Add stateless configuration. Assumes a consul deployed

This commit is contained in:
Clint Shryock 2018-10-08 16:35:20 -05:00
parent 2061e199d4
commit 9e8d74de04
No known key found for this signature in database
GPG key ID: B7C8F9C70EC5CD29
7 changed files with 189 additions and 5 deletions


@ -0,0 +1,28 @@
# Headless service for Vault server DNS entries. This service should only
# point to Vault servers. For access to an agent, one should assume that
# the agent is installed locally on the node and the NODE_IP should be used.
# If the node can't run a Vault agent, then this service can be used to
# communicate directly to a server agent.
{{- if (and (or (and (ne (.Values.consulHA.enabled | toString) "-") .Values.consulHA.enabled) (and (eq (.Values.consulHA.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.enabled | toString) "-") .Values.ui.enabled) (and (eq (.Values.ui.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.service.enabled | toString) "-") .Values.ui.service.enabled) (and (eq (.Values.ui.service.enabled | toString) "-") .Values.global.enabled))) }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}-ui
labels:
app: {{ template "vault.name" . }}
chart: {{ template "vault.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
selector:
app: {{ template "vault.name" . }}
release: "{{ .Release.Name }}"
component: server
ports:
- name: http
port: 80
targetPort: 8200
{{- if .Values.ui.service.type }}
type: {{ .Values.ui.service.type }}
{{- end }}
{{- end }}
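Review bot: The five-line header comment describes a headless DNS service for servers and talks about agents and NODE_IP, but this object is the UI service: it has no `clusterIP: None`, maps port 80 to 8200 and takes an optional `ui.service.type`. Replace it with a comment that matches, e.g. `# Service fronting the Vault UI (and the HTTP API behind it) on port 80, backed by the server pods; ui.service.type controls whether it is exposed outside the cluster.` Since this selects the server pods on 8200, it exposes the full API rather than only the UI, and with `tls_disable = 1` in the default listener config that traffic is plaintext, so the comment should say that the type should only be raised to NodePort/LoadBalancer once TLS is configured. The selector quotes `release: "{{ .Release.Name }}"` while the labels block leaves it unquoted; quoting both keeps a numeric-looking release name from being retyped.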


@ -11,5 +11,5 @@ metadata:
release: {{ .Release.Name }} release: {{ .Release.Name }}
data: data:
statefulconfig-from-values.hcl: |- statefulconfig-from-values.hcl: |-
{{ tpl .Values.server.storageConfig . | indent 4 }} {{ tpl .Values.server.statefulConfig . | indent 4 }}
{{- end }} {{- end }}
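Review bot: The data value now renders `tpl .Values.server.statefulConfig`, but nothing in this commit's values.yaml hunk shows a `server.statefulConfig` key being added, and `tpl` on an undefined value fails at render time rather than producing an empty file; confirm the key exists in values.yaml or the template should guard it, e.g. `{{- if .Values.server.statefulConfig }}` around the data entry. The ConfigMap's header and conditional start outside this hunk.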


@ -0,0 +1,120 @@
# StatefulSet to run the actual vault server cluster.
{{- if (or (and (ne (.Values.consulHA.enabled | toString) "-") .Values.consulHA.enabled) (and (eq (.Values.consulHA.enabled | toString) "-") .Values.global.enabled)) }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "vault.fullname" . }}-ha-server
labels:
app: {{ template "vault.name" . }}
chart: {{ template "vault.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
serviceName: {{ template "vault.fullname" . }}-ha-server
podManagementPolicy: Parallel
replicas: {{ .Values.consulHA.replicas }}
selector:
matchLabels:
app: {{ template "vault.name" . }}
chart: {{ template "vault.chart" . }}
release: {{ .Release.Name }}
component: server
template:
metadata:
labels:
app: {{ template "vault.name" . }}
chart: {{ template "vault.chart" . }}
release: {{ .Release.Name }}
component: server
spec:
#affinity:
# podAntiAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# - labelSelector:
# matchLabels:
# app: {{ template "vault.name" . }}
# release: "{{ .Release.Name }}"
# component: server
# topologyKey: kubernetes.io/hostname
terminationGracePeriodSeconds: 10
securityContext:
fsGroup: 1000
volumes:
- name: config
configMap:
name: {{ template "vault.fullname" . }}-ha-config
defaultMode: 0755
{{- range .Values.consulHA.extraVolumes }}
- name: userconfig-{{ .name }}
{{ .type }}:
{{- if (eq .type "configMap") }}
name: {{ .name }}
{{- else if (eq .type "secret") }}
secretName: {{ .name }}
{{- end }}
{{- end }}
containers:
- name: vault
securityContext:
fsGroup: 1000
# TODO: confirm Vault needs this
privileged: true
image: "{{ default .Values.global.image .Values.consulHA.image }}"
env:
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: VAULT_ADDR
value: "http://localhost:8200"
command:
- "/bin/sh"
- "-ec"
- |
export VAULT_CLUSTER_ADDR=http://${POD_IP}:8201
sed -E "s/HOST_IP/${HOST_IP}/g" /vault/config/storageconfig-from-values.hcl > storageconfig.hcl
sed -Ei "s/POD_IP/${POD_IP}/g" storageconfig.hcl
vault server -config=storageconfig.hcl
volumeMounts:
- name: config
mountPath: /vault/config
{{- range .Values.consulHA.extraVolumes }}
- name: userconfig-{{ .name }}
readOnly: true
mountPath: /vault/userconfig/{{ .name }}
{{- end }}
lifecycle:
preStop:
exec:
command:
- vault step-down
ports:
- containerPort: 8200
name: http
#readinessProbe:
# # NOTE(mitchellh): when our HTTP status endpoints support the
# # proper status codes, we should switch to that. This is temporary.
# # TODO: verify for Vault
# #exec:
# # command:
# # - "/bin/sh"
# # - "-ec"
# # - |
# # curl http://127.0.0.1:8500/v1/status/leader 2>/dev/null | \
# # grep -E '".+"'
# failureThreshold: 2
# initialDelaySeconds: 5
# periodSeconds: 3
# successThreshold: 1
# timeoutSeconds: 5
{{- end }}
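Review bot: `serviceName` and `podManagementPolicy` in the spec are StatefulSet fields and `fsGroup` under the container's `securityContext` is a pod-level field; with validation on, the apiserver rejects these for a Deployment, so either the kind should be StatefulSet (as the header comment still says) or those lines should be dropped. The preStop hook passes `vault step-down` as a single argv element, so exec looks for a binary literally named `vault step-down`; split it into `- vault` and `- step-down`. On the `privileged: true` TODO: Vault's documented requirement is mlock, which is the `IPC_LOCK` capability, so `capabilities: add: [IPC_LOCK]` is the least-privilege replacement and keeps the pod admissible under restrictive pod security policies. Port 8201, used by `VAULT_CLUSTER_ADDR` and the new `cluster_address` value, is not declared under `ports`; it should sit next to 8200. The startup script reads `/vault/config/storageconfig-from-values.hcl`, which must match the data key in the `-ha-config` ConfigMap that this diff does not show.
```yaml
        securityContext:
          capabilities:
            add:
              - IPC_LOCK
        # … unchanged: image, env, command, volumeMounts …
        lifecycle:
          preStop:
            exec:
              command:
                - vault
                - step-down
        ports:
          - containerPort: 8200
            name: http
          - containerPort: 8201
            name: cluster
```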


@ -0,0 +1,35 @@
# Headless service for Vault server DNS entries. This service should only
# point to Vault servers. For access to an agent, one should assume that
# the agent is installed locally on the node and the NODE_IP should be used.
# If the node can't run a Vault agent, then this service can be used to
# communicate directly to a server agent.
# TODO: verify for Vault
{{- if (or (and (ne (.Values.consulHA.enabled | toString) "-") .Values.consulHA.enabled) (and (eq (.Values.consulHA.enabled | toString) "-") .Values.global.enabled)) }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}-ha-server
labels:
app: {{ template "vault.name" . }}
chart: {{ template "vault.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
annotations:
# This must be set in addition to publishNotReadyAddresses due
# to an open issue where it may not work:
# https://github.com/kubernetes/kubernetes/issues/58662
service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
spec:
clusterIP: None
# We want the servers to become available even if they're not ready
# since this DNS is also used for join operations.
publishNotReadyAddresses: true
ports:
- name: http
port: 8200
targetPort: 8200
selector:
app: {{ template "vault.name" . }}
release: "{{ .Release.Name }}"
component: server
{{- end }}
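Review bot: The header comment is carried over from the Consul chart — it talks about agents and NODE_IP, and the `publishNotReadyAddresses` comment about "join operations" does not describe what a Vault server backed by Consul storage does with this name. Replace the header with something like `# Headless service giving each HA Vault server pod a stable DNS entry; unready pods (presumably sealed or standby) are published so they stay reachable by name.`, reword the spec comment to match, and drop the `TODO: verify for Vault` line once confirmed. The service publishes only 8200, while the new `cluster_address` in values uses 8201 for server-to-server traffic; if that port is meant to be reached through this name it needs a second `ports` entry here.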


@ -3,7 +3,7 @@
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata: metadata:
name: {{ template "vault.fullname" . }}-server-storage-config name: {{ template "vault.fullname" . }}-ha-config
labels: labels:
app: {{ template "vault.name" . }} app: {{ template "vault.name" . }}
chart: {{ template "vault.chart" . }} chart: {{ template "vault.chart" . }}


@ -18,7 +18,6 @@ spec:
app: {{ template "vault.name" . }} app: {{ template "vault.name" . }}
release: "{{ .Release.Name }}" release: "{{ .Release.Name }}"
component: server component: server
type: LoadBalancer
ports: ports:
- name: http - name: http
port: 80 port: 80


@ -21,7 +21,7 @@ global:
#image: "vault" #image: "vault"
server: server:
enabled: "-" enabled: false
image: null image: null
replicas: 1 replicas: 1
@ -87,10 +87,12 @@ consulHA:
listener "tcp" { listener "tcp" {
tls_disable = 1 tls_disable = 1
address = "0.0.0.0:8200" address = "0.0.0.0:8200"
cluster_address = "POD_IP:8201"
} }
storage "consul" { storage "consul" {
path = "vault"
address = "HOST_IP:8500" address = "HOST_IP:8500"
path = "vault"
} }
# Configuration for DNS configuration within the Kubernetes cluster. # Configuration for DNS configuration within the Kubernetes cluster.
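Review bot: `server.enabled` goes from `"-"` to `false`, which takes the standalone server out of the `global.enabled` deferral that the other `enabled` keys use (the templates read `"-"` as "follow global.enabled" and a bool as an override); that looks intended given the commit assumes Consul-backed HA, but the file should say so, e.g. `# "-" defers to global.enabled; set to false here because the HA deployment replaces the standalone server.` The new `cluster_address = "POD_IP:8201"` and the existing `address = "HOST_IP:8500"` are literal tokens that the HA deployment's startup script rewrites with sed at container start; a one-line comment above the HCL block naming those two placeholders would keep a reader from taking them for hostnames. The consulHA block starts outside this hunk.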