luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
open-vault/website/content/docs/platform/k8s/helm/terraform.mdx
Bryce Kalow dfc3ad015a
website: content updates for developer (#17035) 
* Chore (dev portal): update learn nav data links  (#15515)

* Update docs-nav-data.json

* Update docs-nav-data.json

* website: fixes internal redirects (#15750)

* chore: remove duplicate overview item (#15805)

* Use `badge` for `<sup>` tags in nav data JSON files (#15928)

* Replacing <sup> tags with badge

* Adding type and color to badges

* fix broken links in vault docs (#15976)

* website: Update old learn links to redirect locations (#16047)

* update previews to render developer UI

* update redirects

* adjust content so it is backwards compat

Co-authored-by: HashiBot <62622282+hashibot-web@users.noreply.github.com>
Co-authored-by: Kendall Strautman <36613477+kendallstrautman@users.noreply.github.com>
Co-authored-by: Ashlee M Boyer <43934258+ashleemboyer@users.noreply.github.com>
2022-09-22 08:11:04 -07:00

276 lines
5.1 KiB
Plaintext
Raw Blame History

---
layout: 'docs'
page_title: 'Configure Vault Helm using Terraform'
sidebar_current: 'docs-platform-k8s-terraform'
description: |-
Describes how to configure the Vault Helm chart using Terraform
---
# Configuring Vault Helm with Terraform
Terraform may also be used to configure and deploy the Vault Helm chart, by using the [Helm provider](https://registry.terraform.io/providers/hashicorp/helm/latest/docs).
For example, to configure the chart to deploy [HA Vault with integrated storage (raft)](/docs/platform/k8s/helm/examples/ha-with-raft), the values overrides can be set on the command-line, in a values yaml file, or with a Terraform configuration:
<CodeTabs>
<CodeBlockConfig>
```shell-session
$ helm install vault hashicorp/vault \
--set='server.ha.enabled=true' \
--set='server.ha.raft.enabled=true'
```
</CodeBlockConfig>
<CodeBlockConfig>
```yaml
server:
ha:
enabled: true
raft:
enabled: true
```
</CodeBlockConfig>
<CodeBlockConfig>
```hcl
provider "helm" {
kubernetes {
config_path = "~/.kube/config"
}
}
resource "helm_release" "vault" {
name = "vault"
repository = "https://helm.releases.hashicorp.com"
chart = "vault"
set {
name = "server.ha.enabled"
value = "true"
}
set {
name = "server.ha.raft.enabled"
value = "true"
}
}
```
</CodeBlockConfig>
</CodeTabs>
The values file can also be used directly in the Terraform configuration with the [`values` directive](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release#values#values).
## Further Examples
### Vault config as a multi-line string
<CodeTabs>
<CodeBlockConfig>
```yaml
server:
ha:
enabled: true
raft:
enabled: true
setNodeId: true
config: |
ui = false
listener "tcp" {
tls_disable = 1
address = "[::]:8200"
cluster_address = "[::]:8201"
}
storage "raft" {
path = "/vault/data"
}
service_registration "kubernetes" {}
seal "awskms" {
region = "us-west-2"
kms_key_id = "alias/my-kms-key"
}
```
</CodeBlockConfig>
<CodeBlockConfig>
```hcl
resource "helm_release" "vault" {
name = "vault"
repository = "https://helm.releases.hashicorp.com"
chart = "vault"
set {
name = "server.ha.enabled"
value = "true"
}
set {
name = "server.ha.raft.enabled"
value = "true"
}
set {
name = "server.ha.raft.setNodeId"
value = "true"
}
set {
name = "server.ha.raft.config"
value = <<EOT
ui = false
listener "tcp" {
tls_disable = 1
address = "[::]:8200"
cluster_address = "[::]:8201"
}
storage "raft" {
path = "/vault/data"
}
service_registration "kubernetes" {}
seal "awskms" {
region = "us-west-2"
kms_key_id = "alias/my-kms-key"
}
EOT
}
}
```
</CodeBlockConfig>
</CodeTabs>
### Lists of volumes and volumeMounts
<CodeTabs>
<CodeBlockConfig>
```yaml
server:
volumes:
- name: userconfig-my-gcp-iam
secret:
defaultMode: 420
secretName: my-gcp-iam
volumeMounts:
- mountPath: /vault/userconfig/my-gcp-iam
name: userconfig-my-gcp-iam
readOnly: true
```
</CodeBlockConfig>
<CodeBlockConfig>
```hcl
resource "helm_release" "vault" {
name = "vault"
repository = "https://helm.releases.hashicorp.com"
chart = "vault"
set {
name = "server.volumes[0].name"
value = "userconfig-my-gcp-iam"
}
set {
name = "server.volumes[0].secret.defaultMode"
value = "420"
}
set {
name = "server.volumes[0].secret.secretName"
value = "my-gcp-iam"
}
set {
name = "server.volumeMounts[0].mountPath"
value = "/vault/userconfig/my-gcp-iam"
}
set {
name = "server.volumeMounts[0].name"
value = "userconfig-my-gcp-iam"
}
set {
name = "server.volumeMounts[0].readOnly"
value = "true"
}
}
```
</CodeBlockConfig>
</CodeTabs>
### Annotations
Annotations can be set as a YAML map:
<CodeTabs>
<CodeBlockConfig>
```yaml
server:
ingress:
annotations:
service.beta.kubernetes.io/azure-load-balancer-internal: true
service.beta.kubernetes.io/azure-load-balancer-internal-subnet: apps-subnet
```
</CodeBlockConfig>
<CodeBlockConfig>
```hcl
set {
name = "server.ingress.annotations.service\\.beta\\.kubernetes\\.io/azure-load-balancer-internal"
value = "true"
}
set {
name = "server.ingress.annotations.service\\.beta\\.kubernetes\\.io/azure-load-balancer-internal-subnet"
value = "apps-subnet"
}
```
</CodeBlockConfig>
</CodeTabs>
or as a multi-line string:
<CodeTabs>
<CodeBlockConfig>
```yaml
server:
ingress:
annotations: |
service.beta.kubernetes.io/azure-load-balancer-internal: true
service.beta.kubernetes.io/azure-load-balancer-internal-subnet: apps-subnet
```
</CodeBlockConfig>
<CodeBlockConfig>
```hcl
set {
name = "server.ingress.annotations"
value = yamlencode({
"service.beta.kubernetes.io/azure-load-balancer-internal": "true"
"service.beta.kubernetes.io/azure-load-balancer-internal-subnet": "apps-subnet"
})
type = "auto"
}
```
</CodeBlockConfig>
</CodeTabs>
Reference in a new issue View git blame Copy permalink