diff --git a/content/vault/v1.20.x/content/docs/configuration/service-registration/kubernetes.mdx b/content/vault/v1.20.x/content/docs/configuration/service-registration/kubernetes.mdx index bf7383b316..6c95b58269 100644 --- a/content/vault/v1.20.x/content/docs/configuration/service-registration/kubernetes.mdx +++ b/content/vault/v1.20.x/content/docs/configuration/service-registration/kubernetes.mdx @@ -70,7 +70,7 @@ metadata: vault-initialized: "true" vault-perf-standby: "false" vault-sealed: "false" - vault-version: 1.20.1 + vault-version: 1.20.4 ``` After shutdowns, Vault pods will bear the following labels: @@ -85,7 +85,7 @@ metadata: vault-initialized: "false" vault-perf-standby: "false" vault-sealed: "true" - vault-version: 1.20.1 + vault-version: 1.20.4 ``` ## Label definitions @@ -101,7 +101,7 @@ metadata: - `vault-sealed` `(string: "true"/"false")` – Vault sealed is updated dynamically each time Vault's sealed/unsealed status changes. True indicates that Vault is currently sealed. False indicates that Vault is currently unsealed. -- `vault-version` `(string: "1.20.1")` – Vault version is a string that will not change during a pod's lifecycle. +- `vault-version` `(string: "1.20.4")` – Vault version is a string that will not change during a pod's lifecycle. ## Working with vault's service discovery labels @@ -117,7 +117,7 @@ metadata: labels: app.kubernetes.io/instance: vault app.kubernetes.io/name: vault - helm.sh/chart: vault-0.30.1 + helm.sh/chart: vault-0.31.0 name: vault-active-us-east namespace: default spec: @@ -155,7 +155,7 @@ $ vault write -f sys/replication/performance/primary/enable \ In conjunction with the pod labels and the `OnDelete` upgrade strategy, upgrades are much easier to orchestrate: ```shell-session -$ helm upgrade vault --set='server.image.tag=1.20.1' +$ helm upgrade vault --set='server.image.tag=1.20.4' $ kubectl delete pod --selector=vault-active=false \ --selector=vault-version=1.2.3 
diff --git a/content/vault/v1.20.x/content/docs/deploy/kubernetes/helm/configuration.mdx b/content/vault/v1.20.x/content/docs/deploy/kubernetes/helm/configuration.mdx index 67d6337fc2..45297f0905 100644 --- a/content/vault/v1.20.x/content/docs/deploy/kubernetes/helm/configuration.mdx +++ b/content/vault/v1.20.x/content/docs/deploy/kubernetes/helm/configuration.mdx @@ -87,7 +87,7 @@ and consider if they're appropriate for your deployment. - `repository` (`string: "hashicorp/vault"`) - The name of the Docker image for the Vault Agent sidecar. This should be set to the official Vault Docker image. - - `tag` (`string: "1.20.1"`) - The tag of the Vault Docker image to use for the Vault Agent Sidecar. **Vault 1.3.1+ is required by the admission controller**. + - `tag` (`string: "1.20.4"`) - The tag of the Vault Docker image to use for the Vault Agent Sidecar. **Vault 1.3.1+ is required by the admission controller**. - `agentDefaults` - Values that configure the injected Vault Agent containers default values. @@ -351,7 +351,7 @@ and consider if they're appropriate for your deployment. - `repository` (`string: "hashicorp/vault"`) - The name of the Docker image for the containers running Vault. - - `tag` (`string: "1.20.1"`) - The tag of the Docker image for the containers running Vault. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller. + - `tag` (`string: "1.20.4"`) - The tag of the Docker image for the containers running Vault. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller. - `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists. 
@@ -1099,7 +1099,7 @@ and consider if they're appropriate for your deployment. - `repository` (`string: "hashicorp/vault-csi-provider"`) - The name of the Docker image for the Vault CSI Provider. - - `tag` (`string: "1.5.1"`) - The tag of the Docker image for the Vault CSI Provider.. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your CSI provider. + - `tag` (`string: "1.6.0"`) - The tag of the Docker image for the Vault CSI Provider.. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your CSI provider. - `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists locally. @@ -1159,11 +1159,11 @@ and consider if they're appropriate for your deployment. - `extraLabels` (`dictionary: {}`) - This value defines additional labels for the CSI provider daemonset. - - `providersDir` (`string: "/etc/kubernetes/secrets-store-csi-providers"`) - Provider host path (must match the CSI provider's path) + - `providersDir` (`string: "/var/run/secrets-store-csi-providers"`) - Provider host path (must match the CSI provider's path) - `kubeletRootDir` (`string: "/var/lib/kubelet"`) - Kubelet host path - - `securityContext` - Security context for the pod template and container in the csi provider daemonSet + - `securityContext` - Security context for the pod template and container in the csi provider daemonSet. If `global.openshift=true`, the container securityContext defaults to `privileged: true`. - `pod` (`dictionary: {}`) - Pod-level securityContext. May be specified as YAML or a YAML-formatted multi-line templated string. 
@@ -1255,7 +1255,7 @@ and consider if they're appropriate for your deployment. - `repository` (`string: "hashicorp/vault"`) - The name of the Docker image for the Vault Agent sidecar. This should be set to the official Vault Docker image. - - `tag` (`string: "1.20.1"`) - The tag of the Vault Docker image to use for the Vault Agent Sidecar. + - `tag` (`string: "1.20.4"`) - The tag of the Vault Docker image to use for the Vault Agent Sidecar. - `logFormat` (`string: "standard"`) - - `logLevel` (`string: "info"`) - @@ -1270,6 +1270,20 @@ and consider if they're appropriate for your deployment. cpu: '250m' ``` + - `securityContext` + - `container` (`dictionary: {}`) - Security context for the Vault Agent sidecar container. Defaults to: + + ```yaml + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 100 + runAsGroup: 1000 + ``` + - `serverTelemetry` - Values the configure metrics and telemetry. Enabling these features requires setting the `telemetry {}` stanza in the Vault configuration. See the [telemetry](/vault/docs/configuration/telemetry) [docs](/vault/docs/internals/telemetry) for more on the Vault configuration. @@ -1342,6 +1356,14 @@ and consider if they're appropriate for your deployment. key: token ``` + - `metricRelabelings` (`array: []`) - Metric relabeling rules to apply to samples before ingestion. See the prometheus [API reference](https://prometheus-operator.dev/docs/api-reference/api/#monitoring.coreos.com/v1.RelabelConfig) for more details. Example: + + ```yaml + metricRelabelings: + - sourceLabels: [cluster] + targetLabel: vault_cluster + ``` + - `prometheusRules` - Values that configure Prometheus rules. - `enabled` (`boolean: false`) - Deploy the PrometheusRule custom resource for AlertManager-based 
diff --git a/content/vault/v1.20.x/content/docs/deploy/kubernetes/helm/enterprise.mdx b/content/vault/v1.20.x/content/docs/deploy/kubernetes/helm/enterprise.mdx index 6e2fd0ea86..24a7ad00bb 100644 --- a/content/vault/v1.20.x/content/docs/deploy/kubernetes/helm/enterprise.mdx +++ b/content/vault/v1.20.x/content/docs/deploy/kubernetes/helm/enterprise.mdx @@ -33,7 +33,7 @@ In your chart overrides, set the values of [`server.image`](/vault/docs/platform server: image: repository: hashicorp/vault-enterprise - tag: 1.20.1-ent + tag: 1.20.4-ent enterpriseLicense: secretName: vault-ent-license ``` diff --git a/content/vault/v1.20.x/content/docs/deploy/kubernetes/helm/examples/enterprise-dr-with-raft.mdx b/content/vault/v1.20.x/content/docs/deploy/kubernetes/helm/examples/enterprise-dr-with-raft.mdx index 8d01068738..046a9ac72a 100644 --- a/content/vault/v1.20.x/content/docs/deploy/kubernetes/helm/examples/enterprise-dr-with-raft.mdx +++ b/content/vault/v1.20.x/content/docs/deploy/kubernetes/helm/examples/enterprise-dr-with-raft.mdx @@ -23,7 +23,7 @@ First, create the primary cluster: ```shell helm install vault-primary hashicorp/vault \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.20.1-ent' \ + --set='server.image.tag=1.20.4-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' ``` @@ -75,7 +75,7 @@ disaster recovery replication. ```shell helm install vault-secondary hashicorp/vault \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.20.1-ent' \ + --set='server.image.tag=1.20.4-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' ``` diff --git a/content/vault/v1.20.x/content/docs/deploy/kubernetes/helm/examples/enterprise-perf-with-raft.mdx b/content/vault/v1.20.x/content/docs/deploy/kubernetes/helm/examples/enterprise-perf-with-raft.mdx index 7cf52185b4..a99f08332c 100644 
--- a/content/vault/v1.20.x/content/docs/deploy/kubernetes/helm/examples/enterprise-perf-with-raft.mdx +++ b/content/vault/v1.20.x/content/docs/deploy/kubernetes/helm/examples/enterprise-perf-with-raft.mdx @@ -23,7 +23,7 @@ First, create the primary cluster: ```shell helm install vault-primary hashicorp/vault \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.20.1-ent' \ + --set='server.image.tag=1.20.4-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' ``` @@ -74,7 +74,7 @@ With the primary cluster created, next create a secondary cluster. ```shell helm install vault-secondary hashicorp/vault \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.20.1-ent' \ + --set='server.image.tag=1.20.4-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' ``` diff --git a/content/vault/v1.20.x/content/docs/deploy/kubernetes/helm/examples/enterprise-with-raft.mdx b/content/vault/v1.20.x/content/docs/deploy/kubernetes/helm/examples/enterprise-with-raft.mdx index 407b803212..37c94e6657 100644 --- a/content/vault/v1.20.x/content/docs/deploy/kubernetes/helm/examples/enterprise-with-raft.mdx +++ b/content/vault/v1.20.x/content/docs/deploy/kubernetes/helm/examples/enterprise-with-raft.mdx @@ -15,7 +15,7 @@ Integrated Storage (raft) can be enabled using the `server.ha.raft.enabled` valu ```shell helm install vault hashicorp/vault \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.20.1-ent' \ + --set='server.image.tag=1.20.4-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' ``` diff --git a/content/vault/v1.20.x/content/docs/deploy/kubernetes/helm/run.mdx b/content/vault/v1.20.x/content/docs/deploy/kubernetes/helm/run.mdx index 0ac4e7b83d..c678814139 100644 --- a/content/vault/v1.20.x/content/docs/deploy/kubernetes/helm/run.mdx +++ b/content/vault/v1.20.x/content/docs/deploy/kubernetes/helm/run.mdx 
@@ -409,14 +409,14 @@ Next, list the Helm versions and choose the desired version to install. ```bash $ helm search repo hashicorp/vault NAME CHART VERSION APP VERSION DESCRIPTION -hashicorp/vault 0.30.1 1.20.1 Official HashiCorp Vault Chart +hashicorp/vault 0.31.0 1.20.4 Official HashiCorp Vault Chart ``` Next, test the upgrade with `--dry-run` first to verify the changes sent to the Kubernetes cluster. ```shell-session -$ helm upgrade vault hashicorp/vault --version=0.30.1 \ +$ helm upgrade vault hashicorp/vault --version=0.31.0 \ --set='server.image.repository=vault' \ --set='server.image.tag=123.456' \ --dry-run diff --git a/content/vault/v1.20.x/content/partials/helm/install.mdx b/content/vault/v1.20.x/content/partials/helm/install.mdx index b9487a36f8..31f61ec510 100644 --- a/content/vault/v1.20.x/content/partials/helm/install.mdx +++ b/content/vault/v1.20.x/content/partials/helm/install.mdx @@ -2,16 +2,16 @@ # List the available releases $ helm search repo hashicorp/vault -l NAME CHART VERSION APP VERSION DESCRIPTION -hashicorp/vault 0.30.1 1.20.1 Official HashiCorp Vault Chart -hashicorp/vault 0.30.0 1.19.0 Official HashiCorp Vault Chart +hashicorp/vault 0.31.0 1.20.4 Official HashiCorp Vault Chart +hashicorp/vault 0.30.1 1.20.1 Official HashiCorp Vault Chart +hashicorp/vault 0.30.0 1.19.0 Official HashiCorp Vault Chart hashicorp/vault 0.29.1 1.18.1 Official HashiCorp Vault Chart hashicorp/vault 0.29.0 1.18.1 Official HashiCorp Vault Chart hashicorp/vault 0.28.1 1.17.2 Official HashiCorp Vault Chart hashicorp/vault 0.28.0 1.16.1 Official HashiCorp Vault Chart hashicorp/vault 0.27.0 1.15.2 Official HashiCorp Vault Chart -hashicorp/vault 0.26.1 1.15.1 Official HashiCorp Vault Chart ... -# Install version 0.30.1 -$ helm install vault hashicorp/vault --version 0.30.1 +# Install version 0.31.0 +$ helm install vault hashicorp/vault --version 0.31.0 ``` 
diff --git a/content/vault/v1.20.x/content/partials/helm/repo.mdx b/content/vault/v1.20.x/content/partials/helm/repo.mdx index 741f20a624..b474617a48 100644 --- a/content/vault/v1.20.x/content/partials/helm/repo.mdx +++ b/content/vault/v1.20.x/content/partials/helm/repo.mdx @@ -4,5 +4,5 @@ $ helm repo add hashicorp https://helm.releases.hashicorp.com $ helm search repo hashicorp/vault NAME CHART VERSION APP VERSION DESCRIPTION -hashicorp/vault 0.30.1 1.20.1 Official HashiCorp Vault Chart +hashicorp/vault 0.31.0 1.20.4 Official HashiCorp Vault Chart ```
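Review bot: In docs/configuration/service-registration/kubernetes.mdx, hunk @@ -155,7, the updated command `helm upgrade vault --set='server.image.tag=1.20.4'` names a release but no chart, and `helm upgrade` expects both. The run.mdx example in this same patch uses `helm upgrade vault hashicorp/vault ...`, so use that form here as well. The unchanged `kubectl delete pod` lines below it still select `vault-version=1.2.3`, which matches none of the label values shown on this page. Consider making that selector the label value being upgraded from, and writing the two conditions as one comma-separated `--selector=vault-active=false,vault-version=...` so it is unambiguous that both apply.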
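Review bot: In docs/deploy/kubernetes/helm/configuration.mdx, hunk @@ -351,7, the changed `tag` line describes "the Docker image for the containers running Vault" but ends with "may inadvertently upgrade your admission controller", which reads as carried over from the injector section. Since the line is being touched anyway, change the last words to refer to the Vault server so the pinning advice names the component that would actually be upgraded.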
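Review bot: In configuration.mdx, hunk @@ -1099,7, the changed `tag` line for the CSI provider keeps the double period in "Vault CSI Provider.." from the old line. Drop the extra period while the line is being edited.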
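Review bot: In configuration.mdx, hunk @@ -1159,11, the new `securityContext` sentence says the container defaults to `privileged: true` when `global.openshift=true` but gives neither the reason nor how to opt out. Add a clause stating whether setting the container-level securityContext replaces that default, because a privileged daemonset on every node is something operators will want to review. The same hunk changes the documented `providersDir` default from `/etc/kubernetes/secrets-store-csi-providers` to `/var/run/secrets-store-csi-providers` while the description still says it "must match the CSI provider's path". A short note that the default moved would help anyone upgrading with a driver still configured for the old path.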
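Review bot: In configuration.mdx, hunk @@ -1270,6 +1270,20, the new `container` entry lists hardened defaults (`allowPrivilegeEscalation: false`, `capabilities.drop: ALL`, `readOnlyRootFilesystem: true`) but does not say whether a user-supplied dictionary is merged with them or replaces them. If it replaces them, someone overriding only `runAsUser` would silently lose the other settings, so state the behaviour explicitly. The parent `securityContext` key is also the only entry in this list with no description, and a one-line summary would match the neighbouring entries.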
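Review bot: In configuration.mdx, hunk @@ -1342,6 +1356,14, the new `metricRelabelings` text says "See the prometheus [API reference]", but the link goes to prometheus-operator.dev and the next entry on the page capitalises "Prometheus". Suggest "See the Prometheus Operator API reference" so the reader knows which project's `RelabelConfig` schema applies.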
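Review bot: In docs/deploy/kubernetes/helm/run.mdx, hunk @@ -409,14, the chart version on the `helm upgrade` line is bumped to 0.31.0 but the unchanged lines under it still set `server.image.repository=vault` and `server.image.tag=123.456`. Every other example in this patch uses `hashicorp/vault` or `hashicorp/vault-enterprise` with a real tag, so a reader copying this dry run would be testing against a different image name than the one the rest of the docs tell them to pin. Either align the repository with `hashicorp/vault` or mark both values as placeholders in the surrounding text.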