Adding documentation for multiple vault-k8s replicas (#10659)

Describes the setup and config for using multiple injector replicas
with auto and manual TLS.

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
Theron Voran 2021-01-07 12:22:21 -08:00 committed by GitHub
parent 70d3185d3a
commit c788e98a16
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 30 additions and 1 deletions


@ -21,7 +21,7 @@ $ helm repo add hashicorp https://helm.releases.hashicorp.com
$ helm search repo hashicorp/vault $ helm search repo hashicorp/vault
NAME CHART VERSION APP VERSION DESCRIPTION NAME CHART VERSION APP VERSION DESCRIPTION
hashicorp/vault 0.5.0 Install and configure Vault on Kubernetes. hashicorp/vault 0.9.0 1.6.1 Official HashiCorp Vault Chart
``` ```
Then install the chart and enable the injection feature by setting the Then install the chart and enable the injection feature by setting the
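Review bot: the refreshed sample output in this hunk pins `hashicorp/vault` to chart version 0.9.0 with app version 1.6.1, but the new section added below keys its multi-replica Auto TLS guidance to injector v0.7.0; neither version number is tied to the other anywhere on the page. Consider adding a sentence here stating which injector version the 0.9.0 chart deploys (or that the versions shown will differ from a current `helm search repo hashicorp/vault` run), so readers can tell whether the chart they are about to install supports multiple replicas with Auto TLS.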
@ -65,6 +65,35 @@ The following is required to configure TLS manually:
For more information on configuring manual TLS, see the [Vault Helm cert values](/docs/platform/k8s/helm/configuration#certs). For more information on configuring manual TLS, see the [Vault Helm cert values](/docs/platform/k8s/helm/configuration#certs).
## Multiple Replicas and TLS
The Vault Agent Injector can be run with multiple replicas if using [Manual
TLS](#manual-tls), and as of v0.7.0 multiple replicas are also supported with
[Auto TLS](#auto-tls). The number of replicas is controlled in the Vault Helm
chart by the [injector.replicas
value](/docs/platform/k8s/helm/configuration#replicas).
With Auto TLS and multiple replicas, a leader-elector sidecar container is
deployed with each replica. These sidecars determine which injector replica is
the "leader" in charge of generating the CA and patching the webhook caBundle in
Kubernetes, and also generating and distributing the certificate and key to the
"followers". The followers read the certificate and key needed for the webhook
service listener from a Kubernetes Secret, which is updated by the leader when a
certificate is near expiration.
The leader-elector sidecar in use is described in detail [here][k8s-blog]. For
more information on configuring leader election, see the [Vault Helm
leaderElector values](/docs/platform/k8s/helm/configuration#leaderelector).
With Manual TLS and multiple replicas,
[injector.leaderElector.enabled](/docs/platform/k8s/helm/configuration#enabled-2)
should be set to `false` since leader-election is not necessary in this case.
If there is only one replica set (regardless of other TLS or leaderElector
settings), no leader-elector containers will be deployed.
[k8s-blog]: <https://kubernetes.io/blog/2016/01/simple-leader-election-with-kubernetes/> "Simple leader election with Kubernetes and Docker"
## Namespace Selector ## Namespace Selector
By default, the Vault Agent Injector will process all namespaces in Kubernetes except By default, the Vault Agent Injector will process all namespaces in Kubernetes except
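Review bot: the paragraph starting "With Auto TLS and multiple replicas" says the leader distributes the webhook certificate and key to followers through a Kubernetes Secret, but the section never names that Secret, the RBAC the leader needs to write it and the followers need to read it, or the fact that the private key for the webhook listener lives in it; since anyone who can read that Secret holds the webhook's TLS key, a sentence naming the Secret and recommending that read access be limited to the injector's service account would round out the security picture. Two smaller points in the same hunk: "If there is only one replica set (regardless of other TLS or leaderElector settings)" reads as a reference to a Kubernetes ReplicaSet rather than to `injector.replicas` being 1, so "If only one replica is configured" would be clearer; and the link text "described in detail [here][k8s-blog]" would be more useful as a descriptive link, for example "described in detail in the [Kubernetes leader election blog post][k8s-blog]".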