diff --git a/templates/ha-ui-service.yaml b/templates/ha-ui-service.yaml
new file mode 100644
index 0000000..0ec99e2
--- /dev/null
+++ b/templates/ha-ui-service.yaml
@@ -0,0 +1,28 @@
+# Headless service for Vault server DNS entries. This service should only
+# point to Vault servers. For access to an agent, one should assume that
+# the agent is installed locally on the node and the NODE_IP should be used.
+# If the node can't run a Vault agent, then this service can be used to
+# communicate directly to a server agent.
+{{- if (and (or (and (ne (.Values.consulHA.enabled | toString) "-") .Values.consulHA.enabled) (and (eq (.Values.consulHA.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.enabled | toString) "-") .Values.ui.enabled) (and (eq (.Values.ui.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.service.enabled | toString) "-") .Values.ui.service.enabled) (and (eq (.Values.ui.service.enabled | toString) "-") .Values.global.enabled))) }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "vault.fullname" . }}-ui
+ labels:
+ app: {{ template "vault.name" . }}
+ chart: {{ template "vault.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ selector:
+ app: {{ template "vault.name" . }}
+ release: "{{ .Release.Name }}"
+ component: server
+ ports:
+ - name: http
+ port: 80
+ targetPort: 8200
+ {{- if .Values.ui.service.type }}
+ type: {{ .Values.ui.service.type }}
+ {{- end }}
+{{- end }}
diff --git a/templates/server-config-configmap.yaml b/templates/server-config-configmap.yaml
index 5ee5234..35fcdc9 100644
--- a/templates/server-config-configmap.yaml
+++ b/templates/server-config-configmap.yaml
@@ -11,5 +11,5 @@ metadata:
 release: {{ .Release.Name }}
 data:
 statefulconfig-from-values.hcl: |-
-{{ tpl .Values.server.storageConfig . | indent 4 }}
+{{ tpl .Values.server.statefulConfig . | indent 4 }}
 {{- end }}
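Review bot: The Service name `{{ template "vault.fullname" . }}-ui` is the same suffix the existing templates/ui-service.yaml most likely renders (its `name:` line is outside this page), so a release with both `server.enabled` and `consulHA.enabled` on would carry two Services with one name and fail to install; naming this one `-ha-ui`, matching the `-ha-server` convention in server-deployment.yaml, avoids the clash. Port 80 forwards to the listener on 8200, and the listener stanza this commit edits in values.yaml keeps `tls_disable = 1`, so a `LoadBalancer` or `NodePort` value in `ui.service.type` publishes an unencrypted Vault API; a comment above the `{{- if .Values.ui.service.type }}` line such as `# NOTE: the default listener has tls_disable = 1; an external service type exposes plaintext Vault traffic` makes that visible to operators. The three-way enabled check on the `{{- if` line is repeated verbatim in server-deployment.yaml and server-ha-service.yaml; a named template helper would keep the copies in sync. `release:` is quoted in the selector but not in the labels, which also reads inconsistently across the three new files.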
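Review bot: The renamed `tpl .Values.server.statefulConfig .` call reads a values key that none of the values.yaml hunks on this page introduce (they touch only `server.enabled` and the `consulHA` HCL), so unless `server.statefulConfig` is defined elsewhere, `tpl` receives nil and rendering fails whenever this ConfigMap is enabled. Confirm the key exists in values.yaml, or guard the line: `{{ tpl (default "" .Values.server.statefulConfig) . | indent 4 }}`. The enclosing `{{- if` block starts outside the hunk.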
diff --git a/templates/server-deployment.yaml b/templates/server-deployment.yaml
new file mode 100644
index 0000000..6aea407
--- /dev/null
+++ b/templates/server-deployment.yaml
@@ -0,0 +1,120 @@
+# StatefulSet to run the actual vault server cluster.
+{{- if (or (and (ne (.Values.consulHA.enabled | toString) "-") .Values.consulHA.enabled) (and (eq (.Values.consulHA.enabled | toString) "-") .Values.global.enabled)) }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ template "vault.fullname" . }}-ha-server
+ labels:
+ app: {{ template "vault.name" . }}
+ chart: {{ template "vault.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ serviceName: {{ template "vault.fullname" . }}-ha-server
+ podManagementPolicy: Parallel
+ replicas: {{ .Values.consulHA.replicas }}
+ selector:
+ matchLabels:
+ app: {{ template "vault.name" . }}
+ chart: {{ template "vault.chart" . }}
+ release: {{ .Release.Name }}
+ component: server
+ template:
+ metadata:
+ labels:
+ app: {{ template "vault.name" . }}
+ chart: {{ template "vault.chart" . }}
+ release: {{ .Release.Name }}
+ component: server
+ spec:
+ #affinity:
+ # podAntiAffinity:
+ # requiredDuringSchedulingIgnoredDuringExecution:
+ # - labelSelector:
+ # matchLabels:
+ # app: {{ template "vault.name" . }}
+ # release: "{{ .Release.Name }}"
+ # component: server
+ # topologyKey: kubernetes.io/hostname
+ terminationGracePeriodSeconds: 10
+ securityContext:
+ fsGroup: 1000
+ volumes:
+ - name: config
+ configMap:
+ name: {{ template "vault.fullname" . }}-ha-config
+ defaultMode: 0755
+ {{- range .Values.consulHA.extraVolumes }}
+ - name: userconfig-{{ .name }}
+ {{ .type }}:
+ {{- if (eq .type "configMap") }}
+ name: {{ .name }}
+ {{- else if (eq .type "secret") }}
+ secretName: {{ .name }}
+ {{- end }}
+ {{- end }}
+ containers:
+ - name: vault
+ securityContext:
+ fsGroup: 1000
+ # TODO: confirm Vault needs this
+ privileged: true
+ image: "{{ default .Values.global.image .Values.consulHA.image }}"
+ env:
+ - name: HOST_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: VAULT_ADDR
+ value: "http://localhost:8200"
+ command:
+ - "/bin/sh"
+ - "-ec"
+ - |
+ export VAULT_CLUSTER_ADDR=http://${POD_IP}:8201
+
+ sed -E "s/HOST_IP/${HOST_IP}/g" /vault/config/storageconfig-from-values.hcl > storageconfig.hcl
+ sed -Ei "s/POD_IP/${POD_IP}/g" storageconfig.hcl
+
+ vault server -config=storageconfig.hcl
+ volumeMounts:
+ - name: config
+ mountPath: /vault/config
+ {{- range .Values.consulHA.extraVolumes }}
+ - name: userconfig-{{ .name }}
+ readOnly: true
+ mountPath: /vault/userconfig/{{ .name }}
+ {{- end }}
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - vault step-down
+ ports:
+ - containerPort: 8200
+ name: http
+ #readinessProbe:
+ # # NOTE(mitchellh): when our HTTP status endpoints support the
+ # # proper status codes, we should switch to that. This is temporary.
+ # # TODO: verify for Vault
+ # #exec:
+ # # command:
+ # # - "/bin/sh"
+ # # - "-ec"
+ # # - |
+ # # curl http://127.0.0.1:8500/v1/status/leader 2>/dev/null | \
+ # # grep -E '".+"'
+ # failureThreshold: 2
+ # initialDelaySeconds: 5
+ # periodSeconds: 3
+ # successThreshold: 1
+ # timeoutSeconds: 5
+{{- end }}
diff --git a/templates/server-ha-service.yaml b/templates/server-ha-service.yaml
new file mode 100644
index 0000000..33b6122
--- /dev/null
+++ b/templates/server-ha-service.yaml
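Review bot: `kind: Deployment` conflicts with the `serviceName` and `podManagementPolicy: Parallel` fields under `spec`, which exist only on StatefulSet, and with the header comment that still says StatefulSet; either switch to `kind: StatefulSet` or drop those two lines, otherwise field validation rejects the manifest (older servers silently prune them). `selector.matchLabels` includes `chart: {{ template "vault.chart" . }}`, which embeds the chart version, and a workload selector is immutable, so every chart version bump would fail the upgrade — keep `chart` in the pod labels but out of the selector. In the container `securityContext`, `fsGroup` is a pod-level field (already set on the pod) and `privileged: true` grants far more than Vault needs; the documented requirement for mlock is the `IPC_LOCK` capability, which the rewrite below uses instead. The preStop hook passes `vault step-down` as one argv element, so exec looks for a binary literally named "vault step-down", and `step-down` is an authenticated call for which nothing in this pod supplies a token, so the hook cannot succeed as written. The start script reads `/vault/config/storageconfig-from-values.hcl`, which has to match the data key of the `-ha-config` ConfigMap renamed in server-storage-configmap.yaml (its data section is outside that hunk); worth verifying.

```yaml
# … unchanged: pod metadata, volumes …
      containers:
        - name: vault
          securityContext:
            capabilities:
              add: ["IPC_LOCK"]  # mlock for Vault; replaces privileged: true (fsGroup stays pod-level)
# … unchanged: image, env, command, volumeMounts …
          lifecycle:
            preStop:
              exec:
                command:
                  - vault
                  - step-down
# … unchanged: ports, commented readinessProbe …
```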
@@ -0,0 +1,35 @@
+# Headless service for Vault server DNS entries. This service should only
+# point to Vault servers. For access to an agent, one should assume that
+# the agent is installed locally on the node and the NODE_IP should be used.
+# If the node can't run a Vault agent, then this service can be used to
+# communicate directly to a server agent.
+# TODO: verify for Vault
+{{- if (or (and (ne (.Values.consulHA.enabled | toString) "-") .Values.consulHA.enabled) (and (eq (.Values.consulHA.enabled | toString) "-") .Values.global.enabled)) }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "vault.fullname" . }}-ha-server
+ labels:
+ app: {{ template "vault.name" . }}
+ chart: {{ template "vault.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ annotations:
+ # This must be set in addition to publishNotReadyAddresses due
+ # to an open issue where it may not work:
+ # https://github.com/kubernetes/kubernetes/issues/58662
+ service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+spec:
+ clusterIP: None
+ # We want the servers to become available even if they're not ready
+ # since this DNS is also used for join operations.
+ publishNotReadyAddresses: true
+ ports:
+ - name: http
+ port: 8200
+ targetPort: 8200
+ selector:
+ app: {{ template "vault.name" . }}
+ release: "{{ .Release.Name }}"
+ component: server
+{{- end }}
diff --git a/templates/server-storage-configmap.yaml b/templates/server-storage-configmap.yaml
index f0998eb..abc7235 100644
--- a/templates/server-storage-configmap.yaml
+++ b/templates/server-storage-configmap.yaml
@@ -3,7 +3,7 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
- name: {{ template "vault.fullname" . }}-server-storage-config
+ name: {{ template "vault.fullname" . }}-ha-config
 labels:
 app: {{ template "vault.name" . }}
 chart: {{ template "vault.chart" . }}
diff --git a/templates/ui-service.yaml b/templates/ui-service.yaml
index a8a33c8..6a893bd 100644
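Review bot: The headless Service publishes only port 8200, while the server start script in server-deployment.yaml sets `VAULT_CLUSTER_ADDR` and `cluster_address` on 8201; if this DNS name is meant for server-to-server traffic, as the `join operations` comment suggests, add a second entry `- name: cluster` / `port: 8201` / `targetPort: 8201` under `ports`, or reword the comment if only clients resolve it. The five header lines and the `NODE_IP`/`server agent` wording are carried over from the Consul chart and do not describe Vault; resolving the `# TODO: verify for Vault` line means rewriting them to state what this Service is for (stable DNS for the Vault server pods selected by `component: server`). The selector `app`/`release`/`component: server` presumably also matches pods from the non-HA server StatefulSet when both `server.enabled` and `consulHA.enabled` are on, which would mix two clusters behind one DNS name; worth confirming against the other template.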
--- a/templates/ui-service.yaml
+++ b/templates/ui-service.yaml
@@ -18,7 +18,6 @@ spec:
 app: {{ template "vault.name" . }}
 release: "{{ .Release.Name }}"
 component: server
- type: LoadBalancer
 ports:
 - name: http
 port: 80
diff --git a/values.yaml b/values.yaml
index 1e02016..1ec6c3f 100644
--- a/values.yaml
+++ b/values.yaml
@@ -21,7 +21,7 @@ global: #image: "vault" server: - enabled: "-" + enabled: false image: null replicas: 1
@@ -87,10 +87,12 @@ consulHA: listener "tcp" { tls_disable = 1 address = "0.0.0.0:8200" + cluster_address = "POD_IP:8201" } + storage "consul" { + path = "vault" address = "HOST_IP:8500" - path = "vault" } # Configuration for DNS configuration within the Kubernetes cluster.
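Review bot: The new `cluster_address = "POD_IP:8201"` and the existing `address = "HOST_IP:8500"` are literal tokens that the server container rewrites with `sed` at start-up (server-deployment.yaml), not HCL or Helm variables, and nothing in this block says so; a comment above the `listener "tcp"` line, `# HOST_IP and POD_IP are literal tokens replaced by sed in the server start script; do not write them as ${...}`, would stop operators from "fixing" them into shell syntax the sed patterns no longer match. The listener keeps `tls_disable = 1` on `0.0.0.0:8200`, and the new ha-ui-service in this commit can publish that port through `ui.service.type`, so the values comment for this block should state that the default listener is plaintext and that a TLS-enabled listener is expected for anything beyond in-cluster testing. The Consul storage stanza carries no `token`, so the server talks to Consul on `HOST_IP:8500` unauthenticated; if Consul ACLs are enabled in the target cluster, document how the token is supplied (for example through `consulHA.extraVolumes`) rather than leaving it implicit.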