Add configuration options for Vault UI service

templates/ui-service.yaml

@@ -2,11 +2,6 @@
 {{- if ne .mode "external" }}
 {{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
 {{- if eq (.Values.ui.enabled | toString) "true" }}
-# Headless service for Vault server DNS entries. This service should only
-# point to Vault servers. For access to an agent, one should assume that
-# the agent is installed locally on the node and the NODE_IP should be used.
-# If the node can't run a Vault agent, then this service can be used to
-# communicate directly to a server agent.
 apiVersion: v1
 kind: Service
 metadata:
@@ -23,7 +18,10 @@ spec:
     app.kubernetes.io/name: {{ include "vault.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     component: server
-  publishNotReadyAddresses: true
+    {{- if and (.Values.ui.activeVaultPodOnly) (eq .mode "ha") }}
+    vault-active: "true"
+    {{- end }}
+  publishNotReadyAddresses: {{ .Values.ui.publishNotReadyAddresses }}
   ports:
     - name: {{ include "vault.scheme" . }}
       port: {{ .Values.ui.externalPort }}
@@ -43,5 +41,5 @@ spec:
   {{- end }}
 {{- end -}}
 
-{{ end }}
-{{ end }}
+{{- end }}
+{{- end }}

test/unit/ui-service.bats

@@ -248,3 +248,55 @@ load _helpers
       yq -r '.spec.ports[0].name' | tee /dev/stderr)
   [ "${actual}" = "https" ]
 }
+
+@test "ui/Service: publishNotReadyAddresses set true by default" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/ui-service.yaml  \
+      --set 'ui.enabled=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
+
+@test "ui/Service: publishNotReadyAddresses can be set to false" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/ui-service.yaml  \
+      --set 'ui.enabled=true' \
+      --set 'ui.publishNotReadyAddresses=false' \
+      . | tee /dev/stderr |
+      yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr)
+  [ "${actual}" = 'false' ]
+}
+
+@test "ui/Service: active pod only selector not set by default" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/ui-service.yaml  \
+      --set 'ui.enabled=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.selector["vault-active"]' | tee /dev/stderr)
+  [ "${actual}" = "null" ]
+}
+
+@test "ui/Service: active pod only selector can be set on HA" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/ui-service.yaml  \
+      --set 'ui.enabled=true' \
+      --set 'ui.activeVaultPodOnly=true' \
+      --set 'server.dev.enabled=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.selector["vault-active"]' | tee /dev/stderr)
+  [ "${actual}" = 'null' ]
+
+  local actual=$(helm template \
+      --show-only templates/ui-service.yaml  \
+      --set 'ui.enabled=true' \
+      --set 'ui.activeVaultPodOnly=true' \
+      --set 'server.ha.enabled=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.selector["vault-active"]' | tee /dev/stderr)
+  [ "${actual}" = 'true' ]
+}

values.yaml

@@ -509,6 +509,9 @@ ui:
   # example, setting this to "LoadBalancer" will create an external load
   # balancer (for supported K8S installations) to access the UI.
   enabled: false
+  publishNotReadyAddresses: true
+  # The service should only contain selectors for active Vault pod
+  activeVaultPodOnly: false
   serviceType: "ClusterIP"
   serviceNodePort: null
   externalPort: 8200