From 42ec7fbd4e445201c94837133f07cb95b597dee2 Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Mon, 11 Nov 2019 11:07:35 -0500
Subject: [PATCH] doc: update vault-helm for 0.2.0 (#7759)

* doc: update vault-helm for 0.2.0
* Update website/source/docs/platform/k8s/helm.html.md
Co-Authored-By: Jim Kalafut
* Update website/source/docs/platform/k8s/helm.html.md
Co-Authored-By: Jim Kalafut
* Update website/source/docs/platform/k8s/helm.html.md
Co-Authored-By: Jim Kalafut
* Remove commas from example
---
 website/source/docs/platform/k8s/helm.html.md | 108 ++++++++++++++--
 website/source/docs/platform/k8s/run.html.md | 119 +++++++++++++++++-
 2 files changed, 216 insertions(+), 11 deletions(-)

diff --git a/website/source/docs/platform/k8s/helm.html.md b/website/source/docs/platform/k8s/helm.html.md
index fd5e885b01..8a34d327f3 100644
--- a/website/source/docs/platform/k8s/helm.html.md
+++ b/website/source/docs/platform/k8s/helm.html.md
@@ -52,7 +52,7 @@ $ git clone https://github.com/hashicorp/vault-helm.git
 $ cd vault-helm
 # Checkout a tagged version
-$ git checkout v0.1.2
+$ git checkout v0.2.0
 # Run Helm
 $ helm install --dry-run ./
@@ -71,11 +71,22 @@ and consider if they're appropriate for your deployment.
 * `enabled` (`boolean: true`) - The master enabled/disabled configuration. If this is true, most components will be installed by default. If this is false, no components will be installed by default and manually opting-in is required, such as by setting `server.enabled` to true.
 * `image` (`string: "vault:latest"`) - The name of the Docker image (including any tag) for the containers running Vault. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your Vault version.
+
+ * `imagePullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists.
+
+ * `imagePullSecrets` (`string: ""`) - Defines secrets to be used when pulling images from private registries.
+
+ - `name`: (`string: required`) -
+ Name of the secret containing files required for authentication to private image registries.
 * `tlsDisable` (`boolean: true`) - When set to `true`, changes URLs from `https` to `http` (such as the `VAULT_ADDR=http://127.0.0.1:8200` environment variable set on the Vault pods).
 * `server` - Values that configure running a Vault server within Kubernetes.
+ * `securityContext` - Values that configure Vault pods security context.
+
+ - `readOnlyRootFilesystem` (`boolean: true`) - When set to `true`, the root filesystem of the container is read only.
+
 * `resources` (`string: null`) - The resource requests and limits (CPU, memory, etc.) for each of the server. This should be a multi-line string mapping directly to a Kubernetes [ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#resourcerequirements-v1-core) object. If this isn't specified, then the pods won't request any specific amount of resources. **Setting this is highly recommended.**
 ```yaml
@@ -86,6 +97,43 @@ and consider if they're appropriate for your deployment.
 limits:
 memory: "10Gi"
 ```
+
+ * `ingress` - Values that configure Ingress services for Vault.
+
+ - `enabled` (`boolean: false`) - When set to `true`, an [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) service will be created.
+
+ - `annotations` (`string`) - This value defines additional annotations to add to the Ingress service. This should be formatted as a multi-line string.
+
+ ```yaml
+ annotations: |
+ kubernetes.io/ingress.class: nginx
+ kubernetes.io/tls-acme: "true"
+ ```
+ * `hosts` - Values that configure the Ingress host rules.
+
+ - `host`: Name of the host to use for Ingress.
+
+ - `paths`: This value defines the types of host rules for the Ingress service.
+
+ ```yaml
+ paths:
+ - backend:
+ serviceName: service2
+ servicePort: 80
+ ```
+
+ * `tls` - Values that configure the Ingress TLS rules.
+
+ - `hosts`: Name of the hosts defined in the Common Name of the TLS Certificate. This should be formated as a multi-line string.
+
+ - `secretName`: Name of the secret containing the required TLS files such as certificates and keys.
+
+ ```yaml
+ hosts:
+ - sslexample.foo.com
+ - sslexample.bar.com
+ secretName: testsecret-tls
+ ```
 * `authDelegator` - Values that configure the Cluster Role Binding attached to the Vault service account.
@@ -173,6 +221,14 @@ and consider if they're appropriate for your deployment.
 disktype: ssd
 ```
+ * `extraLabels` (`string`) - This value defines additional labels for server pods. This should be formatted as a multi-line string.
+
+ ```yaml
+ extraLabels: |
+ "sample/label1": "foo"
+ "sample/label2": "bar"
+ ```
+
 * `annotations` (`string`) - This value defines additional annotations for server pods. This should be a formatted as a multi-line string.
 ```yaml
@@ -186,6 +242,28 @@ and consider if they're appropriate for your deployment.
 - `enabled` (`boolean: true`) - When set to `true`, a Kubernetes service will be created for Vault.
 - `clusterIP` (`string`) - ClusterIP controls whether an IP address (cluster IP) is attached to the Vault service within Kubernetes. By default the Vault service will be given a Cluster IP address, set to `None` to disable. When disabled Kubernetes will create a "headless" service. Headless services can be used to communicate with pods directly through DNS instead of a round robin load balancer.
+
+ - `port` (`int: 8200`) - Port on which Vault server is listening inside the pod.
+
+ - `targetPort` (`int: 8200`) - Port on which the service is listening.
+
+ - `annotations` (`string`) - This value defines additional annotations for the service. This should be formatted as a multi-line string.
+
+ ```yaml
+ annotations: |
+ "sample/annotation1": "foo"
+ "sample/annotation2": "bar"
+ ```
+
+ * `serviceAccount` - Values that configure the Kubernetes service account created for Vault.
+
+ - `annotations` (`string`) - This value defines additional annotations for the service account. This should be formatted as a multi-line string.
+
+ ```yaml
+ annotations: |
+ "sample/annotation1": "foo"
+ "sample/annotation2": "bar"
+ ```
 * `extraVolumes` - This configures the `Service` resource created for the Vault server.
@@ -319,6 +397,19 @@ and consider if they're appropriate for your deployment.
 - `serviceNodePort` (`int: null`) - Sets the Node Port value when using `serviceType: NodePort` on the Vault UI service.
+
+ - `externalPort` (`int: 8200`) -
+ Sets the external port value of the service.
+
+ - `loadBalancerSourceRanges` (`string`) - This value defines additional source CIDRs when using `serviceType: LoadBalancer`. This should be formatted as a multi-line string.
+
+ ```yaml
+ loadBalancerSourceRanges:
+ - 10.0.0.0/16
+ - 120.78.23.3/32
+ ```
+
+ - `loadBalancerIP` (`string`) - This value defines the IP address of the load balancer when using `serviceType: LoadBalancer`.
 - `annotations` (`string`) - This value defines additional annotations for the UI service. This should be a formatted as a multi-line string.
@@ -340,7 +431,7 @@ The below `values.yaml` can be used to set up a single server Vault cluster with
 ```yaml
 global:
 enabled: true
- image: "vault:1.2.2"
+ image: "vault:1.2.4"
 server:
 standalone:
@@ -380,7 +471,7 @@ certificate authority:
 ```yaml
 global:
 enabled: true
- image: "vault:1.2.2"
+ image: "vault:1.2.4"
 tlsDisable: false
 server:
@@ -421,7 +512,7 @@ auditing enabled.
 ```yaml
 global:
 enabled: true
- image: "vault:1.2.2"
+ image: "vault:1.2.4"
 server:
 standalone:
@@ -468,18 +559,17 @@ Consul as a highly available storage backend, Google Cloud KMS for Auto Unseal.
 ```yaml
 global:
 enabled: true
- image: "vault:1.2.2"
+ image: "vault:1.2.4"
 server:
 extraEnvironmentVars:
- GOOGLE_REGION: global,
- GOOGLE_PROJECT: myproject,
- GOOGLE_CREDENTIALS: /vault/userconfig/my-gcp-iam/myproject-creds.json
+ GOOGLE_REGION: global
+ GOOGLE_PROJECT: myproject
+ GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/my-gcp-iam/myproject-creds.json
 extraVolumes: []
 - type: secret
 name: my-gcp-iam
- load: false
 affinity: |
 podAntiAffinity:
diff --git a/website/source/docs/platform/k8s/run.html.md b/website/source/docs/platform/k8s/run.html.md
index 2a5569dcc8..4290a94e5e 100644
--- a/website/source/docs/platform/k8s/run.html.md
+++ b/website/source/docs/platform/k8s/run.html.md
@@ -60,7 +60,7 @@ $ git clone https://github.com/hashicorp/vault-helm.git
 $ cd vault-helm
 # Checkout a tagged version
-$ git checkout v0.1.2
+$ git checkout v0.2.0
 # Run Helm
 $ helm install --name vault ./
@@ -118,7 +118,7 @@ global:
 Next, run the upgrade. You should run this with `--dry-run` first to verify the changes that will be sent to the Kubernetes cluster.
-```
+```shell
 $ helm upgrade vault ./
 ...
 ```
@@ -174,6 +174,121 @@ $ kubectl exec -ti -- vault operator unseal
 After a few moments the Vault cluster should elect a new active primary. The Vault cluster is now upgraded!
+#### Google KMS Auto Unseal
+
+In order to authenticate and use KMS in Google Cloud, Vault Helm needs credentials. The `credentials.json`
+file will need to be mounted as a secret to the Vault container.
+
+
+##### Create the Secret
+
+First, create the secret in Kubernetes:
+
+```bash
+kubectl create secret generic kms-creds --from-file=credentials.json
+```
+
+Vault Helm will mount this to `/vault/userconfig/kms-creds/credentials.json`.
+
+##### Config Example
+
+The following is an example of how to configure Vault Helm to use Google KMS:
+
+```yaml
+global:
+ enabled: true
+ image: "vault:1.2.4"
+
+server:
+ extraEnvironmentVars:
+ GOOGLE_REGION:
+ GOOGLE_PROJECT:
+ GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/kms-creds/credentials.json
+
+ extraVolumes:
+ - type: "secret"
+ name: "kms-creds"
+
+ ha:
+ enabled: true
+ replicas: 3
+
+ config: |
+ ui = true
+
+ listener "tcp" {
+ tls_disable = 1
+ address = "[::]:8200"
+ cluster_address = "[::]:8201"
+ }
+
+ seal "gcpckms" {
+ project = ""
+ region = ""
+ key_ring = ""
+ crypto_key = ""
+ }
+
+ storage "consul" {
+ path = "vault"
+ address = "HOST_IP:8500"
+ }
+```
+
+#### Amazon EKS Auto Unseal
+
+In order to authenticate and use EKS in AWS, Vault Helm needs credentials. The AWS access key
+ID and key will be mounted as secret environment variables in the Vault pods.
+
+##### Create the Secret
+
+First, create a secret with your EKS access key/secret:
+
+```bash
+kubectl create secret generic eks-creds\
+ --from-literal=AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID?}" \
+ --from-literal=AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY?}"
+```
+
+##### Config Example
+
+The following is an example of how to configure Vault Helm to use AWS EKS:
+
+```yaml
+global:
+ enabled: true
+ image: "vault:1.2.4"
+
+server:
+ extraSecretEnvironmentVars:
+ - envName: AWS_ACCESS_KEY_ID
+ secretName: eks-creds
+ secretKey: AWS_ACCESS_KEY_ID
+ - envName: AWS_SECRET_ACCESS_KEY
+ secretName: eks-creds
+ secretKey: AWS_SECRET_ACCESS_KEY
+
+ ha:
+ enabled: true
+ config: |
+ ui = true
+
+ listener "tcp" {
+ tls_disable = 1
+ address = "[::]:8200"
+ cluster_address = "[::]:8201"
+ }
+
+ seal "awskms" {
+ region = "KMS_REGION_HERE"
+ kms_key_id = "KMS_KEY_ID_HERE"
+ }
+
+ storage "consul" {
+ path = "vault"
+ address = "HOST_IP:8500"
+ }
+```
 ## Architecture