Adding documentation for multiple vault-k8s replicas (#10659)
Describes the setup and config for using multiple injector replicas
with auto and manual TLS.

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2 people authored and actions-user committed Jan 7, 2021
1 parent fe3dd48 commit 397f8c1
Showing 1 changed file with 30 additions and 1 deletion.
31 changes: 30 additions & 1 deletion website/pages/docs/platform/k8s/injector/installation.mdx
Expand Up @@ -21,7 +21,7 @@ $ helm repo add hashicorp https://helm.releases.hashicorp.com
$ helm search repo hashicorp/vault
NAME CHART VERSION APP VERSION DESCRIPTION
hashicorp/vault 0.5.0 Install and configure Vault on Kubernetes.
hashicorp/vault 0.9.0 1.6.1 Official HashiCorp Vault Chart
```

Then install the chart and enable the injection feature by setting the
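Review bot: the replaced `helm search repo` output line now pins chart version 0.9.0 and app version 1.6.1, which will be stale as soon as the next chart is published; consider adding a sentence that the versions shown are illustrative (or trimming the output to the header row), so readers do not read 0.9.0 as a requirement for the multi-replica support documented later in this file.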
Expand Down Expand Up @@ -65,6 +65,35 @@ The following is required to configure TLS manually:

For more information on configuring manual TLS, see the [Vault Helm cert values](/docs/platform/k8s/helm/configuration#certs).

## Multiple Replicas and TLS

The Vault Agent Injector can be run with multiple replicas if using [Manual
TLS](#manual-tls), and as of v0.7.0 multiple replicas are also supported with
[Auto TLS](#auto-tls). The number of replicas is controlled in the Vault Helm
chart by the [injector.replicas
value](/docs/platform/k8s/helm/configuration#replicas).

With Auto TLS and multiple replicas, a leader-elector sidecar container is
deployed with each replica. These sidecars determine which injector replica is
the "leader" in charge of generating the CA and patching the webhook caBundle in
Kubernetes, and also generating and distributing the certificate and key to the
"followers". The followers read the certificate and key needed for the webhook
service listener from a Kubernetes Secret, which is updated by the leader when a
certificate is near expiration.

The leader-elector sidecar in use is described in detail [here][k8s-blog]. For
more information on configuring leader election, see the [Vault Helm
leaderElector values](/docs/platform/k8s/helm/configuration#leaderelector).

With Manual TLS and multiple replicas,
[injector.leaderElector.enabled](/docs/platform/k8s/helm/configuration#enabled-2)
should be set to `false` since leader-election is not necessary in this case.

If there is only one replica set (regardless of other TLS or leaderElector
settings), no leader-elector containers will be deployed.

[k8s-blog]: <https://kubernetes.io/blog/2016/01/simple-leader-election-with-kubernetes/> "Simple leader election with Kubernetes and Docker"

## Namespace Selector

By default, the Vault Agent Injector will process all namespaces in Kubernetes except
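Review bot: "as of v0.7.0" in the new "Multiple Replicas and TLS" section does not say which component's version is meant (the vault-k8s injector image or the vault-helm chart, which the previous hunk shows at 0.9.0); spell it out, e.g. "as of vault-k8s v0.7.0", if that is the intent. Two smaller points: "If there is only one replica set" reads as the Kubernetes ReplicaSet object, so "If `injector.replicas` is 1" would be clearer; and since the paragraph states that the leader patches the webhook caBundle and writes the certificate and key to a Kubernetes Secret for the followers, it is worth naming that Secret and the permissions the leader needs for it and for the webhook configuration, so operators can scope the injector's RBAC to exactly those objects rather than granting broader rights.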