Update Kubernetes docs to include Kubernetes Auth method (#8046)

* Improve standalone with TLS example

- Documented creating a key & cert for serving Vault endpoints
- Removed unneeded configuration in custom values.yaml
- Updated examples to 1.3.0

* Add 127.0.0.1 to CSR

* Grammar & minor formatting

* Add additional DNS entry for CSR

* Split examples into individual pages

* Add Kubernetes Auth Method example

* Remove old examples file

* Fix rebase fail

* Remove global section of yaml files that aren't needed

* Fix minor typos

* Fix typos that didn't get carried over from previous PR

* Re-copy from previous examples file to resolve rebase issues

* update dependencies

Co-authored-by: Jeff Escalante <[email protected]>

website/data/docs-navigation.js

@@ -314,7 +314,20 @@ export default [
         content: [
           {
             category: 'helm',
-            content: ['run', 'configuration', 'examples']
+            content: [
+              'run',
+              'configuration',
+              {
+                category: 'examples',
+                content: [
+                  'standalone-load-balanced-ui',
+                  'standalone-tls',
+                  'standalone-audit',
+                  'ha-with-consul',
+                  'kubernetes-auth'
+                ]
+              },
+            ],
           },
           {
             category: 'injector',

website/pages/docs/platform/k8s/helm/examples/ha-with-consul.mdx

@@ -0,0 +1,65 @@
+---
+layout: "docs"
+page_title: "Highly Available Vault Cluster with Consul"
+sidebar_current: "docs-platform-k8s-examples-ha-with-consul"
+sidebar_title: "Highly Available Vault Cluster with Consul"
+description: |-
+  Describes how to set up a highly available Vault cluster with Consul backend
+---
+
+# Highly Available Vault Cluster with Consul
+
+~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
+
+The below `values.yaml` can be used to set up a five server Vault cluster using
+Consul as a highly available storage backend, Google Cloud KMS for Auto Unseal.
+
+```yaml
+server:
+  extraEnvironmentVars:
+    GOOGLE_REGION: global
+    GOOGLE_PROJECT: myproject
+    GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/my-gcp-iam/myproject-creds.json
+
+  extraVolumes:
+    - type: secret
+      name: my-gcp-iam
+
+  affinity: |
+    podAntiAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        - labelSelector:
+            matchLabels:
+              app: {{ template "vault.name" . }}
+              release: "{{ .Release.Name }}"
+              component: server
+          topologyKey: kubernetes.io/hostname
+
+  service:
+    enabled: true
+
+  ha:
+    enabled: true
+    replicas: 5
+
+    config: |
+      ui = true
+
+      listener "tcp" {
+        tls_disable = 1
+        address = "[::]:8200"
+        cluster_address = "[::]:8201"
+      }
+
+      storage "consul" {
+        path = "vault"
+        address = "HOST_IP:8500"
+      }
+
+      seal "gcpckms" {
+         project     = "myproject"
+         region      = "global"
+         key_ring    = "vault-unseal-kr"
+         crypto_key  = "vault-unseal-key"
+      }
+```

website/pages/docs/platform/k8s/helm/examples/index.mdx

@@ -0,0 +1,17 @@
+---
+layout: "docs"
+page_title: "Examples"
+sidebar_current: "docs-platform-k8s-examples"
+sidebar_title: "Examples"
+description: |-
+  This section documents configuration options for the Vault Helm chart
+---
+
+# Helm Chart Examples
+
+~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
+
+These are a collection of examples of common configurations for Vault using the Helm chart. 
+
+The following are different configuration examples to support a variety of
+deployment models. You can view the different examples from the list on the left.

website/pages/docs/platform/k8s/helm/examples/kubernetes-auth.mdx

@@ -0,0 +1,47 @@
+---
+layout: "docs"
+page_title: "Using Kubernetes Auth Method"
+sidebar_current: "docs-platform-k8s-examples-kubernetes-auth"
+sidebar_title: "Using Kubernetes Auth Method"
+description: |-
+  Describes how to set up Kubernetes Auth method
+---
+
+# Bootstrapping Kubernetes Auth Method
+
+~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
+
+In this example, we will walk through how to set up the [Kubernetes Auth Method](/docs/auth/kubernetes.html).
+
+This assumes the following commands will be run inside a Vault pod running in Kubernetes.
+
+You will optionally need the following variables:
+
+```bash
+# JWT is a service account token that has access to the Kubernetes TokenReview API
+# You can retrieve this from inside a pod at: /var/run/secrets/kubernetes.io/serviceaccount/token
+JWT=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+
+# Address of Kubernetes itself as viewed from inside a running pod
+KUBERNETES_HOST=https://${KUBERNETES_PORT_443_TCP_ADDR}:443
+
+# Kubernetes internal CA
+KUBERNETES_CA_CERT=$(cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt)
+```
+
+Exec into the Vault pod:
+
+```bash
+kubectl exec -it vault-0 /bin/sh
+```
+
+Then run the following command to configure the Kubernetes Auth Method:
+
+```bash
+vault write auth/kubernetes/config \
+   token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
+   kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
+   kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+```
+
+From here you can continue to configure Vault from the [Kubernetes Auth Method](/docs/auth/kubernetes.html) documentation.

website/pages/docs/platform/k8s/helm/examples/standalone-audit.mdx

@@ -0,0 +1,53 @@
+---
+layout: "docs"
+page_title: "Standalone Server with Audit Storage"
+sidebar_current: "docs-platform-k8s-examples-standalone-audit"
+sidebar_title: "Standalone Server with Audit Storage"
+description: |-
+  Describes how to set up a standalone Vault with audit storage
+---
+
+# Standalone Server with Audit Storage
+
+~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
+
+The below `values.yaml` can be used to set up a single server Vault cluster with
+auditing enabled.
+
+```yaml
+server:
+  standalone:
+    enabled: true
+    config: |
+      listener "tcp" {
+        tls_disable = true
+        address = "[::]:8200"
+        cluster_address = "[::]:8201"
+      }
+
+      storage "file" {
+        path = "/vault/data"
+      }
+
+  service:
+    enabled: true
+
+  dataStorage:
+    enabled: true
+    size: 10Gi
+    storageClass: null
+    accessMode: ReadWriteOnce
+
+  auditStorage:
+    enabled: true
+    size: 10Gi
+    storageClass: null
+    accessMode: ReadWriteOnce
+```
+
+After Vault has been deployed, initialized and unsealed, auditing can be enabled
+by running the following command against the Vault pod:
+
+```bash
+$ kubectl exec -ti <POD NAME> --  vault audit enable file file_path=/vault/audit/vault_audit.log
+```

website/pages/docs/platform/k8s/helm/examples/standalone-load-balanced-ui.mdx

@@ -0,0 +1,44 @@
+---
+layout: "docs"
+page_title: "Standalone Server with Load Balanced UI"
+sidebar_current: "docs-platform-k8s-examples-standalone-load-balanced-ui"
+sidebar_title: "Standalone Server with Load Balanced UI"
+description: |-
+  Describes how to set up a standalone Vault with a load balanced UI
+---
+
+# Standalone Server with Load Balanced UI
+
+~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
+
+The below `values.yaml` can be used to set up a single server Vault cluster with a LoadBalancer to allow external access to the UI and API.
+
+```yaml
+server:
+  standalone:
+    enabled: true
+    config: |
+      ui = true
+
+      listener "tcp" {
+        tls_disable = 1
+        address = "[::]:8200"
+        cluster_address = "[::]:8201"
+      }
+      storage "file" {
+        path = "/vault/data"
+      }
+
+  service:
+    enabled: true
+
+  dataStorage:
+    enabled: true
+    size: 10Gi
+    storageClass: null
+    accessMode: ReadWriteOnce
+
+ui:
+  enabled: true
+  serviceType: LoadBalancer
+```