docs: vault-helm 0.4.0 updates (#8318)
Updated docs for vault-helm 0.4.0 configuration changes, and helm 3 support (dropping helm 2). Also some spelling changes, and shortened page titles for the k8s helm examples.
This commit is contained in:
parent
24ae59b317
commit
17efdd6336
|
@ -7,10 +7,10 @@ description: This section documents configuration options for the Vault Helm cha
|
|||
|
||||
# Configuration
|
||||
|
||||
~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
|
||||
~> **Important Note:** This chart is not compatible with Helm 2. Please use Helm 3 with this chart.
|
||||
|
||||
The chart is highly customizable using
|
||||
[Helm configuration values](https://docs.helm.sh/using_helm/#customizing-the-chart-before-installing).
|
||||
[Helm configuration values](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing).
|
||||
Each value has a default tuned for an optimal getting started experience
|
||||
with Vault. Before going into production, please review the parameters below
|
||||
and consider if they're appropriate for your deployment.
|
||||
|
@ -29,6 +29,8 @@ and consider if they're appropriate for your deployment.
|
|||
|
||||
- `enabled` (`boolean: true`) - When set to `true`, the Vault Agent Injector Admission Webhook controller will be created.
|
||||
|
||||
- `externalVaultAddr` (`string: ""`) - External vault server address for the injector to use. Setting this will disable deployment of the vault server, and only deploy the injector.
|
||||
|
||||
- `image` - Values that configure the Vault Agent Injector Docker image.
|
||||
|
||||
- `repository` (`string: "hashicorp/vault-k8s"`) - The name of the Docker image for Vault Agent Injector.
|
||||
|
@ -84,6 +86,8 @@ and consider if they're appropriate for your deployment.
|
|||
|
||||
- `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists.
|
||||
|
||||
- `updateStrategyType` (`string: "OnDelete"`) - Configure the [Update Strategy Type](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies) for the StatefulSet.
|
||||
|
||||
- `resources` (`string: null`) - The resource requests and limits (CPU, memory, etc.) for each of the server. This should be a multi-line string mapping directly to a Kubernetes [ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#resourcerequirements-v1-core) object. If this isn't specified, then the pods won't request any specific amount of resources. **Setting this is highly recommended.**
|
||||
|
||||
```yaml
|
||||
|
@ -141,7 +145,7 @@ and consider if they're appropriate for your deployment.
|
|||
|
||||
- `enabled` (`boolean: true`) - When set to `true`, a readiness probe will be applied to the Vault pods.
|
||||
|
||||
- `path` (`string: ""`) - When set to a value, enables HTTP/HTTPS probes instead of using the default `exec` probe. The http/https scheme is controled by the `tlsDisable` value.
|
||||
- `path` (`string: ""`) - When set to a value, enables HTTP/HTTPS probes instead of using the default `exec` probe. The http/https scheme is controlled by the `tlsDisable` value.
|
||||
|
||||
```yaml
|
||||
readinessProbe:
|
||||
|
@ -153,7 +157,7 @@ and consider if they're appropriate for your deployment.
|
|||
|
||||
- `enabled` (`boolean: false`) - When set to `true`, a liveliness probe will be applied to the Vault pods.
|
||||
|
||||
- `path` (`string: "/v1/sys/health?standbyok=true"`) - When set to a value, enables HTTP/HTTPS probes instead of using the default `exec` probe. The http/https scheme is controled by the `tlsDisable` value.
|
||||
- `path` (`string: "/v1/sys/health?standbyok=true"`) - When set to a value, enables HTTP/HTTPS probes instead of using the default `exec` probe. The http/https scheme is controlled by the `tlsDisable` value.
|
||||
|
||||
- `initialDelaySeconds` (`int: 60`) - Sets the initial delay of the liveliness probe when the container starts.
|
||||
|
||||
|
@ -164,6 +168,8 @@ and consider if they're appropriate for your deployment.
|
|||
initialDelaySeconds: 60
|
||||
```
|
||||
|
||||
- `preStopSleepSeconds` (`int: 5`) - Used to set the sleep time during the preStop step.
|
||||
|
||||
- `extraContainers` (`array: []`) - The extra containers to be applied to the Vault server pods.
|
||||
|
||||
```yaml
|
||||
|
@ -173,14 +179,6 @@ and consider if they're appropriate for your deployment.
|
|||
env: ...
|
||||
```
|
||||
|
||||
```yaml
|
||||
# Extra Environment Variables are defined as key/value strings.
|
||||
extraEnvironmentVars:
|
||||
GOOGLE_REGION: global
|
||||
GOOGLE_PROJECT: myproject
|
||||
GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/myproject/myproject-creds.json
|
||||
```
|
||||
|
||||
- `extraEnvironmentVars` - The extra environment variables to be applied to the Vault server. This should be a multi-line key/value string.
|
||||
|
||||
```yaml
|
||||
|
@ -191,6 +189,8 @@ and consider if they're appropriate for your deployment.
|
|||
GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/myproject/myproject-creds.json
|
||||
```
|
||||
|
||||
- `shareProcessNamespace` (`boolean: false`) - Enables process namespace sharing between Vault and the extraContainers. This is useful if Vault must be signaled, e.g. to send a SIGHUP for log rotation.
|
||||
|
||||
- `extraArgs` (`string: null`) - The extra arguments to be applied to the Vault server startup command.
|
||||
|
||||
```yaml
|
||||
|
@ -397,7 +397,7 @@ and consider if they're appropriate for your deployment.
|
|||
The number of pods to deploy to create a highly available cluster of Vault servers.
|
||||
|
||||
- `updatePartition` (`int: 0`) -
|
||||
If an updatePartition is specified, all Pods with an ordinal that is greater than or equal to the partition will be updated when the StatefulSet’s `.spec.template` is updated. If set to `0`, this disables parition updates. For more information see the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#rolling-updates).
|
||||
If an updatePartition is specified, all Pods with an ordinal that is greater than or equal to the partition will be updated when the StatefulSet’s `.spec.template` is updated. If set to `0`, this disables partition updates. For more information see the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#rolling-updates).
|
||||
|
||||
- `config` (`string: "{}"`) -
|
||||
A raw string of extra HCL or JSON [configuration](/docs/configuration) for Vault servers.
|
||||
|
|
|
@ -2,14 +2,14 @@
|
|||
layout: "docs"
|
||||
page_title: "Highly Available Vault Cluster with Consul"
|
||||
sidebar_current: "docs-platform-k8s-examples-ha-with-consul"
|
||||
sidebar_title: "Highly Available Vault Cluster with Consul"
|
||||
sidebar_title: "Highly Available Cluster with Consul"
|
||||
description: |-
|
||||
Describes how to set up a highly available Vault cluster with Consul backend
|
||||
---
|
||||
|
||||
# Highly Available Vault Cluster with Consul
|
||||
|
||||
~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
|
||||
~> **Important Note:** This chart is not compatible with Helm 2. Please use Helm 3 with this chart.
|
||||
|
||||
The below `values.yaml` can be used to set up a five server Vault cluster using
|
||||
Consul as a highly available storage backend, Google Cloud KMS for Auto Unseal.
|
||||
|
|
|
@ -9,7 +9,7 @@ description: |-
|
|||
|
||||
# Helm Chart Examples
|
||||
|
||||
~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
|
||||
~> **Important Note:** This chart is not compatible with Helm 2. Please use Helm 3 with this chart.
|
||||
|
||||
These are a collection of examples of common configurations for Vault using the Helm chart.
|
||||
|
||||
|
|
|
@ -9,7 +9,7 @@ description: |-
|
|||
|
||||
# Bootstrapping Kubernetes Auth Method
|
||||
|
||||
~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
|
||||
~> **Important Note:** This chart is not compatible with Helm 2. Please use Helm 3 with this chart.
|
||||
|
||||
In this example, we will walk through how to set up the [Kubernetes Auth Method](/docs/auth/kubernetes.html).
|
||||
|
||||
|
|
|
@ -2,14 +2,14 @@
|
|||
layout: "docs"
|
||||
page_title: "Standalone Server with Audit Storage"
|
||||
sidebar_current: "docs-platform-k8s-examples-standalone-audit"
|
||||
sidebar_title: "Standalone Server with Audit Storage"
|
||||
sidebar_title: "Standalone with Audit Storage"
|
||||
description: |-
|
||||
Describes how to set up a standalone Vault with audit storage
|
||||
---
|
||||
|
||||
# Standalone Server with Audit Storage
|
||||
|
||||
~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
|
||||
~> **Important Note:** This chart is not compatible with Helm 2. Please use Helm 3 with this chart.
|
||||
|
||||
The below `values.yaml` can be used to set up a single server Vault cluster with
|
||||
auditing enabled.
|
||||
|
|
|
@ -2,14 +2,14 @@
|
|||
layout: "docs"
|
||||
page_title: "Standalone Server with Load Balanced UI"
|
||||
sidebar_current: "docs-platform-k8s-examples-standalone-load-balanced-ui"
|
||||
sidebar_title: "Standalone Server with Load Balanced UI"
|
||||
sidebar_title: "Standalone with Load Balanced UI"
|
||||
description: |-
|
||||
Describes how to set up a standalone Vault with a load balanced UI
|
||||
---
|
||||
|
||||
# Standalone Server with Load Balanced UI
|
||||
|
||||
~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
|
||||
~> **Important Note:** This chart is not compatible with Helm 2. Please use Helm 3 with this chart.
|
||||
|
||||
The below `values.yaml` can be used to set up a single server Vault cluster with a LoadBalancer to allow external access to the UI and API.
|
||||
|
||||
|
|
|
@ -2,14 +2,14 @@
|
|||
layout: "docs"
|
||||
page_title: "Standalone Server with TLS"
|
||||
sidebar_current: "docs-platform-k8s-examples-standalone-tls"
|
||||
sidebar_title: "Standalone Server with TLS"
|
||||
sidebar_title: "Standalone with TLS"
|
||||
description: |-
|
||||
Describes how to set up a standalone Vault with TLS certificate
|
||||
---
|
||||
|
||||
# Standalone Server with TLS
|
||||
|
||||
~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
|
||||
~> **Important Note:** This chart is not compatible with Helm 2. Please use Helm 3 with this chart.
|
||||
|
||||
This example can be used to set up a single server Vault cluster using TLS.
|
||||
|
||||
|
|
|
@ -9,7 +9,7 @@ description: >-
|
|||
|
||||
# Helm Chart
|
||||
|
||||
~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
|
||||
~> **Important Note:** This chart is not compatible with Helm 2. Please use Helm 3 with this chart.
|
||||
|
||||
The [Vault Helm chart](https://github.com/hashicorp/vault-helm)
|
||||
is the recommended way to install and configure Vault on Kubernetes.
|
||||
|
@ -17,7 +17,7 @@ In addition to running Vault itself, the Helm chart is the primary
|
|||
method for installing and configuring Vault to integrate with other
|
||||
services such as Consul for High Availability deployments.
|
||||
|
||||
This page assumes general knowledge of [Helm](https://v2.helm.sh/) and
|
||||
This page assumes general knowledge of [Helm](https://helm.sh/) and
|
||||
how to use it. Using Helm to install Vault will require that Helm is
|
||||
properly installed and configured with your Kubernetes cluster.
|
||||
|
||||
|
@ -54,8 +54,8 @@ $ git clone https://github.com/hashicorp/vault-helm.git
|
|||
$ cd vault-helm
|
||||
|
||||
# Checkout a tagged version
|
||||
$ git checkout v0.3.3
|
||||
$ git checkout v0.4.0
|
||||
|
||||
# Run Helm
|
||||
$ helm install --dry-run ./
|
||||
$ helm install vault ./
|
||||
```
|
||||
|
|
|
@ -4,7 +4,7 @@ page_title: Running Vault - Kubernetes
|
|||
sidebar_title: Running Vault
|
||||
description: >-
|
||||
Vault can run directly on Kubernetes in various configurations. For
|
||||
pure-Kubernetes worloads, this enables Vault to also exist purely within
|
||||
pure-Kubernetes workloads, this enables Vault to also exist purely within
|
||||
Kubernetes.
|
||||
---
|
||||
|
||||
|
@ -19,7 +19,7 @@ This page starts with a large how-to section for various specific tasks.
|
|||
!> **IMPORTANT NOTE:** Vault Enterprise is currently not supported. We are actively
|
||||
working a version for Vault Enterprise and it will be available in the future.
|
||||
|
||||
~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
|
||||
~> **Important Note:** This chart is not compatible with Helm 2. Please use Helm 3 with this chart.
|
||||
|
||||
## Helm Chart
|
||||
|
||||
|
@ -63,10 +63,10 @@ $ git clone https://github.com/hashicorp/vault-helm.git
|
|||
$ cd vault-helm
|
||||
|
||||
# Checkout a tagged version
|
||||
$ git checkout v0.3.3
|
||||
$ git checkout v0.4.0
|
||||
|
||||
# Run Helm
|
||||
$ helm install --name vault ./
|
||||
$ helm install vault ./
|
||||
...
|
||||
```
|
||||
|
||||
|
@ -109,11 +109,11 @@ the [`ui.service` chart values](/docs/platform/k8s/helm#v-ui).
|
|||
|
||||
To upgrade Vault on Kubernetes, we follow the same pattern as
|
||||
[generally upgrading Vault](/docs/upgrading), except we can use
|
||||
the Helm chart to update the Vault server Statefulset. It is important to understand
|
||||
the Helm chart to update the Vault server StatefulSet. It is important to understand
|
||||
how to [generally upgrade Vault](/docs/upgrading) before reading this
|
||||
section.
|
||||
|
||||
The Vault Statefulset uses `OnDelete` update strategy. It is critical to use `OnDelete` instead
|
||||
The Vault StatefulSet uses `OnDelete` update strategy. It is critical to use `OnDelete` instead
|
||||
of `RollingUpdate` because standbys must be updated before the active primary. A
|
||||
failover to an older version of Vault must always be avoided.
|
||||
|
||||
|
@ -149,7 +149,7 @@ $ helm upgrade vault ./
|
|||
This should cause no changes (although the resource will be updated). If
|
||||
everything is stable, `helm upgrade` can be run.
|
||||
|
||||
The `helm upgrade` command should have updated the Statefulset template for
|
||||
The `helm upgrade` command should have updated the StatefulSet template for
|
||||
the Vault servers, however, no pods have been deleted. The pods must be manually
|
||||
deleted to upgrade. Deleting the pods will not delete any persisted data.
|
||||
|
||||
|
@ -161,7 +161,7 @@ $ kubectl delete pod <name of Vault pod>
|
|||
```
|
||||
|
||||
If Vault is deployed using `ha` mode, the standby pods must be upgraded first.
|
||||
To identify which pod is currently the active primary, run the following commad
|
||||
To identify which pod is currently the active primary, run the following command
|
||||
on each Vault pod:
|
||||
|
||||
```bash
|
||||
|
@ -232,7 +232,7 @@ Finally, mount this secret as an extra volume and add an additional `-config` fl
|
|||
to the Vault startup command:
|
||||
|
||||
```bash
|
||||
helm install --name=vault \
|
||||
helm install vault \
|
||||
--set='server.extraVolumes[0].type=secret' \
|
||||
--set='server.extraVolumes[0].name=vault-storage-config' \
|
||||
--set='server.extraArgs=-config=/vault/userconfig/vault-storage-config/config.hcl' .
|
||||
|
|
|
@ -20,9 +20,9 @@ upgrade the installation using `helm upgrade` for existing installs or
|
|||
To install a new instance of Vault and the Vault Agent Injector, run the following:
|
||||
|
||||
```bash
|
||||
helm install --name=vault \
|
||||
helm install vault \
|
||||
--set="injector.enabled=true" \
|
||||
https://github.com/hashicorp/vault-helm/archive/v0.3.3.tar.gz
|
||||
https://github.com/hashicorp/vault-helm/archive/v0.4.0.tar.gz
|
||||
```
|
||||
|
||||
Other values in the Helm chart can be used to limit the namespaces the injector
|
||||
|
@ -40,7 +40,7 @@ the Vault Agent Injector supports two TLS options:
|
|||
|
||||
By default, the Vault Agent Injector will bootstrap TLS by generating a certificate
|
||||
authority and creating a certificate/key to be used by the controller. If using
|
||||
Vault Helm, the chart will automatically create the neccessary DNS entries for the
|
||||
Vault Helm, the chart will automatically create the necessary DNS entries for the
|
||||
controller's service used to verify the certificate.
|
||||
|
||||
### Manual TLS
|
||||
|
|
Loading…
Reference in a new issue