diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 505275b91..81d396c8e 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -397,6 +397,34 @@ Sets extra vault server Service annotations
 {{- end }}
 {{- end -}}
 
+{{/*
+Sets extra vault server Service (active) annotations
+*/}}
+{{- define "vault.service.active.annotations" -}}
+ {{- if .Values.server.service.active.annotations }}
+ {{- $tp := typeOf .Values.server.service.active.annotations }}
+ {{- if eq $tp "string" }}
+ {{- tpl .Values.server.service.active.annotations . | nindent 4 }}
+ {{- else }}
+ {{- toYaml .Values.server.service.active.annotations | nindent 4 }}
+ {{- end }}
+ {{- end }}
+{{- end -}}
+
+{{/*
+Sets extra vault server Service annotations
+*/}}
+{{- define "vault.service.standby.annotations" -}}
+ {{- if .Values.server.service.standby.annotations }}
+ {{- $tp := typeOf .Values.server.service.standby.annotations }}
+ {{- if eq $tp "string" }}
+ {{- tpl .Values.server.service.standby.annotations . | nindent 4 }}
+ {{- else }}
+ {{- toYaml .Values.server.service.standby.annotations | nindent 4 }}
+ {{- end }}
+ {{- end }}
+{{- end -}}
+
 {{/*
 Sets PodSecurityPolicy annotations
 */}}
diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml
index 74fca41d7..cda48eff9 100644
--- a/templates/server-ha-active-service.yaml
+++ b/templates/server-ha-active-service.yaml
@@ -1,6 +1,6 @@
 {{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
-{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- if and (eq .mode "ha" ) (eq (.Values.server.service.active.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
 # Service for active Vault pod
 apiVersion: v1
 kind: Service
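Review bot: The header comment on `vault.service.standby.annotations` still reads `Sets extra vault server Service annotations`, the text copied from the original helper, so it no longer distinguishes this define from `vault.service.annotations` in the same file; change it to `Sets extra vault server Service (standby) annotations` to match the `(active)` variant above it. Both new defines also repeat the existing helper's body line for line apart from the value path, so a single helper taking the annotations value as its argument would avoid keeping three copies of the `typeOf`/`tpl`/`toYaml` logic in step. As with the existing helper, a string-valued annotations setting is passed through `tpl` and is therefore template-evaluated rather than copied verbatim, which is worth a line in the header comment so operators taking values from a shared values file know it.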
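Review bot: The render guard on the added line replaces `.Values.server.service.enabled` with `.Values.server.service.active.enabled`, so the existing top-level switch no longer suppresses the active Service; an operator who sets `server.service.enabled=false` today to disable all Services would, with the new default `active.enabled: true`, start getting this Service rendered after upgrading. Unless disabling all Services is now meant to require three flags, keep the parent switch in the condition: `{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.server.service.active.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}`. The same applies to the first hunk of `templates/server-ha-standby-service.yaml` with `standby.enabled`. The `if` blocks opened here close outside the hunk.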
@@ -13,12 +13,16 @@ metadata:
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 annotations:
-{{ template "vault.service.annotations" .}}
+{{ template "vault.service.active.annotations" .}}
 spec:
- {{- if .Values.server.service.type}}
+ {{- if .Values.server.service.active.type}}
+ type: {{ .Values.server.service.active.type }}
+ {{- else if .Values.server.service.type }}
 type: {{ .Values.server.service.type }}
 {{- end}}
- {{- if .Values.server.service.clusterIP }}
+ {{- if .Values.server.service.active.clusterIP }}
+ clusterIP: {{ .Values.server.service.active.clusterIP }}
+ {{- else if .Values.server.service.clusterIP }}
 clusterIP: {{ .Values.server.service.clusterIP }}
 {{- end }}
 publishNotReadyAddresses: true
@@ -26,7 +30,9 @@ spec:
 - name: {{ include "vault.scheme" . }}
 port: {{ .Values.server.service.port }}
 targetPort: {{ .Values.server.service.targetPort }}
- {{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
+ {{- if and (.Values.server.service.active.nodePort) (eq (.Values.server.service.active.type | toString) "NodePort") }}
+ nodePort: {{ .Values.server.service.active.nodePort }}
+ {{- else if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
 nodePort: {{ .Values.server.service.nodePort }}
 {{- end }}
 - name: https-internal
diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml
index 9213b7452..5eea8cd0b 100644
--- a/templates/server-ha-standby-service.yaml
+++ b/templates/server-ha-standby-service.yaml
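Review bot: In the `@@ -26,7 +30,9 @@` hunk the `nodePort` fallback branch still tests `.Values.server.service.type`, while the `type:` field rendered in the `@@ -13,12 +13,16 @@` hunk now prefers `.Values.server.service.active.type`, so the two can disagree. With `server.service.type=NodePort`, `server.service.nodePort` set and `server.service.active.type=ClusterIP` the Service is rendered as `type: ClusterIP` yet still carries `nodePort:`, which Kubernetes validation rejects for ClusterIP Services; conversely `active.type=NodePort` with only the shared `server.service.nodePort` set renders no `nodePort` at all. Resolving the effective type and port once with `default` and testing those removes the mismatch; the rewritten port block is below. The same pattern appears in the matching hunks of `templates/server-ha-standby-service.yaml`, and the `ports:` list continues outside this hunk.
```yaml
      targetPort: {{ .Values.server.service.targetPort }}
      {{- $svcType := .Values.server.service.active.type | default .Values.server.service.type }}
      {{- $nodePort := .Values.server.service.active.nodePort | default .Values.server.service.nodePort }}
      {{- if and $nodePort (eq ($svcType | toString) "NodePort") }}
      nodePort: {{ $nodePort }}
      {{- end }}
    - name: https-internal
```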
@@ -1,6 +1,6 @@
 {{ template "vault.mode" . }}
 {{- if ne .mode "external" }}
-{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+{{- if and (eq .mode "ha" ) (eq (.Values.server.service.standby.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
 # Service for standby Vault pod
 apiVersion: v1
 kind: Service
@@ -13,12 +13,16 @@ metadata:
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 annotations:
-{{ template "vault.service.annotations" .}}
+{{ template "vault.service.standby.annotations" .}}
 spec:
- {{- if .Values.server.service.type}}
+ {{- if .Values.server.service.standby.type}}
+ type: {{ .Values.server.service.standby.type }}
+ {{- else if .Values.server.service.type }}
 type: {{ .Values.server.service.type }}
 {{- end}}
- {{- if .Values.server.service.clusterIP }}
+ {{- if .Values.server.service.standby.clusterIP }}
+ clusterIP: {{ .Values.server.service.standby.clusterIP }}
+ {{- else if .Values.server.service.clusterIP }}
 clusterIP: {{ .Values.server.service.clusterIP }}
 {{- end }}
 publishNotReadyAddresses: true
@@ -26,7 +30,9 @@ spec:
 - name: {{ include "vault.scheme" . }}
 port: {{ .Values.server.service.port }}
 targetPort: {{ .Values.server.service.targetPort }}
- {{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
+ {{- if and (.Values.server.service.standby.nodePort) (eq (.Values.server.service.standby.type | toString) "NodePort") }}
+ nodePort: {{ .Values.server.service.standby.nodePort }}
+ {{- else if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
 nodePort: {{ .Values.server.service.nodePort }}
 {{- end }}
 - name: https-internal
@@ -38,4 +44,4 @@ spec:
 component: server
 vault-active: "false"
 {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/test/unit/server-ha-active-service.bats b/test/unit/server-ha-active-service.bats
index be3060d64..920ac5cdc 100755
--- a/test/unit/server-ha-active-service.bats
+++ b/test/unit/server-ha-active-service.bats
@@ -7,7 +7,7 @@ load _helpers
 local actual=$(helm template \
 --show-only templates/server-ha-active-service.yaml \
 --set 'server.ha.enabled=true' \
- --set 'server.service.annotations=vaultIsAwesome: true' \
+ --set 'server.service.active.annotations=vaultIsAwesome: true' \
 . | tee /dev/stderr |
 yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr)
 [ "${actual}" = "true" ]
diff --git a/test/unit/server-ha-standby-service.bats b/test/unit/server-ha-standby-service.bats
index e164cde1c..9165cc3c3 100755
--- a/test/unit/server-ha-standby-service.bats
+++ b/test/unit/server-ha-standby-service.bats
@@ -7,7 +7,7 @@ load _helpers
 local actual=$(helm template \
 --show-only templates/server-ha-standby-service.yaml \
 --set 'server.ha.enabled=true' \
- --set 'server.service.annotations=vaultIsAwesome: true' \
+ --set 'server.service.standby.annotations=vaultIsAwesome: true' \
 . | tee /dev/stderr |
 yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr)
 [ "${actual}" = "true" ]
@@ -18,7 +18,7 @@ load _helpers
 local actual=$(helm template \
 --show-only templates/server-ha-standby-service.yaml \
 --set 'server.ha.enabled=true' \
- --set 'server.service.annotations.vaultIsAwesome=true' \
+ --set 'server.service.standby.annotations.vaultIsAwesome=true' \
 . | tee /dev/stderr |
 yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr)
 [ "${actual}" = "true" ]
diff --git a/values.schema.json b/values.schema.json
index e2d00454f..dfedf1b02 100644
--- a/values.schema.json
+++ b/values.schema.json
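Review bot: The existing annotation tests are re-pointed at the new `active`/`standby` keys instead of being kept next to new cases, so after this change nothing exercises the precedence the Service templates now implement (`active.type` over `server.service.type`, the `clusterIP` fallback, the two `nodePort` branches), nor documents that `server.service.annotations` is no longer consulted by these two templates. One test per template asserting both the override and the fallback would pin that behaviour; a sketch of the type-override case for the active Service, following the setup of the surrounding tests, is below. The `@test` functions these hunks sit in begin and end outside the hunks.
```bash
@test "server/ha-active-Service: active.type takes precedence over service.type" {
  local actual=$(helm template \
      --show-only templates/server-ha-active-service.yaml \
      --set 'server.ha.enabled=true' \
      --set 'server.service.type=ClusterIP' \
      --set 'server.service.active.type=NodePort' \
      . | tee /dev/stderr |
      yq -r '.spec.type' | tee /dev/stderr)
  [ "${actual}" = "NodePort" ]
}
```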
@@ -685,6 +685,34 @@
 },
 "targetPort": {
 "type": "integer"
+ },
+ "active": {
+ "type": "object",
+ "properties": {
+ "annotations": {
+ "type": [
+ "object",
+ "string"
+ ]
+ },
+ "enabled": {
+ "type": "boolean"
+ }
+ }
+ },
+ "standby": {
+ "type": "object",
+ "properties": {
+ "annotations": {
+ "type": [
+ "object",
+ "string"
+ ]
+ },
+ "enabled": {
+ "type": "boolean"
+ }
+ }
 }
 }
 },
diff --git a/values.yaml b/values.yaml
index acab97a3b..0599d7887 100644
--- a/values.yaml
+++ b/values.yaml
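Review bot: The new `active` and `standby` schema objects declare only `annotations` and `enabled`, but the Service templates read `active.type`, `active.clusterIP` and `active.nodePort` (and the `standby` equivalents) and `values.yaml` documents all three, so those keys get no validation while the sibling `targetPort` just above is checked as an integer. Add `"clusterIP": { "type": "string" }, "type": { "type": "string" }, "nodePort": { "type": "integer" }` under both new `properties` maps, mirroring however the existing `server.service` entry declares them (not visible in this hunk). Without `nodePort` typed, a non-numeric value would pass `helm lint`/schema validation and surface only when the rendered manifest is applied.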
@@ -459,6 +459,54 @@ server:
 # to the service.
 annotations: {}
 
+ # Enables a headless service that contains the active pod only
+ active:
+ enabled: true
+ # clusterIP controls whether a Cluster IP address is attached to the
+ # Vault service within Kubernetes. By default the Vault service will
+ # be given a Cluster IP address, set to None to disable. When disabled
+ # Kubernetes will create a "headless" service. Headless services can be
+ # used to communicate with pods directly through DNS instead of a round robin
+ # load balancer.
+ # clusterIP: None
+
+ # Configures the service type for the active Vault service. Can be ClusterIP
+ # or NodePort.
+ #type: ClusterIP
+
+ # If type is set to "NodePort", a specific nodePort value can be configured,
+ # will be random if left blank.
+ #nodePort: 30000
+
+ # Extra annotations for the service definition. This can either be YAML or a
+ # YAML-formatted multi-line templated string map of the annotations to apply
+ # to the service.
+ annotations: {}
+
+ # Enables a headless service that contains standby pods only
+ standby:
+ enabled: true
+ # clusterIP controls whether a Cluster IP address is attached to the
+ # Vault service within Kubernetes. By default the Vault service will
+ # be given a Cluster IP address, set to None to disable. When disabled
+ # Kubernetes will create a "headless" service. Headless services can be
+ # used to communicate with pods directly through DNS instead of a round robin
+ # load balancer.
+ # clusterIP: None
+
+ # Configures the service type for the standby Vault service. Can be ClusterIP
+ # or NodePort.
+ #type: ClusterIP
+
+ # If type is set to "NodePort", a specific nodePort value can be configured,
+ # will be random if left blank.
+ #nodePort: 30000
+
+ # Extra annotations for the service definition. This can either be YAML or a
+ # YAML-formatted multi-line templated string map of the annotations to apply
+ # to the service.
+ annotations: {}
+
 # This configures the Vault Statefulset to create a PVC for data
 # storage when using the file or raft backend storage engines.
 # See https://www.vaultproject.io/docs/configuration/storage/index.html to know more
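Review bot: The comments introducing the new blocks, `# Enables a headless service that contains the active pod only` and its standby counterpart, describe the Service as headless, yet the `clusterIP` comment directly beneath each says a Cluster IP is assigned by default and must be set to `None` to get a headless Service, and `server-ha-active-service.yaml` only emits `clusterIP` when a value is configured. Reword them to `# Enables a Service that selects only the active Vault pod` and `# Enables a Service that selects only standby Vault pods` so the two comments stop contradicting each other. It is also worth a line next to each `enabled: true` noting that these Services are no longer governed by `server.service.enabled` above, if that behaviour change is intended.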