From c788e98a160beb1bef46698ac22c96dfa3644461 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Thu, 7 Jan 2021 12:22:21 -0800 Subject: [PATCH] Adding documentation for multiple vault-k8s replicas (#10659) Describes the setup and config for using multiple injector replicas with auto and manual TLS. Co-authored-by: Tom Proctor --- .../platform/k8s/injector/installation.mdx | 31 ++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/website/content/docs/platform/k8s/injector/installation.mdx b/website/content/docs/platform/k8s/injector/installation.mdx index 3f5d82ea3..5e63eff86 100644 --- a/website/content/docs/platform/k8s/injector/installation.mdx +++ b/website/content/docs/platform/k8s/injector/installation.mdx @@ -21,7 +21,7 @@ $ helm repo add hashicorp https://helm.releases.hashicorp.com $ helm search repo hashicorp/vault NAME CHART VERSION APP VERSION DESCRIPTION -hashicorp/vault 0.5.0 Install and configure Vault on Kubernetes. +hashicorp/vault 0.9.0 1.6.1 Official HashiCorp Vault Chart ``` Then install the chart and enable the injection feature by setting the 
@@ -65,6 +65,35 @@ The following is required to configure TLS manually: For more information on configuring manual TLS, see the [Vault Helm cert values](/docs/platform/k8s/helm/configuration#certs). +## Multiple Replicas and TLS + +The Vault Agent Injector can be run with multiple replicas if using [Manual +TLS](#manual-tls), and as of v0.7.0 multiple replicas are also supported with +[Auto TLS](#auto-tls). The number of replicas is controlled in the Vault Helm +chart by the [injector.replicas +value](/docs/platform/k8s/helm/configuration#replicas). + +With Auto TLS and multiple replicas, a leader-elector sidecar container is +deployed with each replica. These sidecars determine which injector replica is +the "leader" in charge of generating the CA and patching the webhook caBundle in +Kubernetes, and also generating and distributing the certificate and key to the +"followers". The followers read the certificate and key needed for the webhook +service listener from a Kubernetes Secret, which is updated by the leader when a +certificate is near expiration. + +The leader-elector sidecar in use is described in detail [here][k8s-blog]. For +more information on configuring leader election, see the [Vault Helm +leaderElector values](/docs/platform/k8s/helm/configuration#leaderelector). + +With Manual TLS and multiple replicas, +[injector.leaderElector.enabled](/docs/platform/k8s/helm/configuration#enabled-2) +should be set to `false` since leader-election is not necessary in this case. + +If there is only one replica set (regardless of other TLS or leaderElector +settings), no leader-elector containers will be deployed. + +[k8s-blog]: "Simple leader election with Kubernetes and Docker" + ## Namespace Selector By default, the Vault Agent Injector will process all namespaces in Kubernetes except
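Review bot: the first hunk changes only the sample `helm search repo` output (`hashicorp/vault 0.9.0 1.6.1 Official HashiCorp Vault Chart`), which is unrelated to the multiple-replica documentation the commit message describes; either mention the sample-output refresh in the commit message or split it into its own commit so the chart-version bump is not mistaken for a minimum version required by the new section. If 0.9.0 is kept, consider a short sentence after the block saying the versions shown are illustrative and will differ from current output, since this snippet goes stale with every chart release.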
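Review bot: the reference definition added at the end of the new section, `[k8s-blog]: "Simple leader election with Kubernetes and Docker"`, has a title but no URL, so the `[here][k8s-blog]` link in "The leader-elector sidecar in use is described in detail [here][k8s-blog]" will not resolve; the URL of the post needs to be inserted before the quoted title. Two wording points in the same hunk: "as of v0.7.0" should say whether that is the vault-k8s injector version or the Vault Helm chart version, because the page's sample output above shows chart 0.9.0 and readers will otherwise guess; and "If there is only one replica set" reads as a Kubernetes ReplicaSet, so "If `injector.replicas` is set to 1" would be unambiguous. Finally, since the paragraph states that the leader writes the webhook certificate and key to a Kubernetes Secret that the followers read, it would help operators to name that Secret and note that read access to it should be limited to the injector service account, as anyone who can read it holds the webhook's private key.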