Introduce a value for the vault URL
What does this MR do and why?
Currently Sylva deploys a Vault server in the management cluster, and the Kubernetes resources that use this Vault are configured with its in-cluster URL, i.e. https://vault.vault.svc.cluster.local:8200. To use an external Vault instead of the local one, it must be possible to change the Vault URL.
This MR addresses a sub-task of the issue Leverage an external Vault: it paves the way to an external Vault by introducing the values .security.vault.external_url and .security.vault.external_vault_ca.
The schema ensures that the value .security.vault.external_vault_ca is allowed only if .security.vault.external_url is defined. The reverse is not required, since the external Vault may have TLS disabled (we never know...).
The MR replaces the hardcoded Vault URL https://vault.vault.svc.cluster.local:8200 with the variable ${VAULT_API} across the code. VAULT_API equals https://vault.vault.svc.cluster.local:8200 by default.
Note that the MR does not change the Vault configuration; it only allows the clustersecretstore vault and randomsecret to use a URL defined in the values.
In this MR the CA of Vault is still the Sylva CA, but the MR allows an alternative CA to be used for Vault (to prepare the integration with an external Vault). Consequently, the MR changes the fields .spec.provider.vault.caProvider.name and .spec.provider.vault.caProvider.namespace of the clustersecretstore vault to reference the secret vault/vault-ca, which in this MR can only be the certificate of the Sylva CA:
- If deploying an internal Vault (thus using the default URL), vault/vault-ca is set to cert-manager/ca-key-pair by the unit vault/copy-sylva-ca.yaml, so nothing changes at this stage.
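As an added example (not Sylva's own code), the following Python models the rule and resolution described above: the values constraint as a JSON-Schema dependentRequired, the VAULT_API default, and the origin of the vault/vault-ca secret referenced by the clustersecretstore. The schema shape, the helper names and the caProvider key field are assumptions, not taken from the MR.

```python
# Added example, not Sylva's own code: it models the values rule and the URL/CA
# resolution this MR describes. Schema shape, vault_ca_secret_source() and the
# caProvider "key" field are assumptions, not taken from the page.
from typing import Optional

DEFAULT_VAULT_API = "https://vault.vault.svc.cluster.local:8200"  # in-cluster Vault

# JSON-Schema statement of "external_vault_ca is allowed only if external_url is defined".
# The reverse is deliberately not required: an external Vault may run without TLS.
VAULT_VALUES_SCHEMA = {
    "type": "object",
    "properties": {
        "external_url": {"type": "string", "format": "uri"},
        "external_vault_ca": {"type": "string"},
    },
    "dependentRequired": {"external_vault_ca": ["external_url"]},
}

def check_vault_values(vault: dict) -> None:
    """Enforce the dependentRequired rule of the schema without a schema library."""
    for prop, needed in VAULT_VALUES_SCHEMA["dependentRequired"].items():
        missing = [n for n in needed if prop in vault and n not in vault]
        if missing:
            raise ValueError(f".security.vault.{prop} requires .security.vault.{missing[0]}")

def resolve_vault_api(values: dict) -> str:
    """VAULT_API: the external URL when set, the in-cluster URL otherwise."""
    vault = values.get("security", {}).get("vault", {})
    check_vault_values(vault)
    return vault.get("external_url") or DEFAULT_VAULT_API

def vault_ca_secret_source(values: dict) -> Optional[tuple]:
    """Origin of the vault/vault-ca secret: a copy of cert-manager/ca-key-pair for the
    internal Vault, the supplied CA for an external one, None for an external Vault without CA."""
    vault = values.get("security", {}).get("vault", {})
    check_vault_values(vault)
    if "external_url" not in vault:
        return ("copy", "cert-manager/ca-key-pair")
    return ("value", vault["external_vault_ca"]) if "external_vault_ca" in vault else None

def cluster_secret_store_provider(values: dict) -> dict:
    """spec.provider of the ClusterSecretStore 'vault' as the MR shapes it."""
    provider = {"vault": {"server": resolve_vault_api(values)}}
    if vault_ca_secret_source(values) is not None:  # no caProvider when the external Vault has no CA
        provider["vault"]["caProvider"] = {"type": "Secret", "namespace": "vault", "name": "vault-ca", "key": "ca.crt"}
    return provider
```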
Related reference(s)
parent issue: #2262
This MR does nothing until !4463 is completed.
closes #2395 (closed)
depends on !4427 (merged)
Test coverage
CI deployments to check that the modification does not break deployments with local vault.
CI configuration
Below you can choose test deployment variants to run in this MR's CI.
Legend:
| Icon | Meaning | Available values |
|---|---|---|
| ☁️ | Infra Provider | capd, capo, capm3 |
| 🚀 | Bootstrap Provider | kubeadm (alias kadm), rke2 |
| 🐧 | Node OS | ubuntu, suse |
| 🛠️ | Deployment Options | light-deploy, dev-sources, ha, misc, maxsurge-0, logging |
| 🎬 | Pipeline Scenarios | Available scenario list and description |
- 🎬 preview ☁️ capd 🚀 kadm 🐧 ubuntu
- 🎬 preview ☁️ capo 🚀 rke2 🐧 suse
- 🎬 preview ☁️ capm3 🚀 rke2 🐧 ubuntu
- ☁️ capd 🚀 kadm 🛠️ light-deploy 🐧 ubuntu
- ☁️ capd 🚀 rke2 🛠️ light-deploy 🐧 suse
- ☁️ capo 🚀 rke2 🐧 suse
- ☁️ capo 🚀 kadm 🐧 ubuntu
- ☁️ capo 🚀 rke2 🎬 rolling-update 🛠️ ha 🐧 ubuntu
- ☁️ capo 🚀 kadm 🎬 wkld-k8s-upgrade 🐧 ubuntu
- ☁️ capo 🚀 rke2 🎬 rolling-update-no-wkld 🛠️ ha 🐧 suse
- ☁️ capo 🚀 rke2 🎬 sylva-upgrade-from-1.3.x 🛠️ ha 🐧 ubuntu
- ☁️ capo 🚀 rke2 🎬 sylva-upgrade-from-1.3.x 🛠️ ha,misc 🐧 ubuntu
- ☁️ capo 🚀 rke2 🛠️ ha,misc 🐧 ubuntu
- ☁️ capm3 🚀 rke2 🐧 suse
- ☁️ capm3 🚀 kadm 🐧 ubuntu
- ☁️ capm3 🚀 kadm 🎬 rolling-update-no-wkld 🛠️ ha,misc 🐧 ubuntu
- ☁️ capm3 🚀 rke2 🎬 wkld-k8s-upgrade 🛠️ ha 🐧 suse
- ☁️ capm3 🚀 kadm 🎬 rolling-update 🛠️ ha 🐧 ubuntu
- ☁️ capm3 🚀 rke2 🎬 sylva-upgrade-from-1.3.x 🛠️ ha 🐧 suse
- ☁️ capm3 🚀 rke2 🛠️ misc,ha 🐧 suse
- ☁️ capm3 🚀 rke2 🎬 sylva-upgrade-from-1.3.x 🛠️ ha,misc 🐧 suse
- ☁️ capm3 🚀 kadm 🎬 rolling-update 🛠️ ha 🐧 suse
- ☁️ capm3 🚀 ck8s 🎬 no-wkld 🛠️ light-deploy,k8s-1.31 🐧 ubuntu
Global config for deployment pipelines
- autorun pipelines
- allow failure on pipelines
- record sylvactl events
Notes:
- Enabling autorun will make deployment pipelines run automatically without human interaction.
- Disabling allow failure will make deployment pipelines mandatory for pipeline success.
- If both autorun and allow failure are disabled, deployment pipelines will need manual triggering but will block the pipeline.
Be aware: after a configuration change, the pipeline is not triggered automatically.
Please run it manually (by clicking the run pipeline button in the Pipelines tab) or push new code.