docs: update Vault Helm to 0.9.0 (#10656)
* docs: update vault-helm for 0.9.0

* Fix typo in leaderElector config

* Add default value to ttl

* Update website/content/docs/platform/k8s/helm/configuration.mdx

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* Update website/content/docs/platform/k8s/helm/configuration.mdx

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* Update website/content/docs/platform/k8s/helm/configuration.mdx

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* Add affinity default for injector

* Update website/content/docs/platform/k8s/helm/configuration.mdx

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
jasonodonnell and tvoran committed Jan 5, 2021
1 parent 4b96b35 commit 026f42b
Showing 4 changed files with 85 additions and 17 deletions.
75 changes: 70 additions & 5 deletions website/pages/docs/platform/k8s/helm/configuration.mdx
@@ -56,19 +56,33 @@ and consider if they're appropriate for your deployment.
- `externalVaultAddr` (`string: ""`) - External vault server address for the injector to use. Setting this will disable deployment of the vault server, and only deploy the injector.
A service account with token review permissions is automatically created if `server.serviceAccount.create=true` is set for the external Vault server to use.

- `replicas` (`int: 1`) - The number of pods to deploy to create a highly available cluster of Vault Agent Injectors. Requires Vault K8s 0.7.0 to have more than 1 replica.

- `leaderElector` - Values that configure the Vault Agent Injector leader election for HA deployments.

- `enabled` (`boolean: true`) - When set to `true`, enables leader election for Vault Agent Injector. This is required when using auto-tls and more than 1 replica.

- `image` - Values that configure the Vault Agent Injector Leader Election image.

- `repository` (`string: "gcr.io/google_containers/leader-elector"`) - The name of the leader election image for the Vault Agent Injector.
- `tag` (`string: "0.4"`) - The tag of the Docker image for the Leader Election. **This should be pinned to a specific version when running in production.**

- `ttl` (`string: "60s"`) - The frequency in which leader elections are performed in the Vault Agent Injector cluster.
- `image` - Values that configure the Vault Agent Injector Docker image.

- `repository` (`string: "hashicorp/vault-k8s"`) - The name of the Docker image for Vault Agent Injector.
- `tag` (`string: "0.6.0"`) - The tag of the Docker image for the Vault Agent Injector. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller.
- `tag` (`string: "0.7.0"`) - The tag of the Docker image for the Vault Agent Injector. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller.

- `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists.

- `agentImage` - Values that configure the Vault Agent sidecar image.

- `repository` (`string: "vault"`) - The name of the Docker image for the Vault Agent sidecar. This should be set to the official Vault Docker image.
- `tag` (`string: "1.5.4"`) - The tag of the Vault Docker image to use for the Vault Agent Sidecar. **Vault 1.3.1+ is required by the admission controller**.
- `tag` (`string: "1.6.1"`) - The tag of the Vault Docker image to use for the Vault Agent Sidecar. **Vault 1.3.1+ is required by the admission controller**.

- `metrics` - Values that configure the Vault Agent Injector metric exporter.

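Review bot: the new `leaderElector.image.repository` default (`gcr.io/google_containers/leader-elector`) pulls from a different registry than the `hashicorp/vault-k8s` injector image and the `vault` agent image. Since the entry already tells operators to pin `tag` (`"0.4"`) in production, it should also say that clusters using registry allowlists or mirrors must add this third-party image, and, because `leaderElector.enabled` defaults to `true`, state whether that image is pulled at all when `replicas` is left at `1`. Minor wording on `ttl`: "the frequency at which leader elections are performed", not "in which".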
@@ -102,6 +116,14 @@ and consider if they're appropriate for your deployment.
injection: enabled
```

- `extraLabels` (`dictionary: {}`) - This value defines additional labels for Vault Agent Injector pods.

```yaml
extraLabels:
'sample/label1': 'foo'
'sample/label2': 'bar'
```

- `certs` - The certs section configures how the webhook TLS certs are configured. These are the TLS certs for the Kube apiserver communicating to the webhook. By default, the injector will generate and manage its own certs, but this requires the ability for the injector to update its own `MutatingWebhookConfiguration`. In a production environment, custom certs should probably be used. Configure the values below to enable this.

- `secretName` (`string: ""`) - secretName is the name of the Kubernetes secret that has the TLS certificate and private key to serve the injector webhook. If this is null, then the injector will default to its automatic management mode.
@@ -114,7 +136,20 @@ and consider if they're appropriate for your deployment.

- `extraEnvironmentVars` (`dictionary: {}`) - Extra environment variables to set in the injector deployment.

- `affinity` (`string: null`) - Affinity Settings for injector pods. This should be a multi-line string matching the affinity section of a PodSpec.
- `affinity` - This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) for Vault Agent Injector pods. It defaults to allowing only a single pod on each node, which minimizes risk of the cluster becoming unusable if a node is lost. If you need to run more pods per node (for example, testing on Minikube), set this value to `null`.

```yaml
# Recommended default server affinity:
affinity: |
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app: {{ template "vault.name" . }}
release: "{{ .Release.Name }}"
component: injector
topologyKey: kubernetes.io/hostname
```

- `tolerations` (`string: null`) - Toleration Settings for injector pods. This should be a multi-line string matching the Toleration array in a PodSpec.

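Review bot: the comment in the new `affinity` example reads `# Recommended default server affinity:`, but this entry sits under the injector and the selector uses `component: injector`; change it to "injector affinity" so it is not confused with the identical `server.affinity` block. The rewrite also drops the `(`string: null`)` type and default annotation that every other key on this page carries and now names `null` only as the opt-out value; keep an annotation in the page's convention and say explicitly that the default is the multi-line template shown.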
@@ -134,16 +169,32 @@ and consider if they're appropriate for your deployment.
"sample/annotation2": "bar"
```

- `failurePolicy` (`string : ""`) - When set to `Fail`, an error calling the webhook causes the admission to fail and the API request to be rejected.
- `failurePolicy` (`string: "Ignore"`) - When set to `Fail`, an error calling the webhook causes the admission to fail and the API request to be rejected.
When set to `Ignore`, an error calling the webhook is ignored and the API request is allowed to continue. Allowed values: `Fail`, `Ignore`.

- `service` - The service section configures the Kubernetes service for the Vault Agent Injector.

- `annotations` (`dictionary: {}`) - This value defines additional annotations to
add to the Vault Agent Injector service. This can either be YAML or a YAML-formatted
multi-line templated string.

```yaml
annotations:
"sample/annotation1": "foo"
"sample/annotation2": "bar"
# or
annotations: |
"sample/annotation1": "foo"
"sample/annotation2": "bar"
```

- `server` - Values that configure running a Vault server within Kubernetes.

- `image` - Values that configure the Vault Docker image.

- `repository` (`string: "vault"`) - The name of the Docker image for the containers running Vault.
- `tag` (`string: "1.5.4"`) - The tag of the Docker image for the containers running Vault. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller.
- `tag` (`string: "1.6.1"`) - The tag of the Docker image for the containers running Vault. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller.

- `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists.

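Review bot: the default for `failurePolicy` changes from `""` to `Ignore`, which is the fail-open setting: if the injector webhook is unreachable, annotated pods are admitted without the Vault Agent sidecar, and workloads that expect it start without their secrets. The entry should spell out that trade-off (availability over guaranteed injection) and that `Fail` is the fail-closed choice for clusters where every annotated pod must receive the sidecar, ideally combined with `replicas` > 1 and the leader election documented earlier on this page so the webhook itself stays available. Separately, the `server.image.tag` line (`1.6.1`) still ends with "may inadvertently upgrade your admission controller", a copy-paste from the injector section; for the server image it should read "upgrade your Vault server".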
@@ -414,6 +465,18 @@ and consider if they're appropriate for your deployment.

- `enabled` (`boolean: false`) - When set to `true`, enables a Network Policy for the Vault cluster.

- `egress` (`array: []`) - This value configures the [egress](https://kubernetes.io/docs/concepts/services-networking/network-policies/) network policy rules.

```yaml
egress:
- to:
- ipBlock:
cidr: 10.0.0.0/24
ports:
- protocol: TCP
port: 8200
```

- `priorityClassName` (`string: ""`) - Priority class for server pods
- `extraLabels` (`dictionary: {}`) - This value defines additional labels for server pods.
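Review bot: the new `egress` entry shows an example but not its effect. In Kubernetes, once a NetworkPolicy lists `Egress` in its `policyTypes`, every egress flow from the selected pods that no rule matches is denied, including DNS; the doc should state whether setting `egress` makes the chart add `Egress` to `policyTypes`, and if so warn that the example (TCP 8200 to `10.0.0.0/24` only) would need additional rules for DNS and for the storage backend before it is used on a real cluster. It is also worth saying that `egress` has no effect until `networkPolicy.enabled` (default `false`) is set to `true`.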
@@ -543,6 +606,8 @@ and consider if they're appropriate for your deployment.
- `enabled` (`boolean: false`) -
Enables `dev` mode for the Vault server. This mode is useful for experimenting with Vault without needing to unseal.

- `devRootToken` (`string: "root"`) - Configures the root token for the Vault development server.
~> **Security Warning:** Never, ever, ever run a "dev" mode server in production. It is insecure and will lose data on every restart (since it stores data in-memory). It is only made for development or experimentation.
- `standalone` - This configures `standalone` mode for the Vault server.
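Review bot: the new `devRootToken` bullet is inserted between the `enabled` description and the `~> **Security Warning:**` callout, so the warning now renders under `devRootToken` and reads as if it applied to the root token rather than to dev mode as a whole; move the bullet after the callout (or place the callout directly under `enabled`). The description could also note that `"root"` is a well-known, predictable token, one more reason a dev server must stay confined to local experimentation, as the warning already says.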
7 changes: 4 additions & 3 deletions website/pages/docs/platform/k8s/helm/index.mdx
@@ -36,7 +36,7 @@ $ helm repo add hashicorp https://helm.releases.hashicorp.com
$ helm search repo hashicorp/vault
NAME CHART VERSION APP VERSION DESCRIPTION
hashicorp/vault 0.8.0 1.5.4 Official HashiCorp Vault Chart
hashicorp/vault 0.9.0 1.6.1 Official HashiCorp Vault Chart
```

-> **Important:** The Helm chart is new and under significant development.
@@ -58,12 +58,13 @@ Installing a specific version of the chart.
# List the available releases
$ helm search repo hashicorp/vault -l
NAME CHART VERSION APP VERSION DESCRIPTION
hashicorp/vault 0.9.0 1.6.1 Official HashiCorp Vault Chart
hashicorp/vault 0.8.0 1.5.4 Official HashiCorp Vault Chart
hashicorp/vault 0.7.0 1.5.2 Official HashiCorp Vault Chart
hashicorp/vault 0.6.0 1.4.2 Official HashiCorp Vault Chart

# Install version 0.8.0
$ helm install vault hashicorp/vault --version 0.8.0
# Install version 0.9.0
$ helm install vault hashicorp/vault --version 0.9.0
```

~> **Security Warning:** By default, the chart runs in standalone mode. This
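Review bot: this release table, and the matching `helm install ... --version` line under it, is hand-maintained in three places in this commit (`index.mdx`, `openshift.mdx`, `run.mdx`) plus the upgrade example in `run.mdx`; every chart bump has to touch all of them and they drift easily (the `openshift.mdx` copy, for instance, lacks the blank line before the install command that the other two have). Consider keeping the version list in one shared snippet that the pages include.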
9 changes: 5 additions & 4 deletions website/pages/docs/platform/k8s/helm/openshift.mdx
@@ -69,8 +69,8 @@ $ helm repo add hashicorp https://helm.releases.hashicorp.com
"hashicorp" has been added to your repositories
$ helm search repo hashicorp/vault
NAME CHART VERSION APP VERSION DESCRIPTION
hashicorp/vault 0.8.0 1.5.4 Official HashiCorp Vault Chart
NAME CHART VERSION APP VERSION DESCRIPTION
hashicorp/vault 0.9.0 1.6.1 Official HashiCorp Vault Chart
```

-> **Important:** The Helm chart is new and under significant development.
@@ -89,12 +89,13 @@ Or install a specific version of the chart.
# List the available releases
$ helm search repo hashicorp/vault -l
NAME CHART VERSION APP VERSION DESCRIPTION
hashicorp/vault 0.9.0 1.6.1 Official HashiCorp Vault Chart
hashicorp/vault 0.8.0 1.5.4 Official HashiCorp Vault Chart
hashicorp/vault 0.7.0 1.5.2 Official HashiCorp Vault Chart
hashicorp/vault 0.6.0 1.4.2 Official HashiCorp Vault Chart
# Install version 0.8.0
$ helm install vault hashicorp/vault --version 0.8.0
# Install version 0.9.0
$ helm install vault hashicorp/vault --version 0.9.0
```

The `helm install` command accepts parameters to override default configuration
11 changes: 6 additions & 5 deletions website/pages/docs/platform/k8s/helm/run.mdx
@@ -54,7 +54,7 @@ $ helm repo add hashicorp https://helm.releases.hashicorp.com
$ helm search repo hashicorp/vault
NAME CHART VERSION APP VERSION DESCRIPTION
hashicorp/vault 0.8.0 1.5.4 Official HashiCorp Vault Chart
hashicorp/vault 0.9.0 1.6.1 Official HashiCorp Vault Chart
```

-> **Important:** The Helm chart is new and under significant development.
@@ -73,12 +73,13 @@ Or install a specific version of the chart.
# List the available releases
$ helm search repo hashicorp/vault -l
NAME CHART VERSION APP VERSION DESCRIPTION
hashicorp/vault 0.9.0 1.6.1 Official HashiCorp Vault Chart
hashicorp/vault 0.8.0 1.5.4 Official HashiCorp Vault Chart
hashicorp/vault 0.7.0 1.5.2 Official HashiCorp Vault Chart
hashicorp/vault 0.6.0 1.4.2 Official HashiCorp Vault Chart

# Install version 0.8.0
$ helm install vault hashicorp/vault --version 0.8.0
# Install version 0.9.0
$ helm install vault hashicorp/vault --version 0.9.0
```

The `helm install` command accepts parameters to override default configuration
@@ -421,14 +422,14 @@ Next, list the Helm versions and choose the desired version to install.
```bash
helm search repo hashicorp/vault
NAME CHART VERSION APP VERSION DESCRIPTION
hashicorp/vault 0.8.0 1.5.4 Official HashiCorp Vault Chart
hashicorp/vault 0.9.0 1.6.1 Official HashiCorp Vault Chart
```

Next, test the upgrade with `--dry-run` first to verify the changes sent to the
Kubernetes cluster.

```shell-session
$ helm upgrade vault hashicorp/vault --version=0.8.0 \
$ helm upgrade vault hashicorp/vault --version=0.9.0 \
--set='server.image.repository=vault' \
--set='server.image.tag=123.456' \
--dry-run
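Review bot: the dry-run example now targets chart `0.9.0`, and per the `configuration.mdx` changes in this same commit that bump also moves the injector image default to `0.7.0`, adds a default `podAntiAffinity` for injector pods and introduces the leader-election settings; the surrounding text should tell readers to inspect the `--dry-run` output for those rendered changes, not only for the `server.image` override, since the `--set` flags pin the server image alone. The `123.456` placeholder tag is fine for a dry run but should be called out as a placeholder, as the real upgrade would fail to pull it.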