clear helm

2022-08-21 22:33:22 +07:00
parent dd1e392213
commit 0f2234f446
2 changed files with 174 additions and 22 deletions
--- a/helm/vault/templates/injector-psp.yaml
+++ b/helm/vault/templates/injector-psp.yaml
@@ -1,5 +1,5 @@
 {{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }}
-apiVersion: policy/v1beta1
+apiVersion: policy/v1
 kind: PodSecurityPolicy
 metadata:
  name: {{ template "vault.fullname" . }}-agent-injector
--- a/helm/vault/values.yaml
+++ b/helm/vault/values.yaml
@@ -4,15 +4,23 @@ global:
  # enabled is the master enabled switch. Setting this to true or false
  # will enable or disable all the components within this chart by default.
  enabled: true
+
  # Image pull secret to use for registry authentication.
  # Alternatively, the value may be specified as an array of strings.
  imagePullSecrets: []
  # imagePullSecrets:
  #   - name: image-pull-secret
+
  # TLS for end-to-end encrypted transport
  tlsDisable: true
+
+  # External vault server address for the injector and CSI provider to use.
+  # Setting this will disable deployment of a vault server.
+  externalVaultAddr: ""
+
  # If deploying to OpenShift
  openshift: false
+
  # Create PodSecurityPolicy for pods
  psp:
    enable: false
@@ -26,6 +34,7 @@ global:

 injector:
  # True if you want to enable vault agent injection.
+  # @default: global.enabled
  enabled: true

  replicas: 1
@@ -40,16 +49,15 @@ injector:

  # If true, will enable a node exporter metrics endpoint at /metrics.
  metrics:
-    enabled: true
+    enabled: false

-  # External vault server address for the injector to use. Setting this will
-  # disable deployment of a vault server along with the injector.
-  externalVaultAddr: "https://vault.bildme.ru"
+  # Deprecated: Please use global.externalVaultAddr instead.
+  externalVaultAddr: ""

  # image sets the repo and tag of the vault-k8s image to use for the injector.
  image:
    repository: "hashicorp/vault-k8s"
-    tag: "0.16.1"
+    tag: "0.17.0"
    pullPolicy: IfNotPresent

  # agentImage sets the repo and tag of the Vault image to use for the Vault Agent
@@ -57,7 +65,7 @@ injector:
  # required.
  agentImage:
    repository: "hashicorp/vault"
-    tag: "1.10.5"
+    tag: "1.11.2"

  # The default values for the injected Vault Agent containers.
  agentDefaults:
@@ -90,6 +98,66 @@ injector:
  # Configures all Vault Agent sidecars to revoke their token when shutting down
  revokeOnShutdown: false

+  webhook:
+    # Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the
+    # API Version of the WebHook.
+    # To block pod creation while webhook is unavailable, set the policy to `Fail` below.
+    # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy
+    #
+    failurePolicy: Ignore
+
+    # matchPolicy specifies the approach to accepting changes based on the rules of
+    # the MutatingWebhookConfiguration.
+    # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy
+    # for more details.
+    #
+    matchPolicy: Exact
+
+    # timeoutSeconds is the amount of seconds before the webhook request will be ignored
+    # or fails.
+    # If it is ignored or fails depends on the failurePolicy
+    # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#timeouts
+    # for more details.
+    #
+    timeoutSeconds: 30
+
+    # namespaceSelector is the selector for restricting the webhook to only
+    # specific namespaces.
+    # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
+    # for more details.
+    # Example:
+    # namespaceSelector:
+    #    matchLabels:
+    #      sidecar-injector: enabled
+    namespaceSelector: {}
+
+    # objectSelector is the selector for restricting the webhook to only
+    # specific labels.
+    # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector
+    # for more details.
+    # Example:
+    # objectSelector:
+    #    matchLabels:
+    #      vault-sidecar-injector: enabled
+    objectSelector: |
+      matchExpressions:
+      - key: app.kubernetes.io/name
+        operator: NotIn
+        values:
+        - {{ template "vault.name" . }}-agent-injector
+
+    # Extra annotations to attach to the webhook
+    annotations: {}
+
+  # Deprecated: please use 'webhook.failurePolicy' instead
+  # Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the
+  # API Version of the WebHook.
+  # To block pod creation while webhook is unavailable, set the policy to `Fail` below.
+  # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy
+  #
+  failurePolicy: Ignore
+
+  # Deprecated: please use 'webhook.namespaceSelector' instead
  # namespaceSelector is the selector for restricting the webhook to only
  # specific namespaces.
  # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
@@ -99,6 +167,8 @@ injector:
  #    matchLabels:
  #      sidecar-injector: enabled
  namespaceSelector: {}
+
+  # Deprecated: please use 'webhook.objectSelector' instead
  # objectSelector is the selector for restricting the webhook to only
  # specific labels.
  # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector
@@ -109,13 +179,7 @@ injector:
  #      vault-sidecar-injector: enabled
  objectSelector: {}

-  # Configures failurePolicy of the webhook. The "unspecified" default behaviour deoends on the
-  # API Version of the WebHook.
-  # To block pod creation while webhook is unavailable, set the policy to `Fail` below.
-  # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy
-  #
-  failurePolicy: Ignore
-
+  # Deprecated: please use 'webhook.annotations' instead
  # Extra annotations to attach to the webhook
  webhookAnnotations: {}

@@ -138,6 +202,21 @@ injector:
    certName: tls.crt
    keyName: tls.key

+  # Security context for the pod template and the injector container
+  # The default pod securityContext is:
+  #   runAsNonRoot: true
+  #   runAsGroup: {{ .Values.injector.gid | default 1000 }}
+  #   runAsUser: {{ .Values.injector.uid | default 100 }}
+  #   fsGroup: {{ .Values.injector.gid | default 1000 }}
+  # and for container is
+  #    allowPrivilegeEscalation: false
+  #    capabilities:
+  #      drop:
+  #        - ALL
+  securityContext:
+    pod: {}
+    container: {}
+
  resources: {}
  # resources:
  #   requests:
@@ -166,6 +245,12 @@ injector:
              component: webhook
          topologyKey: kubernetes.io/hostname

+  # Topology settings for injector pods
+  # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
+  # This should be either a multi-line string or YAML matching the topologySpreadConstraints array
+  # in a PodSpec.
+  topologySpreadConstraints: []
+
  # Toleration Settings for injector pods
  # This should be either a multi-line string or YAML matching the Toleration array
  # in a PodSpec.
@@ -199,6 +284,11 @@ injector:
    # Extra annotations to attach to the injector service
    annotations: {}

+  # Injector serviceAccount specific config
+  serviceAccount:
+    # Extra annotations to attach to the injector serviceAccount
+    annotations: {}
+
  # A disruption budget limits the number of pods of a replicated application
  # that are down simultaneously from voluntary disruptions
  podDisruptionBudget: {}
@@ -215,8 +305,9 @@ injector:
  #   type: RollingUpdate

 server:
-  # If not set to true, Vault server will not be installed. See vault.mode in _helpers.tpl for implementation details
-  enabled: false
+  # If true, or "-" with global.enabled true, Vault server will be installed.
+  # See vault.mode in _helpers.tpl for implementation details.
+  enabled: true

  # [Enterprise Only] This value refers to a Kubernetes secret that you have
  # created that contains your enterprise license. If you are not using an
@@ -236,7 +327,7 @@ server:

  image:
    repository: "hashicorp/vault"
-    tag: "1.10.5"
+    tag: "1.11.2"
    # Overrides the default Image Pull Policy
    pullPolicy: IfNotPresent

@@ -455,6 +546,12 @@ server:
              component: server
          topologyKey: kubernetes.io/hostname

+  # Topology settings for server pods
+  # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
+  # This should be either a multi-line string or YAML matching the topologySpreadConstraints array
+  # in a PodSpec.
+  topologySpreadConstraints: []
+
  # Toleration Settings for server pods
  # This should be either a multi-line string or YAML matching the Toleration array
  # in a PodSpec.
@@ -506,6 +603,9 @@ server:
    # or NodePort.
    #type: ClusterIP

+    # Do not wait for pods to be ready
+    publishNotReadyAddresses: true
+
    # The externalTrafficPolicy can be set to either Cluster or Local
    # and is only valid for LoadBalancer and NodePort service types.
    # The default value is Cluster.
@@ -516,6 +616,16 @@ server:
    # will be random if left blank.
    #nodePort: 30000

+    # When HA mode is enabled
+    # If type is set to "NodePort", a specific nodePort value can be configured,
+    # will be random if left blank.
+    #activeNodePort: 30001
+
+    # When HA mode is enabled
+    # If type is set to "NodePort", a specific nodePort value can be configured,
+    # will be random if left blank.
+    #standbyNodePort: 30002
+
    # Port on which Vault server is listening
    port: 8200
    # Target port to which the service should be mapped to
@@ -536,7 +646,7 @@ server:
    mountPath: "/vault/data"
    # Name of the storage class to use.  If null it will use the
    # configured default Storage Class.
-    storageClass: nfs-client
+    storageClass: null
    # Access Mode of the storage device being used for the PVC
    accessMode: ReadWriteOnce
    # Annotations to apply to the PVC
@@ -550,12 +660,12 @@ server:
  auditStorage:
    enabled: false
    # Size of the PVC created
-    size: 1Gi
+    size: 10Gi
    # Location where the PVC will be mounted.
    mountPath: "/vault/audit"
    # Name of the storage class to use.  If null it will use the
    # configured default Storage Class.
-    storageClass: nfs-client
+    storageClass: null
    # Access Mode of the storage device being used for the PVC
    accessMode: ReadWriteOnce
    # Annotations to apply to the PVC
@@ -624,6 +734,11 @@ server:
    # If set to null, this will be set to the Pod IP Address
    apiAddr: null

+    # Set the cluster_addr confuguration for Vault HA
+    # See https://www.vaultproject.io/docs/configuration#cluster_addr
+    # If set to null, this will be set to https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201
+    clusterAddr: null
+
    # Enables Vault's integrated Raft storage.  Unlike the typical HA modes where
    # Vault's persistence is external (such as Consul), enabling Raft mode will create
    # persistent volumes for Vault to store data according to the configuration under server.dataStorage.
@@ -631,7 +746,7 @@ server:
    raft:

      # Enables Raft integrated storage
-      enabled: false
+      enabled: true
      # Set the Node Raft ID to the name of the pod
      setNodeId: false

@@ -717,6 +832,24 @@ server:
    # to the statefulSet.
    annotations: {}

+    # Set the pod and container security contexts.
+    # If not set, these will default to, and for *not* OpenShift:
+    # pod:
+    #   runAsNonRoot: true
+    #   runAsGroup: {{ .Values.server.gid | default 1000 }}
+    #   runAsUser: {{ .Values.server.uid | default 100 }}
+    #   fsGroup: {{ .Values.server.gid | default 1000 }}
+    # container: {}
+    #
+    # If not set, these will default to, and for OpenShift:
+    # pod: {}
+    # container:
+    #   allowPrivilegeEscalation: false
+    securityContext:
+      pod: {}
+      container: {}
+
+
 # Vault UI
 ui:
  # True if you want to create a Service entry for the Vault UI.
@@ -764,7 +897,7 @@ csi:

  image:
    repository: "hashicorp/vault-csi-provider"
-    tag: "1.1.0"
+    tag: "1.2.0"
    pullPolicy: IfNotPresent

  # volumes is a list of volumes made available to all containers. These are rendered
@@ -805,6 +938,13 @@ csi:
    providersDir: "/etc/kubernetes/secrets-store-csi-providers"
    # Kubelet host path
    kubeletRootDir: "/var/lib/kubelet"
+    # Extra labels to attach to the vault-csi-provider daemonSet
+    # This should be a YAML map of the labels to apply to the csi provider daemonSet
+    extraLabels: {}
+    # security context for the pod template and container in the csi provider daemonSet
+    securityContext:
+      pod: {}
+      container: {}

  pod:
    # Extra annotations for the provider pods. This can either be YAML or a
@@ -817,6 +957,12 @@ csi:
    # in a PodSpec.
    tolerations: []

+    # Extra labels to attach to the vault-csi-provider pod
+    # This should be a YAML map of the labels to apply to the csi provider pod
+    extraLabels: {}
+
+
+
  # Priority class for csi pods
  priorityClassName: ""

@@ -826,6 +972,10 @@ csi:
    # annotations to apply to the serviceAccount.
    annotations: {}

+    # Extra labels to attach to the vault-csi-provider serviceAccount
+    # This should be a YAML map of the labels to apply to the csi provider serviceAccount
+    extraLabels: {}
+
  # Used to configure readinessProbe for the pods.
  readinessProbe:
    # When a probe fails, Kubernetes will try failureThreshold times before giving up
@@ -855,4 +1005,6 @@ csi:
  debug: false

  # Pass arbitrary additional arguments to vault-csi-provider.
+  # See https://www.vaultproject.io/docs/platform/k8s/csi/configurations#command-line-arguments
+  # for the available command line flags.
  extraArgs: []