Branch: master
Find file History
CharlieC3 and k8s-ci-robot Vault: Adding ability to open cluster ip in k8s service (#8054)
* Vault: Adding ability to open cluster ip in k8s service

Signed-off-by: Charles Cantoni <charles.cantoni@gmail.com>

* Adding conditional block around exposing the cluster port

Signed-off-by: ccantoni <ccantoni@secureauth.com>

* Bumping chart version

Signed-off-by: ccantoni <ccantoni@secureauth.com>
Latest commit fbeb5f8 Feb 14, 2019

README.md

Vault Helm Chart

This directory contains a Kubernetes chart to deploy a Vault server.

Prerequisites Details

  • Kubernetes 1.6+

Chart Details

This chart will do the following:

  • Implement a Vault deployment
  • Optionally, deploy a consul agent in the pod

Please note that a backend service for Vault (for example, Consul) must be deployed beforehand and configured with the vault.config option. YAML provided under this option will be converted to JSON for the final Vault config.json file.

See https://www.vaultproject.io/docs/configuration/ for more information.

Installing the Chart

To install the chart, use the following, this backs Vault with a Consul cluster:

$ helm repo add incubator http://storage.googleapis.com/kubernetes-charts-incubator
$ helm install incubator/vault --set vault.dev=false --set vault.config.storage.consul.address="myconsul-svc-name:8500",vault.config.storage.consul.path="vault"

An alternative example using the Amazon S3 backend can be specified using:

vault:
  config:
    storage:
      s3:
        access_key: "AWS-ACCESS-KEY"
        secret_key: "AWS-SECRET-KEY"
        bucket: "AWS-BUCKET"
        region: "eu-central-1"

Configuration

The following table lists the configurable parameters of the Vault chart and their default values.

Parameter Description Default
imagePullSecret The name of the secret to use if pulling from a private registry nil
image.pullPolicy Container pull policy IfNotPresent
image.repository Container image to use vault
image.tag Container image tag to deploy .Chart.appVersion
vault.dev Use Vault in dev mode true (set to false in production)
vault.extraEnv Extra env vars for Vault pods {}
vault.extraContainers Sidecar containers to add to the vault pod {}
vault.extraVolumes Additional volumes to the controller pod {}
vault.customSecrets Custom secrets available to Vault []
vault.config Vault configuration No default backend
replicaCount k8s replicas 3
resources.limits.cpu Container requested CPU nil
resources.limits.memory Container requested memory nil
affinity Affinity settings See values.yaml
service.loadBalancerIP Assign a static IP to the loadbalancer nil
service.loadBalancerSourceRanges IP whitelist for service type loadbalancer []
service.annotations Annotations for service {}
service.externalPort External port for the service 8200
service.port The API port Vault is using 8200
service.clusterExternalPort External cluster port for the service nil
service.clusterPort The cluster port Vault is using 8201
annotations Annotations for deployment {}
labels Extra labels for deployment {}
ingress.labels Labels for ingress {}
podAnnotations Annotations for pods {}
consulAgent.join If set, start start a consul agent nil
consulAgent.repository Container image for consul agent consul
consulAgent.tag Container image tag for consul agent 1.4.0
consulAgent.pullPolicy Container pull policy for consul agent IfNotPresent
consulAgent.gossipKeySecretName k8s secret containing gossip key nil (see values.yaml for details)
consulAgent.HttpPort HTTP port for consul agent API 8500

Specify each parameter using the --set key=value[,key=value] argument to helm install.

Optional Consul Agent

If you are using the consul storage for vault, you might want a local consul agent to handle health checks. By setting consulAgent.join to your consul server, an agent will be started in the vault pod. In this case, you should configure vault to connect to consul over localhost. For example:

vault:
  dev: False
  config:
    storage:
      consul:
        address: "localhost:8500"
consulAgent:
  join: consul.service.consul

If you are using the stable/consul helm chart, consul communications are encrypted with a gossip key. You can configure a secret with the same format as that chart and specify it in the consulAgent.gossipKeySecretName parameter.

Using Vault

Once the Vault pod is ready, it can be accessed using a kubectl port-forward:

$ kubectl port-forward vault-pod 8200
$ export VAULT_ADDR=http://127.0.0.1:8200
$ vault status