Add lifecycle code to read secrets from PVC mounted to running
vault-manager, and vault-manager code for conversion of storage from PVC
to k8s secrets.
The lifecycle code is added because the previous version of
vault-manager does not respond to SIGTERM from Kubernetes for
termination, and yet the pod will be terminating when the new
vault-manager pod runs. Reading the PVC data in lifecycle code before
Helm updates the charts simplifies the process when vault-manager is
running during application-update.
The new vault-manager also handles the case where the application is not
running at the time the application is updated, such as if the
application is removed, deleted, uploaded and applied.
In general, the procedure for conversion of the storage from PVC to k8s
secrets is:
- read the data from PVC
- store the data in k8s secrets
- validate the data
- confirm the stored data is the same as what was in PVC
- delete the original data only when the copy is confirmed
The solution employs a 'mount-helper', an incarnation of init.sh,
that mounts the PVC resource so that vault-manager can read it. The
mount-helper mounts the PVC resource and waits to be terminated.
Test plan:
PASS vault sanity
PASS vault sanity via application-update
PASS vault sanity update via application remove, delete, upload, apply
(update testing requires version bump similar to change 881754)
PASS unit test of the code
PASS bashate, flake8, bandit
PASS tox
Story: 2010930
Task: 48846
Change-Id: Iace37dad256b50f8d2ea6741bca070b97ec7d2d2
Signed-off-by: Michel Thebeau <Michel.Thebeau@windriver.com>