From 53b8cdb8c2502e39fa9cbdaf506546bfbbbeb9ce Mon Sep 17 00:00:00 2001
From: Theron Voran
Date: Wed, 3 Jun 2020 08:44:32 -0700
Subject: [PATCH] Docs updates for vault-helm 0.6.0 release (#9116)

* Docs updates for vault-helm 0.6.0 release

* added openshift and postStart values

* noting that openshift support is a beta feature
---
 .../docs/platform/k8s/helm/configuration.mdx | 79 ++++++++++++++++---
 1 file changed, 67 insertions(+), 12 deletions(-)

diff --git a/website/pages/docs/platform/k8s/helm/configuration.mdx b/website/pages/docs/platform/k8s/helm/configuration.mdx
index e69564a6c7..a09ba23baf 100644
--- a/website/pages/docs/platform/k8s/helm/configuration.mdx
+++ b/website/pages/docs/platform/k8s/helm/configuration.mdx
@@ -25,6 +25,10 @@ and consider if they're appropriate for your deployment.
 
   - `tlsDisable` (`boolean: true`) - When set to `true`, changes URLs from `https` to `http` (such as the `VAULT_ADDR=http://127.0.0.1:8200` environment variable set on the Vault pods).
 
+  - `openshift` (`boolean: false`) - If `true`, enables configuration specific to OpenShift such as NetworkPolicy, SecurityContext, and Route.
+
+  ~> **Note:** OpenShift support is a beta feature.
+
   - `injector` - Values that configure running a Vault Agent Injector Admission Webhook Controller within Kubernetes.
 
     - `enabled` (`boolean: true`) - When set to `true`, the Vault Agent Injector Admission Webhook controller will be created.
@@ -91,6 +95,8 @@ and consider if they're appropriate for your deployment.
 
     - `nodeSelector` (`string: null`) - nodeSelector labels for injector pod assignment, formatted as a muli-line string.
 
+    - `priorityClassName` (`string: ""`) - Priority class for injector pods
+
   - `server` - Values that configure running a Vault server within Kubernetes.
 
     - `image` - Values that configure the Vault Docker image.
@@ -115,13 +121,21 @@ and consider if they're appropriate for your deployment.
 
     * `ingress` - Values that configure Ingress services for Vault.
 
-      - `enabled` (`boolean: false`) - When set to `true`, an [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) service will be created.
+      ~> If deploying on OpenShift, these ingress settings are ignored. Use the [`route`](#route) configuration to expose Vault on OpenShift.
+
+      - `enabled` (`boolean: false`) - When set to `true`, an [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) service will be created. If [`ha`](#ha) is enabled the Ingress will point to the active vault server via the `active` Service.
 
       - `labels` (`dictionary: {}`) - Labels for the ingress service.
 
-      - `annotations` (`string`) - This value defines additional annotations to add to the Ingress service. This should be formatted as a multi-line string.
+      - `annotations` (`dictionary: {}`) - This value defines additional annotations to
+        add to the Ingress service. This can either be YAML or a YAML-formatted
+        multi-line templated string.
 
         ```yaml
+        annotations:
+          kubernetes.io/ingress.class: nginx
+          kubernetes.io/tls-acme: "true"
+        # or
         annotations: |
           kubernetes.io/ingress.class: nginx
           kubernetes.io/tls-acme: "true"
@@ -139,6 +153,16 @@ and consider if they're appropriate for your deployment.
             - /vault
         ```
 
+    * `route` - Values that configure Route services for Vault in OpenShift
+
+      - `enabled` (`boolean: false`) - When set to `true`, a Route for Vault will be created. If [`ha`](#ha) is enabled the Route will point to the active vault server via the `active` Service.
+
+      - `labels` (`dictionary: {}`) - Labels for the Route
+
+      - `annotations` (`dictionary: {}`) - Annotations to add to the Route. This can either be YAML or a YAML-formatted multi-line templated string.
+
+      - `host` (`string: "chart-example.local"`) - Sets the hostname for the Route.
+
     * `tls` - Values that configure the Ingress TLS rules.
 
       - `hosts` (`array: []`): List of the hosts defined in the Common Name of the TLS Certificate.
@@ -185,7 +209,18 @@ and consider if they're appropriate for your deployment.
 
     - `preStopSleepSeconds` (`int: 5`) - Used to set the sleep time during the preStop step.
 
-    - `extraContainers` (`array: []`) - The extra containers to be applied to the Vault server pods.
+    - `postStart` (`array: []`) - Used to define commands to run after the pod is ready. This can be used to automate processes such as initialization or bootstrapping auth methods.
+
+      ```yaml
+      postStart:
+        - /bin/sh
+        - -c
+        - /vault/userconfig/myscript/run.sh
+      ```
+
+    - `extraInitContainers` (`array: null`) - extraInitContainers is a list of init containers. Specified as a YAML list. This is useful if you need to run a script to provision TLS certificates or write out configuration files in a dynamic way.
+
+    - `extraContainers` (`array: null`) - The extra containers to be applied to the Vault server pods.
 
       ```yaml
       extraContainers:
@@ -267,23 +302,25 @@ and consider if they're appropriate for your deployment.
             topologyKey: kubernetes.io/hostname
       ```
 
-    - `tolerations` (`array []`) - This value defines the [tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) that are acceptable when being scheduled.
+    - `tolerations` (`string: null`) - This value defines the [tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) that are acceptable when being scheduled. This should be a multi-line string matching the Toleration array in a PodSpec.
 
       ```yaml
-      tolerations:
+      tolerations: |
         - key: 'node.kubernetes.io/unreachable'
           operator: 'Exists'
           effect: 'NoExecute'
           tolerationSeconds: 6000
       ```
 
-    - `nodeSelector` - This value defines additional node selection criteria for more control over where the Vault servers are deployed.
+    - `nodeSelector` - This value defines additional node selection criteria for more control over where the Vault servers are deployed. This should be formatted as a multi-line string.
 
       ```yaml
-      nodeSelector:
+      nodeSelector: |
         disktype: ssd
       ```
 
+    - `priorityClassName` (`string: ""`) - Priority class for server pods
+
     - `extraLabels` (`dictionary: {}`) - This value defines additional labels for server pods.
 
       ```yaml
@@ -292,15 +329,19 @@ and consider if they're appropriate for your deployment.
         "sample/label2": "bar"
       ```
 
-    - `annotations` - This value defines additional annotations for server pods. This should be a formatted as a multi-line string.
+    - `annotations` (`dictionary: {}`) - This value defines additional annotations for server pods. This can either be YAML or a YAML-formatted multi-line templated string.
 
       ```yaml
+      annotations:
+        "sample/annotation1": "foo"
+        "sample/annotation2": "bar"
+      # or
       annotations: |
         "sample/annotation1": "foo"
         "sample/annotation2": "bar"
       ```
 
-    - `service` - Values that configure the Kubernetes service created for Vault.
+    - `service` - Values that configure the Kubernetes service created for Vault. These options are also used for the `active` and `standby` services when [`ha`](#ha) is enabled.
 
       - `enabled` (`boolean: true`) - When set to `true`, a Kubernetes service will be created for Vault.
 
@@ -314,9 +355,13 @@ and consider if they're appropriate for your deployment.
 
       - `nodePort` (`int:`) - When type is set to `NodePort`, the bound node port can be configured using this value. A random port will be assigned if this is left blank.
 
-      - `annotations` (`string`) - This value defines additional annotations for the service. This should be formatted as a multi-line string.
+      - `annotations` (`dictionary: {}`) - This value defines additional annotations for the service. This can either be YAML or a YAML-formatted multi-line templated string.
 
         ```yaml
+        annotations:
+          "sample/annotation1": "foo"
+          "sample/annotation2": "bar"
+        # or
         annotations: |
           "sample/annotation1": "foo"
           "sample/annotation2": "bar"
@@ -324,9 +369,13 @@ and consider if they're appropriate for your deployment.
 
     - `serviceAccount` - Values that configure the Kubernetes service account created for Vault.
 
-      - `annotations` (`string`) - This value defines additional annotations for the service account. This should be formatted as a multi-line string.
+      - `annotations` (`dictionary: {}`) - This value defines additional annotations for the service account. This can either be YAML or a YAML-formatted multi-line templated string.
 
         ```yaml
+        annotations:
+          "sample/annotation1": "foo"
+          "sample/annotation2": "bar"
+        # or
         annotations: |
           "sample/annotation1": "foo"
           "sample/annotation2": "bar"
@@ -413,6 +462,8 @@ and consider if they're appropriate for your deployment.
 
       - `enabled` (`boolean: false`) - Enables `raft` integrated storage mode for the Vault server. This mode uses persistent volumes for storage.
 
+      - `setNodeId` (`boolean: false`) - Set the Node Raft ID to the name of the pod.
+
       - `config` (`string: "{}"`) - A raw string of extra HCL or JSON [configuration](/docs/configuration) for Vault servers. This will be saved as-is into a ConfigMap that is read by the Vault servers.
@@ -488,9 +539,13 @@ and consider if they're appropriate for your deployment.
 
     - `loadBalancerIP` (`string`) - This value defines the IP address of the load balancer when using `serviceType: LoadBalancer`.
 
-    - `annotations` (`string`) - This value defines additional annotations for the UI service. This should be a formatted as a multi-line string.
+    - `annotations` (`dictionary: {}`) - This value defines additional annotations for the UI service. This can either be YAML or a YAML-formatted multi-line templated string.
 
       ```yaml
+      annotations:
+        "sample/annotation1": "foo"
+        "sample/annotation2": "bar"
+      # or
       annotations: |
         "sample/annotation1": "foo"
         "sample/annotation2": "bar"