Skip to content

Commit

Permalink
backport of commit d697b08 (hashicorp#20052)
Browse files Browse the repository at this point in the history
Co-authored-by: Christopher Swenson <[email protected]>
  • Loading branch information
hc-github-team-secure-vault-core and Christopher Swenson authored Apr 7, 2023
1 parent 3dff0ae commit d881a2c
Show file tree
Hide file tree
Showing 9 changed files with 101 additions and 27 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -71,7 +71,7 @@ metadata:
vault-initialized: "true"
vault-perf-standby: "false"
vault-sealed: "false"
vault-version: 1.3.0
vault-version: 1.13.1
```

After shutdowns, Vault pods will bear the following labels:
Expand All @@ -86,7 +86,7 @@ metadata:
vault-initialized: "false"
vault-perf-standby: "false"
vault-sealed: "true"
vault-version: 1.3.0
vault-version: 1.13.1
```

## Label Definitions
Expand All @@ -102,7 +102,7 @@ metadata:
- `vault-sealed` `(string: "true"/"false")` – Vault sealed is updated dynamically each
time Vault's sealed/unsealed status changes. True indicates that Vault is currently sealed. False indicates that Vault
is currently unsealed.
- `vault-version` `(string: "1.3.0")` – Vault version is a string that will not change during a pod's lifecycle.
- `vault-version` `(string: "1.13.1")` – Vault version is a string that will not change during a pod's lifecycle.

## Working with Vault's Service Discovery Labels

Expand Down Expand Up @@ -156,7 +156,7 @@ $ vault write -f sys/replication/performance/primary/enable \
In conjunction with the pod labels and the `OnDelete` upgrade strategy, upgrades are much easier to orchestrate:

```shell-session
$ helm upgrade vault --set='server.image.tag=1.12.0'
$ helm upgrade vault --set='server.image.tag=1.13.1'
$ kubectl delete pod --selector=vault-active=false \
--selector=vault-version=1.2.3
Expand Down
96 changes: 85 additions & 11 deletions website/content/docs/platform/k8s/helm/configuration.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -77,15 +77,15 @@ and consider if they're appropriate for your deployment.

- `repository` (`string: "hashicorp/vault-k8s"`) - The name of the Docker image for Vault Agent Injector.
- `tag` (`string: "1.1.0"`) - The tag of the Docker image for the Vault Agent Injector. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller.
- `tag` (`string: "1.2.1"`) - The tag of the Docker image for the Vault Agent Injector. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller.

- `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists.

- `agentImage` - Values that configure the Vault Agent sidecar image.

- `repository` (`string: "hashicorp/vault"`) - The name of the Docker image for the Vault Agent sidecar. This should be set to the official Vault Docker image.
- `tag` (`string: "1.12.1"`) - The tag of the Vault Docker image to use for the Vault Agent Sidecar. **Vault 1.3.1+ is required by the admission controller**.
- `tag` (`string: "1.13.1"`) - The tag of the Vault Docker image to use for the Vault Agent Sidecar. **Vault 1.3.1+ is required by the admission controller**.

- `agentDefaults` - Values that configure the injected Vault Agent containers default values.

Expand Down Expand Up @@ -295,6 +295,42 @@ and consider if they're appropriate for your deployment.
type: RollingUpdate
```

- `livenessProbe` - Values that configure the liveness probe for the injector.

- `failureThreshold` (`int: 2`) - When set to a value, configures how many probe failures will be tolerated by Kubernetes.

- `initialDelaySeconds` (`int: 60`) - Sets the initial delay of the liveness probe when the container starts.

- `periodSeconds` (`int: 5`) - When set to a value, configures how often (in seconds) to perform the probe.

- `successThreshold` (`int: 1`) - When set to a value, configures the minimum consecutive successes for the probe to be considered successful after having failed.

- `timeoutSeconds` (`int: 3`) - When set to a value, configures the number of seconds after which the probe times out.

- `readinessProbe` - Values that configure the readiness probe for the injector.

- `failureThreshold` (`int: 2`) - When set to a value, configures how many probe failures will be tolerated by Kubernetes.

- `initialDelaySeconds` (`int: 60`) - Sets the initial delay of the readiness probe when the container starts.

- `periodSeconds` (`int: 5`) - When set to a value, configures how often (in seconds) to perform the probe.

- `successThreshold` (`int: 1`) - When set to a value, configures the minimum consecutive successes for the probe to be considered successful after having failed.

- `timeoutSeconds` (`int: 3`) - When set to a value, configures the number of seconds after which the probe times out.

- `startupProbe` - Values that configure the startup probe for the injector.

- `failureThreshold` (`int: 2`) - When set to a value, configures how many probe failures will be tolerated by Kubernetes.

- `initialDelaySeconds` (`int: 60`) - Sets the initial delay of the startup probe when the container starts.

- `periodSeconds` (`int: 5`) - When set to a value, configures how often (in seconds) to perform the probe.

- `successThreshold` (`int: 1`) - When set to a value, configures the minimum consecutive successes for the probe to be considered successful after having failed.

- `timeoutSeconds` (`int: 3`) - When set to a value, configures the number of seconds after which the probe times out.

- `server` - Values that configure running a Vault server within Kubernetes.

- `enabled` (`boolean or string: "-"`) - When set to `true`, the Vault server will be created. When set to `"-"`, defaults to the value of `global.enabled`.
Expand All @@ -309,7 +345,7 @@ and consider if they're appropriate for your deployment.

- `repository` (`string: "hashicorp/vault"`) - The name of the Docker image for the containers running Vault.
- `tag` (`string: "1.12.1"`) - The tag of the Docker image for the containers running Vault. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller.
- `tag` (`string: "1.13.1"`) - The tag of the Docker image for the containers running Vault. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller.

- `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists.

Expand Down Expand Up @@ -429,6 +465,8 @@ and consider if they're appropriate for your deployment.

- `timeoutSeconds` (`int: 3`) - When set to a value, configures the number of seconds after which the probe times out.

- `port` (`int: 8200`) - When set to a value, overrides the default port used for the server readiness probe.

```yaml
readinessProbe:
enabled: true
Expand All @@ -438,15 +476,16 @@ and consider if they're appropriate for your deployment.
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 3
port: 8200
```

- `livenessProbe` - Values that configure the liveliness probe for the Vault pods.
- `livenessProbe` - Values that configure the liveness probe for the Vault pods.

- `enabled` (`boolean: false`) - When set to `true`, a liveliness probe will be applied to the Vault pods.
- `enabled` (`boolean: false`) - When set to `true`, a liveness probe will be applied to the Vault pods.

- `path` (`string: "/v1/sys/health?standbyok=true"`) - When set to a value, enables HTTP/HTTPS probes instead of using the default `exec` probe. The http/https scheme is controlled by the `tlsDisable` value.

- `initialDelaySeconds` (`int: 60`) - Sets the initial delay of the liveliness probe when the container starts.
- `initialDelaySeconds` (`int: 60`) - Sets the initial delay of the liveness probe when the container starts.

- `failureThreshold` (`int: 2`) - When set to a value, configures how many probe failures will be tolerated by Kubernetes.

Expand All @@ -456,15 +495,18 @@ and consider if they're appropriate for your deployment.

- `timeoutSeconds` (`int: 3`) - When set to a value, configures the number of seconds after which the probe times out.

- `port` (`int: 8200`) - When set to a value, overrides the default port used for the server liveness probe.

```yaml
livelinessProbe:
livenessProbe:
enabled: true
path: /v1/sys/health?standbyok=true
initialDelaySeconds: 60
failureThreshold: 2
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 3
port: 8200
```

- `terminationGracePeriodSeconds` (`int: 10`) - Optional duration in seconds the pod needs to terminate gracefully. See: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
Expand Down Expand Up @@ -509,6 +551,14 @@ and consider if they're appropriate for your deployment.
extraArgs: '-config=/path/to/extra/config.hcl -log-format=json'
```

- `extraPorts` (`array: []`) - additional ports to add to the server statefulset

```yaml
extraPorts:
- containerPort: 8300
name: http-monitoring
```

- `extraSecretEnvironmentVars` (`array: []`) - The extra environment variables populated from a secret to be applied to the Vault server.

- `envName` (`string: required`) -
Expand Down Expand Up @@ -978,7 +1028,7 @@ and consider if they're appropriate for your deployment.

- `repository` (`string: "hashicorp/vault-csi-provider"`) - The name of the Docker image for the Vault CSI Provider.
- `tag` (`string: "1.2.1"`) - The tag of the Docker image for the Vault CSI Provider.. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your CSI provider.
- `tag` (`string: "1.3.0"`) - The tag of the Docker image for the Vault CSI Provider.. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your CSI provider.

- `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists locally.

Expand Down Expand Up @@ -1091,9 +1141,9 @@ and consider if they're appropriate for your deployment.

- `timeoutSeconds` (`int: 3`) - When set to a value, configures the number of seconds after which the probe times out.

- `livenessProbe` - Values that configure the liveliness probe for the Vault CSI Provider pods.
- `livenessProbe` - Values that configure the liveness probe for the Vault CSI Provider pods.

- `initialDelaySeconds` (`int: 5`) - Sets the initial delay of the liveliness probe when the container starts.
- `initialDelaySeconds` (`int: 5`) - Sets the initial delay of the liveness probe when the container starts.

- `failureThreshold` (`int: 2`) - When set to a value, configures how many probe failures will be tolerated by Kubernetes.

Expand All @@ -1105,7 +1155,31 @@ and consider if they're appropriate for your deployment.

- `debug` (`bool: false`) - When set to true, enables debug logging on the Vault CSI Provider daemonset.

- `extraArgs` (`string: array`) - The extra arguments to be applied to the CSI pod startup command. See [here](/vault/docs/platform/k8s/csi/configurations#command-line-arguments) for available flags.
- `extraArgs` (`array: []`) - The extra arguments to be applied to the CSI pod startup command. See [here](/vault/docs/platform/k8s/csi/configurations#command-line-arguments) for available flags.

- `agent` - Configures the Vault Agent sidecar for the CSI Provider
- `enabled` (`bool: true`) - whether to enable the agent sidecar for the CSI provider
- `extraArgs` (`array: []`) - The extra arguments to be applied to the agent startup command.

- `image` - Values that configure the Vault Agent sidecar image for the CSI Provider.
- `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for agent image. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists.

- `repository` (`string: "hashicorp/vault"`) - The name of the Docker image for the Vault Agent sidecar. This should be set to the official Vault Docker image.
- `tag` (`string: "1.13.1"`) - The tag of the Vault Docker image to use for the Vault Agent Sidecar.

- `logFormat` (`string: "standard"`) -
- `logLevel` (`string: "info"`) -
- `resources` (`dictionary: {}`) - The resource requests and limits (CPU, memory, etc.) for the agent. This should be a YAML dictionary of a Kubernetes [ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#resourcerequirements-v1-core) object.
```yaml
resources:
requests:
memory: '256Mi'
cpu: '250m'
limits:
memory: '256Mi'
cpu: '250m'
```

- `serverTelemetry` - Values the configure metrics and telemetry. Enabling these features requires setting
the `telemetry {}` stanza in the Vault configuration. See the [telemetry](/vault/docs/configuration/telemetry)
Expand Down
2 changes: 1 addition & 1 deletion website/content/docs/platform/k8s/helm/enterprise.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ In your chart overrides, set the values of [`server.image`](/vault/docs/platform
server:
image:
repository: hashicorp/vault-enterprise
tag: 1.12.1-ent
tag: 1.13.1-ent
enterpriseLicense:
secretName: vault-ent-license
```
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ First, create the primary cluster:
```shell
helm install vault-primary hashicorp/vault \
--set='server.image.repository=hashicorp/vault-enterprise' \
--set='server.image.tag=1.12.1-ent' \
--set='server.image.tag=1.13.1-ent' \
--set='server.ha.enabled=true' \
--set='server.ha.raft.enabled=true'
```
Expand Down Expand Up @@ -75,7 +75,7 @@ disaster recovery replication.
```shell
helm install vault-secondary hashicorp/vault \
--set='server.image.repository=hashicorp/vault-enterprise' \
--set='server.image.tag=1.12.1-ent' \
--set='server.image.tag=1.13.1-ent' \
--set='server.ha.enabled=true' \
--set='server.ha.raft.enabled=true'
```
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ First, create the primary cluster:
```shell
helm install vault-primary hashicorp/vault \
--set='server.image.repository=hashicorp/vault-enterprise' \
--set='server.image.tag=1.12.1-ent' \
--set='server.image.tag=1.13.1-ent' \
--set='server.ha.enabled=true' \
--set='server.ha.raft.enabled=true'
```
Expand Down Expand Up @@ -74,7 +74,7 @@ With the primary cluster created, next create a secondary cluster.
```shell
helm install vault-secondary hashicorp/vault \
--set='server.image.repository=hashicorp/vault-enterprise' \
--set='server.image.tag=1.12.1-ent' \
--set='server.image.tag=1.13.1-ent' \
--set='server.ha.enabled=true' \
--set='server.ha.raft.enabled=true'
```
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ Integrated Storage (raft) can be enabled using the `server.ha.raft.enabled` valu
```shell
helm install vault hashicorp/vault \
--set='server.image.repository=hashicorp/vault-enterprise' \
--set='server.image.tag=1.12.1-ent' \
--set='server.image.tag=1.13.1-ent' \
--set='server.ha.enabled=true' \
--set='server.ha.raft.enabled=true'
```
Expand Down
4 changes: 2 additions & 2 deletions website/content/docs/platform/k8s/helm/run.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -409,14 +409,14 @@ Next, list the Helm versions and choose the desired version to install.
```bash
$ helm search repo hashicorp/vault
NAME CHART VERSION APP VERSION DESCRIPTION
hashicorp/vault 0.23.0 1.12.1 Official HashiCorp Vault Chart
hashicorp/vault 0.24.0 1.13.1 Official HashiCorp Vault Chart
```

Next, test the upgrade with `--dry-run` first to verify the changes sent to the
Kubernetes cluster.

```shell-session
$ helm upgrade vault hashicorp/vault --version=0.23.0 \
$ helm upgrade vault hashicorp/vault --version=0.24.0 \
--set='server.image.repository=vault' \
--set='server.image.tag=123.456' \
--dry-run
Expand Down
6 changes: 3 additions & 3 deletions website/content/partials/helm/install.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -2,15 +2,15 @@
# List the available releases
$ helm search repo hashicorp/vault -l
NAME CHART VERSION APP VERSION DESCRIPTION
hashicorp/vault 0.24.0 1.13.1 Official HashiCorp Vault Chart
hashicorp/vault 0.23.0 1.12.1 Official HashiCorp Vault Chart
hashicorp/vault 0.22.1 1.12.0 Official HashiCorp Vault Chart
hashicorp/vault 0.22.0 1.11.3 Official HashiCorp Vault Chart
hashicorp/vault 0.21.0 1.11.2 Official HashiCorp Vault Chart
hashicorp/vault 0.20.1 1.10.3 Official HashiCorp Vault Chart
hashicorp/vault 0.20.0 1.10.3 Official HashiCorp Vault Chart
hashicorp/vault 0.19.0 1.9.2 Official HashiCorp Vault Chart
...

# Install version 0.23.0
$ helm install vault hashicorp/vault --version 0.23.0
# Install version 0.24.0
$ helm install vault hashicorp/vault --version 0.24.0
```
2 changes: 1 addition & 1 deletion website/content/partials/helm/repo.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -4,5 +4,5 @@ $ helm repo add hashicorp https://helm.releases.hashicorp.com
$ helm search repo hashicorp/vault
NAME CHART VERSION APP VERSION DESCRIPTION
hashicorp/vault 0.23.0 1.12.1 Official HashiCorp Vault Chart
hashicorp/vault 0.24.0 1.13.1 Official HashiCorp Vault Chart
```

0 comments on commit d881a2c

Please sign in to comment.