luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity

[docs] update helm docs for vso beta1 release (#20776) 

* update helm docs for vso beta1 release
This commit is contained in:
Kyle Schochenmaier 2023-05-25 16:45:08 -05:00 committed by GitHub
parent 27dd70457b
commit b43e865aef
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 68 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

73
website/content/docs/platform/k8s/vso/helm.mdx
View File

@ -13,7 +13,7 @@ The chart is customizable using
[Helm configuration values](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing).
<!-- DO NOT EDIT. The docs below are generated automatically. To change, edit
the vault-secrets-operator repo's values.yaml: file commit=7236932478761438b62db3f21634308b3baaf891 -->
the vault-secrets-operator repo's values.yaml: file commit=b9d4f2f8ac86bdc1de71ca101ea8ed1c4e8a429e -->
<!-- codegen: start -->
## Top-Level Stanzas
@ -60,6 +60,8 @@ Use these links to navigate to a particular top-level stanza.
- `memory` ((#v-controller-kuberbacproxy-resources-requests-memory)) (`string: 64Mi`)
- `annotations` ((#v-controller-annotations)) - This value defines additional annotations for the deployment. This should be formatted as a YAML object (map)
- `manager` ((#v-controller-manager)) - Settings related to the vault-secrets-operator container.
- `image` ((#v-controller-manager-image)) - Image sets the repo and tag of the vault-secrets-operator image to use for the controller.
@ -69,14 +71,18 @@ Use these links to navigate to a particular top-level stanza.
- `tag` ((#v-controller-manager-image-tag)) (`string: 0.1.0-beta`)
- `clientCache` ((#v-controller-manager-clientcache)) - Configures the client cache which is used by the controller to cache (and potentially persist) vault tokens that
are the result of using the VaultAuthMethod. This enables re-use of Vault Tokens around their TTLs as well as the
ability to renew.
are the result of using the VaultAuthMethod. This enables re-use of Vault Tokens
throughout their TTLs as well as the ability to renew.
Persistence is only useful in the context of Dynamic Secrets, so "none" is an okay default.
- `persistenceModel` ((#v-controller-manager-clientcache-persistencemodel)) (`string: ""`) - Defines the `-client-cache-persistence-model` which caches+persists vault tokens.
Valid values are:
"none" - in-memory client cache is used, no tokens are persisted.
"direct-unencrypted" - in-memory client cache is persisted, unencrypted. This is NOT recommended for any production workload.
"direct-encrypted" - in-memory client cache is persisted encrypted using the Vault Transit engine.
Note: It is strongly encouraged to not use the setting of "direct-unencrypted" in
production due to the potential of vault tokens being leaked as they would then be stored
in clear text.
default: "none"
@ -86,6 +92,33 @@ Use these links to navigate to a particular top-level stanza.
default: 10000
- `storageEncryption` ((#v-controller-manager-clientcache-storageencryption)) - StorageEncryption provides the necessary configuration to encrypt the client storage
cache within Kubernetes objects using (required) Vault Transit Engine.
This should only be configured when client cache persistence with encryption is enabled.
E.g. `controller.manager.clientCache.persistenceMode=direct-encrypted`
Typically there should only ever be one VaultAuth configured with
StorageEncryption in the Cluster.
- `vaultConnectionRef` ((#v-controller-manager-clientcache-storageencryption-vaultconnectionref)) (`string: default`) - Vault Connection Ref to be used by the VaultAuthMethod.
Default setting will use the default VaultConnectionRef, which must also be configured.
- `namespace` ((#v-controller-manager-clientcache-storageencryption-namespace)) (`string: ""`) - Vault namespace for the VaultAuthMethod
- `keyName` ((#v-controller-manager-clientcache-storageencryption-keyname)) (`string: ""`) - KeyName to use for encrypt/decrypt operations via Vault Transit.
- `mount` ((#v-controller-manager-clientcache-storageencryption-mount)) (`string: kubernetes`) - Mount path for the Vault Auth Method.
- `role` ((#v-controller-manager-clientcache-storageencryption-role)) (`string: ""`) - Vault Auth Role to use
This is a required field and must be setup in Vault prior to deploying the helm chart
if `defaultAuthMethod.enabled=true`
- `serviceAccount` ((#v-controller-manager-clientcache-storageencryption-serviceaccount)) (`string: ""`) - Kubernetes ServiceAccount associated with the default Vault Auth Role
default: Operator's ServiceAccount
- `tokenAudiences` ((#v-controller-manager-clientcache-storageencryption-tokenaudiences)) (`array<string>: []`) - Token Audience should match the audience of the vault kubernetes auth role.
- `transitMount` ((#v-controller-manager-clientcache-storageencryption-transitmount)) (`string: ""`) - Mount path for the Transit Method.
- `maxConcurrentReconciles` ((#v-controller-manager-maxconcurrentreconciles)) (`integer: ""`) - Defines the maximum number of concurrent reconciles by the controller.
NOTE: Currently this is only used by the reconciliation logic of dynamic secrets.
@ -203,8 +236,38 @@ Use these links to navigate to a particular top-level stanza.
- `serviceAccount` ((#v-defaultauthmethod-kubernetes-serviceaccount)) (`string: default`) - Kubernetes ServiceAccount associated with the default Vault Auth Role
- `tokenAudiences` ((#v-defaultauthmethod-kubernetes-tokenaudiences)) (`array<string>: []`) - Token Audience is required and should match whatever the audience
of the vault kubernetes auth role has set.
- `tokenAudiences` ((#v-defaultauthmethod-kubernetes-tokenaudiences)) (`array<string>: []`) - Token Audience should match the audience of the vault kubernetes auth role.
- `jwt` ((#v-defaultauthmethod-jwt)) - Vault JWT auth method specific configuration
- `role` ((#v-defaultauthmethod-jwt-role)) (`string: ""`) - Vault Auth Role to use
This is a required field and must be setup in Vault prior to deploying the helm chart
if `jwtAuthMethod.enabled=true`
- `secretName` ((#v-defaultauthmethod-jwt-secretname)) (`string: ""`) - One of the following is required prior to deploying the helm chart
- K8s secret that contains the JWT
- K8s service account if a service account JWT is used as a Vault JWT auth token and needs generating by VSO
Name of Kubernetes Secret that has the Vault JWT auth token.
The Kubernetes Secret must contain a key named `jwt` which references the JWT token, and must exist in the namespace
of any consuming VaultSecret CR. This is a required field if a JWT token is provided.
- `serviceAccount` ((#v-defaultauthmethod-jwt-serviceaccount)) (`string: default`) - Kubernetes ServiceAccount to generate a service account JWT
- `tokenAudiences` ((#v-defaultauthmethod-jwt-tokenaudiences)) (`array<string>: []`) - Token Audience should match the bound_audiences or the `aud` list in bound_claims if applicable
of the Vault JWT auth role.
- `appRole` ((#v-defaultauthmethod-approle)) - AppRole auth method specific configuration
- `roleId` ((#v-defaultauthmethod-approle-roleid)) (`string: ""`) - AppRole Role's RoleID to use for authenticating to Vault.
This is a required field when using appRole and must be setup in Vault prior to deploying the
helm chart.
- `secretName` ((#v-defaultauthmethod-approle-secretname)) (`string: ""`) - Name of Kubernetes Secret that has the AppRole Role's SecretID used to authenticate with Vault.
The Kubernetes Secret must contain a key named `id` which references the AppRole Role's
SecretID, and must exist in the namespace of any consuming VaultSecret CR.
This is a required field when using appRole and must be setup in Vault prior to deploying the
helm chart.
- `params` ((#v-defaultauthmethod-params)) (`string: ""`) - Params to use when authenticating to Vault
params: |