diff --git a/vault-helm/debian/deb_folder/patches/0001-Add-log-level-option-for-vault-manager.patch b/vault-helm/debian/deb_folder/patches/0001-Add-log-level-option-for-vault-manager.patch index 1aae8c8..b122537 100644 --- a/vault-helm/debian/deb_folder/patches/0001-Add-log-level-option-for-vault-manager.patch +++ b/vault-helm/debian/deb_folder/patches/0001-Add-log-level-option-for-vault-manager.patch @@ -1,4 +1,4 @@ -From 5db06329aa7ac13d3a9bf041071bfcb715d11934 Mon Sep 17 00:00:00 2001 +From 3ea54def194ee7c79b3ade000825fdad07603d24 Mon Sep 17 00:00:00 2001 From: Michel Thebeau Date: Fri, 29 Sep 2023 21:23:19 +0000 Subject: [PATCH] Add log level option for vault-manager @@ -18,12 +18,12 @@ Signed-off-by: Michel Thebeau 1 file changed, 9 insertions(+) diff --git a/values.yaml b/values.yaml -index c0a0f9e..e9547fd 100644 +index f35df52..600d632 100644 --- a/values.yaml +++ b/values.yaml -@@ -102,6 +102,15 @@ manager: - # - enableOnPVCConversion: true +@@ -114,6 +114,15 @@ manager: + # client_version: v1.28 + client_version: "" + # Debugging option to improve log reading, allow more verbose logging + # DEBUG: 1 diff --git a/vault-helm/debian/deb_folder/patches/0001-Add-manager-pause-request-to-helm-values.yaml.patch b/vault-helm/debian/deb_folder/patches/0001-Add-manager-pause-request-to-helm-values.yaml.patch index 1489c9f..5098905 100644 --- a/vault-helm/debian/deb_folder/patches/0001-Add-manager-pause-request-to-helm-values.yaml.patch +++ b/vault-helm/debian/deb_folder/patches/0001-Add-manager-pause-request-to-helm-values.yaml.patch @@ -1,4 +1,4 @@ -From 3e899dcd7bced1de65b59ce3a1aa7d9b8c78bc55 Mon Sep 17 00:00:00 2001 +From 632a43d0fb4661c0bd1ca7a03e6dee69c1d9974e Mon Sep 17 00:00:00 2001 From: Michel Thebeau Date: Mon, 6 Nov 2023 19:28:52 +0000 Subject: [PATCH] Add manager pause request to helm values.yaml @@ -17,10 +17,10 @@ Signed-off-by: Michel Thebeau 1 file changed, 7 insertions(+) diff --git a/values.yaml b/values.yaml -index e9547fd..fc22705 100644 +index 600d632..ac35eb2 100644 --- a/values.yaml +++ b/values.yaml -@@ -111,6 +111,13 @@ manager: +@@ -123,6 +123,13 @@ manager: log: defaultLogLevel: 2 diff --git a/vault-helm/debian/deb_folder/patches/0001-Add-vault-manager-repository-to-values.yaml.patch b/vault-helm/debian/deb_folder/patches/0001-Add-vault-manager-repository-to-values.yaml.patch index d6b6c9c..4762d07 100644 --- a/vault-helm/debian/deb_folder/patches/0001-Add-vault-manager-repository-to-values.yaml.patch +++ b/vault-helm/debian/deb_folder/patches/0001-Add-vault-manager-repository-to-values.yaml.patch @@ -1,4 +1,4 @@ -From c271b6865e6c1bcbca6372f8b3b2db6d19ec9e89 Mon Sep 17 00:00:00 2001 +From fda70b8f0e34be97e9c80251afdec45518314ab1 Mon Sep 17 00:00:00 2001 From: Greg Waines Date: Sat, 5 Nov 2022 20:14:58 -0400 Subject: [PATCH] Add vault manager repository to values.yaml @@ -15,16 +15,18 @@ vault rekey. Add option to enable/disable rekey of vault after conversion of storage backend from PVC to k8s secrets. +Add option to select kubectl version. + Signed-off-by: Michel Thebeau --- - values.yaml | 68 +++++++++++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 68 insertions(+) + values.yaml | 74 +++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 74 insertions(+) diff --git a/values.yaml b/values.yaml -index 9e35ac8..0da34a5 100644 +index 9e35ac8..3e311d6 100644 --- a/values.yaml +++ b/values.yaml -@@ -40,6 +40,74 @@ global: +@@ -40,6 +40,80 @@ global: # See the top level serverTelemetry section below before enabling this feature. prometheusOperator: false @@ -95,6 +97,12 @@ index 9e35ac8..0da34a5 100644 + # https://developer.hashicorp.com/vault/api-docs/v1.13.x/system/rekey + # + enableOnPVCConversion: true ++ ++ k8s: ++ # The major/minor version of kubectl client binary to use. Must ++ # exist within the vault manager image for example ++ # client_version: v1.28 ++ client_version: "" + injector: # True if you want to enable vault agent injection. diff --git a/vault-helm/debian/deb_folder/patches/0001-Add-yaml-for-starlingx-image-handling.patch b/vault-helm/debian/deb_folder/patches/0001-Add-yaml-for-starlingx-image-handling.patch index 3cb6cc0..4f86751 100644 --- a/vault-helm/debian/deb_folder/patches/0001-Add-yaml-for-starlingx-image-handling.patch +++ b/vault-helm/debian/deb_folder/patches/0001-Add-yaml-for-starlingx-image-handling.patch @@ -1,9 +1,9 @@ -From 8840718defe47f2ff2fbc011f7ee4a1375118ea0 Mon Sep 17 00:00:00 2001 +From df90377c1979008b4cf305591732b44032c8f831 Mon Sep 17 00:00:00 2001 From: Michel Thebeau Date: Tue, 2 May 2023 14:59:18 -0400 Subject: [PATCH] Add yaml for starlingx image handling -Add values yaml compatible with starlingx platform's image pull and +Add values yaml compatible with StarlingX platform's image pull and service parameter registry override handling. The platform will pull the image and populate registry.local, and the vault injector agent will pull from registry.local. @@ -14,10 +14,10 @@ Signed-off-by: Michel Thebeau 1 file changed, 3 insertions(+) diff --git a/values.yaml b/values.yaml -index 5066c1b..c0a0f9e 100644 +index 3e311d6..f35df52 100644 --- a/values.yaml +++ b/values.yaml -@@ -134,6 +134,9 @@ injector: +@@ -146,6 +146,9 @@ injector: # containers. This should be set to the official Vault image. Vault 1.3.1+ is # required. agentImage: diff --git a/vault-helm/vault-helm/helm-charts/vault-init.yaml b/vault-helm/vault-helm/helm-charts/vault-init.yaml index 40b604a..fc7e815 100644 --- a/vault-helm/vault-helm/helm-charts/vault-init.yaml +++ b/vault-helm/vault-helm/helm-charts/vault-init.yaml @@ -27,6 +27,10 @@ data: WORKDIR=/workdir mkdir -p $WORKDIR + # Selection of kubectl version from helm override + KUBECTL=kubectl + KUBECTL_HELM_OVERRIDE={{ .Values.manager.k8s.client_version }} + # Trap and trap notification file. When SIGTERM is sent to this pod # we want to exit promptly and gracefully. TRAPFILE=$WORKDIR/exit_on_trap @@ -144,6 +148,157 @@ data: # FUNCTIONS + # takes major/minor version of k8s and compares + # for example: v1.28 > v1.27 > v1.26 + # + # Returns: + # 0 left is larger + # 1 equal + # 2 right is larger + function compareK8sVersion { + local left="$1" + local right="$2" + + # strip leading 'v' + left="${left#v}" + right="${right#v}" + + # compare the strings + if [ "$left" == "$right" ]; then + return 1 + fi + # compare major + if [ "${left%.*}" -gt "${right%.*}" ]; then + return 0 + elif [ "${left%.*}" -lt "${right%.*}" ]; then + return 2 + fi + + # compare the minor + if [ "${left#*.}" -gt "${right#*.}" ]; then + return 0 + fi + return 2 + } + + # Give kubectl an opportunity to express complaints in the log + function k8sComplain { + local result + + result="$( $KUBECTL version -o json 2>&1 >/dev/null )" + if [ -n "$result" ]; then + log $WARNING "kubectl: $result" + fi + } + + # Double-check that the binary exists before setting the specified + # value of KUBECTL + function switchK8sVersion { + local select="$1" + local fname="kubectl.$select" + local newbin="${KUBECTL_INSTALL_PATH}/$fname" + + which "$fname" >/dev/null + if [ $? -ne 0 -o ! -f "$newbin" ]; then + log $ERROR "Missing kubectl version: $select" + k8sComplain + return 1 + fi + + if [ "$KUBECTL" != "$fname" ]; then + KUBECTL="$fname" + log $INFO "Switching to use kubectl version $select" + fi + + k8sComplain + return 0 + } + + # Select the version of kubectl matching the running server + function pickK8sVersion { + local result + local serverver + local majorver + local minorver + local select="" + local majmin="" + local maxver + local minver + + # omit this code if the image does not support kubectl versions + if [ -z "$KUBE_VERSIONS" ]; then + k8sComplain + return + fi + + if [ -n "$KUBECTL_HELM_OVERRIDE" ]; then + # pick the binary requested, if it exists + switchK8sVersion "$KUBECTL_HELM_OVERRIDE" + if [ $? -eq 0 ]; then + return + fi + log $ERROR "kubectl version from helm-override not" \ + "available: $KUBECTL_HELM_OVERRIDE" + fi + + # use -o json for consistent usage, as oppose to --short + result="$( $KUBECTL version -o json 2>/dev/null )" + if [ $? -ne 0 ]; then + log $ERROR "Unable to get k8s server version" + # no change in value of KUBECTL + k8sComplain + return + fi + + serverver="$( jq -r '.serverVersion.gitVersion' <<<"$result" \ + | grep "[0-9]" )" + majorver="$( jq -r '.serverVersion.major' <<<"$result" \ + | grep "[0-9]" )" + minorver="$( jq -r '.serverVersion.minor' <<<"$result" \ + | grep "[0-9]" )" + if [ -z "$serverver" -o -z "$majorver" -o -z "$minorver" ]; then + log $ERROR "Unable to detect K8s server version:" \ + "["$result"]" + # no change in value of KUBECTL + k8sComplain + return + fi + + # pick matching client major/minor version + for select in $KUBE_VERSIONS noverhere; do + majmin="v${majorver}.${minorver}" + if [[ "$select" =~ ^$majmin ]]; then + break + fi + done + + if [ "$select" == noverhere ]; then + # Try to pick a near version. We really shouldn't be in + # this situation, but here is a compromise. This algorithm + # assumes that there are no omitted versions in the series + # of KUBE_VERSIONS, and that they are sorted largest to + # smallest in that list + maxver="$( awk '{print $1}' <<<"$KUBE_VERSIONS" )" + minver="$( awk '{print $NF}' <<<"$KUBE_VERSIONS" )" + + compareK8sVersion ${serverver%.*} ${maxver%.*} + if [ "$?" -le 1 ]; then + select="$maxver" + else + compareK8sVersion ${minver%.*} ${serverver%.*} + if [ "$?" -le 1 ]; then + select="$minver" + else + log $ERROR "Could not pick nearest version for kubectl" + k8sComplain + return + fi + fi + fi + + switchK8sVersion "${select%.*}" + } + # Convert log level to text for log message function log_to_str { local level="$1" @@ -451,7 +606,7 @@ data: fi jpath='{range .items[*]}'"$jfields"'{"\n"}{end}' - kubectl get pods \ + $KUBECTL get pods \ -n "$VAULT_NS" \ -l component=server,app.kubernetes.io/name=vault \ -o=jsonpath="$jpath" \ @@ -465,7 +620,7 @@ data: {.status.podIPs[].ip}{"\t"}{.status.phase}{"\n"} \ {end}' - CURRENT_PODS=$(kubectl get pods \ + CURRENT_PODS=$($KUBECTL get pods \ -l component=server,app.kubernetes.io/name=vault \ -o=jsonpath="$jsonPath" \ | grep Running \ @@ -482,7 +637,7 @@ data: log $INFO "Waiting for ${VAULT_FN}" \ "statefulset running pods ($CURRENT_PODS) to equal" \ "desired pods ($DESIRED_PODS)" - CURRENT_PODS=$(kubectl get pods \ + CURRENT_PODS=$($KUBECTL get pods \ -l component=server,app.kubernetes.io/name=vault \ -o=jsonpath="$jsonPath" \ | grep Running \ @@ -904,7 +1059,7 @@ data: local output local result - output="$( kubectl create secret generic -n "$VAULT_NS" \ + output="$( $KUBECTL create secret generic -n "$VAULT_NS" \ "$secret" "--from-file=strdata=$contentf" 2>&1 )" result=$? if [ "$result" -ne 0 ]; then @@ -917,7 +1072,7 @@ data: function get_secret { local secret="$1" - kubectl get secrets -n "$VAULT_NS" "$secret" \ + $KUBECTL get secrets -n "$VAULT_NS" "$secret" \ -o jsonpath='{.data.strdata}' \ | base64 -d } @@ -973,7 +1128,7 @@ data: # Prints the name of the secret function secretExists { local name="$1" - kubectl get secrets -n vault "$name" \ + $KUBECTL get secrets -n vault "$name" \ -o jsonpath='{.metadata.name}' 2>/dev/null \ | grep "$name" } @@ -1064,7 +1219,7 @@ data: function deleteSecrets { local secrets="$@" local text - text="$( kubectl delete secrets -n vault \ + text="$( $KUBECTL delete secrets -n vault \ $secrets 2>&1 )" if [ $? -ne 0 ]; then log $ERROR "Error deleting secrets: ["$text"]" @@ -1090,7 +1245,7 @@ data: # the grep makes sure the result contains the 'manager-pvc' # string (as opposed to 'null' for example) text="$( - kubectl get persistentvolumeclaims -n vault -o json \ + $KUBECTL get persistentvolumeclaims -n vault -o json \ | jq -r "$jqscript" 2>/dev/null \ | grep manager-pvc )" result=$? @@ -1117,7 +1272,7 @@ data: # this kubectl query returns zero whether manager-pvc is # found or not # result variable is either empty or 'manager-pvc' - result="$( kubectl get pods -n vault \ + result="$( $KUBECTL get pods -n vault \ -o jsonpath="{${cspec}.${vspec}}" )" if [ -n "$result" ]; then @@ -1132,7 +1287,7 @@ data: local result log $DEBUG "Waiting for delete of mount-helper job" - text="$( kubectl delete --ignore-not-found=true --wait=true \ + text="$( $KUBECTL delete --ignore-not-found=true --wait=true \ -f /opt/yaml/pvc-attach.yaml 2>&1 )" result=$? log $DEBUG "Output of deleting mount-helper: [$text]" @@ -1158,7 +1313,7 @@ data: fi # get profile of the files before shredding - kubectl exec -n vault "$helper" -- \ + $KUBECTL exec -n vault "$helper" -- \ bash -c 'find /mnt/data -type f \ | sort | xargs wc | head -n-1' \ >/tmp/shred_before.txt 2>&1 @@ -1171,7 +1326,7 @@ data: # The shred by default has three randomized passes, and with -z # option will finalize with zeros. -f prompts shred to work # around any unexpected file permissions - text="$( kubectl exec -n vault "$helper" -- \ + text="$( $KUBECTL exec -n vault "$helper" -- \ bash -c '\ result=0; \ while read fname; do \ @@ -1182,7 +1337,7 @@ data: result=$? # get profile of the files after shredding - kubectl exec -n vault "$helper" -- \ + $KUBECTL exec -n vault "$helper" -- \ bash -c 'find /mnt/data -type f \ | sort | xargs wc | head -n-1' \ >/tmp/shred_after.txt 2>&1 @@ -1233,7 +1388,7 @@ data: name="$( pvcExists )" if [ $? -eq 0 ] && [[ "$name" =~ ^manager-pvc ]]; then - text="$( kubectl delete persistentvolumeclaims -n vault \ + text="$( $KUBECTL delete persistentvolumeclaims -n vault \ "$name" 2>&1 )" if [ $? -ne 0 ]; then log $ERROR "Error deleting PVC: [$text]" @@ -1268,7 +1423,7 @@ data: fi # run the pod - output="$( kubectl apply -f /opt/yaml/pvc-attach.yaml 2>&1 )" + output="$( $KUBECTL apply -f /opt/yaml/pvc-attach.yaml 2>&1 )" if [ $? -ne 0 ]; then log $ERROR "Failed to apply mount-helper" log $DEBUG "Output: [$output]" @@ -1282,7 +1437,7 @@ data: log $INFO "Waiting for mount-helper pod to run" while [ -z "$pod" -a "$count" -le "$MAX_POD_RUN_TRIES" ]; do count=$((count+1)) - text="$( kubectl get pods -n vault | grep "mount-helper" )" + text="$( $KUBECTL get pods -n vault | grep "mount-helper" )" pod="$( echo "$text" | grep "Running" | awk '{print $1}' )" if [ -z "$pod" ]; then sleep 1 @@ -1297,7 +1452,7 @@ data: fi # get the pvc data - PVCtext="$( kubectl exec -n vault "$pod" \ + PVCtext="$( $KUBECTL exec -n vault "$pod" \ -- cat /mnt/data/cluster_keys.json )" if [ $? -ne 0 -o -z "$PVCtext" ]; then log $ERROR "Failed to read cluster_keys.json" @@ -1308,7 +1463,7 @@ data: # if the Root secret is pre-existing, compare the existing # shard secrets and root secret before deleting the PVC - kubectl get secrets -n vault cluster-key-root >/dev/null 2>&1 + $KUBECTL get secrets -n vault cluster-key-root >/dev/null 2>&1 if [ $? -eq 0 ]; then log $INFO "Cluster secrets exist:" \ "validating" @@ -3008,6 +3163,9 @@ data: exit_on_trap 1 + # Match kubectl version to server version (or etc) + pickK8sVersion + # check if this pod is helping to convert storage from pvc to k8s # secrets mountHelper @@ -3095,6 +3253,8 @@ data: while true; do exit_on_trap 10 sleep "$STATUS_RATE" + exit_on_trap 20 + pickK8sVersion # check if the k8s server version is changed rm $WORKDIR/pods.txt echo "" > "$PODREC_TMP_F" exit_on_trap 11