Update Kubernetes docs to include Kubernetes Auth method (#8046)

* Improve standalone with TLS example

- Documented creating a key & cert for serving Vault endpoints
- Removed unneeded configuration in custom values.yaml
- Updated examples to 1.3.0

* Add 127.0.0.1 to CSR

* Grammar & minor formatting

* Add additional DNS entry for CSR

* Split examples into individual pages

* Add Kubernetes Auth Method example

* Remove old examples file

* Fix rebase fail

* Remove global section of yaml files that aren't needed

* Fix minor typos

* Fix typos that didn't get carried over from previous PR

* Re-copy from previous examples file to resolve rebase issues

* update dependencies

Co-authored-by: Jeff Escalante <jescalan@users.noreply.github.com>
This commit is contained in:
Michael Golowka 2020-01-23 13:14:01 -07:00 committed by GitHub
parent 25d83349e0
commit 8a8f9029d6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 250 additions and 167 deletions

View File

@ -314,7 +314,20 @@ export default [
content: [
{
category: 'helm',
content: ['run', 'configuration', 'examples']
content: [
'run',
'configuration',
{
category: 'examples',
content: [
'standalone-load-balanced-ui',
'standalone-tls',
'standalone-audit',
'ha-with-consul',
'kubernetes-auth'
]
},
],
},
{
category: 'injector',
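Review bot: Replacing the flat `'examples'` entry with a `category: 'examples'` object turns what was a single page into an index plus five child pages, so any existing links to the old examples page will break unless the old path still resolves to the new index; confirm that the index file lands at the path the old `'examples'` entry pointed to, or add a redirect for it.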

View File

@ -0,0 +1,65 @@
---
layout: "docs"
page_title: "Highly Available Vault Cluster with Consul"
sidebar_current: "docs-platform-k8s-examples-ha-with-consul"
sidebar_title: "Highly Available Vault Cluster with Consul"
description: |-
Describes how to set up a highly available Vault cluster with Consul backend
---
# Highly Available Vault Cluster with Consul
~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
The below `values.yaml` can be used to set up a five server Vault cluster using
Consul as a highly available storage backend, Google Cloud KMS for Auto Unseal.
```yaml
server:
extraEnvironmentVars:
GOOGLE_REGION: global
GOOGLE_PROJECT: myproject
GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/my-gcp-iam/myproject-creds.json
extraVolumes:
- type: secret
name: my-gcp-iam
affinity: |
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app: {{ template "vault.name" . }}
release: "{{ .Release.Name }}"
component: server
topologyKey: kubernetes.io/hostname
service:
enabled: true
ha:
enabled: true
replicas: 5
config: |
ui = true
listener "tcp" {
tls_disable = 1
address = "[::]:8200"
cluster_address = "[::]:8201"
}
storage "consul" {
path = "vault"
address = "HOST_IP:8500"
}
seal "gcpckms" {
project = "myproject"
region = "global"
key_ring = "vault-unseal-kr"
crypto_key = "vault-unseal-key"
}
```
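Review bot: The `listener "tcp"` block in `config:` sets `tls_disable = 1`, so this five-node cluster with a GCP KMS auto-unseal still serves its API, and every client token, in plaintext across the pod network; either say so explicitly ("TLS is disabled for brevity") or point the reader at the sibling "Standalone Server with TLS" example for the listener. Two more gaps in the same block: `address = "HOST_IP:8500"` is never explained, so state what replaces the `HOST_IP` literal at runtime; and `storage "consul"` is given only `path` and `address`, so note that a Consul cluster with ACLs needs a `token` here and a TLS-only Consul HTTP API needs `scheme = "https"`. Finally, the `my-gcp-iam` secret mounted via `extraVolumes` holds a long-lived GCP service-account key; a sentence saying that this key should be scoped to the unseal key ring only would be worth adding.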

View File

@ -0,0 +1,17 @@
---
layout: "docs"
page_title: "Examples"
sidebar_current: "docs-platform-k8s-examples"
sidebar_title: "Examples"
description: |-
This section documents configuration options for the Vault Helm chart
---
# Helm Chart Examples
~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
These are a collection of examples of common configurations for Vault using the Helm chart.
The following are different configuration examples to support a variety of
deployment models. You can view the different examples from the list on the left.
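Review bot: The two sentences after the Helm 3 note say the same thing ("These are a collection of examples of common configurations..." and "The following are different configuration examples..."); keep one, and fix the number agreement in "These are a collection". The `description:` front matter ("This section documents configuration options for the Vault Helm chart") also describes the configuration page rather than this examples index.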

View File

@ -0,0 +1,47 @@
---
layout: "docs"
page_title: "Using Kubernetes Auth Method"
sidebar_current: "docs-platform-k8s-examples-kubernetes-auth"
sidebar_title: "Using Kubernetes Auth Method"
description: |-
Describes how to set up Kubernetes Auth method
---
# Bootstrapping Kubernetes Auth Method
~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
In this example, we will walk through how to set up the [Kubernetes Auth Method](/docs/auth/kubernetes.html).
This assumes the following commands will be run inside a Vault pod running in Kubernetes.
You will optionally need the following variables:
```bash
# JWT is a service account token that has access to the Kubernetes TokenReview API
# You can retrieve this from inside a pod at: /var/run/secrets/kubernetes.io/serviceaccount/token
JWT=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
# Address of Kubernetes itself as viewed from inside a running pod
KUBERNETES_HOST=https://${KUBERNETES_PORT_443_TCP_ADDR}:443
# Kubernetes internal CA
KUBERNETES_CA_CERT=$(cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt)
```
Exec into the Vault pod:
```bash
kubectl exec -it vault-0 /bin/sh
```
Then run the following command to configure the Kubernetes Auth Method:
```bash
vault write auth/kubernetes/config \
token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
```
From here you can continue to configure Vault from the [Kubernetes Auth Method](/docs/auth/kubernetes.html) documentation.
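Review bot: The `vault write auth/kubernetes/config` command fails unless the auth method has been mounted first, and the page never runs `vault auth enable kubernetes`; add that step before the `vault write`, and note that the `vault` CLI inside the pod needs a token (for example from `vault login`) for both commands. Separately, the `JWT`, `KUBERNETES_HOST` and `KUBERNETES_CA_CERT` variables defined in the first block are never used: the `vault write` re-reads the token and CA from disk inline. Either use them (`token_reviewer_jwt="$JWT"`, `kubernetes_host="$KUBERNETES_HOST"`, `kubernetes_ca_cert="$KUBERNETES_CA_CERT"`) or drop the block. Since the comment says the reviewer JWT must have TokenReview access, the page should also say what grants that (a ClusterRoleBinding to `system:auth-delegator` for the Vault service account); without it, logins fail later at the TokenReview call, not at this configuration step. Minor: `kubectl exec -it vault-0 /bin/sh` should use the `--` separator form the other pages use.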

View File

@ -0,0 +1,53 @@
---
layout: "docs"
page_title: "Standalone Server with Audit Storage"
sidebar_current: "docs-platform-k8s-examples-standalone-audit"
sidebar_title: "Standalone Server with Audit Storage"
description: |-
Describes how to set up a standalone Vault with audit storage
---
# Standalone Server with Audit Storage
~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
The below `values.yaml` can be used to set up a single server Vault cluster with
auditing enabled.
```yaml
server:
standalone:
enabled: true
config: |
listener "tcp" {
tls_disable = true
address = "[::]:8200"
cluster_address = "[::]:8201"
}
storage "file" {
path = "/vault/data"
}
service:
enabled: true
dataStorage:
enabled: true
size: 10Gi
storageClass: null
accessMode: ReadWriteOnce
auditStorage:
enabled: true
size: 10Gi
storageClass: null
accessMode: ReadWriteOnce
```
After Vault has been deployed, initialized and unsealed, auditing can be enabled
by running the following command against the Vault pod:
```bash
$ kubectl exec -ti <POD NAME> -- vault audit enable file file_path=/vault/audit/vault_audit.log
```
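Review bot: The `kubectl exec -ti <POD NAME> -- vault audit enable file ...` command needs an authenticated `vault` CLI inside the pod, and right after init and unseal the container has no token; show a `vault login` (or a `VAULT_TOKEN` environment variable) before the audit command and say that the root token is what the reader has at this point. The `file_path=/vault/audit/vault_audit.log` only works because `auditStorage.enabled: true` provides the volume behind `/vault/audit`; state that dependency, since with `auditStorage` disabled the directory does not exist and enabling the device fails. Minor: this page uses `tls_disable = true` while the other examples use `tls_disable = 1`; pick one form across the pages.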

View File

@ -0,0 +1,44 @@
---
layout: "docs"
page_title: "Standalone Server with Load Balanced UI"
sidebar_current: "docs-platform-k8s-examples-standalone-load-balanced-ui"
sidebar_title: "Standalone Server with Load Balanced UI"
description: |-
Describes how to set up a standalone Vault with a load balanced UI
---
# Standalone Server with Load Balanced UI
~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
The below `values.yaml` can be used to set up a single server Vault cluster with a LoadBalancer to allow external access to the UI and API.
```yaml
server:
standalone:
enabled: true
config: |
ui = true
listener "tcp" {
tls_disable = 1
address = "[::]:8200"
cluster_address = "[::]:8201"
}
storage "file" {
path = "/vault/data"
}
service:
enabled: true
dataStorage:
enabled: true
size: 10Gi
storageClass: null
accessMode: ReadWriteOnce
ui:
enabled: true
serviceType: LoadBalancer
```
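Review bot: `ui.serviceType: LoadBalancer` exposes the UI and the API outside the cluster, and the listener in `config:` has `tls_disable = 1`, so tokens and secrets would cross the load balancer in cleartext; add a warning right after the intro sentence (which already says the LoadBalancer allows external access to the UI and API) that this example is for demonstration only, or combine it with the listener from the "Standalone Server with TLS" example.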

View File

@ -1,67 +1,23 @@
---
layout: docs
page_title: Examples
sidebar_title: Examples
description: This section documents configuration options for the Vault Helm chart
layout: "docs"
page_title: "Standalone Server with TLS"
sidebar_current: "docs-platform-k8s-examples-standalone-tls"
sidebar_title: "Standalone Server with TLS"
description: |-
Describes how to set up a standalone Vault with TLS certificate
---
# Helm Chart Examples
# Standalone Server with TLS
~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
The following are different configuration examples to support a variety of
deployment models.
## Standalone Server with Load Balanced UI
The below `values.yaml` can be used to set up a single server Vault cluster with a LoadBalancer to allow external access to the UI and API.
```yaml
global:
enabled: true
server:
image:
repository: 'vault'
tag: '1.3.1'
standalone:
enabled: true
config: |
ui = true
listener "tcp" {
tls_disable = 1
address = "[::]:8200"
cluster_address = "[::]:8201"
}
storage "file" {
path = "/vault/data"
}
service:
enabled: true
dataStorage:
enabled: true
size: 10Gi
storageClass: null
accessMode: ReadWriteOnce
ui:
enabled: true
serviceType: LoadBalancer
```
## Standalone Server with TLS
This example can be used to set up a single server Vault cluster using TLS.
1. Create key & certificate using Kubernetes CA
2. Store key & cert into [Kubernetes secrets store](https://kubernetes.io/docs/concepts/configuration/secret/)
3. Configure helm chart to use Kubernetes secret from step 2
### 1. Create key & certificate using Kubernetes CA
## 1. Create key & certificate using Kubernetes CA
There are three variables that will be used in this example.
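Review bot: The new `description:` reads "a standalone Vault with TLS certificate"; make it "with a TLS certificate". Step 1 relies on `kubectl certificate approve`, which only yields a certificate when the cluster has a signer configured for the CSR; on clusters without one the CSR stays approved but never gets a certificate, so a one-line caveat telling the reader to check the CSR's status for the issued certificate before moving to step 2 would save a confusing failure.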
@ -153,7 +109,7 @@ TMPDIR=/tmp
kubectl certificate approve ${CSR_NAME}
```
### 2. Store key, cert, and Kubernetes CA into Kubernetes secrets store
## 2. Store key, cert, and Kubernetes CA into Kubernetes secrets store
1. Retrieve the certificate.
@ -187,7 +143,7 @@ TMPDIR=/tmp
### 3. Helm Configuration
## 3. Helm Configuration
The below `custom-values.yaml` can be used to set up a single server Vault cluster using TLS.
This assumes that a Kubernetes `secret` exists with the server certificate, key and
@ -224,115 +180,3 @@ server:
path = "/vault/data"
}
```
## Standalone Server with Audit Storage
The below `values.yaml` can be used to set up a single server Vault cluster with
auditing enabled.
```yaml
global:
enabled: true
server:
image:
repository: 'vault'
tag: '1.3.1'
standalone:
enabled: true
config: |
listener "tcp" {
tls_disable = true
address = "[::]:8200"
cluster_address = "[::]:8201"
}
storage "file" {
path = "/vault/data"
}
service:
enabled: true
dataStorage:
enabled: true
size: 10Gi
storageClass: null
accessMode: ReadWriteOnce
auditStorage:
enabled: true
size: 10Gi
storageClass: null
accessMode: ReadWriteOnce
```
After Vault has been deployed, initialized and unsealed, auditing can be enabled
by running the following command against the Vault pod:
```bash
$ kubectl exec -ti <POD NAME> -- vault audit enable file file_path=/vault/audit/vault_audit.log
```
## Highly Available Vault Cluster with Consul
The below `values.yaml` can be used to set up a five server Vault cluster using
Consul as a highly available storage backend, Google Cloud KMS for Auto Unseal.
```yaml
global:
enabled: true
server:
image:
repository: "vault"
tag: "1.3.1"
extraEnvironmentVars:
GOOGLE_REGION: global
GOOGLE_PROJECT: myproject
GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/my-gcp-iam/myproject-creds.json
extraVolumes: []
- type: secret
name: my-gcp-iam
affinity: |
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app: {{ template "vault.name" . }}
release: "{{ .Release.Name }}"
component: server
topologyKey: kubernetes.io/hostname
service:
enabled: true
ha:
enabled: true
replicas: 5
config: |
ui = true
listener "tcp" {
tls_disable = 1
address = "[::]:8200"
cluster_address = "[::]:8201"
}
storage "consul" {
path = "vault"
address = "HOST_IP:8500"
}
seal "gcpckms" {
project = "myproject"
region = "global"
key_ring = "vault-unseal-kr"
crypto_key = "vault-unseal-key"
}
```
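Review bot: The removed blocks pin `image.tag: '1.3.1'` (and the commit message says the examples were updated to 1.3.0), but the new per-example pages carry no `image` block at all, so the chart default applies; say whether dropping the pin is intentional. The removed Consul block also had `extraVolumes: []` immediately followed by a `- type: secret` item, which is invalid YAML; the new page drops the `[]`, which is the right fix, and the same check should be applied to the other moved blocks so the rebase did not carry a stale copy.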