doc: update vault-helm for 0.2.0 (#7759)

* doc: update vault-helm for 0.2.0 * Update website/source/docs/platform/k8s/helm.html.md Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * Update website/source/docs/platform/k8s/helm.html.md Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * Update website/source/docs/platform/k8s/helm.html.md Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * Remove commas from example
2019-11-11 11:07:35 -05:00 · 2019-11-11 11:07:35 -05:00 · 0321d9fb3a
parent 004857084b
commit 0321d9fb3a
2 changed files with 216 additions and 11 deletions
--- a/website/source/docs/platform/k8s/helm.html.md
+++ b/website/source/docs/platform/k8s/helm.html.md
@ -52,7 +52,7 @@ $ git clone https://github.com/hashicorp/vault-helm.git
 $ cd vault-helm

 # Checkout a tagged version
-$ git checkout v0.1.2
+$ git checkout v0.2.0

 # Run Helm
 $ helm install --dry-run ./
@ -71,11 +71,22 @@ and consider if they're appropriate for your deployment.
  * `enabled` (`boolean: true`) - The master enabled/disabled configuration. If this is true, most components will be installed by default. If this is false, no components will be installed by default and manually opting-in is required, such as by setting `server.enabled` to true.

  * `image` (`string: "vault:latest"`) - The name of the Docker image (including any tag) for the containers running Vault. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your Vault version.
+  
+  * `imagePullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images.  The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists.
+  
+  * `imagePullSecrets` (`string: ""`) - Defines secrets to be used when pulling images from private registries.
+
+      - `name`: (`string: required`) - 
+      Name of the secret containing files required for authentication to private image registries.

  * `tlsDisable` (`boolean: true`) - When set to `true`, changes URLs from `https` to `http` (such as the `VAULT_ADDR=http://127.0.0.1:8200` environment variable set on the Vault pods).

 * `server` - Values that configure running a Vault server within Kubernetes.

+  * `securityContext` - Values that configure Vault pods security context.
+
+    - `readOnlyRootFilesystem` (`boolean: true`) - When set to `true`, the root filesystem of the container is read only.
+
  * `resources` (`string: null`) - The resource requests and limits (CPU, memory, etc.) for each of the server. This should be a multi-line string mapping directly to a Kubernetes [ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#resourcerequirements-v1-core) object. If this isn't specified, then the pods won't request any specific amount of resources. **Setting this is highly recommended.**

    ```yaml
@ -86,6 +97,43 @@ and consider if they're appropriate for your deployment.
      limits:
        memory: "10Gi"
    ```
+  
+  * `ingress` - Values that configure Ingress services for Vault.
+
+    - `enabled` (`boolean: false`) - When set to `true`, an [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) service will be created.
+    
+    - `annotations` (`string`) - This value defines additional annotations to add to the Ingress service.  This should be formatted as a multi-line string.
+
+        ```yaml
+        annotations: |
+          kubernetes.io/ingress.class: nginx
+          kubernetes.io/tls-acme: "true"
+        ```
+    * `hosts` - Values that configure the Ingress host rules.
+
+      - `host`: Name of the host to use for Ingress.
+
+      - `paths`: This value defines the types of host rules for the Ingress service.
+
+          ```yaml
+          paths:
+          - backend:
+            serviceName: service2
+            servicePort: 80
+          ``` 
+
+    * `tls` - Values that configure the Ingress TLS rules.
+
+      - `hosts`: Name of the hosts defined in the Common Name of the TLS Certificate.  This should be formated as a multi-line string.
+
+      - `secretName`: Name of the secret containing the required TLS files such as certificates and keys.
+
+        ```yaml
+        hosts:
+          - sslexample.foo.com
+          - sslexample.bar.com
+         secretName: testsecret-tls
+        ```

  * `authDelegator` - Values that configure the Cluster Role Binding attached to the Vault service account.

@ -173,6 +221,14 @@ and consider if they're appropriate for your deployment.
          disktype: ssd
        ```

+  * `extraLabels` (`string`) - This value defines additional labels for server pods. This should be formatted as a multi-line string.
+
+        ```yaml
+        extraLabels: |
+          "sample/label1": "foo"
+          "sample/label2": "bar"
+        ```
+
  * `annotations` (`string`) - This value defines additional annotations for server pods. This should be a formatted as a multi-line string.

        ```yaml
@ -186,6 +242,28 @@ and consider if they're appropriate for your deployment.
    - `enabled` (`boolean: true`) - When set to `true`, a Kubernetes service will be created for Vault.

    - `clusterIP` (`string`) - ClusterIP controls whether an IP address (cluster IP) is attached to the Vault service within Kubernetes.  By default the Vault service will be given a Cluster IP address, set to `None` to disable.  When disabled Kubernetes will create a "headless" service.  Headless services can be used to communicate with pods directly through DNS instead of a round robin load balancer.
+    
+    - `port` (`int: 8200`) - Port on which Vault server is listening inside the pod.
+
+    - `targetPort` (`int: 8200`) - Port on which the service is listening.
+
+    - `annotations` (`string`) - This value defines additional annotations for the service. This should be formatted as a multi-line string.
+
+        ```yaml
+        annotations: |
+          "sample/annotation1": "foo"
+          "sample/annotation2": "bar"
+        ```
+
+ * `serviceAccount` - Values that configure the Kubernetes service account created for Vault.
+
+    - `annotations` (`string`) - This value defines additional annotations for the service account. This should be formatted as a multi-line string.
+
+        ```yaml
+        annotations: |
+          "sample/annotation1": "foo"
+          "sample/annotation2": "bar"
+        ```

  * `extraVolumes` - This configures the `Service` resource created for the Vault server.

@ -319,6 +397,19 @@ and consider if they're appropriate for your deployment.

  - `serviceNodePort` (`int: null`) -
  Sets the Node Port value when using `serviceType: NodePort` on the Vault UI service.
+
+  - `externalPort` (`int: 8200`) -
+  Sets the external port value of the service.
+
+  - `loadBalancerSourceRanges` (`string`) - This value defines additional source CIDRs when using `serviceType: LoadBalancer`.  This should be formatted as a multi-line string.
+
+    ```yaml
+    loadBalancerSourceRanges:
+    - 10.0.0.0/16
+    - 120.78.23.3/32
+    ```
+
+  - `loadBalancerIP` (`string`) - This value defines the IP address of the load balancer when using `serviceType: LoadBalancer`.
   
  - `annotations` (`string`) - This value defines additional annotations for the UI service. This should be a formatted as a multi-line string.

@ -340,7 +431,7 @@ The below `values.yaml` can be used to set up a single server Vault cluster with
 ```yaml
 global:
  enabled: true
-  image: "vault:1.2.2"
+  image: "vault:1.2.4"
 
 server:
  standalone:
@ -380,7 +471,7 @@ certificate authority:
 ```yaml
 global:
  enabled: true
-  image: "vault:1.2.2"
+  image: "vault:1.2.4"
  tlsDisable: false

 server:
@ -421,7 +512,7 @@ auditing enabled.
 ```yaml
 global:
  enabled: true
-  image: "vault:1.2.2"
+  image: "vault:1.2.4"

 server:
  standalone:
@ -468,18 +559,17 @@ Consul as a highly available storage backend, Google Cloud KMS for Auto Unseal.
 ```yaml
 global:
  enabled: true
-  image: "vault:1.2.2"
+  image: "vault:1.2.4"

 server:
  extraEnvironmentVars:
-    GOOGLE_REGION: global,
-    GOOGLE_PROJECT: myproject,
-    GOOGLE_CREDENTIALS: /vault/userconfig/my-gcp-iam/myproject-creds.json
+    GOOGLE_REGION: global
+    GOOGLE_PROJECT: myproject
+    GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/my-gcp-iam/myproject-creds.json

  extraVolumes: []
    - type: secret
      name: my-gcp-iam
-      load: false

  affinity: |
    podAntiAffinity:
--- a/website/source/docs/platform/k8s/run.html.md
+++ b/website/source/docs/platform/k8s/run.html.md
@ -60,7 +60,7 @@ $ git clone https://github.com/hashicorp/vault-helm.git
 $ cd vault-helm

 # Checkout a tagged version
-$ git checkout v0.1.2
+$ git checkout v0.2.0

 # Run Helm
 $ helm install --name vault ./
@ -118,7 +118,7 @@ global:
 Next, run the upgrade. You should run this with `--dry-run` first to verify
 the changes that will be sent to the Kubernetes cluster.

-```
+```shell
 $ helm upgrade vault ./
 ...
 ```
@ -174,6 +174,121 @@ $ kubectl exec -ti <name of pod> -- vault operator unseal
 After a few moments the Vault cluster should elect a new active primary.  The Vault 
 cluster is now upgraded!

+#### Google KMS Auto Unseal
+
+In order to authenticate and use KMS in Google Cloud, Vault Helm needs credentials.  The `credentials.json` 
+file will need to be mounted as a secret to the Vault container.
+
+
+##### Create the Secret
+
+First, create the secret in Kubernetes:
+
+```bash
+kubectl create secret generic kms-creds --from-file=credentials.json
+```
+
+Vault Helm will mount this to `/vault/userconfig/kms-creds/credentials.json`.
+
+##### Config Example
+
+The following is an example of how to configure Vault Helm to use Google KMS:
+
+```yaml
+global:
+  enabled: true
+  image: "vault:1.2.4"
+
+server:
+  extraEnvironmentVars:
+    GOOGLE_REGION: <REGION WHERE KMS IS LOCATED>
+    GOOGLE_PROJECT: <PROJECT NAME>
+    GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/kms-creds/credentials.json
+
+  extraVolumes:
+    - type: "secret"
+      name: "kms-creds"
+
+  ha:
+    enabled: true
+    replicas: 3
+
+    config: |
+      ui = true
+
+      listener "tcp" {
+        tls_disable = 1
+        address = "[::]:8200"
+        cluster_address = "[::]:8201"
+      }
+
+      seal "gcpckms" {
+        project     = "<NAME OF PROJECT>"
+        region      = "<NAME OF REGION>"
+        key_ring    = "<NAME OF KEYRING>"
+        crypto_key  = "<NAME OF KEY>"
+      }
+
+      storage "consul" {
+        path = "vault"
+        address = "HOST_IP:8500"
+      }
+```
+
+#### Amazon EKS Auto Unseal
+
+In order to authenticate and use EKS in AWS, Vault Helm needs credentials.  The AWS access key 
+ID and key will be mounted as secret environment variables in the Vault pods.
+
+##### Create the Secret
+
+First, create a secret with your EKS access key/secret:
+
+```bash
+kubectl create secret generic eks-creds\ 
+  --from-literal=AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID?}" \
+  --from-literal=AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY?}"
+```
+
+##### Config Example
+
+The following is an example of how to configure Vault Helm to use AWS EKS:
+
+```yaml
+global:
+  enabled: true
+  image: "vault:1.2.4"
+
+server:
+  extraSecretEnvironmentVars:
+  - envName: AWS_ACCESS_KEY_ID
+    secretName: eks-creds
+    secretKey: AWS_ACCESS_KEY_ID
+  - envName: AWS_SECRET_ACCESS_KEY
+    secretName: eks-creds
+    secretKey: AWS_SECRET_ACCESS_KEY
+
+  ha:
+    enabled: true
+    config: |
+      ui = true
+
+      listener "tcp" {
+        tls_disable = 1
+        address = "[::]:8200"
+        cluster_address = "[::]:8201"
+      }
+
+      seal "awskms" {
+        region     = "KMS_REGION_HERE"
+        kms_key_id = "KMS_KEY_ID_HERE"
+      }
+
+      storage "consul" {
+        path = "vault"
+        address = "HOST_IP:8500"
+      }
+```

 ## Architecture