pub/vault
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

up ver vault, add bank-vavult examples

Browse Source
This commit is contained in:
Vassiliy Yegorov
2025-01-27 14:25:50 +07:00
parent a6e9e7ca09
commit 55e333f0de
66 changed files with 2429 additions and 1595 deletions
Download Patch File Download Diff File Expand all files Collapse all files

72
bank-vaults/README.md Normal file
View File

@@ -0,0 +1,72 @@
# Bank-vault (от banzai-cloud)
[почитать тут](https://bank-vaults.dev/docs/mutating-webhook/)
1. helm upgrade --install --create-namespace -n vault vault helm/vault
**Vaults webhooks**
```bash
helm upgrade --install --create-namespace --namespace vswh --wait vault-secrets-webhook oci://ghcr.io/bank-vaults/helm-charts/vault-secrets-webhook --set configMapMutation=true
kubectl kustomize https://github.com/bank-vaults/vault-operator/deploy/rbac | kubectl apply -f -
```
2. после запуска идем в первый vault-0 и инитим его (и открываем сразу)
```bash
vault operator init -key-shares=1 -key-threshold=1
vault operator unseal <key1>
vault login <key1>
```
3. настроим k8s для работы с вольтом
```bash
vault auth enable kubernetes
vault write auth/kubernetes/config \
token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
kubernetes_host="https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}" \
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
```
4. создаем политику доступа
```bash
vault policy write vault-test - <<EOF
path "kv/data/myenvs" {
capabilities = ["read"]
}
EOF
```
5. создаем роль
```bash
vault write auth/kubernetes/role/vault-test \
bound_service_account_names=vault \
bound_service_account_namespaces=vault-test,vswh \
policies=vault-test \
ttl=2h
```
```bash
vault write auth/kubernetes/role/default \
bound_service_account_names=* \
bound_service_account_namespaces=* \
policies=vault-test \
ttl=2h
```
6. импортируем секрет и запускаем деплой
создаем kv
```bash
vault secrets enable -path=kv -version=2 kv
```
создаем секрет `myenvs`, содержимое можно взять из примера keys.json
```bash
kubectl bank-vaults/vault-test.yaml
```

73
bank-vaults/vault-test.yaml Normal file
View File

@@ -0,0 +1,73 @@
apiVersion: v1
kind: Namespace
metadata:
name: vault-test
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault
namespace: vault-test
---
apiVersion: v1
kind: Secret
metadata:
name: test-key-secret
namespace: vault-test
annotations:
vault.security.banzaicloud.io/vault-addr: "http://vault.vault.svc:8200"
vault.security.banzaicloud.io/vault-skip-verify: "true"
vault.security.banzaicloud.io/vault-path: "kubernetes"
stringData:
APPLE: vault:kv/data/myenvs#APPLE
type: Opaque
---
apiVersion: v1
kind: ConfigMap
metadata:
name: test-key-configmap
namespace: vault-test
annotations:
vault.security.banzaicloud.io/vault-addr: "http://vault.vault.svc:8200"
vault.security.banzaicloud.io/vault-skip-verify: "true"
vault.security.banzaicloud.io/vault-path: "kubernetes"
data:
BANANA: vault:kv/data/myenvs#BANANA
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: vault-test
namespace: vault-test
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: vault
template:
metadata:
labels:
app.kubernetes.io/name: vault
annotations:
vault.security.banzaicloud.io/vault-addr: "http://vault.vault.svc:8200"
vault.security.banzaicloud.io/vault-role: "vault-test"
vault.security.banzaicloud.io/vault-skip-verify: "true"
vault.security.banzaicloud.io/vault-path: "kubernetes"
vault.security.banzaicloud.io/vault-env-from-path: "kv/data/myenvs"
spec:
serviceAccountName: vault
containers:
- name: alpine
image: alpine
command: ["sh", "-c", "echo $BLUEBERRY && echo going to sleep... && sleep 10000"]
env:
- name: BLUEBERRY
value: vault:kv/data/myenvs#BLUEBERRY
- name: CARROT
value: vault:kv/data/myenvs#CARROT
- name: CUCUMBER
value: vault:kv/data/myenvs#CUCUMBER

97
helm/vault/.circleci/config.yml
View File

@@ -1,97 +0,0 @@
version: 2.1
orbs:
slack: circleci/slack@3.4.2
jobs:
bats-unit-test:
docker:
# This image is built from test/docker/Test.dockerfile
- image: docker.mirror.hashicorp.services/hashicorpdev/vault-helm-test:0.2.0
steps:
- checkout
- run: bats ./test/unit -t
chart-verifier:
docker:
- image: docker.mirror.hashicorp.services/cimg/go:1.16
environment:
BATS_VERSION: "1.3.0"
CHART_VERIFIER_VERSION: "1.2.1"
steps:
- checkout
- run:
name: install chart-verifier
command: go get github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION}
- run:
name: install bats
command: |
curl -sSL https://github.com/bats-core/bats-core/archive/v${BATS_VERSION}.tar.gz -o /tmp/bats.tgz
tar -zxf /tmp/bats.tgz -C /tmp
sudo /bin/bash /tmp/bats-core-${BATS_VERSION}/install.sh /usr/local
- run:
name: run chart-verifier tests
command: bats ./test/chart -t
acceptance:
docker:
# This image is build from test/docker/Test.dockerfile
- image: docker.mirror.hashicorp.services/hashicorpdev/vault-helm-test:0.2.0
steps:
- checkout
- run:
name: terraform init & apply
command: |
echo -e "${GOOGLE_APP_CREDS}" | base64 -d > vault-helm-test.json
export GOOGLE_CREDENTIALS=vault-helm-test.json
make provision-cluster
- run:
name: Run acceptance tests
command: bats ./test/acceptance -t
- run:
name: terraform destroy
command: |
export GOOGLE_CREDENTIALS=vault-helm-test.json
make destroy-cluster
when: always
update-helm-charts-index:
docker:
- image: docker.mirror.hashicorp.services/circleci/golang:1.15.3
steps:
- checkout
- run:
name: verify Chart version matches tag version
command: |
GO111MODULE=on go get github.com/mikefarah/yq/v2
git_tag=$(echo "${CIRCLE_TAG#v}")
chart_tag=$(yq r Chart.yaml version)
if [ "${git_tag}" != "${chart_tag}" ]; then
echo "chart version (${chart_tag}) did not match git version (${git_tag})"
exit 1
fi
- run:
name: update helm-charts index
command: |
curl --show-error --silent --fail --user "${CIRCLE_TOKEN}:" \
-X POST \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d "{\"branch\": \"master\",\"parameters\":{\"SOURCE_REPO\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\",\"SOURCE_TAG\": \"${CIRCLE_TAG}\"}}" \
"${CIRCLE_ENDPOINT}/${CIRCLE_PROJECT}/pipeline"
- slack/status:
fail_only: true
failure_message: "Failed to trigger an update to the helm charts index. Check the logs at: ${CIRCLE_BUILD_URL}"
workflows:
version: 2
# Note: unit and acceptance tests are now being run in GitHub Actions
update-helm-charts-index:
jobs:
- update-helm-charts-index:
context: helm-charts-trigger-vault
filters:
tags:
only: /^v.*/
branches:
ignore: /.*/

46
helm/vault/.github/ISSUE_TEMPLATE/bug_report.md vendored
View File

@@ -1,46 +0,0 @@
---
name: Bug report
about: Let us know about a bug!
title: ''
labels: bug
assignees: ''
---
<!-- Please reserve GitHub issues for bug reports and feature requests.
For questions, the best place to get answers is on our [discussion forum](https://discuss.hashicorp.com/c/vault), as they will get more visibility from experienced users than the issue tracker.
Please note: We take Vault's security and our users' trust very seriously. If you believe you have found a security issue in Vault Helm, _please responsibly disclose_ by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com).
-->
**Describe the bug**
A clear and concise description of what the bug is.
**To Reproduce**
Steps to reproduce the behavior:
1. Install chart
2. Run vault command
3. See error (vault logs, etc.)
Other useful info to include: vault pod logs, `kubectl describe statefulset vault` and `kubectl get statefulset vault -o yaml` output
**Expected behavior**
A clear and concise description of what you expected to happen.
**Environment**
* Kubernetes version:
* Distribution or cloud vendor (OpenShift, EKS, GKE, AKS, etc.):
* Other configuration options or runtime services (istio, etc.):
* vault-helm version:
Chart values:
```yaml
# Paste your user-supplied values here (`helm get values <release>`).
# Be sure to scrub any sensitive values!
```
**Additional context**
Add any other context about the problem here.

4
helm/vault/.github/ISSUE_TEMPLATE/config.yml vendored
View File

@@ -1,4 +0,0 @@
contact_links:
- name: Ask a question
url: https://discuss.hashicorp.com/c/vault
about: For increased visibility, please post questions on the discussion forum, and tag with `k8s`

20
helm/vault/.github/ISSUE_TEMPLATE/feature_request.md vendored
View File

@@ -1,20 +0,0 @@
---
name: Feature request
about: Suggest an idea for this project
title: ''
labels: enhancement
assignees: ''
---
**Is your feature request related to a problem? Please describe.**
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
**Describe the solution you'd like**
A clear and concise description of what you want to happen.
**Describe alternatives you've considered**
A clear and concise description of any alternative solutions or features you've considered.
**Additional context**
Add any other context or screenshots about the feature request here.

34
helm/vault/.github/workflows/acceptance.yaml vendored
View File

@@ -1,34 +0,0 @@
name: Acceptance Tests
on:
push:
branches:
- main
workflow_dispatch: {}
jobs:
kind:
strategy:
fail-fast: false
matrix:
kind-k8s-version: [1.14.10, 1.19.11, 1.20.7, 1.21.2, 1.22.4]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Setup test tools
uses: ./.github/workflows/setup-test-tools
- name: Create K8s Kind Cluster
uses: helm/kind-action@v1.2.0
with:
config: test/kind/config.yaml
node_image: kindest/node:v${{ matrix.kind-k8s-version }}
# Skip CSI tests if K8s version < 1.16.x
- run: echo K8S_MINOR=$(kubectl version -o json | jq -r .serverVersion.minor) >> $GITHUB_ENV
- if: ${{ env.K8S_MINOR < 16 }}
run: echo "SKIP_CSI=true" >> $GITHUB_ENV
- run: bats ./test/acceptance -t
env:
VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }}

72
helm/vault/.github/workflows/jira.yaml vendored
View File

@@ -1,72 +0,0 @@
on:
issues:
types: [opened, closed, deleted, reopened]
pull_request_target:
types: [opened, closed, reopened]
issue_comment: # Also triggers when commenting on a PR from the conversation view
types: [created]
name: Jira Sync
jobs:
sync:
runs-on: ubuntu-latest
name: Jira sync
steps:
- name: Login
uses: atlassian/gajira-login@v2.0.0
env:
JIRA_BASE_URL: ${{ secrets.JIRA_SYNC_BASE_URL }}
JIRA_USER_EMAIL: ${{ secrets.JIRA_SYNC_USER_EMAIL }}
JIRA_API_TOKEN: ${{ secrets.JIRA_SYNC_API_TOKEN }}
- name: Preprocess
if: github.event.action == 'opened' || github.event.action == 'created'
id: preprocess
run: |
if [[ "${{ github.event_name }}" == "pull_request_target" ]]; then
echo "::set-output name=type::PR"
else
echo "::set-output name=type::ISS"
fi
- name: Create ticket
if: github.event.action == 'opened'
uses: tomhjp/gh-action-jira-create@v0.2.0
with:
project: VAULT
issuetype: "GH Issue"
summary: "${{ github.event.repository.name }} [${{ steps.preprocess.outputs.type }} #${{ github.event.issue.number || github.event.pull_request.number }}]: ${{ github.event.issue.title || github.event.pull_request.title }}"
description: "${{ github.event.issue.body || github.event.pull_request.body }}\n\n_Created from GitHub Action for ${{ github.event.issue.html_url || github.event.pull_request.html_url }} from ${{ github.actor }}_"
# customfield_10089 is Issue Link custom field
# customfield_10091 is team custom field
extraFields: '{"fixVersions": [{"name": "TBD"}], "customfield_10091": ["ecosystem", "runtime"], "customfield_10089": "${{ github.event.issue.html_url || github.event.pull_request.html_url }}"}'
- name: Search
if: github.event.action != 'opened'
id: search
uses: tomhjp/gh-action-jira-search@v0.2.1
with:
# cf[10089] is Issue Link custom field
jql: 'project = "VAULT" and cf[10089]="${{ github.event.issue.html_url || github.event.pull_request.html_url }}"'
- name: Sync comment
if: github.event.action == 'created' && steps.search.outputs.issue
uses: tomhjp/gh-action-jira-comment@v0.2.0
with:
issue: ${{ steps.search.outputs.issue }}
comment: "${{ github.actor }} ${{ github.event.review.state || 'commented' }}:\n\n${{ github.event.comment.body || github.event.review.body }}\n\n${{ github.event.comment.html_url || github.event.review.html_url }}"
- name: Close ticket
if: (github.event.action == 'closed' || github.event.action == 'deleted') && steps.search.outputs.issue
uses: atlassian/gajira-transition@v2.0.1
with:
issue: ${{ steps.search.outputs.issue }}
transition: Close
- name: Reopen ticket
if: github.event.action == 'reopened' && steps.search.outputs.issue
uses: atlassian/gajira-transition@v2.0.1
with:
issue: ${{ steps.search.outputs.issue }}
transition: "Pending Triage"

18
helm/vault/.github/workflows/setup-test-tools/action.yaml vendored
View File

@@ -1,18 +0,0 @@
name: Setup common testing tools
description: Install bats and python-yq
runs:
using: "composite"
steps:
- uses: actions/setup-node@v2
with:
node-version: '14'
- run: npm install -g bats@${BATS_VERSION}
shell: bash
env:
BATS_VERSION: '1.5.0'
- run: bats -v
shell: bash
- uses: actions/setup-python@v2
- run: pip install yq
shell: bash

25
helm/vault/.github/workflows/tests.yaml vendored
View File

@@ -1,25 +0,0 @@
name: Tests
on: [push, workflow_dispatch]
jobs:
bats-unit-tests:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: ./.github/workflows/setup-test-tools
- run: bats ./test/unit -t
chart-verifier:
runs-on: ubuntu-latest
env:
CHART_VERIFIER_VERSION: '1.2.1'
steps:
- uses: actions/checkout@v2
- name: Setup test tools
uses: ./.github/workflows/setup-test-tools
- uses: actions/setup-go@v2
with:
go-version: '1.17.4'
- run: go install github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION}
- run: bats ./test/chart -t

13
helm/vault/.gitignore vendored
View File

@@ -1,13 +0,0 @@
.DS_Store
.terraform/
.terraform.tfstate*
terraform.tfstate*
terraform.tfvars
values.dev.yaml
vaul-helm-dev-creds.json
./test/acceptance/vaul-helm-dev-creds.json
./test/terraform/vaul-helm-dev-creds.json
./test/unit/vaul-helm-dev-creds.json
./test/acceptance/values.yaml
./test/acceptance/values.yml
.idea

27
helm/vault/.helmignore
View File

@@ -1,4 +1,29 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.terraform/
bin/
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
# CI and test
.circleci/
.github/
.gitlab-ci.yml
test/
scratch/

218
helm/vault/CHANGELOG.md
View File

@@ -1,5 +1,223 @@
## Unreleased
## 0.29.1 (November 20, 2024)
Bugs:
* server: restore support for templated config [GH-1073](https://github.com/hashicorp/vault-helm/pull/1073)
## 0.29.0 (November 7, 2024)
KNOWN ISSUES:
* Template support in server config stopped working [GH-1072](https://github.com/hashicorp/vault-helm/issues/1072)
Changes:
* Default `vault` version updated to 1.18.1
* Default `vault-k8s` version updated to 1.5.0
* Default `vault-csi-provider` version updated to 1.5.0
* Tested with Kubernetes versions 1.27-1.31
Features:
* csi: Allow modification of the hostNetwork parameter on the DaemonSet [GH-1046](https://github.com/hashicorp/vault-helm/pull/1046)
Bugs:
* Properly handle JSON formatted server config [GH-1049](https://github.com/hashicorp/vault-helm/pull/1049)
## 0.28.1 (July 11, 2024)
Changes:
* Default `vault` version updated to 1.17.2
* Default `vault-k8s` version updated to 1.4.2
* Default `vault-csi-provider` version updated to 1.4.3
* Tested with Kubernetes versions 1.26-1.30
Improvements:
* Configurable `tlsConfig` and `authorization` for Prometheus ServiceMonitor [GH-1025](https://github.com/hashicorp/vault-helm/pull/1025)
* Remove UPDATE from injector-mutating-webhook [GH-783](https://github.com/hashicorp/vault-helm/pull/783)
* Add scope to mutating webhook [GH-1037](https://github.com/hashicorp/vault-helm/pull/1037)
## 0.28.0 (April 8, 2024)
Changes:
* Default `vault` version updated to 1.16.1
* Default `vault-k8s` version updated to 1.4.1
* Default `vault-csi-provider` version updated to 1.4.2
* Tested with Kubernetes versions 1.25-1.29
Features:
* server: Add annotation on config change [GH-1001](https://github.com/hashicorp/vault-helm/pull/1001)
Bugs:
* injector: add missing `get` `nodes` permission to ClusterRole [GH-1005](https://github.com/hashicorp/vault-helm/pull/1005)
## 0.27.0 (November 16, 2023)
Changes:
* Default `vault` version updated to 1.15.2
Features:
* server: Support setting `persistentVolumeClaimRetentionPolicy` on the StatefulSet [GH-965](https://github.com/hashicorp/vault-helm/pull/965)
* server: Support setting labels on PVCs [GH-969](https://github.com/hashicorp/vault-helm/pull/969)
* server: Support setting ingress rules for networkPolicy [GH-877](https://github.com/hashicorp/vault-helm/pull/877)
Improvements:
* Support exec in the server liveness probe [GH-971](https://github.com/hashicorp/vault-helm/pull/971)
## 0.26.1 (October 30, 2023)
Bugs:
* Fix templating of `server.ha.replicas` when set via override file. The `0.26.0` chart would ignore `server.ha.replicas` and always deploy 3 server replicas when `server.ha.enabled=true` unless overridden by command line when issuing the helm command: `--set server.ha.replicas=<some_number>`. Fixed in [GH-961](https://github.com/hashicorp/vault-helm/pull/961)
## 0.26.0 (October 27, 2023)
Changes:
* Default `vault` version updated to 1.15.1
* Default `vault-k8s` version updated to 1.3.1
* Default `vault-csi-provider` version updated to 1.4.1
* Tested with Kubernetes versions 1.24-1.28
* server: OpenShift default readiness probe returns 204 when uninitialized [GH-966](https://github.com/hashicorp/vault-helm/pull/966)
Features:
* server: Add support for dual stack clusters [GH-833](https://github.com/hashicorp/vault-helm/pull/833)
* server: Support `hostAliases` for the StatefulSet pods [GH-955](https://github.com/hashicorp/vault-helm/pull/955)
* server: Add `server.service.active.annotations` and `server.service.standby.annotations` [GH-896](https://github.com/hashicorp/vault-helm/pull/896)
* server: Add long-lived service account token option [GH-923](https://github.com/hashicorp/vault-helm/pull/923)
Bugs:
* csi: Add namespace field to `csi-role` and `csi-rolebindings`. [GH-909](https://github.com/hashicorp/vault-helm/pull/909)
Improvements:
* global: Add `global.namespace` to override the helm installation namespace. [GH-909](https://github.com/hashicorp/vault-helm/pull/909)
* server: use vault.fullname in Helm test [GH-912](https://github.com/hashicorp/vault-helm/pull/912)
* server: Allow scaling HA replicas to zero [GH-943](https://github.com/hashicorp/vault-helm/pull/943)
## 0.25.0 (June 26, 2023)
Changes:
* Latest Kubernetes version tested is now 1.27
* server: Headless service ignores `server.service.publishNotReadyAddresses` setting and always sets it as `true` [GH-902](https://github.com/hashicorp/vault-helm/pull/902)
* `vault` updated to 1.14.0 [GH-916](https://github.com/hashicorp/vault-helm/pull/916)
* `vault-csi-provider` updated to 1.4.0 [GH-916](https://github.com/hashicorp/vault-helm/pull/916)
Improvements:
* CSI: Make `nodeSelector` and `affinity` configurable for CSI daemonset's pods [GH-862](https://github.com/hashicorp/vault-helm/pull/862)
* injector: Add `ephemeralLimit` and `ephemeralRequest` as options for configuring Agent's ephemeral storage resources [GH-798](https://github.com/hashicorp/vault-helm/pull/798)
* Minimum kubernetes version for chart reverted to 1.20.0 to allow installation on clusters older than the oldest tested version [GH-916](https://github.com/hashicorp/vault-helm/pull/916)
Bugs:
* server: Set the default for `prometheusRules.rules` to an empty list [GH-886](https://github.com/hashicorp/vault-helm/pull/886)
## 0.24.1 (April 17, 2023)
Bugs:
* csi: Add RBAC required by v1.3.0 to create secret for HMAC key used to generate secret versions [GH-872](https://github.com/hashicorp/vault-helm/pull/872)
## 0.24.0 (April 6, 2023)
Changes:
* Earliest Kubernetes version tested is now 1.22
* `vault` updated to 1.13.1 [GH-863](https://github.com/hashicorp/vault-helm/pull/863)
* `vault-k8s` updated to 1.2.1 [GH-868](https://github.com/hashicorp/vault-helm/pull/868)
* `vault-csi-provider` updated to 1.3.0 [GH-749](https://github.com/hashicorp/vault-helm/pull/749)
Features:
* server: New `extraPorts` option for adding ports to the Vault server statefulset [GH-841](https://github.com/hashicorp/vault-helm/pull/841)
* server: Add configurable Port Number in readinessProbe and livenessProbe for the server-statefulset [GH-831](https://github.com/hashicorp/vault-helm/pull/831)
* injector: Make livenessProbe and readinessProbe configurable and add configurable startupProbe [GH-852](https://github.com/hashicorp/vault-helm/pull/852)
* csi: Add an Agent sidecar to Vault CSI Provider pods to provide lease caching and renewals [GH-749](https://github.com/hashicorp/vault-helm/pull/749)
## 0.23.0 (November 28th, 2022)
Changes:
* `vault` updated to 1.12.1 [GH-814](https://github.com/hashicorp/vault-helm/pull/814)
* `vault-k8s` updated to 1.1.0 [GH-814](https://github.com/hashicorp/vault-helm/pull/814)
* `vault-csi-provider` updated to 1.2.1 [GH-814](https://github.com/hashicorp/vault-helm/pull/814)
Features:
* server: Add `extraLabels` for Vault server serviceAccount [GH-806](https://github.com/hashicorp/vault-helm/pull/806)
* server: Add `server.service.active.enabled` and `server.service.standby.enabled` options to selectively disable additional services [GH-811](https://github.com/hashicorp/vault-helm/pull/811)
* server: Add `server.serviceAccount.serviceDiscovery.enabled` option to selectively disable a Vault service discovery role and role binding [GH-811](https://github.com/hashicorp/vault-helm/pull/811)
* server: Add `server.service.instanceSelector.enabled` option to allow selecting pods outside the helm chart deployment [GH-813](https://github.com/hashicorp/vault-helm/pull/813)
Bugs:
* server: Quote `.server.ha.clusterAddr` value [GH-810](https://github.com/hashicorp/vault-helm/pull/810)
## 0.22.1 (October 26th, 2022)
Changes:
* `vault` updated to 1.12.0 [GH-803](https://github.com/hashicorp/vault-helm/pull/803)
* `vault-k8s` updated to 1.0.1 [GH-803](https://github.com/hashicorp/vault-helm/pull/803)
## 0.22.0 (September 8th, 2022)
Features:
* Add PrometheusOperator support for collecting Vault server metrics. [GH-772](https://github.com/hashicorp/vault-helm/pull/772)
Changes:
* `vault-k8s` to 1.0.0 [GH-784](https://github.com/hashicorp/vault-helm/pull/784)
* Test against Kubernetes 1.25 [GH-784](https://github.com/hashicorp/vault-helm/pull/784)
* `vault` updated to 1.11.3 [GH-785](https://github.com/hashicorp/vault-helm/pull/785)
## 0.21.0 (August 10th, 2022)
CHANGES:
* `vault-k8s` updated to 0.17.0. [GH-771](https://github.com/hashicorp/vault-helm/pull/771)
* `vault-csi-provider` updated to 1.2.0 [GH-771](https://github.com/hashicorp/vault-helm/pull/771)
* `vault` updated to 1.11.2 [GH-771](https://github.com/hashicorp/vault-helm/pull/771)
* Start testing against Kubernetes 1.24. [GH-744](https://github.com/hashicorp/vault-helm/pull/744)
* Deprecated `injector.externalVaultAddr`. Added `global.externalVaultAddr`, which applies to both the Injector and the CSI Provider. [GH-745](https://github.com/hashicorp/vault-helm/pull/745)
* CSI Provider pods now set the `VAULT_ADDR` environment variable to either the internal Vault service or the configured external address. [GH-745](https://github.com/hashicorp/vault-helm/pull/745)
Features:
* server: Add `server.statefulSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767)
* csi: Add `csi.daemonSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767)
* injector: Add `injector.securityContext` to override pod and container `securityContext`. [GH-750](https://github.com/hashicorp/vault-helm/pull/750) and [GH-767](https://github.com/hashicorp/vault-helm/pull/767)
* Add `server.service.activeNodePort` and `server.service.standbyNodePort` to specify the `nodePort` for active and standby services. [GH-610](https://github.com/hashicorp/vault-helm/pull/610)
* Support for setting annotations on the injector's serviceAccount [GH-753](https://github.com/hashicorp/vault-helm/pull/753)
## 0.20.1 (May 25th, 2022)
CHANGES:
* `vault-k8s` updated to 0.16.1 [GH-739](https://github.com/hashicorp/vault-helm/pull/739)
Improvements:
* Mutating webhook will no longer target the agent injector pod [GH-736](https://github.com/hashicorp/vault-helm/pull/736)
Bugs:
* `vault` service account is now created even if the server is set to disabled, as per before 0.20.0 [GH-737](https://github.com/hashicorp/vault-helm/pull/737)
## 0.20.0 (May 16th, 2022)
CHANGES:
* `global.enabled` now works as documented, that is, setting `global.enabled` to false will disable everything, with individual components able to be turned on individually [GH-703](https://github.com/hashicorp/vault-helm/pull/703)
* Default value of `-` used for injector and server to indicate that they follow `global.enabled`. [GH-703](https://github.com/hashicorp/vault-helm/pull/703)
* Vault default image to 1.10.3
* CSI provider default image to 1.1.0
* Vault K8s default image to 0.16.0
* Earliest Kubernetes version tested is now 1.16
* Helm 3.6+ now required
Features:
* Support topologySpreadConstraints in server and injector. [GH-652](https://github.com/hashicorp/vault-helm/pull/652)
Improvements:
* CSI: Set `extraLabels` for daemonset, pods, and service account [GH-690](https://github.com/hashicorp/vault-helm/pull/690)
* Add namespace to injector-leader-elector role, rolebinding and secret [GH-683](https://github.com/hashicorp/vault-helm/pull/683)
* Support policy/v1 PodDisruptionBudget in Kubernetes 1.21+ for server and injector [GH-710](https://github.com/hashicorp/vault-helm/pull/710)
* Make the Cluster Address (CLUSTER_ADDR) configurable [GH-629](https://github.com/hashicorp/vault-helm/pull/709)
* server: Make `publishNotReadyAddresses` configurable for services [GH-694](https://github.com/hashicorp/vault-helm/pull/694)
* server: Allow config to be defined as a YAML object in the values file [GH-684](https://github.com/hashicorp/vault-helm/pull/684)
* Maintain default MutatingWebhookConfiguration values from `v1beta1` [GH-692](https://github.com/hashicorp/vault-helm/pull/692)
## 0.19.0 (January 20th, 2022)
CHANGES:

1
helm/vault/CODEOWNERS Normal file
View File

@@ -0,0 +1 @@
* @hashicorp/vault-ecosystem

8
helm/vault/Chart.yaml
View File

@@ -1,5 +1,7 @@
annotations:
charts.openshift.io/name: HashiCorp Vault
apiVersion: v2
appVersion: 1.9.2
appVersion: 1.18.1
description: Official HashiCorp Vault Chart
home: https://www.vaultproject.io
icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png
@@ -11,11 +13,11 @@ keywords:
- management
- automation
- infrastructure
kubeVersion: '>= 1.14.0-0'
kubeVersion: '>= 1.20.0-0'
name: vault
sources:
- https://github.com/hashicorp/vault
- https://github.com/hashicorp/vault-helm
- https://github.com/hashicorp/vault-k8s
- https://github.com/hashicorp/vault-csi-provider
version: 0.19.0
version: 0.29.1

2
helm/vault/LICENSE.md → helm/vault/LICENSE
View File

@@ -1,3 +1,5 @@
Copyright (c) 2018 HashiCorp, Inc.
Mozilla Public License, version 2.0
1. Definitions

4
helm/vault/Makefile
View File

@@ -14,7 +14,7 @@ LOCAL_ACCEPTANCE_TESTS?=false
KIND_CLUSTER_NAME?=vault-helm
# kind k8s version
KIND_K8S_VERSION?=v1.20.2
KIND_K8S_VERSION?=v1.31.2
# Generate json schema for chart values. See test/README.md for more details.
values-schema:
@@ -71,7 +71,7 @@ acceptance:
ifneq ($(LOCAL_ACCEPTANCE_TESTS),true)
gcloud auth activate-service-account --key-file=${GOOGLE_CREDENTIALS}
endif
bats test/${ACCEPTANCE_TESTS}
bats --tap --timing test/${ACCEPTANCE_TESTS}
# this target is for provisioning the GKE cluster
# it is run in the docker container above when the test-provision target is invoked

2
helm/vault/templates/NOTES.txt
View File

@@ -4,7 +4,7 @@ Thank you for installing HashiCorp Vault!
Now that you have deployed Vault, you should look over the docs on using
Vault with Kubernetes available here:
https://www.vaultproject.io/docs/
https://developer.hashicorp.com/vault/docs
Your release is named {{ .Release.Name }}. To learn more about the release, try:

441
helm/vault/templates/_helpers.tpl
View File

@@ -1,3 +1,8 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to
@@ -31,6 +36,94 @@ Expand the name of the chart.
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Allow the release namespace to be overridden
*/}}
{{- define "vault.namespace" -}}
{{- default .Release.Namespace .Values.global.namespace -}}
{{- end -}}
{{/*
Compute if the csi driver is enabled.
*/}}
{{- define "vault.csiEnabled" -}}
{{- $_ := set . "csiEnabled" (or
(eq (.Values.csi.enabled | toString) "true")
(and (eq (.Values.csi.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
{{- end -}}
{{/*
Compute if the injector is enabled.
*/}}
{{- define "vault.injectorEnabled" -}}
{{- $_ := set . "injectorEnabled" (or
(eq (.Values.injector.enabled | toString) "true")
(and (eq (.Values.injector.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
{{- end -}}
{{/*
Compute if the server is enabled.
*/}}
{{- define "vault.serverEnabled" -}}
{{- $_ := set . "serverEnabled" (or
(eq (.Values.server.enabled | toString) "true")
(and (eq (.Values.server.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
{{- end -}}
{{/*
Compute if the server serviceaccount is enabled.
*/}}
{{- define "vault.serverServiceAccountEnabled" -}}
{{- $_ := set . "serverServiceAccountEnabled"
(and
(eq (.Values.server.serviceAccount.create | toString) "true" )
(or
(eq (.Values.server.enabled | toString) "true")
(eq (.Values.global.enabled | toString) "true"))) -}}
{{- end -}}
{{/*
Compute if the server serviceaccount should have a token created and mounted to the serviceaccount.
*/}}
{{- define "vault.serverServiceAccountSecretCreationEnabled" -}}
{{- $_ := set . "serverServiceAccountSecretCreationEnabled"
(and
(eq (.Values.server.serviceAccount.create | toString) "true")
(eq (.Values.server.serviceAccount.createSecret | toString) "true")) -}}
{{- end -}}
{{/*
Compute if the server auth delegator serviceaccount is enabled.
*/}}
{{- define "vault.serverAuthDelegator" -}}
{{- $_ := set . "serverAuthDelegator"
(and
(eq (.Values.server.authDelegator.enabled | toString) "true" )
(or (eq (.Values.server.serviceAccount.create | toString) "true")
(not (eq .Values.server.serviceAccount.name "")))
(or
(eq (.Values.server.enabled | toString) "true")
(eq (.Values.global.enabled | toString) "true"))) -}}
{{- end -}}
{{/*
Compute if the server service is enabled.
*/}}
{{- define "vault.serverServiceEnabled" -}}
{{- template "vault.serverEnabled" . -}}
{{- $_ := set . "serverServiceEnabled" (and .serverEnabled (eq (.Values.server.service.enabled | toString) "true")) -}}
{{- end -}}
{{/*
Compute if the ui is enabled.
*/}}
{{- define "vault.uiEnabled" -}}
{{- $_ := set . "uiEnabled" (or
(eq (.Values.ui.enabled | toString) "true")
(and (eq (.Values.ui.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
{{- end -}}
{{/*
Compute the maximum number of unavailable replicas for the PodDisruptionBudget.
This defaults to (n/2)-1 where n is the number of members of the server cluster.
@@ -51,9 +144,10 @@ Set the variable 'mode' to the server mode requested by the user to simplify
template logic.
*/}}
{{- define "vault.mode" -}}
{{- if .Values.injector.externalVaultAddr -}}
{{- template "vault.serverEnabled" . -}}
{{- if or (.Values.injector.externalVaultAddr) (.Values.global.externalVaultAddr) -}}
{{- $_ := set . "mode" "external" -}}
{{- else if ne (.Values.server.enabled | toString) "true" -}}
{{- else if not .serverEnabled -}}
{{- $_ := set . "mode" "external" -}}
{{- else if eq (.Values.server.dev.enabled | toString) "true" -}}
{{- $_ := set . "mode" "dev" -}}
@@ -73,7 +167,11 @@ Set's the replica count based on the different modes configured by user
{{ if eq .mode "standalone" }}
{{- default 1 -}}
{{ else if eq .mode "ha" }}
{{- .Values.server.ha.replicas | default 3 -}}
{{- if or (kindIs "int64" .Values.server.ha.replicas) (kindIs "float64" .Values.server.ha.replicas) -}}
{{- .Values.server.ha.replicas -}}
{{ else }}
{{- 3 -}}
{{- end -}}
{{ else }}
{{- default 1 -}}
{{ end }}
@@ -85,7 +183,7 @@ defined a custom configuration. Additionally iterates over any
extra volumes the user may have specified (such as a secret with TLS).
*/}}
{{- define "vault.volumes" -}}
{{- if and (ne .mode "dev") (or (.Values.server.standalone.config) (.Values.server.ha.config)) }}
{{- if and (ne .mode "dev") (or (.Values.server.standalone.config) (.Values.server.ha.config) (.Values.server.ha.raft.config)) }}
- name: config
configMap:
name: {{ template "vault.fullname" . }}-config
@@ -188,9 +286,12 @@ storage might be desired by the user.
{{- if and (ne .mode "dev") (or .Values.server.dataStorage.enabled .Values.server.auditStorage.enabled) }}
volumeClaimTemplates:
{{- if and (eq (.Values.server.dataStorage.enabled | toString) "true") (or (eq .mode "standalone") (eq (.Values.server.ha.raft.enabled | toString ) "true" )) }}
- metadata:
- apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: data
{{- include "vault.dataVolumeClaim.annotations" . | nindent 6 }}
{{- include "vault.dataVolumeClaim.labels" . | nindent 6 }}
spec:
accessModes:
- {{ .Values.server.dataStorage.accessMode | default "ReadWriteOnce" }}
@@ -202,9 +303,12 @@ storage might be desired by the user.
{{- end }}
{{ end }}
{{- if eq (.Values.server.auditStorage.enabled | toString) "true" }}
- metadata:
- apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: audit
{{- include "vault.auditVolumeClaim.annotations" . | nindent 6 }}
{{- include "vault.auditVolumeClaim.labels" . | nindent 6 }}
spec:
accessModes:
- {{ .Values.server.auditStorage.accessMode | default "ReadWriteOnce" }}
@@ -248,6 +352,37 @@ Sets the injector affinity for pod placement
{{ end }}
{{- end -}}
{{/*
Sets the topologySpreadConstraints when running in standalone and HA modes.
*/}}
{{- define "vault.topologySpreadConstraints" -}}
{{- if and (ne .mode "dev") .Values.server.topologySpreadConstraints }}
topologySpreadConstraints:
{{ $tp := typeOf .Values.server.topologySpreadConstraints }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.topologySpreadConstraints . | nindent 8 | trim }}
{{- else }}
{{- toYaml .Values.server.topologySpreadConstraints | nindent 8 }}
{{- end }}
{{ end }}
{{- end -}}
{{/*
Sets the injector topologySpreadConstraints for pod placement
*/}}
{{- define "injector.topologySpreadConstraints" -}}
{{- if .Values.injector.topologySpreadConstraints }}
topologySpreadConstraints:
{{ $tp := typeOf .Values.injector.topologySpreadConstraints }}
{{- if eq $tp "string" }}
{{- tpl .Values.injector.topologySpreadConstraints . | nindent 8 | trim }}
{{- else }}
{{- toYaml .Values.injector.topologySpreadConstraints | nindent 8 }}
{{- end }}
{{ end }}
{{- end -}}
{{/*
Sets the toleration for pod placement when running in standalone and HA modes.
*/}}
@@ -326,9 +461,12 @@ Sets the injector deployment update strategy
{{/*
Sets extra pod annotations
*/}}
{{- define "vault.annotations" -}}
{{- if .Values.server.annotations }}
{{- define "vault.annotations" }}
annotations:
{{- if .Values.server.includeConfigAnnotation }}
vault.hashicorp.com/config-checksum: {{ include "vault.config" . | sha256sum }}
{{- end }}
{{- if .Values.server.annotations }}
{{- $tp := typeOf .Values.server.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.annotations . | nindent 8 }}
@@ -369,20 +507,133 @@ Sets extra injector service annotations
{{- end -}}
{{/*
Sets extra injector webhook annotations
securityContext for the injector pod level.
*/}}
{{- define "injector.webhookAnnotations" -}}
{{- if .Values.injector.webhookAnnotations }}
annotations:
{{- $tp := typeOf .Values.injector.webhookAnnotations }}
{{- define "injector.securityContext.pod" -}}
{{- if .Values.injector.securityContext.pod }}
securityContext:
{{- $tp := typeOf .Values.injector.securityContext.pod }}
{{- if eq $tp "string" }}
{{- tpl .Values.injector.webhookAnnotations . | nindent 4 }}
{{- tpl .Values.injector.securityContext.pod . | nindent 8 }}
{{- else }}
{{- toYaml .Values.injector.webhookAnnotations | nindent 4 }}
{{- toYaml .Values.injector.securityContext.pod | nindent 8 }}
{{- end }}
{{- else if not .Values.global.openshift }}
securityContext:
runAsNonRoot: true
runAsGroup: {{ .Values.injector.gid | default 1000 }}
runAsUser: {{ .Values.injector.uid | default 100 }}
fsGroup: {{ .Values.injector.gid | default 1000 }}
{{- end }}
{{- end -}}
{{/*
securityContext for the injector container level.
*/}}
{{- define "injector.securityContext.container" -}}
{{- if .Values.injector.securityContext.container}}
securityContext:
{{- $tp := typeOf .Values.injector.securityContext.container }}
{{- if eq $tp "string" }}
{{- tpl .Values.injector.securityContext.container . | nindent 12 }}
{{- else }}
{{- toYaml .Values.injector.securityContext.container | nindent 12 }}
{{- end }}
{{- else if not .Values.global.openshift }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
{{- end }}
{{- end -}}
{{/*
securityContext for the statefulset pod template.
*/}}
{{- define "server.statefulSet.securityContext.pod" -}}
{{- if .Values.server.statefulSet.securityContext.pod }}
securityContext:
{{- $tp := typeOf .Values.server.statefulSet.securityContext.pod }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.statefulSet.securityContext.pod . | nindent 8 }}
{{- else }}
{{- toYaml .Values.server.statefulSet.securityContext.pod | nindent 8 }}
{{- end }}
{{- else if not .Values.global.openshift }}
securityContext:
runAsNonRoot: true
runAsGroup: {{ .Values.server.gid | default 1000 }}
runAsUser: {{ .Values.server.uid | default 100 }}
fsGroup: {{ .Values.server.gid | default 1000 }}
{{- end }}
{{- end -}}
{{/*
securityContext for the statefulset vault container
*/}}
{{- define "server.statefulSet.securityContext.container" -}}
{{- if .Values.server.statefulSet.securityContext.container }}
securityContext:
{{- $tp := typeOf .Values.server.statefulSet.securityContext.container }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.statefulSet.securityContext.container . | nindent 12 }}
{{- else }}
{{- toYaml .Values.server.statefulSet.securityContext.container | nindent 12 }}
{{- end }}
{{- else if not .Values.global.openshift }}
securityContext:
allowPrivilegeEscalation: false
{{- end }}
{{- end -}}
{{/*
Sets extra injector service account annotations
*/}}
{{- define "injector.serviceAccount.annotations" -}}
{{- if and (ne .mode "dev") .Values.injector.serviceAccount.annotations }}
annotations:
{{- $tp := typeOf .Values.injector.serviceAccount.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.injector.serviceAccount.annotations . | nindent 4 }}
{{- else }}
{{- toYaml .Values.injector.serviceAccount.annotations | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets extra injector webhook annotations
*/}}
{{- define "injector.webhookAnnotations" -}}
{{- if or (((.Values.injector.webhook)).annotations) (.Values.injector.webhookAnnotations) }}
annotations:
{{- $tp := typeOf (or (((.Values.injector.webhook)).annotations) (.Values.injector.webhookAnnotations)) }}
{{- if eq $tp "string" }}
{{- tpl (((.Values.injector.webhook)).annotations | default .Values.injector.webhookAnnotations) . | nindent 4 }}
{{- else }}
{{- toYaml (((.Values.injector.webhook)).annotations | default .Values.injector.webhookAnnotations) | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Set's the injector webhook objectSelector
*/}}
{{- define "injector.objectSelector" -}}
{{- $v := or (((.Values.injector.webhook)).objectSelector) (.Values.injector.objectSelector) -}}
{{ if $v }}
objectSelector:
{{- $tp := typeOf $v -}}
{{ if eq $tp "string" }}
{{ tpl $v . | indent 6 | trim }}
{{ else }}
{{ toYaml $v | indent 6 | trim }}
{{ end }}
{{ end }}
{{ end }}
{{/*
Sets extra ui service annotations
*/}}
@@ -468,6 +719,33 @@ Sets extra vault server Service annotations
{{- end }}
{{- end -}}
{{/*
Sets extra vault server Service (active) annotations
*/}}
{{- define "vault.service.active.annotations" -}}
{{- if .Values.server.service.active.annotations }}
{{- $tp := typeOf .Values.server.service.active.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.service.active.annotations . | nindent 4 }}
{{- else }}
{{- toYaml .Values.server.service.active.annotations | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets extra vault server Service annotations
*/}}
{{- define "vault.service.standby.annotations" -}}
{{- if .Values.server.service.standby.annotations }}
{{- $tp := typeOf .Values.server.service.standby.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.service.standby.annotations . | nindent 4 }}
{{- else }}
{{- toYaml .Values.server.service.standby.annotations | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets PodSecurityPolicy annotations
*/}}
@@ -513,6 +791,21 @@ Sets VolumeClaim annotations for data volume
{{- end }}
{{- end -}}
{{/*
Sets VolumeClaim labels for data volume
*/}}
{{- define "vault.dataVolumeClaim.labels" -}}
{{- if and (ne .mode "dev") (.Values.server.dataStorage.enabled) (.Values.server.dataStorage.labels) }}
labels:
{{- $tp := typeOf .Values.server.dataStorage.labels }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.dataStorage.labels . | nindent 4 }}
{{- else }}
{{- toYaml .Values.server.dataStorage.labels | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets VolumeClaim annotations for audit volume
*/}}
@@ -528,6 +821,21 @@ Sets VolumeClaim annotations for audit volume
{{- end }}
{{- end -}}
{{/*
Sets VolumeClaim labels for audit volume
*/}}
{{- define "vault.auditVolumeClaim.labels" -}}
{{- if and (ne .mode "dev") (.Values.server.auditStorage.enabled) (.Values.server.auditStorage.labels) }}
labels:
{{- $tp := typeOf .Values.server.auditStorage.labels }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.auditStorage.labels . | nindent 4 }}
{{- else }}
{{- toYaml .Values.server.auditStorage.labels | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Set's the container resources if the user has set any.
*/}}
@@ -558,6 +866,16 @@ Sets the container resources if the user has set any.
{{ end }}
{{- end -}}
{{/*
Sets the container resources for CSI's Agent sidecar if the user has set any.
*/}}
{{- define "csi.agent.resources" -}}
{{- if .Values.csi.agent.resources -}}
resources:
{{ toYaml .Values.csi.agent.resources | indent 12}}
{{ end }}
{{- end -}}
{{/*
Sets extra CSI daemonset annotations
*/}}
@@ -573,6 +891,37 @@ Sets extra CSI daemonset annotations
{{- end }}
{{- end -}}
{{/*
Sets CSI daemonset securityContext for pod template
*/}}
{{- define "csi.daemonSet.securityContext.pod" -}}
{{- if .Values.csi.daemonSet.securityContext.pod }}
securityContext:
{{- $tp := typeOf .Values.csi.daemonSet.securityContext.pod }}
{{- if eq $tp "string" }}
{{- tpl .Values.csi.daemonSet.securityContext.pod . | nindent 8 }}
{{- else }}
{{- toYaml .Values.csi.daemonSet.securityContext.pod | nindent 8 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets CSI daemonset securityContext for container
*/}}
{{- define "csi.daemonSet.securityContext.container" -}}
{{- if .Values.csi.daemonSet.securityContext.container }}
securityContext:
{{- $tp := typeOf .Values.csi.daemonSet.securityContext.container }}
{{- if eq $tp "string" }}
{{- tpl .Values.csi.daemonSet.securityContext.container . | nindent 12 }}
{{- else }}
{{- toYaml .Values.csi.daemonSet.securityContext.container | nindent 12 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets the injector toleration for pod placement
*/}}
@@ -588,6 +937,34 @@ Sets the injector toleration for pod placement
{{- end }}
{{- end -}}
{{/*
Sets the CSI provider nodeSelector for pod placement
*/}}
{{- define "csi.pod.nodeselector" -}}
{{- if .Values.csi.pod.nodeSelector }}
nodeSelector:
{{- $tp := typeOf .Values.csi.pod.nodeSelector }}
{{- if eq $tp "string" }}
{{ tpl .Values.csi.pod.nodeSelector . | nindent 8 | trim }}
{{- else }}
{{- toYaml .Values.csi.pod.nodeSelector | nindent 8 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets the CSI provider affinity for pod placement.
*/}}
{{- define "csi.pod.affinity" -}}
{{- if .Values.csi.pod.affinity }}
affinity:
{{ $tp := typeOf .Values.csi.pod.affinity }}
{{- if eq $tp "string" }}
{{- tpl .Values.csi.pod.affinity . | nindent 8 | trim }}
{{- else }}
{{- toYaml .Values.csi.pod.affinity | nindent 8 }}
{{- end }}
{{ end }}
{{- end -}}
{{/*
Sets extra CSI provider pod annotations
*/}}
@@ -705,3 +1082,37 @@ Supported inputs are Values.ui
{{- end -}}
{{- end }}
{{- end -}}
{{/*
config file from values
*/}}
{{- define "vault.config" -}}
{{- if or (eq .mode "ha") (eq .mode "standalone") }}
{{- $config := (index .Values.server .mode).config -}}
{{- if .Values.server.ha.raft.enabled -}}
{{- $config = .Values.server.ha.raft.config -}}
{{- end -}}
{{- $type := typeOf $config -}}
{{- if eq $type "string" -}}
{{/* Vault supports both HCL and JSON as its configuration format */}}
{{- $json := tpl $config . | fromJson -}}
{{/*
Helm's fromJson does not behave according to the corresponding sprig function nor Helm docs,
which claim that it should return empty string on invalid JSON, it actually returns
a map containing a single 'Error' element.
https://github.com/helm/helm/blob/50c22ed7f953fadb32755e5881ba95a92da852b2/pkg/engine/funcs.go#L158
*/}}
{{- if or (and (eq ($json | len) 1) (hasKey $json "Error")) (eq ($json | len) 0) -}}
{{- $config = printf "%s\n%s" $config "disable_mlock = true" -}}
{{- else -}}
{{- if not (hasKey $json "disable_mlock") -}}
{{- $_ := set $json "disable_mlock" true -}}
{{- end -}}
{{- $config = $json | mustToJson -}}
{{- end -}}
{{- else }}
{{- fail "structured server config is not supported, value must be a string"}}
{{- end }}
{{- tpl $config . | nindent 4 | trim }}
{{- end -}}
{{- end -}}

34
helm/vault/templates/csi-agent-configmap.yaml Normal file
View File

@@ -0,0 +1,34 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.csiEnabled" . -}}
{{- if and (.csiEnabled) (eq (.Values.csi.agent.enabled | toString) "true") -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "vault.fullname" . }}-csi-provider-agent-config
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
data:
config.hcl: |
vault {
{{- if .Values.global.externalVaultAddr }}
"address" = "{{ .Values.global.externalVaultAddr }}"
{{- else }}
"address" = "{{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }}"
{{- end }}
}
cache {}
listener "unix" {
address = "/var/run/vault/agent.sock"
tls_disable = true
}
{{- end }}

8
helm/vault/templates/csi-clusterrole.yaml
View File

@@ -1,4 +1,10 @@
{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:

10
helm/vault/templates/csi-clusterrolebinding.yaml
View File

@@ -1,4 +1,10 @@
{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
@@ -14,5 +20,5 @@ roleRef:
subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}-csi-provider
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
{{- end }}

96
helm/vault/templates/csi-daemonset.yaml
View File

@@ -1,13 +1,22 @@
{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ template "vault.fullname" . }}-csi-provider
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.csi.daemonSet.extraLabels -}}
{{- toYaml .Values.csi.daemonSet.extraLabels | nindent 4 -}}
{{- end -}}
{{ template "csi.daemonSet.annotations" . }}
spec:
updateStrategy:
@@ -25,30 +34,57 @@ spec:
labels:
app.kubernetes.io/name: {{ template "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.csi.pod.extraLabels -}}
{{- toYaml .Values.csi.pod.extraLabels | nindent 8 -}}
{{- end -}}
{{ template "csi.pod.annotations" . }}
spec:
{{ template "csi.daemonSet.securityContext.pod" . }}
{{- if .Values.csi.priorityClassName }}
priorityClassName: {{ .Values.csi.priorityClassName }}
{{- end }}
hostNetwork: {{ .Values.csi.hostNetwork }}
serviceAccountName: {{ template "vault.fullname" . }}-csi-provider
{{- template "csi.pod.tolerations" . }}
{{- template "csi.pod.nodeselector" . }}
{{- template "csi.pod.affinity" . }}
containers:
- name: {{ include "vault.name" . }}-csi-provider
{{ template "csi.resources" . }}
{{ template "csi.daemonSet.securityContext.container" . }}
image: "{{ .Values.csi.image.repository }}:{{ .Values.csi.image.tag }}"
imagePullPolicy: {{ .Values.csi.image.pullPolicy }}
args:
- --endpoint=/provider/vault.sock
- --debug={{ .Values.csi.debug }}
{{- if .Values.csi.debug }}
- --log-level=debug
{{- else }}
- --log-level={{ .Values.csi.logLevel }}
{{- end }}
{{- if .Values.csi.hmacSecretName }}
- --hmac-secret-name={{ .Values.csi.hmacSecretName }}
{{- else }}
- --hmac-secret-name={{- include "vault.name" . }}-csi-provider-hmac-key
{{- end }}
{{- if .Values.csi.extraArgs }}
{{- toYaml .Values.csi.extraArgs | nindent 12 }}
{{- end }}
env:
- name: VAULT_ADDR
{{- if eq (.Values.csi.agent.enabled | toString) "true" }}
value: "unix:///var/run/vault/agent.sock"
{{- else if .Values.global.externalVaultAddr }}
value: "{{ .Values.global.externalVaultAddr }}"
{{- else }}
value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }}
{{- end }}
volumeMounts:
- name: providervol
mountPath: "/provider"
- name: mountpoint-dir
mountPath: {{ .Values.csi.daemonSet.kubeletRootDir }}/pods
mountPropagation: HostToContainer
{{- if eq (.Values.csi.agent.enabled | toString) "true" }}
- name: agent-unix-socket
mountPath: /var/run/vault
{{- end }}
{{- if .Values.csi.volumeMounts }}
{{- toYaml .Values.csi.volumeMounts | nindent 12}}
{{- end }}
@@ -70,13 +106,55 @@ spec:
periodSeconds: {{ .Values.csi.readinessProbe.periodSeconds }}
successThreshold: {{ .Values.csi.readinessProbe.successThreshold }}
timeoutSeconds: {{ .Values.csi.readinessProbe.timeoutSeconds }}
{{- if eq (.Values.csi.agent.enabled | toString) "true" }}
- name: {{ include "vault.name" . }}-agent
image: "{{ .Values.csi.agent.image.repository }}:{{ .Values.csi.agent.image.tag }}"
imagePullPolicy: {{ .Values.csi.agent.image.pullPolicy }}
{{ template "csi.agent.resources" . }}
command:
- vault
args:
- agent
- -config=/etc/vault/config.hcl
{{- if .Values.csi.agent.extraArgs }}
{{- toYaml .Values.csi.agent.extraArgs | nindent 12 }}
{{- end }}
ports:
- containerPort: 8200
env:
- name: VAULT_LOG_LEVEL
value: "{{ .Values.csi.agent.logLevel }}"
- name: VAULT_LOG_FORMAT
value: "{{ .Values.csi.agent.logFormat }}"
securityContext:
runAsNonRoot: true
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 100
runAsGroup: 1000
volumeMounts:
- name: agent-config
mountPath: /etc/vault/config.hcl
subPath: config.hcl
readOnly: true
- name: agent-unix-socket
mountPath: /var/run/vault
{{- if .Values.csi.volumeMounts }}
{{- toYaml .Values.csi.volumeMounts | nindent 12 }}
{{- end }}
{{- end }}
volumes:
- name: providervol
hostPath:
path: {{ .Values.csi.daemonSet.providersDir }}
- name: mountpoint-dir
hostPath:
path: {{ .Values.csi.daemonSet.kubeletRootDir }}/pods
{{- if eq (.Values.csi.agent.enabled | toString) "true" }}
- name: agent-config
configMap:
name: {{ template "vault.fullname" . }}-csi-provider-agent-config
- name: agent-unix-socket
emptyDir:
medium: Memory
{{- end }}
{{- if .Values.csi.volumes }}
{{- toYaml .Values.csi.volumes | nindent 8}}
{{- end }}

32
helm/vault/templates/csi-role.yaml Normal file
View File

@@ -0,0 +1,32 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "vault.fullname" . }}-csi-provider-role
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
resourceNames:
{{- if .Values.csi.hmacSecretName }}
- {{ .Values.csi.hmacSecretName }}
{{- else }}
- {{ include "vault.name" . }}-csi-provider-hmac-key
{{- end }}
# 'create' permissions cannot be restricted by resource name:
# https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create"]
{{- end }}

25
helm/vault/templates/csi-rolebinding.yaml Normal file
View File

@@ -0,0 +1,25 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "vault.fullname" . }}-csi-provider-rolebinding
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "vault.fullname" . }}-csi-provider-role
subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}-csi-provider
namespace: {{ include "vault.namespace" . }}
{{- end }}

13
helm/vault/templates/csi-serviceaccount.yaml
View File

@@ -1,12 +1,21 @@
{{- if and (eq (.Values.csi.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "vault.fullname" . }}-csi-provider
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.csi.serviceAccount.extraLabels -}}
{{- toYaml .Values.csi.serviceAccount.extraLabels | nindent 4 -}}
{{- end -}}
{{ template "csi.serviceAccount.annotations" . }}
{{- end }}

11
helm/vault/templates/injector-certs-secret.yaml
View File

@@ -1,10 +1,19 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
apiVersion: v1
kind: Secret
metadata:
name: vault-injector-certs
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{- end }}

14
helm/vault/templates/injector-clusterrole.yaml
View File

@@ -1,4 +1,10 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
@@ -15,4 +21,10 @@ rules:
- "list"
- "watch"
- "patch"
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
- apiGroups: [""]
resources: ["nodes"]
verbs:
- "get"
{{ end }}
{{ end }}

10
helm/vault/templates/injector-clusterrolebinding.yaml
View File

@@ -1,4 +1,10 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
@@ -14,5 +20,5 @@ roleRef:
subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
{{ end }}

67
helm/vault/templates/injector-deployment.yaml
View File

@@ -1,10 +1,16 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
# Deployment for the injector
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
@@ -30,38 +36,35 @@ spec:
{{ template "injector.annotations" . }}
spec:
{{ template "injector.affinity" . }}
{{ template "injector.topologySpreadConstraints" . }}
{{ template "injector.tolerations" . }}
{{ template "injector.nodeselector" . }}
{{- if .Values.injector.priorityClassName }}
priorityClassName: {{ .Values.injector.priorityClassName }}
{{- end }}
serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector"
{{ template "injector.securityContext.pod" . -}}
{{- if not .Values.global.openshift }}
hostNetwork: {{ .Values.injector.hostNetwork }}
securityContext:
runAsNonRoot: true
runAsGroup: {{ .Values.injector.gid | default 1000 }}
runAsUser: {{ .Values.injector.uid | default 100 }}
{{- end }}
containers:
- name: sidecar-injector
{{ template "injector.resources" . }}
image: "{{ .Values.injector.image.repository }}:{{ .Values.injector.image.tag }}"
imagePullPolicy: "{{ .Values.injector.image.pullPolicy }}"
{{- if not .Values.global.openshift }}
securityContext:
allowPrivilegeEscalation: false
{{- end }}
{{- template "injector.securityContext.container" . }}
env:
- name: AGENT_INJECT_LISTEN
value: {{ printf ":%v" .Values.injector.port }}
- name: AGENT_INJECT_LOG_LEVEL
value: {{ .Values.injector.logLevel | default "info" }}
- name: AGENT_INJECT_VAULT_ADDR
{{- if .Values.injector.externalVaultAddr }}
{{- if .Values.global.externalVaultAddr }}
value: "{{ .Values.global.externalVaultAddr }}"
{{- else if .Values.injector.externalVaultAddr }}
value: "{{ .Values.injector.externalVaultAddr }}"
{{- else }}
value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }}
{{- end }}
- name: AGENT_INJECT_VAULT_AUTH_PATH
value: {{ .Values.injector.authPath }}
@@ -76,7 +79,7 @@ spec:
- name: AGENT_INJECT_TLS_AUTO
value: {{ template "vault.fullname" . }}-agent-injector-cfg
- name: AGENT_INJECT_TLS_AUTO_HOSTS
value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }}.svc
value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ include "vault.namespace" . }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ include "vault.namespace" . }}.svc
{{- end }}
- name: AGENT_INJECT_LOG_FORMAT
value: {{ .Values.injector.logFormat | default "standard" }}
@@ -106,6 +109,14 @@ spec:
value: "{{ .Values.injector.agentDefaults.memRequest }}"
- name: AGENT_INJECT_MEM_LIMIT
value: "{{ .Values.injector.agentDefaults.memLimit }}"
{{- if .Values.injector.agentDefaults.ephemeralRequest }}
- name: AGENT_INJECT_EPHEMERAL_REQUEST
value: "{{ .Values.injector.agentDefaults.ephemeralRequest }}"
{{- end }}
{{- if .Values.injector.agentDefaults.ephemeralLimit }}
- name: AGENT_INJECT_EPHEMERAL_LIMIT
value: "{{ .Values.injector.agentDefaults.ephemeralLimit }}"
{{- end }}
- name: AGENT_INJECT_DEFAULT_TEMPLATE
value: "{{ .Values.injector.agentDefaults.template }}"
- name: AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE
@@ -127,21 +138,31 @@ spec:
path: /health/ready
port: {{ .Values.injector.port }}
scheme: HTTPS
failureThreshold: 2
initialDelaySeconds: 5
periodSeconds: 2
successThreshold: 1
timeoutSeconds: 5
failureThreshold: {{ .Values.injector.livenessProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.injector.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.injector.livenessProbe.periodSeconds }}
successThreshold: {{ .Values.injector.livenessProbe.successThreshold }}
timeoutSeconds: {{ .Values.injector.livenessProbe.timeoutSeconds }}
readinessProbe:
httpGet:
path: /health/ready
port: {{ .Values.injector.port }}
scheme: HTTPS
failureThreshold: 2
initialDelaySeconds: 5
periodSeconds: 2
successThreshold: 1
timeoutSeconds: 5
failureThreshold: {{ .Values.injector.readinessProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.injector.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.injector.readinessProbe.periodSeconds }}
successThreshold: {{ .Values.injector.readinessProbe.successThreshold }}
timeoutSeconds: {{ .Values.injector.readinessProbe.timeoutSeconds }}
startupProbe:
httpGet:
path: /health/ready
port: {{ .Values.injector.port }}
scheme: HTTPS
failureThreshold: {{ .Values.injector.startupProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.injector.startupProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.injector.startupProbe.periodSeconds }}
successThreshold: {{ .Values.injector.startupProbe.successThreshold }}
timeoutSeconds: {{ .Values.injector.startupProbe.timeoutSeconds }}
{{- if .Values.injector.certs.secretName }}
volumeMounts:
- name: webhook-certs

7
helm/vault/templates/injector-disruptionbudget.yaml
View File

@@ -1,9 +1,14 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- if .Values.injector.podDisruptionBudget }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector

32
helm/vault/templates/injector-mutating-webhook.yaml
View File

@@ -1,4 +1,10 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }}
apiVersion: admissionregistration.k8s.io/v1
{{- else }}
@@ -14,30 +20,26 @@ metadata:
{{- template "injector.webhookAnnotations" . }}
webhooks:
- name: vault.hashicorp.com
failurePolicy: {{ ((.Values.injector.webhook)).failurePolicy | default .Values.injector.failurePolicy }}
matchPolicy: {{ ((.Values.injector.webhook)).matchPolicy | default "Exact" }}
sideEffects: None
admissionReviewVersions:
- "v1beta1"
- "v1"
timeoutSeconds: {{ ((.Values.injector.webhook)).timeoutSeconds | default "30" }}
admissionReviewVersions: ["v1", "v1beta1"]
clientConfig:
service:
name: {{ template "vault.fullname" . }}-agent-injector-svc
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
path: "/mutate"
caBundle: {{ .Values.injector.certs.caBundle | quote }}
rules:
- operations: ["CREATE", "UPDATE"]
- operations: ["CREATE"]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
{{- if .Values.injector.namespaceSelector }}
scope: "Namespaced"
{{- if or (.Values.injector.namespaceSelector) (((.Values.injector.webhook)).namespaceSelector) }}
namespaceSelector:
{{ toYaml .Values.injector.namespaceSelector | indent 6}}
{{ end }}
{{- if .Values.injector.objectSelector }}
objectSelector:
{{ toYaml .Values.injector.objectSelector | indent 6}}
{{ end }}
{{- with .Values.injector.failurePolicy }}
failurePolicy: {{.}}
{{ toYaml (((.Values.injector.webhook)).namespaceSelector | default .Values.injector.namespaceSelector) | indent 6}}
{{ end }}
{{- template "injector.objectSelector" . -}}
{{ end }}

10
helm/vault/templates/injector-network-policy.yaml
View File

@@ -1,4 +1,11 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.openshift | toString) "true") }}
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if eq (.Values.global.openshift | toString) "true" }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
@@ -19,3 +26,4 @@ spec:
- port: 8080
protocol: TCP
{{ end }}
{{ end }}

12
helm/vault/templates/injector-psp-role.yaml
View File

@@ -1,9 +1,16 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }}
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if eq (.Values.global.psp.enable | toString) "true" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-psp
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
@@ -15,3 +22,4 @@ rules:
resourceNames:
- {{ template "vault.fullname" . }}-agent-injector
{{- end }}
{{- end }}

12
helm/vault/templates/injector-psp-rolebinding.yaml
View File

@@ -1,9 +1,16 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }}
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if eq (.Values.global.psp.enable | toString) "true" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-psp
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
@@ -16,3 +23,4 @@ subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}-agent-injector
{{- end }}
{{- end }}

12
helm/vault/templates/injector-psp.yaml
View File

@@ -1,5 +1,12 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }}
apiVersion: policy/v1
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if eq (.Values.global.psp.enable | toString) "true" }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ template "vault.fullname" . }}-agent-injector
@@ -41,3 +48,4 @@ spec:
max: 65535
readOnlyRootFilesystem: false
{{- end }}
{{- end }}

11
helm/vault/templates/injector-role.yaml
View File

@@ -1,8 +1,16 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
@@ -23,3 +31,4 @@ rules:
- "patch"
- "delete"
{{- end }}
{{- end }}

13
helm/vault/templates/injector-rolebinding.yaml
View File

@@ -1,8 +1,16 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-binding
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
@@ -14,5 +22,6 @@ roleRef:
subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
{{- end }}
{{- end }}

10
helm/vault/templates/injector-service.yaml
View File

@@ -1,9 +1,15 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-svc
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}

11
helm/vault/templates/injector-serviceaccount.yaml
View File

@@ -1,11 +1,18 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{ template "injector.serviceAccount.annotations" . }}
{{ end }}

31
helm/vault/templates/prometheus-prometheusrules.yaml Normal file
View File

@@ -0,0 +1,31 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ if and (.Values.serverTelemetry.prometheusRules.rules)
(or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.prometheusRules.enabled) )
}}
---
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: {{ template "vault.fullname" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}}
{{- $selectors := .Values.serverTelemetry.prometheusRules.selectors }}
{{- if $selectors }}
{{- toYaml $selectors | nindent 4 }}
{{- else }}
release: prometheus
{{- end }}
spec:
groups:
- name: {{ include "vault.fullname" . }}
rules:
{{- toYaml .Values.serverTelemetry.prometheusRules.rules | nindent 6 }}
{{- end }}

58
helm/vault/templates/prometheus-servicemonitor.yaml Normal file
View File

@@ -0,0 +1,58 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{ if or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.serviceMonitor.enabled) }}
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "vault.fullname" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}}
{{- $selectors := .Values.serverTelemetry.serviceMonitor.selectors }}
{{- if $selectors }}
{{- toYaml $selectors | nindent 4 }}
{{- else }}
release: prometheus
{{- end }}
spec:
selector:
matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if eq .mode "ha" }}
vault-active: "true"
{{- else }}
vault-internal: "true"
{{- end }}
endpoints:
- port: {{ include "vault.scheme" . }}
interval: {{ .Values.serverTelemetry.serviceMonitor.interval }}
scrapeTimeout: {{ .Values.serverTelemetry.serviceMonitor.scrapeTimeout }}
scheme: {{ include "vault.scheme" . | lower }}
path: /v1/sys/metrics
params:
format:
- prometheus
{{- with .Values.serverTelemetry.serviceMonitor.tlsConfig }}
tlsConfig:
{{- toYaml . | nindent 6 }}
{{- else }}
tlsConfig:
insecureSkipVerify: true
{{- end }}
{{- with .Values.serverTelemetry.serviceMonitor.authorization }}
authorization:
{{- toYaml . | nindent 6 }}
{{- end }}
namespaceSelector:
matchNames:
- {{ include "vault.namespace" . }}
{{ end }}

11
helm/vault/templates/server-clusterrolebinding.yaml
View File

@@ -1,5 +1,10 @@
{{ template "vault.mode" . }}
{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.authDelegator.enabled | toString) "true") }}
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.serverAuthDelegator" . }}
{{- if .serverAuthDelegator -}}
{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
@@ -20,5 +25,5 @@ roleRef:
subjects:
- kind: ServiceAccount
name: {{ template "vault.serviceAccount.name" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
{{ end }}

35
helm/vault/templates/server-config-configmap.yaml
View File

@@ -1,38 +1,31 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if and (eq (.Values.global.enabled | toString) "true") (ne .mode "dev") -}}
{{- if .serverEnabled -}}
{{- if ne .mode "dev" -}}
{{ if or (.Values.server.standalone.config) (.Values.server.ha.config) -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "vault.fullname" . }}-config
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.server.includeConfigAnnotation }}
annotations:
vault.hashicorp.com/config-checksum: {{ include "vault.config" . | sha256sum }}
{{- end }}
data:
extraconfig-from-values.hcl: |-
{{- if or (eq .mode "ha") (eq .mode "standalone") }}
{{- $type := typeOf (index .Values.server .mode).config }}
{{- if eq $type "string" }}
disable_mlock = true
{{- if eq .mode "standalone" }}
{{ tpl .Values.server.standalone.config . | nindent 4 | trim }}
{{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "false") }}
{{ tpl .Values.server.ha.config . | nindent 4 | trim }}
{{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }}
{{ tpl .Values.server.ha.raft.config . | nindent 4 | trim }}
{{ end }}
{{- else }}
{{- if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }}
{{ merge (dict "disable_mlock" true) (index .Values.server .mode).raft.config | toPrettyJson | indent 4 }}
{{- else }}
{{ merge (dict "disable_mlock" true) (index .Values.server .mode).config | toPrettyJson | indent 4 }}
{{- end }}
{{- end }}
{{- end }}
{{ template "vault.config" . }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

13
helm/vault/templates/server-discovery-role.yaml
View File

@@ -1,10 +1,16 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if and (eq .mode "ha" ) (eq (.Values.global.enabled | toString) "true") }}
{{- if .serverEnabled -}}
{{- if eq .mode "ha" }}
{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
name: {{ template "vault.fullname" . }}-discovery-role
labels:
helm.sh/chart: {{ include "vault.chart" . }}
@@ -17,3 +23,4 @@ rules:
verbs: ["get", "watch", "list", "update", "patch"]
{{ end }}
{{ end }}
{{ end }}

15
helm/vault/templates/server-discovery-rolebinding.yaml
View File

@@ -1,6 +1,12 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if and (eq .mode "ha" ) (eq (.Values.global.enabled | toString) "true") }}
{{- if .serverEnabled -}}
{{- if eq .mode "ha" }}
{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }}
{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
@@ -9,7 +15,7 @@ apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: {{ template "vault.fullname" . }}-discovery-rolebinding
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
@@ -22,6 +28,7 @@ roleRef:
subjects:
- kind: ServiceAccount
name: {{ template "vault.serviceAccount.name" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
{{ end }}
{{ end }}
{{ end }}

11
helm/vault/templates/server-disruptionbudget.yaml
View File

@@ -1,13 +1,19 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if ne .mode "external" -}}
{{- if and (eq (.Values.global.enabled | toString) "true") (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}}
{{- if .serverEnabled -}}
{{- if and (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}}
# PodDisruptionBudget to prevent degrading the server cluster through
# voluntary cluster changes.
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ template "vault.fullname" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
@@ -22,3 +28,4 @@ spec:
component: server
{{- end -}}
{{- end -}}
{{- end -}}

34
helm/vault/templates/server-ha-active-service.yaml
View File

@@ -1,42 +1,64 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
{{- if eq .mode "ha" }}
{{- if eq (.Values.server.service.active.enabled | toString) "true" }}
# Service for active Vault pod
apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}-active
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
vault-active: "true"
annotations:
{{ template "vault.service.annotations" .}}
{{- template "vault.service.active.annotations" . }}
{{- template "vault.service.annotations" . }}
spec:
{{- if .Values.server.service.type}}
type: {{ .Values.server.service.type }}
{{- end}}
{{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
{{- if .Values.server.service.ipFamilyPolicy }}
ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }}
{{- end }}
{{- if .Values.server.service.ipFamilies }}
ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }}
{{- end }}
{{- end }}
{{- if .Values.server.service.clusterIP }}
clusterIP: {{ .Values.server.service.clusterIP }}
{{- end }}
{{- include "service.externalTrafficPolicy" .Values.server.service }}
publishNotReadyAddresses: true
publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
ports:
- name: {{ include "vault.scheme" . }}
port: {{ .Values.server.service.port }}
targetPort: {{ .Values.server.service.targetPort }}
{{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
nodePort: {{ .Values.server.service.nodePort }}
{{- if and (.Values.server.service.activeNodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
nodePort: {{ .Values.server.service.activeNodePort }}
{{- end }}
- name: https-internal
port: 8201
targetPort: 8201
selector:
app.kubernetes.io/name: {{ include "vault.name" . }}
{{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
component: server
vault-active: "true"
{{- end }}
{{- end }}
{{- end }}
{{- end }}

33
helm/vault/templates/server-ha-standby-service.yaml
View File

@@ -1,42 +1,63 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
{{- if eq .mode "ha" }}
{{- if eq (.Values.server.service.standby.enabled | toString) "true" }}
# Service for standby Vault pod
apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}-standby
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
annotations:
{{ template "vault.service.annotations" .}}
{{- template "vault.service.standby.annotations" . }}
{{- template "vault.service.annotations" . }}
spec:
{{- if .Values.server.service.type}}
type: {{ .Values.server.service.type }}
{{- end}}
{{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
{{- if .Values.server.service.ipFamilyPolicy }}
ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }}
{{- end }}
{{- if .Values.server.service.ipFamilies }}
ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }}
{{- end }}
{{- end }}
{{- if .Values.server.service.clusterIP }}
clusterIP: {{ .Values.server.service.clusterIP }}
{{- end }}
{{- include "service.externalTrafficPolicy" .Values.server.service }}
publishNotReadyAddresses: true
publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
ports:
- name: {{ include "vault.scheme" . }}
port: {{ .Values.server.service.port }}
targetPort: {{ .Values.server.service.targetPort }}
{{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
nodePort: {{ .Values.server.service.nodePort }}
{{- if and (.Values.server.service.standbyNodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
nodePort: {{ .Values.server.service.standbyNodePort }}
{{- end }}
- name: https-internal
port: 8201
targetPort: 8201
selector:
app.kubernetes.io/name: {{ include "vault.name" . }}
{{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
component: server
vault-active: "false"
{{- end }}
{{- end }}
{{- end }}
{{- end }}

19
helm/vault/templates/server-headless-service.yaml
View File

@@ -1,20 +1,35 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
# Service for Vault cluster
apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}-internal
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
vault-internal: "true"
annotations:
{{ template "vault.service.annotations" .}}
spec:
{{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
{{- if .Values.server.service.ipFamilyPolicy }}
ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }}
{{- end }}
{{- if .Values.server.service.ipFamilies }}
ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }}
{{- end }}
{{- end }}
clusterIP: None
publishNotReadyAddresses: true
ports:

25
helm/vault/templates/server-ingress.yaml
View File

@@ -1,26 +1,27 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- if not .Values.global.openshift }}
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if .Values.server.ingress.enabled -}}
{{- $extraPaths := .Values.server.ingress.extraPaths -}}
{{- $serviceName := include "vault.fullname" . -}}
{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.ingress.activeService | toString) "true") }}
{{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
{{- if and (eq .mode "ha" ) (eq (.Values.server.ingress.activeService | toString) "true") }}
{{- $serviceName = printf "%s-%s" $serviceName "active" -}}
{{- end }}
{{- $servicePort := .Values.server.service.port -}}
{{- $pathType := .Values.server.ingress.pathType -}}
{{- $kubeVersion := .Capabilities.KubeVersion.Version }}
{{ if semverCompare ">= 1.19.0-0" $kubeVersion }}
apiVersion: networking.k8s.io/v1
{{ else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }}
apiVersion: networking.k8s.io/v1beta1
{{ else }}
apiVersion: extensions/v1beta1
{{ end }}
kind: Ingress
metadata:
name: {{ template "vault.fullname" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
@@ -54,21 +55,15 @@ spec:
{{- end }}
{{- range (.paths | default (list "/")) }}
- path: {{ . }}
{{ if semverCompare ">= 1.19.0-0" $kubeVersion }}
pathType: {{ $pathType }}
{{ end }}
backend:
{{ if semverCompare ">= 1.19.0-0" $kubeVersion }}
service:
name: {{ $serviceName }}
port:
number: {{ $servicePort }}
{{ else }}
serviceName: {{ $serviceName }}
servicePort: {{ $servicePort }}
{{ end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

14
helm/vault/templates/server-network-policy.yaml
View File

@@ -1,3 +1,8 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- if eq (.Values.server.networkPolicy.enabled | toString) "true" }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
@@ -11,14 +16,7 @@ spec:
matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
ingress:
- from:
- namespaceSelector: {}
ports:
- port: 8200
protocol: TCP
- port: 8201
protocol: TCP
ingress: {{- toYaml .Values.server.networkPolicy.ingress | nindent 4 }}
{{- if .Values.server.networkPolicy.egress }}
egress:
{{- toYaml .Values.server.networkPolicy.egress | nindent 4 }}

11
helm/vault/templates/server-psp-role.yaml
View File

@@ -1,10 +1,16 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }}
{{- if .serverEnabled -}}
{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "vault.fullname" . }}-psp
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
@@ -16,3 +22,4 @@ rules:
resourceNames:
- {{ template "vault.fullname" . }}
{{- end }}
{{- end }}

11
helm/vault/templates/server-psp-rolebinding.yaml
View File

@@ -1,10 +1,16 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }}
{{- if .serverEnabled -}}
{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "vault.fullname" . }}-psp
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
@@ -17,3 +23,4 @@ subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}
{{- end }}
{{- end }}

11
helm/vault/templates/server-psp.yaml
View File

@@ -1,6 +1,12 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") }}
apiVersion: policy/v1
{{- if .serverEnabled -}}
{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ template "vault.fullname" . }}
@@ -45,3 +51,4 @@ spec:
max: 65535
readOnlyRootFilesystem: false
{{- end }}
{{- end }}

7
helm/vault/templates/server-route.yaml
View File

@@ -1,3 +1,8 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- if .Values.global.openshift }}
{{- if ne .mode "external" }}
{{- if .Values.server.route.enabled -}}
@@ -9,7 +14,7 @@ kind: Route
apiVersion: route.openshift.io/v1
metadata:
name: {{ template "vault.fullname" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}

22
helm/vault/templates/server-service.yaml
View File

@@ -1,12 +1,18 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
{{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
# Service for Vault cluster
apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
@@ -18,13 +24,21 @@ spec:
{{- if .Values.server.service.type}}
type: {{ .Values.server.service.type }}
{{- end}}
{{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
{{- if .Values.server.service.ipFamilyPolicy }}
ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }}
{{- end }}
{{- if .Values.server.service.ipFamilies }}
ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }}
{{- end }}
{{- end }}
{{- if .Values.server.service.clusterIP }}
clusterIP: {{ .Values.server.service.clusterIP }}
{{- end }}
{{- include "service.externalTrafficPolicy" .Values.server.service }}
# We want the servers to become available even if they're not ready
# since this DNS is also used for join operations.
publishNotReadyAddresses: true
publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
ports:
- name: {{ include "vault.scheme" . }}
port: {{ .Values.server.service.port }}
@@ -37,7 +51,9 @@ spec:
targetPort: 8201
selector:
app.kubernetes.io/name: {{ include "vault.name" . }}
{{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
component: server
{{- end }}
{{- end }}

21
helm/vault/templates/server-serviceaccount-secret.yaml Normal file
View File

@@ -0,0 +1,21 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.serverServiceAccountSecretCreationEnabled" . }}
{{- if .serverServiceAccountSecretCreationEnabled -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "vault.serviceAccount.name" . }}-token
namespace: {{ include "vault.namespace" . }}
annotations:
kubernetes.io/service-account.name: {{ template "vault.serviceAccount.name" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
type: kubernetes.io/service-account-token
{{ end }}

16
helm/vault/templates/server-serviceaccount.yaml
View File

@@ -1,16 +1,22 @@
{{ template "vault.mode" . }}
{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
{{- if (eq (.Values.server.serviceAccount.create | toString) "true" ) }}
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.serverServiceAccountEnabled" . }}
{{- if .serverServiceAccountEnabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "vault.serviceAccount.name" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.server.serviceAccount.extraLabels -}}
{{- toYaml .Values.server.serviceAccount.extraLabels | nindent 4 -}}
{{- end -}}
{{ template "vault.serviceAccount.annotations" . }}
{{ end }}
{{ end }}

50
helm/vault/templates/server-statefulset.yaml
View File

@@ -1,12 +1,18 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
{{- if ne .mode "" }}
{{- if .serverEnabled -}}
# StatefulSet to run the actual vault server cluster.
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ template "vault.fullname" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
@@ -18,6 +24,9 @@ spec:
replicas: {{ template "vault.replicas" . }}
updateStrategy:
type: {{ .Values.server.updateStrategyType }}
{{- if and (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) (.Values.server.persistentVolumeClaimRetentionPolicy) }}
persistentVolumeClaimRetentionPolicy: {{ toYaml .Values.server.persistentVolumeClaimRetentionPolicy | nindent 4 }}
{{- end }}
selector:
matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}
@@ -36,6 +45,7 @@ spec:
{{ template "vault.annotations" . }}
spec:
{{ template "vault.affinity" . }}
{{ template "vault.topologySpreadConstraints" . }}
{{ template "vault.tolerations" . }}
{{ template "vault.nodeselector" . }}
{{- if .Values.server.priorityClassName }}
@@ -46,17 +56,18 @@ spec:
{{ if .Values.server.shareProcessNamespace }}
shareProcessNamespace: true
{{ end }}
{{- template "server.statefulSet.securityContext.pod" . }}
{{- if not .Values.global.openshift }}
securityContext:
runAsNonRoot: true
runAsGroup: {{ .Values.server.gid | default 1000 }}
runAsUser: {{ .Values.server.uid | default 100 }}
fsGroup: {{ .Values.server.gid | default 1000 }}
hostNetwork: {{ .Values.server.hostNetwork }}
{{- end }}
volumes:
{{ template "vault.volumes" . }}
- name: home
emptyDir: {}
{{- if .Values.server.hostAliases }}
hostAliases:
{{ toYaml .Values.server.hostAliases | nindent 8}}
{{- end }}
{{- if .Values.server.extraInitContainers }}
initContainers:
{{ toYaml .Values.server.extraInitContainers | nindent 8}}
@@ -70,10 +81,7 @@ spec:
- "/bin/sh"
- "-ec"
args: {{ template "vault.args" . }}
{{- if not .Values.global.openshift }}
securityContext:
allowPrivilegeEscalation: false
{{- end }}
{{- template "server.statefulSet.securityContext.container" . }}
env:
- name: HOST_IP
valueFrom:
@@ -108,7 +116,11 @@ spec:
fieldRef:
fieldPath: metadata.name
- name: VAULT_CLUSTER_ADDR
{{- if .Values.server.ha.clusterAddr }}
value: {{ .Values.server.ha.clusterAddr | quote }}
{{- else }}
value: "https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201"
{{- end }}
{{- if and (eq (.Values.server.ha.raft.enabled | toString) "true") (eq (.Values.server.ha.raft.setNodeId | toString) "true") }}
- name: VAULT_RAFT_NODE_ID
valueFrom:
@@ -143,12 +155,15 @@ spec:
name: https-internal
- containerPort: 8202
name: {{ include "vault.scheme" . }}-rep
{{- if .Values.server.extraPorts -}}
{{ toYaml .Values.server.extraPorts | nindent 12}}
{{- end }}
{{- if .Values.server.readinessProbe.enabled }}
readinessProbe:
{{- if .Values.server.readinessProbe.path }}
httpGet:
path: {{ .Values.server.readinessProbe.path | quote }}
port: 8200
port: {{ .Values.server.readinessProbe.port }}
scheme: {{ include "vault.scheme" . | upper }}
{{- else }}
# Check status; unsealed vault servers return 0
@@ -167,10 +182,18 @@ spec:
{{- end }}
{{- if .Values.server.livenessProbe.enabled }}
livenessProbe:
{{- if .Values.server.livenessProbe.execCommand }}
exec:
command:
{{- range (.Values.server.livenessProbe.execCommand) }}
- {{ . | quote }}
{{- end }}
{{- else }}
httpGet:
path: {{ .Values.server.livenessProbe.path | quote }}
port: 8200
port: {{ .Values.server.livenessProbe.port }}
scheme: {{ include "vault.scheme" . | upper }}
{{- end }}
failureThreshold: {{ .Values.server.livenessProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.server.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.server.livenessProbe.periodSeconds }}
@@ -206,3 +229,4 @@ spec:
{{ template "vault.volumeclaims" . }}
{{ end }}
{{ end }}
{{ end }}

13
helm/vault/templates/tests/server-test.yaml
View File

@@ -1,11 +1,16 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
{{- if .serverEnabled -}}
apiVersion: v1
kind: Pod
metadata:
name: "{{ .Release.Name }}-server-test"
namespace: {{ .Release.Namespace }}
name: {{ template "vault.fullname" . }}-server-test
namespace: {{ include "vault.namespace" . }}
annotations:
"helm.sh/hook": test
spec:
@@ -16,7 +21,7 @@ spec:
imagePullPolicy: {{ .Values.server.image.pullPolicy }}
env:
- name: VAULT_ADDR
value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }}
{{- include "vault.extraEnvironmentVars" .Values.server | nindent 8 }}
command:
- /bin/sh

21
helm/vault/templates/ui-service.yaml
View File

@@ -1,12 +1,18 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
{{- if eq (.Values.ui.enabled | toString) "true" }}
{{- template "vault.uiEnabled" . -}}
{{- if .uiEnabled -}}
apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}-ui
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}-ui
@@ -14,6 +20,14 @@ metadata:
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- template "vault.ui.annotations" . }}
spec:
{{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }}
{{- if .Values.ui.serviceIPFamilyPolicy }}
ipFamilyPolicy: {{ .Values.ui.serviceIPFamilyPolicy }}
{{- end }}
{{- if .Values.ui.serviceIPFamilies }}
ipFamilies: {{ .Values.ui.serviceIPFamilies | toYaml | nindent 2 }}
{{- end }}
{{- end }}
selector:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
@@ -34,4 +48,3 @@ spec:
{{- include "service.loadBalancer" .Values.ui }}
{{- end -}}
{{- end }}
{{- end }}

1010
helm/vault/values-external.yaml
View File

File diff suppressed because it is too large Load Diff

12
helm/vault/values.openshift.yaml
View File

@@ -1,3 +1,6 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# These overrides are appropriate defaults for deploying this chart on OpenShift
global:
@@ -6,13 +9,16 @@ global:
injector:
image:
repository: "registry.connect.redhat.com/hashicorp/vault-k8s"
tag: "0.14.2-ubi"
tag: "1.5.0-ubi"
agentImage:
repository: "registry.connect.redhat.com/hashicorp/vault"
tag: "1.9.2-ubi"
tag: "1.18.1-ubi"
server:
image:
repository: "registry.connect.redhat.com/hashicorp/vault"
tag: "1.9.2-ubi"
tag: "1.18.1-ubi"
readinessProbe:
path: "/v1/sys/health?uninitcode=204"

472
helm/vault/values.schema.json
View File

@@ -5,6 +5,40 @@
"csi": {
"type": "object",
"properties": {
"agent": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
},
"extraArgs": {
"type": "array"
},
"image": {
"type": "object",
"properties": {
"pullPolicy": {
"type": "string"
},
"repository": {
"type": "string"
},
"tag": {
"type": "string"
}
}
},
"logFormat": {
"type": "string"
},
"logLevel": {
"type": "string"
},
"resources": {
"type": "object"
}
}
},
"daemonSet": {
"type": "object",
"properties": {
@@ -14,12 +48,32 @@
"string"
]
},
"extraLabels": {
"type": "object"
},
"kubeletRootDir": {
"type": "string"
},
"providersDir": {
"type": "string"
},
"securityContext": {
"type": "object",
"properties": {
"container": {
"type": [
"object",
"string"
]
},
"pod": {
"type": [
"object",
"string"
]
}
}
},
"updateStrategy": {
"type": "object",
"properties": {
@@ -33,18 +87,24 @@
}
}
},
"priorityClassName": {
"type": "string"
},
"debug": {
"type": "boolean"
},
"enabled": {
"type": "boolean"
"type": [
"boolean",
"string"
]
},
"extraArgs": {
"type": "array"
},
"hmacSecretName": {
"type": "string"
},
"hostNetwork": {
"type": "boolean"
},
"image": {
"type": "object",
"properties": {
@@ -79,15 +139,35 @@
}
}
},
"logLevel": {
"type": "string"
},
"pod": {
"type": "object",
"properties": {
"affinity": {
"type": [
"null",
"object",
"string"
]
},
"annotations": {
"type": [
"object",
"string"
]
},
"extraLabels": {
"type": "object"
},
"nodeSelector": {
"type": [
"null",
"object",
"string"
]
},
"tolerations": {
"type": [
"null",
@@ -97,6 +177,9 @@
}
}
},
"priorityClassName": {
"type": "string"
},
"readinessProbe": {
"type": "object",
"properties": {
@@ -128,6 +211,9 @@
"object",
"string"
]
},
"extraLabels": {
"type": "object"
}
}
},
@@ -151,9 +237,15 @@
"enabled": {
"type": "boolean"
},
"externalVaultAddr": {
"type": "string"
},
"imagePullSecrets": {
"type": "array"
},
"namespace": {
"type": "string"
},
"openshift": {
"type": "boolean"
},
@@ -171,6 +263,14 @@
}
}
},
"serverTelemetry": {
"type": "object",
"properties": {
"prometheusOperator": {
"type": "boolean"
}
}
},
"tlsDisable": {
"type": "boolean"
}
@@ -200,6 +300,12 @@
"memRequest": {
"type": "string"
},
"ephemeralLimit": {
"type": "string"
},
"ephemeralRequest": {
"type": "string"
},
"template": {
"type": "string"
},
@@ -257,7 +363,10 @@
}
},
"enabled": {
"type": "boolean"
"type": [
"boolean",
"string"
]
},
"externalVaultAddr": {
"type": "string"
@@ -296,6 +405,26 @@
}
}
},
"livenessProbe": {
"type": "object",
"properties": {
"failureThreshold": {
"type": "integer"
},
"initialDelaySeconds": {
"type": "integer"
},
"periodSeconds": {
"type": "integer"
},
"successThreshold": {
"type": "integer"
},
"timeoutSeconds": {
"type": "integer"
}
}
},
"logFormat": {
"type": "string"
},
@@ -321,7 +450,10 @@
]
},
"objectSelector": {
"type": "object"
"type": [
"object",
"string"
]
},
"podDisruptionBudget": {
"type": "object"
@@ -332,6 +464,26 @@
"priorityClassName": {
"type": "string"
},
"readinessProbe": {
"type": "object",
"properties": {
"failureThreshold": {
"type": "integer"
},
"initialDelaySeconds": {
"type": "integer"
},
"periodSeconds": {
"type": "integer"
},
"successThreshold": {
"type": "integer"
},
"timeoutSeconds": {
"type": "integer"
}
}
},
"replicas": {
"type": "integer"
},
@@ -341,6 +493,23 @@
"revokeOnShutdown": {
"type": "boolean"
},
"securityContext": {
"type": "object",
"properties": {
"container": {
"type": [
"object",
"string"
]
},
"pod": {
"type": [
"object",
"string"
]
}
}
},
"service": {
"type": "object",
"properties": {
@@ -352,6 +521,37 @@
}
}
},
"serviceAccount": {
"type": "object",
"properties": {
"annotations": {
"type": [
"object",
"string"
]
}
}
},
"startupProbe": {
"type": "object",
"properties": {
"failureThreshold": {
"type": "integer"
},
"initialDelaySeconds": {
"type": "integer"
},
"periodSeconds": {
"type": "integer"
},
"successThreshold": {
"type": "integer"
},
"timeoutSeconds": {
"type": "integer"
}
}
},
"strategy": {
"type": [
"object",
@@ -365,6 +565,42 @@
"string"
]
},
"topologySpreadConstraints": {
"type": [
"null",
"array",
"string"
]
},
"webhook": {
"type": "object",
"properties": {
"annotations": {
"type": [
"object",
"string"
]
},
"failurePolicy": {
"type": "string"
},
"matchPolicy": {
"type": "string"
},
"namespaceSelector": {
"type": "object"
},
"objectSelector": {
"type": [
"object",
"string"
]
},
"timeoutSeconds": {
"type": "integer"
}
}
},
"webhookAnnotations": {
"type": [
"object",
@@ -406,6 +642,12 @@
"string"
]
},
"labels": {
"type": [
"object",
"string"
]
},
"mountPath": {
"type": "string"
},
@@ -446,6 +688,12 @@
"string"
]
},
"labels": {
"type": [
"object",
"string"
]
},
"mountPath": {
"type": "string"
},
@@ -472,7 +720,10 @@
}
},
"enabled": {
"type": "boolean"
"type": [
"boolean",
"string"
]
},
"enterpriseLicense": {
"type": "object",
@@ -506,6 +757,12 @@
"extraLabels": {
"type": "object"
},
"extraPorts": {
"type": [
"null",
"array"
]
},
"extraSecretEnvironmentVars": {
"type": "array"
},
@@ -521,8 +778,17 @@
"string"
]
},
"clusterAddr": {
"type": [
"null",
"string"
]
},
"config": {
"type": "string"
"type": [
"string",
"object"
]
},
"disruptionBudget": {
"type": "object",
@@ -545,7 +811,10 @@
"type": "object",
"properties": {
"config": {
"type": "string"
"type": [
"string",
"object"
]
},
"enabled": {
"type": "boolean"
@@ -560,6 +829,12 @@
}
}
},
"hostAliases": {
"type": "array"
},
"hostNetwork": {
"type": "boolean"
},
"image": {
"type": "object",
"properties": {
@@ -574,6 +849,9 @@
}
}
},
"includeConfigAnnotation": {
"type": "boolean"
},
"ingress": {
"type": "object",
"properties": {
@@ -626,6 +904,9 @@
"enabled": {
"type": "boolean"
},
"execCommand": {
"type": "array"
},
"failureThreshold": {
"type": "integer"
},
@@ -638,6 +919,9 @@
"periodSeconds": {
"type": "integer"
},
"port": {
"type": "integer"
},
"successThreshold": {
"type": "integer"
},
@@ -660,6 +944,9 @@
},
"enabled": {
"type": "boolean"
},
"ingress": {
"type": "array"
}
}
},
@@ -670,6 +957,17 @@
"string"
]
},
"persistentVolumeClaimRetentionPolicy": {
"type": "object",
"properties": {
"whenDeleted": {
"type": "string"
},
"whenScaled": {
"type": "string"
}
}
},
"postStart": {
"type": "array"
},
@@ -694,6 +992,9 @@
"periodSeconds": {
"type": "integer"
},
"port": {
"type": "integer"
},
"successThreshold": {
"type": "integer"
},
@@ -725,12 +1026,32 @@
},
"labels": {
"type": "object"
},
"tls": {
"type": "object"
}
}
},
"service": {
"type": "object",
"properties": {
"active": {
"type": "object",
"properties": {
"annotations": {
"type": [
"object",
"string"
]
},
"enabled": {
"type": "boolean"
}
}
},
"activeNodePort": {
"type": "integer"
},
"annotations": {
"type": [
"object",
@@ -743,9 +1064,46 @@
"externalTrafficPolicy": {
"type": "string"
},
"instanceSelector": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
}
}
},
"ipFamilies": {
"type": "array"
},
"ipFamilyPolicy": {
"type": "string"
},
"nodePort": {
"type": "integer"
},
"port": {
"type": "integer"
},
"publishNotReadyAddresses": {
"type": "boolean"
},
"standby": {
"type": "object",
"properties": {
"annotations": {
"type": [
"object",
"string"
]
},
"enabled": {
"type": "boolean"
}
}
},
"standbyNodePort": {
"type": "integer"
},
"targetPort": {
"type": "integer"
}
@@ -763,8 +1121,22 @@
"create": {
"type": "boolean"
},
"createSecret": {
"type": "boolean"
},
"extraLabels": {
"type": "object"
},
"name": {
"type": "string"
},
"serviceDiscovery": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
}
}
}
}
},
@@ -775,7 +1147,10 @@
"type": "object",
"properties": {
"config": {
"type": "string"
"type": [
"string",
"object"
]
},
"enabled": {
"type": [
@@ -793,6 +1168,23 @@
"object",
"string"
]
},
"securityContext": {
"type": "object",
"properties": {
"container": {
"type": [
"object",
"string"
]
},
"pod": {
"type": [
"object",
"string"
]
}
}
}
}
},
@@ -806,6 +1198,13 @@
"string"
]
},
"topologySpreadConstraints": {
"type": [
"null",
"array",
"string"
]
},
"updateStrategyType": {
"type": "string"
},
@@ -823,6 +1222,48 @@
}
}
},
"serverTelemetry": {
"type": "object",
"properties": {
"prometheusRules": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
},
"rules": {
"type": "array"
},
"selectors": {
"type": "object"
}
}
},
"serviceMonitor": {
"type": "object",
"properties": {
"authorization": {
"type": "object"
},
"enabled": {
"type": "boolean"
},
"interval": {
"type": "string"
},
"scrapeTimeout": {
"type": "string"
},
"selectors": {
"type": "object"
},
"tlsConfig": {
"type": "object"
}
}
}
}
},
"ui": {
"type": "object",
"properties": {
@@ -836,7 +1277,10 @@
]
},
"enabled": {
"type": "boolean"
"type": [
"boolean",
"string"
]
},
"externalPort": {
"type": "integer"
@@ -847,6 +1291,12 @@
"publishNotReadyAddresses": {
"type": "boolean"
},
"serviceIPFamilies": {
"type": "array"
},
"serviceIPFamilyPolicy": {
"type": "string"
},
"serviceNodePort": {
"type": [
"null",

407
helm/vault/values.yaml
View File

@@ -1,3 +1,6 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# Available parameters and their default values for the Vault chart.
global:
@@ -5,6 +8,9 @@ global:
# will enable or disable all the components within this chart by default.
enabled: true
# The namespace to deploy to. Defaults to the `helm` installation namespace.
namespace: ""
# Image pull secret to use for registry authentication.
# Alternatively, the value may be specified as an array of strings.
imagePullSecrets: []
@@ -32,10 +38,15 @@ global:
seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
serverTelemetry:
# Enable integration with the Prometheus Operator
# See the top level serverTelemetry section below before enabling this feature.
prometheusOperator: false
injector:
# True if you want to enable vault agent injection.
# @default: global.enabled
enabled: true
enabled: "-"
replicas: 1
@@ -57,7 +68,7 @@ injector:
# image sets the repo and tag of the vault-k8s image to use for the injector.
image:
repository: "hashicorp/vault-k8s"
tag: "0.17.0"
tag: "1.5.0"
pullPolicy: IfNotPresent
# agentImage sets the repo and tag of the Vault image to use for the Vault Agent
@@ -65,7 +76,7 @@ injector:
# required.
agentImage:
repository: "hashicorp/vault"
tag: "1.11.2"
tag: "1.18.1"
# The default values for the injected Vault Agent containers.
agentDefaults:
@@ -75,6 +86,8 @@ injector:
cpuRequest: "250m"
memLimit: "128Mi"
memRequest: "64Mi"
# ephemeralLimit: "128Mi"
# ephemeralRequest: "64Mi"
# Default template type for secrets when no custom template is specified.
# Possible values include: "json" and "map".
@@ -85,6 +98,43 @@ injector:
exitOnRetryFailure: true
staticSecretRenderInterval: ""
# Used to define custom livenessProbe settings
livenessProbe:
# When a probe fails, Kubernetes will try failureThreshold times before giving up
failureThreshold: 2
# Number of seconds after the container has started before probe initiates
initialDelaySeconds: 5
# How often (in seconds) to perform the probe
periodSeconds: 2
# Minimum consecutive successes for the probe to be considered successful after having failed
successThreshold: 1
# Number of seconds after which the probe times out.
timeoutSeconds: 5
# Used to define custom readinessProbe settings
readinessProbe:
# When a probe fails, Kubernetes will try failureThreshold times before giving up
failureThreshold: 2
# Number of seconds after the container has started before probe initiates
initialDelaySeconds: 5
# How often (in seconds) to perform the probe
periodSeconds: 2
# Minimum consecutive successes for the probe to be considered successful after having failed
successThreshold: 1
# Number of seconds after which the probe times out.
timeoutSeconds: 5
# Used to define custom startupProbe settings
startupProbe:
# When a probe fails, Kubernetes will try failureThreshold times before giving up
failureThreshold: 12
# Number of seconds after the container has started before probe initiates
initialDelaySeconds: 5
# How often (in seconds) to perform the probe
periodSeconds: 5
# Minimum consecutive successes for the probe to be considered successful after having failed
successThreshold: 1
# Number of seconds after which the probe times out.
timeoutSeconds: 5
# Mount Path of the Vault Kubernetes Auth Method.
authPath: "auth/kubernetes"
@@ -101,7 +151,7 @@ injector:
webhook:
# Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the
# API Version of the WebHook.
# To block pod creation while webhook is unavailable, set the policy to `Fail` below.
# To block pod creation while the webhook is unavailable, set the policy to `Fail` below.
# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy
#
failurePolicy: Ignore
@@ -192,7 +242,7 @@ injector:
# caBundle is a base64-encoded PEM-encoded certificate bundle for the CA
# that signed the TLS certificate that the webhook serves. This must be set
# if secretName is non-null, unless an external service like cert-manager is
# if secretName is non-null unless an external service like cert-manager is
# keeping the caBundle updated.
caBundle: ""
@@ -232,7 +282,7 @@ injector:
# KUBERNETES_SERVICE_HOST: kubernetes.default.svc
# Affinity Settings for injector pods
# This can either be multi-line string or YAML matching the PodSpec's affinity field.
# This can either be a multi-line string or YAML matching the PodSpec's affinity field.
# Commenting out or setting as empty the affinity variable, will allow
# deployment of multiple replicas to single node services such as Minikube.
affinity: |
@@ -307,7 +357,7 @@ injector:
server:
# If true, or "-" with global.enabled true, Vault server will be installed.
# See vault.mode in _helpers.tpl for implementation details.
enabled: true
enabled: "-"
# [Enterprise Only] This value refers to a Kubernetes secret that you have
# created that contains your enterprise license. If you are not using an
@@ -327,7 +377,7 @@ server:
image:
repository: "hashicorp/vault"
tag: "1.11.2"
tag: "1.18.1"
# Overrides the default Image Pull Policy
pullPolicy: IfNotPresent
@@ -395,6 +445,12 @@ server:
# hosts:
# - chart-example.local
# hostAliases is a list of aliases to be added to /etc/hosts. Specified as a YAML list.
hostAliases: []
# - ip: 127.0.0.1
# hostnames:
# - chart-example.local
# OpenShift only - create a route to expose the service
# By default the created route will be of type passthrough
route:
@@ -415,7 +471,7 @@ server:
# authDelegator enables a cluster role binding to be attached to the service
# account. This cluster role binding can be used to setup Kubernetes auth
# method. https://www.vaultproject.io/docs/auth/kubernetes.html
# method. See https://developer.hashicorp.com/vault/docs/auth/kubernetes
authDelegator:
enabled: true
@@ -442,18 +498,26 @@ server:
extraContainers: null
# shareProcessNamespace enables process namespace sharing between Vault and the extraContainers
# This is useful if Vault must be signaled, e.g. to send a SIGHUP for log rotation
# This is useful if Vault must be signaled, e.g. to send a SIGHUP for a log rotation
shareProcessNamespace: false
# extraArgs is a string containing additional Vault server arguments.
extraArgs: ""
# extraPorts is a list of extra ports. Specified as a YAML list.
# This is useful if you need to add additional ports to the statefulset in dynamic way.
extraPorts: null
# - containerPort: 8300
# name: http-monitoring
# Used to define custom readinessProbe settings
readinessProbe:
enabled: true
# If you need to use a http path instead of the default exec
# path: /v1/sys/health?standbyok=true
# Port number on which readinessProbe will be checked.
port: 8200
# When a probe fails, Kubernetes will try failureThreshold times before giving up
failureThreshold: 2
# Number of seconds after the container has started before probe initiates
@@ -467,7 +531,15 @@ server:
# Used to enable a livenessProbe for the pods
livenessProbe:
enabled: false
# Used to define a liveness exec command. If provided, exec is preferred to httpGet (path) as the livenessProbe handler.
execCommand: []
# - /bin/sh
# - -c
# - /vault/userconfig/mylivenessscript/run.sh
# Path for the livenessProbe to use httpGet as the livenessProbe handler
path: "/v1/sys/health?standbyok=true"
# Port number on which livenessProbe will be checked if httpGet is used as the livenessProbe handler
port: 8200
# When a probe fails, Kubernetes will try failureThreshold times before giving up
failureThreshold: 2
# Number of seconds after the container has started before probe initiates
@@ -575,6 +647,14 @@ server:
# ports:
# - protocol: TCP
# port: 443
ingress:
- from:
- namespaceSelector: {}
ports:
- port: 8200
protocol: TCP
- port: 8201
protocol: TCP
# Priority class for server pods
priorityClassName: ""
@@ -588,14 +668,42 @@ server:
# of the annotations to apply to the server pods
annotations: {}
# Add an annotation to the server configmap and the statefulset pods,
# vaultproject.io/config-checksum, that is a hash of the Vault configuration.
# This can be used together with an OnDelete deployment strategy to help
# identify which pods still need to be deleted during a deployment to pick up
# any configuration changes.
includeConfigAnnotation: false
# Enables a headless service to be used by the Vault Statefulset
service:
enabled: true
# Enable or disable the vault-active service, which selects Vault pods that
# have labeled themselves as the cluster leader with `vault-active: "true"`.
active:
enabled: true
# Extra annotations for the service definition. This can either be YAML or a
# YAML-formatted multi-line templated string map of the annotations to apply
# to the active service.
annotations: {}
# Enable or disable the vault-standby service, which selects Vault pods that
# have labeled themselves as a cluster follower with `vault-active: "false"`.
standby:
enabled: true
# Extra annotations for the service definition. This can either be YAML or a
# YAML-formatted multi-line templated string map of the annotations to apply
# to the standby service.
annotations: {}
# If enabled, the service selectors will include `app.kubernetes.io/instance: {{ .Release.Name }}`
# When disabled, services may select Vault pods not deployed from the chart.
# Does not affect the headless vault-internal service with `ClusterIP: None`
instanceSelector:
enabled: true
# clusterIP controls whether a Cluster IP address is attached to the
# Vault service within Kubernetes. By default the Vault service will
# Vault service within Kubernetes. By default, the Vault service will
# be given a Cluster IP address, set to None to disable. When disabled
# Kubernetes will create a "headless" service. Headless services can be
# used to communicate with pods directly through DNS instead of a round robin
# used to communicate with pods directly through DNS instead of a round-robin
# load balancer.
# clusterIP: None
@@ -603,7 +711,24 @@ server:
# or NodePort.
#type: ClusterIP
# Do not wait for pods to be ready
# The IP family and IP families options are to set the behaviour in a dual-stack environment.
# Omitting these values will let the service fall back to whatever the CNI dictates the defaults
# should be.
# These are only supported for kubernetes versions >=1.23.0
#
# Configures the service's supported IP family policy, can be either:
# SingleStack: Single-stack service. The control plane allocates a cluster IP for the Service, using the first configured service cluster IP range.
# PreferDualStack: Allocates IPv4 and IPv6 cluster IPs for the Service.
# RequireDualStack: Allocates Service .spec.ClusterIPs from both IPv4 and IPv6 address ranges.
ipFamilyPolicy: ""
# Sets the families that should be supported and the order in which they should be applied to ClusterIP as well.
# Can be IPv4 and/or IPv6.
ipFamilies: []
# Do not wait for pods to be ready before including them in the services'
# targets. Does not apply to the headless service, which is used for
# cluster-internal communication.
publishNotReadyAddresses: true
# The externalTrafficPolicy can be set to either Cluster or Local
@@ -637,11 +762,11 @@ server:
# This configures the Vault Statefulset to create a PVC for data
# storage when using the file or raft backend storage engines.
# See https://www.vaultproject.io/docs/configuration/storage/index.html to know more
# See https://developer.hashicorp.com/vault/docs/configuration/storage to know more
dataStorage:
enabled: true
# Size of the PVC created
size: 1Gi
size: 10Gi
# Location where the PVC will be mounted.
mountPath: "/vault/data"
# Name of the storage class to use. If null it will use the
@@ -651,12 +776,22 @@ server:
accessMode: ReadWriteOnce
# Annotations to apply to the PVC
annotations: {}
# Labels to apply to the PVC
labels: {}
# Persistent Volume Claim (PVC) retention policy
# ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention
# Example:
# persistentVolumeClaimRetentionPolicy:
# whenDeleted: Retain
# whenScaled: Retain
persistentVolumeClaimRetentionPolicy: {}
# This configures the Vault Statefulset to create a PVC for audit
# logs. Once Vault is deployed, initialized and unsealed, Vault must
# logs. Once Vault is deployed, initialized, and unsealed, Vault must
# be configured to use this for audit logs. This will be mounted to
# /vault/audit
# See https://www.vaultproject.io/docs/audit/index.html to know more
# See https://developer.hashicorp.com/vault/docs/audit to know more
auditStorage:
enabled: false
# Size of the PVC created
@@ -670,12 +805,14 @@ server:
accessMode: ReadWriteOnce
# Annotations to apply to the PVC
annotations: {}
# Labels to apply to the PVC
labels: {}
# Run Vault in "dev" mode. This requires no further setup, no state management,
# and no initialization. This is useful for experimenting with Vault without
# needing to unseal, store keys, et. al. All data is lost on restart - do not
# use dev mode for anything other than experimenting.
# See https://www.vaultproject.io/docs/concepts/dev-server.html to know more
# See https://developer.hashicorp.com/vault/docs/concepts/dev-server to know more
dev:
enabled: false
@@ -692,19 +829,23 @@ server:
# config is a raw string of default configuration when using a Stateful
# deployment. Default is to use a PersistentVolumeClaim mounted at /vault/data
# and store data there. This is only used when using a Replica count of 1, and
# using a stateful set. This should be HCL.
# using a stateful set. Supported formats are HCL and JSON.
# Note: Configuration files are stored in ConfigMaps so sensitive data
# such as passwords should be either mounted through extraSecretEnvironmentVars
# or through a Kube secret. For more information see:
# https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
config: |
# https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
config: |-
ui = true
listener "tcp" {
tls_disable = 1
address = "[::]:8200"
cluster_address = "[::]:8201"
# Enable unauthenticated metrics access (necessary for Prometheus Operator)
#telemetry {
# unauthenticated_metrics_access = "true"
#}
}
storage "file" {
path = "/vault/data"
@@ -720,22 +861,28 @@ server:
# crypto_key = "vault-helm-unseal-key"
#}
# Run Vault in "HA" mode. There are no storage requirements unless audit log
# Example configuration for enabling Prometheus metrics in your config.
#telemetry {
# prometheus_retention_time = "30s"
# disable_hostname = true
#}
# Run Vault in "HA" mode. There are no storage requirements unless the audit log
# persistence is required. In HA mode Vault will configure itself to use Consul
# for its storage backend. The default configuration provided will work the Consul
# Helm project by default. It is possible to manually configure Vault to use a
# different HA backend.
ha:
enabled: true
enabled: false
replicas: 3
# Set the api_addr configuration for Vault HA
# See https://www.vaultproject.io/docs/configuration#api_addr
# See https://developer.hashicorp.com/vault/docs/configuration#api_addr
# If set to null, this will be set to the Pod IP Address
apiAddr: null
# Set the cluster_addr confuguration for Vault HA
# See https://www.vaultproject.io/docs/configuration#cluster_addr
# Set the cluster_addr configuration for Vault HA
# See https://developer.hashicorp.com/vault/docs/configuration#cluster_addr
# If set to null, this will be set to https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201
clusterAddr: null
@@ -746,14 +893,15 @@ server:
raft:
# Enables Raft integrated storage
enabled: true
enabled: false
# Set the Node Raft ID to the name of the pod
setNodeId: false
# Note: Configuration files are stored in ConfigMaps so sensitive data
# such as passwords should be either mounted through extraSecretEnvironmentVars
# or through a Kube secret. For more information see:
# https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
# https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
# Supported formats are HCL and JSON.
config: |
ui = true
@@ -761,6 +909,10 @@ server:
tls_disable = 1
address = "[::]:8200"
cluster_address = "[::]:8201"
# Enable unauthenticated metrics access (necessary for Prometheus Operator)
#telemetry {
# unauthenticated_metrics_access = "true"
#}
}
storage "raft" {
@@ -771,12 +923,12 @@ server:
# config is a raw string of default configuration when using a Stateful
# deployment. Default is to use a Consul for its HA storage backend.
# This should be HCL.
# Supported formats are HCL and JSON.
# Note: Configuration files are stored in ConfigMaps so sensitive data
# such as passwords should be either mounted through extraSecretEnvironmentVars
# or through a Kube secret. For more information see:
# https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
# https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
config: |
ui = true
@@ -802,6 +954,14 @@ server:
# crypto_key = "vault-helm-unseal-key"
#}
# Example configuration for enabling Prometheus metrics.
# If you are using Prometheus Operator you can enable a ServiceMonitor resource below.
# You may wish to enable unauthenticated metrics in the listener block above.
#telemetry {
# prometheus_retention_time = "30s"
# disable_hostname = true
#}
# A disruption budget limits the number of pods of a replicated application
# that are down simultaneously from voluntary disruptions
disruptionBudget:
@@ -820,10 +980,24 @@ server:
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
# Create a Secret API object to store a non-expiring token for the service account.
# Prior to v1.24.0, Kubernetes used to generate this secret for each service account by default.
# Kubernetes now recommends using short-lived tokens from the TokenRequest API or projected volumes instead if possible.
# For more details, see https://kubernetes.io/docs/concepts/configuration/secret/#service-account-token-secrets
# serviceAccount.create must be equal to 'true' in order to use this feature.
createSecret: false
# Extra annotations for the serviceAccount definition. This can either be
# YAML or a YAML-formatted multi-line templated string map of the
# annotations to apply to the serviceAccount.
annotations: {}
# Extra labels to attach to the serviceAccount
# This should be a YAML map of the labels to apply to the serviceAccount
extraLabels: {}
# Enable or disable a service account role binding with the permissions required for
# Vault's Kubernetes service_registration config option.
# See https://developer.hashicorp.com/vault/docs/configuration/service-registration/kubernetes
serviceDiscovery:
enabled: true
# Settings for the statefulSet used to run Vault.
statefulSet:
@@ -839,16 +1013,18 @@ server:
# runAsGroup: {{ .Values.server.gid | default 1000 }}
# runAsUser: {{ .Values.server.uid | default 100 }}
# fsGroup: {{ .Values.server.gid | default 1000 }}
# container: {}
# container:
# allowPrivilegeEscalation: false
#
# If not set, these will default to, and for OpenShift:
# pod: {}
# container:
# allowPrivilegeEscalation: false
# container: {}
securityContext:
pod: {}
container: {}
# Should the server pods run on the host network
hostNetwork: false
# Vault UI
ui:
@@ -866,6 +1042,21 @@ ui:
externalPort: 8200
targetPort: 8200
# The IP family and IP families options are to set the behaviour in a dual-stack environment.
# Omitting these values will let the service fall back to whatever the CNI dictates the defaults
# should be.
# These are only supported for kubernetes versions >=1.23.0
#
# Configures the service's supported IP family, can be either:
# SingleStack: Single-stack service. The control plane allocates a cluster IP for the Service, using the first configured service cluster IP range.
# PreferDualStack: Allocates IPv4 and IPv6 cluster IPs for the Service.
# RequireDualStack: Allocates Service .spec.ClusterIPs from both IPv4 and IPv6 address ranges.
serviceIPFamilyPolicy: ""
# Sets the families that should be supported and the order in which they should be applied to ClusterIP as well
# Can be IPv4 and/or IPv6.
serviceIPFamilies: []
# The externalTrafficPolicy can be set to either Cluster or Local
# and is only valid for LoadBalancer and NodePort service types.
# The default value is Cluster.
@@ -897,7 +1088,7 @@ csi:
image:
repository: "hashicorp/vault-csi-provider"
tag: "1.2.0"
tag: "1.5.0"
pullPolicy: IfNotPresent
# volumes is a list of volumes made available to all containers. These are rendered
@@ -925,6 +1116,14 @@ csi:
# cpu: 50m
# memory: 128Mi
# Override the default secret name for the CSI Provider's HMAC key used for
# generating secret versions.
hmacSecretName: ""
# Allow modification of the hostNetwork parameter to avoid the need of a
# dedicated pod ip
hostNetwork: false
# Settings for the daemonSet used to run the provider.
daemonSet:
updateStrategy:
@@ -957,11 +1156,41 @@ csi:
# in a PodSpec.
tolerations: []
# nodeSelector labels for csi pod assignment, formatted as a multi-line string or YAML map.
# ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
# Example:
# nodeSelector:
# beta.kubernetes.io/arch: amd64
nodeSelector: {}
# Affinity Settings
# This should be either a multi-line string or YAML matching the PodSpec's affinity field.
affinity: {}
# Extra labels to attach to the vault-csi-provider pod
# This should be a YAML map of the labels to apply to the csi provider pod
extraLabels: {}
agent:
enabled: true
extraArgs: []
image:
repository: "hashicorp/vault"
tag: "1.18.1"
pullPolicy: IfNotPresent
logFormat: standard
logLevel: info
resources: {}
# resources:
# requests:
# memory: 256Mi
# cpu: 250m
# limits:
# memory: 256Mi
# cpu: 250m
# Priority class for csi pods
priorityClassName: ""
@@ -1001,10 +1230,116 @@ csi:
# Number of seconds after which the probe times out.
timeoutSeconds: 3
# Enables debug logging.
# Configures the log level for the Vault CSI provider.
# Supported log levels include: trace, debug, info, warn, error, and off
logLevel: "info"
# Deprecated, set logLevel to debug instead.
# If set to true, the logLevel will be set to debug.
debug: false
# Pass arbitrary additional arguments to vault-csi-provider.
# See https://www.vaultproject.io/docs/platform/k8s/csi/configurations#command-line-arguments
# See https://developer.hashicorp.com/vault/docs/platform/k8s/csi/configurations#command-line-arguments
# for the available command line flags.
extraArgs: []
# Vault is able to collect and publish various runtime metrics.
# Enabling this feature requires setting adding `telemetry{}` stanza to
# the Vault configuration. There are a few examples included in the `config` sections above.
#
# For more information see:
# https://developer.hashicorp.com/vault/docs/configuration/telemetry
# https://developer.hashicorp.com/vault/docs/internals/telemetry
serverTelemetry:
# Enable support for the Prometheus Operator. If authorization is not set for authenticating
# to Vault's metrics endpoint, the following Vault server `telemetry{}` config must be included
# in the `listener "tcp"{}` stanza
# telemetry {
# unauthenticated_metrics_access = "true"
# }
#
# See the `standalone.config` for a more complete example of this.
#
# In addition, a top level `telemetry{}` stanza must also be included in the Vault configuration:
#
# example:
# telemetry {
# prometheus_retention_time = "30s"
# disable_hostname = true
# }
#
# Configuration for monitoring the Vault server.
serviceMonitor:
# The Prometheus operator *must* be installed before enabling this feature,
# if not the chart will fail to install due to missing CustomResourceDefinitions
# provided by the operator.
#
# Instructions on how to install the Helm chart can be found here:
# https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack
# More information can be found here:
# https://github.com/prometheus-operator/prometheus-operator
# https://github.com/prometheus-operator/kube-prometheus
# Enable deployment of the Vault Server ServiceMonitor CustomResource.
enabled: false
# Selector labels to add to the ServiceMonitor.
# When empty, defaults to:
# release: prometheus
selectors: {}
# Interval at which Prometheus scrapes metrics
interval: 30s
# Timeout for Prometheus scrapes
scrapeTimeout: 10s
# tlsConfig used for scraping the Vault metrics API.
# See API reference: https://prometheus-operator.dev/docs/api-reference/api/#monitoring.coreos.com/v1.TLSConfig
# example:
# tlsConfig:
# ca:
# secret:
# name: vault-metrics-client
# key: ca.crt
tlsConfig: {}
# authorization used for scraping the Vault metrics API.
# See API reference: https://prometheus-operator.dev/docs/api-reference/api/#monitoring.coreos.com/v1.SafeAuthorization
# example:
# authorization:
# credentials:
# name: vault-metrics-client
# key: token
authorization: {}
prometheusRules:
# The Prometheus operator *must* be installed before enabling this feature,
# if not the chart will fail to install due to missing CustomResourceDefinitions
# provided by the operator.
# Deploy the PrometheusRule custom resource for AlertManager based alerts.
# Requires that AlertManager is properly deployed.
enabled: false
# Selector labels to add to the PrometheusRules.
# When empty, defaults to:
# release: prometheus
selectors: {}
# Some example rules.
rules: []
# - alert: vault-HighResponseTime
# annotations:
# message: The response time of Vault is over 500ms on average over the last 5 minutes.
# expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500
# for: 5m
# labels:
# severity: warning
# - alert: vault-HighResponseTime
# annotations:
# message: The response time of Vault is over 1s on average over the last 5 minutes.
# expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000
# for: 5m
# labels:
# severity: critical