docs: vault-helm 0.4.0 updates (#8318)

Updated docs for vault-helm 0.4.0 configuration changes, and helm 3
support (dropping helm 2). Also some spelling changes, and shortened
page titles for the k8s helm examples.
Theron Voran 2020-02-21 12:10:38 -08:00 committed by GitHub
parent 24ae59b317
commit 17efdd6336
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 39 additions and 39 deletions

@ -7,10 +7,10 @@ description: This section documents configuration options for the Vault Helm cha
# Configuration
~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
~> **Important Note:** This chart is not compatible with Helm 2. Please use Helm 3 with this chart.
The chart is highly customizable using
[Helm configuration values](https://docs.helm.sh/using_helm/#customizing-the-chart-before-installing).
[Helm configuration values](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing).
Each value has a default tuned for an optimal getting started experience
with Vault. Before going into production, please review the parameters below
and consider if they're appropriate for your deployment.
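Review bot: The rewritten note at the top of the Configuration page now tells every reader that the chart is incompatible with Helm 2, without saying from which chart version that holds. The commit targets vault-helm 0.4.0, so someone still running v0.3.3 (the tag the install instructions used until this change) gets the opposite of the right advice. Suggest wording such as `This chart is not compatible with Helm 2 as of v0.4.0. Please use Helm 3 with this chart.`, and the same for the identical note on the other pages touched here.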
@ -29,6 +29,8 @@ and consider if they're appropriate for your deployment.
- `enabled` (`boolean: true`) - When set to `true`, the Vault Agent Injector Admission Webhook controller will be created.
- `externalVaultAddr` (`string: ""`) - External vault server address for the injector to use. Setting this will disable deployment of the vault server, and only deploy the injector.
- `image` - Values that configure the Vault Agent Injector Docker image.
- `repository` (`string: "hashicorp/vault-k8s"`) - The name of the Docker image for Vault Agent Injector.
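Review bot: The new `externalVaultAddr` entry does not say what form the address takes (whether the scheme and port are part of the value), and it writes "vault server" in lower case where the rest of the page uses "Vault". Since the injector will be talking to a server outside this release, an example value with an `https://` scheme would make the expected transport clear. It is also worth stating which `server.*` values are ignored once this is set, because the entry says server deployment is disabled.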
@ -84,6 +86,8 @@ and consider if they're appropriate for your deployment.
- `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists.
- `updateStrategyType` (`string: "OnDelete"`) - Configure the [Update Strategy Type](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies) for the StatefulSet.
- `resources` (`string: null`) - The resource requests and limits (CPU, memory, etc.) for each of the server. This should be a multi-line string mapping directly to a Kubernetes [ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#resourcerequirements-v1-core) object. If this isn't specified, then the pods won't request any specific amount of resources. **Setting this is highly recommended.**
```yaml
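Review bot: The `updateStrategyType` entry documents the default `OnDelete` and links to the Kubernetes page, but gives no hint that changing it is risky for Vault. The upgrade guide touched later in this commit says it is critical to use `OnDelete` instead of `RollingUpdate` because standbys must be updated before the active primary. Now that the strategy is a chart value, that warning (or a link to it) belongs in this description, and the guide's sentence "The Vault StatefulSet uses `OnDelete` update strategy" should say "by default".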
@ -141,7 +145,7 @@ and consider if they're appropriate for your deployment.
- `enabled` (`boolean: true`) - When set to `true`, a readiness probe will be applied to the Vault pods.
- `path` (`string: ""`) - When set to a value, enables HTTP/HTTPS probes instead of using the default `exec` probe. The http/https scheme is controled by the `tlsDisable` value.
- `path` (`string: ""`) - When set to a value, enables HTTP/HTTPS probes instead of using the default `exec` probe. The http/https scheme is controlled by the `tlsDisable` value.
```yaml
readinessProbe:
@ -153,7 +157,7 @@ and consider if they're appropriate for your deployment.
- `enabled` (`boolean: false`) - When set to `true`, a liveliness probe will be applied to the Vault pods.
- `path` (`string: "/v1/sys/health?standbyok=true"`) - When set to a value, enables HTTP/HTTPS probes instead of using the default `exec` probe. The http/https scheme is controled by the `tlsDisable` value.
- `path` (`string: "/v1/sys/health?standbyok=true"`) - When set to a value, enables HTTP/HTTPS probes instead of using the default `exec` probe. The http/https scheme is controlled by the `tlsDisable` value.
- `initialDelaySeconds` (`int: 60`) - Sets the initial delay of the liveliness probe when the container starts.
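Review bot: The spelling fix on the `path` line leaves "liveliness probe" in the `enabled` and `initialDelaySeconds` lines around it. The Kubernetes term is "liveness probe", which is what readers will search for, so it is worth correcting in the same pass.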
@ -164,6 +168,8 @@ and consider if they're appropriate for your deployment.
initialDelaySeconds: 60
```
- `preStopSleepSeconds` (`int: 5`) - Used to set the sleep time during the preStop step.
- `extraContainers` (`array: []`) - The extra containers to be applied to the Vault server pods.
```yaml
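Review bot: The `preStopSleepSeconds` description only restates the name ("Used to set the sleep time during the preStop step"). Say what the sleep is waiting for and when an operator would raise or lower the default of 5, otherwise nobody can judge whether 5 seconds suits their cluster.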
@ -173,14 +179,6 @@ and consider if they're appropriate for your deployment.
env: ...
```
```yaml
# Extra Environment Variables are defined as key/value strings.
extraEnvironmentVars:
GOOGLE_REGION: global
GOOGLE_PROJECT: myproject
GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/myproject/myproject-creds.json
```
- `extraEnvironmentVars` - The extra environment variables to be applied to the Vault server. This should be a multi-line key/value string.
```yaml
@ -191,6 +189,8 @@ and consider if they're appropriate for your deployment.
GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/myproject/myproject-creds.json
```
- `shareProcessNamespace` (`boolean: false`) - Enables process namespace sharing between Vault and the extraContainers. This is useful if Vault must be signaled, e.g. to send a SIGHUP for log rotation.
- `extraArgs` (`string: null`) - The extra arguments to be applied to the Vault server startup command.
```yaml
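Review bot: The `shareProcessNamespace` entry presents the option only as a convenience for signalling Vault and leaves out the security trade-off. With a shared process namespace, every container listed in `extraContainers` can see the Vault process and its `/proc` entries, and container filesystems become reachable through `/proc/<pid>/root`, protected only by filesystem permissions. For a pod holding secrets, that deserves a sentence next to the SIGHUP example advising that the value stay `false` unless a sidecar needs it, and that any sidecar added with it enabled be held to the same trust level as Vault itself.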
@ -397,7 +397,7 @@ and consider if they're appropriate for your deployment.
The number of pods to deploy to create a highly available cluster of Vault servers.
- `updatePartition` (`int: 0`) -
If an updatePartition is specified, all Pods with an ordinal that is greater than or equal to the partition will be updated when the StatefulSets `.spec.template` is updated. If set to `0`, this disables parition updates. For more information see the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#rolling-updates).
If an updatePartition is specified, all Pods with an ordinal that is greater than or equal to the partition will be updated when the StatefulSets `.spec.template` is updated. If set to `0`, this disables partition updates. For more information see the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#rolling-updates).
- `config` (`string: "{}"`) -
A raw string of extra HCL or JSON [configuration](/docs/configuration) for Vault servers.
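Review bot: The corrected `updatePartition` paragraph describes partitioned updates and links to the rolling-updates section of the Kubernetes docs, while `updateStrategyType`, added earlier in this file, defaults to `OnDelete`. The text should say how the two values interact, in particular whether `updatePartition` has any effect under the default strategy. Small fix while here: "StatefulSets `.spec.template`" wants a possessive, "StatefulSet's".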

@ -2,14 +2,14 @@
layout: "docs"
page_title: "Highly Available Vault Cluster with Consul"
sidebar_current: "docs-platform-k8s-examples-ha-with-consul"
sidebar_title: "Highly Available Vault Cluster with Consul"
sidebar_title: "Highly Available Cluster with Consul"
description: |-
Describes how to set up a highly available Vault cluster with Consul backend
---
# Highly Available Vault Cluster with Consul
~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
~> **Important Note:** This chart is not compatible with Helm 2. Please use Helm 3 with this chart.
The below `values.yaml` can be used to set up a five server Vault cluster using
Consul as a highly available storage backend, Google Cloud KMS for Auto Unseal.
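Review bot: The commit message says page titles were shortened, but in this front matter only `sidebar_title` changes; `page_title` and the `#` heading keep the long form. If that split is intended, the message should say "sidebar titles". If not, `page_title` needs the same edit here and on the other example pages.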

@ -9,7 +9,7 @@ description: |-
# Helm Chart Examples
~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
~> **Important Note:** This chart is not compatible with Helm 2. Please use Helm 3 with this chart.
These are a collection of examples of common configurations for Vault using the Helm chart.

@ -9,7 +9,7 @@ description: |-
# Bootstrapping Kubernetes Auth Method
~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
~> **Important Note:** This chart is not compatible with Helm 2. Please use Helm 3 with this chart.
In this example, we will walk through how to set up the [Kubernetes Auth Method](/docs/auth/kubernetes.html).

@ -2,14 +2,14 @@
layout: "docs"
page_title: "Standalone Server with Audit Storage"
sidebar_current: "docs-platform-k8s-examples-standalone-audit"
sidebar_title: "Standalone Server with Audit Storage"
sidebar_title: "Standalone with Audit Storage"
description: |-
Describes how to set up a standalone Vault with audit storage
---
# Standalone Server with Audit Storage
~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
~> **Important Note:** This chart is not compatible with Helm 2. Please use Helm 3 with this chart.
The below `values.yaml` can be used to set up a single server Vault cluster with
auditing enabled.

@ -2,14 +2,14 @@
layout: "docs"
page_title: "Standalone Server with Load Balanced UI"
sidebar_current: "docs-platform-k8s-examples-standalone-load-balanced-ui"
sidebar_title: "Standalone Server with Load Balanced UI"
sidebar_title: "Standalone with Load Balanced UI"
description: |-
Describes how to set up a standalone Vault with a load balanced UI
---
# Standalone Server with Load Balanced UI
~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
~> **Important Note:** This chart is not compatible with Helm 2. Please use Helm 3 with this chart.
The below `values.yaml` can be used to set up a single server Vault cluster with a LoadBalancer to allow external access to the UI and API.

@ -2,14 +2,14 @@
layout: "docs"
page_title: "Standalone Server with TLS"
sidebar_current: "docs-platform-k8s-examples-standalone-tls"
sidebar_title: "Standalone Server with TLS"
sidebar_title: "Standalone with TLS"
description: |-
Describes how to set up a standalone Vault with TLS certificate
---
# Standalone Server with TLS
~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
~> **Important Note:** This chart is not compatible with Helm 2. Please use Helm 3 with this chart.
This example can be used to set up a single server Vault cluster using TLS.

@ -9,7 +9,7 @@ description: >-
# Helm Chart
~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
~> **Important Note:** This chart is not compatible with Helm 2. Please use Helm 3 with this chart.
The [Vault Helm chart](https://github.com/hashicorp/vault-helm)
is the recommended way to install and configure Vault on Kubernetes.
@ -17,7 +17,7 @@ In addition to running Vault itself, the Helm chart is the primary
method for installing and configuring Vault to integrate with other
services such as Consul for High Availability deployments.
This page assumes general knowledge of [Helm](https://v2.helm.sh/) and
This page assumes general knowledge of [Helm](https://helm.sh/) and
how to use it. Using Helm to install Vault will require that Helm is
properly installed and configured with your Kubernetes cluster.
@ -54,8 +54,8 @@ $ git clone https://github.com/hashicorp/vault-helm.git
$ cd vault-helm
# Checkout a tagged version
$ git checkout v0.3.3
$ git checkout v0.4.0
# Run Helm
$ helm install --dry-run ./
$ helm install vault ./
```
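Review bot: The last command in this block changes from `helm install --dry-run ./` to `helm install vault ./`, so the step stops being a preview and becomes a real install. If only the Helm 3 release-name syntax was meant to change, keep the flag: `helm install vault --dry-run ./`. If the real install is intended, the `# Run Helm` comment should say so, because a reader following the old text expected nothing to be created in the cluster at this point.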

@ -4,7 +4,7 @@ page_title: Running Vault - Kubernetes
sidebar_title: Running Vault
description: >-
Vault can run directly on Kubernetes in various configurations. For
pure-Kubernetes worloads, this enables Vault to also exist purely within
pure-Kubernetes workloads, this enables Vault to also exist purely within
Kubernetes.
---
@ -19,7 +19,7 @@ This page starts with a large how-to section for various specific tasks.
!> **IMPORTANT NOTE:** Vault Enterprise is currently not supported. We are actively
working a version for Vault Enterprise and it will be available in the future.
~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
~> **Important Note:** This chart is not compatible with Helm 2. Please use Helm 3 with this chart.
## Helm Chart
@ -63,10 +63,10 @@ $ git clone https://github.com/hashicorp/vault-helm.git
$ cd vault-helm
# Checkout a tagged version
$ git checkout v0.3.3
$ git checkout v0.4.0
# Run Helm
$ helm install --name vault ./
$ helm install vault ./
...
```
@ -109,11 +109,11 @@ the [`ui.service` chart values](/docs/platform/k8s/helm#v-ui).
To upgrade Vault on Kubernetes, we follow the same pattern as
[generally upgrading Vault](/docs/upgrading), except we can use
the Helm chart to update the Vault server Statefulset. It is important to understand
the Helm chart to update the Vault server StatefulSet. It is important to understand
how to [generally upgrade Vault](/docs/upgrading) before reading this
section.
The Vault Statefulset uses `OnDelete` update strategy. It is critical to use `OnDelete` instead
The Vault StatefulSet uses `OnDelete` update strategy. It is critical to use `OnDelete` instead
of `RollingUpdate` because standbys must be updated before the active primary. A
failover to an older version of Vault must always be avoided.
@ -149,7 +149,7 @@ $ helm upgrade vault ./
This should cause no changes (although the resource will be updated). If
everything is stable, `helm upgrade` can be run.
The `helm upgrade` command should have updated the Statefulset template for
The `helm upgrade` command should have updated the StatefulSet template for
the Vault servers, however, no pods have been deleted. The pods must be manually
deleted to upgrade. Deleting the pods will not delete any persisted data.
@ -161,7 +161,7 @@ $ kubectl delete pod <name of Vault pod>
```
If Vault is deployed using `ha` mode, the standby pods must be upgraded first.
To identify which pod is currently the active primary, run the following commad
To identify which pod is currently the active primary, run the following command
on each Vault pod:
```bash
@ -232,7 +232,7 @@ Finally, mount this secret as an extra volume and add an additional `-config` fl
to the Vault startup command:
```bash
helm install --name=vault \
helm install vault \
--set='server.extraVolumes[0].type=secret' \
--set='server.extraVolumes[0].name=vault-storage-config' \
--set='server.extraArgs=-config=/vault/userconfig/vault-storage-config/config.hcl' .

@ -20,9 +20,9 @@ upgrade the installation using `helm upgrade` for existing installs or
To install a new instance of Vault and the Vault Agent Injector, run the following:
```bash
helm install --name=vault \
helm install vault \
--set="injector.enabled=true" \
https://github.com/hashicorp/vault-helm/archive/v0.3.3.tar.gz
https://github.com/hashicorp/vault-helm/archive/v0.4.0.tar.gz
```
Other values in the Helm chart can be used to limit the namespaces the injector
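Review bot: The chart version is now hardcoded as `v0.4.0` in this archive URL and in the `git checkout` lines on two other pages, so every release needs the same three-place edit, and a missed one leaves readers installing an older chart than the docs describe. Consider a sentence next to the command saying the tag must match the chart version documented here, so a stale value is at least recognisable as such.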
@ -40,7 +40,7 @@ the Vault Agent Injector supports two TLS options:
By default, the Vault Agent Injector will bootstrap TLS by generating a certificate
authority and creating a certificate/key to be used by the controller. If using
Vault Helm, the chart will automatically create the neccessary DNS entries for the
Vault Helm, the chart will automatically create the necessary DNS entries for the
controller's service used to verify the certificate.
### Manual TLS