From 2c11121c194470790e3aaf3bace362cc45758b00 Mon Sep 17 00:00:00 2001 From: Christopher Swenson Date: Thu, 8 Sep 2022 15:30:32 -0700 Subject: [PATCH] Update docs for helm 0.22.0 (#17072) Update docs for helm 0.22.0 Including Prometheus Operator support. Co-authored-by: Theron Voran --- .../service-registration/kubernetes.mdx | 2 +- .../docs/platform/k8s/helm/configuration.mdx | 84 ++++++++++++++++++- .../docs/platform/k8s/helm/enterprise.mdx | 2 +- .../helm/examples/enterprise-dr-with-raft.mdx | 4 +- .../examples/enterprise-perf-with-raft.mdx | 4 +- .../helm/examples/enterprise-with-raft.mdx | 2 +- .../content/docs/platform/k8s/helm/run.mdx | 6 +- website/content/partials/helm/install.mdx | 5 +- website/content/partials/helm/repo.mdx | 2 +- 9 files changed, 95 insertions(+), 16 deletions(-) diff --git a/website/content/docs/configuration/service-registration/kubernetes.mdx b/website/content/docs/configuration/service-registration/kubernetes.mdx index 9296b84dc..74f63257c 100644 --- a/website/content/docs/configuration/service-registration/kubernetes.mdx +++ b/website/content/docs/configuration/service-registration/kubernetes.mdx @@ -156,7 +156,7 @@ $ vault write -f sys/replication/performance/primary/enable \ In conjunction with the pod labels and the `OnDelete` upgrade strategy, upgrades are much easier to orchestrate: ```shell-session -$ helm upgrade vault --set='server.image.tag=1.11.2' +$ helm upgrade vault --set='server.image.tag=1.11.3' $ kubectl delete pod --selector=vault-active=false \ --selector=vault-version=1.2.3 diff --git a/website/content/docs/platform/k8s/helm/configuration.mdx b/website/content/docs/platform/k8s/helm/configuration.mdx index 6909206cf..17dd53841 100644 --- a/website/content/docs/platform/k8s/helm/configuration.mdx +++ b/website/content/docs/platform/k8s/helm/configuration.mdx 
@@ -55,6 +55,11 @@ and consider if they're appropriate for your deployment. seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default ``` + - `serverTelemetry` - Values that configure metrics and telemetry + + - `prometheusOperator` (`boolean: false`) - When set to `true`, enables integration with the + Prometheus Operator. Be sure to configure the top-level [`serverTelemetry`](/docs/platform/k8s/helm/configuration#servertelemetry-1) section for more details + and required configuration values. - `injector` - Values that configure running a Vault Agent Injector Admission Webhook Controller within Kubernetes. @@ -72,7 +77,7 @@ and consider if they're appropriate for your deployment. - `repository` (`string: "hashicorp/vault-k8s"`) - The name of the Docker image for Vault Agent Injector. - - `tag` (`string: "0.17.0"`) - The tag of the Docker image for the Vault Agent Injector. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller. + - `tag` (`string: "1.0.0"`) - The tag of the Docker image for the Vault Agent Injector. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller. - `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists. 
@@ -80,7 +85,7 @@ and consider if they're appropriate for your deployment. - `repository` (`string: "hashicorp/vault"`) - The name of the Docker image for the Vault Agent sidecar. This should be set to the official Vault Docker image. - - `tag` (`string: "1.11.2"`) - The tag of the Vault Docker image to use for the Vault Agent Sidecar. **Vault 1.3.1+ is required by the admission controller**. + - `tag` (`string: "1.11.3"`) - The tag of the Vault Docker image to use for the Vault Agent Sidecar. **Vault 1.3.1+ is required by the admission controller**. - `agentDefaults` - Values that configure the injected Vault Agent containers default values. @@ -304,7 +309,7 @@ and consider if they're appropriate for your deployment. - `repository` (`string: "hashicorp/vault"`) - The name of the Docker image for the containers running Vault. - - `tag` (`string: "1.11.2"`) - The tag of the Docker image for the containers running Vault. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller. + - `tag` (`string: "1.11.3"`) - The tag of the Docker image for the containers running Vault. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller. - `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists. 
@@ -1077,3 +1082,76 @@ and consider if they're appropriate for your deployment. - `debug` (`bool: false`) - When set to true, enables debug logging on the Vault CSI Provider daemonset. - `extraArgs` (`string: array`) - The extra arguments to be applied to the CSI pod startup command. See [here](/docs/platform/k8s/csi/configurations#command-line-arguments) for available flags. + +- `serverTelemetry` - Values the configure metrics and telemetry. Enabling these features requires setting + the `telemetry {}` stanza in the Vault configuration. See the [telemetry](/docs/configuration/telemetry) + [docs](/docs/internals/telemetry) for more on the Vault configuration. + + Currently, this chart does not support authenticating to Vault's metrics endpoint, so the following `telemetry {}` block must be included in the `listener "tcp" {}` stanza of the Vault configuration: + + ```yaml + listener "tcp" { + tls_disable = 1 + address = "0.0.0.0:8200" + + telemetry { + unauthenticated_metrics_access = "true" + } + } + ``` + + In addition, a top level `telemetry {}` stanza must also be included in the Vault configuration, such as: + + ```yaml + telemetry { + prometheus_retention_time = "30s", + disable_hostname = true + } + ``` + + - `serviceMonitor` - Values that configure monitoring the Vault server + + - `enabled` (`boolean: false`) - When set to `true`, enable deployment of the Vault Server + ServiceMonitor CustomResource. The Prometheus operator *must* be installed before enabling this + feature. If not, the chart will fail to install due to missing CustomResourceDefinitions provided by + the operator. + + Instructions on how to install the Helm chart can be found [here](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack). 
+ + More information can be found here in the + [these](https://github.com/prometheus-operator/prometheus-operator) + [repositories](https://github.com/prometheus-operator/kube-prometheus) + + - `selectors` (`dictionary: {}`) - Selector labels to add to the ServiceMonitor. + + - `interval` (`string: "30s"`) - Interval at which Prometheus scrapes metrics. + + - `scrapeTimeout` (`string: "10s"`) - Timeout for Prometheus scrapes. + + - `prometheusRules` - Values that configure Prometheus rules. + + - `enabled` (`boolean: false`) - Deploy the PrometheusRule custom resource for AlertManager-based + alerts. Requires that AlertManager is properly deployed. + + - `selectors` (`dictionary: {}`) - Selector labels to add to the Prometheus rules. + + - `rules`: (`dictionary: {}`) - Prometheus rules to create. + + For example: + ```yaml + rules: + - alert: vault-HighResponseTime + annotations: + message: The response time of Vault is over 500ms on average over the last 5 minutes. + expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500 + for: 5m + labels: + severity: warning + - alert: vault-HighResponseTime + annotations: + message: The response time of Vault is over 1s on average over the last 5 minutes. + expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000 + for: 5m + labels: + severity: critical + ``` diff --git a/website/content/docs/platform/k8s/helm/enterprise.mdx b/website/content/docs/platform/k8s/helm/enterprise.mdx index dc2c0f08f..aa28e6e49 100644 --- a/website/content/docs/platform/k8s/helm/enterprise.mdx +++ b/website/content/docs/platform/k8s/helm/enterprise.mdx @@ -33,7 +33,7 @@ In your chart overrides, set the values of [`server.image`](/docs/platform/k8s/h server: image: repository: hashicorp/vault-enterprise - tag: 1.11.2-ent + tag: 1.11.3-ent enterpriseLicense: secretName: vault-ent-license ``` 
diff --git a/website/content/docs/platform/k8s/helm/examples/enterprise-dr-with-raft.mdx b/website/content/docs/platform/k8s/helm/examples/enterprise-dr-with-raft.mdx index f336a3cfd..71adb4a9b 100644 --- a/website/content/docs/platform/k8s/helm/examples/enterprise-dr-with-raft.mdx +++ b/website/content/docs/platform/k8s/helm/examples/enterprise-dr-with-raft.mdx @@ -23,7 +23,7 @@ First, create the primary cluster: ```shell helm install vault-primary hashicorp/vault \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.11.2-ent' \ + --set='server.image.tag=1.11.3-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' ``` @@ -75,7 +75,7 @@ disaster recovery replication. ```shell helm install vault-secondary hashicorp/vault \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.11.2-ent' \ + --set='server.image.tag=1.11.3-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' ``` diff --git a/website/content/docs/platform/k8s/helm/examples/enterprise-perf-with-raft.mdx b/website/content/docs/platform/k8s/helm/examples/enterprise-perf-with-raft.mdx index 23eb4463d..03aa3226d 100644 --- a/website/content/docs/platform/k8s/helm/examples/enterprise-perf-with-raft.mdx +++ b/website/content/docs/platform/k8s/helm/examples/enterprise-perf-with-raft.mdx @@ -23,7 +23,7 @@ First, create the primary cluster: ```shell helm install vault-primary hashicorp/vault \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.11.2-ent' \ + --set='server.image.tag=1.11.3-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' ``` 
@@ -74,7 +74,7 @@ With the primary cluster created, next create a secondary cluster. ```shell helm install vault-secondary hashicorp/vault \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.11.2-ent' \ + --set='server.image.tag=1.11.3-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' ``` diff --git a/website/content/docs/platform/k8s/helm/examples/enterprise-with-raft.mdx b/website/content/docs/platform/k8s/helm/examples/enterprise-with-raft.mdx index 3a335bfdd..65c00dd81 100644 --- a/website/content/docs/platform/k8s/helm/examples/enterprise-with-raft.mdx +++ b/website/content/docs/platform/k8s/helm/examples/enterprise-with-raft.mdx @@ -15,7 +15,7 @@ Integrated Storage (raft) can be enabled using the `server.ha.raft.enabled` valu ```shell helm install vault hashicorp/vault \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.11.2-ent' \ + --set='server.image.tag=1.11.3-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' ``` diff --git a/website/content/docs/platform/k8s/helm/run.mdx b/website/content/docs/platform/k8s/helm/run.mdx index 30ca9ae5a..30e2f8704 100644 --- a/website/content/docs/platform/k8s/helm/run.mdx +++ b/website/content/docs/platform/k8s/helm/run.mdx @@ -409,14 +409,14 @@ Next, list the Helm versions and choose the desired version to install. ```bash $ helm search repo hashicorp/vault NAME CHART VERSION APP VERSION DESCRIPTION -hashicorp/vault 0.21.0 1.11.2 Official HashiCorp Vault Chart +hashicorp/vault 0.22.0 1.11.3 Official HashiCorp Vault Chart ``` Next, test the upgrade with `--dry-run` first to verify the changes sent to the Kubernetes cluster. ```shell-session -$ helm upgrade vault hashicorp/vault --version=0.21.0 \ +$ helm upgrade vault hashicorp/vault --version=0.22.0 \ --set='server.image.repository=vault' \ --set='server.image.tag=123.456' \ --dry-run 
@@ -438,7 +438,7 @@ $ kubectl delete pod If Vault is deployed using `ha` mode, the standby pods must be upgraded first. Vault has K8s service discovery built in (when enabled in the server configuration) and -will automatically change the labels of the pod with its current leader status. These labels +will automatically change the labels of the pod with its current leader status. These labels can be used to filter the pods. For example, select all pods that are Vault standbys: diff --git a/website/content/partials/helm/install.mdx b/website/content/partials/helm/install.mdx index eb172c063..2c5c843da 100644 --- a/website/content/partials/helm/install.mdx +++ b/website/content/partials/helm/install.mdx @@ -2,6 +2,7 @@ # List the available releases $ helm search repo hashicorp/vault -l NAME CHART VERSION APP VERSION DESCRIPTION +hashicorp/vault 0.22.0 1.11.3 Official HashiCorp Vault Chart hashicorp/vault 0.21.0 1.11.2 Official HashiCorp Vault Chart hashicorp/vault 0.20.1 1.10.3 Official HashiCorp Vault Chart hashicorp/vault 0.20.0 1.10.3 Official HashiCorp Vault Chart @@ -10,6 +11,6 @@ hashicorp/vault 0.18.0 1.9.0 Official HashiCorp Vault Chart hashicorp/vault 0.17.1 1.8.4 Official HashiCorp Vault Chart ... -# Install version 0.21.0 -$ helm install vault hashicorp/vault --version 0.21.0 +# Install version 0.22.0 +$ helm install vault hashicorp/vault --version 0.22.0 ``` diff --git a/website/content/partials/helm/repo.mdx b/website/content/partials/helm/repo.mdx index 97fd3e274..ca941ed4b 100644 --- a/website/content/partials/helm/repo.mdx +++ b/website/content/partials/helm/repo.mdx @@ -4,5 +4,5 @@ $ helm repo add hashicorp https://helm.releases.hashicorp.com $ helm search repo hashicorp/vault NAME CHART VERSION APP VERSION DESCRIPTION -hashicorp/vault 0.21.0 1.11.2 Official HashiCorp Vault Chart +hashicorp/vault 0.22.0 1.11.3 Official HashiCorp Vault Chart ```
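Review bot: In the kubernetes.mdx @@ -156 hunk, the unchanged context under the bumped `helm upgrade` line passes `--selector` twice: `$ kubectl delete pod --selector=vault-active=false \` followed by `--selector=vault-version=1.2.3`. kubectl reads `--selector` as a single string flag, so the second occurrence replaces the first and the `vault-active=false` guard is dropped, which would also delete the active pod. Suggest a single combined selector, `--selector='vault-active=false,vault-version=1.2.3'`, and, since this hunk is already touching the example, aligning the `vault-version` value with the tag convention used on the line above rather than the stale `1.2.3`.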
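Review bot: The new `prometheusOperator` bullet in the configuration.mdx @@ -55 hunk runs two instructions into one sentence: "Be sure to configure the top-level [`serverTelemetry`](...) section for more details and required configuration values." Suggest splitting it: "Be sure to also configure the top-level `serverTelemetry` section. See [`serverTelemetry`](/docs/platform/k8s/helm/configuration#servertelemetry-1) for details and the required values." It would also help to say which top-level key this nested `serverTelemetry` belongs to, since the surrounding context only shows the preceding annotations block.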
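Review bot: The listener example in the configuration.mdx @@ -1077 hunk pairs `tls_disable = 1` with `unauthenticated_metrics_access = "true"` without saying what that opens up; suggest stating that with this setting anything that can reach the listener can read `/v1/sys/metrics`, that `tls_disable` is not required for the metrics integration and should not be copied from the example, and that operators should restrict reachability (network policy or a dedicated listener) until the chart supports authenticated scraping. Smaller points in the same hunk: "Values the configure metrics and telemetry" should read "Values that configure"; both configuration snippets are HCL but fenced as `yaml` (the rest of the Vault docs use `hcl`); `prometheus_retention_time = "30s",` carries a trailing comma that the other stanzas in the docs do not use; "More information can be found here in the [these] [repositories]" is garbled; `- \`rules\`: (\`dictionary: {}\`)` has a stray colon the sibling entries lack; and in the alert example both rules share the name `vault-HighResponseTime` while their `message` says "on average" even though `quantile="0.5"` selects the median, so either rename the second alert and say "median", or switch the expression to a rate-based average.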
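Review bot: The enterprise.mdx @@ -33 hunk and the four example files below it each hard-code the same `tag: 1.11.3-ent` / `--set='server.image.tag=1.11.3-ent'` string, which is why this bump touches six files. The patch already relies on `website/content/partials/helm/install.mdx` and `repo.mdx` for the chart version; consider adding a similar partial (or a single documented variable) for the enterprise image tag so future releases change it in one place and the examples cannot drift apart.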