From b26f9dea0d0859f13f2761d5073b1265dee6d7c7 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Fri, 21 Feb 2020 12:10:38 -0800 Subject: [PATCH] docs: vault-helm 0.4.0 updates (#8318) Updated docs for vault-helm 0.4.0 configuration changes, and helm 3 support (dropping helm 2). Also some spelling changes, and shortened page titles for the k8s helm examples. --- .../docs/platform/k8s/helm/configuration.mdx | 26 +++++++++---------- .../k8s/helm/examples/ha-with-consul.mdx | 4 +-- .../docs/platform/k8s/helm/examples/index.mdx | 2 +- .../k8s/helm/examples/kubernetes-auth.mdx | 2 +- .../k8s/helm/examples/standalone-audit.mdx | 4 +-- .../examples/standalone-load-balanced-ui.mdx | 4 +-- .../k8s/helm/examples/standalone-tls.mdx | 4 +-- .../pages/docs/platform/k8s/helm/index.mdx | 8 +++--- website/pages/docs/platform/k8s/helm/run.mdx | 18 ++++++------- .../platform/k8s/injector/installation.mdx | 6 ++--- 10 files changed, 39 insertions(+), 39 deletions(-) diff --git a/website/pages/docs/platform/k8s/helm/configuration.mdx b/website/pages/docs/platform/k8s/helm/configuration.mdx index f3a3804473..4841ffa91d 100644 --- a/website/pages/docs/platform/k8s/helm/configuration.mdx +++ b/website/pages/docs/platform/k8s/helm/configuration.mdx 
@@ -7,10 +7,10 @@ description: This section documents configuration options for the Vault Helm cha # Configuration -~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart. +~> **Important Note:** This chart is not compatible with Helm 2. Please use Helm 3 with this chart. The chart is highly customizable using -[Helm configuration values](https://docs.helm.sh/using_helm/#customizing-the-chart-before-installing). +[Helm configuration values](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). Each value has a default tuned for an optimal getting started experience with Vault. Before going into production, please review the parameters below and consider if they're appropriate for your deployment. @@ -29,6 +29,8 @@ and consider if they're appropriate for your deployment. - `enabled` (`boolean: true`) - When set to `true`, the Vault Agent Injector Admission Webhook controller will be created. + - `externalVaultAddr` (`string: ""`) - External vault server address for the injector to use. Setting this will disable deployment of the vault server, and only deploy the injector. + - `image` - Values that configure the Vault Agent Injector Docker image. - `repository` (`string: "hashicorp/vault-k8s"`) - The name of the Docker image for Vault Agent Injector. 
@@ -84,6 +86,8 @@ and consider if they're appropriate for your deployment. - `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists. + - `updateStrategyType` (`string: "OnDelete"`) - Configure the [Update Strategy Type](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies) for the StatefulSet. + - `resources` (`string: null`) - The resource requests and limits (CPU, memory, etc.) for each of the server. This should be a multi-line string mapping directly to a Kubernetes [ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#resourcerequirements-v1-core) object. If this isn't specified, then the pods won't request any specific amount of resources. **Setting this is highly recommended.** ```yaml @@ -141,7 +145,7 @@ and consider if they're appropriate for your deployment. - `enabled` (`boolean: true`) - When set to `true`, a readiness probe will be applied to the Vault pods. - - `path` (`string: ""`) - When set to a value, enables HTTP/HTTPS probes instead of using the default `exec` probe. The http/https scheme is controled by the `tlsDisable` value. + - `path` (`string: ""`) - When set to a value, enables HTTP/HTTPS probes instead of using the default `exec` probe. The http/https scheme is controlled by the `tlsDisable` value. ```yaml readinessProbe: 
@@ -153,7 +157,7 @@ and consider if they're appropriate for your deployment. - `enabled` (`boolean: false`) - When set to `true`, a liveliness probe will be applied to the Vault pods. - - `path` (`string: "/v1/sys/health?standbyok=true"`) - When set to a value, enables HTTP/HTTPS probes instead of using the default `exec` probe. The http/https scheme is controled by the `tlsDisable` value. + - `path` (`string: "/v1/sys/health?standbyok=true"`) - When set to a value, enables HTTP/HTTPS probes instead of using the default `exec` probe. The http/https scheme is controlled by the `tlsDisable` value. - `initialDelaySeconds` (`int: 60`) - Sets the initial delay of the liveliness probe when the container starts. @@ -164,6 +168,8 @@ and consider if they're appropriate for your deployment. initialDelaySeconds: 60 ``` + - `preStopSleepSeconds` (`int: 5`) - Used to set the sleep time during the preStop step. + - `extraContainers` (`array: []`) - The extra containers to be applied to the Vault server pods. ```yaml @@ -173,14 +179,6 @@ and consider if they're appropriate for your deployment. env: ... ``` - ```yaml - # Extra Environment Variables are defined as key/value strings. - extraEnvironmentVars: - GOOGLE_REGION: global - GOOGLE_PROJECT: myproject - GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/myproject/myproject-creds.json - ``` - - `extraEnvironmentVars` - The extra environment variables to be applied to the Vault server. This should be a multi-line key/value string. ```yaml @@ -191,6 +189,8 @@ and consider if they're appropriate for your deployment. GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/myproject/myproject-creds.json ``` + - `shareProcessNamespace` (`boolean: false`) - Enables process namespace sharing between Vault and the extraContainers. This is useful if Vault must be signaled, e.g. to send a SIGHUP for log rotation. + - `extraArgs` (`string: null`) - The extra arguments to be applied to the Vault server startup command. ```yaml 
@@ -397,7 +397,7 @@ and consider if they're appropriate for your deployment. The number of pods to deploy to create a highly available cluster of Vault servers. - `updatePartition` (`int: 0`) - - If an updatePartition is specified, all Pods with an ordinal that is greater than or equal to the partition will be updated when the StatefulSet’s `.spec.template` is updated. If set to `0`, this disables parition updates. For more information see the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#rolling-updates). + If an updatePartition is specified, all Pods with an ordinal that is greater than or equal to the partition will be updated when the StatefulSet’s `.spec.template` is updated. If set to `0`, this disables partition updates. For more information see the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#rolling-updates). - `config` (`string: "{}"`) - A raw string of extra HCL or JSON [configuration](/docs/configuration) for Vault servers. diff --git a/website/pages/docs/platform/k8s/helm/examples/ha-with-consul.mdx b/website/pages/docs/platform/k8s/helm/examples/ha-with-consul.mdx index 98f13a758f..ef7e72cfa5 100644 --- a/website/pages/docs/platform/k8s/helm/examples/ha-with-consul.mdx +++ b/website/pages/docs/platform/k8s/helm/examples/ha-with-consul.mdx 
@@ -2,14 +2,14 @@ layout: "docs" page_title: "Highly Available Vault Cluster with Consul" sidebar_current: "docs-platform-k8s-examples-ha-with-consul" -sidebar_title: "Highly Available Vault Cluster with Consul" +sidebar_title: "Highly Available Cluster with Consul" description: |- Describes how to set up a highly available Vault cluster with Consul backend --- # Highly Available Vault Cluster with Consul -~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart. +~> **Important Note:** This chart is not compatible with Helm 2. Please use Helm 3 with this chart. The below `values.yaml` can be used to set up a five server Vault cluster using Consul as a highly available storage backend, Google Cloud KMS for Auto Unseal. diff --git a/website/pages/docs/platform/k8s/helm/examples/index.mdx b/website/pages/docs/platform/k8s/helm/examples/index.mdx index 32be2bd514..c8db55ba47 100644 --- a/website/pages/docs/platform/k8s/helm/examples/index.mdx +++ b/website/pages/docs/platform/k8s/helm/examples/index.mdx @@ -9,7 +9,7 @@ description: |- # Helm Chart Examples -~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart. +~> **Important Note:** This chart is not compatible with Helm 2. Please use Helm 3 with this chart. These are a collection of examples of common configurations for Vault using the Helm chart. diff --git a/website/pages/docs/platform/k8s/helm/examples/kubernetes-auth.mdx b/website/pages/docs/platform/k8s/helm/examples/kubernetes-auth.mdx index c5c55da35b..1a3843f0cc 100644 --- a/website/pages/docs/platform/k8s/helm/examples/kubernetes-auth.mdx +++ b/website/pages/docs/platform/k8s/helm/examples/kubernetes-auth.mdx 
@@ -9,7 +9,7 @@ description: |- # Bootstrapping Kubernetes Auth Method -~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart. +~> **Important Note:** This chart is not compatible with Helm 2. Please use Helm 3 with this chart. In this example, we will walk through how to set up the [Kubernetes Auth Method](/docs/auth/kubernetes.html). diff --git a/website/pages/docs/platform/k8s/helm/examples/standalone-audit.mdx b/website/pages/docs/platform/k8s/helm/examples/standalone-audit.mdx index fb86b2a89e..1a48f7fa19 100644 --- a/website/pages/docs/platform/k8s/helm/examples/standalone-audit.mdx +++ b/website/pages/docs/platform/k8s/helm/examples/standalone-audit.mdx @@ -2,14 +2,14 @@ layout: "docs" page_title: "Standalone Server with Audit Storage" sidebar_current: "docs-platform-k8s-examples-standalone-audit" -sidebar_title: "Standalone Server with Audit Storage" +sidebar_title: "Standalone with Audit Storage" description: |- Describes how to set up a standalone Vault with audit storage --- # Standalone Server with Audit Storage -~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart. +~> **Important Note:** This chart is not compatible with Helm 2. Please use Helm 3 with this chart. The below `values.yaml` can be used to set up a single server Vault cluster with auditing enabled. diff --git a/website/pages/docs/platform/k8s/helm/examples/standalone-load-balanced-ui.mdx b/website/pages/docs/platform/k8s/helm/examples/standalone-load-balanced-ui.mdx index accb096b70..57301f8583 100644 --- a/website/pages/docs/platform/k8s/helm/examples/standalone-load-balanced-ui.mdx +++ b/website/pages/docs/platform/k8s/helm/examples/standalone-load-balanced-ui.mdx 
@@ -2,14 +2,14 @@ layout: "docs" page_title: "Standalone Server with Load Balanced UI" sidebar_current: "docs-platform-k8s-examples-standalone-load-balanced-ui" -sidebar_title: "Standalone Server with Load Balanced UI" +sidebar_title: "Standalone with Load Balanced UI" description: |- Describes how to set up a standalone Vault with a load balanced UI --- # Standalone Server with Load Balanced UI -~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart. +~> **Important Note:** This chart is not compatible with Helm 2. Please use Helm 3 with this chart. The below `values.yaml` can be used to set up a single server Vault cluster with a LoadBalancer to allow external access to the UI and API. diff --git a/website/pages/docs/platform/k8s/helm/examples/standalone-tls.mdx b/website/pages/docs/platform/k8s/helm/examples/standalone-tls.mdx index ee7be33987..04acdf56e7 100644 --- a/website/pages/docs/platform/k8s/helm/examples/standalone-tls.mdx +++ b/website/pages/docs/platform/k8s/helm/examples/standalone-tls.mdx @@ -2,14 +2,14 @@ layout: "docs" page_title: "Standalone Server with TLS" sidebar_current: "docs-platform-k8s-examples-standalone-tls" -sidebar_title: "Standalone Server with TLS" +sidebar_title: "Standalone with TLS" description: |- Describes how to set up a standalone Vault with TLS certificate --- # Standalone Server with TLS -~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart. +~> **Important Note:** This chart is not compatible with Helm 2. Please use Helm 3 with this chart. This example can be used to set up a single server Vault cluster using TLS. diff --git a/website/pages/docs/platform/k8s/helm/index.mdx b/website/pages/docs/platform/k8s/helm/index.mdx index 9ab814ced8..00a6237da5 100644 --- a/website/pages/docs/platform/k8s/helm/index.mdx +++ b/website/pages/docs/platform/k8s/helm/index.mdx 
@@ -9,7 +9,7 @@ description: >- # Helm Chart -~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart. +~> **Important Note:** This chart is not compatible with Helm 2. Please use Helm 3 with this chart. The [Vault Helm chart](https://github.com/hashicorp/vault-helm) is the recommended way to install and configure Vault on Kubernetes. @@ -17,7 +17,7 @@ In addition to running Vault itself, the Helm chart is the primary method for installing and configuring Vault to integrate with other services such as Consul for High Availability deployments. -This page assumes general knowledge of [Helm](https://v2.helm.sh/) and +This page assumes general knowledge of [Helm](https://helm.sh/) and how to use it. Using Helm to install Vault will require that Helm is properly installed and configured with your Kubernetes cluster. @@ -54,8 +54,8 @@ $ git clone https://github.com/hashicorp/vault-helm.git $ cd vault-helm # Checkout a tagged version -$ git checkout v0.3.3 +$ git checkout v0.4.0 # Run Helm -$ helm install --dry-run ./ +$ helm install vault ./ ``` diff --git a/website/pages/docs/platform/k8s/helm/run.mdx b/website/pages/docs/platform/k8s/helm/run.mdx index e27c3a3205..4ca3d4ef10 100644 --- a/website/pages/docs/platform/k8s/helm/run.mdx +++ b/website/pages/docs/platform/k8s/helm/run.mdx @@ -4,7 +4,7 @@ page_title: Running Vault - Kubernetes sidebar_title: Running Vault description: >- Vault can run directly on Kubernetes in various configurations. For - pure-Kubernetes worloads, this enables Vault to also exist purely within + pure-Kubernetes workloads, this enables Vault to also exist purely within Kubernetes. --- 
@@ -19,7 +19,7 @@ This page starts with a large how-to section for various specific tasks. !> **IMPORTANT NOTE:** Vault Enterprise is currently not supported. We are actively working a version for Vault Enterprise and it will be available in the future. -~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart. +~> **Important Note:** This chart is not compatible with Helm 2. Please use Helm 3 with this chart. ## Helm Chart @@ -63,10 +63,10 @@ $ git clone https://github.com/hashicorp/vault-helm.git $ cd vault-helm # Checkout a tagged version -$ git checkout v0.3.3 +$ git checkout v0.4.0 # Run Helm -$ helm install --name vault ./ +$ helm install vault ./ ... ``` @@ -109,11 +109,11 @@ the [`ui.service` chart values](/docs/platform/k8s/helm#v-ui). To upgrade Vault on Kubernetes, we follow the same pattern as [generally upgrading Vault](/docs/upgrading), except we can use -the Helm chart to update the Vault server Statefulset. It is important to understand +the Helm chart to update the Vault server StatefulSet. It is important to understand how to [generally upgrade Vault](/docs/upgrading) before reading this section. -The Vault Statefulset uses `OnDelete` update strategy. It is critical to use `OnDelete` instead +The Vault StatefulSet uses `OnDelete` update strategy. It is critical to use `OnDelete` instead of `RollingUpdate` because standbys must be updated before the active primary. A failover to an older version of Vault must always be avoided. @@ -149,7 +149,7 @@ $ helm upgrade vault ./ This should cause no changes (although the resource will be updated). If everything is stable, `helm upgrade` can be run. -The `helm upgrade` command should have updated the Statefulset template for +The `helm upgrade` command should have updated the StatefulSet template for the Vault servers, however, no pods have been deleted. The pods must be manually deleted to upgrade. Deleting the pods will not delete any persisted data. 
@@ -161,7 +161,7 @@ $ kubectl delete pod ``` If Vault is deployed using `ha` mode, the standby pods must be upgraded first. -To identify which pod is currently the active primary, run the following commad +To identify which pod is currently the active primary, run the following command on each Vault pod: ```bash @@ -232,7 +232,7 @@ Finally, mount this secret as an extra volume and add an additional `-config` fl to the Vault startup command: ```bash -helm install --name=vault \ +helm install vault \ --set='server.extraVolumes[0].type=secret' \ --set='server.extraVolumes[0].name=vault-storage-config' \ --set='server.extraArgs=-config=/vault/userconfig/vault-storage-config/config.hcl' . diff --git a/website/pages/docs/platform/k8s/injector/installation.mdx b/website/pages/docs/platform/k8s/injector/installation.mdx index 7c41429e8f..d96b99a07d 100644 --- a/website/pages/docs/platform/k8s/injector/installation.mdx +++ b/website/pages/docs/platform/k8s/injector/installation.mdx @@ -20,9 +20,9 @@ upgrade the installation using `helm upgrade` for existing installs or To install a new instance of Vault and the Vault Agent Injector, run the following: ```bash -helm install --name=vault \ +helm install vault \ --set="injector.enabled=true" \ - https://github.com/hashicorp/vault-helm/archive/v0.3.3.tar.gz + https://github.com/hashicorp/vault-helm/archive/v0.4.0.tar.gz ``` Other values in the Helm chart can be used to limit the namespaces the injector @@ -40,7 +40,7 @@ the Vault Agent Injector supports two TLS options: By default, the Vault Agent Injector will bootstrap TLS by generating a certificate authority and creating a certificate/key to be used by the controller. If using -Vault Helm, the chart will automatically create the neccessary DNS entries for the +Vault Helm, the chart will automatically create the necessary DNS entries for the controller's service used to verify the certificate. ### Manual TLS
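Review bot: the configuration.mdx @@ -7 hunk changes the Helm-version banner, and the identical one-line edit is repeated in ha-with-consul.mdx, examples/index.mdx, kubernetes-auth.mdx, standalone-audit.mdx, standalone-load-balanced-ui.mdx, standalone-tls.mdx, helm/index.mdx and run.mdx; with the note copy-pasted nine times, the next compatibility change will need nine edits again. Consider keeping it in one shared partial, or only on helm/index.mdx with the other pages linking to it.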
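Review bot: the `externalVaultAddr` entry in the configuration.mdx @@ -29 hunk should say whether the value is a full URL including the scheme and how the injector's trust of that endpoint is configured, since pointing the injector at a server outside the cluster is exactly where TLS verification matters. Also, "External vault server address" should read "External Vault server address" to match the capitalisation used elsewhere on the page.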
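Review bot: the new `updateStrategyType` option in the configuration.mdx @@ -84 hunk exposes a setting that run.mdx in this same patch calls critical ("It is critical to use `OnDelete` instead of `RollingUpdate` because standbys must be updated before the active primary"), yet the option description carries no warning. Add that caveat, or a link to the upgrade section, next to the default so a reader who switches to `RollingUpdate` knows it can fail over to an older Vault version.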
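Review bot: the configuration.mdx @@ -153 hunk fixes "controled" but leaves "liveliness probe" in the surrounding lines (it appears twice, in the `enabled` and `initialDelaySeconds` descriptions); the Kubernetes term is "liveness probe", and since this is a spelling pass it is worth correcting in the same commit.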
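Review bot: `preStopSleepSeconds` in the configuration.mdx @@ -164 hunk only restates its own name ("Used to set the sleep time during the preStop step"). State what the delay is for, for example what the Vault pod is given time to do before termination, and what a reader trades off by raising or lowering the 5 second default; without that nobody can decide whether to change it.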
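Review bot: the `shareProcessNamespace` description in the configuration.mdx @@ -191 hunk gives the benefit (sending SIGHUP to Vault for log rotation) but not the cost: with a shared PID namespace every container listed in `extraContainers` can see and signal the Vault server process, so a compromised sidecar has more reach into Vault than it otherwise would. Add a sentence saying the default `false` is the safer setting and that it should only be enabled when a sidecar genuinely needs to signal Vault.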
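Review bot: the configuration.mdx @@ -397 hunk corrects "parition", but the sentence stays internally inconsistent: its first half says every pod with an ordinal greater than or equal to the partition is updated, which for `0` means all pods, while the second half says `0` "disables partition updates". Reword to say that `0` means no partitioning (all pods are eligible for the update), or whatever the chart actually does.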
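Review bot: the helm/index.mdx @@ -54 hunk replaces `helm install --dry-run ./` with `helm install vault ./`, so the snippet now performs a real install where it used to be a preview. If that is intended, the "# Run Helm" comment and the surrounding text should say so; otherwise keep `--dry-run`, which Helm 3 still accepts after the release name.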
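Review bot: the run.mdx @@ -19 hunk leaves the unchanged line "We are actively working a version for Vault Enterprise" as is; it is missing "on" ("working on a version") and could be fixed in this spelling pass.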
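Review bot: in the injector/installation.mdx @@ -20 hunk, `--set="injector.enabled=true"` is a no-op, because the configuration.mdx @@ -29 hunk in this same patch documents `enabled` (`boolean: true`) as the default for the injector; either drop the flag or say it is shown for explicitness. Pinning the archive URL to the tagged v0.4.0 release rather than a branch is the right call.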