backport of commit 41cc3b31bf374c43dec139944a541a297bc7faa9 (#23860)

docs/vault-helm: updates for the last release (v0.25.0) (#23844)
This commit is contained in:
Theron Voran 2023-10-26 10:31:15 -07:00 committed by GitHub
parent 9820d6b0ee
commit ca456021b0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 39 additions and 24 deletions

View File

@ -71,7 +71,7 @@ metadata:
vault-initialized: "true" vault-initialized: "true"
vault-perf-standby: "false" vault-perf-standby: "false"
vault-sealed: "false" vault-sealed: "false"
vault-version: 1.13.1 vault-version: 1.14.0
``` ```
After shutdowns, Vault pods will bear the following labels: After shutdowns, Vault pods will bear the following labels:
@ -86,7 +86,7 @@ metadata:
vault-initialized: "false" vault-initialized: "false"
vault-perf-standby: "false" vault-perf-standby: "false"
vault-sealed: "true" vault-sealed: "true"
vault-version: 1.13.1 vault-version: 1.14.0
``` ```
## Label definitions ## Label definitions
@ -102,7 +102,7 @@ metadata:
- `vault-sealed` `(string: "true"/"false")` Vault sealed is updated dynamically each - `vault-sealed` `(string: "true"/"false")` Vault sealed is updated dynamically each
time Vault's sealed/unsealed status changes. True indicates that Vault is currently sealed. False indicates that Vault time Vault's sealed/unsealed status changes. True indicates that Vault is currently sealed. False indicates that Vault
is currently unsealed. is currently unsealed.
- `vault-version` `(string: "1.13.1")` Vault version is a string that will not change during a pod's lifecycle. - `vault-version` `(string: "1.14.0")` Vault version is a string that will not change during a pod's lifecycle.
## Working with vault's service discovery labels ## Working with vault's service discovery labels
@ -156,7 +156,7 @@ $ vault write -f sys/replication/performance/primary/enable \
In conjunction with the pod labels and the `OnDelete` upgrade strategy, upgrades are much easier to orchestrate: In conjunction with the pod labels and the `OnDelete` upgrade strategy, upgrades are much easier to orchestrate:
```shell-session ```shell-session
$ helm upgrade vault --set='server.image.tag=1.13.1' $ helm upgrade vault --set='server.image.tag=1.14.0'
$ kubectl delete pod --selector=vault-active=false \ $ kubectl delete pod --selector=vault-active=false \
--selector=vault-version=1.2.3 --selector=vault-version=1.2.3

View File

@ -85,7 +85,7 @@ and consider if they're appropriate for your deployment.
- `repository` (`string: "hashicorp/vault"`) - The name of the Docker image for the Vault Agent sidecar. This should be set to the official Vault Docker image. - `repository` (`string: "hashicorp/vault"`) - The name of the Docker image for the Vault Agent sidecar. This should be set to the official Vault Docker image.
- `tag` (`string: "1.13.1"`) - The tag of the Vault Docker image to use for the Vault Agent Sidecar. **Vault 1.3.1+ is required by the admission controller**. - `tag` (`string: "1.14.0"`) - The tag of the Vault Docker image to use for the Vault Agent Sidecar. **Vault 1.3.1+ is required by the admission controller**.
- `agentDefaults` - Values that configure the injected Vault Agent containers default values. - `agentDefaults` - Values that configure the injected Vault Agent containers default values.
@ -97,6 +97,10 @@ and consider if they're appropriate for your deployment.
- `memRequest` (`string: "64Mi"`) - The default memory request for injected Vault Agent containers. - `memRequest` (`string: "64Mi"`) - The default memory request for injected Vault Agent containers.
- `ephemeralLimit` (`string: ""`) - The default ephemeral storage limit for injected Vault Agent containers.
- `ephemeralRequest` (`string: ""`) - The default ephemeral storage request for injected Vault Agent containers.
- `template` (`string: "map"`) - The default template type for rendered secrets if no custom templates are defined. - `template` (`string: "map"`) - The default template type for rendered secrets if no custom templates are defined.
Possible values include `map` and `json`. Possible values include `map` and `json`.
@ -345,7 +349,7 @@ and consider if they're appropriate for your deployment.
- `repository` (`string: "hashicorp/vault"`) - The name of the Docker image for the containers running Vault. - `repository` (`string: "hashicorp/vault"`) - The name of the Docker image for the containers running Vault.
- `tag` (`string: "1.13.1"`) - The tag of the Docker image for the containers running Vault. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller. - `tag` (`string: "1.14.0"`) - The tag of the Docker image for the containers running Vault. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller.
- `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists. - `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists.
@ -357,7 +361,7 @@ and consider if they're appropriate for your deployment.
- `logFormat` (`string: ""`) - Configures the Vault server logging format. If set this will override values defined in the Vault configuration file. - `logFormat` (`string: ""`) - Configures the Vault server logging format. If set this will override values defined in the Vault configuration file.
Supported log formats include: `standard`, `json`. Supported log formats include: `standard`, `json`.
- `resources` (`dictionary: {}`) - The resource requests and limits (CPU, memory, etc.) for each container of the server. This should be a YAML dictionary of a Kubernetes [ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.15/#resourcerequirements-v1-core) object. If this isn't specified, then the pods won't request any specific amount of resources, which limits the ability for Kubernetes to make efficient use of compute resources. **Setting this is highly recommended.** - `resources` (`dictionary: {}`) - The resource requests and limits (CPU, memory, etc.) for each container of the server. This should be a YAML dictionary of a Kubernetes [resource](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) object. If this isn't specified, then the pods won't request any specific amount of resources, which limits the ability for Kubernetes to make efficient use of compute resources. **Setting this is highly recommended.**
```yaml ```yaml
resources: resources:
@ -722,7 +726,7 @@ and consider if they're appropriate for your deployment.
- `standbyNodePort` (`int:`) - (When HA mode is enabled) If type is set to "NodePort", a specific nodePort value can be configured for the `standby` service, will be random if left blank. - `standbyNodePort` (`int:`) - (When HA mode is enabled) If type is set to "NodePort", a specific nodePort value can be configured for the `standby` service, will be random if left blank.
- `publishNotReadyAddresses` (`boolean: true`) - If true, do not wait for server pods to be ready before adding them to the service pool. - `publishNotReadyAddresses` (`boolean: true`) - If true, do not wait for pods to be ready before including them in the services' targets. Does not apply to the headless service, which is used for cluster-internal communication.
- `instanceSelector` - `instanceSelector`
@ -1028,7 +1032,7 @@ and consider if they're appropriate for your deployment.
- `repository` (`string: "hashicorp/vault-csi-provider"`) - The name of the Docker image for the Vault CSI Provider. - `repository` (`string: "hashicorp/vault-csi-provider"`) - The name of the Docker image for the Vault CSI Provider.
- `tag` (`string: "1.3.0"`) - The tag of the Docker image for the Vault CSI Provider.. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your CSI provider. - `tag` (`string: "1.4.0"`) - The tag of the Docker image for the Vault CSI Provider.. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your CSI provider.
- `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists locally. - `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists locally.
@ -1051,7 +1055,7 @@ and consider if they're appropriate for your deployment.
readOnly: true readOnly: true
``` ```
- `resources` (`dictionary: {}`) - The resource requests and limits (CPU, memory, etc.) for each of the CSI containers. This should be a YAML dictionary of a Kubernetes [ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.15/#resourcerequirements-v1-core) objects. If this isn't specified, then the pods won't request any specific amount of resources, which limits the ability for Kubernetes to make efficient use of compute resources.<br /> **Setting this is highly recommended.** - `resources` (`dictionary: {}`) - The resource requests and limits (CPU, memory, etc.) for each of the CSI containers. This should be a YAML dictionary of a Kubernetes [resource](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) object. If this isn't specified, then the pods won't request any specific amount of resources, which limits the ability for Kubernetes to make efficient use of compute resources.<br /> **Setting this is highly recommended.**
```yaml ```yaml
resources: resources:
@ -1061,6 +1065,8 @@ and consider if they're appropriate for your deployment.
memory: '10Gi' memory: '10Gi'
``` ```
- `hmacSecretName` (`string: ""`) - Override the default secret name for the CSI Provider's HMAC key used for generating secret versions.
- `daemonSet` - Values that configure the Vault CSI Provider daemonSet. - `daemonSet` - Values that configure the Vault CSI Provider daemonSet.
- `updateStrategy` - Values that configure the Vault CSI Provider update strategy. - `updateStrategy` - Values that configure the Vault CSI Provider update strategy.
@ -1109,6 +1115,15 @@ and consider if they're appropriate for your deployment.
- `extraLabels` (`dictionary: {}`) - This value defines additional labels for CSI provider pods. - `extraLabels` (`dictionary: {}`) - This value defines additional labels for CSI provider pods.
- `nodeSelector` (`dictionary: {}`) - [nodeSelector](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) labels for csi pod assignment, formatted as a multi-line string or YAML map.
```yaml
nodeSelector:
beta.kubernetes.io/arch: amd64
```
- `affinity` (`dictionary: {}`) - This should be either a multi-line string or YAML matching the PodSpec's affinity field.
- `tolerations` (`array: []`) - Toleration Settings for CSI pods. This should be a multi-line string or YAML matching the Toleration array in a PodSpec. - `tolerations` (`array: []`) - Toleration Settings for CSI pods. This should be a multi-line string or YAML matching the Toleration array in a PodSpec.
- `priorityClassName` (`string: ""`) - Priority class for CSI Provider pods - `priorityClassName` (`string: ""`) - Priority class for CSI Provider pods
@ -1166,7 +1181,7 @@ and consider if they're appropriate for your deployment.
- `repository` (`string: "hashicorp/vault"`) - The name of the Docker image for the Vault Agent sidecar. This should be set to the official Vault Docker image. - `repository` (`string: "hashicorp/vault"`) - The name of the Docker image for the Vault Agent sidecar. This should be set to the official Vault Docker image.
- `tag` (`string: "1.13.1"`) - The tag of the Vault Docker image to use for the Vault Agent Sidecar. - `tag` (`string: "1.14.0"`) - The tag of the Vault Docker image to use for the Vault Agent Sidecar.
- `logFormat` (`string: "standard"`) - - `logFormat` (`string: "standard"`) -
- `logLevel` (`string: "info"`) - - `logLevel` (`string: "info"`) -
@ -1233,7 +1248,7 @@ and consider if they're appropriate for your deployment.
- `selectors` (`dictionary: {}`) - Selector labels to add to the Prometheus rules. - `selectors` (`dictionary: {}`) - Selector labels to add to the Prometheus rules.
- `rules`: (`dictionary: {}`) - Prometheus rules to create. - `rules`: (`array: []`) - Prometheus rules to create.
For example: For example:
```yaml ```yaml

View File

@ -33,7 +33,7 @@ In your chart overrides, set the values of [`server.image`](/vault/docs/platform
server: server:
image: image:
repository: hashicorp/vault-enterprise repository: hashicorp/vault-enterprise
tag: 1.13.1-ent tag: 1.14.0-ent
enterpriseLicense: enterpriseLicense:
secretName: vault-ent-license secretName: vault-ent-license
``` ```

View File

@ -23,7 +23,7 @@ First, create the primary cluster:
```shell ```shell
helm install vault-primary hashicorp/vault \ helm install vault-primary hashicorp/vault \
--set='server.image.repository=hashicorp/vault-enterprise' \ --set='server.image.repository=hashicorp/vault-enterprise' \
--set='server.image.tag=1.13.1-ent' \ --set='server.image.tag=1.14.0-ent' \
--set='server.ha.enabled=true' \ --set='server.ha.enabled=true' \
--set='server.ha.raft.enabled=true' --set='server.ha.raft.enabled=true'
``` ```
@ -75,7 +75,7 @@ disaster recovery replication.
```shell ```shell
helm install vault-secondary hashicorp/vault \ helm install vault-secondary hashicorp/vault \
--set='server.image.repository=hashicorp/vault-enterprise' \ --set='server.image.repository=hashicorp/vault-enterprise' \
--set='server.image.tag=1.13.1-ent' \ --set='server.image.tag=1.14.0-ent' \
--set='server.ha.enabled=true' \ --set='server.ha.enabled=true' \
--set='server.ha.raft.enabled=true' --set='server.ha.raft.enabled=true'
``` ```

View File

@ -23,7 +23,7 @@ First, create the primary cluster:
```shell ```shell
helm install vault-primary hashicorp/vault \ helm install vault-primary hashicorp/vault \
--set='server.image.repository=hashicorp/vault-enterprise' \ --set='server.image.repository=hashicorp/vault-enterprise' \
--set='server.image.tag=1.13.1-ent' \ --set='server.image.tag=1.14.0-ent' \
--set='server.ha.enabled=true' \ --set='server.ha.enabled=true' \
--set='server.ha.raft.enabled=true' --set='server.ha.raft.enabled=true'
``` ```
@ -74,7 +74,7 @@ With the primary cluster created, next create a secondary cluster.
```shell ```shell
helm install vault-secondary hashicorp/vault \ helm install vault-secondary hashicorp/vault \
--set='server.image.repository=hashicorp/vault-enterprise' \ --set='server.image.repository=hashicorp/vault-enterprise' \
--set='server.image.tag=1.13.1-ent' \ --set='server.image.tag=1.14.0-ent' \
--set='server.ha.enabled=true' \ --set='server.ha.enabled=true' \
--set='server.ha.raft.enabled=true' --set='server.ha.raft.enabled=true'
``` ```

View File

@ -15,7 +15,7 @@ Integrated Storage (raft) can be enabled using the `server.ha.raft.enabled` valu
```shell ```shell
helm install vault hashicorp/vault \ helm install vault hashicorp/vault \
--set='server.image.repository=hashicorp/vault-enterprise' \ --set='server.image.repository=hashicorp/vault-enterprise' \
--set='server.image.tag=1.13.1-ent' \ --set='server.image.tag=1.14.0-ent' \
--set='server.ha.enabled=true' \ --set='server.ha.enabled=true' \
--set='server.ha.raft.enabled=true' --set='server.ha.raft.enabled=true'
``` ```

View File

@ -409,14 +409,14 @@ Next, list the Helm versions and choose the desired version to install.
```bash ```bash
$ helm search repo hashicorp/vault $ helm search repo hashicorp/vault
NAME CHART VERSION APP VERSION DESCRIPTION NAME CHART VERSION APP VERSION DESCRIPTION
hashicorp/vault 0.24.0 1.13.1 Official HashiCorp Vault Chart hashicorp/vault 0.25.0 1.14.0 Official HashiCorp Vault Chart
``` ```
Next, test the upgrade with `--dry-run` first to verify the changes sent to the Next, test the upgrade with `--dry-run` first to verify the changes sent to the
Kubernetes cluster. Kubernetes cluster.
```shell-session ```shell-session
$ helm upgrade vault hashicorp/vault --version=0.24.0 \ $ helm upgrade vault hashicorp/vault --version=0.25.0 \
--set='server.image.repository=vault' \ --set='server.image.repository=vault' \
--set='server.image.tag=123.456' \ --set='server.image.tag=123.456' \
--dry-run --dry-run

View File

@ -2,15 +2,15 @@
# List the available releases # List the available releases
$ helm search repo hashicorp/vault -l $ helm search repo hashicorp/vault -l
NAME CHART VERSION APP VERSION DESCRIPTION NAME CHART VERSION APP VERSION DESCRIPTION
hashicorp/vault 0.25.0 1.14.0 Official HashiCorp Vault Chart
hashicorp/vault 0.24.0 1.13.1 Official HashiCorp Vault Chart hashicorp/vault 0.24.0 1.13.1 Official HashiCorp Vault Chart
hashicorp/vault 0.23.0 1.12.1 Official HashiCorp Vault Chart hashicorp/vault 0.23.0 1.12.1 Official HashiCorp Vault Chart
hashicorp/vault 0.22.1 1.12.0 Official HashiCorp Vault Chart hashicorp/vault 0.22.1 1.12.0 Official HashiCorp Vault Chart
hashicorp/vault 0.22.0 1.11.3 Official HashiCorp Vault Chart hashicorp/vault 0.22.0 1.11.3 Official HashiCorp Vault Chart
hashicorp/vault 0.21.0 1.11.2 Official HashiCorp Vault Chart hashicorp/vault 0.21.0 1.11.2 Official HashiCorp Vault Chart
hashicorp/vault 0.20.1 1.10.3 Official HashiCorp Vault Chart hashicorp/vault 0.20.1 1.10.3 Official HashiCorp Vault Chart
hashicorp/vault 0.20.0 1.10.3 Official HashiCorp Vault Chart
... ...
# Install version 0.24.0 # Install version 0.25.0
$ helm install vault hashicorp/vault --version 0.24.0 $ helm install vault hashicorp/vault --version 0.25.0
``` ```

View File

@ -4,5 +4,5 @@ $ helm repo add hashicorp https://helm.releases.hashicorp.com
$ helm search repo hashicorp/vault $ helm search repo hashicorp/vault
NAME CHART VERSION APP VERSION DESCRIPTION NAME CHART VERSION APP VERSION DESCRIPTION
hashicorp/vault 0.24.0 1.13.1 Official HashiCorp Vault Chart hashicorp/vault 0.25.0 1.14.0 Official HashiCorp Vault Chart
``` ```