This repository has been archived by the owner on Feb 22, 2022. It is now read-only.
Commit
[incubator/vault-operator] Introducing the Vault Operator chart (#5574)
* Starting work on the Vault Operator
  Get us some chart-y goodness!
* Starting work on the Vault Operator
  Get us some chart-y goodness!
* Vault operator chart lints
  Time to see if it works?
* Vault operators deploys!
  Need to test on a real k8s instance, now
* Starting work on the Vault Operator
  Get us some chart-y goodness!
* Vault operator chart lints
  Time to see if it works?
* Vault operators deploys!
  Need to test on a real k8s instance, now
* Don't set the etcd-operator to cluster-wide
  Cuz that'd be bad, mmkay?
* Validated to be awesome!
  Last step is to update docs
* Updated README with all of the values
* Updated values
  Things noticed while documenting them
* Syncing up with the 2.8+ Helm chart style
* Fix indentation issue
* Updating as per code review
* Migrate the `vault-operator` to `stable`
* Replace references to incubator with stable
1 parent
ac526fa
commit 02dc414
Showing 14 changed files with 495 additions and 0 deletions.
@@ -0,0 +1,21 @@ | ||
# Patterns to ignore when building packages. | ||
# This supports shell glob matching, relative path matching, and | ||
# negation (prefixed with !). Only one pattern per line. | ||
.DS_Store | ||
# Common VCS dirs | ||
.git/ | ||
.gitignore | ||
.bzr/ | ||
.bzrignore | ||
.hg/ | ||
.hgignore | ||
.svn/ | ||
# Common backup files | ||
*.swp | ||
*.bak | ||
*.tmp | ||
*~ | ||
# Various IDEs | ||
.project | ||
.idea/ | ||
*.tmproj |
@@ -0,0 +1,12 @@ | ||
apiVersion: v1 | ||
description: CoreOS vault-operator Helm chart for Kubernetes | ||
name: vault-operator | ||
version: 0.1.0 | ||
appVersion: 0.1.9 | ||
home: https://github.com/coreos/vault-operator | ||
icon: https://s3.amazonaws.com/hashicorp-marketing-web-assets/brand/Vault_VerticalLogo_FullColor.B1xPC0pSax.svg | ||
sources: | ||
- https://github.com/coreos/vault-operator | ||
maintainers: | ||
- name: mlaccetti | ||
email: michael@laccetti.com |
@@ -0,0 +1,4 @@ | ||
approvers: | ||
- mlaccetti | ||
reviewers: | ||
- mlaccetti |
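Review bot: the same person is listed as the only approver and the only reviewer, so every future change to a chart that provisions RBAC bindings and the Vault CRD can be merged with a single pair of eyes; add at least one more reviewer before this moves to `stable`.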
@@ -0,0 +1,141 @@ | ||
# CoreOS vault-operator | ||
|
||
[vault-operator](https://coreos.com/blog/introducing-vault-operator-project) Simplify vault cluster | ||
configuration and management. | ||
|
||
__DISCLAIMER:__ While this chart has been well-tested, the vault-operator is still currently in beta. | ||
Current project status is available [here](https://github.com/coreos/vault-operator). | ||
|
||
## Introduction | ||
|
||
This chart bootstraps a vault-operator and allows the deployment of vault cluster(s). It depends on the `etcd-operator` being installed. | ||
|
||
## Official Documentation | ||
|
||
Official project documentation found [here](https://github.com/coreos/vault-operator) | ||
|
||
## Pre-requisites | ||
|
||
- Kubernetes 1.9+ | ||
- __Suggested:__ RBAC setup for the Kubernetes cluster | ||
- [`etcd-operator`](https://github.com/kubernetes/charts/tree/master/stable/etcd-operator) | ||
|
||
## Installing the Chart | ||
|
||
To install the chart with the release name `my-release`: | ||
|
||
```bash | ||
$ helm install stable/vault-operator --name my-release | ||
``` | ||
|
||
If you do not want to deploy the `etcd-operator` manually, you can deploy it at the same time as when you deploy the `vault-operator`: | ||
|
||
```bash | ||
$ helm install stable/vault-operator --name my-release --set etcd-operator.enabled=true | ||
``` | ||
|
||
## Uninstalling the Chart | ||
|
||
To uninstall/delete the `my-release` deployment: | ||
|
||
```bash | ||
$ helm delete my-release | ||
``` | ||
|
||
The command removes all the Kubernetes components EXCEPT the persistent volume. | ||
|
||
## Configuration | ||
|
||
The following table lists the configurable parameters of the vault-operator chart and their default values. | ||
|
||
| Parameter | Description | Default | | ||
| ------------------------------------------------- | -------------------------------------------------------------------- | ---------------------------------------------- | | ||
| `name` | name of the deployment | `vault-operator` | | ||
| `replicaCount` | Number of operator replicas to create (only 1 is supported) | `1` | | ||
| `image.repository` | vault-operator container image | `quay.io/coreos/vault-operator` | | ||
| `image.tag` | vault-operator container image tag | `0.1.9` | | ||
| `image.pullPolicy` | vault-operator container image pull policy | `Always` | | ||
| `rbac.create` | install required RBAC service account, roles and rolebindings | `true` | | ||
| `rbac.apiVersion` | RBAC api version `v1alpha1|v1beta1` | `v1beta1` | | ||
| `serviceAccount.create` | create a new service account for the vault-operator | `true` | | ||
| `serviceAccount.name` | Name of the service account resource when RBAC is enabled | `vault-operator-sa` | | ||
| `resources.cpu` | CPU limit per vault-operator pod | `100m` | | ||
| `resources.memory` | Memory limit per vault-operator pod | `128mi` | | ||
| `nodeSelector` | Node labels for vault-operator pod assignment | `{}` | | ||
| `commandArgs` | Additional command arguments | `{}` | | ||
|
||
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example: | ||
|
||
```bash | ||
$ helm install --name my-release --set image.tag=v0.1.9 stable/vault-operator | ||
``` | ||
|
||
Alternatively, a YAML file that specifies the values for the parameters can be provided while | ||
installing the chart. For example: | ||
|
||
```bash | ||
$ helm install --name my-release --values values.yaml stable/vault-operator | ||
``` | ||
|
||
## RBAC | ||
By default the chart will install the recommended RBAC roles and rolebindings. | ||
|
||
To determine if your cluster supports this running the following: | ||
|
||
```bash | ||
$ kubectl api-versions | grep rbac | ||
``` | ||
|
||
You also need to have the following parameter on the api server. See the following document for how to enable [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) | ||
|
||
```bash | ||
--authorization-mode=RBAC | ||
``` | ||
|
||
If the output contains "beta" or both "alpha" and "beta" you can may install rbac by default, if not, you may turn RBAC off as described below. | ||
|
||
### RBAC Role/RoleBinding Creation | ||
|
||
RBAC resources are enabled by default. To disable RBAC do the following: | ||
|
||
```bash | ||
$ helm install --name my-release stable/vault-operator --set rbac.create=false | ||
``` | ||
|
||
### Changing RBAC Manifest apiVersion | ||
|
||
By default the RBAC resources are generated with the "v1beta1" apiVersion. To use "v1alpha1" do the following: | ||
|
||
```bash | ||
$ helm install --name my-release stable/vault-operator --set rbac.install=true,rbac.apiVersion=v1alpha1 | ||
``` | ||
|
||
## Creating a Vault | ||
|
||
### Deploy a CRD | ||
|
||
```yaml | ||
apiVersion: "vault.security.coreos.com/v1alpha1" | ||
kind: "VaultService" | ||
metadata: | ||
name: "example" | ||
spec: | ||
nodes: 2 | ||
version: "0.9.1-0" | ||
``` | ||
|
||
### Initialize Vault | ||
|
||
```bash | ||
kubectl -n <namespace> get vault example -o jsonpath='{.status.vaultStatus.sealed[0]}' | xargs -0 -I {} kubectl -n <namespace> port-forward {} 8200 | ||
vault init | ||
``` | ||
|
||
### Unseal the Vault | ||
|
||
Repeat as many times as nodes created. Run the `vault unseal` command three times. | ||
|
||
```bash | ||
kubectl -n <namespace> get vault example -o jsonpath='{.status.vaultStatus.sealed[0]}' | xargs -0 -I {} kubectl -n <namespace> port-forward {} 8200 | ||
vault unseal | ||
``` |
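Review bot: the "Changing RBAC Manifest apiVersion" example passes `rbac.install=true`, but the parameter documented in the table and consumed by the templates is `rbac.create`; use `--set rbac.create=true,rbac.apiVersion=v1alpha1`. The table is also out of sync with the templates: it omits `livenessProbe.*`, `readinessProbe.*`, `affinity`, `tolerations`, `nameOverride`, `fullnameOverride` and `etcd-operator.enabled`, all of which the deployment, helpers and requirements files read, the `resources.memory` default `128mi` is not a valid quantity suffix (`128Mi`), and the `--set image.tag=v0.1.9` example carries a `v` prefix the documented default `0.1.9` does not. In the "Initialize Vault" and "Unseal the Vault" snippets `kubectl port-forward` blocks, so the `vault init` / `vault unseal` on the next line never runs as written; background the forward (`... port-forward {} 8200 &`) and point `VAULT_ADDR` at the forwarded port before calling `vault`. The unseal paragraph says both "repeat as many times as nodes created" and "run the `vault unseal` command three times"; state that each Vault node is unsealed separately and each needs the key threshold chosen at `vault init`. Finally, "removes all the Kubernetes components EXCEPT the persistent volume" is copied boilerplate: this chart declares no persistent volume.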
@@ -0,0 +1,6 @@ | ||
dependencies: | ||
- name: etcd-operator | ||
repository: https://kubernetes-charts.storage.googleapis.com/ | ||
version: 0.8.0 | ||
digest: sha256:469fd7ac741beb4956d4695a1fa4d6583f0f81c4d89fbf8400367fd87bfc2e4f | ||
generated: 2018-06-21T13:00:45.7632645-04:00 |
@@ -0,0 +1,5 @@ | ||
dependencies: | ||
- name: etcd-operator | ||
version: 0.8.0 | ||
repository: https://kubernetes-charts.storage.googleapis.com/ | ||
condition: etcd-operator.enabled |
@@ -0,0 +1,6 @@ | ||
1. vault-operator deployed. | ||
|
||
Check the vault-operator logs | ||
|
||
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "vault-operator.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") | ||
kubectl logs $POD_NAME --namespace={{ .Release.Namespace }} |
@@ -0,0 +1,43 @@ | ||
{{/* vim: set filetype=mustache: */}} | ||
{{/* | ||
Expand the name of the chart. | ||
*/}} | ||
{{- define "vault-operator.name" -}} | ||
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} | ||
{{- end -}} | ||
|
||
{{/* | ||
Create a default fully qualified app name. | ||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). | ||
If release name contains chart name it will be used as a full name. | ||
*/}} | ||
{{- define "vault-operator.fullname" -}} | ||
{{- if .Values.fullnameOverride -}} | ||
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} | ||
{{- else -}} | ||
{{- $name := default .Chart.Name .Values.nameOverride -}} | ||
{{- if contains $name .Release.Name -}} | ||
{{- .Release.Name | trunc 63 | trimSuffix "-" -}} | ||
{{- else -}} | ||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} | ||
{{- end -}} | ||
{{- end -}} | ||
{{- end -}} | ||
|
||
{{/* | ||
Create chart name and version as used by the chart label. | ||
*/}} | ||
{{- define "vault-operator.chart" -}} | ||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} | ||
{{- end -}} | ||
|
||
{{/* | ||
Create the name of the service account to use | ||
*/}} | ||
{{- define "serviceAccountName" -}} | ||
{{- if .Values.serviceAccount.create -}} | ||
{{ default (include "vault-operator.fullname" .) .Values.serviceAccount.name }} | ||
{{- else -}} | ||
{{ default "default" .Values.serviceAccount.name }} | ||
{{- end -}} | ||
{{- end -}} |
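Review bot: the `serviceAccountName` define at the bottom is not prefixed with the chart name like the other helpers (`vault-operator.name`, `vault-operator.fullname`, `vault-operator.chart`). Helm named templates share one global namespace across a chart and its subcharts, so the `etcd-operator` dependency pulled in by requirements.yaml (or any future one) defining its own `serviceAccountName` would silently override this one and the operator Deployment and RoleBinding would pick up the wrong account. Rename it to `vault-operator.serviceAccountName` and update the two `template "serviceAccountName"` calls in the deployment and rolebinding hunks.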
@@ -0,0 +1,21 @@ | ||
apiVersion: apiextensions.k8s.io/v1beta1 | ||
kind: CustomResourceDefinition | ||
metadata: | ||
name: vaultservices.vault.security.coreos.com | ||
labels: | ||
app: {{ template "vault-operator.name" . }} | ||
chart: {{ template "vault-operator.chart" . }} | ||
release: {{ .Release.Name }} | ||
heritage: {{ .Release.Service }} | ||
spec: | ||
group: vault.security.coreos.com | ||
names: | ||
kind: VaultService | ||
listKind: VaultServiceList | ||
plural: vaultservices | ||
shortNames: | ||
- vault | ||
singular: vaultservice | ||
scope: Namespaced | ||
version: v1alpha1 | ||
|
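Review bot: this CRD is rendered as an ordinary template with no `helm.sh/resource-policy: keep` annotation, so `helm delete my-release` removes the `vaultservices.vault.security.coreos.com` definition and, with it, every `VaultService` object in the cluster; deleting the operator release tears down the Vault clusters themselves, not just the controller. Add `annotations: {"helm.sh/resource-policy": keep}` under `metadata` (and, on Helm 2.10+, `"helm.sh/hook": crd-install` so the definition exists before dependent manifests are validated), and spell out in the README what `helm delete` does and does not remove.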
@@ -0,0 +1,76 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: {{ template "vault-operator.fullname" . }} | ||
labels: | ||
app: {{ template "vault-operator.name" . }} | ||
chart: {{ template "vault-operator.chart" . }} | ||
release: {{ .Release.Name }} | ||
heritage: {{ .Release.Service }} | ||
spec: | ||
replicas: {{ .Values.replicaCount }} | ||
selector: | ||
matchLabels: | ||
app: {{ template "vault-operator.name" . }} | ||
release: {{ .Release.Name }} | ||
template: | ||
metadata: | ||
labels: | ||
app: {{ template "vault-operator.name" . }} | ||
release: {{ .Release.Name }} | ||
spec: | ||
serviceAccountName: {{ template "serviceAccountName" . }} | ||
containers: | ||
- name: {{ .Chart.Name }} | ||
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" | ||
imagePullPolicy: {{ .Values.image.pullPolicy }} | ||
command: | ||
- vault-operator | ||
{{- range $key, $value := .Values.commandArgs }} | ||
- "--{{ $key }}={{ $value }}" | ||
{{- end }} | ||
env: | ||
- name: MY_POD_NAMESPACE | ||
valueFrom: | ||
fieldRef: | ||
fieldPath: metadata.namespace | ||
- name: MY_POD_NAME | ||
valueFrom: | ||
fieldRef: | ||
fieldPath: metadata.name | ||
{{- if .Values.livenessProbe.enabled }} | ||
livenessProbe: | ||
httpGet: | ||
path: /readyz | ||
port: 8080 | ||
initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} | ||
periodSeconds: {{ .Values.livenessProbe.periodSeconds }} | ||
timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} | ||
successThreshold: {{ .Values.livenessProbe.successThreshold }} | ||
failureThreshold: {{ .Values.livenessProbe.failureThreshold }} | ||
{{- end}} | ||
{{- if .Values.readinessProbe.enabled }} | ||
readinessProbe: | ||
httpGet: | ||
path: /readyz | ||
port: 8080 | ||
initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} | ||
periodSeconds: {{ .Values.readinessProbe.periodSeconds }} | ||
timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} | ||
successThreshold: {{ .Values.readinessProbe.successThreshold }} | ||
failureThreshold: {{ .Values.readinessProbe.failureThreshold }} | ||
{{- end }} | ||
resources: | ||
{{ toYaml .Values.resources | indent 12 }} | ||
{{- with .Values.nodeSelector }} | ||
nodeSelector: | ||
{{ toYaml . | indent 8 }} | ||
{{- end }} | ||
{{- with .Values.affinity }} | ||
affinity: | ||
{{ toYaml . | indent 8 }} | ||
{{- end }} | ||
{{- with .Values.tolerations }} | ||
tolerations: | ||
{{ toYaml . | indent 8 }} | ||
{{- end }} |
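Review bot: `resources:` pipes `.Values.resources` straight through `toYaml`, which expects the `limits:`/`requests:` structure, but the README documents the keys as flat `resources.cpu` and `resources.memory`; with the documented shape this renders `cpu:` and `memory:` directly under `resources:`, which is not a valid `ResourceRequirements`. Either nest the documented defaults under `limits`/`requests` or build the block from the two keys. Two operational points as well: the README states only one replica is supported, yet the Deployment uses the default `RollingUpdate` strategy, so an upgrade briefly runs two operators side by side; set `strategy: {type: Recreate}`. And neither the pod nor the container sets a `securityContext` (`runAsNonRoot: true`, `readOnlyRootFilesystem: true`, `allowPrivilegeEscalation: false`), which an operator that manages Vault pods should have. Minor: the liveness probe reuses the `/readyz` readiness path, so a not-ready operator is restarted rather than just taken out of rotation.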
@@ -0,0 +1,19 @@ | ||
{{- if .Values.rbac.create }} | ||
kind: RoleBinding | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
metadata: | ||
name: {{ template "vault-operator.fullname" . }} | ||
labels: | ||
app: {{ template "vault-operator.name" . }} | ||
chart: {{ template "vault-operator.chart" . }} | ||
release: {{ .Release.Name }} | ||
heritage: {{ .Release.Service }} | ||
subjects: | ||
- kind: ServiceAccount | ||
name: {{ template "serviceAccountName" . }} | ||
namespace: {{ .Release.Namespace }} | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: Role | ||
name: {{ template "vault-operator.fullname" . }} | ||
{{- end }} |
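Review bot: `apiVersion: rbac.authorization.k8s.io/v1` is hardcoded, while the README advertises `rbac.apiVersion` (`v1alpha1|v1beta1`, default `v1beta1`) as a configurable parameter; either template it as `rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }}` or drop the parameter and the "Changing RBAC Manifest apiVersion" section from the README, since `v1` is available on the documented Kubernetes 1.9+ baseline. Also, when `serviceAccount.create=false` and no `serviceAccount.name` is given, the `serviceAccountName` helper falls back to `default`, so this binding grants the operator's Role to the namespace's default service account, that is, to every pod in the namespace that does not set its own; fail the render (`required`) or require an explicit name in that case rather than widening the grant silently.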