docs: update vault-k8s to 0.9.0 (#11138)

* docs: update vault-k8s to 0.9.0

* Fix typos

* Update website/content/docs/platform/k8s/injector/examples.mdx

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* Update website/content/docs/platform/k8s/injector/annotations.mdx

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* Add links for auto-auth

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
Jason O'Donnell 2021-03-19 11:34:58 -04:00 committed by GitHub
parent 689dd3722f
commit 921979a40f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 78 additions and 11 deletions


@ -29,7 +29,7 @@ them, optional commands to run, etc.
- `vault.hashicorp.com/agent-image` - name of the Vault docker image to use. This
value overrides the default image configured in the controller and is usually
not needed. Defaults to `vault:1.4.2`.
not needed. Defaults to `vault:1.6.3`.
- `vault.hashicorp.com/agent-init-first` - configures the pod to run the Vault Agent
init container first if `true` (last if `false`). This is useful when other init
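Review bot: the default image bump from `vault:1.4.2` to `vault:1.6.3` is described as "the default image configured in the controller", but the text does not say which controller version ships that default; since the commit title ties this to vault-k8s 0.9.0, stating the injector version next to the default (or noting that the default tracks the injector release) would keep readers on older injectors from assuming 1.6.3 is what they are running.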
@ -144,7 +144,10 @@ them, optional commands to run, etc.
(uid 0), the `run-as-same-user` annotation will fail injection with an error.
- `vault.hashicorp.com/agent-cache-enable` - configures Vault Agent to enable
[caching](/docs/agent/caching). Defaults to `false`.
[caching](/docs/agent/caching). In Vault 1.7+ this annotation will also enable
a Vault Agent persistent cache. This persistent cache will be shared between the init
and sidecar container to reuse tokens and leases retrieved by the init container.
Defaults to `false`.
- `vault.hashicorp.com/agent-cache-use-auto-auth-token` - configures Vault Agent cache
to authenticate on behalf of the requester. Set to `force` to enable. Disabled
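Review bot: "In Vault 1.7+" is ambiguous in the added sentence; the persistent cache is a Vault Agent feature, so say whether the requirement is on the agent image set by `vault.hashicorp.com/agent-image` or on the Vault server. The sentence also says the cache "will be shared between the init and sidecar container" without naming the mechanism; because what is shared is the auto-auth token and leases, add a sentence on where the cache lives (a shared volume) and link the agent persistent cache documentation, so operators can judge the exposure of the cached token before enabling it.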
@ -163,9 +166,21 @@ Vault annotations change how the Vault Agent containers communicate with Vault.
example, Vault's address, TLS certificates to use, client parameters such as timeouts,
etc.
- `vault.hashicorp.com/auth-path` - configures the auth path for the Kubernetes
- `vault.hashicorp.com/auth-config` - configures additional parameters for the configured
authentication method. The name of the config is any unique string after
`vault.hashicorp.com/auth-config-`, such as `vault.hashicorp.com/auth-config-role-id-file-path`.
This annotation can be reused multiple times to configure multiple settings for the authentication
method. Some authentication methods may require additional secrets and should be mounted via the
`vault.hashicorp.com/agent-extra-secret` annotation. For a list of valid authentication configurations,
see the Vault Agent [auto-auth documentation](/docs/agent/autoauth/methods).
- `vault.hashicorp.com/auth-path` - configures the authentication path for the Kubernetes
auth method. Defaults to `auth/kubernetes`.
- `vault.hashicorp.com/auth-type` - configures the authentication type for Vault Agent.
Defaults to `kubernetes`. For a list of valid authentication methods, see the Vault Agent
[auto-auth documentation](/docs/agent/autoauth/methods).
- `vault.hashicorp.com/ca-cert` - path of the CA certificate used to verify Vault's
TLS.
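Review bot: the `auth-config-` description does not say how the annotation suffix maps onto the option names in the linked auto-auth docs; the example suffix `role-id-file-path` only makes sense if readers know to translate hyphens to the underscore-style keys used there, so state that mapping explicitly. Minor grammar in the same paragraph: "Some authentication methods may require additional secrets and should be mounted via" reads as if the methods are mounted; suggest "may require additional secrets, which should be mounted via the `vault.hashicorp.com/agent-extra-secret` annotation".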
@ -194,6 +209,9 @@ etc.
- `vault.hashicorp.com/namespace` - configures the Vault Enterprise namespace to
be used when requesting secrets from Vault.
- `vault.hashicorp.com/proxy-address` - configures the HTTP proxy to use when connecting
to a Vault server.
- `vault.hashicorp.com/role` - configures the Vault role used by the Vault Agent
auto-auth method. Required when `vault.hashicorp.com/agent-configmap` is not set.
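Review bot: `vault.hashicorp.com/proxy-address` says "the HTTP proxy to use" but not the expected value format; since every secret request will traverse this proxy, specify whether a full URL with scheme and port is expected, and add a sentence making clear that the TLS session to Vault (configured via `ca-cert` / `tls-secret`) still terminates at Vault rather than at the proxy.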


@ -290,3 +290,52 @@ spec:
ports:
- containerPort: 9090
```
## AppRole Authentication
The following example demonstrates how the AppRole authentication method can be used by
Vault Agent for retrieving secrets. A Kubernetes secret containing the AppRole secret ID
and role ID should be created first.
```yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: web-deployment
labels:
app: web
spec:
replicas: 1
selector:
matchLabels:
app: web
template:
metadata:
labels:
app: web
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-extra-secret: "approle-example"
vault.hashicorp.com/auth-type: "approle"
vault.hashicorp.com/auth-path: "auth/approle"
vault.hashicorp.com/auth-config-role-id-file-path: "/vault/custom/role-id"
vault.hashicorp.com/auth-config-secret-id-file-path: "/vault/custom/secret-id"
vault.hashicorp.com/agent-inject-secret-db-creds: "database/creds/db-app"
vault.hashicorp.com/agent-inject-template-db-creds: |
{{- with secret "database/creds/db-app" -}}
postgres://{{ .Data.username }}:{{ .Data.password }}@postgres.postgres.svc:5432/wizard?sslmode=disable
{{- end }}
vault.hashicorp.com/role: "my-role"
vault.hashicorp.com/tls-secret: "vault-tls"
vault.hashicorp.com/ca-cert: "/vault/tls/ca.crt"
spec:
serviceAccountName: web
containers:
- name: web
image: alpine:latest
args:
['sh', '-c', 'source /vault/secrets/config && <entrypoint script>']
ports:
- containerPort: 9090
```
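Review bot: the AppRole example never shows the Kubernetes secret it depends on; the prose only says one "should be created first", while the annotations imply its name is `approle-example` and that it carries keys mounted as `/vault/custom/role-id` and `/vault/custom/secret-id`. Add the `kubectl create secret generic approle-example ...` invocation (or the Secret manifest) with those key names so the file-path annotations can be traced back to it. Also, `vault.hashicorp.com/role: "my-role"` is set alongside `auth-type: "approle"`; the annotation reference describes `role` as the Vault role for the auto-auth method, and with AppRole the role identity comes from the role-id file, so either drop the annotation from this example or explain what it does here. Finally, the example hands a long-lived secret ID to the pod through a plain Kubernetes secret; a sentence pointing readers to the secret ID handling options in the linked auto-auth AppRole docs would help them avoid treating this as the recommended shape.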


@ -50,15 +50,15 @@ useful to customize Vault Agent beyond what the provided annotations offer.
### Authenticating with Vault
The primary method of authentication with Vault when using the Vault Agent Injector
is the service account attached to the pod. At this time, no other authentication
method is supported by the controller.
is the service account attached to the pod. Other authentication methods can be configured
using annotations.
The service account must be bound to a Vault role and a policy granting access to
the secrets desired.
For Kubernetes authentication, the service account must be bound to a Vault role and a
policy granting access to the secrets desired.
A service account must be present to use the Vault Agent Injector. It is _not_
recommended to bind Vault roles to the default service account provided to pods
if no service account is defined.
A service account must be present to use the Vault Agent Injector with the Kubernetes
authentication method. It is _not_ recommended to bind Vault roles to the default service
account provided to pods if no service account is defined.
### Requesting Secrets
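Review bot: "Other authentication methods can be configured using annotations." leaves the reader without a pointer; link it to the `vault.hashicorp.com/auth-type` and `vault.hashicorp.com/auth-config` annotations (and the AppRole example) so the sentence is actionable. The remaining two paragraphs are now scoped to "the Kubernetes authentication method", which is correct, but the heading still reads as if only one method exists; a short lead sentence listing Kubernetes as the default and other methods as annotation-selectable would make the section consistent with the new wording.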