From bcc8a8db5fe03f9187c48dcf982c855df126b1e0 Mon Sep 17 00:00:00 2001
From: Clint Shryock
Date: Mon, 26 Nov 2018 11:44:05 -0600
Subject: [PATCH] re-add seperate config map file for single server. Update config/values and statefulsets. Add auto-unseal config to single server
---
 templates/server-config-configmap.yaml | 4 +--
 templates/server-ha-config-configmap.yaml | 15 +++++++++++
 templates/server-ha-statefulset.yaml | 9 ++++---
 templates/server-statefulset.yaml | 33 ++++++++++++-----------
 values.yaml | 15 ++++++++++-
 5 files changed, 53 insertions(+), 23 deletions(-)
 create mode 100644 templates/server-ha-config-configmap.yaml
diff --git a/templates/server-config-configmap.yaml b/templates/server-config-configmap.yaml
index 4a128db..100880c 100644
--- a/templates/server-config-configmap.yaml
+++ b/templates/server-config-configmap.yaml
@@ -1,5 +1,5 @@
 # StatefulSet to run the actual vault server cluster.
-{{- if (or (and (ne (.Values.consulHA.enabled | toString) "-") .Values.consulHA.enabled) (and (eq (.Values.consulHA.enabled | toString) "-") .Values.global.enabled)) }}
+{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -11,5 +11,5 @@ metadata:
 release: {{ .Release.Name }}
 data:
 statefulconfig-from-values.hcl: |-
-{{ tpl .Values.consulHA.config . | indent 4 }}
+{{ tpl .Values.server.config . | indent 4 }}
 {{- end }}
diff --git a/templates/server-ha-config-configmap.yaml b/templates/server-ha-config-configmap.yaml
new file mode 100644
index 0000000..4a128db
--- /dev/null
+++ b/templates/server-ha-config-configmap.yaml
@@ -0,0 +1,15 @@
+# StatefulSet to run the actual vault server cluster.
+{{- if (or (and (ne (.Values.consulHA.enabled | toString) "-") .Values.consulHA.enabled) (and (eq (.Values.consulHA.enabled | toString) "-") .Values.global.enabled)) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "vault.fullname" . }}-server-config
+ labels:
+ app: {{ template "vault.name" . }}
+ chart: {{ template "vault.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+data:
+ statefulconfig-from-values.hcl: |-
+{{ tpl .Values.consulHA.config . | indent 4 }}
+{{- end }}
diff --git a/templates/server-ha-statefulset.yaml b/templates/server-ha-statefulset.yaml
index 1473879..32e9821 100644
--- a/templates/server-ha-statefulset.yaml
+++ b/templates/server-ha-statefulset.yaml
@@ -39,7 +39,7 @@ spec:
 volumes:
 - name: config
 configMap:
- name: {{ template "vault.fullname" . }}-server-config
+ name: {{ template "vault.fullname" . }}-server-ha-config
 defaultMode: 0755
 {{- range .Values.consulHA.extraVolumes }}
 - name: userconfig-{{ .name }}
@@ -100,10 +100,11 @@ spec:
 - containerPort: 8200
 name: http
 readinessProbe:
- # NOTE(mitchellh): when our HTTP status endpoints support the
- # proper status codes, we should switch to that. This is temporary.
- # TODO: verify for Vault
 # Check status; unsealed vault servers return 0
+ # The exit code reflects the seal status:
+ # 0 - unsealed
+ # 1 - error
+ # 2 - sealed
 exec:
 command:
 - "/bin/sh"
diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml
index 5ce9ee9..b315da0 100644
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
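Review bot: The new HA ConfigMap keeps `name: {{ template "vault.fullname" . }}-server-config`, which is exactly the name the single-server ConfigMap in templates/server-config-configmap.yaml renders, while the HA StatefulSet hunk in this same commit mounts `-server-ha-config`. With both `server` and `consulHA` enabled the chart emits two ConfigMaps under one name (rejected as a duplicate or last-one-wins depending on the Helm version), and the HA pods reference a ConfigMap no template produces, so they never get past volume mounting. The metadata line should be `name: {{ template "vault.fullname" . }}-server-ha-config`. The header comment copied from the old file, `# StatefulSet to run the actual vault server cluster.`, also names the wrong kind; `# ConfigMap holding the rendered HCL config for the Consul-backed HA vault servers.` would be accurate.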
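Review bot: The new comment documents exit codes 0/1/2 for the seal status, but the hunk shows neither the probe command nor a `VAULT_ADDR` in the container env, and the default listener in values.yaml has `tls_disable = 1`; the Vault CLI defaults to https://127.0.0.1:8200, so unless the env block (outside this hunk) sets the address the probe would fail the TLS handshake with exit 1 and the pod would never become Ready regardless of seal state. If that env is not set elsewhere, add `VAULT_ADDR: http://127.0.0.1:8200` to the container env or pass `-address=` in the probe command. It would also help to extend the comment with `# Any non-zero exit (sealed or error) marks the pod NotReady, so a sealed node is dropped from Service endpoints until it is unsealed.` The readinessProbe block continues past the end of the hunk.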
@@ -92,22 +92,23 @@ spec:
 ports:
 - containerPort: 8200
 name: http
- #readinessProbe:
- # # NOTE(mitchellh): when our HTTP status endpoints support the
- # # proper status codes, we should switch to that. This is temporary.
- # # TODO: verify for Vault
- # #exec:
- # # command:
- # # - "/bin/sh"
- # # - "-ec"
- # # - |
- # # curl http://127.0.0.1:8500/v1/status/leader 2>/dev/null | \
- # # grep -E '".+"'
- # failureThreshold: 2
- # initialDelaySeconds: 5
- # periodSeconds: 3
- # successThreshold: 1
- # timeoutSeconds: 5
+ readinessProbe:
+ # Check status; unsealed vault servers return 0
+ # The exit code reflects the seal status:
+ # 0 - unsealed
+ # 1 - error
+ # 2 - sealed
+ exec:
+ command:
+ - "/bin/sh"
+ - "-ec"
+ - |
+ vault status
+ failureThreshold: 2
+ initialDelaySeconds: 5
+ periodSeconds: 3
+ successThreshold: 1
+ timeoutSeconds: 5
 volumeClaimTemplates:
 - metadata:
 name: data
diff --git a/values.yaml b/values.yaml
index 8304966..003994a 100644
--- a/values.yaml
+++ b/values.yaml
@@ -48,10 +48,22 @@ server:
 tls_disable = 1
 address = "0.0.0.0:8200"
 }
+
+ #api_addr = "POD_IP:8201"
+
 storage "file" {
 path = "/vault/data"
 }
 
+ # The GKMS keys must already exist, and the cluster must have a service
+ # account that is authorized to access GCP KMS, and ass
+ seal "gcpckms" {
+ project = "vault-helm-dev"
+ region = "global"
+ key_ring = "vault-helm"
+ crypto_key = "vault-init"
+ }
+
 # extraVolumes is a list of extra volumes to mount. These will be exposed
 # to Vault in the path `/vault/userconfig//`. The value below is
 # an array of objects, examples are shown below.
@@ -100,8 +112,9 @@ consulHA:
 address = "HOST_IP:8500"
 }
 
+ # The GKMS keys must already exist, and the cluster must have a service
+ # account that is authorized to access GCP KMS, and ass
 seal "gcpckms" {
- #credentials = "/usr/vault/vault-project-user-creds.json"
 project = "vault-helm-dev"
 region = "global"
 key_ring = "vault-helm"
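Review bot: `vault status` in the new readinessProbe runs with no `-address` flag and the hunk shows no `VAULT_ADDR` in the container env, while the default `server.config` in values.yaml sets `tls_disable = 1`; the Vault CLI defaults to https://127.0.0.1:8200, so unless the env block above (outside this hunk) sets the address, the probe fails the TLS handshake with exit code 1 and the pod never becomes Ready. Either set `VAULT_ADDR: http://127.0.0.1:8200` in the container env or change the probe line to `vault status -address=http://127.0.0.1:8200`, keeping it consistent with whatever the listener's `tls_disable` value is. The `exec` script also inherits `-e`, so the exit code of `vault status` is what kubelet sees, which is what the 0/1/2 comment relies on. The container spec this probe belongs to starts before the hunk.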
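Review bot: The `seal "gcpckms"` stanza added to the default `server.config` hard-codes a specific GCP project, key ring and key (`vault-helm-dev` / `vault-helm` / `vault-init`) into the chart's shipped defaults, so any install that does not override the whole `server.config` block tries to auto-unseal against someone else's KMS key and fails at startup. Keep the stanza out of the defaults (commented, like the `#api_addr` line just above it) or gate it behind a value such as `server.seal.gcpckms.enabled` so auto-unseal is opt-in. The comment `# account that is authorized to access GCP KMS, and ass` is cut off mid-sentence; finish it with what the operator must provision, e.g. `# account (node service account or Workload Identity) granted the KMS permissions listed in Vault's gcpckms seal docs, e.g. roles/cloudkms.cryptoKeyEncrypterDecrypter on this key.`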
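Review bot: Dropping the `#credentials = ...` line removes the only hint of how the HA pods authenticate to Cloud KMS, and the replacement comment is truncated at `and ass`; if the intent is ambient GCP credentials, say so, e.g. `# No credentials are set: the seal uses the pod's ambient GCP identity (node service account or Workload Identity), which must hold the KMS permissions from Vault's gcpckms seal docs.` The project, region and key_ring values are now duplicated verbatim between `server.config` and `consulHA.config`, so the two modes will drift; factoring them into shared values (for example `global.gcpckms.*`, referenced through `tpl`) would avoid that. The `seal` block continues past the end of the hunk.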