From e251cc50419b5ad21bab3c2a6c92a2795d98c143 Mon Sep 17 00:00:00 2001
From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com>
Date: Tue, 26 Jul 2022 20:49:52 -0400
Subject: [PATCH] backport of commit 09696daf9681d10773db00d891cef866017d7db3 (#16457)

Co-authored-by: Theron Voran
---
 .../docs/platform/k8s/helm/terraform.mdx | 275 ++++++++++++++++++
 website/data/docs-nav-data.json | 4 +
 2 files changed, 279 insertions(+)
 create mode 100644 website/content/docs/platform/k8s/helm/terraform.mdx

diff --git a/website/content/docs/platform/k8s/helm/terraform.mdx b/website/content/docs/platform/k8s/helm/terraform.mdx
new file mode 100644
index 000000000000..b1b96c407226
--- /dev/null
+++ b/website/content/docs/platform/k8s/helm/terraform.mdx
@@ -0,0 +1,275 @@
+---
+layout: 'docs'
+page_title: 'Configure Vault Helm using Terraform'
+sidebar_current: 'docs-platform-k8s-terraform'
+description: |-
+ Describes how to configure the Vault Helm chart using Terraform
+---
+
+# Configuring Vault Helm with Terraform
+
+Terraform may also be used to configure and deploy the Vault Helm chart, by using the [Helm provider](https://registry.terraform.io/providers/hashicorp/helm/latest/docs).
+
+For example, to configure the chart to deploy [HA Vault with integrated storage (raft)](/docs/platform/k8s/helm/examples/ha-with-raft), the values overrides can be set on the command-line, in a values yaml file, or with a Terraform configuration:
+
+
+
+```shell-session
+$ helm install vault hashicorp/vault \
+ --set='server.ha.enabled=true' \
+ --set='server.ha.raft.enabled=true'
+```
+
+
+
+
+
+```yaml
+server:
+ ha:
+ enabled: true
+ raft:
+ enabled: true
+```
+
+
+
+
+
+```hcl
+provider "helm" {
+ kubernetes {
+ config_path = "~/.kube/config"
+ }
+}
+
+resource "helm_release" "vault" {
+ name = "vault"
+ repository = "https://helm.releases.hashicorp.com"
+ chart = "vault"
+
+ set {
+ name = "server.ha.enabled"
+ value = "true"
+ }
+ set {
+ name = "server.ha.raft.enabled"
+ value = "true"
+ }
+}
+```
+
+
+
+The values file can also be used directly in the Terraform configuration with the [`values` directive](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release#values).
+
+## Further Examples
+
+### Vault config as a multi-line string
+
+
+
+```yaml
+server:
+ ha:
+ enabled: true
+ raft:
+ enabled: true
+ setNodeId: true
+ config: |
+ ui = false
+
+ listener "tcp" {
+ tls_disable = 1
+ address = "[::]:8200"
+ cluster_address = "[::]:8201"
+ }
+
+ storage "raft" {
+ path = "/vault/data"
+ }
+
+ service_registration "kubernetes" {}
+
+ seal "awskms" {
+ region = "us-west-2"
+ kms_key_id = "alias/my-kms-key"
+ }
+```
+
+
+
+```hcl
+resource "helm_release" "vault" {
+ name = "vault"
+ repository = "https://helm.releases.hashicorp.com"
+ chart = "vault"
+
+ set {
+ name = "server.ha.enabled"
+ value = "true"
+ }
+ set {
+ name = "server.ha.raft.enabled"
+ value = "true"
+ }
+ set {
+ name = "server.ha.raft.setNodeId"
+ value = "true"
+ }
+ set {
+ name = "server.ha.raft.config"
+ value = <
+
+
+### Lists of volumes and volumeMounts
+
+
+
+```yaml
+server:
+ volumes:
+ - name: userconfig-my-gcp-iam
+ secret:
+ defaultMode: 420
+ secretName: my-gcp-iam
+
+ volumeMounts:
+ - mountPath: /vault/userconfig/my-gcp-iam
+ name: userconfig-my-gcp-iam
+ readOnly: true
+```
+
+
+
+
+
+```hcl
+resource "helm_release" "vault" {
+ name = "vault"
+ repository = "https://helm.releases.hashicorp.com"
+ chart = "vault"
+
+ set {
+ name = "server.volumes[0].name"
+ value = "userconfig-my-gcp-iam"
+ }
+ set {
+ name = "server.volumes[0].secret.defaultMode"
+ value = "420"
+ }
+ set {
+ name = "server.volumes[0].secret.secretName"
+ value = "my-gcp-iam"
+ }
+
+ set {
+ name = "server.volumeMounts[0].mountPath"
+ value = "/vault/userconfig/my-gcp-iam"
+ }
+ set {
+ name = "server.volumeMounts[0].name"
+ value = "userconfig-my-gcp-iam"
+ }
+ set {
+ name = "server.volumeMounts[0].readOnly"
+ value = "true"
+ }
+}
+```
+
+
+
+### Annotations
+
+Annotations can be set as a YAML map:
+
+
+
+
+
+```yaml
+server:
+ ingress:
+ annotations:
+ service.beta.kubernetes.io/azure-load-balancer-internal: true
+ service.beta.kubernetes.io/azure-load-balancer-internal-subnet: apps-subnet
+```
+
+
+
+```hcl
+ set {
+ name = "server.ingress.annotations.service\\.beta\\.kubernetes\\.io/azure-load-balancer-internal"
+ value = "true"
+ }
+
+ set {
+ name = "server.ingress.annotations.service\\.beta\\.kubernetes\\.io/azure-load-balancer-internal-subnet"
+ value = "apps-subnet"
+ }
+```
+
+
+
+or as a multi-line string:
+
+
+
+```yaml
+server:
+ ingress:
+ annotations: |
+ service.beta.kubernetes.io/azure-load-balancer-internal: true
+ service.beta.kubernetes.io/azure-load-balancer-internal-subnet: apps-subnet
+```
+
+
+
+```hcl
+ set {
+ name = "server.ingress.annotations"
+ value = yamlencode({
+ "service.beta.kubernetes.io/azure-load-balancer-internal": "true"
+ "service.beta.kubernetes.io/azure-load-balancer-internal-subnet": "apps-subnet"
+ })
+ type = "auto"
+ }
+```
+
+
+
diff --git a/website/data/docs-nav-data.json b/website/data/docs-nav-data.json
index 384a1cffbe60..e61d23d9717e
--- a/website/data/docs-nav-data.json
+++ b/website/data/docs-nav-data.json
@@ -1446,6 +1446,10 @@
 "title": "Configuration",
 "path": "platform/k8s/helm/configuration"
 },
+ {
+ "title": "Terraform",
+ "path": "platform/k8s/helm/terraform"
+ },
 {
 "title": "Examples",
 "routes": [