Jeff Escalante 0c9affe582 New Website! (#8154)
* new documentation website

* ci job adjustment

* update to latest version on downloads page

* remove transition-period scripts

* add netlify toml file

* fix docs patch

* fix ci config?

* revert go.mod changes

* a couple last markdown formatting fixes
2020-01-17 16:18:09 -08:00

---
layout: docs
page_title: Examples
sidebar_title: Examples
description: This section provides example configurations for the Vault Helm chart
---
# Helm Chart Examples
~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
The following are different configuration examples to support a variety of
deployment models.
## Standalone Server with Load Balanced UI
The following `values.yaml` can be used to set up a single-server Vault cluster with a LoadBalancer that allows external access to the UI and API.
```yaml
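global:
  enabled: true

server:
  image:
    repository: 'vault'
    tag: '1.3.1'

  standalone:
    enabled: true
    # Vault server configuration (HCL) passed through verbatim.
    config: |
      ui = true
      listener "tcp" {
        # TLS is disabled on this listener, so the LoadBalancer below exposes the
        # UI and API in plaintext. See the "Standalone Server with TLS" example
        # for a listener that serves TLS.
        tls_disable = 1
        address = "[::]:8200"
        cluster_address = "[::]:8201"
      }
      storage "file" {
        path = "/vault/data"
      }

  service:
    enabled: true

  dataStorage:
    enabled: true
    size: 10Gi
    storageClass: null
    accessMode: ReadWriteOnce

ui:
  enabled: true
  # Exposes the UI/API outside the cluster; combine with a TLS listener unless
  # this is a local test deployment.
  serviceType: LoadBalancer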
```
## Standalone Server with TLS
The following `values.yaml` can be used to set up a single-server Vault cluster using TLS.
This assumes that a Kubernetes `secret` exists containing the server certificate, key and
certificate authority. The secret is referenced by name in `extraVolumes` (here
`vault-server-tls`), and the certificate paths in the listener configuration are built
from that same name:
```yaml
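global:
  enabled: true
  # The listener below serves TLS, so tell the chart not to assume a plaintext API.
  tlsDisable: false

server:
  image:
    repository: 'vault'
    tag: '1.3.1'

  # The secret named here is mounted under /vault/userconfig/<name>/, which is
  # where the tls_* paths in the listener configuration point.
  extraVolumes:
    - type: secret
      name: vault-server-tls

  standalone:
    enabled: true
    # Vault server configuration (HCL) passed through verbatim.
    config: |
      listener "tcp" {
        address = "[::]:8200"
        cluster_address = "[::]:8201"
        tls_cert_file = "/vault/userconfig/vault-server-tls/vault.crt"
        tls_key_file = "/vault/userconfig/vault-server-tls/vault.key"
        # CA used to validate client certificates; client-certificate
        # verification is only enforced when tls_require_and_verify_client_cert
        # is also set, which this example does not do.
        tls_client_ca_file = "/vault/userconfig/vault-server-tls/vault.ca"
      }
      storage "file" {
        path = "/vault/data"
      }

  service:
    enabled: true

  dataStorage:
    enabled: true
    size: 10Gi
    storageClass: null
    accessMode: ReadWriteOnce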
```
## Standalone Server with Audit Storage
The following `values.yaml` can be used to set up a single-server Vault cluster with
a dedicated volume for audit logs.
```yaml
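global:
  enabled: true

server:
  image:
    repository: 'vault'
    tag: '1.3.1'

  standalone:
    enabled: true
    # Vault server configuration (HCL) passed through verbatim.
    config: |
      listener "tcp" {
        # Plaintext listener; see the TLS example for a TLS-terminating listener.
        tls_disable = true
        address = "[::]:8200"
        cluster_address = "[::]:8201"
      }
      storage "file" {
        path = "/vault/data"
      }

  service:
    enabled: true

  dataStorage:
    enabled: true
    size: 10Gi
    storageClass: null
    accessMode: ReadWriteOnce

  # Separate persistent volume for the file audit device so audit logs
  # survive pod restarts independently of the data volume.
  auditStorage:
    enabled: true
    size: 10Gi
    storageClass: null
    accessMode: ReadWriteOnce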
```
After Vault has been deployed, initialized and unsealed, auditing can be enabled
by running the following command against the Vault pod:
```bash
# <POD NAME> is the Vault server pod. The file_path is presumably inside the
# volume provisioned by auditStorage above — confirm the mount path against the
# chart templates before relying on it.
$ kubectl exec -ti <POD NAME> -- vault audit enable file file_path=/vault/audit/vault_audit.log
```
## Highly Available Vault Cluster with Consul
The following `values.yaml` can be used to set up a five-server Vault cluster using
Consul as a highly available storage backend and Google Cloud KMS for auto-unseal.
```yaml
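global:
  enabled: true

server:
  image:
    repository: "vault"
    tag: "1.3.1"

  extraEnvironmentVars:
    GOOGLE_REGION: global
    GOOGLE_PROJECT: myproject
    # Service-account key read from the my-gcp-iam secret mounted below.
    GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/my-gcp-iam/myproject-creds.json

  # Mounted under /vault/userconfig/my-gcp-iam/. Do not write `extraVolumes: []`
  # above the list entries: that sets an empty list and the entries below it
  # are not valid YAML.
  extraVolumes:
    - type: secret
      name: my-gcp-iam

  # Spread the five replicas across nodes so a single node failure does not
  # take down more than one server.
  affinity: |
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchLabels:
              app: {{ template "vault.name" . }}
              release: "{{ .Release.Name }}"
              component: server
          topologyKey: kubernetes.io/hostname

  service:
    enabled: true

  ha:
    enabled: true
    replicas: 5
    # Vault server configuration (HCL) passed through verbatim.
    config: |
      ui = true
      listener "tcp" {
        # Plaintext listener; see the TLS example for a TLS-terminating listener.
        tls_disable = 1
        address = "[::]:8200"
        cluster_address = "[::]:8201"
      }
      storage "consul" {
        path = "vault"
        # HOST_IP is presumably replaced with the node IP by the chart at
        # start-up so each server talks to its local Consul agent — confirm
        # against the chart's server start script.
        address = "HOST_IP:8500"
      }
      seal "gcpckms" {
        project = "myproject"
        region = "global"
        key_ring = "vault-unseal-kr"
        crypto_key = "vault-unseal-key"
      }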
```