From ca456021b0555c40b7d53913dd4c708bf1a17596 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Thu, 26 Oct 2023 10:31:15 -0700 Subject: [PATCH] backport of commit 41cc3b31bf374c43dec139944a541a297bc7faa9 (#23860) docs/vault-helm: updates for the last release (v0.25.0) (#23844) --- .../service-registration/kubernetes.mdx | 8 ++--- .../docs/platform/k8s/helm/configuration.mdx | 31 ++++++++++++++----- .../docs/platform/k8s/helm/enterprise.mdx | 2 +- .../helm/examples/enterprise-dr-with-raft.mdx | 4 +-- .../examples/enterprise-perf-with-raft.mdx | 4 +-- .../helm/examples/enterprise-with-raft.mdx | 2 +- .../content/docs/platform/k8s/helm/run.mdx | 4 +-- website/content/partials/helm/install.mdx | 6 ++-- website/content/partials/helm/repo.mdx | 2 +- 9 files changed, 39 insertions(+), 24 deletions(-) diff --git a/website/content/docs/configuration/service-registration/kubernetes.mdx b/website/content/docs/configuration/service-registration/kubernetes.mdx index 346af7564..8bc5c03c8 100644 --- a/website/content/docs/configuration/service-registration/kubernetes.mdx +++ b/website/content/docs/configuration/service-registration/kubernetes.mdx @@ -71,7 +71,7 @@ metadata: vault-initialized: "true" vault-perf-standby: "false" vault-sealed: "false" - vault-version: 1.13.1 + vault-version: 1.14.0 ``` After shutdowns, Vault pods will bear the following labels: @@ -86,7 +86,7 @@ metadata: vault-initialized: "false" vault-perf-standby: "false" vault-sealed: "true" - vault-version: 1.13.1 + vault-version: 1.14.0 ``` ## Label definitions @@ -102,7 +102,7 @@ metadata: - `vault-sealed` `(string: "true"/"false")` – Vault sealed is updated dynamically each time Vault's sealed/unsealed status changes. True indicates that Vault is currently sealed. False indicates that Vault is currently unsealed. -- `vault-version` `(string: "1.13.1")` – Vault version is a string that will not change during a pod's lifecycle. +- `vault-version` `(string: "1.14.0")` – Vault version is a string that will not change during a pod's lifecycle. ## Working with vault's service discovery labels @@ -156,7 +156,7 @@ $ vault write -f sys/replication/performance/primary/enable \ In conjunction with the pod labels and the `OnDelete` upgrade strategy, upgrades are much easier to orchestrate: ```shell-session -$ helm upgrade vault --set='server.image.tag=1.13.1' +$ helm upgrade vault --set='server.image.tag=1.14.0' $ kubectl delete pod --selector=vault-active=false \ --selector=vault-version=1.2.3 diff --git a/website/content/docs/platform/k8s/helm/configuration.mdx b/website/content/docs/platform/k8s/helm/configuration.mdx index 6129ca065..b3ad77e5d 100644 --- a/website/content/docs/platform/k8s/helm/configuration.mdx +++ b/website/content/docs/platform/k8s/helm/configuration.mdx @@ -85,7 +85,7 @@ and consider if they're appropriate for your deployment. - `repository` (`string: "hashicorp/vault"`) - The name of the Docker image for the Vault Agent sidecar. This should be set to the official Vault Docker image. - - `tag` (`string: "1.13.1"`) - The tag of the Vault Docker image to use for the Vault Agent Sidecar. **Vault 1.3.1+ is required by the admission controller**. + - `tag` (`string: "1.14.0"`) - The tag of the Vault Docker image to use for the Vault Agent Sidecar. **Vault 1.3.1+ is required by the admission controller**. - `agentDefaults` - Values that configure the injected Vault Agent containers default values. @@ -97,6 +97,10 @@ and consider if they're appropriate for your deployment. - `memRequest` (`string: "64Mi"`) - The default memory request for injected Vault Agent containers. + - `ephemeralLimit` (`string: ""`) - The default ephemeral storage limit for injected Vault Agent containers. + + - `ephemeralRequest` (`string: ""`) - The default ephemeral storage request for injected Vault Agent containers. + - `template` (`string: "map"`) - The default template type for rendered secrets if no custom templates are defined. Possible values include `map` and `json`. @@ -345,7 +349,7 @@ and consider if they're appropriate for your deployment. - `repository` (`string: "hashicorp/vault"`) - The name of the Docker image for the containers running Vault. - - `tag` (`string: "1.13.1"`) - The tag of the Docker image for the containers running Vault. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller. + - `tag` (`string: "1.14.0"`) - The tag of the Docker image for the containers running Vault. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller. - `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists. @@ -357,7 +361,7 @@ and consider if they're appropriate for your deployment. - `logFormat` (`string: ""`) - Configures the Vault server logging format. If set this will override values defined in the Vault configuration file. Supported log formats include: `standard`, `json`. - - `resources` (`dictionary: {}`) - The resource requests and limits (CPU, memory, etc.) for each container of the server. This should be a YAML dictionary of a Kubernetes [ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.15/#resourcerequirements-v1-core) object. If this isn't specified, then the pods won't request any specific amount of resources, which limits the ability for Kubernetes to make efficient use of compute resources. **Setting this is highly recommended.** + - `resources` (`dictionary: {}`) - The resource requests and limits (CPU, memory, etc.) for each container of the server. This should be a YAML dictionary of a Kubernetes [resource](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) object. If this isn't specified, then the pods won't request any specific amount of resources, which limits the ability for Kubernetes to make efficient use of compute resources. **Setting this is highly recommended.** ```yaml resources: @@ -722,7 +726,7 @@ and consider if they're appropriate for your deployment. - `standbyNodePort` (`int:`) - (When HA mode is enabled) If type is set to "NodePort", a specific nodePort value can be configured for the `standby` service, will be random if left blank. - - `publishNotReadyAddresses` (`boolean: true`) - If true, do not wait for server pods to be ready before adding them to the service pool. + - `publishNotReadyAddresses` (`boolean: true`) - If true, do not wait for pods to be ready before including them in the services' targets. Does not apply to the headless service, which is used for cluster-internal communication. - `instanceSelector` @@ -1028,7 +1032,7 @@ and consider if they're appropriate for your deployment. - `repository` (`string: "hashicorp/vault-csi-provider"`) - The name of the Docker image for the Vault CSI Provider. - - `tag` (`string: "1.3.0"`) - The tag of the Docker image for the Vault CSI Provider.. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your CSI provider. + - `tag` (`string: "1.4.0"`) - The tag of the Docker image for the Vault CSI Provider.. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your CSI provider. - `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists locally. @@ -1051,7 +1055,7 @@ and consider if they're appropriate for your deployment. readOnly: true ``` - - `resources` (`dictionary: {}`) - The resource requests and limits (CPU, memory, etc.) for each of the CSI containers. This should be a YAML dictionary of a Kubernetes [ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.15/#resourcerequirements-v1-core) objects. If this isn't specified, then the pods won't request any specific amount of resources, which limits the ability for Kubernetes to make efficient use of compute resources.
**Setting this is highly recommended.** + - `resources` (`dictionary: {}`) - The resource requests and limits (CPU, memory, etc.) for each of the CSI containers. This should be a YAML dictionary of a Kubernetes [resource](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) object. If this isn't specified, then the pods won't request any specific amount of resources, which limits the ability for Kubernetes to make efficient use of compute resources.
**Setting this is highly recommended.** ```yaml resources: @@ -1061,6 +1065,8 @@ and consider if they're appropriate for your deployment. memory: '10Gi' ``` + - `hmacSecretName` (`string: ""`) - Override the default secret name for the CSI Provider's HMAC key used for generating secret versions. + - `daemonSet` - Values that configure the Vault CSI Provider daemonSet. - `updateStrategy` - Values that configure the Vault CSI Provider update strategy. @@ -1109,6 +1115,15 @@ and consider if they're appropriate for your deployment. - `extraLabels` (`dictionary: {}`) - This value defines additional labels for CSI provider pods. + - `nodeSelector` (`dictionary: {}`) - [nodeSelector](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) labels for csi pod assignment, formatted as a multi-line string or YAML map. + + ```yaml + nodeSelector: + beta.kubernetes.io/arch: amd64 + ``` + + - `affinity` (`dictionary: {}`) - This should be either a multi-line string or YAML matching the PodSpec's affinity field. + - `tolerations` (`array: []`) - Toleration Settings for CSI pods. This should be a multi-line string or YAML matching the Toleration array in a PodSpec. - `priorityClassName` (`string: ""`) - Priority class for CSI Provider pods @@ -1166,7 +1181,7 @@ and consider if they're appropriate for your deployment. - `repository` (`string: "hashicorp/vault"`) - The name of the Docker image for the Vault Agent sidecar. This should be set to the official Vault Docker image. - - `tag` (`string: "1.13.1"`) - The tag of the Vault Docker image to use for the Vault Agent Sidecar. + - `tag` (`string: "1.14.0"`) - The tag of the Vault Docker image to use for the Vault Agent Sidecar. - `logFormat` (`string: "standard"`) - - `logLevel` (`string: "info"`) - @@ -1233,7 +1248,7 @@ and consider if they're appropriate for your deployment. - `selectors` (`dictionary: {}`) - Selector labels to add to the Prometheus rules. - - `rules`: (`dictionary: {}`) - Prometheus rules to create. + - `rules`: (`array: []`) - Prometheus rules to create. For example: ```yaml diff --git a/website/content/docs/platform/k8s/helm/enterprise.mdx b/website/content/docs/platform/k8s/helm/enterprise.mdx index 4be0ba9fd..dbeb3c81b 100644 --- a/website/content/docs/platform/k8s/helm/enterprise.mdx +++ b/website/content/docs/platform/k8s/helm/enterprise.mdx @@ -33,7 +33,7 @@ In your chart overrides, set the values of [`server.image`](/vault/docs/platform server: image: repository: hashicorp/vault-enterprise - tag: 1.13.1-ent + tag: 1.14.0-ent enterpriseLicense: secretName: vault-ent-license ``` diff --git a/website/content/docs/platform/k8s/helm/examples/enterprise-dr-with-raft.mdx b/website/content/docs/platform/k8s/helm/examples/enterprise-dr-with-raft.mdx index f637b445b..8c9aff702 100644 --- a/website/content/docs/platform/k8s/helm/examples/enterprise-dr-with-raft.mdx +++ b/website/content/docs/platform/k8s/helm/examples/enterprise-dr-with-raft.mdx @@ -23,7 +23,7 @@ First, create the primary cluster: ```shell helm install vault-primary hashicorp/vault \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.13.1-ent' \ + --set='server.image.tag=1.14.0-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' ``` @@ -75,7 +75,7 @@ disaster recovery replication. ```shell helm install vault-secondary hashicorp/vault \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.13.1-ent' \ + --set='server.image.tag=1.14.0-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' ``` diff --git a/website/content/docs/platform/k8s/helm/examples/enterprise-perf-with-raft.mdx b/website/content/docs/platform/k8s/helm/examples/enterprise-perf-with-raft.mdx index 9fc61036c..ca3318f42 100644 --- a/website/content/docs/platform/k8s/helm/examples/enterprise-perf-with-raft.mdx +++ b/website/content/docs/platform/k8s/helm/examples/enterprise-perf-with-raft.mdx @@ -23,7 +23,7 @@ First, create the primary cluster: ```shell helm install vault-primary hashicorp/vault \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.13.1-ent' \ + --set='server.image.tag=1.14.0-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' ``` @@ -74,7 +74,7 @@ With the primary cluster created, next create a secondary cluster. ```shell helm install vault-secondary hashicorp/vault \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.13.1-ent' \ + --set='server.image.tag=1.14.0-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' ``` diff --git a/website/content/docs/platform/k8s/helm/examples/enterprise-with-raft.mdx b/website/content/docs/platform/k8s/helm/examples/enterprise-with-raft.mdx index a2c29bc04..492e20ba3 100644 --- a/website/content/docs/platform/k8s/helm/examples/enterprise-with-raft.mdx +++ b/website/content/docs/platform/k8s/helm/examples/enterprise-with-raft.mdx @@ -15,7 +15,7 @@ Integrated Storage (raft) can be enabled using the `server.ha.raft.enabled` valu ```shell helm install vault hashicorp/vault \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.13.1-ent' \ + --set='server.image.tag=1.14.0-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' ``` diff --git a/website/content/docs/platform/k8s/helm/run.mdx b/website/content/docs/platform/k8s/helm/run.mdx index cdaaacdde..5ea5ff7be 100644 --- a/website/content/docs/platform/k8s/helm/run.mdx +++ b/website/content/docs/platform/k8s/helm/run.mdx @@ -409,14 +409,14 @@ Next, list the Helm versions and choose the desired version to install. ```bash $ helm search repo hashicorp/vault NAME CHART VERSION APP VERSION DESCRIPTION -hashicorp/vault 0.24.0 1.13.1 Official HashiCorp Vault Chart +hashicorp/vault 0.25.0 1.14.0 Official HashiCorp Vault Chart ``` Next, test the upgrade with `--dry-run` first to verify the changes sent to the Kubernetes cluster. ```shell-session -$ helm upgrade vault hashicorp/vault --version=0.24.0 \ +$ helm upgrade vault hashicorp/vault --version=0.25.0 \ --set='server.image.repository=vault' \ --set='server.image.tag=123.456' \ --dry-run diff --git a/website/content/partials/helm/install.mdx b/website/content/partials/helm/install.mdx index 4c94d424b..054681e84 100644 --- a/website/content/partials/helm/install.mdx +++ b/website/content/partials/helm/install.mdx @@ -2,15 +2,15 @@ # List the available releases $ helm search repo hashicorp/vault -l NAME CHART VERSION APP VERSION DESCRIPTION +hashicorp/vault 0.25.0 1.14.0 Official HashiCorp Vault Chart hashicorp/vault 0.24.0 1.13.1 Official HashiCorp Vault Chart hashicorp/vault 0.23.0 1.12.1 Official HashiCorp Vault Chart hashicorp/vault 0.22.1 1.12.0 Official HashiCorp Vault Chart hashicorp/vault 0.22.0 1.11.3 Official HashiCorp Vault Chart hashicorp/vault 0.21.0 1.11.2 Official HashiCorp Vault Chart hashicorp/vault 0.20.1 1.10.3 Official HashiCorp Vault Chart -hashicorp/vault 0.20.0 1.10.3 Official HashiCorp Vault Chart ... -# Install version 0.24.0 -$ helm install vault hashicorp/vault --version 0.24.0 +# Install version 0.25.0 +$ helm install vault hashicorp/vault --version 0.25.0 ``` diff --git a/website/content/partials/helm/repo.mdx b/website/content/partials/helm/repo.mdx index f3571bbea..6f9f512dd 100644 --- a/website/content/partials/helm/repo.mdx +++ b/website/content/partials/helm/repo.mdx @@ -4,5 +4,5 @@ $ helm repo add hashicorp https://helm.releases.hashicorp.com $ helm search repo hashicorp/vault NAME CHART VERSION APP VERSION DESCRIPTION -hashicorp/vault 0.24.0 1.13.1 Official HashiCorp Vault Chart +hashicorp/vault 0.25.0 1.14.0 Official HashiCorp Vault Chart ```