starlingx/vault-armada-app
Code Issues Proposed changes

Add multiple version support of kubectl

Browse Source 
Allow vault-manager to pick the version of kubectl that matches the
currently running server.  Add a helm override option to pick a
particular version available within the image.

Refresh the helm chart patches on top of this change.

Test Plan:
PASS  Unit test the code
PASS  helm chart override
PASS  sanity of vault application
PASS  watch vault manager log during kubernetes upgrade

Story: 2010930
Task: 49177

Change-Id: I2459d0376efb6b7e47a25f59ee82ca74b277361f
Signed-off-by: Michel Thebeau <Michel.Thebeau@windriver.com>
This commit is contained in:
Michel Thebeau 2023-11-30 19:58:35 +00:00
parent 65e8589183
commit 733ca0e9a6
5 changed files with 203 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
vault-helm/debian/deb_folder/patches/0001-Add-log-level-option-for-vault-manager.patch
View File

@ -1,4 +1,4 @@
From 5db06329aa7ac13d3a9bf041071bfcb715d11934 Mon Sep 17 00:00:00 2001
From 3ea54def194ee7c79b3ade000825fdad07603d24 Mon Sep 17 00:00:00 2001
From: Michel Thebeau <Michel.Thebeau@windriver.com>
Date: Fri, 29 Sep 2023 21:23:19 +0000
Subject: [PATCH] Add log level option for vault-manager
@ -18,12 +18,12 @@ Signed-off-by: Michel Thebeau <Michel.Thebeau@windriver.com>
1 file changed, 9 insertions(+)
diff --git a/values.yaml b/values.yaml
index c0a0f9e..e9547fd 100644
index f35df52..600d632 100644
--- a/values.yaml
+++ b/values.yaml
@@ -102,6 +102,15 @@ manager:
#
enableOnPVCConversion: true
@@ -114,6 +114,15 @@ manager:
# client_version: v1.28
client_version: ""
+ # Debugging option to improve log reading, allow more verbose logging
+ # DEBUG: 1

6
vault-helm/debian/deb_folder/patches/0001-Add-manager-pause-request-to-helm-values.yaml.patch
View File

@ -1,4 +1,4 @@
From 3e899dcd7bced1de65b59ce3a1aa7d9b8c78bc55 Mon Sep 17 00:00:00 2001
From 632a43d0fb4661c0bd1ca7a03e6dee69c1d9974e Mon Sep 17 00:00:00 2001
From: Michel Thebeau <Michel.Thebeau@windriver.com>
Date: Mon, 6 Nov 2023 19:28:52 +0000
Subject: [PATCH] Add manager pause request to helm values.yaml
@ -17,10 +17,10 @@ Signed-off-by: Michel Thebeau <Michel.Thebeau@windriver.com>
1 file changed, 7 insertions(+)
diff --git a/values.yaml b/values.yaml
index e9547fd..fc22705 100644
index 600d632..ac35eb2 100644
--- a/values.yaml
+++ b/values.yaml
@@ -111,6 +111,13 @@ manager:
@@ -123,6 +123,13 @@ manager:
log:
defaultLogLevel: 2

18
vault-helm/debian/deb_folder/patches/0001-Add-vault-manager-repository-to-values.yaml.patch
View File

@ -1,4 +1,4 @@
From c271b6865e6c1bcbca6372f8b3b2db6d19ec9e89 Mon Sep 17 00:00:00 2001
From fda70b8f0e34be97e9c80251afdec45518314ab1 Mon Sep 17 00:00:00 2001
From: Greg Waines <greg.waines@windriver.com>
Date: Sat, 5 Nov 2022 20:14:58 -0400
Subject: [PATCH] Add vault manager repository to values.yaml
@ -15,16 +15,18 @@ vault rekey.
Add option to enable/disable rekey of vault after conversion of storage
backend from PVC to k8s secrets.
Add option to select kubectl version.
Signed-off-by: Michel Thebeau <michel.thebeau@windriver.com>
---
values.yaml | 68 +++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 68 insertions(+)
values.yaml | 74 +++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 74 insertions(+)
diff --git a/values.yaml b/values.yaml
index 9e35ac8..0da34a5 100644
index 9e35ac8..3e311d6 100644
--- a/values.yaml
+++ b/values.yaml
@@ -40,6 +40,74 @@ global:
@@ -40,6 +40,80 @@ global:
# See the top level serverTelemetry section below before enabling this feature.
prometheusOperator: false
@ -95,6 +97,12 @@ index 9e35ac8..0da34a5 100644
+ # https://developer.hashicorp.com/vault/api-docs/v1.13.x/system/rekey
+ #
+ enableOnPVCConversion: true
+
+ k8s:
+ # The major/minor version of kubectl client binary to use. Must
+ # exist within the vault manager image for example
+ # client_version: v1.28
+ client_version: ""
+
injector:
# True if you want to enable vault agent injection.

8
vault-helm/debian/deb_folder/patches/0001-Add-yaml-for-starlingx-image-handling.patch
View File

@ -1,9 +1,9 @@
From 8840718defe47f2ff2fbc011f7ee4a1375118ea0 Mon Sep 17 00:00:00 2001
From df90377c1979008b4cf305591732b44032c8f831 Mon Sep 17 00:00:00 2001
From: Michel Thebeau <michel.thebeau@windriver.com>
Date: Tue, 2 May 2023 14:59:18 -0400
Subject: [PATCH] Add yaml for starlingx image handling
Add values yaml compatible with starlingx platform's image pull and
Add values yaml compatible with StarlingX platform's image pull and
service parameter registry override handling. The platform will pull
the image and populate registry.local, and the vault injector agent will
pull from registry.local.
@ -14,10 +14,10 @@ Signed-off-by: Michel Thebeau <michel.thebeau@windriver.com>
1 file changed, 3 insertions(+)
diff --git a/values.yaml b/values.yaml
index 5066c1b..c0a0f9e 100644
index 3e311d6..f35df52 100644
--- a/values.yaml
+++ b/values.yaml
@@ -134,6 +134,9 @@ injector:
@@ -146,6 +146,9 @@ injector:
# containers. This should be set to the official Vault image. Vault 1.3.1+ is
# required.
agentImage:

196
vault-helm/vault-helm/helm-charts/vault-init.yaml
View File

@ -27,6 +27,10 @@ data:
WORKDIR=/workdir
mkdir -p $WORKDIR
# Selection of kubectl version from helm override
KUBECTL=kubectl
KUBECTL_HELM_OVERRIDE={{ .Values.manager.k8s.client_version }}
# Trap and trap notification file. When SIGTERM is sent to this pod
# we want to exit promptly and gracefully.
TRAPFILE=$WORKDIR/exit_on_trap
@ -144,6 +148,157 @@ data:
# FUNCTIONS
# takes major/minor version of k8s and compares
# for example: v1.28 > v1.27 > v1.26
#
# Returns:
# 0 left is larger
# 1 equal
# 2 right is larger
function compareK8sVersion {
local left="$1"
local right="$2"
# strip leading 'v'
left="${left#v}"
right="${right#v}"
# compare the strings
if [ "$left" == "$right" ]; then
return 1
fi
# compare major
if [ "${left%.*}" -gt "${right%.*}" ]; then
return 0
elif [ "${left%.*}" -lt "${right%.*}" ]; then
return 2
fi
# compare the minor
if [ "${left#*.}" -gt "${right#*.}" ]; then
return 0
fi
return 2
}
# Give kubectl an opportunity to express complaints in the log
function k8sComplain {
local result
result="$( $KUBECTL version -o json 2>&1 >/dev/null )"
if [ -n "$result" ]; then
log $WARNING "kubectl: $result"
fi
}
# Double-check that the binary exists before setting the specified
# value of KUBECTL
function switchK8sVersion {
local select="$1"
local fname="kubectl.$select"
local newbin="${KUBECTL_INSTALL_PATH}/$fname"
which "$fname" >/dev/null
if [ $? -ne 0 -o ! -f "$newbin" ]; then
log $ERROR "Missing kubectl version: $select"
k8sComplain
return 1
fi
if [ "$KUBECTL" != "$fname" ]; then
KUBECTL="$fname"
log $INFO "Switching to use kubectl version $select"
fi
k8sComplain
return 0
}
# Select the version of kubectl matching the running server
function pickK8sVersion {
local result
local serverver
local majorver
local minorver
local select=""
local majmin=""
local maxver
local minver
# omit this code if the image does not support kubectl versions
if [ -z "$KUBE_VERSIONS" ]; then
k8sComplain
return
fi
if [ -n "$KUBECTL_HELM_OVERRIDE" ]; then
# pick the binary requested, if it exists
switchK8sVersion "$KUBECTL_HELM_OVERRIDE"
if [ $? -eq 0 ]; then
return
fi
log $ERROR "kubectl version from helm-override not" \
"available: $KUBECTL_HELM_OVERRIDE"
fi
# use -o json for consistent usage, as oppose to --short
result="$( $KUBECTL version -o json 2>/dev/null )"
if [ $? -ne 0 ]; then
log $ERROR "Unable to get k8s server version"
# no change in value of KUBECTL
k8sComplain
return
fi
serverver="$( jq -r '.serverVersion.gitVersion' <<<"$result" \
| grep "[0-9]" )"
majorver="$( jq -r '.serverVersion.major' <<<"$result" \
| grep "[0-9]" )"
minorver="$( jq -r '.serverVersion.minor' <<<"$result" \
| grep "[0-9]" )"
if [ -z "$serverver" -o -z "$majorver" -o -z "$minorver" ]; then
log $ERROR "Unable to detect K8s server version:" \
"["$result"]"
# no change in value of KUBECTL
k8sComplain
return
fi
# pick matching client major/minor version
for select in $KUBE_VERSIONS noverhere; do
majmin="v${majorver}.${minorver}"
if [[ "$select" =~ ^$majmin ]]; then
break
fi
done
if [ "$select" == noverhere ]; then
# Try to pick a near version. We really shouldn't be in
# this situation, but here is a compromise. This algorithm
# assumes that there are no omitted versions in the series
# of KUBE_VERSIONS, and that they are sorted largest to
# smallest in that list
maxver="$( awk '{print $1}' <<<"$KUBE_VERSIONS" )"
minver="$( awk '{print $NF}' <<<"$KUBE_VERSIONS" )"
compareK8sVersion ${serverver%.*} ${maxver%.*}
if [ "$?" -le 1 ]; then
select="$maxver"
else
compareK8sVersion ${minver%.*} ${serverver%.*}
if [ "$?" -le 1 ]; then
select="$minver"
else
log $ERROR "Could not pick nearest version for kubectl"
k8sComplain
return
fi
fi
fi
switchK8sVersion "${select%.*}"
}
# Convert log level to text for log message
function log_to_str {
local level="$1"
@ -451,7 +606,7 @@ data:
fi
jpath='{range .items[*]}'"$jfields"'{"\n"}{end}'
kubectl get pods \
$KUBECTL get pods \
-n "$VAULT_NS" \
-l component=server,app.kubernetes.io/name=vault \
-o=jsonpath="$jpath" \
@ -465,7 +620,7 @@ data:
{.status.podIPs[].ip}{"\t"}{.status.phase}{"\n"} \
{end}'
CURRENT_PODS=$(kubectl get pods \
CURRENT_PODS=$($KUBECTL get pods \
-l component=server,app.kubernetes.io/name=vault \
-o=jsonpath="$jsonPath" \
| grep Running \
@ -482,7 +637,7 @@ data:
log $INFO "Waiting for ${VAULT_FN}" \
"statefulset running pods ($CURRENT_PODS) to equal" \
"desired pods ($DESIRED_PODS)"
CURRENT_PODS=$(kubectl get pods \
CURRENT_PODS=$($KUBECTL get pods \
-l component=server,app.kubernetes.io/name=vault \
-o=jsonpath="$jsonPath" \
| grep Running \
@ -904,7 +1059,7 @@ data:
local output
local result
output="$( kubectl create secret generic -n "$VAULT_NS" \
output="$( $KUBECTL create secret generic -n "$VAULT_NS" \
"$secret" "--from-file=strdata=$contentf" 2>&1 )"
result=$?
if [ "$result" -ne 0 ]; then
@ -917,7 +1072,7 @@ data:
function get_secret {
local secret="$1"
kubectl get secrets -n "$VAULT_NS" "$secret" \
$KUBECTL get secrets -n "$VAULT_NS" "$secret" \
-o jsonpath='{.data.strdata}' \
| base64 -d
}
@ -973,7 +1128,7 @@ data:
# Prints the name of the secret
function secretExists {
local name="$1"
kubectl get secrets -n vault "$name" \
$KUBECTL get secrets -n vault "$name" \
-o jsonpath='{.metadata.name}' 2>/dev/null \
| grep "$name"
}
@ -1064,7 +1219,7 @@ data:
function deleteSecrets {
local secrets="$@"
local text
text="$( kubectl delete secrets -n vault \
text="$( $KUBECTL delete secrets -n vault \
$secrets 2>&1 )"
if [ $? -ne 0 ]; then
log $ERROR "Error deleting secrets: ["$text"]"
@ -1090,7 +1245,7 @@ data:
# the grep makes sure the result contains the 'manager-pvc'
# string (as opposed to 'null' for example)
text="$(
kubectl get persistentvolumeclaims -n vault -o json \
$KUBECTL get persistentvolumeclaims -n vault -o json \
| jq -r "$jqscript" 2>/dev/null \
| grep manager-pvc )"
result=$?
@ -1117,7 +1272,7 @@ data:
# this kubectl query returns zero whether manager-pvc is
# found or not
# result variable is either empty or 'manager-pvc'
result="$( kubectl get pods -n vault \
result="$( $KUBECTL get pods -n vault \
-o jsonpath="{${cspec}.${vspec}}" )"
if [ -n "$result" ]; then
@ -1132,7 +1287,7 @@ data:
local result
log $DEBUG "Waiting for delete of mount-helper job"
text="$( kubectl delete --ignore-not-found=true --wait=true \
text="$( $KUBECTL delete --ignore-not-found=true --wait=true \
-f /opt/yaml/pvc-attach.yaml 2>&1 )"
result=$?
log $DEBUG "Output of deleting mount-helper: [$text]"
@ -1158,7 +1313,7 @@ data:
fi
# get profile of the files before shredding
kubectl exec -n vault "$helper" -- \
$KUBECTL exec -n vault "$helper" -- \
bash -c 'find /mnt/data -type f \
| sort | xargs wc | head -n-1' \
>/tmp/shred_before.txt 2>&1
@ -1171,7 +1326,7 @@ data:
# The shred by default has three randomized passes, and with -z
# option will finalize with zeros. -f prompts shred to work
# around any unexpected file permissions
text="$( kubectl exec -n vault "$helper" -- \
text="$( $KUBECTL exec -n vault "$helper" -- \
bash -c '\
result=0; \
while read fname; do \
@ -1182,7 +1337,7 @@ data:
result=$?
# get profile of the files after shredding
kubectl exec -n vault "$helper" -- \
$KUBECTL exec -n vault "$helper" -- \
bash -c 'find /mnt/data -type f \
| sort | xargs wc | head -n-1' \
>/tmp/shred_after.txt 2>&1
@ -1233,7 +1388,7 @@ data:
name="$( pvcExists )"
if [ $? -eq 0 ] && [[ "$name" =~ ^manager-pvc ]]; then
text="$( kubectl delete persistentvolumeclaims -n vault \
text="$( $KUBECTL delete persistentvolumeclaims -n vault \
"$name" 2>&1 )"
if [ $? -ne 0 ]; then
log $ERROR "Error deleting PVC: [$text]"
@ -1268,7 +1423,7 @@ data:
fi
# run the pod
output="$( kubectl apply -f /opt/yaml/pvc-attach.yaml 2>&1 )"
output="$( $KUBECTL apply -f /opt/yaml/pvc-attach.yaml 2>&1 )"
if [ $? -ne 0 ]; then
log $ERROR "Failed to apply mount-helper"
log $DEBUG "Output: [$output]"
@ -1282,7 +1437,7 @@ data:
log $INFO "Waiting for mount-helper pod to run"
while [ -z "$pod" -a "$count" -le "$MAX_POD_RUN_TRIES" ]; do
count=$((count+1))
text="$( kubectl get pods -n vault | grep "mount-helper" )"
text="$( $KUBECTL get pods -n vault | grep "mount-helper" )"
pod="$( echo "$text" | grep "Running" | awk '{print $1}' )"
if [ -z "$pod" ]; then
sleep 1
@ -1297,7 +1452,7 @@ data:
fi
# get the pvc data
PVCtext="$( kubectl exec -n vault "$pod" \
PVCtext="$( $KUBECTL exec -n vault "$pod" \
-- cat /mnt/data/cluster_keys.json )"
if [ $? -ne 0 -o -z "$PVCtext" ]; then
log $ERROR "Failed to read cluster_keys.json"
@ -1308,7 +1463,7 @@ data:
# if the Root secret is pre-existing, compare the existing
# shard secrets and root secret before deleting the PVC
kubectl get secrets -n vault cluster-key-root >/dev/null 2>&1
$KUBECTL get secrets -n vault cluster-key-root >/dev/null 2>&1
if [ $? -eq 0 ]; then
log $INFO "Cluster secrets exist:" \
"validating"
@ -3008,6 +3163,9 @@ data:
exit_on_trap 1
# Match kubectl version to server version (or etc)
pickK8sVersion
# check if this pod is helping to convert storage from pvc to k8s
# secrets
mountHelper
@ -3095,6 +3253,8 @@ data:
while true; do
exit_on_trap 10
sleep "$STATUS_RATE"
exit_on_trap 20
pickK8sVersion # check if the k8s server version is changed
rm $WORKDIR/pods.txt
echo "" > "$PODREC_TMP_F"
exit_on_trap 11