diff --git a/bank-vaults/README.md b/bank-vaults/README.md
new file mode 100644
index 0000000..f8fb4fd
--- /dev/null
+++ b/bank-vaults/README.md
@@ -0,0 +1,72 @@ +# Bank-vault (от banzai-cloud) + +[почитать тут](https://bank-vaults.dev/docs/mutating-webhook/) + +1. helm upgrade --install --create-namespace -n vault vault helm/vault + +**Vaults webhooks** + +```bash +helm upgrade --install --create-namespace --namespace vswh --wait vault-secrets-webhook oci://ghcr.io/bank-vaults/helm-charts/vault-secrets-webhook --set configMapMutation=true +kubectl kustomize https://github.com/bank-vaults/vault-operator/deploy/rbac | kubectl apply -f - +``` + +2. после запуска идем в первый vault-0 и инитим его (и открываем сразу) + +```bash +vault operator init -key-shares=1 -key-threshold=1 +vault operator unseal +vault login +``` + +3. настроим k8s для работы с вольтом + +```bash +vault auth enable kubernetes +vault write auth/kubernetes/config \ + token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \ + kubernetes_host="https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}" \ + kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt +``` + +4. 
создаем политику доступа + +```bash +vault policy write vault-test - < vault-helm-test.json - export GOOGLE_CREDENTIALS=vault-helm-test.json - make provision-cluster - - run: - name: Run acceptance tests - command: bats ./test/acceptance -t - - - run: - name: terraform destroy - command: | - export GOOGLE_CREDENTIALS=vault-helm-test.json - make destroy-cluster - when: always - update-helm-charts-index: - docker: - - image: docker.mirror.hashicorp.services/circleci/golang:1.15.3 - steps: - - checkout - - run: - name: verify Chart version matches tag version - command: | - GO111MODULE=on go get github.com/mikefarah/yq/v2 - git_tag=$(echo "${CIRCLE_TAG#v}") - chart_tag=$(yq r Chart.yaml version) - if [ "${git_tag}" != "${chart_tag}" ]; then - echo "chart version (${chart_tag}) did not match git version (${git_tag})" - exit 1 - fi - - run: - name: update helm-charts index - command: | - curl --show-error --silent --fail --user "${CIRCLE_TOKEN}:" \ - -X POST \ - -H 'Content-Type: application/json' \ - -H 'Accept: application/json' \ - -d "{\"branch\": \"master\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${CIRCLE_TAG}\"}}" \ - "${CIRCLE_ENDPOINT}/${CIRCLE_PROJECT}/pipeline" - - slack/status: - fail_only: true - failure_message: "Failed to trigger an update to the helm charts index. Check the logs at: ${CIRCLE_BUILD_URL}" - -workflows: - version: 2 - # Note: unit and acceptance tests are now being run in GitHub Actions - update-helm-charts-index: - jobs: - - update-helm-charts-index: - context: helm-charts-trigger-vault - filters: - tags: - only: /^v.*/ - branches: - ignore: /.*/ diff --git a/helm/vault/.github/ISSUE_TEMPLATE/bug_report.md b/helm/vault/.github/ISSUE_TEMPLATE/bug_report.md deleted file mode 100644 index cb69c51..0000000 --- a/helm/vault/.github/ISSUE_TEMPLATE/bug_report.md +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -name: Bug report -about: Let us know about a bug! -title: '' -labels: bug -assignees: '' - ---- - - - -**Describe the bug** -A clear and concise description of what the bug is. - -**To Reproduce** -Steps to reproduce the behavior: -1. Install chart -2. Run vault command -3. See error (vault logs, etc.) - -Other useful info to include: vault pod logs, `kubectl describe statefulset vault` and `kubectl get statefulset vault -o yaml` output - -**Expected behavior** -A clear and concise description of what you expected to happen. - -**Environment** -* Kubernetes version: - * Distribution or cloud vendor (OpenShift, EKS, GKE, AKS, etc.): - * Other configuration options or runtime services (istio, etc.): -* vault-helm version: - -Chart values: - -```yaml -# Paste your user-supplied values here (`helm get values `). -# Be sure to scrub any sensitive values! -``` - -**Additional context** -Add any other context about the problem here. diff --git a/helm/vault/.github/ISSUE_TEMPLATE/config.yml b/helm/vault/.github/ISSUE_TEMPLATE/config.yml deleted file mode 100644 index b24b36b..0000000 --- a/helm/vault/.github/ISSUE_TEMPLATE/config.yml +++ /dev/null @@ -1,4 +0,0 @@ -contact_links: - - name: Ask a question - url: https://discuss.hashicorp.com/c/vault - about: For increased visibility, please post questions on the discussion forum, and tag with `k8s` diff --git a/helm/vault/.github/ISSUE_TEMPLATE/feature_request.md b/helm/vault/.github/ISSUE_TEMPLATE/feature_request.md deleted file mode 100644 index 11fc491..0000000 --- a/helm/vault/.github/ISSUE_TEMPLATE/feature_request.md +++ /dev/null 
@@ -1,20 +0,0 @@ ---- -name: Feature request -about: Suggest an idea for this project -title: '' -labels: enhancement -assignees: '' - ---- - -**Is your feature request related to a problem? Please describe.** -A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] - -**Describe the solution you'd like** -A clear and concise description of what you want to happen. - -**Describe alternatives you've considered** -A clear and concise description of any alternative solutions or features you've considered. - -**Additional context** -Add any other context or screenshots about the feature request here. diff --git a/helm/vault/.github/workflows/acceptance.yaml b/helm/vault/.github/workflows/acceptance.yaml deleted file mode 100644 index 644875e..0000000 --- a/helm/vault/.github/workflows/acceptance.yaml +++ /dev/null @@ -1,34 +0,0 @@ -name: Acceptance Tests - -on: - push: - branches: - - main - workflow_dispatch: {} - -jobs: - kind: - strategy: - fail-fast: false - matrix: - kind-k8s-version: [1.14.10, 1.19.11, 1.20.7, 1.21.2, 1.22.4] - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - name: Setup test tools - uses: ./.github/workflows/setup-test-tools - - - name: Create K8s Kind Cluster - uses: helm/kind-action@v1.2.0 - with: - config: test/kind/config.yaml - node_image: kindest/node:v${{ matrix.kind-k8s-version }} - - # Skip CSI tests if K8s version < 1.16.x - - run: echo K8S_MINOR=$(kubectl version -o json | jq -r .serverVersion.minor) >> $GITHUB_ENV - - if: ${{ env.K8S_MINOR < 16 }} - run: echo "SKIP_CSI=true" >> $GITHUB_ENV - - - run: bats ./test/acceptance -t - env: - VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }} diff --git a/helm/vault/.github/workflows/jira.yaml b/helm/vault/.github/workflows/jira.yaml deleted file mode 100644 index eb369f3..0000000 --- a/helm/vault/.github/workflows/jira.yaml +++ /dev/null 
@@ -1,72 +0,0 @@ -on: - issues: - types: [opened, closed, deleted, reopened] - pull_request_target: - types: [opened, closed, reopened] - issue_comment: # Also triggers when commenting on a PR from the conversation view - types: [created] - -name: Jira Sync - -jobs: - sync: - runs-on: ubuntu-latest - name: Jira sync - steps: - - name: Login - uses: atlassian/gajira-login@v2.0.0 - env: - JIRA_BASE_URL: ${{ secrets.JIRA_SYNC_BASE_URL }} - JIRA_USER_EMAIL: ${{ secrets.JIRA_SYNC_USER_EMAIL }} - JIRA_API_TOKEN: ${{ secrets.JIRA_SYNC_API_TOKEN }} - - - name: Preprocess - if: github.event.action == 'opened' || github.event.action == 'created' - id: preprocess - run: | - if [[ "${{ github.event_name }}" == "pull_request_target" ]]; then - echo "::set-output name=type::PR" - else - echo "::set-output name=type::ISS" - fi - - - name: Create ticket - if: github.event.action == 'opened' - uses: tomhjp/gh-action-jira-create@v0.2.0 - with: - project: VAULT - issuetype: "GH Issue" - summary: "${{ github.event.repository.name }} [${{ steps.preprocess.outputs.type }} #${{ github.event.issue.number || github.event.pull_request.number }}]: ${{ github.event.issue.title || github.event.pull_request.title }}" - description: "${{ github.event.issue.body || github.event.pull_request.body }}\n\n_Created from GitHub Action for ${{ github.event.issue.html_url || github.event.pull_request.html_url }} from ${{ github.actor }}_" - # customfield_10089 is Issue Link custom field - # customfield_10091 is team custom field - extraFields: '{"fixVersions": [{"name": "TBD"}], "customfield_10091": ["ecosystem", "runtime"], "customfield_10089": "${{ github.event.issue.html_url || github.event.pull_request.html_url }}"}' - - - name: Search - if: github.event.action != 'opened' - id: search - uses: tomhjp/gh-action-jira-search@v0.2.1 - with: - # cf[10089] is Issue Link custom field - jql: 'project = "VAULT" and cf[10089]="${{ github.event.issue.html_url || github.event.pull_request.html_url }}"' - - - 
name: Sync comment - if: github.event.action == 'created' && steps.search.outputs.issue - uses: tomhjp/gh-action-jira-comment@v0.2.0 - with: - issue: ${{ steps.search.outputs.issue }} - comment: "${{ github.actor }} ${{ github.event.review.state || 'commented' }}:\n\n${{ github.event.comment.body || github.event.review.body }}\n\n${{ github.event.comment.html_url || github.event.review.html_url }}" - - - name: Close ticket - if: (github.event.action == 'closed' || github.event.action == 'deleted') && steps.search.outputs.issue - uses: atlassian/gajira-transition@v2.0.1 - with: - issue: ${{ steps.search.outputs.issue }} - transition: Close - - - name: Reopen ticket - if: github.event.action == 'reopened' && steps.search.outputs.issue - uses: atlassian/gajira-transition@v2.0.1 - with: - issue: ${{ steps.search.outputs.issue }} - transition: "Pending Triage" diff --git a/helm/vault/.github/workflows/setup-test-tools/action.yaml b/helm/vault/.github/workflows/setup-test-tools/action.yaml deleted file mode 100644 index 3fa2854..0000000 --- a/helm/vault/.github/workflows/setup-test-tools/action.yaml +++ /dev/null @@ -1,18 +0,0 @@ -name: Setup common testing tools -description: Install bats and python-yq - -runs: - using: "composite" - steps: - - uses: actions/setup-node@v2 - with: - node-version: '14' - - run: npm install -g bats@${BATS_VERSION} - shell: bash - env: - BATS_VERSION: '1.5.0' - - run: bats -v - shell: bash - - uses: actions/setup-python@v2 - - run: pip install yq - shell: bash diff --git a/helm/vault/.github/workflows/tests.yaml b/helm/vault/.github/workflows/tests.yaml deleted file mode 100644 index 0aba6ee..0000000 --- a/helm/vault/.github/workflows/tests.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -name: Tests - -on: [push, workflow_dispatch] - -jobs: - bats-unit-tests: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - uses: ./.github/workflows/setup-test-tools - - run: bats ./test/unit -t - - chart-verifier: - runs-on: ubuntu-latest - env: - CHART_VERIFIER_VERSION: '1.2.1' - steps: - - uses: actions/checkout@v2 - - name: Setup test tools - uses: ./.github/workflows/setup-test-tools - - uses: actions/setup-go@v2 - with: - go-version: '1.17.4' - - run: go install github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION} - - run: bats ./test/chart -t diff --git a/helm/vault/.gitignore b/helm/vault/.gitignore deleted file mode 100644 index 2e23aca..0000000 --- a/helm/vault/.gitignore +++ /dev/null @@ -1,13 +0,0 @@ -.DS_Store -.terraform/ -.terraform.tfstate* -terraform.tfstate* -terraform.tfvars -values.dev.yaml -vaul-helm-dev-creds.json -./test/acceptance/vaul-helm-dev-creds.json -./test/terraform/vaul-helm-dev-creds.json -./test/unit/vaul-helm-dev-creds.json -./test/acceptance/values.yaml -./test/acceptance/values.yml -.idea diff --git a/helm/vault/.helmignore b/helm/vault/.helmignore index d1180d2..18dbc2b 100644 --- a/helm/vault/.helmignore +++ b/helm/vault/.helmignore @@ -1,4 +1,29 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs .git/ +.gitignore .terraform/ -bin/ +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj + +# CI and test +.circleci/ +.github/ +.gitlab-ci.yml test/ +scratch/ diff --git a/helm/vault/CHANGELOG.md b/helm/vault/CHANGELOG.md index ea6d367..920c6e0 100644 --- a/helm/vault/CHANGELOG.md +++ b/helm/vault/CHANGELOG.md 
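Review bot: The rewritten `.helmignore` never excludes the credential and state files that the `.gitignore` deleted earlier in this same diff used to keep out of the tree (`vaul-helm-dev-creds.json`, `terraform.tfvars`, `terraform.tfstate*`, `values.dev.yaml`), and it also drops the old `bin/` entry, so a `helm package` run from a working directory that still contains any of them would bundle them into the published chart archive. Only `.terraform/` is covered, which does not catch state or variable files sitting next to it. I would add `*.tfvars`, `*.tfstate*`, `values.dev.yaml` and `*creds*.json` under the `# CI and test` section and keep `bin/` unless there is a build artifact that is meant to ship.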
@@ -1,5 +1,223 @@ ## Unreleased +## 0.29.1 (November 20, 2024) + +Bugs: +* server: restore support for templated config [GH-1073](https://github.com/hashicorp/vault-helm/pull/1073) + +## 0.29.0 (November 7, 2024) + +KNOWN ISSUES: +* Template support in server config stopped working [GH-1072](https://github.com/hashicorp/vault-helm/issues/1072) + +Changes: + +* Default `vault` version updated to 1.18.1 +* Default `vault-k8s` version updated to 1.5.0 +* Default `vault-csi-provider` version updated to 1.5.0 +* Tested with Kubernetes versions 1.27-1.31 + +Features: + +* csi: Allow modification of the hostNetwork parameter on the DaemonSet [GH-1046](https://github.com/hashicorp/vault-helm/pull/1046) + +Bugs: + +* Properly handle JSON formatted server config [GH-1049](https://github.com/hashicorp/vault-helm/pull/1049) + +## 0.28.1 (July 11, 2024) + +Changes: + +* Default `vault` version updated to 1.17.2 +* Default `vault-k8s` version updated to 1.4.2 +* Default `vault-csi-provider` version updated to 1.4.3 +* Tested with Kubernetes versions 1.26-1.30 + +Improvements: + +* Configurable `tlsConfig` and `authorization` for Prometheus ServiceMonitor [GH-1025](https://github.com/hashicorp/vault-helm/pull/1025) +* Remove UPDATE from injector-mutating-webhook [GH-783](https://github.com/hashicorp/vault-helm/pull/783) +* Add scope to mutating webhook [GH-1037](https://github.com/hashicorp/vault-helm/pull/1037) + +## 0.28.0 (April 8, 2024) + +Changes: + +* Default `vault` version updated to 1.16.1 +* Default `vault-k8s` version updated to 1.4.1 +* Default `vault-csi-provider` version updated to 1.4.2 +* Tested with Kubernetes versions 1.25-1.29 + +Features: + +* server: Add annotation on config change [GH-1001](https://github.com/hashicorp/vault-helm/pull/1001) + +Bugs: + +* injector: add missing `get` `nodes` permission to ClusterRole [GH-1005](https://github.com/hashicorp/vault-helm/pull/1005) + +## 0.27.0 (November 16, 2023) + +Changes: + +* Default `vault` version updated to 
1.15.2 + +Features: + +* server: Support setting `persistentVolumeClaimRetentionPolicy` on the StatefulSet [GH-965](https://github.com/hashicorp/vault-helm/pull/965) +* server: Support setting labels on PVCs [GH-969](https://github.com/hashicorp/vault-helm/pull/969) +* server: Support setting ingress rules for networkPolicy [GH-877](https://github.com/hashicorp/vault-helm/pull/877) + +Improvements: + +* Support exec in the server liveness probe [GH-971](https://github.com/hashicorp/vault-helm/pull/971) + +## 0.26.1 (October 30, 2023) + +Bugs: +* Fix templating of `server.ha.replicas` when set via override file. The `0.26.0` chart would ignore `server.ha.replicas` and always deploy 3 server replicas when `server.ha.enabled=true` unless overridden by command line when issuing the helm command: `--set server.ha.replicas=`. Fixed in [GH-961](https://github.com/hashicorp/vault-helm/pull/961) + +## 0.26.0 (October 27, 2023) + +Changes: +* Default `vault` version updated to 1.15.1 +* Default `vault-k8s` version updated to 1.3.1 +* Default `vault-csi-provider` version updated to 1.4.1 +* Tested with Kubernetes versions 1.24-1.28 +* server: OpenShift default readiness probe returns 204 when uninitialized [GH-966](https://github.com/hashicorp/vault-helm/pull/966) + +Features: +* server: Add support for dual stack clusters [GH-833](https://github.com/hashicorp/vault-helm/pull/833) +* server: Support `hostAliases` for the StatefulSet pods [GH-955](https://github.com/hashicorp/vault-helm/pull/955) +* server: Add `server.service.active.annotations` and `server.service.standby.annotations` [GH-896](https://github.com/hashicorp/vault-helm/pull/896) +* server: Add long-lived service account token option [GH-923](https://github.com/hashicorp/vault-helm/pull/923) + +Bugs: +* csi: Add namespace field to `csi-role` and `csi-rolebindings`. 
[GH-909](https://github.com/hashicorp/vault-helm/pull/909) + +Improvements: +* global: Add `global.namespace` to override the helm installation namespace. [GH-909](https://github.com/hashicorp/vault-helm/pull/909) +* server: use vault.fullname in Helm test [GH-912](https://github.com/hashicorp/vault-helm/pull/912) +* server: Allow scaling HA replicas to zero [GH-943](https://github.com/hashicorp/vault-helm/pull/943) + +## 0.25.0 (June 26, 2023) + +Changes: +* Latest Kubernetes version tested is now 1.27 +* server: Headless service ignores `server.service.publishNotReadyAddresses` setting and always sets it as `true` [GH-902](https://github.com/hashicorp/vault-helm/pull/902) +* `vault` updated to 1.14.0 [GH-916](https://github.com/hashicorp/vault-helm/pull/916) +* `vault-csi-provider` updated to 1.4.0 [GH-916](https://github.com/hashicorp/vault-helm/pull/916) + +Improvements: +* CSI: Make `nodeSelector` and `affinity` configurable for CSI daemonset's pods [GH-862](https://github.com/hashicorp/vault-helm/pull/862) +* injector: Add `ephemeralLimit` and `ephemeralRequest` as options for configuring Agent's ephemeral storage resources [GH-798](https://github.com/hashicorp/vault-helm/pull/798) +* Minimum kubernetes version for chart reverted to 1.20.0 to allow installation on clusters older than the oldest tested version [GH-916](https://github.com/hashicorp/vault-helm/pull/916) + +Bugs: +* server: Set the default for `prometheusRules.rules` to an empty list [GH-886](https://github.com/hashicorp/vault-helm/pull/886) + +## 0.24.1 (April 17, 2023) + +Bugs: +* csi: Add RBAC required by v1.3.0 to create secret for HMAC key used to generate secret versions [GH-872](https://github.com/hashicorp/vault-helm/pull/872) + +## 0.24.0 (April 6, 2023) + +Changes: +* Earliest Kubernetes version tested is now 1.22 +* `vault` updated to 1.13.1 [GH-863](https://github.com/hashicorp/vault-helm/pull/863) +* `vault-k8s` updated to 1.2.1 
[GH-868](https://github.com/hashicorp/vault-helm/pull/868) +* `vault-csi-provider` updated to 1.3.0 [GH-749](https://github.com/hashicorp/vault-helm/pull/749) + +Features: +* server: New `extraPorts` option for adding ports to the Vault server statefulset [GH-841](https://github.com/hashicorp/vault-helm/pull/841) +* server: Add configurable Port Number in readinessProbe and livenessProbe for the server-statefulset [GH-831](https://github.com/hashicorp/vault-helm/pull/831) +* injector: Make livenessProbe and readinessProbe configurable and add configurable startupProbe [GH-852](https://github.com/hashicorp/vault-helm/pull/852) +* csi: Add an Agent sidecar to Vault CSI Provider pods to provide lease caching and renewals [GH-749](https://github.com/hashicorp/vault-helm/pull/749) + +## 0.23.0 (November 28th, 2022) + +Changes: +* `vault` updated to 1.12.1 [GH-814](https://github.com/hashicorp/vault-helm/pull/814) +* `vault-k8s` updated to 1.1.0 [GH-814](https://github.com/hashicorp/vault-helm/pull/814) +* `vault-csi-provider` updated to 1.2.1 [GH-814](https://github.com/hashicorp/vault-helm/pull/814) + +Features: +* server: Add `extraLabels` for Vault server serviceAccount [GH-806](https://github.com/hashicorp/vault-helm/pull/806) +* server: Add `server.service.active.enabled` and `server.service.standby.enabled` options to selectively disable additional services [GH-811](https://github.com/hashicorp/vault-helm/pull/811) +* server: Add `server.serviceAccount.serviceDiscovery.enabled` option to selectively disable a Vault service discovery role and role binding [GH-811](https://github.com/hashicorp/vault-helm/pull/811) +* server: Add `server.service.instanceSelector.enabled` option to allow selecting pods outside the helm chart deployment [GH-813](https://github.com/hashicorp/vault-helm/pull/813) + +Bugs: +* server: Quote `.server.ha.clusterAddr` value [GH-810](https://github.com/hashicorp/vault-helm/pull/810) + +## 0.22.1 (October 26th, 2022) + +Changes: +* `vault` 
updated to 1.12.0 [GH-803](https://github.com/hashicorp/vault-helm/pull/803) +* `vault-k8s` updated to 1.0.1 [GH-803](https://github.com/hashicorp/vault-helm/pull/803) + +## 0.22.0 (September 8th, 2022) + +Features: +* Add PrometheusOperator support for collecting Vault server metrics. [GH-772](https://github.com/hashicorp/vault-helm/pull/772) + +Changes: +* `vault-k8s` to 1.0.0 [GH-784](https://github.com/hashicorp/vault-helm/pull/784) +* Test against Kubernetes 1.25 [GH-784](https://github.com/hashicorp/vault-helm/pull/784) +* `vault` updated to 1.11.3 [GH-785](https://github.com/hashicorp/vault-helm/pull/785) + +## 0.21.0 (August 10th, 2022) + +CHANGES: +* `vault-k8s` updated to 0.17.0. [GH-771](https://github.com/hashicorp/vault-helm/pull/771) +* `vault-csi-provider` updated to 1.2.0 [GH-771](https://github.com/hashicorp/vault-helm/pull/771) +* `vault` updated to 1.11.2 [GH-771](https://github.com/hashicorp/vault-helm/pull/771) +* Start testing against Kubernetes 1.24. [GH-744](https://github.com/hashicorp/vault-helm/pull/744) +* Deprecated `injector.externalVaultAddr`. Added `global.externalVaultAddr`, which applies to both the Injector and the CSI Provider. [GH-745](https://github.com/hashicorp/vault-helm/pull/745) +* CSI Provider pods now set the `VAULT_ADDR` environment variable to either the internal Vault service or the configured external address. [GH-745](https://github.com/hashicorp/vault-helm/pull/745) + +Features: +* server: Add `server.statefulSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767) +* csi: Add `csi.daemonSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767) +* injector: Add `injector.securityContext` to override pod and container `securityContext`. 
[GH-750](https://github.com/hashicorp/vault-helm/pull/750) and [GH-767](https://github.com/hashicorp/vault-helm/pull/767) +* Add `server.service.activeNodePort` and `server.service.standbyNodePort` to specify the `nodePort` for active and standby services. [GH-610](https://github.com/hashicorp/vault-helm/pull/610) +* Support for setting annotations on the injector's serviceAccount [GH-753](https://github.com/hashicorp/vault-helm/pull/753) + +## 0.20.1 (May 25th, 2022) +CHANGES: +* `vault-k8s` updated to 0.16.1 [GH-739](https://github.com/hashicorp/vault-helm/pull/739) + +Improvements: +* Mutating webhook will no longer target the agent injector pod [GH-736](https://github.com/hashicorp/vault-helm/pull/736) + +Bugs: +* `vault` service account is now created even if the server is set to disabled, as per before 0.20.0 [GH-737](https://github.com/hashicorp/vault-helm/pull/737) + +## 0.20.0 (May 16th, 2022) + +CHANGES: +* `global.enabled` now works as documented, that is, setting `global.enabled` to false will disable everything, with individual components able to be turned on individually [GH-703](https://github.com/hashicorp/vault-helm/pull/703) +* Default value of `-` used for injector and server to indicate that they follow `global.enabled`. [GH-703](https://github.com/hashicorp/vault-helm/pull/703) +* Vault default image to 1.10.3 +* CSI provider default image to 1.1.0 +* Vault K8s default image to 0.16.0 +* Earliest Kubernetes version tested is now 1.16 +* Helm 3.6+ now required + +Features: +* Support topologySpreadConstraints in server and injector. 
[GH-652](https://github.com/hashicorp/vault-helm/pull/652) + +Improvements: +* CSI: Set `extraLabels` for daemonset, pods, and service account [GH-690](https://github.com/hashicorp/vault-helm/pull/690) +* Add namespace to injector-leader-elector role, rolebinding and secret [GH-683](https://github.com/hashicorp/vault-helm/pull/683) +* Support policy/v1 PodDisruptionBudget in Kubernetes 1.21+ for server and injector [GH-710](https://github.com/hashicorp/vault-helm/pull/710) +* Make the Cluster Address (CLUSTER_ADDR) configurable [GH-629](https://github.com/hashicorp/vault-helm/pull/709) +* server: Make `publishNotReadyAddresses` configurable for services [GH-694](https://github.com/hashicorp/vault-helm/pull/694) +* server: Allow config to be defined as a YAML object in the values file [GH-684](https://github.com/hashicorp/vault-helm/pull/684) +* Maintain default MutatingWebhookConfiguration values from `v1beta1` [GH-692](https://github.com/hashicorp/vault-helm/pull/692) + ## 0.19.0 (January 20th, 2022) CHANGES: diff --git a/helm/vault/CODEOWNERS b/helm/vault/CODEOWNERS new file mode 100644 index 0000000..a765f7e --- /dev/null +++ b/helm/vault/CODEOWNERS @@ -0,0 +1 @@ +* @hashicorp/vault-ecosystem diff --git a/helm/vault/Chart.yaml b/helm/vault/Chart.yaml index be12989..9bb4d93 100644 --- a/helm/vault/Chart.yaml +++ b/helm/vault/Chart.yaml @@ -1,5 +1,7 @@ +annotations: + charts.openshift.io/name: HashiCorp Vault apiVersion: v2 -appVersion: 1.9.2 +appVersion: 1.18.1 description: Official HashiCorp Vault Chart home: https://www.vaultproject.io icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png 
@@ -11,11 +13,11 @@ keywords: - management - automation - infrastructure -kubeVersion: '>= 1.14.0-0' +kubeVersion: '>= 1.20.0-0' name: vault sources: - https://github.com/hashicorp/vault - https://github.com/hashicorp/vault-helm - https://github.com/hashicorp/vault-k8s - https://github.com/hashicorp/vault-csi-provider -version: 0.19.0 +version: 0.29.1 diff --git a/helm/vault/LICENSE.md b/helm/vault/LICENSE similarity index 99% rename from helm/vault/LICENSE.md rename to helm/vault/LICENSE index 82b4de9..74f38c0 100644 --- a/helm/vault/LICENSE.md +++ b/helm/vault/LICENSE @@ -1,3 +1,5 @@ +Copyright (c) 2018 HashiCorp, Inc. + Mozilla Public License, version 2.0 1. Definitions diff --git a/helm/vault/Makefile b/helm/vault/Makefile index 0ac6850..b7cb034 100644 --- a/helm/vault/Makefile +++ b/helm/vault/Makefile @@ -14,7 +14,7 @@ LOCAL_ACCEPTANCE_TESTS?=false KIND_CLUSTER_NAME?=vault-helm # kind k8s version -KIND_K8S_VERSION?=v1.20.2 +KIND_K8S_VERSION?=v1.31.2 # Generate json schema for chart values. See test/README.md for more details. values-schema: @@ -71,7 +71,7 @@ acceptance: ifneq ($(LOCAL_ACCEPTANCE_TESTS),true) gcloud auth activate-service-account --key-file=${GOOGLE_CREDENTIALS} endif - bats test/${ACCEPTANCE_TESTS} + bats --tap --timing test/${ACCEPTANCE_TESTS} # this target is for provisioning the GKE cluster # it is run in the docker container above when the test-provision target is invoked diff --git a/helm/vault/templates/NOTES.txt b/helm/vault/templates/NOTES.txt index 8e26712..60d99a4 100644 --- a/helm/vault/templates/NOTES.txt +++ b/helm/vault/templates/NOTES.txt @@ -4,7 +4,7 @@ Thank you for installing HashiCorp Vault! Now that you have deployed Vault, you should look over the docs on using Vault with Kubernetes available here: -https://www.vaultproject.io/docs/ +https://developer.hashicorp.com/vault/docs Your release is named {{ .Release.Name }}. To learn more about the release, try: 
diff --git a/helm/vault/templates/_helpers.tpl b/helm/vault/templates/_helpers.tpl
index 12afeab..4b2e42d 100644
--- a/helm/vault/templates/_helpers.tpl
+++ b/helm/vault/templates/_helpers.tpl
@@ -1,3 +1,8 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to
@@ -31,6 +36,94 @@ Expand the name of the chart. {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Allow the release namespace to be overridden +*/}} +{{- define "vault.namespace" -}} +{{- default .Release.Namespace .Values.global.namespace -}} +{{- end -}} + +{{/* +Compute if the csi driver is enabled. +*/}} +{{- define "vault.csiEnabled" -}} +{{- $_ := set . "csiEnabled" (or + (eq (.Values.csi.enabled | toString) "true") + (and (eq (.Values.csi.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} +{{- end -}} + +{{/* +Compute if the injector is enabled. +*/}} +{{- define "vault.injectorEnabled" -}} +{{- $_ := set . "injectorEnabled" (or + (eq (.Values.injector.enabled | toString) "true") + (and (eq (.Values.injector.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} +{{- end -}} + +{{/* +Compute if the server is enabled. +*/}} +{{- define "vault.serverEnabled" -}} +{{- $_ := set . "serverEnabled" (or + (eq (.Values.server.enabled | toString) "true") + (and (eq (.Values.server.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} +{{- end -}} + +{{/* +Compute if the server serviceaccount is enabled. +*/}} +{{- define "vault.serverServiceAccountEnabled" -}} +{{- $_ := set . "serverServiceAccountEnabled" + (and + (eq (.Values.server.serviceAccount.create | toString) "true" ) + (or + (eq (.Values.server.enabled | toString) "true") + (eq (.Values.global.enabled | toString) "true"))) -}} +{{- end -}} + +{{/* +Compute if the server serviceaccount should have a token created and mounted to the serviceaccount. +*/}} +{{- define "vault.serverServiceAccountSecretCreationEnabled" -}} +{{- $_ := set . 
"serverServiceAccountSecretCreationEnabled" + (and + (eq (.Values.server.serviceAccount.create | toString) "true") + (eq (.Values.server.serviceAccount.createSecret | toString) "true")) -}} +{{- end -}} + + +{{/* +Compute if the server auth delegator serviceaccount is enabled. +*/}} +{{- define "vault.serverAuthDelegator" -}} +{{- $_ := set . "serverAuthDelegator" + (and + (eq (.Values.server.authDelegator.enabled | toString) "true" ) + (or (eq (.Values.server.serviceAccount.create | toString) "true") + (not (eq .Values.server.serviceAccount.name ""))) + (or + (eq (.Values.server.enabled | toString) "true") + (eq (.Values.global.enabled | toString) "true"))) -}} +{{- end -}} + +{{/* +Compute if the server service is enabled. +*/}} +{{- define "vault.serverServiceEnabled" -}} +{{- template "vault.serverEnabled" . -}} +{{- $_ := set . "serverServiceEnabled" (and .serverEnabled (eq (.Values.server.service.enabled | toString) "true")) -}} +{{- end -}} + +{{/* +Compute if the ui is enabled. +*/}} +{{- define "vault.uiEnabled" -}} +{{- $_ := set . "uiEnabled" (or + (eq (.Values.ui.enabled | toString) "true") + (and (eq (.Values.ui.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} +{{- end -}} + {{/* Compute the maximum number of unavailable replicas for the PodDisruptionBudget. This defaults to (n/2)-1 where n is the number of members of the server cluster. 
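Review bot: `vault.serverAuthDelegator` turns the delegator on whenever `global.enabled` is `"true"`, even with `server.enabled` explicitly `"false"`, because it tests the raw values instead of the `serverEnabled` flag computed a few defines above; the same shape in `vault.serverServiceAccountEnabled` is documented as intentional in the 0.20.1 changelog entry, but nothing says the same for the delegator, which presumably backs a cluster-wide `system:auth-delegator` binding. If keeping that binding alive for an external Vault that uses this service account as its token reviewer is the intent, the header comment should say so, e.g. `Stays enabled when the server is disabled but global.enabled is true, so an external Vault can use the service account as its token reviewer.`. Otherwise gate it on `.serverEnabled` so the TokenReview grant is not issued for a service account with no server behind it.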
@@ -51,9 +144,10 @@ Set the variable 'mode' to the server mode requested by the user to simplify template logic. */}} {{- define "vault.mode" -}} - {{- if .Values.injector.externalVaultAddr -}} + {{- template "vault.serverEnabled" . -}} + {{- if or (.Values.injector.externalVaultAddr) (.Values.global.externalVaultAddr) -}} {{- $_ := set . "mode" "external" -}} - {{- else if ne (.Values.server.enabled | toString) "true" -}} + {{- else if not .serverEnabled -}} {{- $_ := set . "mode" "external" -}} {{- else if eq (.Values.server.dev.enabled | toString) "true" -}} {{- $_ := set . "mode" "dev" -}} @@ -73,7 +167,11 @@ Set's the replica count based on the different modes configured by user {{ if eq .mode "standalone" }} {{- default 1 -}} {{ else if eq .mode "ha" }} - {{- .Values.server.ha.replicas | default 3 -}} + {{- if or (kindIs "int64" .Values.server.ha.replicas) (kindIs "float64" .Values.server.ha.replicas) -}} + {{- .Values.server.ha.replicas -}} + {{ else }} + {{- 3 -}} + {{- end -}} {{ else }} {{- default 1 -}} {{ end }} @@ -85,7 +183,7 @@ defined a custom configuration. Additionally iterates over any extra volumes the user may have specified (such as a secret with TLS). */}} {{- define "vault.volumes" -}} - {{- if and (ne .mode "dev") (or (.Values.server.standalone.config) (.Values.server.ha.config)) }} + {{- if and (ne .mode "dev") (or (.Values.server.standalone.config) (.Values.server.ha.config) (.Values.server.ha.raft.config)) }} - name: config configMap: name: {{ template "vault.fullname" . }}-config 
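Review bot: In the HA branch of `vault.replicas`, a `server.ha.replicas` value that is neither `int64` nor `float64` — for instance `--set-string server.ha.replicas=5` or a quoted `"5"` in a values file — is silently swapped for `3` instead of being rejected, which masks a misconfiguration in the one value that decides how many Vault nodes form the cluster. I would fail loudly when the value is set but not numeric, e.g. `{{- else if not (kindIs "invalid" .Values.server.ha.replicas) -}}` followed by `{{- fail "server.ha.replicas must be an integer" -}}` before the `{{- 3 -}}` fallback, so the fallback only covers an unset value. The `vault.replicas` define opens before this hunk.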
@@ -188,9 +286,12 @@ storage might be desired by the user. {{- if and (ne .mode "dev") (or .Values.server.dataStorage.enabled .Values.server.auditStorage.enabled) }} volumeClaimTemplates: {{- if and (eq (.Values.server.dataStorage.enabled | toString) "true") (or (eq .mode "standalone") (eq (.Values.server.ha.raft.enabled | toString ) "true" )) }} - - metadata: + - apiVersion: v1 + kind: PersistentVolumeClaim + metadata: name: data {{- include "vault.dataVolumeClaim.annotations" . | nindent 6 }} + {{- include "vault.dataVolumeClaim.labels" . | nindent 6 }} spec: accessModes: - {{ .Values.server.dataStorage.accessMode | default "ReadWriteOnce" }} @@ -202,9 +303,12 @@ storage might be desired by the user. {{- end }} {{ end }} {{- if eq (.Values.server.auditStorage.enabled | toString) "true" }} - - metadata: + - apiVersion: v1 + kind: PersistentVolumeClaim + metadata: name: audit {{- include "vault.auditVolumeClaim.annotations" . | nindent 6 }} + {{- include "vault.auditVolumeClaim.labels" . | nindent 6 }} spec: accessModes: - {{ .Values.server.auditStorage.accessMode | default "ReadWriteOnce" }} 
@@ -248,6 +352,37 @@ Sets the injector affinity for pod placement {{ end }} {{- end -}} +{{/* +Sets the topologySpreadConstraints when running in standalone and HA modes. +*/}} +{{- define "vault.topologySpreadConstraints" -}} + {{- if and (ne .mode "dev") .Values.server.topologySpreadConstraints }} + topologySpreadConstraints: + {{ $tp := typeOf .Values.server.topologySpreadConstraints }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.topologySpreadConstraints . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.server.topologySpreadConstraints | nindent 8 }} + {{- end }} + {{ end }} +{{- end -}} + + +{{/* +Sets the injector topologySpreadConstraints for pod placement +*/}} +{{- define "injector.topologySpreadConstraints" -}} + {{- if .Values.injector.topologySpreadConstraints }} + topologySpreadConstraints: + {{ $tp := typeOf .Values.injector.topologySpreadConstraints }} + {{- if eq $tp "string" }} + {{- tpl .Values.injector.topologySpreadConstraints . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.injector.topologySpreadConstraints | nindent 8 }} + {{- end }} + {{ end }} +{{- end -}} + {{/* Sets the toleration for pod placement when running in standalone and HA modes. */}} @@ -326,9 +461,12 @@ Sets the injector deployment update strategy {{/* Sets extra pod annotations */}} -{{- define "vault.annotations" -}} - {{- if .Values.server.annotations }} +{{- define "vault.annotations" }} annotations: + {{- if .Values.server.includeConfigAnnotation }} + vault.hashicorp.com/config-checksum: {{ include "vault.config" . | sha256sum }} + {{- end }} + {{- if .Values.server.annotations }} {{- $tp := typeOf .Values.server.annotations }} {{- if eq $tp "string" }} {{- tpl .Values.server.annotations . | nindent 8 }} 
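Review bot: `annotations:` in the `vault.annotations` hunk (`@@ -326,9 +461,12 @@`) is now emitted unconditionally, so a pod template with neither `server.includeConfigAnnotation` nor `server.annotations` set renders `annotations:` with a null value; Kubernetes tolerates that, but the previous guard avoided it and a wrapping `{{- if or .Values.server.includeConfigAnnotation .Values.server.annotations }}` would restore it. The define's closing `end` is outside the hunk. The `vault.hashicorp.com/config-checksum` line hashes the fully rendered server config, which is what makes a config change roll the StatefulSet; a short comment such as `{{/* checksum of the rendered server config so config changes trigger a rollout */}}` would record that intent.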
@@ -369,20 +507,133 @@ Sets extra injector service annotations {{- end -}} {{/* -Sets extra injector webhook annotations +securityContext for the injector pod level. */}} -{{- define "injector.webhookAnnotations" -}} - {{- if .Values.injector.webhookAnnotations }} +{{- define "injector.securityContext.pod" -}} + {{- if .Values.injector.securityContext.pod }} + securityContext: + {{- $tp := typeOf .Values.injector.securityContext.pod }} + {{- if eq $tp "string" }} + {{- tpl .Values.injector.securityContext.pod . | nindent 8 }} + {{- else }} + {{- toYaml .Values.injector.securityContext.pod | nindent 8 }} + {{- end }} + {{- else if not .Values.global.openshift }} + securityContext: + runAsNonRoot: true + runAsGroup: {{ .Values.injector.gid | default 1000 }} + runAsUser: {{ .Values.injector.uid | default 100 }} + fsGroup: {{ .Values.injector.gid | default 1000 }} + {{- end }} +{{- end -}} + +{{/* +securityContext for the injector container level. +*/}} +{{- define "injector.securityContext.container" -}} + {{- if .Values.injector.securityContext.container}} + securityContext: + {{- $tp := typeOf .Values.injector.securityContext.container }} + {{- if eq $tp "string" }} + {{- tpl .Values.injector.securityContext.container . | nindent 12 }} + {{- else }} + {{- toYaml .Values.injector.securityContext.container | nindent 12 }} + {{- end }} + {{- else if not .Values.global.openshift }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + {{- end }} +{{- end -}} + +{{/* +securityContext for the statefulset pod template. +*/}} +{{- define "server.statefulSet.securityContext.pod" -}} + {{- if .Values.server.statefulSet.securityContext.pod }} + securityContext: + {{- $tp := typeOf .Values.server.statefulSet.securityContext.pod }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.statefulSet.securityContext.pod . 
| nindent 8 }} + {{- else }} + {{- toYaml .Values.server.statefulSet.securityContext.pod | nindent 8 }} + {{- end }} + {{- else if not .Values.global.openshift }} + securityContext: + runAsNonRoot: true + runAsGroup: {{ .Values.server.gid | default 1000 }} + runAsUser: {{ .Values.server.uid | default 100 }} + fsGroup: {{ .Values.server.gid | default 1000 }} + {{- end }} +{{- end -}} + +{{/* +securityContext for the statefulset vault container +*/}} +{{- define "server.statefulSet.securityContext.container" -}} + {{- if .Values.server.statefulSet.securityContext.container }} + securityContext: + {{- $tp := typeOf .Values.server.statefulSet.securityContext.container }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.statefulSet.securityContext.container . | nindent 12 }} + {{- else }} + {{- toYaml .Values.server.statefulSet.securityContext.container | nindent 12 }} + {{- end }} + {{- else if not .Values.global.openshift }} + securityContext: + allowPrivilegeEscalation: false + {{- end }} +{{- end -}} + + +{{/* +Sets extra injector service account annotations +*/}} +{{- define "injector.serviceAccount.annotations" -}} + {{- if and (ne .mode "dev") .Values.injector.serviceAccount.annotations }} annotations: - {{- $tp := typeOf .Values.injector.webhookAnnotations }} + {{- $tp := typeOf .Values.injector.serviceAccount.annotations }} {{- if eq $tp "string" }} - {{- tpl .Values.injector.webhookAnnotations . | nindent 4 }} + {{- tpl .Values.injector.serviceAccount.annotations . 
| nindent 4 }} {{- else }} - {{- toYaml .Values.injector.webhookAnnotations | nindent 4 }} + {{- toYaml .Values.injector.serviceAccount.annotations | nindent 4 }} {{- end }} {{- end }} {{- end -}} +{{/* +Sets extra injector webhook annotations +*/}} +{{- define "injector.webhookAnnotations" -}} + {{- if or (((.Values.injector.webhook)).annotations) (.Values.injector.webhookAnnotations) }} + annotations: + {{- $tp := typeOf (or (((.Values.injector.webhook)).annotations) (.Values.injector.webhookAnnotations)) }} + {{- if eq $tp "string" }} + {{- tpl (((.Values.injector.webhook)).annotations | default .Values.injector.webhookAnnotations) . | nindent 4 }} + {{- else }} + {{- toYaml (((.Values.injector.webhook)).annotations | default .Values.injector.webhookAnnotations) | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Set's the injector webhook objectSelector +*/}} +{{- define "injector.objectSelector" -}} + {{- $v := or (((.Values.injector.webhook)).objectSelector) (.Values.injector.objectSelector) -}} + {{ if $v }} + objectSelector: + {{- $tp := typeOf $v -}} + {{ if eq $tp "string" }} + {{ tpl $v . | indent 6 | trim }} + {{ else }} + {{ toYaml $v | indent 6 | trim }} + {{ end }} + {{ end }} +{{ end }} + {{/* Sets extra ui service annotations */}} 
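Review bot: The fallback in `server.statefulSet.securityContext.container` sets only `allowPrivilegeEscalation: false`, while the injector fallback in `injector.securityContext.container` also drops all capabilities; if the server container no longer needs `IPC_LOCK` the same `capabilities: drop: [ALL]` belongs here, and if it does, a comment explaining why the server default is weaker would stop the next reader "fixing" it. Neither fallback sets `seccompProfile` or `readOnlyRootFilesystem`, and when `global.openshift` is true with no explicit value these helpers emit nothing at all; both facts belong in the header comments so operators know what the default covers. Separately, `{{- if .Values.injector.securityContext.container}}` is missing the space before `}}` that every sibling has.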
@@ -468,6 +719,33 @@ Sets extra vault server Service annotations {{- end }} {{- end -}} +{{/* +Sets extra vault server Service (active) annotations +*/}} +{{- define "vault.service.active.annotations" -}} + {{- if .Values.server.service.active.annotations }} + {{- $tp := typeOf .Values.server.service.active.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.service.active.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.service.active.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} +{{/* +Sets extra vault server Service annotations +*/}} +{{- define "vault.service.standby.annotations" -}} + {{- if .Values.server.service.standby.annotations }} + {{- $tp := typeOf .Values.server.service.standby.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.service.standby.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.service.standby.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + {{/* Sets PodSecurityPolicy annotations */}} @@ -513,6 +791,21 @@ Sets VolumeClaim annotations for data volume {{- end }} {{- end -}} +{{/* +Sets VolumeClaim labels for data volume +*/}} +{{- define "vault.dataVolumeClaim.labels" -}} + {{- if and (ne .mode "dev") (.Values.server.dataStorage.enabled) (.Values.server.dataStorage.labels) }} + labels: + {{- $tp := typeOf .Values.server.dataStorage.labels }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.dataStorage.labels . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.dataStorage.labels | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + {{/* Sets VolumeClaim annotations for audit volume */}} 
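Review bot: The header comment on `vault.service.standby.annotations` reads `Sets extra vault server Service annotations`, the same text as the generic Service helper above it; it should read `Sets extra vault server Service (standby) annotations` to match the `active` sibling. Unlike `vault.dataVolumeClaim.labels` in the next hunk, neither new Service helper emits the `annotations:` key itself, so presumably the caller opens that mapping; a line in each header comment stating that contract would make it explicit.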
@@ -528,6 +821,21 @@ Sets VolumeClaim annotations for audit volume {{- end }} {{- end -}} +{{/* +Sets VolumeClaim labels for audit volume +*/}} +{{- define "vault.auditVolumeClaim.labels" -}} + {{- if and (ne .mode "dev") (.Values.server.auditStorage.enabled) (.Values.server.auditStorage.labels) }} + labels: + {{- $tp := typeOf .Values.server.auditStorage.labels }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.auditStorage.labels . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.auditStorage.labels | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + {{/* Set's the container resources if the user has set any. */}} @@ -558,6 +866,16 @@ Sets the container resources if the user has set any. {{ end }} {{- end -}} +{{/* +Sets the container resources for CSI's Agent sidecar if the user has set any. +*/}} +{{- define "csi.agent.resources" -}} + {{- if .Values.csi.agent.resources -}} + resources: +{{ toYaml .Values.csi.agent.resources | indent 12}} + {{ end }} +{{- end -}} + {{/* Sets extra CSI daemonset annotations */}} 
@@ -573,6 +891,37 @@ Sets extra CSI daemonset annotations {{- end }} {{- end -}} +{{/* +Sets CSI daemonset securityContext for pod template +*/}} +{{- define "csi.daemonSet.securityContext.pod" -}} + {{- if .Values.csi.daemonSet.securityContext.pod }} + securityContext: + {{- $tp := typeOf .Values.csi.daemonSet.securityContext.pod }} + {{- if eq $tp "string" }} + {{- tpl .Values.csi.daemonSet.securityContext.pod . | nindent 8 }} + {{- else }} + {{- toYaml .Values.csi.daemonSet.securityContext.pod | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets CSI daemonset securityContext for container +*/}} +{{- define "csi.daemonSet.securityContext.container" -}} + {{- if .Values.csi.daemonSet.securityContext.container }} + securityContext: + {{- $tp := typeOf .Values.csi.daemonSet.securityContext.container }} + {{- if eq $tp "string" }} + {{- tpl .Values.csi.daemonSet.securityContext.container . | nindent 12 }} + {{- else }} + {{- toYaml .Values.csi.daemonSet.securityContext.container | nindent 12 }} + {{- end }} + {{- end }} +{{- end -}} + + {{/* Sets the injector toleration for pod placement */}} 
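Review bot: `csi.daemonSet.securityContext.pod` and `csi.daemonSet.securityContext.container` have no fallback branch, unlike the injector and server equivalents which default to `runAsNonRoot`/`allowPrivilegeEscalation: false` when no value is supplied and `global.openshift` is false; the CSI provider container therefore runs with no securityContext at all unless the operator sets one, while the agent sidecar added in the csi-daemonset hunk (`@@ -70,15 +106,57 @@`) is hardened inline. Adding the same `{{- else if not .Values.global.openshift }}` default here would make the DaemonSet consistent. If the provider genuinely needs privileges that the hostPath mount implies, the header comment should name them so the omission reads as intentional.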
@@ -588,6 +937,34 @@ Sets the injector toleration for pod placement {{- end }} {{- end -}} +{{/* +Sets the CSI provider nodeSelector for pod placement +*/}} +{{- define "csi.pod.nodeselector" -}} + {{- if .Values.csi.pod.nodeSelector }} + nodeSelector: + {{- $tp := typeOf .Values.csi.pod.nodeSelector }} + {{- if eq $tp "string" }} + {{ tpl .Values.csi.pod.nodeSelector . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.csi.pod.nodeSelector | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} +{{/* +Sets the CSI provider affinity for pod placement. +*/}} +{{- define "csi.pod.affinity" -}} + {{- if .Values.csi.pod.affinity }} + affinity: + {{ $tp := typeOf .Values.csi.pod.affinity }} + {{- if eq $tp "string" }} + {{- tpl .Values.csi.pod.affinity . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.csi.pod.affinity | nindent 8 }} + {{- end }} + {{ end }} +{{- end -}} {{/* Sets extra CSI provider pod annotations */}} 
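Review bot: `{{ tpl .Values.csi.pod.nodeSelector . | nindent 8 | trim }}` in `csi.pod.nodeselector` opens with `{{ ` while the sibling branch and the `csi.pod.affinity` helper use `{{-`, and the two new defines are not separated by a blank line as the rest of the file is. `{{- tpl .Values.csi.pod.nodeSelector . | nindent 8 | trim }}` and a blank line before the second `{{/*` would match the surrounding style.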
@@ -705,3 +1082,37 @@ Supported inputs are Values.ui {{- end -}} {{- end }} {{- end -}} + +{{/* +config file from values +*/}} +{{- define "vault.config" -}} +{{- if or (eq .mode "ha") (eq .mode "standalone") }} +{{- $config := (index .Values.server .mode).config -}} +{{- if .Values.server.ha.raft.enabled -}} +{{- $config = .Values.server.ha.raft.config -}} +{{- end -}} +{{- $type := typeOf $config -}} +{{- if eq $type "string" -}} +{{/* Vault supports both HCL and JSON as its configuration format */}} +{{- $json := tpl $config . | fromJson -}} +{{/* +Helm's fromJson does not behave according to the corresponding sprig function nor Helm docs, +which claim that it should return empty string on invalid JSON, it actually returns +a map containing a single 'Error' element. +https://github.com/helm/helm/blob/50c22ed7f953fadb32755e5881ba95a92da852b2/pkg/engine/funcs.go#L158 + */}} +{{- if or (and (eq ($json | len) 1) (hasKey $json "Error")) (eq ($json | len) 0) -}} +{{- $config = printf "%s\n%s" $config "disable_mlock = true" -}} +{{- else -}} +{{- if not (hasKey $json "disable_mlock") -}} +{{- $_ := set $json "disable_mlock" true -}} +{{- end -}} +{{- $config = $json | mustToJson -}} +{{- end -}} +{{- else }} +{{- fail "structured server config is not supported, value must be a string"}} +{{- end }} +{{- tpl $config . | nindent 4 | trim }} +{{- end -}} +{{- end -}} diff --git a/helm/vault/templates/csi-agent-configmap.yaml b/helm/vault/templates/csi-agent-configmap.yaml new file mode 100644 index 0000000..18cdb04 --- /dev/null +++ b/helm/vault/templates/csi-agent-configmap.yaml 
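Review bot: The HCL branch of `vault.config` appends `disable_mlock = true` whenever `fromJson` fails, including when the operator's config already contains an explicit `disable_mlock = false`, so the user's choice is either overridden or becomes a duplicate-attribute error depending on how Vault decodes the HCL; the JSON branch checks `hasKey $json "disable_mlock"` first and the HCL branch should do the equivalent, e.g. `{{- if not (regexMatch "disable_mlock" $config) -}}` around the `printf`. Disabling mlock allows Vault's in-memory secrets to be swapped to disk, so the header comment should state that this helper injects the setting by default and why, rather than the terse `config file from values`. In the JSON branch the config is passed through `tpl` twice (once before `fromJson`, again on the `mustToJson` output), so any `{{` remaining in a JSON string after the first render is expanded a second time; rendering once and parsing that result would avoid it.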
@@ -0,0 +1,34 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.csiEnabled" . -}} +{{- if and (.csiEnabled) (eq (.Values.csi.agent.enabled | toString) "true") -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "vault.fullname" . }}-csi-provider-agent-config + namespace: {{ include "vault.namespace" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +data: + config.hcl: | + vault { + {{- if .Values.global.externalVaultAddr }} + "address" = "{{ .Values.global.externalVaultAddr }}" + {{- else }} + "address" = "{{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }}" + {{- end }} + } + + cache {} + + listener "unix" { + address = "/var/run/vault/agent.sock" + tls_disable = true + } +{{- end }} diff --git a/helm/vault/templates/csi-clusterrole.yaml b/helm/vault/templates/csi-clusterrole.yaml index a19e520..6d979ea 100644 --- a/helm/vault/templates/csi-clusterrole.yaml +++ b/helm/vault/templates/csi-clusterrole.yaml @@ -1,4 +1,10 @@ -{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.csiEnabled" . -}} +{{- if .csiEnabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/helm/vault/templates/csi-clusterrolebinding.yaml b/helm/vault/templates/csi-clusterrolebinding.yaml index 63d69c7..506ec94 100644 --- a/helm/vault/templates/csi-clusterrolebinding.yaml +++ b/helm/vault/templates/csi-clusterrolebinding.yaml 
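Review bot: The `vault {}` stanza in the agent ConfigMap carries only `address`; when `vault.scheme` renders `https` there is no `ca_cert` or `tls_server_name` here, so certificate verification against a chart-managed CA depends entirely on what the operator mounts through `csi.volumes`/`csi.volumeMounts` or passes in `csi.agent.extraArgs`, and a comment in the `data:` block stating that (or a `ca_cert` line gated on a value) would make the requirement visible. The unix listener's `tls_disable = true` is reasonable given the socket lives in a pod-local emptyDir, but a one-line comment saying so would forestall the obvious question. `"{{ .Values.global.externalVaultAddr }}"` is interpolated inside an HCL string, so a value containing a double quote would corrupt the config; validating or escaping it is worth a note in values documentation.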
@@ -1,4 +1,10 @@ -{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.csiEnabled" . -}} +{{- if .csiEnabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -14,5 +20,5 @@ roleRef: subjects: - kind: ServiceAccount name: {{ template "vault.fullname" . }}-csi-provider - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} {{- end }} diff --git a/helm/vault/templates/csi-daemonset.yaml b/helm/vault/templates/csi-daemonset.yaml index f0bf639..aacce0a 100644 --- a/helm/vault/templates/csi-daemonset.yaml +++ b/helm/vault/templates/csi-daemonset.yaml @@ -1,13 +1,22 @@ -{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.csiEnabled" . -}} +{{- if .csiEnabled -}} apiVersion: apps/v1 kind: DaemonSet metadata: name: {{ template "vault.fullname" . }}-csi-provider - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- if .Values.csi.daemonSet.extraLabels -}} + {{- toYaml .Values.csi.daemonSet.extraLabels | nindent 4 -}} + {{- end -}} {{ template "csi.daemonSet.annotations" . }} spec: updateStrategy: 
@@ -25,30 +34,57 @@ spec: labels: app.kubernetes.io/name: {{ template "vault.name" . }}-csi-provider app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.csi.pod.extraLabels -}} + {{- toYaml .Values.csi.pod.extraLabels | nindent 8 -}} + {{- end -}} {{ template "csi.pod.annotations" . }} spec: + {{ template "csi.daemonSet.securityContext.pod" . }} {{- if .Values.csi.priorityClassName }} priorityClassName: {{ .Values.csi.priorityClassName }} {{- end }} + hostNetwork: {{ .Values.csi.hostNetwork }} serviceAccountName: {{ template "vault.fullname" . }}-csi-provider {{- template "csi.pod.tolerations" . }} + {{- template "csi.pod.nodeselector" . }} + {{- template "csi.pod.affinity" . }} containers: - name: {{ include "vault.name" . }}-csi-provider {{ template "csi.resources" . }} + {{ template "csi.daemonSet.securityContext.container" . }} image: "{{ .Values.csi.image.repository }}:{{ .Values.csi.image.tag }}" imagePullPolicy: {{ .Values.csi.image.pullPolicy }} args: - --endpoint=/provider/vault.sock - - --debug={{ .Values.csi.debug }} + {{- if .Values.csi.debug }} + - --log-level=debug + {{- else }} + - --log-level={{ .Values.csi.logLevel }} + {{- end }} + {{- if .Values.csi.hmacSecretName }} + - --hmac-secret-name={{ .Values.csi.hmacSecretName }} + {{- else }} + - --hmac-secret-name={{- include "vault.name" . }}-csi-provider-hmac-key + {{- end }} {{- if .Values.csi.extraArgs }} - {{- toYaml .Values.csi.extraArgs | nindent 12 }} + {{- toYaml .Values.csi.extraArgs | nindent 12 }} + {{- end }} + env: + - name: VAULT_ADDR + {{- if eq (.Values.csi.agent.enabled | toString) "true" }} + value: "unix:///var/run/vault/agent.sock" + {{- else if .Values.global.externalVaultAddr }} + value: "{{ .Values.global.externalVaultAddr }}" + {{- else }} + value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . 
}}.svc:{{ .Values.server.service.port }} {{- end }} volumeMounts: - name: providervol mountPath: "/provider" - - name: mountpoint-dir - mountPath: {{ .Values.csi.daemonSet.kubeletRootDir }}/pods - mountPropagation: HostToContainer + {{- if eq (.Values.csi.agent.enabled | toString) "true" }} + - name: agent-unix-socket + mountPath: /var/run/vault + {{- end }} {{- if .Values.csi.volumeMounts }} {{- toYaml .Values.csi.volumeMounts | nindent 12}} {{- end }} 
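Review bot: `hostNetwork: {{ .Values.csi.hostNetwork }}` renders a null value when the key is absent from values, and host networking places the provider pod in the node's network namespace and outside NetworkPolicy enforcement, so the line should default explicitly, `hostNetwork: {{ .Values.csi.hostNetwork | default false }}`, with the implication spelled out in the values documentation. The `VAULT_ADDR` value is quoted in the agent and external branches but left as a plain scalar in the in-cluster branch; quoting all three keeps the style uniform. Dropping the `mountpoint-dir` hostPath mount narrows the provider's host access, which is a good change worth a sentence in the commit description.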
@@ -70,15 +106,57 @@ spec: periodSeconds: {{ .Values.csi.readinessProbe.periodSeconds }} successThreshold: {{ .Values.csi.readinessProbe.successThreshold }} timeoutSeconds: {{ .Values.csi.readinessProbe.timeoutSeconds }} + {{- if eq (.Values.csi.agent.enabled | toString) "true" }} + - name: {{ include "vault.name" . }}-agent + image: "{{ .Values.csi.agent.image.repository }}:{{ .Values.csi.agent.image.tag }}" + imagePullPolicy: {{ .Values.csi.agent.image.pullPolicy }} + {{ template "csi.agent.resources" . }} + command: + - vault + args: + - agent + - -config=/etc/vault/config.hcl + {{- if .Values.csi.agent.extraArgs }} + {{- toYaml .Values.csi.agent.extraArgs | nindent 12 }} + {{- end }} + ports: + - containerPort: 8200 + env: + - name: VAULT_LOG_LEVEL + value: "{{ .Values.csi.agent.logLevel }}" + - name: VAULT_LOG_FORMAT + value: "{{ .Values.csi.agent.logFormat }}" + securityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 100 + runAsGroup: 1000 + volumeMounts: + - name: agent-config + mountPath: /etc/vault/config.hcl + subPath: config.hcl + readOnly: true + - name: agent-unix-socket + mountPath: /var/run/vault + {{- if .Values.csi.volumeMounts }} + {{- toYaml .Values.csi.volumeMounts | nindent 12 }} + {{- end }} + {{- end }} volumes: - name: providervol hostPath: path: {{ .Values.csi.daemonSet.providersDir }} - - name: mountpoint-dir - hostPath: - path: {{ .Values.csi.daemonSet.kubeletRootDir }}/pods - {{- if .Values.csi.volumes }} - {{- toYaml .Values.csi.volumes | nindent 8}} - {{- end }} + {{- if eq (.Values.csi.agent.enabled | toString) "true" }} + - name: agent-config + configMap: + name: {{ template "vault.fullname" . }}-csi-provider-agent-config + - name: agent-unix-socket + emptyDir: + medium: Memory + {{- end }} + {{- if .Values.csi.volumes }} + {{- toYaml .Values.csi.volumes | nindent 8}} + {{- end }} {{- include "imagePullSecrets" . | nindent 6 }} {{- end }} 
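Review bot: The agent sidecar declares `ports: - containerPort: 8200`, but the ConfigMap it reads configures only a `listener "unix"` on `/var/run/vault/agent.sock`, so nothing listens on 8200 unless `csi.agent.extraArgs` adds a listener; dropping the port or commenting why it is declared avoids a misleading Service/NetworkPolicy target. `csi.volumeMounts` is now mounted into both the provider and the agent container, which is reasonable for CA bundles but means any operator-supplied mount reaches the sidecar too; a comment on the second `{{- toYaml .Values.csi.volumeMounts | nindent 12 }}` should say that is intended. The inline sidecar securityContext (`runAsUser: 100`, `runAsGroup: 1000`, `readOnlyRootFilesystem: true`) is hard-coded rather than taken from a value, so operators on OpenShift or with different UID policies cannot override it; consider a `csi.agent`-scoped override with this block as the fallback.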
diff --git a/helm/vault/templates/csi-role.yaml b/helm/vault/templates/csi-role.yaml new file mode 100644 index 0000000..17e1918 --- /dev/null +++ b/helm/vault/templates/csi-role.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.csiEnabled" . -}} +{{- if .csiEnabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "vault.fullname" . }}-csi-provider-role + namespace: {{ include "vault.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + resourceNames: + {{- if .Values.csi.hmacSecretName }} + - {{ .Values.csi.hmacSecretName }} + {{- else }} + - {{ include "vault.name" . }}-csi-provider-hmac-key + {{- end }} +# 'create' permissions cannot be restricted by resource name: +# https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create"] +{{- end }} diff --git a/helm/vault/templates/csi-rolebinding.yaml b/helm/vault/templates/csi-rolebinding.yaml new file mode 100644 index 0000000..3d3b981 --- /dev/null +++ b/helm/vault/templates/csi-rolebinding.yaml 
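Review bot: `- {{ .Values.csi.hmacSecretName }}` under `resourceNames` is an operator-supplied plain scalar; quoting it, `- {{ .Values.csi.hmacSecretName | quote }}`, protects the Role from values YAML would retype or misparse. The existing comment correctly says `create` cannot be restricted by name; it would help to add what that means in practice, e.g. `# so this grants creation of any Secret in the namespace; read access stays limited to the HMAC key above`.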
@@ -0,0 +1,25 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.csiEnabled" . -}} +{{- if .csiEnabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "vault.fullname" . }}-csi-provider-rolebinding + namespace: {{ include "vault.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "vault.fullname" . }}-csi-provider-role +subjects: +- kind: ServiceAccount + name: {{ template "vault.fullname" . }}-csi-provider + namespace: {{ include "vault.namespace" . }} +{{- end }} diff --git a/helm/vault/templates/csi-serviceaccount.yaml b/helm/vault/templates/csi-serviceaccount.yaml index ee12748..6327a7b 100644 --- a/helm/vault/templates/csi-serviceaccount.yaml +++ b/helm/vault/templates/csi-serviceaccount.yaml @@ -1,12 +1,21 @@ -{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.csiEnabled" . -}} +{{- if .csiEnabled -}} apiVersion: v1 kind: ServiceAccount metadata: name: {{ template "vault.fullname" . }}-csi-provider - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- if .Values.csi.serviceAccount.extraLabels -}} + {{- toYaml .Values.csi.serviceAccount.extraLabels | nindent 4 -}} + {{- end -}} {{ template "csi.serviceAccount.annotations" . }} {{- end }} diff --git a/helm/vault/templates/injector-certs-secret.yaml b/helm/vault/templates/injector-certs-secret.yaml index 78363be..f6995af 100644 
--- a/helm/vault/templates/injector-certs-secret.yaml +++ b/helm/vault/templates/injector-certs-secret.yaml @@ -1,10 +1,19 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} apiVersion: v1 kind: Secret metadata: name: vault-injector-certs + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- end }} +{{- end }} \ No newline at end of file diff --git a/helm/vault/templates/injector-clusterrole.yaml b/helm/vault/templates/injector-clusterrole.yaml index 4ff25ab..df603f2 100644 --- a/helm/vault/templates/injector-clusterrole.yaml +++ b/helm/vault/templates/injector-clusterrole.yaml @@ -1,4 +1,10 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -10,9 +16,15 @@ metadata: rules: - apiGroups: ["admissionregistration.k8s.io"] resources: ["mutatingwebhookconfigurations"] - verbs: + verbs: - "get" - "list" - "watch" - "patch" +{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} +- apiGroups: [""] + resources: ["nodes"] + verbs: + - "get" +{{ end }} {{ end }} 
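Review bot: The injector certs Secret keeps the hard-coded name `vault-injector-certs` while every sibling resource in these hunks derives its name from `vault.fullname`, so two releases in one namespace would contend for the same Secret; if the injector binary expects this exact name, a comment saying so would explain the exception, otherwise `name: {{ template "vault.fullname" . }}-injector-certs` is the consistent form. The file also ends without a trailing newline (`\ No newline at end of file`), unlike the other templates. In the injector-clusterrole hunk the added `nodes`/`get` rule is gated on leader election with more than one replica, which is the right scope; a short comment above it naming the leader elector as the consumer would make that intent durable.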
diff --git a/helm/vault/templates/injector-clusterrolebinding.yaml b/helm/vault/templates/injector-clusterrolebinding.yaml index 35d30b3..82cbce0 100644 --- a/helm/vault/templates/injector-clusterrolebinding.yaml +++ b/helm/vault/templates/injector-clusterrolebinding.yaml @@ -1,4 +1,10 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -14,5 +20,5 @@ roleRef: subjects: - kind: ServiceAccount name: {{ template "vault.fullname" . }}-agent-injector - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} {{ end }} diff --git a/helm/vault/templates/injector-deployment.yaml b/helm/vault/templates/injector-deployment.yaml index 95e2c2d..822e8e4 100644 --- a/helm/vault/templates/injector-deployment.yaml +++ b/helm/vault/templates/injector-deployment.yaml @@ -1,10 +1,16 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} # Deployment for the injector apiVersion: apps/v1 kind: Deployment metadata: name: {{ template "vault.fullname" . }}-agent-injector - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} 
@@ -30,38 +36,35 @@ spec: {{ template "injector.annotations" . }} spec: {{ template "injector.affinity" . }} + {{ template "injector.topologySpreadConstraints" . }} {{ template "injector.tolerations" . }} {{ template "injector.nodeselector" . }} {{- if .Values.injector.priorityClassName }} priorityClassName: {{ .Values.injector.priorityClassName }} {{- end }} serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector" + {{ template "injector.securityContext.pod" . -}} {{- if not .Values.global.openshift }} hostNetwork: {{ .Values.injector.hostNetwork }} - securityContext: - runAsNonRoot: true - runAsGroup: {{ .Values.injector.gid | default 1000 }} - runAsUser: {{ .Values.injector.uid | default 100 }} {{- end }} containers: - name: sidecar-injector {{ template "injector.resources" . }} image: "{{ .Values.injector.image.repository }}:{{ .Values.injector.image.tag }}" imagePullPolicy: "{{ .Values.injector.image.pullPolicy }}" - {{- if not .Values.global.openshift }} - securityContext: - allowPrivilegeEscalation: false - {{- end }} + {{- template "injector.securityContext.container" . }} env: - name: AGENT_INJECT_LISTEN value: {{ printf ":%v" .Values.injector.port }} - name: AGENT_INJECT_LOG_LEVEL value: {{ .Values.injector.logLevel | default "info" }} - name: AGENT_INJECT_VAULT_ADDR - {{- if .Values.injector.externalVaultAddr }} + {{- if .Values.global.externalVaultAddr }} + value: "{{ .Values.global.externalVaultAddr }}" + {{- else if .Values.injector.externalVaultAddr }} value: "{{ .Values.injector.externalVaultAddr }}" {{- else }} - value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }} + value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }} {{- end }} - name: AGENT_INJECT_VAULT_AUTH_PATH value: {{ .Values.injector.authPath }} 
@@ -76,7 +79,7 @@ spec: - name: AGENT_INJECT_TLS_AUTO value: {{ template "vault.fullname" . }}-agent-injector-cfg - name: AGENT_INJECT_TLS_AUTO_HOSTS - value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }}.svc + value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ include "vault.namespace" . }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ include "vault.namespace" . }}.svc {{- end }} - name: AGENT_INJECT_LOG_FORMAT value: {{ .Values.injector.logFormat | default "standard" }} @@ -106,6 +109,14 @@ spec: value: "{{ .Values.injector.agentDefaults.memRequest }}" - name: AGENT_INJECT_MEM_LIMIT value: "{{ .Values.injector.agentDefaults.memLimit }}" + {{- if .Values.injector.agentDefaults.ephemeralRequest }} + - name: AGENT_INJECT_EPHEMERAL_REQUEST + value: "{{ .Values.injector.agentDefaults.ephemeralRequest }}" + {{- end }} + {{- if .Values.injector.agentDefaults.ephemeralLimit }} + - name: AGENT_INJECT_EPHEMERAL_LIMIT + value: "{{ .Values.injector.agentDefaults.ephemeralLimit }}" + {{- end }} - name: AGENT_INJECT_DEFAULT_TEMPLATE value: "{{ .Values.injector.agentDefaults.template }}" - name: AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE 
@@ -127,21 +138,31 @@ spec: path: /health/ready port: {{ .Values.injector.port }} scheme: HTTPS - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 5 + failureThreshold: {{ .Values.injector.livenessProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.injector.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.injector.livenessProbe.periodSeconds }} + successThreshold: {{ .Values.injector.livenessProbe.successThreshold }} + timeoutSeconds: {{ .Values.injector.livenessProbe.timeoutSeconds }} readinessProbe: httpGet: path: /health/ready port: {{ .Values.injector.port }} scheme: HTTPS - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 5 + failureThreshold: {{ .Values.injector.readinessProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.injector.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.injector.readinessProbe.periodSeconds }} + successThreshold: {{ .Values.injector.readinessProbe.successThreshold }} + timeoutSeconds: {{ .Values.injector.readinessProbe.timeoutSeconds }} + startupProbe: + httpGet: + path: /health/ready + port: {{ .Values.injector.port }} + scheme: HTTPS + failureThreshold: {{ .Values.injector.startupProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.injector.startupProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.injector.startupProbe.periodSeconds }} + successThreshold: {{ .Values.injector.startupProbe.successThreshold }} + timeoutSeconds: {{ .Values.injector.startupProbe.timeoutSeconds }} {{- if .Values.injector.certs.secretName }} volumeMounts: - name: webhook-certs diff --git a/helm/vault/templates/injector-disruptionbudget.yaml b/helm/vault/templates/injector-disruptionbudget.yaml index 20c451a..2b2a61c 100644 --- a/helm/vault/templates/injector-disruptionbudget.yaml +++ b/helm/vault/templates/injector-disruptionbudget.yaml 
@@ -1,9 +1,14 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- if .Values.injector.podDisruptionBudget }} apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: {{ template "vault.fullname" . }}-agent-injector - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector diff --git a/helm/vault/templates/injector-mutating-webhook.yaml b/helm/vault/templates/injector-mutating-webhook.yaml index de7dd56..d0cafa6 100644 --- a/helm/vault/templates/injector-mutating-webhook.yaml +++ b/helm/vault/templates/injector-mutating-webhook.yaml @@ -1,4 +1,10 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} {{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }} apiVersion: admissionregistration.k8s.io/v1 {{- else }} 
@@ -14,30 +20,26 @@ metadata: {{- template "injector.webhookAnnotations" . }} webhooks: - name: vault.hashicorp.com + failurePolicy: {{ ((.Values.injector.webhook)).failurePolicy | default .Values.injector.failurePolicy }} + matchPolicy: {{ ((.Values.injector.webhook)).matchPolicy | default "Exact" }} sideEffects: None - admissionReviewVersions: - - "v1beta1" - - "v1" + timeoutSeconds: {{ ((.Values.injector.webhook)).timeoutSeconds | default "30" }} + admissionReviewVersions: ["v1", "v1beta1"] clientConfig: service: name: {{ template "vault.fullname" . }}-agent-injector-svc - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} path: "/mutate" caBundle: {{ .Values.injector.certs.caBundle | quote }} rules: - - operations: ["CREATE", "UPDATE"] + - operations: ["CREATE"] apiGroups: [""] apiVersions: ["v1"] resources: ["pods"] -{{- if .Values.injector.namespaceSelector }} + scope: "Namespaced" +{{- if or (.Values.injector.namespaceSelector) (((.Values.injector.webhook)).namespaceSelector) }} namespaceSelector: -{{ toYaml .Values.injector.namespaceSelector | indent 6}} -{{ end }} -{{- if .Values.injector.objectSelector }} - objectSelector: -{{ toYaml .Values.injector.objectSelector | indent 6}} -{{ end }} -{{- with .Values.injector.failurePolicy }} - failurePolicy: {{.}} +{{ toYaml (((.Values.injector.webhook)).namespaceSelector | default .Values.injector.namespaceSelector) | indent 6}} {{ end }} +{{- template "injector.objectSelector" . -}} {{ end }} diff --git a/helm/vault/templates/injector-network-policy.yaml b/helm/vault/templates/injector-network-policy.yaml index 7a399a5..4c3b087 100644 --- a/helm/vault/templates/injector-network-policy.yaml +++ b/helm/vault/templates/injector-network-policy.yaml 
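Review bot: `failurePolicy` on the new line is the setting that decides whether pods are admitted unmutated when the injector is unreachable (`Ignore`) or rejected (`Fail`), and the rendered value depends on two values keys that are not visible here, so the fail-open case deserves a comment in the template, e.g. `{{- /* Ignore admits pods without secret injection while the webhook is down; Fail blocks them */ -}}` above `failurePolicy:`. The `timeoutSeconds` default is the string `"30"`; Helm prints it unquoted so the API server still reads an integer, but a bare `30` states the intent more plainly. Narrowing `operations` to `CREATE` and adding `scope: "Namespaced"` are both consistent with a pod-mutating hook.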
@@ -1,4 +1,11 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.openshift | toString) "true") }} +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if eq (.Values.global.openshift | toString) "true" }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -19,3 +26,4 @@ spec: - port: 8080 protocol: TCP {{ end }} +{{ end }} diff --git a/helm/vault/templates/injector-psp-role.yaml b/helm/vault/templates/injector-psp-role.yaml index 20c87bb..a07f8f6 100644 --- a/helm/vault/templates/injector-psp-role.yaml +++ b/helm/vault/templates/injector-psp-role.yaml @@ -1,9 +1,16 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if eq (.Values.global.psp.enable | toString) "true" }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ template "vault.fullname" . }}-agent-injector-psp - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} @@ -15,3 +22,4 @@ rules: resourceNames: - {{ template "vault.fullname" . }}-agent-injector {{- end }} +{{- end }} diff --git a/helm/vault/templates/injector-psp-rolebinding.yaml b/helm/vault/templates/injector-psp-rolebinding.yaml index d6d0d5e..3c97e8d 100644 --- a/helm/vault/templates/injector-psp-rolebinding.yaml +++ b/helm/vault/templates/injector-psp-rolebinding.yaml 
@@ -1,9 +1,16 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if eq (.Values.global.psp.enable | toString) "true" }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ template "vault.fullname" . }}-agent-injector-psp - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} @@ -16,3 +23,4 @@ subjects: - kind: ServiceAccount name: {{ template "vault.fullname" . }}-agent-injector {{- end }} +{{- end }} \ No newline at end of file diff --git a/helm/vault/templates/injector-psp.yaml b/helm/vault/templates/injector-psp.yaml index 6d624dc..0eca9a8 100644 --- a/helm/vault/templates/injector-psp.yaml +++ b/helm/vault/templates/injector-psp.yaml @@ -1,5 +1,12 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} -apiVersion: policy/v1 +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if eq (.Values.global.psp.enable | toString) "true" }} +apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: {{ template "vault.fullname" . }}-agent-injector @@ -41,3 +48,4 @@ spec: max: 65535 readOnlyRootFilesystem: false {{- end }} +{{- end }} \ No newline at end of file diff --git a/helm/vault/templates/injector-role.yaml b/helm/vault/templates/injector-role.yaml index e7e383d..b2ad0c7 100644 --- a/helm/vault/templates/injector-role.yaml +++ b/helm/vault/templates/injector-role.yaml 
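Review bot: The `apiVersion: policy/v1beta1` correction for PodSecurityPolicy in the injector-psp.yaml hunk is not paired with a capability check, so on a cluster where that API has been removed (1.25 and later) a release with `global.psp.enable` set to true fails to render instead of skipping the resource. Wrapping the manifest in `{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}` … `{{- end }}` keeps the chart installable while PSP is phased out. The injector-psp-role and injector-psp-rolebinding hunks above use the same `global.psp.enable` gate and would otherwise reference a PSP that is never created; gating them on the same capability keeps the three files consistent.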
@@ -1,8 +1,16 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} @@ -23,3 +31,4 @@ rules: - "patch" - "delete" {{- end }} +{{- end }} \ No newline at end of file diff --git a/helm/vault/templates/injector-rolebinding.yaml b/helm/vault/templates/injector-rolebinding.yaml index aa81794..6ad25ca 100644 --- a/helm/vault/templates/injector-rolebinding.yaml +++ b/helm/vault/templates/injector-rolebinding.yaml @@ -1,8 +1,16 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-binding + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} 
@@ -14,5 +22,6 @@ roleRef: subjects: - kind: ServiceAccount name: {{ template "vault.fullname" . }}-agent-injector - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} {{- end }} +{{- end }} \ No newline at end of file diff --git a/helm/vault/templates/injector-service.yaml b/helm/vault/templates/injector-service.yaml index 3138b7a..1479cd1 100644 --- a/helm/vault/templates/injector-service.yaml +++ b/helm/vault/templates/injector-service.yaml @@ -1,9 +1,15 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} apiVersion: v1 kind: Service metadata: name: {{ template "vault.fullname" . }}-agent-injector-svc - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/helm/vault/templates/injector-serviceaccount.yaml b/helm/vault/templates/injector-serviceaccount.yaml index a28d38f..2f91c3d 100644 --- a/helm/vault/templates/injector-serviceaccount.yaml +++ b/helm/vault/templates/injector-serviceaccount.yaml 
@@ -1,11 +1,18 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} apiVersion: v1 kind: ServiceAccount metadata: name: {{ template "vault.fullname" . }}-agent-injector - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} + {{ template "injector.serviceAccount.annotations" . }} {{ end }} diff --git a/helm/vault/templates/prometheus-prometheusrules.yaml b/helm/vault/templates/prometheus-prometheusrules.yaml new file mode 100644 index 0000000..7e58a0e --- /dev/null +++ b/helm/vault/templates/prometheus-prometheusrules.yaml @@ -0,0 +1,31 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ if and (.Values.serverTelemetry.prometheusRules.rules) + (or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.prometheusRules.enabled) ) +}} +--- +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: {{ template "vault.fullname" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}} + {{- $selectors := .Values.serverTelemetry.prometheusRules.selectors }} + {{- if $selectors }} + {{- toYaml $selectors | nindent 4 }} + {{- else }} + release: prometheus + {{- end }} +spec: + groups: + - name: {{ include "vault.fullname" . }} + rules: + {{- toYaml .Values.serverTelemetry.prometheusRules.rules | nindent 6 }} +{{- end }} 
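Review bot: `{{ template "injector.serviceAccount.annotations" . }}` is expanded at two-space indentation directly under the `labels:` map, so unless the helper trims leading whitespace and emits the `annotations:` key itself, its output lands inside `labels` rather than as a sibling; the helper body is not visible here, so this is worth confirming with `helm template` and an annotation set. The other annotation helpers in this commit (`vault.service.active.annotations` in server-ha-active-service.yaml) are called from column 0 under an explicit `annotations:` key, and matching that shape here would remove the ambiguity.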
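Review bot: The new PrometheusRule has no `metadata.namespace`, while every other resource in this commit is moved to `{{ include "vault.namespace" . }}`; the object therefore lands in `.Release.Namespace`, which is presumably what the helper exists to override, and a Prometheus Operator watching only the Vault namespace may not pick it up. Adding `namespace: {{ include "vault.namespace" . }}` under `metadata:` keeps it consistent with the rest of the chart. The ServiceMonitor added in prometheus-servicemonitor.yaml below has the same omission, even though its `namespaceSelector.matchNames` already uses the helper.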
diff --git a/helm/vault/templates/prometheus-servicemonitor.yaml b/helm/vault/templates/prometheus-servicemonitor.yaml new file mode 100644 index 0000000..62d924a --- /dev/null +++ b/helm/vault/templates/prometheus-servicemonitor.yaml 
@@ -0,0 +1,58 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{ if or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.serviceMonitor.enabled) }} +--- +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "vault.fullname" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}} + {{- $selectors := .Values.serverTelemetry.serviceMonitor.selectors }} + {{- if $selectors }} + {{- toYaml $selectors | nindent 4 }} + {{- else }} + release: prometheus + {{- end }} +spec: + selector: + matchLabels: + app.kubernetes.io/name: {{ template "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if eq .mode "ha" }} + vault-active: "true" + {{- else }} + vault-internal: "true" + {{- end }} + endpoints: + - port: {{ include "vault.scheme" . }} + interval: {{ .Values.serverTelemetry.serviceMonitor.interval }} + scrapeTimeout: {{ .Values.serverTelemetry.serviceMonitor.scrapeTimeout }} + scheme: {{ include "vault.scheme" . | lower }} + path: /v1/sys/metrics + params: + format: + - prometheus + {{- with .Values.serverTelemetry.serviceMonitor.tlsConfig }} + tlsConfig: + {{- toYaml . | nindent 6 }} + {{- else }} + tlsConfig: + insecureSkipVerify: true + {{- end }} + {{- with .Values.serverTelemetry.serviceMonitor.authorization }} + authorization: + {{- toYaml . | nindent 6 }} + {{- end }} + namespaceSelector: + matchNames: + - {{ include "vault.namespace" . }} +{{ end }} diff --git a/helm/vault/templates/server-clusterrolebinding.yaml b/helm/vault/templates/server-clusterrolebinding.yaml index e5e0f5f..14ec838 100644 --- a/helm/vault/templates/server-clusterrolebinding.yaml 
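Review bot: When `serverTelemetry.serviceMonitor.tlsConfig` is unset the `{{- else }}` branch renders `tlsConfig:` with `insecureSkipVerify: true`, so a TLS scrape of `/v1/sys/metrics` accepts any certificate by default, and nothing in the template makes that fail-open choice visible to the operator. A comment above the branch such as `{{- /* no tlsConfig supplied: certificate verification is disabled; set serviceMonitor.tlsConfig (ca, serverName) for production */ -}}`, mirrored in values.yaml, would make it explicit. The `authorization` block being emitted only when set is the right shape for a bearer-token scrape.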
+++ b/helm/vault/templates/server-clusterrolebinding.yaml @@ -1,5 +1,10 @@ -{{ template "vault.mode" . }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.authDelegator.enabled | toString) "true") }} +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.serverAuthDelegator" . }} +{{- if .serverAuthDelegator -}} {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} apiVersion: rbac.authorization.k8s.io/v1 {{- else }} @@ -20,5 +25,5 @@ roleRef: subjects: - kind: ServiceAccount name: {{ template "vault.serviceAccount.name" . }} - namespace: {{ .Release.Namespace }} -{{ end }} + namespace: {{ include "vault.namespace" . }} +{{ end }} \ No newline at end of file diff --git a/helm/vault/templates/server-config-configmap.yaml b/helm/vault/templates/server-config-configmap.yaml index b8093ad..1fed2e6 100644 --- a/helm/vault/templates/server-config-configmap.yaml +++ b/helm/vault/templates/server-config-configmap.yaml 
@@ -1,38 +1,31 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq (.Values.global.enabled | toString) "true") (ne .mode "dev") -}} +{{- if .serverEnabled -}} +{{- if ne .mode "dev" -}} {{ if or (.Values.server.standalone.config) (.Values.server.ha.config) -}} apiVersion: v1 kind: ConfigMap metadata: name: {{ template "vault.fullname" . }}-config - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- if .Values.server.includeConfigAnnotation }} + annotations: + vault.hashicorp.com/config-checksum: {{ include "vault.config" . | sha256sum }} +{{- end }} data: extraconfig-from-values.hcl: |- - {{- if or (eq .mode "ha") (eq .mode "standalone") }} - {{- $type := typeOf (index .Values.server .mode).config }} - {{- if eq $type "string" }} - disable_mlock = true - {{- if eq .mode "standalone" }} - {{ tpl .Values.server.standalone.config . | nindent 4 | trim }} - {{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "false") }} - {{ tpl .Values.server.ha.config . | nindent 4 | trim }} - {{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }} - {{ tpl .Values.server.ha.raft.config . | nindent 4 | trim }} - {{ end }} - {{- else }} - {{- if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }} -{{ merge (dict "disable_mlock" true) (index .Values.server .mode).raft.config | toPrettyJson | indent 4 }} - {{- else }} -{{ merge (dict "disable_mlock" true) (index .Values.server .mode).config | toPrettyJson | indent 4 }} - {{- end }} - {{- end }} - {{- end }} + {{ template "vault.config" . }} +{{- end }} {{- end }} {{- end }} {{- end }} 
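Review bot: The `{{- if ne .mode "external" }}` guard is kept in front of the new `{{- if .serverEnabled -}}` here, whereas server-discovery-role.yaml and server-discovery-rolebinding.yaml in this commit replace the mode check with `.serverEnabled` alone and server-psp-role.yaml pairs it with `ne .mode ""`. If the `vault.mode` helper folds the external case into `.serverEnabled` (the helper is not visible here), the extra level and its matching `{{- end }}` are redundant; if it does not, the discovery templates are the ones missing the guard. Either way the server templates should agree on one pattern, and a short comment on the helper stating what `.serverEnabled` covers would settle it.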
diff --git a/helm/vault/templates/server-discovery-role.yaml b/helm/vault/templates/server-discovery-role.yaml index 4a39cec..0cbdefa 100644 --- a/helm/vault/templates/server-discovery-role.yaml +++ b/helm/vault/templates/server-discovery-role.yaml @@ -1,10 +1,16 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} -{{- if ne .mode "external" }} -{{- if and (eq .mode "ha" ) (eq (.Values.global.enabled | toString) "true") }} +{{- if .serverEnabled -}} +{{- if eq .mode "ha" }} +{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} name: {{ template "vault.fullname" . }}-discovery-role labels: helm.sh/chart: {{ include "vault.chart" . }} @@ -17,3 +23,4 @@ rules: verbs: ["get", "watch", "list", "update", "patch"] {{ end }} {{ end }} +{{ end }} diff --git a/helm/vault/templates/server-discovery-rolebinding.yaml b/helm/vault/templates/server-discovery-rolebinding.yaml index 4752665..87b0f61 100644 --- a/helm/vault/templates/server-discovery-rolebinding.yaml +++ b/helm/vault/templates/server-discovery-rolebinding.yaml @@ -1,6 +1,12 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} -{{- if ne .mode "external" }} -{{- if and (eq .mode "ha" ) (eq (.Values.global.enabled | toString) "true") }} +{{- if .serverEnabled -}} +{{- if eq .mode "ha" }} +{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }} {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} apiVersion: rbac.authorization.k8s.io/v1 {{- else }} 
@@ -9,7 +15,7 @@ apiVersion: rbac.authorization.k8s.io/v1beta1 kind: RoleBinding metadata: name: {{ template "vault.fullname" . }}-discovery-rolebinding - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} @@ -22,6 +28,7 @@ roleRef: subjects: - kind: ServiceAccount name: {{ template "vault.serviceAccount.name" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} +{{ end }} {{ end }} {{ end }} diff --git a/helm/vault/templates/server-disruptionbudget.yaml b/helm/vault/templates/server-disruptionbudget.yaml index c8f0388..bbe9eb2 100644 --- a/helm/vault/templates/server-disruptionbudget.yaml +++ b/helm/vault/templates/server-disruptionbudget.yaml @@ -1,13 +1,19 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if ne .mode "external" -}} -{{- if and (eq (.Values.global.enabled | toString) "true") (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}} +{{- if .serverEnabled -}} +{{- if and (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}} # PodDisruptionBudget to prevent degrading the server cluster through # voluntary cluster changes. apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: {{ template "vault.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} @@ -22,3 +28,4 @@ spec: component: server {{- end -}} {{- end -}} +{{- end -}} diff --git a/helm/vault/templates/server-ha-active-service.yaml b/helm/vault/templates/server-ha-active-service.yaml index c2a4f02..9d2abfb 100644 --- a/helm/vault/templates/server-ha-active-service.yaml +++ b/helm/vault/templates/server-ha-active-service.yaml 
@@ -1,42 +1,64 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} +{{- if eq .mode "ha" }} +{{- if eq (.Values.server.service.active.enabled | toString) "true" }} # Service for active Vault pod apiVersion: v1 kind: Service metadata: name: {{ template "vault.fullname" . }}-active - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} + vault-active: "true" annotations: -{{ template "vault.service.annotations" .}} +{{- template "vault.service.active.annotations" . }} +{{- template "vault.service.annotations" . }} spec: {{- if .Values.server.service.type}} type: {{ .Values.server.service.type }} {{- end}} + {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} + {{- if .Values.server.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }} + {{- end }} + {{- if .Values.server.service.ipFamilies }} + ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }} + {{- end }} + {{- end }} {{- if .Values.server.service.clusterIP }} clusterIP: {{ .Values.server.service.clusterIP }} {{- end }} {{- include "service.externalTrafficPolicy" .Values.server.service }} - publishNotReadyAddresses: true + publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} ports: - name: {{ include "vault.scheme" . 
}} port: {{ .Values.server.service.port }} targetPort: {{ .Values.server.service.targetPort }} - {{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }} - nodePort: {{ .Values.server.service.nodePort }} + {{- if and (.Values.server.service.activeNodePort) (eq (.Values.server.service.type | toString) "NodePort") }} + nodePort: {{ .Values.server.service.activeNodePort }} {{- end }} - name: https-internal port: 8201 targetPort: 8201 selector: app.kubernetes.io/name: {{ include "vault.name" . }} + {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }} app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} component: server vault-active: "true" {{- end }} {{- end }} +{{- end }} +{{- end }} diff --git a/helm/vault/templates/server-ha-standby-service.yaml b/helm/vault/templates/server-ha-standby-service.yaml index fef92a1..bae1e28 100644 --- a/helm/vault/templates/server-ha-standby-service.yaml +++ b/helm/vault/templates/server-ha-standby-service.yaml 
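Review bot: Guarding `app.kubernetes.io/instance` in the selector with `server.service.instanceSelector.enabled` means that when the flag is false the active Service matches any pod in the namespace carrying the same `app.kubernetes.io/name` label and `vault-active: "true"`, including pods from a different release; that is presumably the intended cross-release use case, but it changes which pods receive the cluster's traffic and deserves a one-line comment, e.g. `{{- /* instanceSelector.enabled=false selects Vault pods of any release in this namespace */ -}}`. `publishNotReadyAddresses` now comes straight from values; if the key is absent it renders empty and the API server defaults it to false, which differs from the previous hard-coded `true`, so the values default should be checked. The standby Service hunk in server-ha-standby-service.yaml carries both of the same changes.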
@@ -1,42 +1,63 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} +{{- if eq .mode "ha" }} +{{- if eq (.Values.server.service.standby.enabled | toString) "true" }} # Service for standby Vault pod apiVersion: v1 kind: Service metadata: name: {{ template "vault.fullname" . }}-standby - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} annotations: -{{ template "vault.service.annotations" .}} +{{- template "vault.service.standby.annotations" . }} +{{- template "vault.service.annotations" . }} spec: {{- if .Values.server.service.type}} type: {{ .Values.server.service.type }} {{- end}} + {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} + {{- if .Values.server.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }} + {{- end }} + {{- if .Values.server.service.ipFamilies }} + ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }} + {{- end }} + {{- end }} {{- if .Values.server.service.clusterIP }} clusterIP: {{ .Values.server.service.clusterIP }} {{- end }} {{- include "service.externalTrafficPolicy" .Values.server.service }} - publishNotReadyAddresses: true + publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} ports: - name: {{ include "vault.scheme" . 
}} port: {{ .Values.server.service.port }} targetPort: {{ .Values.server.service.targetPort }} - {{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }} - nodePort: {{ .Values.server.service.nodePort }} + {{- if and (.Values.server.service.standbyNodePort) (eq (.Values.server.service.type | toString) "NodePort") }} + nodePort: {{ .Values.server.service.standbyNodePort }} {{- end }} - name: https-internal port: 8201 targetPort: 8201 selector: app.kubernetes.io/name: {{ include "vault.name" . }} + {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }} app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} component: server vault-active: "false" {{- end }} {{- end }} +{{- end }} +{{- end }} diff --git a/helm/vault/templates/server-headless-service.yaml b/helm/vault/templates/server-headless-service.yaml index a37c639..c0f4d34 100644 --- a/helm/vault/templates/server-headless-service.yaml +++ b/helm/vault/templates/server-headless-service.yaml 
@@ -1,20 +1,35 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} # Service for Vault cluster apiVersion: v1 kind: Service metadata: name: {{ template "vault.fullname" . }}-internal - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} + vault-internal: "true" annotations: {{ template "vault.service.annotations" .}} spec: + {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} + {{- if .Values.server.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }} + {{- end }} + {{- if .Values.server.service.ipFamilies }} + ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }} + {{- end }} + {{- end }} clusterIP: None publishNotReadyAddresses: true ports: diff --git a/helm/vault/templates/server-ingress.yaml b/helm/vault/templates/server-ingress.yaml index 48c76a8..d796bae 100644 --- a/helm/vault/templates/server-ingress.yaml +++ b/helm/vault/templates/server-ingress.yaml 
@@ -1,26 +1,27 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- if not .Values.global.openshift }} {{ template "vault.mode" . }} {{- if ne .mode "external" }} {{- if .Values.server.ingress.enabled -}} {{- $extraPaths := .Values.server.ingress.extraPaths -}} {{- $serviceName := include "vault.fullname" . -}} -{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.ingress.activeService | toString) "true") }} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} +{{- if and (eq .mode "ha" ) (eq (.Values.server.ingress.activeService | toString) "true") }} {{- $serviceName = printf "%s-%s" $serviceName "active" -}} {{- end }} {{- $servicePort := .Values.server.service.port -}} {{- $pathType := .Values.server.ingress.pathType -}} {{- $kubeVersion := .Capabilities.KubeVersion.Version }} -{{ if semverCompare ">= 1.19.0-0" $kubeVersion }} apiVersion: networking.k8s.io/v1 -{{ else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }} -apiVersion: networking.k8s.io/v1beta1 -{{ else }} -apiVersion: extensions/v1beta1 -{{ end }} kind: Ingress metadata: name: {{ template "vault.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} @@ -54,21 +55,15 @@ spec: {{- end }} {{- range (.paths | default (list "/")) }} - path: {{ . }} - {{ if semverCompare ">= 1.19.0-0" $kubeVersion }} pathType: {{ $pathType }} - {{ end }} backend: - {{ if semverCompare ">= 1.19.0-0" $kubeVersion }} service: name: {{ $serviceName }} port: number: {{ $servicePort }} - {{ else }} - serviceName: {{ $serviceName }} - servicePort: {{ $servicePort }} - {{ end }} {{- end }} {{- end }} {{- end }} {{- end }} {{- end }} +{{- end }} 
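Review bot: `{{- $kubeVersion := .Capabilities.KubeVersion.Version }}` in server-ingress.yaml is now dead: the first hunk drops the `semverCompare ">= 1.19.0-0"` apiVersion branch and the second hunk drops the pathType/backend branches, so nothing reads `$kubeVersion` any more. Go templates do not flag unused variables, so it will linger until someone removes that line; it belongs in this change. Gating the whole file on `.serverServiceEnabled` also means no Ingress renders when `server.service.enabled` is false, where previously only the `-active` suffix of the backend name depended on it — reasonable, since the backend Service would not exist, but worth a sentence in the chart's upgrade notes.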
diff --git a/helm/vault/templates/server-network-policy.yaml b/helm/vault/templates/server-network-policy.yaml index 5f4c21a..43dcdb1 100644 --- a/helm/vault/templates/server-network-policy.yaml +++ b/helm/vault/templates/server-network-policy.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- if eq (.Values.server.networkPolicy.enabled | toString) "true" }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy @@ -11,14 +16,7 @@ spec: matchLabels: app.kubernetes.io/name: {{ template "vault.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} - ingress: - - from: - - namespaceSelector: {} - ports: - - port: 8200 - protocol: TCP - - port: 8201 - protocol: TCP + ingress: {{- toYaml .Values.server.networkPolicy.ingress | nindent 4 }} {{- if .Values.server.networkPolicy.egress }} egress: {{- toYaml .Values.server.networkPolicy.egress | nindent 4 }} diff --git a/helm/vault/templates/server-psp-role.yaml b/helm/vault/templates/server-psp-role.yaml index fd12e1e..64cd6c5 100644 --- a/helm/vault/templates/server-psp-role.yaml +++ b/helm/vault/templates/server-psp-role.yaml @@ -1,10 +1,16 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} +{{- if .serverEnabled -}} +{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ template "vault.fullname" . }}-psp - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} @@ -16,3 +22,4 @@ rules: resourceNames: - {{ template "vault.fullname" . }} {{- end }} +{{- end }} 
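Review bot: `ingress: {{- toYaml .Values.server.networkPolicy.ingress | nindent 4 }}` in server-network-policy.yaml is rendered unconditionally, while the egress block just below it stays behind `{{- if .Values.server.networkPolicy.egress }}`, and the effective policy now depends entirely on a values default that is not visible in this diff. If `server.networkPolicy.ingress` is unset or an empty list, the rendered NetworkPolicy selects the Vault pods with no ingress rules, which Kubernetes treats as default-deny for ingress — a silent switch from the removed allow-from-any-namespace rule on 8200/8201 that would cut off clients and the injector. Confirm values.yaml ships the previous rule as the default, and add a comment there such as `# An empty list isolates the server pods for ingress (default-deny); the default reproduces the former allow-all-namespaces rule on 8200/8201.` so operators who override it know the consequence.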
diff --git a/helm/vault/templates/server-psp-rolebinding.yaml b/helm/vault/templates/server-psp-rolebinding.yaml index b2a43c8..342f553 100644 --- a/helm/vault/templates/server-psp-rolebinding.yaml +++ b/helm/vault/templates/server-psp-rolebinding.yaml @@ -1,10 +1,16 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} +{{- if .serverEnabled -}} +{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ template "vault.fullname" . }}-psp - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} @@ -17,3 +23,4 @@ subjects: - kind: ServiceAccount name: {{ template "vault.fullname" . }} {{- end }} +{{- end }} diff --git a/helm/vault/templates/server-psp.yaml b/helm/vault/templates/server-psp.yaml index c4fe200..567e662 100644 --- a/helm/vault/templates/server-psp.yaml +++ b/helm/vault/templates/server-psp.yaml @@ -1,6 +1,12 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }} -apiVersion: policy/v1 +{{- if .serverEnabled -}} +{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} +apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: {{ template "vault.fullname" . }} @@ -45,3 +51,4 @@ spec: max: 65535 readOnlyRootFilesystem: false {{- end }} +{{- end }} diff --git a/helm/vault/templates/server-route.yaml b/helm/vault/templates/server-route.yaml index e122d93..4e95555 100644 --- a/helm/vault/templates/server-route.yaml 
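Review bot: In server-psp.yaml the apiVersion moves from `policy/v1` to `policy/v1beta1`, which is the correct group for PodSecurityPolicy (it was never served under `policy/v1`), but that API was removed in Kubernetes 1.25, so with `global.psp.enable=true` on a 1.25+ cluster the chart renders a resource the API server rejects outright. Since this change already gates fields on `.Capabilities` elsewhere, consider wrapping the PSP template in `{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}` or at least stating the version ceiling next to `global.psp.enable` in values.yaml. The PSP Role and RoleBinding hunks on this line and the previous one share the exposure, as they only matter alongside the policy object.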
+++ b/helm/vault/templates/server-route.yaml @@ -1,3 +1,8 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{- if .Values.global.openshift }} {{- if ne .mode "external" }} {{- if .Values.server.route.enabled -}} @@ -9,7 +14,7 @@ kind: Route apiVersion: route.openshift.io/v1 metadata: name: {{ template "vault.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} diff --git a/helm/vault/templates/server-service.yaml b/helm/vault/templates/server-service.yaml index 00996aa..c12e190 100644 --- a/helm/vault/templates/server-service.yaml +++ b/helm/vault/templates/server-service.yaml @@ -1,12 +1,18 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} # Service for Vault cluster apiVersion: v1 kind: Service metadata: name: {{ template "vault.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} 
@@ -18,13 +24,21 @@ spec: {{- if .Values.server.service.type}} type: {{ .Values.server.service.type }} {{- end}} + {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} + {{- if .Values.server.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }} + {{- end }} + {{- if .Values.server.service.ipFamilies }} + ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }} + {{- end }} + {{- end }} {{- if .Values.server.service.clusterIP }} clusterIP: {{ .Values.server.service.clusterIP }} {{- end }} {{- include "service.externalTrafficPolicy" .Values.server.service }} # We want the servers to become available even if they're not ready # since this DNS is also used for join operations. - publishNotReadyAddresses: true + publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} ports: - name: {{ include "vault.scheme" . }} port: {{ .Values.server.service.port }} @@ -37,7 +51,9 @@ spec: targetPort: 8201 selector: app.kubernetes.io/name: {{ include "vault.name" . }} + {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }} app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} component: server {{- end }} {{- end }} diff --git a/helm/vault/templates/server-serviceaccount-secret.yaml b/helm/vault/templates/server-serviceaccount-secret.yaml new file mode 100644 index 0000000..74d70f9 --- /dev/null +++ b/helm/vault/templates/server-serviceaccount-secret.yaml 
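Review bot: `publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}` leaves the two-line comment above it ("We want the servers to become available even if they're not ready…") describing a value that is now operator-controlled, and an unset value renders as an empty scalar, i.e. `false`, the opposite of the previous hard-coded `true` that raft joins through the headless DNS rely on. `| default true` would not help here, because Sprig's `default` treats an explicit `false` as empty and would override it. Confirm values.yaml defaults it to `true` and reword the comment to `# Defaults to true so the DNS used for raft join resolves servers before they are ready; server.service.publishNotReadyAddresses=false changes this.` The new `instanceSelector.enabled` gate deserves a one-line comment as well: with it off, the Service selects pods of any release in the namespace that share the name and component labels.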
@@ -0,0 +1,21 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.serverServiceAccountSecretCreationEnabled" . }} +{{- if .serverServiceAccountSecretCreationEnabled -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "vault.serviceAccount.name" . }}-token + namespace: {{ include "vault.namespace" . }} + annotations: + kubernetes.io/service-account.name: {{ template "vault.serviceAccount.name" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +type: kubernetes.io/service-account-token +{{ end }} \ No newline at end of file diff --git a/helm/vault/templates/server-serviceaccount.yaml b/helm/vault/templates/server-serviceaccount.yaml index 925b166..216ea61 100644 --- a/helm/vault/templates/server-serviceaccount.yaml +++ b/helm/vault/templates/server-serviceaccount.yaml @@ -1,16 +1,22 @@ -{{ template "vault.mode" . }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }} -{{- if (eq (.Values.server.serviceAccount.create | toString) "true" ) }} +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.serverServiceAccountEnabled" . }} +{{- if .serverServiceAccountEnabled -}} apiVersion: v1 kind: ServiceAccount metadata: name: {{ template "vault.serviceAccount.name" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- if .Values.server.serviceAccount.extraLabels -}} + {{- toYaml .Values.server.serviceAccount.extraLabels | nindent 4 -}} + {{- end -}} {{ template "vault.serviceAccount.annotations" . }} {{ end }} -{{ end }} 
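Review bot: server-serviceaccount-secret.yaml creates a `kubernetes.io/service-account-token` Secret — a non-expiring, controller-populated token for the server service account — with no comment on why it exists (presumably so the Kubernetes auth method has a stable `token_reviewer_jwt` on clusters that no longer auto-create such tokens). A header comment along the lines of `# Long-lived service-account token; only needed where the projected token cannot serve as the token reviewer JWT. Anyone able to read this Secret holds the server's identity.` would make the trade-off visible to operators deciding whether to enable it. The file also ends without a trailing newline (`\ No newline at end of file`), which yamllint and Prettier will flag.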
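Review bot: In server-serviceaccount.yaml the `{{- if .Values.server.serviceAccount.extraLabels -}}` / `{{- toYaml … | nindent 4 -}}` / `{{- end -}}` trio trims whitespace on both sides in both branches, so the line break between the last label and whatever `vault.serviceAccount.annotations` emits is removed whether or not `extraLabels` is set. That renders correctly only if the helper begins its output with a newline; worth confirming against `_helpers.tpl` (not in this diff), or simply dropping the right-hand trim so the closing line reads `{{- end }}`.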
diff --git a/helm/vault/templates/server-statefulset.yaml b/helm/vault/templates/server-statefulset.yaml index cbcda96..0d8e604 100644 --- a/helm/vault/templates/server-statefulset.yaml +++ b/helm/vault/templates/server-statefulset.yaml @@ -1,12 +1,18 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }} +{{- if ne .mode "" }} +{{- if .serverEnabled -}} # StatefulSet to run the actual vault server cluster. apiVersion: apps/v1 kind: StatefulSet metadata: name: {{ template "vault.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} @@ -18,6 +24,9 @@ spec: replicas: {{ template "vault.replicas" . }} updateStrategy: type: {{ .Values.server.updateStrategyType }} + {{- if and (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) (.Values.server.persistentVolumeClaimRetentionPolicy) }} + persistentVolumeClaimRetentionPolicy: {{ toYaml .Values.server.persistentVolumeClaimRetentionPolicy | nindent 4 }} + {{- end }} selector: matchLabels: app.kubernetes.io/name: {{ template "vault.name" . }} @@ -36,6 +45,7 @@ spec: {{ template "vault.annotations" . }} spec: {{ template "vault.affinity" . }} + {{ template "vault.topologySpreadConstraints" . }} {{ template "vault.tolerations" . }} {{ template "vault.nodeselector" . }} {{- if .Values.server.priorityClassName }} 
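Review bot: The `persistentVolumeClaimRetentionPolicy` block is gated only on `semverCompare ">= 1.23-0"`, but at 1.23 that field sat behind the alpha `StatefulSetAutoDeletePVC` feature gate (off by default, beta from 1.27), so on 1.23–1.26 clusters without the gate the API server drops the field and the operator silently gets no retention policy. More important for a secrets store, a `whenDeleted: Delete` or `whenScaled: Delete` policy removes the Vault data volumes; a comment beside the gate such as `# Needs the StatefulSetAutoDeletePVC feature gate before 1.27; a Delete policy destroys Vault's storage PVCs` would surface both caveats. The StatefulSet spec continues past this hunk.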
@@ -46,17 +56,18 @@ spec: {{ if .Values.server.shareProcessNamespace }} shareProcessNamespace: true {{ end }} + {{- template "server.statefulSet.securityContext.pod" . }} {{- if not .Values.global.openshift }} - securityContext: - runAsNonRoot: true - runAsGroup: {{ .Values.server.gid | default 1000 }} - runAsUser: {{ .Values.server.uid | default 100 }} - fsGroup: {{ .Values.server.gid | default 1000 }} + hostNetwork: {{ .Values.server.hostNetwork }} {{- end }} volumes: {{ template "vault.volumes" . }} - name: home emptyDir: {} + {{- if .Values.server.hostAliases }} + hostAliases: + {{ toYaml .Values.server.hostAliases | nindent 8}} + {{- end }} {{- if .Values.server.extraInitContainers }} initContainers: {{ toYaml .Values.server.extraInitContainers | nindent 8}} @@ -70,10 +81,7 @@ spec: - "/bin/sh" - "-ec" args: {{ template "vault.args" . }} - {{- if not .Values.global.openshift }} - securityContext: - allowPrivilegeEscalation: false - {{- end }} + {{- template "server.statefulSet.securityContext.container" . }} env: - name: HOST_IP valueFrom: @@ -108,7 +116,11 @@ spec: fieldRef: fieldPath: metadata.name - name: VAULT_CLUSTER_ADDR + {{- if .Values.server.ha.clusterAddr }} + value: {{ .Values.server.ha.clusterAddr | quote }} + {{- else }} value: "https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201" + {{- end }} {{- if and (eq (.Values.server.ha.raft.enabled | toString) "true") (eq (.Values.server.ha.raft.setNodeId | toString) "true") }} - name: VAULT_RAFT_NODE_ID valueFrom: 
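Review bot: `hostNetwork: {{ .Values.server.hostNetwork }}` is emitted with no comment on what it implies: with it true the server pod shares the node's network namespace, so 8200/8201 are bound on the node interfaces, most CNIs stop applying pod-selector NetworkPolicy (including the one in this change) to that traffic, and `HOST_IP` and the pod IP coincide. A line at that site or in values.yaml such as `# hostNetwork=true binds the listeners on the node itself; pod NetworkPolicy rules generally no longer isolate them` would help operators weigh it. An unset value renders as an empty scalar (`false`), which preserves the old behaviour, so the gap is documentation rather than logic. The pod securityContext is now delegated to `server.statefulSet.securityContext.pod` and rendered on OpenShift as well, where the inline block used to be skipped; presumably the helper handles that, but it is outside this diff.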
@@ -143,12 +155,15 @@ spec: name: https-internal - containerPort: 8202 name: {{ include "vault.scheme" . }}-rep + {{- if .Values.server.extraPorts -}} + {{ toYaml .Values.server.extraPorts | nindent 12}} + {{- end }} {{- if .Values.server.readinessProbe.enabled }} readinessProbe: {{- if .Values.server.readinessProbe.path }} httpGet: path: {{ .Values.server.readinessProbe.path | quote }} - port: 8200 + port: {{ .Values.server.readinessProbe.port }} scheme: {{ include "vault.scheme" . | upper }} {{- else }} # Check status; unsealed vault servers return 0 @@ -167,10 +182,18 @@ spec: {{- end }} {{- if .Values.server.livenessProbe.enabled }} livenessProbe: + {{- if .Values.server.livenessProbe.execCommand }} + exec: + command: + {{- range (.Values.server.livenessProbe.execCommand) }} + - {{ . | quote }} + {{- end }} + {{- else }} httpGet: path: {{ .Values.server.livenessProbe.path | quote }} - port: 8200 + port: {{ .Values.server.livenessProbe.port }} scheme: {{ include "vault.scheme" . | upper }} + {{- end }} failureThreshold: {{ .Values.server.livenessProbe.failureThreshold }} initialDelaySeconds: {{ .Values.server.livenessProbe.initialDelaySeconds }} periodSeconds: {{ .Values.server.livenessProbe.periodSeconds }} @@ -206,3 +229,4 @@ spec: {{ template "vault.volumeclaims" . }} {{ end }} {{ end }} +{{ end }} diff --git a/helm/vault/templates/tests/server-test.yaml b/helm/vault/templates/tests/server-test.yaml index d983b9d..20e2e5a 100644 --- a/helm/vault/templates/tests/server-test.yaml +++ b/helm/vault/templates/tests/server-test.yaml 
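Review bot: `port: {{ .Values.server.readinessProbe.port }}` and `port: {{ .Values.server.livenessProbe.port }}` replace the hard-coded 8200 with values that, if missing from values.yaml (not visible here) or from a user's older values file, render as `port:` with no value — an invalid probe that fails at apply time rather than at render time. `port: {{ .Values.server.readinessProbe.port | default 8200 }}` (and the same for the liveness probe) keeps the previous behaviour for such callers. The `execCommand` branch is fine as written: each element goes through `quote`, so fragments that look like YAML specials stay strings. The container spec continues outside this hunk.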
@@ -1,11 +1,16 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }} +{{- if .serverEnabled -}} apiVersion: v1 kind: Pod metadata: - name: "{{ .Release.Name }}-server-test" - namespace: {{ .Release.Namespace }} + name: {{ template "vault.fullname" . }}-server-test + namespace: {{ include "vault.namespace" . }} annotations: "helm.sh/hook": test spec: @@ -16,7 +21,7 @@ spec: imagePullPolicy: {{ .Values.server.image.pullPolicy }} env: - name: VAULT_ADDR - value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }} + value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }} {{- include "vault.extraEnvironmentVars" .Values.server | nindent 8 }} command: - /bin/sh diff --git a/helm/vault/templates/ui-service.yaml b/helm/vault/templates/ui-service.yaml index ea27de2..9537084 100644 --- a/helm/vault/templates/ui-service.yaml +++ b/helm/vault/templates/ui-service.yaml @@ -1,12 +1,18 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }} -{{- if eq (.Values.ui.enabled | toString) "true" }} +{{- template "vault.uiEnabled" . -}} +{{- if .uiEnabled -}} + apiVersion: v1 kind: Service metadata: name: {{ template "vault.fullname" . }}-ui - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }}-ui 
@@ -14,6 +20,14 @@ metadata: app.kubernetes.io/managed-by: {{ .Release.Service }} {{- template "vault.ui.annotations" . }} spec: + {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} + {{- if .Values.ui.serviceIPFamilyPolicy }} + ipFamilyPolicy: {{ .Values.ui.serviceIPFamilyPolicy }} + {{- end }} + {{- if .Values.ui.serviceIPFamilies }} + ipFamilies: {{ .Values.ui.serviceIPFamilies | toYaml | nindent 2 }} + {{- end }} + {{- end }} selector: app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} @@ -34,4 +48,3 @@ spec: {{- include "service.loadBalancer" .Values.ui }} {{- end -}} {{- end }} -{{- end }} diff --git a/helm/vault/values-external.yaml b/helm/vault/values-external.yaml deleted file mode 100644 index 8732db3..0000000 --- a/helm/vault/values-external.yaml +++ /dev/null 
@@ -1,1010 +0,0 @@ -# Available parameters and their default values for the Vault chart. - -global: - # enabled is the master enabled switch. Setting this to true or false - # will enable or disable all the components within this chart by default. - enabled: true - - # Image pull secret to use for registry authentication. - # Alternatively, the value may be specified as an array of strings. - imagePullSecrets: [] - # imagePullSecrets: - # - name: image-pull-secret - - # TLS for end-to-end encrypted transport - tlsDisable: true - - # External vault server address for the injector and CSI provider to use. - # Setting this will disable deployment of a vault server. - externalVaultAddr: "" - - # If deploying to OpenShift - openshift: false - - # Create PodSecurityPolicy for pods - psp: - enable: false - # Annotation for PodSecurityPolicy. - # This is a multi-line templated string map, and can also be set as YAML. - annotations: | - seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default - apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default - seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default - apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default - -injector: - # True if you want to enable vault agent injection. - # @default: global.enabled - enabled: true - - replicas: 1 - - # Configures the port the injector should listen on - port: 8080 - - # If multiple replicas are specified, by default a leader will be determined - # so that only one injector attempts to create TLS certificates. - leaderElector: - enabled: true - - # If true, will enable a node exporter metrics endpoint at /metrics. - metrics: - enabled: false - - # Deprecated: Please use global.externalVaultAddr instead. - externalVaultAddr: "https://vault.bildme.ru" - - # image sets the repo and tag of the vault-k8s image to use for the injector. 
- image: - repository: "hashicorp/vault-k8s" - tag: "0.17.0" - pullPolicy: IfNotPresent - - # agentImage sets the repo and tag of the Vault image to use for the Vault Agent - # containers. This should be set to the official Vault image. Vault 1.3.1+ is - # required. - agentImage: - repository: "hashicorp/vault" - tag: "1.11.2" - - # The default values for the injected Vault Agent containers. - agentDefaults: - # For more information on configuring resources, see the K8s documentation: - # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - cpuLimit: "500m" - cpuRequest: "250m" - memLimit: "128Mi" - memRequest: "64Mi" - - # Default template type for secrets when no custom template is specified. - # Possible values include: "json" and "map". - template: "map" - - # Default values within Agent's template_config stanza. - templateConfig: - exitOnRetryFailure: true - staticSecretRenderInterval: "" - - # Mount Path of the Vault Kubernetes Auth Method. - authPath: "auth/kubernetes" - - # Configures the log verbosity of the injector. - # Supported log levels include: trace, debug, info, warn, error - logLevel: "info" - - # Configures the log format of the injector. Supported log formats: "standard", "json". - logFormat: "standard" - - # Configures all Vault Agent sidecars to revoke their token when shutting down - revokeOnShutdown: false - - webhook: - # Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the - # API Version of the WebHook. - # To block pod creation while webhook is unavailable, set the policy to `Fail` below. - # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy - # - failurePolicy: Ignore - - # matchPolicy specifies the approach to accepting changes based on the rules of - # the MutatingWebhookConfiguration. 
- # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy - # for more details. - # - matchPolicy: Exact - - # timeoutSeconds is the amount of seconds before the webhook request will be ignored - # or fails. - # If it is ignored or fails depends on the failurePolicy - # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#timeouts - # for more details. - # - timeoutSeconds: 30 - - # namespaceSelector is the selector for restricting the webhook to only - # specific namespaces. - # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector - # for more details. - # Example: - # namespaceSelector: - # matchLabels: - # sidecar-injector: enabled - namespaceSelector: {} - - # objectSelector is the selector for restricting the webhook to only - # specific labels. - # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector - # for more details. - # Example: - # objectSelector: - # matchLabels: - # vault-sidecar-injector: enabled - objectSelector: | - matchExpressions: - - key: app.kubernetes.io/name - operator: NotIn - values: - - {{ template "vault.name" . }}-agent-injector - - # Extra annotations to attach to the webhook - annotations: {} - - # Deprecated: please use 'webhook.failurePolicy' instead - # Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the - # API Version of the WebHook. - # To block pod creation while webhook is unavailable, set the policy to `Fail` below. - # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy - # - failurePolicy: Ignore - - # Deprecated: please use 'webhook.namespaceSelector' instead - # namespaceSelector is the selector for restricting the webhook to only - # specific namespaces. 
- # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector - # for more details. - # Example: - # namespaceSelector: - # matchLabels: - # sidecar-injector: enabled - namespaceSelector: {} - - # Deprecated: please use 'webhook.objectSelector' instead - # objectSelector is the selector for restricting the webhook to only - # specific labels. - # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector - # for more details. - # Example: - # objectSelector: - # matchLabels: - # vault-sidecar-injector: enabled - objectSelector: {} - - # Deprecated: please use 'webhook.annotations' instead - # Extra annotations to attach to the webhook - webhookAnnotations: {} - - certs: - # secretName is the name of the secret that has the TLS certificate and - # private key to serve the injector webhook. If this is null, then the - # injector will default to its automatic management mode that will assign - # a service account to the injector to generate its own certificates. - secretName: null - - # caBundle is a base64-encoded PEM-encoded certificate bundle for the CA - # that signed the TLS certificate that the webhook serves. This must be set - # if secretName is non-null, unless an external service like cert-manager is - # keeping the caBundle updated. - caBundle: "" - - # certName and keyName are the names of the files within the secret for - # the TLS cert and private key, respectively. These have reasonable - # defaults but can be customized if necessary. 
- certName: tls.crt - keyName: tls.key - - # Security context for the pod template and the injector container - # The default pod securityContext is: - # runAsNonRoot: true - # runAsGroup: {{ .Values.injector.gid | default 1000 }} - # runAsUser: {{ .Values.injector.uid | default 100 }} - # fsGroup: {{ .Values.injector.gid | default 1000 }} - # and for container is - # allowPrivilegeEscalation: false - # capabilities: - # drop: - # - ALL - securityContext: - pod: {} - container: {} - - resources: {} - # resources: - # requests: - # memory: 256Mi - # cpu: 250m - # limits: - # memory: 256Mi - # cpu: 250m - - # extraEnvironmentVars is a list of extra environment variables to set in the - # injector deployment. - extraEnvironmentVars: {} - # KUBERNETES_SERVICE_HOST: kubernetes.default.svc - - # Affinity Settings for injector pods - # This can either be multi-line string or YAML matching the PodSpec's affinity field. - # Commenting out or setting as empty the affinity variable, will allow - # deployment of multiple replicas to single node services such as Minikube. - affinity: | - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector - app.kubernetes.io/instance: "{{ .Release.Name }}" - component: webhook - topologyKey: kubernetes.io/hostname - - # Topology settings for injector pods - # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ - # This should be either a multi-line string or YAML matching the topologySpreadConstraints array - # in a PodSpec. - topologySpreadConstraints: [] - - # Toleration Settings for injector pods - # This should be either a multi-line string or YAML matching the Toleration array - # in a PodSpec. - tolerations: [] - - # nodeSelector labels for server pod assignment, formatted as a multi-line string or YAML map. 
- # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - # Example: - # nodeSelector: - # beta.kubernetes.io/arch: amd64 - nodeSelector: {} - - # Priority class for injector pods - priorityClassName: "" - - # Extra annotations to attach to the injector pods - # This can either be YAML or a YAML-formatted multi-line templated string map - # of the annotations to apply to the injector pods - annotations: {} - - # Extra labels to attach to the agent-injector - # This should be a YAML map of the labels to apply to the injector - extraLabels: {} - - # Should the injector pods run on the host network (useful when using - # an alternate CNI in EKS) - hostNetwork: false - - # Injector service specific config - service: - # Extra annotations to attach to the injector service - annotations: {} - - # Injector serviceAccount specific config - serviceAccount: - # Extra annotations to attach to the injector serviceAccount - annotations: {} - - # A disruption budget limits the number of pods of a replicated application - # that are down simultaneously from voluntary disruptions - podDisruptionBudget: {} - # podDisruptionBudget: - # maxUnavailable: 1 - - # strategy for updating the deployment. This can be a multi-line string or a - # YAML map. - strategy: {} - # strategy: | - # rollingUpdate: - # maxSurge: 25% - # maxUnavailable: 25% - # type: RollingUpdate - -server: - # If true, or "-" with global.enabled true, Vault server will be installed. - # See vault.mode in _helpers.tpl for implementation details. - enabled: false - - # [Enterprise Only] This value refers to a Kubernetes secret that you have - # created that contains your enterprise license. If you are not using an - # enterprise image or if you plan to introduce the license key via another - # route, then leave secretName blank ("") or set it to null. - # Requires Vault Enterprise 1.8 or later. - enterpriseLicense: - # The name of the Kubernetes secret that holds the enterprise license. 
The - # secret must be in the same namespace that Vault is installed into. - secretName: "" - # The key within the Kubernetes secret that holds the enterprise license. - secretKey: "license" - - # Resource requests, limits, etc. for the server cluster placement. This - # should map directly to the value of the resources field for a PodSpec. - # By default no direct resource request is made. - - image: - repository: "hashicorp/vault" - tag: "1.11.2" - # Overrides the default Image Pull Policy - pullPolicy: IfNotPresent - - # Configure the Update Strategy Type for the StatefulSet - # See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies - updateStrategyType: "OnDelete" - - # Configure the logging verbosity for the Vault server. - # Supported log levels include: trace, debug, info, warn, error - logLevel: "" - - # Configure the logging format for the Vault server. - # Supported log formats include: standard, json - logFormat: "" - - resources: {} - # resources: - # requests: - # memory: 256Mi - # cpu: 250m - # limits: - # memory: 256Mi - # cpu: 250m - - # Ingress allows ingress services to be created to allow external access - # from Kubernetes to access Vault pods. - # If deployment is on OpenShift, the following block is ignored. - # In order to expose the service, use the route section below - ingress: - enabled: false - labels: {} - # traffic: external - annotations: {} - # | - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - # or - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - - # Optionally use ingressClassName instead of deprecated annotation. - # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#deprecated-annotation - ingressClassName: "" - - # As of Kubernetes 1.19, all Ingress Paths must have a pathType configured. The default value below should be sufficient in most cases. 
- # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types for other possible values. - pathType: Prefix - - # When HA mode is enabled and K8s service registration is being used, - # configure the ingress to point to the Vault active service. - activeService: true - hosts: - - host: chart-example.local - paths: [] - ## Extra paths to prepend to the host configuration. This is useful when working with annotation based services. - extraPaths: [] - # - path: /* - # backend: - # service: - # name: ssl-redirect - # port: - # number: use-annotation - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - - # OpenShift only - create a route to expose the service - # By default the created route will be of type passthrough - route: - enabled: false - - # When HA mode is enabled and K8s service registration is being used, - # configure the route to point to the Vault active service. - activeService: true - - labels: {} - annotations: {} - host: chart-example.local - # tls will be passed directly to the route's TLS config, which - # can be used to configure other termination methods that terminate - # TLS at the router - tls: - termination: passthrough - - # authDelegator enables a cluster role binding to be attached to the service - # account. This cluster role binding can be used to setup Kubernetes auth - # method. https://www.vaultproject.io/docs/auth/kubernetes.html - authDelegator: - enabled: true - - # extraInitContainers is a list of init containers. Specified as a YAML list. - # This is useful if you need to run a script to provision TLS certificates or - # write out configuration files in a dynamic way. - extraInitContainers: null - # # This example installs a plugin pulled from github into the /usr/local/libexec/vault/oauthapp folder, - # # which is defined in the volumes value. 
- # - name: oauthapp - # image: "alpine" - # command: [sh, -c] - # args: - # - cd /tmp && - # wget https://github.com/puppetlabs/vault-plugin-secrets-oauthapp/releases/download/v1.2.0/vault-plugin-secrets-oauthapp-v1.2.0-linux-amd64.tar.xz -O oauthapp.xz && - # tar -xf oauthapp.xz && - # mv vault-plugin-secrets-oauthapp-v1.2.0-linux-amd64 /usr/local/libexec/vault/oauthapp && - # chmod +x /usr/local/libexec/vault/oauthapp - # volumeMounts: - # - name: plugins - # mountPath: /usr/local/libexec/vault - - # extraContainers is a list of sidecar containers. Specified as a YAML list. - extraContainers: null - - # shareProcessNamespace enables process namespace sharing between Vault and the extraContainers - # This is useful if Vault must be signaled, e.g. to send a SIGHUP for log rotation - shareProcessNamespace: false - - # extraArgs is a string containing additional Vault server arguments. - extraArgs: "" - - # Used to define custom readinessProbe settings - readinessProbe: - enabled: true - # If you need to use a http path instead of the default exec - # path: /v1/sys/health?standbyok=true - - # When a probe fails, Kubernetes will try failureThreshold times before giving up - failureThreshold: 2 - # Number of seconds after the container has started before probe initiates - initialDelaySeconds: 5 - # How often (in seconds) to perform the probe - periodSeconds: 5 - # Minimum consecutive successes for the probe to be considered successful after having failed - successThreshold: 1 - # Number of seconds after which the probe times out. 
- timeoutSeconds: 3 - # Used to enable a livenessProbe for the pods - livenessProbe: - enabled: false - path: "/v1/sys/health?standbyok=true" - # When a probe fails, Kubernetes will try failureThreshold times before giving up - failureThreshold: 2 - # Number of seconds after the container has started before probe initiates - initialDelaySeconds: 60 - # How often (in seconds) to perform the probe - periodSeconds: 5 - # Minimum consecutive successes for the probe to be considered successful after having failed - successThreshold: 1 - # Number of seconds after which the probe times out. - timeoutSeconds: 3 - - # Optional duration in seconds the pod needs to terminate gracefully. - # See: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ - terminationGracePeriodSeconds: 10 - - # Used to set the sleep time during the preStop step - preStopSleepSeconds: 5 - - # Used to define commands to run after the pod is ready. - # This can be used to automate processes such as initialization - # or boostrapping auth methods. - postStart: [] - # - /bin/sh - # - -c - # - /vault/userconfig/myscript/run.sh - - # extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be - # used to include variables required for auto-unseal. - extraEnvironmentVars: {} - # GOOGLE_REGION: global - # GOOGLE_PROJECT: myproject - # GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/myproject/myproject-creds.json - - # extraSecretEnvironmentVars is a list of extra environment variables to set with the stateful set. - # These variables take value from existing Secret objects. - extraSecretEnvironmentVars: [] - # - envName: AWS_SECRET_ACCESS_KEY - # secretName: vault - # secretKey: AWS_SECRET_ACCESS_KEY - - # Deprecated: please use 'volumes' instead. - # extraVolumes is a list of extra volumes to mount. These will be exposed - # to Vault in the path `/vault/userconfig//`. The value below is - # an array of objects, examples are shown below. 
- extraVolumes: [] - # - type: secret (or "configMap") - # name: my-secret - # path: null # default is `/vault/userconfig` - - # volumes is a list of volumes made available to all containers. These are rendered - # via toYaml rather than pre-processed like the extraVolumes value. - # The purpose is to make it easy to share volumes between containers. - volumes: null - # - name: plugins - # emptyDir: {} - - # volumeMounts is a list of volumeMounts for the main server container. These are rendered - # via toYaml rather than pre-processed like the extraVolumes value. - # The purpose is to make it easy to share volumes between containers. - volumeMounts: null - # - mountPath: /usr/local/libexec/vault - # name: plugins - # readOnly: true - - # Affinity Settings - # Commenting out or setting as empty the affinity variable, will allow - # deployment to single node services such as Minikube - # This should be either a multi-line string or YAML matching the PodSpec's affinity field. - affinity: | - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app.kubernetes.io/name: {{ template "vault.name" . }} - app.kubernetes.io/instance: "{{ .Release.Name }}" - component: server - topologyKey: kubernetes.io/hostname - - # Topology settings for server pods - # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ - # This should be either a multi-line string or YAML matching the topologySpreadConstraints array - # in a PodSpec. - topologySpreadConstraints: [] - - # Toleration Settings for server pods - # This should be either a multi-line string or YAML matching the Toleration array - # in a PodSpec. - tolerations: [] - - # nodeSelector labels for server pod assignment, formatted as a multi-line string or YAML map. 
- # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - # Example: - # nodeSelector: - # beta.kubernetes.io/arch: amd64 - nodeSelector: {} - - # Enables network policy for server pods - networkPolicy: - enabled: false - egress: [] - # egress: - # - to: - # - ipBlock: - # cidr: 10.0.0.0/24 - # ports: - # - protocol: TCP - # port: 443 - - # Priority class for server pods - priorityClassName: "" - - # Extra labels to attach to the server pods - # This should be a YAML map of the labels to apply to the server pods - extraLabels: {} - - # Extra annotations to attach to the server pods - # This can either be YAML or a YAML-formatted multi-line templated string map - # of the annotations to apply to the server pods - annotations: {} - - # Enables a headless service to be used by the Vault Statefulset - service: - enabled: true - # clusterIP controls whether a Cluster IP address is attached to the - # Vault service within Kubernetes. By default the Vault service will - # be given a Cluster IP address, set to None to disable. When disabled - # Kubernetes will create a "headless" service. Headless services can be - # used to communicate with pods directly through DNS instead of a round robin - # load balancer. - # clusterIP: None - - # Configures the service type for the main Vault service. Can be ClusterIP - # or NodePort. - #type: ClusterIP - - # Do not wait for pods to be ready - publishNotReadyAddresses: true - - # The externalTrafficPolicy can be set to either Cluster or Local - # and is only valid for LoadBalancer and NodePort service types. - # The default value is Cluster. - # ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-traffic-policy - externalTrafficPolicy: Cluster - - # If type is set to "NodePort", a specific nodePort value can be configured, - # will be random if left blank. 
- #nodePort: 30000 - - # When HA mode is enabled - # If type is set to "NodePort", a specific nodePort value can be configured, - # will be random if left blank. - #activeNodePort: 30001 - - # When HA mode is enabled - # If type is set to "NodePort", a specific nodePort value can be configured, - # will be random if left blank. - #standbyNodePort: 30002 - - # Port on which Vault server is listening - port: 8200 - # Target port to which the service should be mapped to - targetPort: 8200 - # Extra annotations for the service definition. This can either be YAML or a - # YAML-formatted multi-line templated string map of the annotations to apply - # to the service. - annotations: {} - - # This configures the Vault Statefulset to create a PVC for data - # storage when using the file or raft backend storage engines. - # See https://www.vaultproject.io/docs/configuration/storage/index.html to know more - dataStorage: - enabled: true - # Size of the PVC created - size: 1Gi - # Location where the PVC will be mounted. - mountPath: "/vault/data" - # Name of the storage class to use. If null it will use the - # configured default Storage Class. - storageClass: null - # Access Mode of the storage device being used for the PVC - accessMode: ReadWriteOnce - # Annotations to apply to the PVC - annotations: {} - - # This configures the Vault Statefulset to create a PVC for audit - # logs. Once Vault is deployed, initialized and unsealed, Vault must - # be configured to use this for audit logs. This will be mounted to - # /vault/audit - # See https://www.vaultproject.io/docs/audit/index.html to know more - auditStorage: - enabled: false - # Size of the PVC created - size: 10Gi - # Location where the PVC will be mounted. - mountPath: "/vault/audit" - # Name of the storage class to use. If null it will use the - # configured default Storage Class. 
- storageClass: null - # Access Mode of the storage device being used for the PVC - accessMode: ReadWriteOnce - # Annotations to apply to the PVC - annotations: {} - - # Run Vault in "dev" mode. This requires no further setup, no state management, - # and no initialization. This is useful for experimenting with Vault without - # needing to unseal, store keys, et. al. All data is lost on restart - do not - # use dev mode for anything other than experimenting. - # See https://www.vaultproject.io/docs/concepts/dev-server.html to know more - dev: - enabled: false - - # Set VAULT_DEV_ROOT_TOKEN_ID value - devRootToken: "root" - - # Run Vault in "standalone" mode. This is the default mode that will deploy if - # no arguments are given to helm. This requires a PVC for data storage to use - # the "file" backend. This mode is not highly available and should not be scaled - # past a single replica. - standalone: - enabled: "-" - - # config is a raw string of default configuration when using a Stateful - # deployment. Default is to use a PersistentVolumeClaim mounted at /vault/data - # and store data there. This is only used when using a Replica count of 1, and - # using a stateful set. This should be HCL. - - # Note: Configuration files are stored in ConfigMaps so sensitive data - # such as passwords should be either mounted through extraSecretEnvironmentVars - # or through a Kube secret. For more information see: - # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations - config: | - ui = true - - listener "tcp" { - tls_disable = 1 - address = "[::]:8200" - cluster_address = "[::]:8201" - } - storage "file" { - path = "/vault/data" - } - - # Example configuration for using auto-unseal, using Google Cloud KMS. The - # GKMS keys must already exist, and the cluster must have a service account - # that is authorized to access GCP KMS. 
- #seal "gcpckms" { - # project = "vault-helm-dev" - # region = "global" - # key_ring = "vault-helm-unseal-kr" - # crypto_key = "vault-helm-unseal-key" - #} - - # Run Vault in "HA" mode. There are no storage requirements unless audit log - # persistence is required. In HA mode Vault will configure itself to use Consul - # for its storage backend. The default configuration provided will work the Consul - # Helm project by default. It is possible to manually configure Vault to use a - # different HA backend. - ha: - enabled: true - replicas: 3 - - # Set the api_addr configuration for Vault HA - # See https://www.vaultproject.io/docs/configuration#api_addr - # If set to null, this will be set to the Pod IP Address - apiAddr: null - - # Set the cluster_addr confuguration for Vault HA - # See https://www.vaultproject.io/docs/configuration#cluster_addr - # If set to null, this will be set to https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201 - clusterAddr: null - - # Enables Vault's integrated Raft storage. Unlike the typical HA modes where - # Vault's persistence is external (such as Consul), enabling Raft mode will create - # persistent volumes for Vault to store data according to the configuration under server.dataStorage. - # The Vault cluster will coordinate leader elections and failovers internally. - raft: - - # Enables Raft integrated storage - enabled: true - # Set the Node Raft ID to the name of the pod - setNodeId: false - - # Note: Configuration files are stored in ConfigMaps so sensitive data - # such as passwords should be either mounted through extraSecretEnvironmentVars - # or through a Kube secret. 
For more information see: - # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations - config: | - ui = true - - listener "tcp" { - tls_disable = 1 - address = "[::]:8200" - cluster_address = "[::]:8201" - } - - storage "raft" { - path = "/vault/data" - } - - service_registration "kubernetes" {} - - # config is a raw string of default configuration when using a Stateful - # deployment. Default is to use a Consul for its HA storage backend. - # This should be HCL. - - # Note: Configuration files are stored in ConfigMaps so sensitive data - # such as passwords should be either mounted through extraSecretEnvironmentVars - # or through a Kube secret. For more information see: - # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations - config: | - ui = true - - listener "tcp" { - tls_disable = 1 - address = "[::]:8200" - cluster_address = "[::]:8201" - } - storage "consul" { - path = "vault" - address = "HOST_IP:8500" - } - - service_registration "kubernetes" {} - - # Example configuration for using auto-unseal, using Google Cloud KMS. The - # GKMS keys must already exist, and the cluster must have a service account - # that is authorized to access GCP KMS. - #seal "gcpckms" { - # project = "vault-helm-dev-246514" - # region = "global" - # key_ring = "vault-helm-unseal-kr" - # crypto_key = "vault-helm-unseal-key" - #} - - # A disruption budget limits the number of pods of a replicated application - # that are down simultaneously from voluntary disruptions - disruptionBudget: - enabled: true - - # maxUnavailable will default to (n/2)-1 where n is the number of - # replicas. If you'd like a custom value, you can specify an override here. - maxUnavailable: null - - # Definition of the serviceAccount used to run Vault. - # These options are also used when using an external Vault server to validate - # Kubernetes tokens. 
- serviceAccount: - # Specifies whether a service account should be created - create: true - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "" - # Extra annotations for the serviceAccount definition. This can either be - # YAML or a YAML-formatted multi-line templated string map of the - # annotations to apply to the serviceAccount. - annotations: {} - - # Settings for the statefulSet used to run Vault. - statefulSet: - # Extra annotations for the statefulSet. This can either be YAML or a - # YAML-formatted multi-line templated string map of the annotations to apply - # to the statefulSet. - annotations: {} - - # Set the pod and container security contexts. - # If not set, these will default to, and for *not* OpenShift: - # pod: - # runAsNonRoot: true - # runAsGroup: {{ .Values.server.gid | default 1000 }} - # runAsUser: {{ .Values.server.uid | default 100 }} - # fsGroup: {{ .Values.server.gid | default 1000 }} - # container: {} - # - # If not set, these will default to, and for OpenShift: - # pod: {} - # container: - # allowPrivilegeEscalation: false - securityContext: - pod: {} - container: {} - - -# Vault UI -ui: - # True if you want to create a Service entry for the Vault UI. - # - # serviceType can be used to control the type of service created. For - # example, setting this to "LoadBalancer" will create an external load - # balancer (for supported K8S installations) to access the UI. - enabled: false - publishNotReadyAddresses: true - # The service should only contain selectors for active Vault pod - activeVaultPodOnly: false - serviceType: "ClusterIP" - serviceNodePort: null - externalPort: 8200 - targetPort: 8200 - - # The externalTrafficPolicy can be set to either Cluster or Local - # and is only valid for LoadBalancer and NodePort service types. - # The default value is Cluster. 
- # ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-traffic-policy - externalTrafficPolicy: Cluster - - #loadBalancerSourceRanges: - # - 10.0.0.0/16 - # - 1.78.23.3/32 - - # loadBalancerIP: - - # Extra annotations to attach to the ui service - # This can either be YAML or a YAML-formatted multi-line templated string map - # of the annotations to apply to the ui service - annotations: {} - -# secrets-store-csi-driver-provider-vault -csi: - # True if you want to install a secrets-store-csi-driver-provider-vault daemonset. - # - # Requires installing the secrets-store-csi-driver separately, see: - # https://github.com/kubernetes-sigs/secrets-store-csi-driver#install-the-secrets-store-csi-driver - # - # With the driver and provider installed, you can mount Vault secrets into volumes - # similar to the Vault Agent injector, and you can also sync those secrets into - # Kubernetes secrets. - enabled: false - - image: - repository: "hashicorp/vault-csi-provider" - tag: "1.2.0" - pullPolicy: IfNotPresent - - # volumes is a list of volumes made available to all containers. These are rendered - # via toYaml rather than pre-processed like the extraVolumes value. - # The purpose is to make it easy to share volumes between containers. - volumes: null - # - name: tls - # secret: - # secretName: vault-tls - - # volumeMounts is a list of volumeMounts for the main server container. These are rendered - # via toYaml rather than pre-processed like the extraVolumes value. - # The purpose is to make it easy to share volumes between containers. - volumeMounts: null - # - name: tls - # mountPath: "/vault/tls" - # readOnly: true - - resources: {} - # resources: - # requests: - # cpu: 50m - # memory: 128Mi - # limits: - # cpu: 50m - # memory: 128Mi - - # Settings for the daemonSet used to run the provider. - daemonSet: - updateStrategy: - type: RollingUpdate - maxUnavailable: "" - # Extra annotations for the daemonSet. 
This can either be YAML or a - # YAML-formatted multi-line templated string map of the annotations to apply - # to the daemonSet. - annotations: {} - # Provider host path (must match the CSI provider's path) - providersDir: "/etc/kubernetes/secrets-store-csi-providers" - # Kubelet host path - kubeletRootDir: "/var/lib/kubelet" - # Extra labels to attach to the vault-csi-provider daemonSet - # This should be a YAML map of the labels to apply to the csi provider daemonSet - extraLabels: {} - # security context for the pod template and container in the csi provider daemonSet - securityContext: - pod: {} - container: {} - - pod: - # Extra annotations for the provider pods. This can either be YAML or a - # YAML-formatted multi-line templated string map of the annotations to apply - # to the pod. - annotations: {} - - # Toleration Settings for provider pods - # This should be either a multi-line string or YAML matching the Toleration array - # in a PodSpec. - tolerations: [] - - # Extra labels to attach to the vault-csi-provider pod - # This should be a YAML map of the labels to apply to the csi provider pod - extraLabels: {} - - - - # Priority class for csi pods - priorityClassName: "" - - serviceAccount: - # Extra annotations for the serviceAccount definition. This can either be - # YAML or a YAML-formatted multi-line templated string map of the - # annotations to apply to the serviceAccount. - annotations: {} - - # Extra labels to attach to the vault-csi-provider serviceAccount - # This should be a YAML map of the labels to apply to the csi provider serviceAccount - extraLabels: {} - - # Used to configure readinessProbe for the pods. 
- readinessProbe: - # When a probe fails, Kubernetes will try failureThreshold times before giving up - failureThreshold: 2 - # Number of seconds after the container has started before probe initiates - initialDelaySeconds: 5 - # How often (in seconds) to perform the probe - periodSeconds: 5 - # Minimum consecutive successes for the probe to be considered successful after having failed - successThreshold: 1 - # Number of seconds after which the probe times out. - timeoutSeconds: 3 - # Used to configure livenessProbe for the pods. - livenessProbe: - # When a probe fails, Kubernetes will try failureThreshold times before giving up - failureThreshold: 2 - # Number of seconds after the container has started before probe initiates - initialDelaySeconds: 5 - # How often (in seconds) to perform the probe - periodSeconds: 5 - # Minimum consecutive successes for the probe to be considered successful after having failed - successThreshold: 1 - # Number of seconds after which the probe times out. - timeoutSeconds: 3 - - # Enables debug logging. - debug: false - - # Pass arbitrary additional arguments to vault-csi-provider. - # See https://www.vaultproject.io/docs/platform/k8s/csi/configurations#command-line-arguments - # for the available command line flags. - extraArgs: [] diff --git a/helm/vault/values.openshift.yaml b/helm/vault/values.openshift.yaml index d24ac6e..a1fb346 100644 --- a/helm/vault/values.openshift.yaml +++ b/helm/vault/values.openshift.yaml @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + # These overrides are appropriate defaults for deploying this chart on OpenShift global: 
@@ -6,13 +9,16 @@ global: injector: image: repository: "registry.connect.redhat.com/hashicorp/vault-k8s" - tag: "0.14.2-ubi" + tag: "1.5.0-ubi" agentImage: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.9.2-ubi" + tag: "1.18.1-ubi" server: image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.9.2-ubi" + tag: "1.18.1-ubi" + + readinessProbe: + path: "/v1/sys/health?uninitcode=204" diff --git a/helm/vault/values.schema.json b/helm/vault/values.schema.json index 1544043..34506f9 100644 --- a/helm/vault/values.schema.json +++ b/helm/vault/values.schema.json @@ -5,6 +5,40 @@ "csi": { "type": "object", "properties": { + "agent": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "extraArgs": { + "type": "array" + }, + "image": { + "type": "object", + "properties": { + "pullPolicy": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "logFormat": { + "type": "string" + }, + "logLevel": { + "type": "string" + }, + "resources": { + "type": "object" + } + } + }, "daemonSet": { "type": "object", "properties": { @@ -14,12 +48,32 @@ "string" ] }, + "extraLabels": { + "type": "object" + }, "kubeletRootDir": { "type": "string" }, "providersDir": { "type": "string" }, + "securityContext": { + "type": "object", + "properties": { + "container": { + "type": [ + "object", + "string" + ] + }, + "pod": { + "type": [ + "object", + "string" + ] + } + } + }, "updateStrategy": { "type": "object", "properties": { @@ -33,18 +87,24 @@ } } }, - "priorityClassName": { - "type": "string" - }, "debug": { "type": "boolean" }, "enabled": { - "type": "boolean" + "type": [ + "boolean", + "string" + ] }, "extraArgs": { "type": "array" }, + "hmacSecretName": { + "type": "string" + }, + "hostNetwork": { + "type": "boolean" + }, "image": { "type": "object", "properties": { 
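Review bot: The new `readinessProbe.path: "/v1/sys/health?uninitcode=204"` makes an uninitialized Vault report Ready (Vault answers the `uninitcode` status while uninitialized, and 204 is a probe success), so the pod joins the Service endpoints before anyone has run `vault operator init`; because `sys/init` is unauthenticated, whoever reaches port 8200 first can initialize the server and walk away with the root token and unseal key(s). The path also drops `standbyok=true`, which the chart's suggested http probe path (`/v1/sys/health?standbyok=true`) includes, so if this override is applied to an HA deployment the standby replicas answer 429 and stay NotReady. If the relaxed probe is only meant to let an operator reach the pod for initialization, consider `path: "/v1/sys/health?standbyok=true&uninitcode=204"` together with a `server.networkPolicy` that limits who can reach 8200 until initialization is complete, and note that this file only takes effect when passed with `-f`. This looks like a vendored upstream values file, in which case the change may be intentional upstream, but the exposure window still applies to whatever deployment uses it.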
@@ -79,15 +139,35 @@ } } }, + "logLevel": { + "type": "string" + }, "pod": { "type": "object", "properties": { + "affinity": { + "type": [ + "null", + "object", + "string" + ] + }, "annotations": { "type": [ "object", "string" ] }, + "extraLabels": { + "type": "object" + }, + "nodeSelector": { + "type": [ + "null", + "object", + "string" + ] + }, "tolerations": { "type": [ "null", @@ -97,6 +177,9 @@ } } }, + "priorityClassName": { + "type": "string" + }, "readinessProbe": { "type": "object", "properties": { @@ -128,6 +211,9 @@ "object", "string" ] + }, + "extraLabels": { + "type": "object" } } }, @@ -151,9 +237,15 @@ "enabled": { "type": "boolean" }, + "externalVaultAddr": { + "type": "string" + }, "imagePullSecrets": { "type": "array" }, + "namespace": { + "type": "string" + }, "openshift": { "type": "boolean" }, @@ -171,6 +263,14 @@ } } }, + "serverTelemetry": { + "type": "object", + "properties": { + "prometheusOperator": { + "type": "boolean" + } + } + }, "tlsDisable": { "type": "boolean" } @@ -200,6 +300,12 @@ "memRequest": { "type": "string" }, + "ephemeralLimit": { + "type": "string" + }, + "ephemeralRequest": { + "type": "string" + }, "template": { "type": "string" }, @@ -257,7 +363,10 @@ } }, "enabled": { - "type": "boolean" + "type": [ + "boolean", + "string" + ] }, "externalVaultAddr": { "type": "string" @@ -296,6 +405,26 @@ } } }, + "livenessProbe": { + "type": "object", + "properties": { + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, "logFormat": { "type": "string" }, @@ -321,7 +450,10 @@ ] }, "objectSelector": { - "type": "object" + "type": [ + "object", + "string" + ] }, "podDisruptionBudget": { "type": "object" 
@@ -332,6 +464,26 @@ "priorityClassName": { "type": "string" }, + "readinessProbe": { + "type": "object", + "properties": { + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, "replicas": { "type": "integer" }, @@ -341,6 +493,23 @@ "revokeOnShutdown": { "type": "boolean" }, + "securityContext": { + "type": "object", + "properties": { + "container": { + "type": [ + "object", + "string" + ] + }, + "pod": { + "type": [ + "object", + "string" + ] + } + } + }, "service": { "type": "object", "properties": { @@ -352,6 +521,37 @@ } } }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + } + } + }, + "startupProbe": { + "type": "object", + "properties": { + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, "strategy": { "type": [ "object", @@ -365,6 +565,42 @@ "string" ] }, + "topologySpreadConstraints": { + "type": [ + "null", + "array", + "string" + ] + }, + "webhook": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + }, + "failurePolicy": { + "type": "string" + }, + "matchPolicy": { + "type": "string" + }, + "namespaceSelector": { + "type": "object" + }, + "objectSelector": { + "type": [ + "object", + "string" + ] + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, "webhookAnnotations": { "type": [ "object", @@ -406,6 +642,12 @@ "string" ] }, + "labels": { + "type": [ + "object", + "string" + ] + }, "mountPath": { "type": "string" }, 
@@ -446,6 +688,12 @@ "string" ] }, + "labels": { + "type": [ + "object", + "string" + ] + }, "mountPath": { "type": "string" }, @@ -472,7 +720,10 @@ } }, "enabled": { - "type": "boolean" + "type": [ + "boolean", + "string" + ] }, "enterpriseLicense": { "type": "object", @@ -506,6 +757,12 @@ "extraLabels": { "type": "object" }, + "extraPorts": { + "type": [ + "null", + "array" + ] + }, "extraSecretEnvironmentVars": { "type": "array" }, @@ -521,8 +778,17 @@ "string" ] }, + "clusterAddr": { + "type": [ + "null", + "string" + ] + }, "config": { - "type": "string" + "type": [ + "string", + "object" + ] }, "disruptionBudget": { "type": "object", @@ -545,7 +811,10 @@ "type": "object", "properties": { "config": { - "type": "string" + "type": [ + "string", + "object" + ] }, "enabled": { "type": "boolean" @@ -560,6 +829,12 @@ } } }, + "hostAliases": { + "type": "array" + }, + "hostNetwork": { + "type": "boolean" + }, "image": { "type": "object", "properties": { @@ -574,6 +849,9 @@ } } }, + "includeConfigAnnotation": { + "type": "boolean" + }, "ingress": { "type": "object", "properties": { @@ -626,6 +904,9 @@ "enabled": { "type": "boolean" }, + "execCommand": { + "type": "array" + }, "failureThreshold": { "type": "integer" }, @@ -638,6 +919,9 @@ "periodSeconds": { "type": "integer" }, + "port": { + "type": "integer" + }, "successThreshold": { "type": "integer" }, @@ -660,6 +944,9 @@ }, "enabled": { "type": "boolean" + }, + "ingress": { + "type": "array" } } }, @@ -670,6 +957,17 @@ "string" ] }, + "persistentVolumeClaimRetentionPolicy": { + "type": "object", + "properties": { + "whenDeleted": { + "type": "string" + }, + "whenScaled": { + "type": "string" + } + } + }, "postStart": { "type": "array" }, @@ -694,6 +992,9 @@ "periodSeconds": { "type": "integer" }, + "port": { + "type": "integer" + }, "successThreshold": { "type": "integer" }, 
@@ -725,12 +1026,32 @@ }, "labels": { "type": "object" + }, + "tls": { + "type": "object" } } }, "service": { "type": "object", "properties": { + "active": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + }, + "enabled": { + "type": "boolean" + } + } + }, + "activeNodePort": { + "type": "integer" + }, "annotations": { "type": [ "object", @@ -743,9 +1064,46 @@ "externalTrafficPolicy": { "type": "string" }, + "instanceSelector": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "ipFamilies": { + "type": "array" + }, + "ipFamilyPolicy": { + "type": "string" + }, + "nodePort": { + "type": "integer" + }, "port": { "type": "integer" }, + "publishNotReadyAddresses": { + "type": "boolean" + }, + "standby": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + }, + "enabled": { + "type": "boolean" + } + } + }, + "standbyNodePort": { + "type": "integer" + }, "targetPort": { "type": "integer" } @@ -763,8 +1121,22 @@ "create": { "type": "boolean" }, + "createSecret": { + "type": "boolean" + }, + "extraLabels": { + "type": "object" + }, "name": { "type": "string" + }, + "serviceDiscovery": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } } } }, @@ -775,7 +1147,10 @@ "type": "object", "properties": { "config": { - "type": "string" + "type": [ + "string", + "object" + ] }, "enabled": { "type": [ @@ -793,6 +1168,23 @@ "object", "string" ] + }, + "securityContext": { + "type": "object", + "properties": { + "container": { + "type": [ + "object", + "string" + ] + }, + "pod": { + "type": [ + "object", + "string" + ] + } + } } } }, @@ -806,6 +1198,13 @@ "string" ] }, + "topologySpreadConstraints": { + "type": [ + "null", + "array", + "string" + ] + }, "updateStrategyType": { "type": "string" }, 
@@ -823,6 +1222,48 @@ } } }, + "serverTelemetry": { + "type": "object", + "properties": { + "prometheusRules": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "rules": { + "type": "array" + }, + "selectors": { + "type": "object" + } + } + }, + "serviceMonitor": { + "type": "object", + "properties": { + "authorization": { + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "interval": { + "type": "string" + }, + "scrapeTimeout": { + "type": "string" + }, + "selectors": { + "type": "object" + }, + "tlsConfig": { + "type": "object" + } + } + } + } + }, "ui": { "type": "object", "properties": { @@ -836,7 +1277,10 @@ ] }, "enabled": { - "type": "boolean" + "type": [ + "boolean", + "string" + ] }, "externalPort": { "type": "integer" @@ -847,6 +1291,12 @@ "publishNotReadyAddresses": { "type": "boolean" }, + "serviceIPFamilies": { + "type": "array" + }, + "serviceIPFamilyPolicy": { + "type": "string" + }, "serviceNodePort": { "type": [ "null", diff --git a/helm/vault/values.yaml b/helm/vault/values.yaml index 9c3e752..7d2c2dd 100644 --- a/helm/vault/values.yaml +++ b/helm/vault/values.yaml @@ -1,3 +1,6 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + # Available parameters and their default values for the Vault chart. global: @@ -5,6 +8,9 @@ global: # will enable or disable all the components within this chart by default. enabled: true + # The namespace to deploy to. Defaults to the `helm` installation namespace. + namespace: "" + # Image pull secret to use for registry authentication. # Alternatively, the value may be specified as an array of strings. imagePullSecrets: [] 
@@ -32,10 +38,15 @@ global: seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + serverTelemetry: + # Enable integration with the Prometheus Operator + # See the top level serverTelemetry section below before enabling this feature. + prometheusOperator: false + injector: # True if you want to enable vault agent injection. # @default: global.enabled - enabled: true + enabled: "-" replicas: 1 @@ -57,7 +68,7 @@ injector: # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "0.17.0" + tag: "1.5.0" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent @@ -65,7 +76,7 @@ injector: # required. agentImage: repository: "hashicorp/vault" - tag: "1.11.2" + tag: "1.18.1" # The default values for the injected Vault Agent containers. agentDefaults: @@ -75,6 +86,8 @@ injector: cpuRequest: "250m" memLimit: "128Mi" memRequest: "64Mi" + # ephemeralLimit: "128Mi" + # ephemeralRequest: "64Mi" # Default template type for secrets when no custom template is specified. # Possible values include: "json" and "map". 
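Review bot: The comment above `enabled: "-"` still reads `# True if you want to enable vault agent injection.`, but the new default is the string sentinel `"-"`, which the `server` block in a later hunk documents as following `global.enabled` and this block does not. Suggest `# True to enable vault agent injection, or "-" to follow global.enabled.` so the two blocks read the same way. Since the value is now a string rather than a boolean, the values schema presumably needs `["boolean", "string"]` for `injector.enabled` as it now has for `ui.enabled`; that part of the schema is not in view, so it is worth confirming before the schema rejects the chart's own default.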
@@ -85,6 +98,43 @@ injector: exitOnRetryFailure: true staticSecretRenderInterval: "" + # Used to define custom livenessProbe settings + livenessProbe: + # When a probe fails, Kubernetes will try failureThreshold times before giving up + failureThreshold: 2 + # Number of seconds after the container has started before probe initiates + initialDelaySeconds: 5 + # How often (in seconds) to perform the probe + periodSeconds: 2 + # Minimum consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + # Number of seconds after which the probe times out. + timeoutSeconds: 5 + # Used to define custom readinessProbe settings + readinessProbe: + # When a probe fails, Kubernetes will try failureThreshold times before giving up + failureThreshold: 2 + # Number of seconds after the container has started before probe initiates + initialDelaySeconds: 5 + # How often (in seconds) to perform the probe + periodSeconds: 2 + # Minimum consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + # Number of seconds after which the probe times out. + timeoutSeconds: 5 + # Used to define custom startupProbe settings + startupProbe: + # When a probe fails, Kubernetes will try failureThreshold times before giving up + failureThreshold: 12 + # Number of seconds after the container has started before probe initiates + initialDelaySeconds: 5 + # How often (in seconds) to perform the probe + periodSeconds: 5 + # Minimum consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + # Number of seconds after which the probe times out. + timeoutSeconds: 5 + # Mount Path of the Vault Kubernetes Auth Method. authPath: "auth/kubernetes" 
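Review bot: In the new `livenessProbe` and `readinessProbe` blocks `timeoutSeconds: 5` is larger than `periodSeconds: 2`, so a probe that hangs delays the next one by the whole timeout (kubelet runs each probe worker sequentially), and with `failureThreshold: 2` an unresponsive injector is restarted after roughly two 5 s timeouts; the per-field comments copied next to each value do not say this is intended. Either lower the timeout (the Kubernetes default is 1 s) or raise the period so the pair is consistent, or add `# timeout intentionally exceeds period; a slow webhook is restarted after two timeouts` above the block. The `startupProbe` allows 12 × 5 s = 60 s before liveness takes over, which is worth stating next to `failureThreshold: 12` since it is the only value in the three blocks that differs from the others.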
@@ -101,7 +151,7 @@ injector: webhook: # Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the # API Version of the WebHook. - # To block pod creation while webhook is unavailable, set the policy to `Fail` below. + # To block pod creation while the webhook is unavailable, set the policy to `Fail` below. # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy # failurePolicy: Ignore @@ -192,7 +242,7 @@ injector: # caBundle is a base64-encoded PEM-encoded certificate bundle for the CA # that signed the TLS certificate that the webhook serves. This must be set - # if secretName is non-null, unless an external service like cert-manager is + # if secretName is non-null unless an external service like cert-manager is # keeping the caBundle updated. caBundle: "" @@ -232,7 +282,7 @@ injector: # KUBERNETES_SERVICE_HOST: kubernetes.default.svc # Affinity Settings for injector pods - # This can either be multi-line string or YAML matching the PodSpec's affinity field. + # This can either be a multi-line string or YAML matching the PodSpec's affinity field. # Commenting out or setting as empty the affinity variable, will allow # deployment of multiple replicas to single node services such as Minikube. affinity: | @@ -307,7 +357,7 @@ injector: server: # If true, or "-" with global.enabled true, Vault server will be installed. # See vault.mode in _helpers.tpl for implementation details. - enabled: true + enabled: "-" # [Enterprise Only] This value refers to a Kubernetes secret that you have # created that contains your enterprise license. If you are not using an @@ -327,7 +377,7 @@ server: image: repository: "hashicorp/vault" - tag: "1.11.2" + tag: "1.18.1" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent 
@@ -395,6 +445,12 @@ server: # hosts: # - chart-example.local + # hostAliases is a list of aliases to be added to /etc/hosts. Specified as a YAML list. + hostAliases: [] + # - ip: 127.0.0.1 + # hostnames: + # - chart-example.local + # OpenShift only - create a route to expose the service # By default the created route will be of type passthrough route: @@ -415,7 +471,7 @@ server: # authDelegator enables a cluster role binding to be attached to the service # account. This cluster role binding can be used to setup Kubernetes auth - # method. https://www.vaultproject.io/docs/auth/kubernetes.html + # method. See https://developer.hashicorp.com/vault/docs/auth/kubernetes authDelegator: enabled: true @@ -442,18 +498,26 @@ server: extraContainers: null # shareProcessNamespace enables process namespace sharing between Vault and the extraContainers - # This is useful if Vault must be signaled, e.g. to send a SIGHUP for log rotation + # This is useful if Vault must be signaled, e.g. to send a SIGHUP for a log rotation shareProcessNamespace: false # extraArgs is a string containing additional Vault server arguments. extraArgs: "" + # extraPorts is a list of extra ports. Specified as a YAML list. + # This is useful if you need to add additional ports to the statefulset in dynamic way. + extraPorts: null + # - containerPort: 8300 + # name: http-monitoring + # Used to define custom readinessProbe settings readinessProbe: enabled: true # If you need to use a http path instead of the default exec # path: /v1/sys/health?standbyok=true + # Port number on which readinessProbe will be checked. + port: 8200 # When a probe fails, Kubernetes will try failureThreshold times before giving up failureThreshold: 2 # Number of seconds after the container has started before probe initiates 
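Review bot: `extraPorts: null` and `hostAliases: []` are both new empty-list defaults in this hunk but spell "empty" differently; unless the template distinguishes nil from an empty list, `extraPorts: []` would match `hostAliases` and the other list defaults in the file. The new `readinessProbe.port: 8200` is only correct while the `listener "tcp"` address in the server config stays on 8200, so a comment such as `# Must match the port in the listener "tcp" block of the Vault config` would help anyone who changes the listener without noticing the probe. The comment `in dynamic way` should read `in a dynamic way`.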
@@ -467,7 +531,15 @@ server: # Used to enable a livenessProbe for the pods livenessProbe: enabled: false + # Used to define a liveness exec command. If provided, exec is preferred to httpGet (path) as the livenessProbe handler. + execCommand: [] + # - /bin/sh + # - -c + # - /vault/userconfig/mylivenessscript/run.sh + # Path for the livenessProbe to use httpGet as the livenessProbe handler path: "/v1/sys/health?standbyok=true" + # Port number on which livenessProbe will be checked if httpGet is used as the livenessProbe handler + port: 8200 # When a probe fails, Kubernetes will try failureThreshold times before giving up failureThreshold: 2 # Number of seconds after the container has started before probe initiates @@ -575,6 +647,14 @@ server: # ports: # - protocol: TCP # port: 443 + ingress: + - from: + - namespaceSelector: {} + ports: + - port: 8200 + protocol: TCP + - port: 8201 + protocol: TCP # Priority class for server pods priorityClassName: "" 
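Review bot: The new `ingress` rule uses `namespaceSelector: {}` with no `podSelector`, which admits every pod in every namespace to 8200 (API) and 8201 (cluster port); with this default, enabling the policy restricts ports but not sources, and 8201 in particular only needs to be reachable from the other Vault pods. The enclosing block starts outside the hunk and appears to be the network-policy section, so "allow everything by default" may be deliberate, but the value deserves a comment saying so, e.g. `# Allows traffic from all namespaces; narrow namespaceSelector/podSelector in your values and limit 8201 to Vault peers.` Without it, a reader who enables the policy is likely to assume the server has been isolated when only the port list has.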
@@ -588,14 +668,42 @@ server: # of the annotations to apply to the server pods annotations: {} + # Add an annotation to the server configmap and the statefulset pods, + # vaultproject.io/config-checksum, that is a hash of the Vault configuration. + # This can be used together with an OnDelete deployment strategy to help + # identify which pods still need to be deleted during a deployment to pick up + # any configuration changes. + includeConfigAnnotation: false + # Enables a headless service to be used by the Vault Statefulset service: enabled: true + # Enable or disable the vault-active service, which selects Vault pods that + # have labeled themselves as the cluster leader with `vault-active: "true"`. + active: + enabled: true + # Extra annotations for the service definition. This can either be YAML or a + # YAML-formatted multi-line templated string map of the annotations to apply + # to the active service. + annotations: {} + # Enable or disable the vault-standby service, which selects Vault pods that + # have labeled themselves as a cluster follower with `vault-active: "false"`. + standby: + enabled: true + # Extra annotations for the service definition. This can either be YAML or a + # YAML-formatted multi-line templated string map of the annotations to apply + # to the standby service. + annotations: {} + # If enabled, the service selectors will include `app.kubernetes.io/instance: {{ .Release.Name }}` + # When disabled, services may select Vault pods not deployed from the chart. + # Does not affect the headless vault-internal service with `ClusterIP: None` + instanceSelector: + enabled: true # clusterIP controls whether a Cluster IP address is attached to the - # Vault service within Kubernetes. By default the Vault service will + # Vault service within Kubernetes. By default, the Vault service will # be given a Cluster IP address, set to None to disable. When disabled # Kubernetes will create a "headless" service. 
Headless services can be - # used to communicate with pods directly through DNS instead of a round robin + # used to communicate with pods directly through DNS instead of a round-robin # load balancer. # clusterIP: None @@ -603,7 +711,24 @@ server: # or NodePort. #type: ClusterIP - # Do not wait for pods to be ready + # The IP family and IP families options are to set the behaviour in a dual-stack environment. + # Omitting these values will let the service fall back to whatever the CNI dictates the defaults + # should be. + # These are only supported for kubernetes versions >=1.23.0 + # + # Configures the service's supported IP family policy, can be either: + # SingleStack: Single-stack service. The control plane allocates a cluster IP for the Service, using the first configured service cluster IP range. + # PreferDualStack: Allocates IPv4 and IPv6 cluster IPs for the Service. + # RequireDualStack: Allocates Service .spec.ClusterIPs from both IPv4 and IPv6 address ranges. + ipFamilyPolicy: "" + + # Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. + # Can be IPv4 and/or IPv6. + ipFamilies: [] + + # Do not wait for pods to be ready before including them in the services' + # targets. Does not apply to the headless service, which is used for + # cluster-internal communication. publishNotReadyAddresses: true # The externalTrafficPolicy can be set to either Cluster or Local @@ -637,11 +762,11 @@ server: # This configures the Vault Statefulset to create a PVC for data # storage when using the file or raft backend storage engines. - # See https://www.vaultproject.io/docs/configuration/storage/index.html to know more + # See https://developer.hashicorp.com/vault/docs/configuration/storage to know more dataStorage: enabled: true # Size of the PVC created - size: 1Gi + size: 10Gi # Location where the PVC will be mounted. mountPath: "/vault/data" # Name of the storage class to use. If null it will use the 
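Review bot: `size: 10Gi` changes the default data PVC size, but a StatefulSet's `volumeClaimTemplates` are immutable, so existing releases keep their 1Gi claims and, depending on how the upgrade is applied, the API server may reject the StatefulSet update; suggest `# Changing this after install does not resize existing claims (volumeClaimTemplates are immutable).` above `size`. The dual-stack comment block says the options are "only supported for kubernetes versions >=1.23.0" but does not say what the empty defaults render; if the template omits `ipFamilyPolicy`/`ipFamilies` when they are `""`/`[]`, state that so readers on older clusters know the defaults are safe. The same sixteen-line comment block is repeated verbatim under `ui` in a later hunk; a one-line pointer to this copy would be easier to keep in sync.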
@@ -651,12 +776,22 @@ server: accessMode: ReadWriteOnce # Annotations to apply to the PVC annotations: {} + # Labels to apply to the PVC + labels: {} + + # Persistent Volume Claim (PVC) retention policy + # ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention + # Example: + # persistentVolumeClaimRetentionPolicy: + # whenDeleted: Retain + # whenScaled: Retain + persistentVolumeClaimRetentionPolicy: {} # This configures the Vault Statefulset to create a PVC for audit - # logs. Once Vault is deployed, initialized and unsealed, Vault must + # logs. Once Vault is deployed, initialized, and unsealed, Vault must # be configured to use this for audit logs. This will be mounted to # /vault/audit - # See https://www.vaultproject.io/docs/audit/index.html to know more + # See https://developer.hashicorp.com/vault/docs/audit to know more auditStorage: enabled: false # Size of the PVC created @@ -670,12 +805,14 @@ server: accessMode: ReadWriteOnce # Annotations to apply to the PVC annotations: {} + # Labels to apply to the PVC + labels: {} # Run Vault in "dev" mode. This requires no further setup, no state management, # and no initialization. This is useful for experimenting with Vault without # needing to unseal, store keys, et. al. All data is lost on restart - do not # use dev mode for anything other than experimenting. - # See https://www.vaultproject.io/docs/concepts/dev-server.html to know more + # See https://developer.hashicorp.com/vault/docs/concepts/dev-server to know more dev: enabled: false 
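Review bot: The `persistentVolumeClaimRetentionPolicy` example shows only `Retain`; since `dataStorage` holds the sole copy of Vault's file/raft state and `auditStorage` the audit log, a one-line warning that `whenDeleted: Delete` or `whenScaled: Delete` removes those volumes together with the release would prevent an accidental data-loss setting, e.g. `# Delete removes Vault's data and audit volumes permanently; keep Retain unless the data is recoverable elsewhere.` The field is also only honored by API servers that support StatefulSet PVC auto-deletion and may be ignored by older ones, which is worth a sentence next to the `ref:` link.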
@@ -692,19 +829,23 @@ server: # config is a raw string of default configuration when using a Stateful # deployment. Default is to use a PersistentVolumeClaim mounted at /vault/data # and store data there. This is only used when using a Replica count of 1, and - # using a stateful set. This should be HCL. + # using a stateful set. Supported formats are HCL and JSON. # Note: Configuration files are stored in ConfigMaps so sensitive data # such as passwords should be either mounted through extraSecretEnvironmentVars - # or through a Kube secret. For more information see: - # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations - config: | + # or through a Kube secret. For more information see: + # https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations + config: |- ui = true listener "tcp" { tls_disable = 1 address = "[::]:8200" cluster_address = "[::]:8201" + # Enable unauthenticated metrics access (necessary for Prometheus Operator) + #telemetry { + # unauthenticated_metrics_access = "true" + #} } storage "file" { path = "/vault/data" 
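Review bot: The commented `unauthenticated_metrics_access = "true"` example (also added to the raft listener in a later hunk) is labelled only as "necessary for Prometheus Operator", but it makes `/v1/sys/metrics` readable without a token on a listener that already has `tls_disable = 1`, and the `serverTelemetry.serviceMonitor.authorization` value added at the end of this file is the alternative that keeps the endpoint authenticated. Suggest `# Only needed if serviceMonitor.authorization is not set; this exposes metrics to any client that can reach the listener.` in place of the current one-liner, here and in the raft block. The switch from `config: |` to `config: |-` drops the trailing newline of the rendered config, harmless for HCL but inconsistent with the `ha.raft.config` and `ha.config` blocks that keep `|`.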
@@ -720,22 +861,28 @@ server: # crypto_key = "vault-helm-unseal-key" #} - # Run Vault in "HA" mode. There are no storage requirements unless audit log + # Example configuration for enabling Prometheus metrics in your config. + #telemetry { + # prometheus_retention_time = "30s" + # disable_hostname = true + #} + + # Run Vault in "HA" mode. There are no storage requirements unless the audit log # persistence is required. In HA mode Vault will configure itself to use Consul # for its storage backend. The default configuration provided will work the Consul # Helm project by default. It is possible to manually configure Vault to use a # different HA backend. ha: - enabled: true + enabled: false replicas: 3 # Set the api_addr configuration for Vault HA - # See https://www.vaultproject.io/docs/configuration#api_addr + # See https://developer.hashicorp.com/vault/docs/configuration#api_addr # If set to null, this will be set to the Pod IP Address apiAddr: null - # Set the cluster_addr confuguration for Vault HA - # See https://www.vaultproject.io/docs/configuration#cluster_addr + # Set the cluster_addr configuration for Vault HA + # See https://developer.hashicorp.com/vault/docs/configuration#cluster_addr # If set to null, this will be set to https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201 clusterAddr: null @@ -746,14 +893,15 @@ server: raft: # Enables Raft integrated storage - enabled: true + enabled: false # Set the Node Raft ID to the name of the pod setNodeId: false # Note: Configuration files are stored in ConfigMaps so sensitive data # such as passwords should be either mounted through extraSecretEnvironmentVars # or through a Kube secret. For more information see: - # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations + # https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations + # Supported formats are HCL and JSON. config: | ui = true 
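Review bot: `ha.enabled: false` here and `raft.enabled: false` in the next hunk change the chart's default topology: the standalone path with `storage "file"` on the data PVC appears to become the default instead of an HA Raft cluster, so existing users of this fork's defaults get a different deployment on upgrade without changing any values. If that is intended, a short comment above `ha:` such as `# HA and Raft are opt-in; the default is a single standalone server with file storage.` makes it discoverable; otherwise the previous defaults belong in a values override rather than in the chart.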
@@ -761,6 +909,10 @@ server: tls_disable = 1 address = "[::]:8200" cluster_address = "[::]:8201" + # Enable unauthenticated metrics access (necessary for Prometheus Operator) + #telemetry { + # unauthenticated_metrics_access = "true" + #} } storage "raft" { @@ -771,12 +923,12 @@ server: # config is a raw string of default configuration when using a Stateful # deployment. Default is to use a Consul for its HA storage backend. - # This should be HCL. + # Supported formats are HCL and JSON. # Note: Configuration files are stored in ConfigMaps so sensitive data # such as passwords should be either mounted through extraSecretEnvironmentVars - # or through a Kube secret. For more information see: - # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations + # or through a Kube secret. For more information see: + # https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations config: | ui = true @@ -802,6 +954,14 @@ server: # crypto_key = "vault-helm-unseal-key" #} + # Example configuration for enabling Prometheus metrics. + # If you are using Prometheus Operator you can enable a ServiceMonitor resource below. + # You may wish to enable unauthenticated metrics in the listener block above. + #telemetry { + # prometheus_retention_time = "30s" + # disable_hostname = true + #} + # A disruption budget limits the number of pods of a replicated application # that are down simultaneously from voluntary disruptions disruptionBudget: 
@@ -820,10 +980,24 @@ server: # The name of the service account to use. # If not set and create is true, a name is generated using the fullname template name: "" + # Create a Secret API object to store a non-expiring token for the service account. + # Prior to v1.24.0, Kubernetes used to generate this secret for each service account by default. + # Kubernetes now recommends using short-lived tokens from the TokenRequest API or projected volumes instead if possible. + # For more details, see https://kubernetes.io/docs/concepts/configuration/secret/#service-account-token-secrets + # serviceAccount.create must be equal to 'true' in order to use this feature. + createSecret: false # Extra annotations for the serviceAccount definition. This can either be # YAML or a YAML-formatted multi-line templated string map of the # annotations to apply to the serviceAccount. annotations: {} + # Extra labels to attach to the serviceAccount + # This should be a YAML map of the labels to apply to the serviceAccount + extraLabels: {} + # Enable or disable a service account role binding with the permissions required for + # Vault's Kubernetes service_registration config option. + # See https://developer.hashicorp.com/vault/docs/configuration/service-registration/kubernetes + serviceDiscovery: + enabled: true # Settings for the statefulSet used to run Vault. statefulSet: @@ -839,16 +1013,18 @@ server: # runAsGroup: {{ .Values.server.gid | default 1000 }} # runAsUser: {{ .Values.server.uid | default 100 }} # fsGroup: {{ .Values.server.gid | default 1000 }} - # container: {} + # container: + # allowPrivilegeEscalation: false # # If not set, these will default to, and for OpenShift: # pod: {} - # container: - # allowPrivilegeEscalation: false + # container: {} securityContext: pod: {} container: {} + # Should the server pods run on the host network + hostNetwork: false # Vault UI ui: 
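Review bot: `hostNetwork: false` (and `csi.hostNetwork` in a later hunk) gets a comment that does not mention the consequence of turning it on: the pod shares the node's network namespace, so the listener is reachable on every node address and NetworkPolicy, including this chart's own ingress rule, is typically not enforced for host-network pods. Suggest `# Should the server pods run on the host network. If true, 8200/8201 are bound on the node and NetworkPolicies may not apply.` The `createSecret` comment explains why long-lived tokens are discouraged; it could add that the resulting Secret carries whatever roles are bound to the service account (the `authDelegator` binding in this chart) to anyone who can read it, which is the concrete reason to leave it `false`. The swapped securityContext example is now right for non-OpenShift, but the line `# If not set, these will default to, and for OpenShift:` is hard to parse and would read better as two labelled examples.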
@@ -866,6 +1042,21 @@ ui: externalPort: 8200 targetPort: 8200 + # The IP family and IP families options are to set the behaviour in a dual-stack environment. + # Omitting these values will let the service fall back to whatever the CNI dictates the defaults + # should be. + # These are only supported for kubernetes versions >=1.23.0 + # + # Configures the service's supported IP family, can be either: + # SingleStack: Single-stack service. The control plane allocates a cluster IP for the Service, using the first configured service cluster IP range. + # PreferDualStack: Allocates IPv4 and IPv6 cluster IPs for the Service. + # RequireDualStack: Allocates Service .spec.ClusterIPs from both IPv4 and IPv6 address ranges. + serviceIPFamilyPolicy: "" + + # Sets the families that should be supported and the order in which they should be applied to ClusterIP as well + # Can be IPv4 and/or IPv6. + serviceIPFamilies: [] + # The externalTrafficPolicy can be set to either Cluster or Local # and is only valid for LoadBalancer and NodePort service types. # The default value is Cluster. @@ -897,7 +1088,7 @@ csi: image: repository: "hashicorp/vault-csi-provider" - tag: "1.2.0" + tag: "1.5.0" pullPolicy: IfNotPresent # volumes is a list of volumes made available to all containers. These are rendered @@ -925,6 +1116,14 @@ csi: # cpu: 50m # memory: 128Mi + # Override the default secret name for the CSI Provider's HMAC key used for + # generating secret versions. + hmacSecretName: "" + + # Allow modification of the hostNetwork parameter to avoid the need of a + # dedicated pod ip + hostNetwork: false + # Settings for the daemonSet used to run the provider. daemonSet: updateStrategy: 
@@ -957,11 +1156,41 @@ csi: # in a PodSpec. tolerations: [] + # nodeSelector labels for csi pod assignment, formatted as a multi-line string or YAML map. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # Example: + # nodeSelector: + # beta.kubernetes.io/arch: amd64 + nodeSelector: {} + + # Affinity Settings + # This should be either a multi-line string or YAML matching the PodSpec's affinity field. + affinity: {} + # Extra labels to attach to the vault-csi-provider pod # This should be a YAML map of the labels to apply to the csi provider pod extraLabels: {} + agent: + enabled: true + extraArgs: [] + image: + repository: "hashicorp/vault" + tag: "1.18.1" + pullPolicy: IfNotPresent + + logFormat: standard + logLevel: info + + resources: {} + # resources: + # requests: + # memory: 256Mi + # cpu: 250m + # limits: + # memory: 256Mi + # cpu: 250m # Priority class for csi pods priorityClassName: "" 
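Review bot: The new `agent:` block has no comments at all, unlike every other section of this file: `enabled`, `extraArgs`, `image`, `logFormat` and `logLevel` appear without saying what the agent is or which container it configures. Presumably it is the Vault Agent container run alongside the CSI provider; a header such as `# agent configures the Vault Agent container the CSI provider uses (confirm against the daemonset template)` plus a one-line comment per key would match the rest of the file. `logLevel: info` here is unquoted while the csi `logLevel: "info"` in the next hunk is quoted; pick one style. `image.tag: "1.18.1"` now appears in three places in this file, which is fine but worth a note that the three are meant to move together.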
@@ -1001,10 +1230,116 @@ csi: # Number of seconds after which the probe times out. timeoutSeconds: 3 - # Enables debug logging. + # Configures the log level for the Vault CSI provider. + # Supported log levels include: trace, debug, info, warn, error, and off + logLevel: "info" + + # Deprecated, set logLevel to debug instead. + # If set to true, the logLevel will be set to debug. debug: false # Pass arbitrary additional arguments to vault-csi-provider. - # See https://www.vaultproject.io/docs/platform/k8s/csi/configurations#command-line-arguments + # See https://developer.hashicorp.com/vault/docs/platform/k8s/csi/configurations#command-line-arguments # for the available command line flags. extraArgs: [] + +# Vault is able to collect and publish various runtime metrics. +# Enabling this feature requires setting adding `telemetry{}` stanza to +# the Vault configuration. There are a few examples included in the `config` sections above. +# +# For more information see: +# https://developer.hashicorp.com/vault/docs/configuration/telemetry +# https://developer.hashicorp.com/vault/docs/internals/telemetry +serverTelemetry: + # Enable support for the Prometheus Operator. If authorization is not set for authenticating + # to Vault's metrics endpoint, the following Vault server `telemetry{}` config must be included + # in the `listener "tcp"{}` stanza + # telemetry { + # unauthenticated_metrics_access = "true" + # } + # + # See the `standalone.config` for a more complete example of this. + # + # In addition, a top level `telemetry{}` stanza must also be included in the Vault configuration: + # + # example: + # telemetry { + # prometheus_retention_time = "30s" + # disable_hostname = true + # } + # + # Configuration for monitoring the Vault server. + serviceMonitor: + # The Prometheus operator *must* be installed before enabling this feature, + # if not the chart will fail to install due to missing CustomResourceDefinitions + # provided by the operator. 
+ # + # Instructions on how to install the Helm chart can be found here: + # https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack + # More information can be found here: + # https://github.com/prometheus-operator/prometheus-operator + # https://github.com/prometheus-operator/kube-prometheus + + # Enable deployment of the Vault Server ServiceMonitor CustomResource. + enabled: false + + # Selector labels to add to the ServiceMonitor. + # When empty, defaults to: + # release: prometheus + selectors: {} + + # Interval at which Prometheus scrapes metrics + interval: 30s + + # Timeout for Prometheus scrapes + scrapeTimeout: 10s + + # tlsConfig used for scraping the Vault metrics API. + # See API reference: https://prometheus-operator.dev/docs/api-reference/api/#monitoring.coreos.com/v1.TLSConfig + # example: + # tlsConfig: + # ca: + # secret: + # name: vault-metrics-client + # key: ca.crt + tlsConfig: {} + + # authorization used for scraping the Vault metrics API. + # See API reference: https://prometheus-operator.dev/docs/api-reference/api/#monitoring.coreos.com/v1.SafeAuthorization + # example: + # authorization: + # credentials: + # name: vault-metrics-client + # key: token + authorization: {} + + prometheusRules: + # The Prometheus operator *must* be installed before enabling this feature, + # if not the chart will fail to install due to missing CustomResourceDefinitions + # provided by the operator. + + # Deploy the PrometheusRule custom resource for AlertManager based alerts. + # Requires that AlertManager is properly deployed. + enabled: false + + # Selector labels to add to the PrometheusRules. + # When empty, defaults to: + # release: prometheus + selectors: {} + + # Some example rules. + rules: [] + # - alert: vault-HighResponseTime + # annotations: + # message: The response time of Vault is over 500ms on average over the last 5 minutes. 
+ # expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500 + # for: 5m + # labels: + # severity: warning + # - alert: vault-HighResponseTime + # annotations: + # message: The response time of Vault is over 1s on average over the last 5 minutes. + # expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000 + # for: 5m + # labels: + # severity: critical
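Review bot: The `serviceMonitor` comment tells users the listener "must" allow unauthenticated metrics unless `authorization` is set, but the defaults (`authorization: {}`, `tlsConfig: {}`) leave the tokenless path as the one of least resistance even though an `authorization` example is already given; suggest adding `# Prefer authorization with a Secret holding a metrics-read token over unauthenticated_metrics_access.` above `serviceMonitor`. The intro sentence "requires setting adding `telemetry{}` stanza" should read "requires adding a `telemetry{}` stanza". In the `csi` part of this hunk the deprecated `debug: false` says "If set to true, the logLevel will be set to debug" while `logLevel: "info"` sits directly above it, so state which one wins when both are set. `interval: 30s` and `scrapeTimeout: 10s` parse as strings, but quoting them would match the other string values in the file.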