doc: update vault-helm for 0.2.0 (#7759)

* doc: update vault-helm for 0.2.0

* Update website/source/docs/platform/k8s/helm.html.md

Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>

* Update website/source/docs/platform/k8s/helm.html.md

Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>

* Update website/source/docs/platform/k8s/helm.html.md

Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>

* Remove commas from example

website/source/docs/platform/k8s/helm.html.md

@@ -52,7 +52,7 @@ $ git clone https://github.com/hashicorp/vault-helm.git
 $ cd vault-helm
 
 # Checkout a tagged version
-$ git checkout v0.1.2
+$ git checkout v0.2.0
 
 # Run Helm
 $ helm install --dry-run ./
@@ -72,10 +72,21 @@ and consider if they're appropriate for your deployment.
 
   * `image` (`string: "vault:latest"`) - The name of the Docker image (including any tag) for the containers running Vault. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your Vault version.
   
+  * `imagePullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images.  The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists.
+  
+  * `imagePullSecrets` (`string: ""`) - Defines secrets to be used when pulling images from private registries.
+
+      - `name`: (`string: required`) - 
+      Name of the secret containing files required for authentication to private image registries.
+
   * `tlsDisable` (`boolean: true`) - When set to `true`, changes URLs from `https` to `http` (such as the `VAULT_ADDR=http://127.0.0.1:8200` environment variable set on the Vault pods).
 
 * `server` - Values that configure running a Vault server within Kubernetes.
 
+  * `securityContext` - Values that configure Vault pods security context.
+
+    - `readOnlyRootFilesystem` (`boolean: true`) - When set to `true`, the root filesystem of the container is read only.
+
   * `resources` (`string: null`) - The resource requests and limits (CPU, memory, etc.) for each of the server. This should be a multi-line string mapping directly to a Kubernetes [ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#resourcerequirements-v1-core) object. If this isn't specified, then the pods won't request any specific amount of resources. **Setting this is highly recommended.**
 
     ```yaml
@@ -87,6 +98,43 @@ and consider if they're appropriate for your deployment.
         memory: "10Gi"
     ```
   
+  * `ingress` - Values that configure Ingress services for Vault.
+
+    - `enabled` (`boolean: false`) - When set to `true`, an [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) service will be created.
+    
+    - `annotations` (`string`) - This value defines additional annotations to add to the Ingress service.  This should be formatted as a multi-line string.
+
+        ```yaml
+        annotations: |
+          kubernetes.io/ingress.class: nginx
+          kubernetes.io/tls-acme: "true"
+        ```
+    * `hosts` - Values that configure the Ingress host rules.
+
+      - `host`: Name of the host to use for Ingress.
+
+      - `paths`: This value defines the types of host rules for the Ingress service.
+
+          ```yaml
+          paths:
+          - backend:
+            serviceName: service2
+            servicePort: 80
+          ``` 
+
+    * `tls` - Values that configure the Ingress TLS rules.
+
+      - `hosts`: Name of the hosts defined in the Common Name of the TLS Certificate.  This should be formated as a multi-line string.
+
+      - `secretName`: Name of the secret containing the required TLS files such as certificates and keys.
+
+        ```yaml
+        hosts:
+          - sslexample.foo.com
+          - sslexample.bar.com
+         secretName: testsecret-tls
+        ```
+
   * `authDelegator` - Values that configure the Cluster Role Binding attached to the Vault service account.
 
     - `enabled` (`boolean: false`) - When set to `true`, a Cluster Role Binding will be bound to the Vault service account.  This Cluster Role Binding has the necessary privileges for Vault to use the [Kubernetes Auth Method](/docs/auth/kubernetes.html).
@@ -173,6 +221,14 @@ and consider if they're appropriate for your deployment.
           disktype: ssd
         ```
 
+  * `extraLabels` (`string`) - This value defines additional labels for server pods. This should be formatted as a multi-line string.
+
+        ```yaml
+        extraLabels: |
+          "sample/label1": "foo"
+          "sample/label2": "bar"
+        ```
+
   * `annotations` (`string`) - This value defines additional annotations for server pods. This should be a formatted as a multi-line string.
 
         ```yaml
@@ -187,6 +243,28 @@ and consider if they're appropriate for your deployment.
 
     - `clusterIP` (`string`) - ClusterIP controls whether an IP address (cluster IP) is attached to the Vault service within Kubernetes.  By default the Vault service will be given a Cluster IP address, set to `None` to disable.  When disabled Kubernetes will create a "headless" service.  Headless services can be used to communicate with pods directly through DNS instead of a round robin load balancer.
     
+    - `port` (`int: 8200`) - Port on which Vault server is listening inside the pod.
+
+    - `targetPort` (`int: 8200`) - Port on which the service is listening.
+
+    - `annotations` (`string`) - This value defines additional annotations for the service. This should be formatted as a multi-line string.
+
+        ```yaml
+        annotations: |
+          "sample/annotation1": "foo"
+          "sample/annotation2": "bar"
+        ```
+
+ * `serviceAccount` - Values that configure the Kubernetes service account created for Vault.
+
+    - `annotations` (`string`) - This value defines additional annotations for the service account. This should be formatted as a multi-line string.
+
+        ```yaml
+        annotations: |
+          "sample/annotation1": "foo"
+          "sample/annotation2": "bar"
+        ```
+
   * `extraVolumes` - This configures the `Service` resource created for the Vault server.
 
       - `enabled` (`boolean: true`) -
@@ -320,6 +398,19 @@ and consider if they're appropriate for your deployment.
   - `serviceNodePort` (`int: null`) -
   Sets the Node Port value when using `serviceType: NodePort` on the Vault UI service.
 
+  - `externalPort` (`int: 8200`) -
+  Sets the external port value of the service.
+
+  - `loadBalancerSourceRanges` (`string`) - This value defines additional source CIDRs when using `serviceType: LoadBalancer`.  This should be formatted as a multi-line string.
+
+    ```yaml
+    loadBalancerSourceRanges:
+    - 10.0.0.0/16
+    - 120.78.23.3/32
+    ```
+
+  - `loadBalancerIP` (`string`) - This value defines the IP address of the load balancer when using `serviceType: LoadBalancer`.
+   
   - `annotations` (`string`) - This value defines additional annotations for the UI service. This should be a formatted as a multi-line string.
 
     ```yaml
@@ -340,7 +431,7 @@ The below `values.yaml` can be used to set up a single server Vault cluster with
 ```yaml
 global:
   enabled: true
-  image: "vault:1.2.2"
+  image: "vault:1.2.4"
  
 server:
   standalone:
@@ -380,7 +471,7 @@ certificate authority:
 ```yaml
 global:
   enabled: true
-  image: "vault:1.2.2"
+  image: "vault:1.2.4"
   tlsDisable: false
 
 server:
@@ -421,7 +512,7 @@ auditing enabled.
 ```yaml
 global:
   enabled: true
-  image: "vault:1.2.2"
+  image: "vault:1.2.4"
 
 server:
   standalone:
@@ -468,18 +559,17 @@ Consul as a highly available storage backend, Google Cloud KMS for Auto Unseal.
 ```yaml
 global:
   enabled: true
-  image: "vault:1.2.2"
+  image: "vault:1.2.4"
 
 server:
   extraEnvironmentVars:
-    GOOGLE_REGION: global,
-    GOOGLE_PROJECT: myproject,
-    GOOGLE_CREDENTIALS: /vault/userconfig/my-gcp-iam/myproject-creds.json
+    GOOGLE_REGION: global
+    GOOGLE_PROJECT: myproject
+    GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/my-gcp-iam/myproject-creds.json
 
   extraVolumes: []
     - type: secret
       name: my-gcp-iam
-      load: false
 
   affinity: |
     podAntiAffinity:

website/source/docs/platform/k8s/run.html.md

@@ -60,7 +60,7 @@ $ git clone https://github.com/hashicorp/vault-helm.git
 $ cd vault-helm
 
 # Checkout a tagged version
-$ git checkout v0.1.2
+$ git checkout v0.2.0
 
 # Run Helm
 $ helm install --name vault ./
@@ -118,7 +118,7 @@ global:
 Next, run the upgrade. You should run this with `--dry-run` first to verify
 the changes that will be sent to the Kubernetes cluster.
 
-```
+```shell
 $ helm upgrade vault ./
 ...
 ```
@@ -174,6 +174,121 @@ $ kubectl exec -ti <name of pod> -- vault operator unseal
 After a few moments the Vault cluster should elect a new active primary.  The Vault 
 cluster is now upgraded!
 
+#### Google KMS Auto Unseal
+
+In order to authenticate and use KMS in Google Cloud, Vault Helm needs credentials.  The `credentials.json` 
+file will need to be mounted as a secret to the Vault container.
+
+
+##### Create the Secret
+
+First, create the secret in Kubernetes:
+
+```bash
+kubectl create secret generic kms-creds --from-file=credentials.json
+```
+
+Vault Helm will mount this to `/vault/userconfig/kms-creds/credentials.json`.
+
+##### Config Example
+
+The following is an example of how to configure Vault Helm to use Google KMS:
+
+```yaml
+global:
+  enabled: true
+  image: "vault:1.2.4"
+
+server:
+  extraEnvironmentVars:
+    GOOGLE_REGION: <REGION WHERE KMS IS LOCATED>
+    GOOGLE_PROJECT: <PROJECT NAME>
+    GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/kms-creds/credentials.json
+
+  extraVolumes:
+    - type: "secret"
+      name: "kms-creds"
+
+  ha:
+    enabled: true
+    replicas: 3
+
+    config: |
+      ui = true
+
+      listener "tcp" {
+        tls_disable = 1
+        address = "[::]:8200"
+        cluster_address = "[::]:8201"
+      }
+
+      seal "gcpckms" {
+        project     = "<NAME OF PROJECT>"
+        region      = "<NAME OF REGION>"
+        key_ring    = "<NAME OF KEYRING>"
+        crypto_key  = "<NAME OF KEY>"
+      }
+
+      storage "consul" {
+        path = "vault"
+        address = "HOST_IP:8500"
+      }
+```
+
+#### Amazon EKS Auto Unseal
+
+In order to authenticate and use EKS in AWS, Vault Helm needs credentials.  The AWS access key 
+ID and key will be mounted as secret environment variables in the Vault pods.
+
+##### Create the Secret
+
+First, create a secret with your EKS access key/secret:
+
+```bash
+kubectl create secret generic eks-creds\ 
+  --from-literal=AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID?}" \
+  --from-literal=AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY?}"
+```
+
+##### Config Example
+
+The following is an example of how to configure Vault Helm to use AWS EKS:
+
+```yaml
+global:
+  enabled: true
+  image: "vault:1.2.4"
+
+server:
+  extraSecretEnvironmentVars:
+  - envName: AWS_ACCESS_KEY_ID
+    secretName: eks-creds
+    secretKey: AWS_ACCESS_KEY_ID
+  - envName: AWS_SECRET_ACCESS_KEY
+    secretName: eks-creds
+    secretKey: AWS_SECRET_ACCESS_KEY
+
+  ha:
+    enabled: true
+    config: |
+      ui = true
+
+      listener "tcp" {
+        tls_disable = 1
+        address = "[::]:8200"
+        cluster_address = "[::]:8201"
+      }
+
+      seal "awskms" {
+        region     = "KMS_REGION_HERE"
+        kms_key_id = "KMS_KEY_ID_HERE"
+      }
+
+      storage "consul" {
+        path = "vault"
+        address = "HOST_IP:8500"
+      }
+```
 
 ## Architecture