[incubator/vault-operator] Introducing the Vault Operator chart (#5574)

* Starting work on the Vault Operator Get us some chart-y goodness! * Starting work on the Vault Operator Get us some chart-y goodness! * Vault operator chart lints Time to see if it works? * Vault operators deploys! Need to test on a real k8s instance, now * Starting work on the Vault Operator Get us some chart-y goodness! * Vault operator chart lints Time to see if it works? * Vault operators deploys! Need to test on a real k8s instance, now * Don't set the etcd-operator to cluster-wide Cuz that'd be bad, mmkay? * Validated to be awesome! Last step is to update docs * Updated README with all of the values * Updated values Things noticed while documenting them * Syncing up with the 2.8+ Helm chart style * Fix indentation issue * Updating as per code review * Migrate the `vault-operator` to `stable` * Replace references to incubator with stable
helm · Jun 28, 2018 · 02dc414 · 02dc414
1 parent ac526fa
commit 02dc414
Show file tree

Hide file tree

Showing 14 changed files with 495 additions and 0 deletions.
diff --git a/stable/vault-operator/.helmignore b/stable/vault-operator/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/stable/vault-operator/Chart.yaml b/stable/vault-operator/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+description: CoreOS vault-operator Helm chart for Kubernetes
+name: vault-operator
+version: 0.1.0
+appVersion: 0.1.9
+home: https://github.com/coreos/vault-operator
+icon: https://s3.amazonaws.com/hashicorp-marketing-web-assets/brand/Vault_VerticalLogo_FullColor.B1xPC0pSax.svg
+sources:
+- https://github.com/coreos/vault-operator
+maintainers:
+- name: mlaccetti
+  email: michael@laccetti.com
diff --git a/stable/vault-operator/OWNERS b/stable/vault-operator/OWNERS
@@ -0,0 +1,4 @@
+approvers:
+- mlaccetti
+reviewers:
+- mlaccetti
diff --git a/stable/vault-operator/README.md b/stable/vault-operator/README.md
@@ -0,0 +1,141 @@
+# CoreOS vault-operator
+
+[vault-operator](https://coreos.com/blog/introducing-vault-operator-project) Simplify vault cluster
+configuration and management.
+
+__DISCLAIMER:__ While this chart has been well-tested, the vault-operator is still currently in beta.
+Current project status is available [here](https://github.com/coreos/vault-operator).
+
+## Introduction
+
+This chart bootstraps a vault-operator and allows the deployment of vault cluster(s). It depends on the `etcd-operator` being installed.
+
+## Official Documentation
+
+Official project documentation found [here](https://github.com/coreos/vault-operator)
+
+## Pre-requisites
+
+- Kubernetes 1.9+
+- __Suggested:__ RBAC setup for the Kubernetes cluster
+- [`etcd-operator`](https://github.com/kubernetes/charts/tree/master/stable/etcd-operator)
+
+## Installing the Chart
+
+To install the chart with the release name `my-release`:
+
+```bash
+$ helm install stable/vault-operator --name my-release
+```
+
+If you do not want to deploy the `etcd-operator` manually, you can deploy it at the same time as when you deploy the `vault-operator`:
+
+```bash
+$ helm install stable/vault-operator --name my-release --set etcd-operator.enabled=true
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the `my-release` deployment:
+
+```bash
+$ helm delete my-release
+```
+
+The command removes all the Kubernetes components EXCEPT the persistent volume.
+
+## Configuration
+
+The following table lists the configurable parameters of the vault-operator chart and their default values.
+
+| Parameter                                         | Description                                                          | Default                                        |
+| ------------------------------------------------- | -------------------------------------------------------------------- | ---------------------------------------------- |
+| `name`                                            | name of the deployment                                               | `vault-operator`                               |
+| `replicaCount`                                    | Number of operator replicas to create (only 1 is supported)          | `1`                                            |
+| `image.repository`                                | vault-operator container image                                       | `quay.io/coreos/vault-operator`                |
+| `image.tag`                                       | vault-operator container image tag                                   | `0.1.9`                                        |
+| `image.pullPolicy`                                | vault-operator container image pull policy                           | `Always`                                       |
+| `rbac.create`                                     | install required RBAC service account, roles and rolebindings        | `true`                                         |
+| `rbac.apiVersion`                                 | RBAC api version `v1alpha1|v1beta1`                                  | `v1beta1`                                      |
+| `serviceAccount.create`                           | create a new service account for the vault-operator                  | `true`                                         |
+| `serviceAccount.name`                             | Name of the service account resource when RBAC is enabled            | `vault-operator-sa`                            |
+| `resources.cpu`                                   | CPU limit per vault-operator pod                                     | `100m`                                         |
+| `resources.memory`                                | Memory limit per vault-operator pod                                  | `128mi`                                        |
+| `nodeSelector`                                    | Node labels for vault-operator pod assignment                        | `{}`                                           |
+| `commandArgs`                                     | Additional command arguments                                         | `{}`                                           |
+
+Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example:
+
+```bash
+$ helm install --name my-release --set image.tag=v0.1.9 stable/vault-operator
+```
+
+Alternatively, a YAML file that specifies the values for the parameters can be provided while
+installing the chart. For example:
+
+```bash
+$ helm install --name my-release --values values.yaml stable/vault-operator
+```
+
+## RBAC
+By default the chart will install the recommended RBAC roles and rolebindings.
+
+To determine if your cluster supports this running the following:
+
+```bash
+$ kubectl api-versions | grep rbac
+```
+
+You also need to have the following parameter on the api server. See the following document for how to enable [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/)
+
+```bash
+--authorization-mode=RBAC
+```
+
+If the output contains "beta" or both "alpha" and "beta" you can may install rbac by default, if not, you may turn RBAC off as described below.
+
+### RBAC Role/RoleBinding Creation
+
+RBAC resources are enabled by default. To disable RBAC do the following:
+
+```bash
+$ helm install --name my-release stable/vault-operator --set rbac.create=false
+```
+
+### Changing RBAC Manifest apiVersion
+
+By default the RBAC resources are generated with the "v1beta1" apiVersion. To use "v1alpha1" do the following:
+
+```bash
+$ helm install --name my-release stable/vault-operator --set rbac.install=true,rbac.apiVersion=v1alpha1
+```
+
+## Creating a Vault
+
+### Deploy a CRD
+
+```yaml
+apiVersion: "vault.security.coreos.com/v1alpha1"
+kind: "VaultService"
+metadata:
+  name: "example"
+spec:
+  nodes: 2
+  version: "0.9.1-0"
+```
+
+### Initialize Vault
+
+```bash
+kubectl -n <namespace> get vault example -o jsonpath='{.status.vaultStatus.sealed[0]}' | xargs -0 -I {} kubectl -n <namespace> port-forward {} 8200
+vault init
+```
+
+### Unseal the Vault
+
+Repeat as many times as nodes created. Run the `vault unseal` command three times.
+
+```bash
+kubectl -n <namespace> get vault example -o jsonpath='{.status.vaultStatus.sealed[0]}' | xargs -0 -I {} kubectl -n <namespace> port-forward {} 8200
+vault unseal
+```
diff --git a/stable/vault-operator/requirements.lock b/stable/vault-operator/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: etcd-operator
+  repository: https://kubernetes-charts.storage.googleapis.com/
+  version: 0.8.0
+digest: sha256:469fd7ac741beb4956d4695a1fa4d6583f0f81c4d89fbf8400367fd87bfc2e4f
+generated: 2018-06-21T13:00:45.7632645-04:00
diff --git a/stable/vault-operator/requirements.yaml b/stable/vault-operator/requirements.yaml
@@ -0,0 +1,5 @@
+dependencies:
+  - name: etcd-operator
+    version: 0.8.0
+    repository: https://kubernetes-charts.storage.googleapis.com/
+    condition: etcd-operator.enabled
diff --git a/stable/vault-operator/templates/NOTES.txt b/stable/vault-operator/templates/NOTES.txt
@@ -0,0 +1,6 @@
+1. vault-operator deployed.
+
+  Check the vault-operator logs
+
+    export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "vault-operator.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+    kubectl logs $POD_NAME --namespace={{ .Release.Namespace }}
diff --git a/stable/vault-operator/templates/_helpers.tpl b/stable/vault-operator/templates/_helpers.tpl
@@ -0,0 +1,43 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "vault-operator.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "vault-operator.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "vault-operator.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "vault-operator.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
diff --git a/stable/vault-operator/templates/crd.yaml b/stable/vault-operator/templates/crd.yaml
@@ -0,0 +1,21 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: vaultservices.vault.security.coreos.com
+  labels:
+    app: {{ template "vault-operator.name" . }}
+    chart: {{ template "vault-operator.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  group: vault.security.coreos.com
+  names:
+    kind: VaultService
+    listKind: VaultServiceList
+    plural: vaultservices
+    shortNames:
+    - vault
+    singular: vaultservice
+  scope: Namespaced
+  version: v1alpha1
+
diff --git a/stable/vault-operator/templates/deployment.yaml b/stable/vault-operator/templates/deployment.yaml
@@ -0,0 +1,76 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "vault-operator.fullname" . }}
+  labels:
+    app: {{ template "vault-operator.name" . }}
+    chart: {{ template "vault-operator.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      app: {{ template "vault-operator.name" . }}
+      release: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app: {{ template "vault-operator.name" . }}
+        release: {{ .Release.Name }}
+    spec:
+      serviceAccountName: {{ template "serviceAccountName" . }}
+      containers:
+      - name: {{ .Chart.Name }}
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        command:
+        - vault-operator
+{{- range $key, $value := .Values.commandArgs }}
+        - "--{{ $key }}={{ $value }}"
+{{- end }}
+        env:
+        - name: MY_POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: MY_POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        {{- if .Values.livenessProbe.enabled }}
+        livenessProbe:
+          httpGet:
+            path: /readyz
+            port: 8080
+          initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
+          timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
+          successThreshold: {{ .Values.livenessProbe.successThreshold }}
+          failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
+        {{- end}}
+        {{- if .Values.readinessProbe.enabled }}
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: 8080
+          initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+          timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
+          successThreshold: {{ .Values.readinessProbe.successThreshold }}
+          failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
+        {{- end }}
+        resources:
+{{ toYaml .Values.resources | indent 12 }}
+    {{- with .Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- with .Values.affinity }}
+      affinity:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- with .Values.tolerations }}
+      tolerations:
+{{ toYaml . | indent 8 }}
+    {{- end }}
diff --git a/stable/vault-operator/templates/role-binding.yaml b/stable/vault-operator/templates/role-binding.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.rbac.create }}
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "vault-operator.fullname" . }}
+  labels:
+    app: {{ template "vault-operator.name" . }}
+    chart: {{ template "vault-operator.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "vault-operator.fullname" . }}
+{{- end }}