Add new vault-k8s environment variables (hashicorp#219)

* Add new vault-k8s envs * update vault image * Add default tests for envs * Add note about supported log parameters * Fix typo in test name
huanwei · Mar 6, 2020 · 9d1693a · 9d1693a
1 parent 9d92922
commit 9d1693a
Show file tree

Hide file tree

Showing 3 changed files with 115 additions and 3 deletions.
diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml
@@ -60,6 +60,10 @@ spec:
             - name: AGENT_INJECT_TLS_AUTO_HOSTS
               value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }}.svc
             {{- end }}
+            - name: AGENT_INJECT_LOG_FORMAT
+              value: {{ .Values.injector.logFormat | default "standard" }}
+            - name: AGENT_INJECT_REVOKE_ON_SHUTDOWN
+              value: {{ .Values.injector.revokeOnShutdown | default false }}
           args:
             - agent-inject
             - 2>&1

diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats
@@ -222,3 +222,102 @@ load _helpers
       yq -r '.[3].value' | tee /dev/stderr)
   [ "${actual}" = "auth/k8s" ]
 }
+
+@test "injector/deployment: default logLevel" {
+  cd `chart_dir`
+  local object=$(helm template \
+      --show-only templates/injector-deployment.yaml  \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+  local actual=$(echo $object |
+     yq -r '.[1].name' | tee /dev/stderr)
+  [ "${actual}" = "AGENT_INJECT_LOG_LEVEL" ]
+
+  local actual=$(echo $object |
+      yq -r '.[1].value' | tee /dev/stderr)
+  [ "${actual}" = "info" ]
+}
+
+@test "injector/deployment: custom logLevel" {
+  cd `chart_dir`
+  local object=$(helm template \
+      --show-only templates/injector-deployment.yaml  \
+      --set 'injector.logLevel=foo' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+  local actual=$(echo $object |
+     yq -r '.[1].name' | tee /dev/stderr)
+  [ "${actual}" = "AGENT_INJECT_LOG_LEVEL" ]
+
+  local actual=$(echo $object |
+      yq -r '.[1].value' | tee /dev/stderr)
+  [ "${actual}" = "foo" ]
+}
+
+@test "injector/deployment: default logFormat" {
+  cd `chart_dir`
+  local object=$(helm template \
+      --show-only templates/injector-deployment.yaml  \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+  local actual=$(echo $object |
+     yq -r '.[7].name' | tee /dev/stderr)
+  [ "${actual}" = "AGENT_INJECT_LOG_FORMAT" ]
+
+  local actual=$(echo $object |
+      yq -r '.[7].value' | tee /dev/stderr)
+  [ "${actual}" = "standard" ]
+}
+
+@test "injector/deployment: custom logFormat" {
+  cd `chart_dir`
+  local object=$(helm template \
+      --show-only templates/injector-deployment.yaml  \
+      --set 'injector.logFormat=json' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+  local actual=$(echo $object |
+     yq -r '.[7].name' | tee /dev/stderr)
+  [ "${actual}" = "AGENT_INJECT_LOG_FORMAT" ]
+
+  local actual=$(echo $object |
+      yq -r '.[7].value' | tee /dev/stderr)
+  [ "${actual}" = "json" ]
+}
+
+@test "injector/deployment: default revoke on shutdown" {
+  cd `chart_dir`
+  local object=$(helm template \
+      --show-only templates/injector-deployment.yaml  \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+  local actual=$(echo $object |
+     yq -r '.[8].name' | tee /dev/stderr)
+  [ "${actual}" = "AGENT_INJECT_REVOKE_ON_SHUTDOWN" ]
+
+  local actual=$(echo $object |
+      yq -r '.[8].value' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "injector/deployment: custom revoke on shutdown" {
+  cd `chart_dir`
+  local object=$(helm template \
+      --show-only templates/injector-deployment.yaml  \
+      --set 'injector.revokeOnShutdown=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+  local actual=$(echo $object |
+     yq -r '.[8].name' | tee /dev/stderr)
+  [ "${actual}" = "AGENT_INJECT_REVOKE_ON_SHUTDOWN" ]
+
+  local actual=$(echo $object |
+      yq -r '.[8].value' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
diff --git a/values.yaml b/values.yaml
@@ -22,19 +22,28 @@ injector:
   # image sets the repo and tag of the vault-k8s image to use for the injector.
   image:
     repository: "hashicorp/vault-k8s"
-    tag: "0.2.0"
+    tag: "0.3.0"
     pullPolicy: IfNotPresent
 
   # agentImage sets the repo and tag of the Vault image to use for the Vault Agent
   # containers.  This should be set to the official Vault image.  Vault 1.3.1+ is
   # required.
   agentImage:
     repository: "vault"
-    tag: "1.3.2"
+    tag: "1.3.3"
 
   # Mount Path of the Vault Kubernetes Auth Method.
   authPath: "auth/kubernetes"
 
+  # Configures the log verbosity of the injector. Supported log levels: Trace, Debug, Error, Warn, Info
+  logLevel: "info"
+
+  # Configures the log format of the injector. Supported log formats: "standard", "json".
+  logFormat: "standard"
+
+  # Configures all Vault Agent sidecars to revoke their token when shutting down
+  revokeOnShutdown: false
+
   # namespaceSelector is the selector for restricting the webhook to only
   # specific namespaces. This should be set to a multiline string.
   # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
@@ -79,7 +88,7 @@ server:
 
   image:
     repository: "vault"
-    tag: "1.3.2"
+    tag: "1.3.3"
     # Overrides the default Image Pull Policy
     pullPolicy: IfNotPresent