tarokkk and ahma Refactor Control Plane charts (#615)
* telescope new version support

* bump version

* Fix ui version, add appVersion tag

* remove Vault requirements from pipeline

* fix prometheus configMapOverrideName

* cicd refactor

* telescopes fixes

* extend template handler

* fix vault helper

* pipeline: refactor anchore credentials

* remove anchore-engine from requirements

* fix pipeline and cicd path

* refactor pipeline for standalone chart

* fix acme value

* bump version

* remove ReleaseName from configmap

* remove cache
Latest commit 2c94081 Jan 17, 2019

README.md

Vault Helm Chart

This directory contains a Kubernetes Helm chart to deploy a Vault server. For further details of how we are using Vault, read this post.

Prerequisites Details

  • Kubernetes 1.6+

Chart Details

This chart will do the following:

  • Implement a Vault deployment

Please note that a backend service for Vault (for example, Consul) must be deployed beforehand and configured with the vault.config option. YAML provided under this option will be converted to JSON for the final vault config.json file.

See https://www.vaultproject.io/docs/configuration/ for more information.

Installing the Chart

To install the chart, use the following; this backs Vault with a Consul cluster:

helm init -c; 
helm repo add banzaicloud-stable http://kubernetes-charts.banzaicloud.com/branch/master
helm install vault

To install the chart backed with a Consul cluster, use the following:

helm install banzaicloud-stable/vault --set vault.config.storage.consul.address="myconsul-svc-name:8500",vault.config.storage.consul.path="vault"

An alternative values.yaml example using the Amazon S3 backend can be specified using:

vault:
  config:
    storage:
      s3:
        access_key: "AWS-ACCESS-KEY"
        secret_key: "AWS-SECRET-KEY"
        bucket: "AWS-BUCKET"
        region: "eu-central-1"

An alternate example using Amazon custom secrets passed as environment variables to Vault:

# Create an aws secret with your AWS credentials
kubectl create secret generic aws --from-literal=AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" --from-literal=AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY"

# Tell the chart to pass these as env vars to Vault and as a file mount if needed
helm install banzaicloud-stable/vault --set "vault.customSecrets[0].secretName=aws" --set "vault.customSecrets[0].mountPath=/vault/aws"

Configuration

The following table lists the configurable parameters of the vault chart and their default values.

| Parameter | Description | Default |
|---|---|---|
| image.pullPolicy | Container pull policy | IfNotPresent |
| image.repository | Container image to use | vault |
| image.tag | Container image tag to deploy | 0.9.1 |
| vault.customSecrets | Custom secrets available to Vault | [] |
| vault.config | Vault configuration | No default backend |
| vault.externalConfig | Vault API based configuration | No default backend |
| replicaCount | k8s replicas | 1 |
| resources.limits.cpu | Container requested CPU | nil |
| resources.limits.memory | Container requested memory | nil |
| unsealer.args | Bank Vaults args | ["--mode", "k8s", "--k8s-secret-namespace", "default", "--k8s-secret-name", "bank-vaults"] |

Specify each parameter using the --set key=value[,key=value] argument to helm install.
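
An added example (not part of the chart or its README) showing how the --set strings used above expand into nested values, and which part of them ends up in Vault's config.json. It is a simplified Python re-implementation of --set parsing (dotted keys, [n] indexes, comma-separated pairs; no escaping or type coercion) and assumes the chart serializes vault.config unchanged; S3_INLINE_SET is the S3 values.yaml example rewritten as a constructed --set string.

```python
import json
import re

# Constructed inputs: the README's settings as Helm receives them (shell quotes removed).
CONSUL_SET = ("vault.config.storage.consul.address=myconsul-svc-name:8500,"
              "vault.config.storage.consul.path=vault")
S3_INLINE_SET = ("vault.config.storage.s3.bucket=AWS-BUCKET,"
                 "vault.config.storage.s3.secret_key=AWS-SECRET-KEY")
CUSTOM_SECRET_SETS = ("vault.customSecrets[0].secretName=aws",
                      "vault.customSecrets[0].mountPath=/vault/aws")

_TOKEN = re.compile(r"([^.\[\]]+)|\[(\d+)\]")


def _path(key):
    """Split 'a.b[0].c' into ['a', 'b', 0, 'c']."""
    return [int(idx) if idx else name for name, idx in _TOKEN.findall(key)]


def _pad(node, step):
    """Grow a list so that index `step` exists; dicts need no padding."""
    if isinstance(step, int):
        node.extend([None] * (step + 1 - len(node)))


def parse_set(*set_args):
    """Merge --set style strings into one nested values structure."""
    values = {}
    for arg in set_args:
        for pair in arg.split(","):
            key, _, val = pair.partition("=")
            node, path = values, _path(key)
            for step, nxt in zip(path, path[1:]):
                _pad(node, step)
                if isinstance(step, int):
                    if node[step] is None:
                        node[step] = [] if isinstance(nxt, int) else {}
                    node = node[step]
                else:
                    node = node.setdefault(step, [] if isinstance(nxt, int) else {})
            _pad(node, path[-1])
            node[path[-1]] = val  # a later --set overrides an earlier one
    return values


def render_config_json(values):
    """Serialize only vault.config, which the README says becomes config.json."""
    return json.dumps(values.get("vault", {}).get("config", {}), indent=2, sort_keys=True)
```

Anything placed under vault.config, including an inline S3 secret_key, appears in the rendered JSON, while the customSecrets variant leaves config.json free of credentials.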

Using Vault

Once the Vault pod is ready, it can be accessed using a kubectl port-forward:

$ kubectl port-forward vault-pod 8200
$ export VAULT_ADDR=http://127.0.0.1:8200
$ vault status