backport of commit 41cc3b31bf374c43dec139944a541a297bc7faa9 (#23860)
docs/vault-helm: updates for the last release (v0.25.0) (#23844)
This commit is contained in:
parent
9820d6b0ee
commit
ca456021b0
|
@ -71,7 +71,7 @@ metadata:
|
||||||
vault-initialized: "true"
|
vault-initialized: "true"
|
||||||
vault-perf-standby: "false"
|
vault-perf-standby: "false"
|
||||||
vault-sealed: "false"
|
vault-sealed: "false"
|
||||||
vault-version: 1.13.1
|
vault-version: 1.14.0
|
||||||
```
|
```
|
||||||
|
|
||||||
After shutdowns, Vault pods will bear the following labels:
|
After shutdowns, Vault pods will bear the following labels:
|
||||||
|
@ -86,7 +86,7 @@ metadata:
|
||||||
vault-initialized: "false"
|
vault-initialized: "false"
|
||||||
vault-perf-standby: "false"
|
vault-perf-standby: "false"
|
||||||
vault-sealed: "true"
|
vault-sealed: "true"
|
||||||
vault-version: 1.13.1
|
vault-version: 1.14.0
|
||||||
```
|
```
|
||||||
|
|
||||||
## Label definitions
|
## Label definitions
|
||||||
|
@ -102,7 +102,7 @@ metadata:
|
||||||
- `vault-sealed` `(string: "true"/"false")` – Vault sealed is updated dynamically each
|
- `vault-sealed` `(string: "true"/"false")` – Vault sealed is updated dynamically each
|
||||||
time Vault's sealed/unsealed status changes. True indicates that Vault is currently sealed. False indicates that Vault
|
time Vault's sealed/unsealed status changes. True indicates that Vault is currently sealed. False indicates that Vault
|
||||||
is currently unsealed.
|
is currently unsealed.
|
||||||
- `vault-version` `(string: "1.13.1")` – Vault version is a string that will not change during a pod's lifecycle.
|
- `vault-version` `(string: "1.14.0")` – Vault version is a string that will not change during a pod's lifecycle.
|
||||||
|
|
||||||
## Working with vault's service discovery labels
|
## Working with vault's service discovery labels
|
||||||
|
|
||||||
|
@ -156,7 +156,7 @@ $ vault write -f sys/replication/performance/primary/enable \
|
||||||
In conjunction with the pod labels and the `OnDelete` upgrade strategy, upgrades are much easier to orchestrate:
|
In conjunction with the pod labels and the `OnDelete` upgrade strategy, upgrades are much easier to orchestrate:
|
||||||
|
|
||||||
```shell-session
|
```shell-session
|
||||||
$ helm upgrade vault --set='server.image.tag=1.13.1'
|
$ helm upgrade vault --set='server.image.tag=1.14.0'
|
||||||
|
|
||||||
$ kubectl delete pod --selector=vault-active=false \
|
$ kubectl delete pod --selector=vault-active=false \
|
||||||
--selector=vault-version=1.2.3
|
--selector=vault-version=1.2.3
|
||||||
|
|
|
@ -85,7 +85,7 @@ and consider if they're appropriate for your deployment.
|
||||||
|
|
||||||
- `repository` (`string: "hashicorp/vault"`) - The name of the Docker image for the Vault Agent sidecar. This should be set to the official Vault Docker image.
|
- `repository` (`string: "hashicorp/vault"`) - The name of the Docker image for the Vault Agent sidecar. This should be set to the official Vault Docker image.
|
||||||
|
|
||||||
- `tag` (`string: "1.13.1"`) - The tag of the Vault Docker image to use for the Vault Agent Sidecar. **Vault 1.3.1+ is required by the admission controller**.
|
- `tag` (`string: "1.14.0"`) - The tag of the Vault Docker image to use for the Vault Agent Sidecar. **Vault 1.3.1+ is required by the admission controller**.
|
||||||
|
|
||||||
- `agentDefaults` - Values that configure the injected Vault Agent containers default values.
|
- `agentDefaults` - Values that configure the injected Vault Agent containers default values.
|
||||||
|
|
||||||
|
@ -97,6 +97,10 @@ and consider if they're appropriate for your deployment.
|
||||||
|
|
||||||
- `memRequest` (`string: "64Mi"`) - The default memory request for injected Vault Agent containers.
|
- `memRequest` (`string: "64Mi"`) - The default memory request for injected Vault Agent containers.
|
||||||
|
|
||||||
|
- `ephemeralLimit` (`string: ""`) - The default ephemeral storage limit for injected Vault Agent containers.
|
||||||
|
|
||||||
|
- `ephemeralRequest` (`string: ""`) - The default ephemeral storage request for injected Vault Agent containers.
|
||||||
|
|
||||||
- `template` (`string: "map"`) - The default template type for rendered secrets if no custom templates are defined.
|
- `template` (`string: "map"`) - The default template type for rendered secrets if no custom templates are defined.
|
||||||
Possible values include `map` and `json`.
|
Possible values include `map` and `json`.
|
||||||
|
|
||||||
|
@ -345,7 +349,7 @@ and consider if they're appropriate for your deployment.
|
||||||
|
|
||||||
- `repository` (`string: "hashicorp/vault"`) - The name of the Docker image for the containers running Vault.
|
- `repository` (`string: "hashicorp/vault"`) - The name of the Docker image for the containers running Vault.
|
||||||
|
|
||||||
- `tag` (`string: "1.13.1"`) - The tag of the Docker image for the containers running Vault. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller.
|
- `tag` (`string: "1.14.0"`) - The tag of the Docker image for the containers running Vault. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller.
|
||||||
|
|
||||||
- `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists.
|
- `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists.
|
||||||
|
|
||||||
|
@ -357,7 +361,7 @@ and consider if they're appropriate for your deployment.
|
||||||
- `logFormat` (`string: ""`) - Configures the Vault server logging format. If set this will override values defined in the Vault configuration file.
|
- `logFormat` (`string: ""`) - Configures the Vault server logging format. If set this will override values defined in the Vault configuration file.
|
||||||
Supported log formats include: `standard`, `json`.
|
Supported log formats include: `standard`, `json`.
|
||||||
|
|
||||||
- `resources` (`dictionary: {}`) - The resource requests and limits (CPU, memory, etc.) for each container of the server. This should be a YAML dictionary of a Kubernetes [ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.15/#resourcerequirements-v1-core) object. If this isn't specified, then the pods won't request any specific amount of resources, which limits the ability for Kubernetes to make efficient use of compute resources. **Setting this is highly recommended.**
|
- `resources` (`dictionary: {}`) - The resource requests and limits (CPU, memory, etc.) for each container of the server. This should be a YAML dictionary of a Kubernetes [resource](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) object. If this isn't specified, then the pods won't request any specific amount of resources, which limits the ability for Kubernetes to make efficient use of compute resources. **Setting this is highly recommended.**
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
resources:
|
resources:
|
||||||
|
@ -722,7 +726,7 @@ and consider if they're appropriate for your deployment.
|
||||||
|
|
||||||
- `standbyNodePort` (`int:`) - (When HA mode is enabled) If type is set to "NodePort", a specific nodePort value can be configured for the `standby` service, will be random if left blank.
|
- `standbyNodePort` (`int:`) - (When HA mode is enabled) If type is set to "NodePort", a specific nodePort value can be configured for the `standby` service, will be random if left blank.
|
||||||
|
|
||||||
- `publishNotReadyAddresses` (`boolean: true`) - If true, do not wait for server pods to be ready before adding them to the service pool.
|
- `publishNotReadyAddresses` (`boolean: true`) - If true, do not wait for pods to be ready before including them in the services' targets. Does not apply to the headless service, which is used for cluster-internal communication.
|
||||||
|
|
||||||
- `instanceSelector`
|
- `instanceSelector`
|
||||||
|
|
||||||
|
@ -1028,7 +1032,7 @@ and consider if they're appropriate for your deployment.
|
||||||
|
|
||||||
- `repository` (`string: "hashicorp/vault-csi-provider"`) - The name of the Docker image for the Vault CSI Provider.
|
- `repository` (`string: "hashicorp/vault-csi-provider"`) - The name of the Docker image for the Vault CSI Provider.
|
||||||
|
|
||||||
- `tag` (`string: "1.3.0"`) - The tag of the Docker image for the Vault CSI Provider.. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your CSI provider.
|
- `tag` (`string: "1.4.0"`) - The tag of the Docker image for the Vault CSI Provider.. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your CSI provider.
|
||||||
|
|
||||||
- `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists locally.
|
- `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists locally.
|
||||||
|
|
||||||
|
@ -1051,7 +1055,7 @@ and consider if they're appropriate for your deployment.
|
||||||
readOnly: true
|
readOnly: true
|
||||||
```
|
```
|
||||||
|
|
||||||
- `resources` (`dictionary: {}`) - The resource requests and limits (CPU, memory, etc.) for each of the CSI containers. This should be a YAML dictionary of a Kubernetes [ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.15/#resourcerequirements-v1-core) objects. If this isn't specified, then the pods won't request any specific amount of resources, which limits the ability for Kubernetes to make efficient use of compute resources.<br /> **Setting this is highly recommended.**
|
- `resources` (`dictionary: {}`) - The resource requests and limits (CPU, memory, etc.) for each of the CSI containers. This should be a YAML dictionary of a Kubernetes [resource](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) object. If this isn't specified, then the pods won't request any specific amount of resources, which limits the ability for Kubernetes to make efficient use of compute resources.<br /> **Setting this is highly recommended.**
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
resources:
|
resources:
|
||||||
|
@ -1061,6 +1065,8 @@ and consider if they're appropriate for your deployment.
|
||||||
memory: '10Gi'
|
memory: '10Gi'
|
||||||
```
|
```
|
||||||
|
|
||||||
|
- `hmacSecretName` (`string: ""`) - Override the default secret name for the CSI Provider's HMAC key used for generating secret versions.
|
||||||
|
|
||||||
- `daemonSet` - Values that configure the Vault CSI Provider daemonSet.
|
- `daemonSet` - Values that configure the Vault CSI Provider daemonSet.
|
||||||
|
|
||||||
- `updateStrategy` - Values that configure the Vault CSI Provider update strategy.
|
- `updateStrategy` - Values that configure the Vault CSI Provider update strategy.
|
||||||
|
@ -1109,6 +1115,15 @@ and consider if they're appropriate for your deployment.
|
||||||
|
|
||||||
- `extraLabels` (`dictionary: {}`) - This value defines additional labels for CSI provider pods.
|
- `extraLabels` (`dictionary: {}`) - This value defines additional labels for CSI provider pods.
|
||||||
|
|
||||||
|
- `nodeSelector` (`dictionary: {}`) - [nodeSelector](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) labels for csi pod assignment, formatted as a multi-line string or YAML map.
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
nodeSelector:
|
||||||
|
beta.kubernetes.io/arch: amd64
|
||||||
|
```
|
||||||
|
|
||||||
|
- `affinity` (`dictionary: {}`) - This should be either a multi-line string or YAML matching the PodSpec's affinity field.
|
||||||
|
|
||||||
- `tolerations` (`array: []`) - Toleration Settings for CSI pods. This should be a multi-line string or YAML matching the Toleration array in a PodSpec.
|
- `tolerations` (`array: []`) - Toleration Settings for CSI pods. This should be a multi-line string or YAML matching the Toleration array in a PodSpec.
|
||||||
|
|
||||||
- `priorityClassName` (`string: ""`) - Priority class for CSI Provider pods
|
- `priorityClassName` (`string: ""`) - Priority class for CSI Provider pods
|
||||||
|
@ -1166,7 +1181,7 @@ and consider if they're appropriate for your deployment.
|
||||||
|
|
||||||
- `repository` (`string: "hashicorp/vault"`) - The name of the Docker image for the Vault Agent sidecar. This should be set to the official Vault Docker image.
|
- `repository` (`string: "hashicorp/vault"`) - The name of the Docker image for the Vault Agent sidecar. This should be set to the official Vault Docker image.
|
||||||
|
|
||||||
- `tag` (`string: "1.13.1"`) - The tag of the Vault Docker image to use for the Vault Agent Sidecar.
|
- `tag` (`string: "1.14.0"`) - The tag of the Vault Docker image to use for the Vault Agent Sidecar.
|
||||||
|
|
||||||
- `logFormat` (`string: "standard"`) -
|
- `logFormat` (`string: "standard"`) -
|
||||||
- `logLevel` (`string: "info"`) -
|
- `logLevel` (`string: "info"`) -
|
||||||
|
@ -1233,7 +1248,7 @@ and consider if they're appropriate for your deployment.
|
||||||
|
|
||||||
- `selectors` (`dictionary: {}`) - Selector labels to add to the Prometheus rules.
|
- `selectors` (`dictionary: {}`) - Selector labels to add to the Prometheus rules.
|
||||||
|
|
||||||
- `rules`: (`dictionary: {}`) - Prometheus rules to create.
|
- `rules`: (`array: []`) - Prometheus rules to create.
|
||||||
|
|
||||||
For example:
|
For example:
|
||||||
```yaml
|
```yaml
|
||||||
|
|
|
@ -33,7 +33,7 @@ In your chart overrides, set the values of [`server.image`](/vault/docs/platform
|
||||||
server:
|
server:
|
||||||
image:
|
image:
|
||||||
repository: hashicorp/vault-enterprise
|
repository: hashicorp/vault-enterprise
|
||||||
tag: 1.13.1-ent
|
tag: 1.14.0-ent
|
||||||
enterpriseLicense:
|
enterpriseLicense:
|
||||||
secretName: vault-ent-license
|
secretName: vault-ent-license
|
||||||
```
|
```
|
||||||
|
|
|
@ -23,7 +23,7 @@ First, create the primary cluster:
|
||||||
```shell
|
```shell
|
||||||
helm install vault-primary hashicorp/vault \
|
helm install vault-primary hashicorp/vault \
|
||||||
--set='server.image.repository=hashicorp/vault-enterprise' \
|
--set='server.image.repository=hashicorp/vault-enterprise' \
|
||||||
--set='server.image.tag=1.13.1-ent' \
|
--set='server.image.tag=1.14.0-ent' \
|
||||||
--set='server.ha.enabled=true' \
|
--set='server.ha.enabled=true' \
|
||||||
--set='server.ha.raft.enabled=true'
|
--set='server.ha.raft.enabled=true'
|
||||||
```
|
```
|
||||||
|
@ -75,7 +75,7 @@ disaster recovery replication.
|
||||||
```shell
|
```shell
|
||||||
helm install vault-secondary hashicorp/vault \
|
helm install vault-secondary hashicorp/vault \
|
||||||
--set='server.image.repository=hashicorp/vault-enterprise' \
|
--set='server.image.repository=hashicorp/vault-enterprise' \
|
||||||
--set='server.image.tag=1.13.1-ent' \
|
--set='server.image.tag=1.14.0-ent' \
|
||||||
--set='server.ha.enabled=true' \
|
--set='server.ha.enabled=true' \
|
||||||
--set='server.ha.raft.enabled=true'
|
--set='server.ha.raft.enabled=true'
|
||||||
```
|
```
|
||||||
|
|
|
@ -23,7 +23,7 @@ First, create the primary cluster:
|
||||||
```shell
|
```shell
|
||||||
helm install vault-primary hashicorp/vault \
|
helm install vault-primary hashicorp/vault \
|
||||||
--set='server.image.repository=hashicorp/vault-enterprise' \
|
--set='server.image.repository=hashicorp/vault-enterprise' \
|
||||||
--set='server.image.tag=1.13.1-ent' \
|
--set='server.image.tag=1.14.0-ent' \
|
||||||
--set='server.ha.enabled=true' \
|
--set='server.ha.enabled=true' \
|
||||||
--set='server.ha.raft.enabled=true'
|
--set='server.ha.raft.enabled=true'
|
||||||
```
|
```
|
||||||
|
@ -74,7 +74,7 @@ With the primary cluster created, next create a secondary cluster.
|
||||||
```shell
|
```shell
|
||||||
helm install vault-secondary hashicorp/vault \
|
helm install vault-secondary hashicorp/vault \
|
||||||
--set='server.image.repository=hashicorp/vault-enterprise' \
|
--set='server.image.repository=hashicorp/vault-enterprise' \
|
||||||
--set='server.image.tag=1.13.1-ent' \
|
--set='server.image.tag=1.14.0-ent' \
|
||||||
--set='server.ha.enabled=true' \
|
--set='server.ha.enabled=true' \
|
||||||
--set='server.ha.raft.enabled=true'
|
--set='server.ha.raft.enabled=true'
|
||||||
```
|
```
|
||||||
|
|
|
@ -15,7 +15,7 @@ Integrated Storage (raft) can be enabled using the `server.ha.raft.enabled` valu
|
||||||
```shell
|
```shell
|
||||||
helm install vault hashicorp/vault \
|
helm install vault hashicorp/vault \
|
||||||
--set='server.image.repository=hashicorp/vault-enterprise' \
|
--set='server.image.repository=hashicorp/vault-enterprise' \
|
||||||
--set='server.image.tag=1.13.1-ent' \
|
--set='server.image.tag=1.14.0-ent' \
|
||||||
--set='server.ha.enabled=true' \
|
--set='server.ha.enabled=true' \
|
||||||
--set='server.ha.raft.enabled=true'
|
--set='server.ha.raft.enabled=true'
|
||||||
```
|
```
|
||||||
|
|
|
@ -409,14 +409,14 @@ Next, list the Helm versions and choose the desired version to install.
|
||||||
```bash
|
```bash
|
||||||
$ helm search repo hashicorp/vault
|
$ helm search repo hashicorp/vault
|
||||||
NAME CHART VERSION APP VERSION DESCRIPTION
|
NAME CHART VERSION APP VERSION DESCRIPTION
|
||||||
hashicorp/vault 0.24.0 1.13.1 Official HashiCorp Vault Chart
|
hashicorp/vault 0.25.0 1.14.0 Official HashiCorp Vault Chart
|
||||||
```
|
```
|
||||||
|
|
||||||
Next, test the upgrade with `--dry-run` first to verify the changes sent to the
|
Next, test the upgrade with `--dry-run` first to verify the changes sent to the
|
||||||
Kubernetes cluster.
|
Kubernetes cluster.
|
||||||
|
|
||||||
```shell-session
|
```shell-session
|
||||||
$ helm upgrade vault hashicorp/vault --version=0.24.0 \
|
$ helm upgrade vault hashicorp/vault --version=0.25.0 \
|
||||||
--set='server.image.repository=vault' \
|
--set='server.image.repository=vault' \
|
||||||
--set='server.image.tag=123.456' \
|
--set='server.image.tag=123.456' \
|
||||||
--dry-run
|
--dry-run
|
||||||
|
|
|
@ -2,15 +2,15 @@
|
||||||
# List the available releases
|
# List the available releases
|
||||||
$ helm search repo hashicorp/vault -l
|
$ helm search repo hashicorp/vault -l
|
||||||
NAME CHART VERSION APP VERSION DESCRIPTION
|
NAME CHART VERSION APP VERSION DESCRIPTION
|
||||||
|
hashicorp/vault 0.25.0 1.14.0 Official HashiCorp Vault Chart
|
||||||
hashicorp/vault 0.24.0 1.13.1 Official HashiCorp Vault Chart
|
hashicorp/vault 0.24.0 1.13.1 Official HashiCorp Vault Chart
|
||||||
hashicorp/vault 0.23.0 1.12.1 Official HashiCorp Vault Chart
|
hashicorp/vault 0.23.0 1.12.1 Official HashiCorp Vault Chart
|
||||||
hashicorp/vault 0.22.1 1.12.0 Official HashiCorp Vault Chart
|
hashicorp/vault 0.22.1 1.12.0 Official HashiCorp Vault Chart
|
||||||
hashicorp/vault 0.22.0 1.11.3 Official HashiCorp Vault Chart
|
hashicorp/vault 0.22.0 1.11.3 Official HashiCorp Vault Chart
|
||||||
hashicorp/vault 0.21.0 1.11.2 Official HashiCorp Vault Chart
|
hashicorp/vault 0.21.0 1.11.2 Official HashiCorp Vault Chart
|
||||||
hashicorp/vault 0.20.1 1.10.3 Official HashiCorp Vault Chart
|
hashicorp/vault 0.20.1 1.10.3 Official HashiCorp Vault Chart
|
||||||
hashicorp/vault 0.20.0 1.10.3 Official HashiCorp Vault Chart
|
|
||||||
...
|
...
|
||||||
|
|
||||||
# Install version 0.24.0
|
# Install version 0.25.0
|
||||||
$ helm install vault hashicorp/vault --version 0.24.0
|
$ helm install vault hashicorp/vault --version 0.25.0
|
||||||
```
|
```
|
||||||
|
|
|
@ -4,5 +4,5 @@ $ helm repo add hashicorp https://helm.releases.hashicorp.com
|
||||||
|
|
||||||
$ helm search repo hashicorp/vault
|
$ helm search repo hashicorp/vault
|
||||||
NAME CHART VERSION APP VERSION DESCRIPTION
|
NAME CHART VERSION APP VERSION DESCRIPTION
|
||||||
hashicorp/vault 0.24.0 1.13.1 Official HashiCorp Vault Chart
|
hashicorp/vault 0.25.0 1.14.0 Official HashiCorp Vault Chart
|
||||||
```
|
```
|
||||||
|
|
Loading…
Reference in New Issue