hashicorp / vault-helm

Helm chart to install Vault and other associated components.
Mozilla Public License 2.0

Make the vault injection serviceAccount name a configuration option #426

Open woowil opened 3 years ago

woowil commented 3 years ago

Is your feature request related to a problem? Please describe. Our Kubernetes cluster is configured to use a mandated and dedicated pod security policy service account for all deployments, statefulsets, psp and role bindings, and cluster role bindings. The current vault-helm version has a configuration option for the server (statefulset) service account, but not for the injector service account.

pod/vault-0                    1/1     Running   0          67m
pod/vault-1                    1/1     Running   0          67m
pod/vault-2                    1/1     Running   0          67m

NAME                                   READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/vault-agent-injector   0/1     0            0           67m

As you can see, the vault-agent-injector is in an un-ready state since the injector binding resources use a hardcoded service account for the vault agent injector, which further has no access in the cluster. Therefore, all injections fail. My only option here is to download the latest vault-helm branch/tags, edit the template files, and install. This is a cumbersome approach in our CI/CD pipelines for every new version since I must check out the repo locally and tweak the files. I want to be able to use helm repo add and helm install with a custom values file, also when PSP is imposed in the cluster for service accounts.

Describe the solution you'd like The solution is to do a similar update as implemented for the server.serviceAccount, e.g. updating the files _helpers.tpl, injector-serviceaccount.yaml, injector-deployment.yaml, injector-clusterrolebinding.yaml and injector-psp-rolebinding.yaml

# File: values-custom.yaml
injector:
  serviceAccount:
    create: false
    name: "namespacename-restricted-osname"

# File: values.yaml
injector:
  serviceAccount:
    create: true
    name: ""

# File: _helpers.tpl
{{- define "vault.injector.serviceAccount.name" -}}
{{- if .Values.injector.serviceAccount.create -}}
    {{- /* default: first argument is the fallback, last is the configured value */ -}}
    {{ default (printf "%s-agent-injector" (include "vault.fullname" .)) .Values.injector.serviceAccount.name }}
{{- else -}}
    {{ default "default" .Values.injector.serviceAccount.name }}
{{- end -}}
{{- end -}}

# File: injector-clusterrolebinding.yaml
subjects:
- kind: ServiceAccount
  name: {{ template "vault.injector.serviceAccount.name" . }}

# File: injector-deployment.yaml
spec:
  template:
    spec:
      serviceAccountName: {{ template "vault.injector.serviceAccount.name" . }}

# File: injector-psp-rolebinding.yaml
subjects:
- kind: ServiceAccount
  name: {{ template "vault.injector.serviceAccount.name" . }}

# File: injector-serviceaccount.yaml
{{- if (eq (.Values.injector.serviceAccount.create | toString) "true" ) }}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ template "vault.injector.serviceAccount.name" . }}
  labels:
    app.kubernetes.io/name: {{ template "vault.injector.serviceAccount.name" . }}
{{- end }}

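
The helper proposed above can be checked outside a cluster before it goes into the chart. This is an added example, not code from the issue or from vault-helm: it renders the injector helper with Go's text/template, using small stand-ins for Sprig's `default` and Helm's `include` (assumed to follow the same semantics), so the name that ends up as the ClusterRoleBinding subject and as the deployment's serviceAccountName can be confirmed for each values combination. If those two disagree, the injector pod runs as an account the binding never granted, which is exactly the un-ready state shown earlier.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// Minimal chart fragment: a stand-in "vault.fullname" plus the proposed
// injector helper from the issue, followed by one use of it.
const chart = `{{- define "vault.fullname" -}}{{ .Release.Name }}{{- end -}}
{{- define "vault.injector.serviceAccount.name" -}}
{{- if .Values.injector.serviceAccount.create -}}
    {{ default (printf "%s-agent-injector" (include "vault.fullname" .)) .Values.injector.serviceAccount.name }}
{{- else -}}
    {{ default "default" .Values.injector.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{ include "vault.injector.serviceAccount.name" . }}`

func newChart() *template.Template {
	var t *template.Template
	t = template.New("chart").Funcs(template.FuncMap{
		// include: render a named template to a string (Helm's include).
		"include": func(name string, data interface{}) (string, error) {
			var buf bytes.Buffer
			err := t.ExecuteTemplate(&buf, name, data)
			return buf.String(), err
		},
		// default: Sprig order, fallback first and the configured value last.
		"default": func(def interface{}, given ...interface{}) interface{} {
			if len(given) == 0 || given[0] == nil || given[0] == "" {
				return def
			}
			return given[0]
		},
	})
	return template.Must(t.Parse(chart))
}

var tmpl = newChart()

// InjectorServiceAccountName renders the helper for one values combination.
func InjectorServiceAccountName(release string, create bool, name string) (string, error) {
	data := map[string]interface{}{
		"Release": map[string]interface{}{"Name": release},
		"Values": map[string]interface{}{"injector": map[string]interface{}{
			"serviceAccount": map[string]interface{}{"create": create, "name": name}}},
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, data); err != nil {
		return "", err
	}
	return strings.TrimSpace(buf.String()), nil
}

func main() {
	// Constructed values: the chart default and the PSP-mandated account from the issue.
	for _, c := range []struct {
		create bool
		name   string
	}{{true, ""}, {true, "custom-injector"}, {false, "namespacename-restricted-osname"}, {false, ""}} {
		n, err := InjectorServiceAccountName("vault", c.create, c.name)
		fmt.Printf("create=%v name=%q -> %q err=%v\n", c.create, c.name, n, err)
	}
}
```

With `create: true` and an empty name the result stays `vault-agent-injector`, so existing installs keep their current account; with `create: false` the mandated account is used unchanged.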
jasonodonnell commented 3 years ago

Hi @woowil, thanks for the feature request. I can see this being useful. If you're interested in contributing this, we'll be happy to review it. If not we're tracking this internally and will add it at some point.

Thanks!

woowil commented 3 years ago

Hi. Just tell me what/how I can contribute other than what I have suggested as a solution in the files. I hope this can be added in the next release.