubectl logs -l app=consul - kubectl logs -l app.kubernetes.io/name=vault + kubectl logs -l app.kubernetes.io/name=openbao fi helm delete openbao helm delete consul diff --git a/test/acceptance/server-telemetry.bats b/test/acceptance/server-telemetry.bats index 22517322f..5b6101eca 100644 --- a/test/acceptance/server-telemetry.bats +++ b/test/acceptance/server-telemetry.bats @@ -27,13 +27,13 @@ load _helpers # Sealed, not initialized wait_for_sealed_vault $(name_prefix)-0 - # Vault Init + # OpenBao Init local token=$(kubectl exec -ti "$(name_prefix)-0" -- \ bao operator init -format=json -n 1 -t 1 | \ jq -r '.unseal_keys_b64[0]') [ "${token}" != "" ] - # Vault Unseal + # OpenBao Unseal local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name')) for pod in "${pods[@]}" do @@ -62,7 +62,7 @@ load _helpers -- wget -q -O - http://127.0.0.1:9090/api/v1/label/job/values) | tee /dev/stderr ) # Ensure the expected job label was picked up by Prometheus - [ "$(echo "${job_labels}" | jq 'any(.data[]; . == "vault-internal")')" = "true" ] && break + [ "$(echo "${job_labels}" | jq 'any(.data[]; . == "openbao-internal")')" = "true" ] && break ((++tries)) sleep .5 @@ -72,7 +72,7 @@ load _helpers # Ensure the expected job is "up" local job_up=$( ( kubectl exec -n acceptance svc/prometheus-kube-prometheus-prometheus \ -c prometheus \ - -- wget -q -O - 'http://127.0.0.1:9090/api/v1/query?query=up{job="vault-internal"}' ) | \ + -- wget -q -O - 'http://127.0.0.1:9090/api/v1/query?query=up{job="openbao-internal"}' ) | \ tee /dev/stderr ) [ "$(echo "${job_up}" | jq '.data.result[0].value[1]')" = \"1\" ] } diff --git a/test/acceptance/server-test/telemetry.yaml b/test/acceptance/server-test/telemetry.yaml index 557008425..485992a52 100644 --- a/test/acceptance/server-test/telemetry.yaml 
+++ b/test/acceptance/server-test/telemetry.yaml @@ -17,7 +17,7 @@ server: } storage "file" { - path = "/vault/data" + path = "/openbao/data" } telemetry { diff --git a/test/acceptance/server.bats b/test/acceptance/server.bats index 58639bfd8..e65d98792 100644 --- a/test/acceptance/server.bats +++ b/test/acceptance/server.bats @@ -78,7 +78,7 @@ load _helpers jq -r '.unseal_keys_b64[0]') [ "${token}" != "" ] - # Vault Unseal + # OpenBao Unseal local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name')) for pod in "${pods[@]}" do diff --git a/test/chart/verifier.bats b/test/chart/verifier.bats index 6d35f690a..2d0c336d8 100644 --- a/test/chart/verifier.bats +++ b/test/chart/verifier.bats @@ -5,7 +5,7 @@ load _helpers setup_file() { cd `chart_dir` export VERIFY_OUTPUT="/$BATS_RUN_TMPDIR/verify.json" - export CHART_VOLUME=vault-helm-chart-src + export CHART_VOLUME=openbao-helm-chart-src local IMAGE="quay.io/redhat-certification/chart-verifier:1.10.1" # chart-verifier requires an openshift version if a cluster isn't available local OPENSHIFT_VERSION="4.12" diff --git a/test/terraform/main.tf b/test/terraform/main.tf index d1de1a2e0..7b825a8f6 100644 --- a/test/terraform/main.tf +++ b/test/terraform/main.tf @@ -19,7 +19,7 @@ data "google_service_account" "gcpapi" { } resource "google_container_cluster" "cluster" { - name = "vault-helm-dev-${random_id.suffix.dec}" + name = "openbao-helm-dev-${random_id.suffix.dec}" project = "${var.project}" enable_legacy_abac = true initial_node_count = 3 diff --git a/test/terraform/variables.tf b/test/terraform/variables.tf index df4832b66..c21962964 100644 --- a/test/terraform/variables.tf +++ b/test/terraform/variables.tf @@ -2,7 +2,7 @@ # SPDX-License-Identifier: MPL-2.0 variable "project" { - default = "vault-helm-dev-246514" + default = "openbao-helm-dev-246514" description = < 0' | tee /dev/stderr) [ "${actual}" = "true" ] 
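Review bot: The cluster resource in main.tf keeps `enable_legacy_abac = true` directly below the renamed `name`, which turns on GKE's legacy attribute-based authorization alongside RBAC and gives service accounts broader API access than the chart's own RBAC objects grant. Acceptance tests that pass on such a cluster do not show that the chart's role bindings are sufficient. Unless something in the test setup depends on it, set `enable_legacy_abac = false`. The resource block continues outside this hunk.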
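Review bot: The default for `variable "project"` was renamed mechanically to `openbao-helm-dev-246514`, but a GCP project ID is a globally unique identifier rather than a label, and nothing here shows that this project exists or belongs to the maintainers. The same renamed ID appears in the commented `seal "gcpckms"` examples in values.yaml. I would drop the default so the variable must be supplied, or use an obvious placeholder such as `default = "<your-gcp-project-id>"`. The rest of this hunk is garbled in the page, so the description text could not be checked.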
diff --git a/test/unit/server-configmap.bats b/test/unit/server-configmap.bats index dcb9076be..55d67e93c 100755 --- a/test/unit/server-configmap.bats +++ b/test/unit/server-configmap.bats @@ -134,7 +134,7 @@ load _helpers cd `chart_dir` local actual=$( (helm template \ --show-only templates/server-config-configmap.yaml \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] diff --git a/test/unit/server-dev-statefulset.bats b/test/unit/server-dev-statefulset.bats index 3c5f9d8fb..025495a0d 100755 --- a/test/unit/server-dev-statefulset.bats +++ b/test/unit/server-dev-statefulset.bats @@ -27,7 +27,7 @@ load _helpers cd `chart_dir` local actual=$( (helm template \ --show-only templates/server-statefulset.yaml \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ --set 'server.dev.enabled=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) @@ -184,7 +184,7 @@ load _helpers local actual=$(echo $object | yq -r '.mountPath' | tee /dev/stderr) - [ "${actual}" = "/vault/userconfig/foo" ] + [ "${actual}" = "/openbao/userconfig/foo" ] } @test "server/dev-StatefulSet: adds extra secret volume" { @@ -222,7 +222,7 @@ load _helpers local actual=$(echo $object | yq -r '.mountPath' | tee /dev/stderr) - [ "${actual}" = "/vault/userconfig/foo" ] + [ "${actual}" = "/openbao/userconfig/foo" ] } @test "server/dev-StatefulSet: no storageClass on claim by default" { diff --git a/test/unit/server-ha-active-service.bats b/test/unit/server-ha-active-service.bats index cf36430d4..95087511e 100755 --- a/test/unit/server-ha-active-service.bats +++ b/test/unit/server-ha-active-service.bats 
@@ -7,9 +7,9 @@ load _helpers local actual=$(helm template \ --show-only templates/server-ha-active-service.yaml \ --set 'server.ha.enabled=true' \ - --set 'server.service.annotations=vaultIsAwesome: true' \ + --set 'server.service.annotations=openBaoIsAwesome: true' \ . | tee /dev/stderr | - yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } @@ -18,9 +18,9 @@ load _helpers local actual=$(helm template \ --show-only templates/server-ha-active-service.yaml \ --set 'server.ha.enabled=true' \ - --set 'server.service.active.annotations=vaultIsAwesome: true' \ + --set 'server.service.active.annotations=openBaoIsAwesome: true' \ . | tee /dev/stderr | - yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } @test "server/ha-active-Service: with both annotations set" { @@ -28,14 +28,14 @@ load _helpers local object=$(helm template \ --show-only templates/server-ha-active-service.yaml \ --set 'server.ha.enabled=true' \ - --set 'server.service.active.annotations=vaultIsAwesome: true' \ - --set 'server.service.annotations=vaultIsNotAwesome: false' \ + --set 'server.service.active.annotations=openBaoIsAwesome: true' \ + --set 'server.service.annotations=openbaoIsNotAwesome: false' \ . | tee /dev/stderr | yq -r '.metadata' | tee /dev/stderr) - local actual=$(echo "$object" | yq '.annotations["vaultIsAwesome"]' | tee /dev/stderr) + local actual=$(echo "$object" | yq '.annotations["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] - actual=$(echo "$object" | yq '.annotations["vaultIsNotAwesome"]' | tee /dev/stderr) + actual=$(echo "$object" | yq '.annotations["openbaoIsNotAwesome"]' | tee /dev/stderr) [ "${actual}" = "false" ] } @test "server/ha-active-Service: disable with ha.enabled false" { 
@@ -192,7 +192,7 @@ load _helpers [ "${actual}" = "null" ] } -@test "server/ha-active-Service: vault port name is http, when tlsDisable is true" { +@test "server/ha-active-Service: openbao port name is http, when tlsDisable is true" { cd `chart_dir` local actual=$(helm template \ --show-only templates/server-ha-active-service.yaml \ @@ -203,7 +203,7 @@ load _helpers [ "${actual}" = "http" ] } -@test "server/ha-active-Service: vault port name is https, when tlsDisable is false" { +@test "server/ha-active-Service: openbao port name is https, when tlsDisable is false" { cd `chart_dir` local actual=$(helm template \ --show-only templates/server-ha-active-service.yaml \ diff --git a/test/unit/server-ha-disruptionbudget.bats b/test/unit/server-ha-disruptionbudget.bats index 4daff30e6..536c44b6d 100755 --- a/test/unit/server-ha-disruptionbudget.bats +++ b/test/unit/server-ha-disruptionbudget.bats @@ -47,7 +47,7 @@ load _helpers cd `chart_dir` local actual=$( (helm template \ --show-only templates/server-disruptionbudget.yaml \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] diff --git a/test/unit/server-ha-standby-service.bats b/test/unit/server-ha-standby-service.bats index bd04853af..9a89dc8eb 100755 --- a/test/unit/server-ha-standby-service.bats +++ b/test/unit/server-ha-standby-service.bats @@ -7,9 +7,9 @@ load _helpers local actual=$(helm template \ --show-only templates/server-ha-standby-service.yaml \ --set 'server.ha.enabled=true' \ - --set 'server.service.annotations=vaultIsAwesome: true' \ + --set 'server.service.annotations=openBaoIsAwesome: true' \ . | tee /dev/stderr | - yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } 
@@ -18,9 +18,9 @@ load _helpers local actual=$(helm template \ --show-only templates/server-ha-standby-service.yaml \ --set 'server.ha.enabled=true' \ - --set 'server.service.annotations.vaultIsAwesome=true' \ + --set 'server.service.annotations.openBaoIsAwesome=true' \ . | tee /dev/stderr | - yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } @@ -29,9 +29,9 @@ load _helpers local actual=$(helm template \ --show-only templates/server-ha-standby-service.yaml \ --set 'server.ha.enabled=true' \ - --set 'server.service.standby.annotations=vaultIsAwesome: true' \ + --set 'server.service.standby.annotations=openBaoIsAwesome: true' \ . | tee /dev/stderr | - yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } @@ -40,9 +40,9 @@ load _helpers local actual=$(helm template \ --show-only templates/server-ha-standby-service.yaml \ --set 'server.ha.enabled=true' \ - --set 'server.service.standby.annotations.vaultIsAwesome=true' \ + --set 'server.service.standby.annotations.openBaoIsAwesome=true' \ . | tee /dev/stderr | - yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } @test "server/ha-standby-Service: with both annotations set" { 
@@ -50,14 +50,14 @@ load _helpers local object=$(helm template \ --show-only templates/server-ha-standby-service.yaml \ --set 'server.ha.enabled=true' \ - --set 'server.service.standby.annotations=vaultIsAwesome: true' \ - --set 'server.service.annotations=vaultIsNotAwesome: false' \ + --set 'server.service.standby.annotations=openBaoIsAwesome: true' \ + --set 'server.service.annotations=openbaoIsNotAwesome: false' \ . | tee /dev/stderr | yq -r '.metadata' | tee /dev/stderr) - local actual=$(echo "$object" | yq '.annotations["vaultIsAwesome"]' | tee /dev/stderr) + local actual=$(echo "$object" | yq '.annotations["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] - actual=$(echo "$object" | yq '.annotations["vaultIsNotAwesome"]' | tee /dev/stderr) + actual=$(echo "$object" | yq '.annotations["openbaoIsNotAwesome"]' | tee /dev/stderr) [ "${actual}" = "false" ] } @test "server/ha-standby-Service: disable with ha.enabled false" { @@ -214,7 +214,7 @@ load _helpers [ "${actual}" = "null" ] } -@test "server/ha-standby-Service: vault port name is http, when tlsDisable is true" { +@test "server/ha-standby-Service: openbao port name is http, when tlsDisable is true" { cd `chart_dir` local actual=$(helm template \ --show-only templates/server-ha-standby-service.yaml \ @@ -225,7 +225,7 @@ load _helpers [ "${actual}" = "http" ] } -@test "server/ha-standby-Service: vault port name is https, when tlsDisable is false" { +@test "server/ha-standby-Service: openbao port name is https, when tlsDisable is false" { cd `chart_dir` local actual=$(helm template \ --show-only templates/server-ha-standby-service.yaml \ diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats index 9bb5118db..84bb21cad 100755 --- a/test/unit/server-ha-statefulset.bats +++ b/test/unit/server-ha-statefulset.bats 
@@ -27,7 +27,7 @@ load _helpers cd `chart_dir` local actual=$( (helm template \ --show-only templates/server-statefulset.yaml \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ --set 'server.ha.enabled=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) @@ -266,7 +266,7 @@ load _helpers local actual=$(echo $object | yq -r '.mountPath' | tee /dev/stderr) - [ "${actual}" = "/vault/userconfig/foo" ] + [ "${actual}" = "/openbao/userconfig/foo" ] } @test "server/ha-StatefulSet: adds extra volume custom mount path" { @@ -347,7 +347,7 @@ load _helpers local actual=$(echo $object | yq -r '.mountPath' | tee /dev/stderr) - [ "${actual}" = "/vault/userconfig/foo" ] + [ "${actual}" = "/openbao/userconfig/foo" ] } #-------------------------------------------------------------------- @@ -450,7 +450,7 @@ load _helpers local value=$(echo $object | yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr) - [ "${value}" = 'https://$(HOSTNAME).release-name-vault-internal:8201' ] + [ "${value}" = 'https://$(HOSTNAME).release-name-openbao-internal:8201' ] } @test "server/ha-StatefulSet: clusterAddr set to null" { @@ -465,7 +465,7 @@ load _helpers local value=$(echo $object | yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr) - [ "${value}" = 'https://$(HOSTNAME).release-name-vault-internal:8201' ] + [ "${value}" = 'https://$(HOSTNAME).release-name-openbao-internal:8201' ] } @test "server/ha-StatefulSet: clusterAddr set to custom url" { 
@@ -489,18 +489,18 @@ load _helpers --show-only templates/server-statefulset.yaml \ --set 'server.ha.enabled=true' \ --set 'server.ha.raft.enabled=true' \ - --set 'server.ha.clusterAddr=http://$(HOSTNAME).release-name-vault-internal:8201' \ + --set 'server.ha.clusterAddr=http://$(HOSTNAME).release-name-openbao-internal:8201' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local value=$(echo $object | yq -r 'map(select(.name=="VAULT_CLUSTER_ADDR")) | .[] .value' | tee /dev/stderr) - [ "${value}" = 'http://$(HOSTNAME).release-name-vault-internal:8201' ] + [ "${value}" = 'http://$(HOSTNAME).release-name-openbao-internal:8201' ] } @test "server/ha-StatefulSet: clusterAddr gets quoted" { cd `chart_dir` - local customUrl='http://$(HOSTNAME).release-name-vault-internal:8201' + local customUrl='http://$(HOSTNAME).release-name-openbao-internal:8201' local rendered=$(helm template \ --show-only templates/server-statefulset.yaml \ --set 'server.ha.enabled=true' \ @@ -511,7 +511,7 @@ load _helpers local value=$(echo $rendered | yq -Y '.' | tee /dev/stderr) - [ "${value}" = 'value: "http://$(HOSTNAME).release-name-vault-internal:8201"' ] + [ "${value}" = 'value: "http://$(HOSTNAME).release-name-openbao-internal:8201"' ] } #-------------------------------------------------------------------- diff --git a/test/unit/server-ingress.bats b/test/unit/server-ingress.bats index 90ed0a26c..dde368895 100755 --- a/test/unit/server-ingress.bats +++ b/test/unit/server-ingress.bats @@ -35,7 +35,7 @@ load _helpers local actual=$( (helm template \ --show-only templates/server-ingress.yaml \ --set 'server.ingress.enabled=true' \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] 
@@ -62,7 +62,7 @@ load _helpers [ "${actual}" = '/' ] } -@test "server/ingress: vault backend should be added when I specify a path" { +@test "server/ingress: openbao backend should be added when I specify a path" { cd `chart_dir` local actual=$(helm template \ @@ -184,7 +184,7 @@ load _helpers --set 'server.service.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) - [ "${actual}" = "release-name-vault-active" ] + [ "${actual}" = "release-name-openbao-active" ] } @test "server/ingress: uses regular service when configured with ha - yaml" { @@ -199,7 +199,7 @@ load _helpers --set 'server.service.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) - [ "${actual}" = "release-name-vault" ] + [ "${actual}" = "release-name-openbao" ] } @test "server/ingress: uses regular service when not ha - yaml" { @@ -213,7 +213,7 @@ load _helpers --set 'server.service.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) - [ "${actual}" = "release-name-vault" ] + [ "${actual}" = "release-name-openbao" ] } @test "server/ingress: k8s 1.26.3 uses correct service format when not ha - yaml" { @@ -228,7 +228,7 @@ load _helpers --kube-version 1.26.3 \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) - [ "${actual}" = "release-name-vault" ] + [ "${actual}" = "release-name-openbao" ] } @test "server/ingress: uses regular service when not ha and activeService is true - yaml" { @@ -243,7 +243,7 @@ load _helpers --set 'server.service.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.rules[0].http.paths[0].backend.service.name' | tee /dev/stderr) - [ "${actual}" = "release-name-vault" ] + [ "${actual}" = "release-name-openbao" ] } @test "server/ingress: pathType is added to Kubernetes version == 1.26.3" { 
diff --git a/test/unit/server-psp.bats b/test/unit/server-psp.bats index 400e76d16..898e1b17e 100644 --- a/test/unit/server-psp.bats +++ b/test/unit/server-psp.bats @@ -86,27 +86,27 @@ load _helpers --show-only templates/server-psp.yaml \ --set 'server.dev.enabled=true' \ --set 'global.psp.enable=true' \ - --set 'global.psp.annotations=vault-is: amazing' \ + --set 'global.psp.annotations=openbao-is: amazing' \ . | tee /dev/stderr | - yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr) + yq -r '.metadata.annotations["openbao-is"]' | tee /dev/stderr) [ "${actual}" = "amazing" ] local actual=$(helm template \ --show-only templates/server-psp.yaml \ --set 'server.ha.enabled=true' \ --set 'global.psp.enable=true' \ - --set 'global.psp.annotations=vault-is: amazing' \ + --set 'global.psp.annotations=openbao-is: amazing' \ . | tee /dev/stderr | - yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr) + yq -r '.metadata.annotations["openbao-is"]' | tee /dev/stderr) [ "${actual}" = "amazing" ] local actual=$(helm template \ --show-only templates/server-psp.yaml \ --set 'server.standalone.enabled=true' \ --set 'global.psp.enable=true' \ - --set 'global.psp.annotations=vault-is: amazing' \ + --set 'global.psp.annotations=openbao-is: amazing' \ . | tee /dev/stderr | - yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr) + yq -r '.metadata.annotations["openbao-is"]' | tee /dev/stderr) [ "${actual}" = "amazing" ] } 
@@ -116,27 +116,27 @@ load _helpers --show-only templates/server-psp.yaml \ --set 'server.dev.enabled=true' \ --set 'global.psp.enable=true' \ - --set 'global.psp.annotations.vault-is=amazing' \ + --set 'global.psp.annotations.openbao-is=amazing' \ . | tee /dev/stderr | - yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr) + yq -r '.metadata.annotations["openbao-is"]' | tee /dev/stderr) [ "${actual}" = "amazing" ] local actual=$(helm template \ --show-only templates/server-psp.yaml \ --set 'server.ha.enabled=true' \ --set 'global.psp.enable=true' \ - --set 'global.psp.annotations.vault-is=amazing' \ + --set 'global.psp.annotations.openbao-is=amazing' \ . | tee /dev/stderr | - yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr) + yq -r '.metadata.annotations["openbao-is"]' | tee /dev/stderr) [ "${actual}" = "amazing" ] local actual=$(helm template \ --show-only templates/server-psp.yaml \ --set 'server.standalone.enabled=true' \ --set 'global.psp.enable=true' \ - --set 'global.psp.annotations.vault-is=amazing' \ + --set 'global.psp.annotations.openbao-is=amazing' \ . | tee /dev/stderr | - yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr) + yq -r '.metadata.annotations["openbao-is"]' | tee /dev/stderr) [ "${actual}" = "amazing" ] } diff --git a/test/unit/server-route.bats b/test/unit/server-route.bats index a1716fbed..f4caca061 100755 --- a/test/unit/server-route.bats +++ b/test/unit/server-route.bats @@ -18,7 +18,7 @@ load _helpers --show-only templates/server-route.yaml \ --set 'global.openshift=true' \ --set 'server.route.enabled=true' \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] 
@@ -57,7 +57,7 @@ load _helpers [ "${actual}" = 'test.com' ] } -@test "server/route: OpenShift - vault backend should be added when I specify a path" { +@test "server/route: OpenShift - openbao backend should be added when I specify a path" { cd `chart_dir` local actual=$(helm template \ @@ -120,7 +120,7 @@ load _helpers --set 'server.route.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.to.name' | tee /dev/stderr) - [ "${actual}" = "release-name-vault" ] + [ "${actual}" = "release-name-openbao" ] } @test "server/route: OpenShift - route points to main service when not ha and activeService is true" { @@ -133,7 +133,7 @@ load _helpers --set 'server.route.activeService=true' \ . | tee /dev/stderr | yq -r '.spec.to.name' | tee /dev/stderr) - [ "${actual}" = "release-name-vault" ] + [ "${actual}" = "release-name-openbao" ] } @test "server/route: OpenShift - route points to active service by when HA by default" { @@ -146,7 +146,7 @@ load _helpers --set 'server.ha.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.to.name' | tee /dev/stderr) - [ "${actual}" = "release-name-vault-active" ] + [ "${actual}" = "release-name-openbao-active" ] } @test "server/route: OpenShift - route points to general service by when HA when configured" { @@ -160,7 +160,7 @@ load _helpers --set 'server.ha.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.to.name' | tee /dev/stderr) - [ "${actual}" = "release-name-vault" ] + [ "${actual}" = "release-name-openbao" ] } @test "server/route: OpenShift - route termination mode set to default passthrough" { diff --git a/test/unit/server-service.bats b/test/unit/server-service.bats index 040e9fadf..9ef87e99f 100755 --- a/test/unit/server-service.bats +++ b/test/unit/server-service.bats 
@@ -137,7 +137,7 @@ load _helpers local actual=$( (helm template \ --show-only templates/server-service.yaml \ --set 'server.dev.enabled=true' \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ --set 'server.service.enabled=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) @@ -146,7 +146,7 @@ load _helpers local actual=$( (helm template \ --show-only templates/server-service.yaml \ --set 'server.ha.enabled=true' \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ --set 'server.service.enabled=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) @@ -155,7 +155,7 @@ load _helpers local actual=$( (helm template \ --show-only templates/server-service.yaml \ --set 'server.standalone.enabled=true' \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ --set 'server.service.enabled=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) @@ -166,9 +166,9 @@ load _helpers cd `chart_dir` local actual=$(helm template \ --show-only templates/server-service.yaml \ - --set 'server.service.annotations=vaultIsAwesome: true' \ + --set 'server.service.annotations=openBaoIsAwesome: true' \ . | tee /dev/stderr | - yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } @@ -389,7 +389,7 @@ load _helpers [ "${actual}" = "null" ] } -@test "server/Service: vault port name is http, when tlsDisable is true" { +@test "server/Service: openbao port name is http, when tlsDisable is true" { cd `chart_dir` local actual=$(helm template \ 
@@ -400,7 +400,7 @@ load _helpers [ "${actual}" = "http" ] } -@test "server/Service: vault port name is https, when tlsDisable is false" { +@test "server/Service: openbao port name is https, when tlsDisable is false" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/server-serviceaccount-secret.bats b/test/unit/server-serviceaccount-secret.bats index 2cfe33395..fab9d39b3 100644 --- a/test/unit/server-serviceaccount-secret.bats +++ b/test/unit/server-serviceaccount-secret.bats @@ -28,7 +28,7 @@ load _helpers --set 'server.serviceAccount.createSecret=true' \ . | tee /dev/stderr | yq -r '.metadata.name' | tee /dev/stderr) - [ "${actual}" = "release-name-vault-token" ] + [ "${actual}" = "release-name-openbao-token" ] } @@ -50,7 +50,7 @@ load _helpers --set 'server.serviceAccount.createSecret=true' \ . | tee /dev/stderr | yq -r '.metadata.annotations["kubernetes.io/service-account.name"]' | tee /dev/stderr) - [ "${actual}" = "release-name-vault" ] + [ "${actual}" = "release-name-openbao" ] } diff --git a/test/unit/server-serviceaccount.bats b/test/unit/server-serviceaccount.bats index 9a688a9ea..da0dd11b7 100755 --- a/test/unit/server-serviceaccount.bats +++ b/test/unit/server-serviceaccount.bats @@ -26,7 +26,7 @@ load _helpers --set 'server.dev.enabled=true' \ . | tee /dev/stderr | yq -r '.metadata.name' | tee /dev/stderr) - [ "${actual}" = "release-name-vault" ] + [ "${actual}" = "release-name-openbao" ] } @@ -115,7 +115,7 @@ load _helpers local actual=$( (helm template \ --show-only templates/server-service.yaml \ --set 'server.dev.enabled=true' \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] 
@@ -123,7 +123,7 @@ load _helpers local actual=$( (helm template \ --show-only templates/server-service.yaml \ --set 'server.ha.enabled=true' \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] @@ -131,7 +131,7 @@ load _helpers local actual=$( (helm template \ --show-only templates/server-service.yaml \ --set 'server.standalone.enabled=true' \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 8b92c055f..890f963f4 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats @@ -71,7 +71,7 @@ load _helpers cd `chart_dir` local actual=$( (helm template \ --show-only templates/server-statefulset.yaml \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ --set 'server.standalone.enabled=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) @@ -421,7 +421,7 @@ load _helpers local actual=$(echo $object | yq -r '.mountPath' | tee /dev/stderr) - [ "${actual}" = "/vault/userconfig/foo" ] + [ "${actual}" = "/openbao/userconfig/foo" ] local object=$(helm template \ --show-only templates/server-statefulset.yaml \ @@ -437,7 +437,7 @@ load _helpers local actual=$(echo $object | yq -r '.mountPath' | tee /dev/stderr) - [ "${actual}" = "/vault/userconfig/foo" ] + [ "${actual}" = "/openbao/userconfig/foo" ] } @test "server/standalone-StatefulSet: server.extraVolumes adds extra secret volume" { 
@@ -489,7 +489,7 @@ load _helpers local actual=$(echo $object | yq -r '.mountPath' | tee /dev/stderr) - [ "${actual}" = "/vault/userconfig/foo" ] + [ "${actual}" = "/openbao/userconfig/foo" ] local object=$(helm template \ --show-only templates/server-statefulset.yaml \ @@ -505,7 +505,7 @@ load _helpers local actual=$(echo $object | yq -r '.mountPath' | tee /dev/stderr) - [ "${actual}" = "/vault/userconfig/foo" ] + [ "${actual}" = "/openbao/userconfig/foo" ] } @test "server/standalone-StatefulSet: can mount audit" { @@ -1571,7 +1571,7 @@ load _helpers [[ "${actual}" = "sleep 10 &&"* ]] } -@test "server/standalone-StatefulSet: vault port name is http, when tlsDisable is true" { +@test "server/standalone-StatefulSet: openbao port name is http, when tlsDisable is true" { cd `chart_dir` local actual=$(helm template \ @@ -1582,7 +1582,7 @@ load _helpers [ "${actual}" = "http" ] } -@test "server/standalone-StatefulSet: vault replication port name is http-rep, when tlsDisable is true" { +@test "server/standalone-StatefulSet: openbao replication port name is http-rep, when tlsDisable is true" { cd `chart_dir` local actual=$(helm template \ @@ -1593,7 +1593,7 @@ load _helpers [ "${actual}" = "http-rep" ] } -@test "server/standalone-StatefulSet: vault port name is https, when tlsDisable is false" { +@test "server/standalone-StatefulSet: openbao port name is https, when tlsDisable is false" { cd `chart_dir` local actual=$(helm template \ @@ -1604,7 +1604,7 @@ load _helpers [ "${actual}" = "https" ] } -@test "server/standalone-StatefulSet: vault replication port name is https-rep, when tlsDisable is false" { +@test "server/standalone-StatefulSet: openbao replication port name is https-rep, when tlsDisable is false" { cd `chart_dir` local actual=$(helm template \ 
@@ -1621,9 +1621,9 @@ load _helpers cd `chart_dir` local actual=$(helm template \ --show-only templates/server-statefulset.yaml \ - --set 'server.annotations=vaultIsAwesome: true' \ + --set 'server.annotations=openBaoIsAwesome: true' \ . | tee /dev/stderr | - yq -r '.spec.template.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.spec.template.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } @@ -1632,9 +1632,9 @@ load _helpers local actual=$(helm template \ --show-only templates/server-statefulset.yaml \ --set 'server.auditStorage.enabled=true' \ - --set 'server.auditStorage.annotations=vaultIsAwesome: true' \ + --set 'server.auditStorage.annotations=openBaoIsAwesome: true' \ . | tee /dev/stderr | - yq -r '.spec.volumeClaimTemplates[1].metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.spec.volumeClaimTemplates[1].metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } @@ -1643,9 +1643,9 @@ load _helpers local actual=$(helm template \ --show-only templates/server-statefulset.yaml \ --set 'server.dataStorage.enabled=true' \ - --set 'server.dataStorage.annotations=vaultIsAwesome: true' \ + --set 'server.dataStorage.annotations=openBaoIsAwesome: true' \ . | tee /dev/stderr | - yq -r '.spec.volumeClaimTemplates[0].metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.spec.volumeClaimTemplates[0].metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } 
@@ -1654,9 +1654,9 @@ load _helpers local actual=$(helm template \ --show-only templates/server-statefulset.yaml \ --set 'server.auditStorage.enabled=true' \ - --set 'server.auditStorage.annotations.vaultIsAwesome=true' \ + --set 'server.auditStorage.annotations.openBaoIsAwesome=true' \ . | tee /dev/stderr | - yq -r '.spec.volumeClaimTemplates[1].metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.spec.volumeClaimTemplates[1].metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } @@ -1665,9 +1665,9 @@ load _helpers local actual=$(helm template \ --show-only templates/server-statefulset.yaml \ --set 'server.dataStorage.enabled=true' \ - --set 'server.dataStorage.annotations.vaultIsAwesome=true' \ + --set 'server.dataStorage.annotations.openBaoIsAwesome=true' \ . | tee /dev/stderr | - yq -r '.spec.volumeClaimTemplates[0].metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.spec.volumeClaimTemplates[0].metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } @@ -1675,9 +1675,9 @@ load _helpers cd `chart_dir` local actual=$(helm template \ --show-only templates/server-statefulset.yaml \ - --set 'server.annotations.vaultIsAwesome=true' \ + --set 'server.annotations.openBaoIsAwesome=true' \ . | tee /dev/stderr | - yq -r '.spec.template.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.spec.template.metadata.annotations["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } 
@@ -1812,67 +1812,11 @@ load _helpers --set 'server.serviceAccount.create=true' \ . | tee /dev/stderr | yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr) - [ "${actual}" = "release-name-vault" ] + [ "${actual}" = "release-name-openbao" ] } -#-------------------------------------------------------------------- -# enterprise license autoload support -@test "server/StatefulSet: adds volume for license secret when enterprise license secret name and key are provided" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/server-statefulset.yaml \ - --set 'server.enterpriseLicense.secretName=foo' \ - --set 'server.enterpriseLicense.secretKey=bar' \ - . | tee /dev/stderr | - yq -r -c '.spec.template.spec.volumes[] | select(.name == "vault-license")' | tee /dev/stderr) - [ "${actual}" = '{"name":"vault-license","secret":{"secretName":"foo","defaultMode":288}}' ] -} - -@test "server/StatefulSet: adds volume mount for license secret when enterprise license secret name and key are provided" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/server-statefulset.yaml \ - --set 'server.enterpriseLicense.secretName=foo' \ - --set 'server.enterpriseLicense.secretKey=bar' \ - . | tee /dev/stderr | - yq -r -c '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "vault-license")' | tee /dev/stderr) - [ "${actual}" = '{"name":"vault-license","mountPath":"/vault/license","readOnly":true}' ] -} - -@test "server/StatefulSet: adds env var for license path when enterprise license secret name and key are provided" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/server-statefulset.yaml \ - --set 'server.enterpriseLicense.secretName=foo' \ - --set 'server.enterpriseLicense.secretKey=bar' \ - . 
| tee /dev/stderr | - yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "VAULT_LICENSE_PATH")' | tee /dev/stderr) - [ "${actual}" = '{"name":"VAULT_LICENSE_PATH","value":"/vault/license/bar"}' ] -} - -@test "server/StatefulSet: blank secretName does not set env var" { - cd `chart_dir` - - # setting secretName=null - local actual=$(helm template \ - -s templates/server-statefulset.yaml \ - --set 'server.enterpriseLicense.secretName=null' \ - --set 'server.enterpriseLicense.secretKey=bar' \ - . | tee /dev/stderr | - yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "VAULT_LICENSE_PATH")' | tee /dev/stderr) - [ "${actual}" = '' ] - - # omitting secretName - local actual=$(helm template \ - -s templates/server-statefulset.yaml \ - --set 'server.enterpriseLicense.secretKey=bar' \ - . | tee /dev/stderr | - yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "VAULT_LICENSE_PATH")' | tee /dev/stderr) - [ "${actual}" = '' ] -} - #-------------------------------------------------------------------- # securityContext @@ -2036,9 +1980,9 @@ load _helpers local actual=$(helm template \ --show-only templates/server-statefulset.yaml \ --set 'server.auditStorage.enabled=true' \ - --set 'server.auditStorage.labels=vaultIsAwesome: true' \ + --set 'server.auditStorage.labels=openBaoIsAwesome: true' \ . | tee /dev/stderr | - yq -r '.spec.volumeClaimTemplates[1].metadata.labels["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.spec.volumeClaimTemplates[1].metadata.labels["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } 
@@ -2047,9 +1991,9 @@ load _helpers local actual=$(helm template \ --show-only templates/server-statefulset.yaml \ --set 'server.dataStorage.enabled=true' \ - --set 'server.dataStorage.labels=vaultIsAwesome: true' \ + --set 'server.dataStorage.labels=openBaoIsAwesome: true' \ . | tee /dev/stderr | - yq -r '.spec.volumeClaimTemplates[0].metadata.labels["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.spec.volumeClaimTemplates[0].metadata.labels["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } @@ -2058,9 +2002,9 @@ load _helpers local actual=$(helm template \ --show-only templates/server-statefulset.yaml \ --set 'server.auditStorage.enabled=true' \ - --set 'server.auditStorage.labels.vaultIsAwesome=true' \ + --set 'server.auditStorage.labels.openBaoIsAwesome=true' \ . | tee /dev/stderr | - yq -r '.spec.volumeClaimTemplates[1].metadata.labels["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.spec.volumeClaimTemplates[1].metadata.labels["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } @@ -2069,8 +2013,8 @@ load _helpers local actual=$(helm template \ --show-only templates/server-statefulset.yaml \ --set 'server.dataStorage.enabled=true' \ - --set 'server.dataStorage.labels.vaultIsAwesome=true' \ + --set 'server.dataStorage.labels.openBaoIsAwesome=true' \ . | tee /dev/stderr | - yq -r '.spec.volumeClaimTemplates[0].metadata.labels["vaultIsAwesome"]' | tee /dev/stderr) + yq -r '.spec.volumeClaimTemplates[0].metadata.labels["openBaoIsAwesome"]' | tee /dev/stderr) [ "${actual}" = "true" ] } diff --git a/test/unit/server-test.bats b/test/unit/server-test.bats index 314703a5d..6619771f0 100644 --- a/test/unit/server-test.bats +++ b/test/unit/server-test.bats 
@@ -43,12 +43,12 @@ load _helpers --show-only templates/tests/server-test.yaml \ . | tee /dev/stderr | yq -r '.metadata.name' | tee /dev/stderr) - [ "${actual}" = "release-name-vault-server-test" ] + [ "${actual}" = "release-name-openbao-server-test" ] } @test "server/standalone-server-test-Pod: release metadata.name vault" { cd `chart_dir` - local actual=$(helm template vault \ + local actual=$(helm template openbao \ --show-only templates/tests/server-test.yaml \ . | tee /dev/stderr | yq -r '.metadata.name' | tee /dev/stderr) @@ -119,7 +119,7 @@ load _helpers cd `chart_dir` local actual=$( (helm template \ --show-only templates/tests/server-test.yaml \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ --set 'server.standalone.enabled=true' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) diff --git a/test/unit/ui-service.bats b/test/unit/ui-service.bats index dce0e5e7c..bc3547f05 100755 --- a/test/unit/ui-service.bats +++ b/test/unit/ui-service.bats @@ -70,7 +70,7 @@ load _helpers local actual=$( (helm template \ --show-only templates/ui-service.yaml \ --set 'server.dev.enabled=true' \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] @@ -78,7 +78,7 @@ load _helpers local actual=$( (helm template \ --show-only templates/ui-service.yaml \ --set 'server.ha.enabled=true' \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] 
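Review bot: The second test in the `@@ -43,12` hunk now renders with `helm template openbao`, but its title still reads `release metadata.name vault`, and its assertion lies past the end of the hunk, so this commit does not touch it. Confirm that the untouched assertion matches what the chart renders for a release named `openbao`; if it still expects a name derived from the `vault` release, the test no longer checks what it claims to. The title should follow the code: `@test "server/standalone-server-test-Pod: release metadata.name openbao" {`.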
@@ -86,7 +86,7 @@ load _helpers local actual=$( (helm template \ --show-only templates/ui-service.yaml \ --set 'server.standalone.enabled=true' \ - --set 'injector.externalVaultAddr=http://vault-outside' \ + --set 'injector.externalVaultAddr=http://openbao-outside' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] @@ -311,7 +311,7 @@ load _helpers --show-only templates/ui-service.yaml \ --set 'ui.enabled=true' \ . | tee /dev/stderr | - yq -r '.spec.selector["vault-active"]' | tee /dev/stderr) + yq -r '.spec.selector["openbao-active"]' | tee /dev/stderr) [ "${actual}" = "null" ] } @@ -320,19 +320,19 @@ load _helpers local actual=$(helm template \ --show-only templates/ui-service.yaml \ --set 'ui.enabled=true' \ - --set 'ui.activeVaultPodOnly=true' \ + --set 'ui.activeOpenbaoPodOnly=true' \ --set 'server.dev.enabled=true' \ . | tee /dev/stderr | - yq -r '.spec.selector["vault-active"]' | tee /dev/stderr) + yq -r '.spec.selector["openbao-active"]' | tee /dev/stderr) [ "${actual}" = 'null' ] local actual=$(helm template \ --show-only templates/ui-service.yaml \ --set 'ui.enabled=true' \ - --set 'ui.activeVaultPodOnly=true' \ + --set 'ui.activeOpenbaoPodOnly=true' \ --set 'server.ha.enabled=true' \ . | tee /dev/stderr | - yq -r '.spec.selector["vault-active"]' | tee /dev/stderr) + yq -r '.spec.selector["openbao-active"]' | tee /dev/stderr) [ "${actual}" = 'true' ] }
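Review bot: The assertion in the `@@ -311,7` hunk expects `null` for `.spec.selector["openbao-active"]`, and a `null` check on the new label passes whether or not the template was actually renamed. The first case of the `@@ -320,19` hunk has the same weakness; only its final `'true'` case exercises the new label name. Adding a check in the HA case that the old label is gone, `yq -r '.spec.selector["vault-active"]'` compared with `null`, would make the rename verifiable. It is also worth confirming that the server applies the `openbao-active` label to its pods, since a selector on a label nothing sets would leave the Service without endpoints. The enclosing test starts outside the hunk.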
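Review bot: The `@@ -320,19` hunk switches the values key from `ui.activeVaultPodOnly` to `ui.activeOpenbaoPodOnly`, which changes the chart's public values interface rather than just test data. Unless the chart ships a values schema that rejects unknown keys, Helm ignores the old key, so an existing values file would presumably fall back without warning to a UI Service that selects every server pod. The rename is also at odds with `injector.externalVaultAddr`, which keeps its Vault name in the first three hunks of this file. Either keep the old key as an alias or call the rename out in the upgrade notes, and add a case that sets `ui.activeVaultPodOnly=true` to pin whichever behaviour is chosen.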