re-add separate config map file for single server. Update config/values and statefulsets. Add auto-unseal config to single server

This commit is contained in:
Clint Shryock 2018-11-26 11:44:05 -06:00
parent 616e262518
commit bcc8a8db5f
No known key found for this signature in database
GPG key ID: B7C8F9C70EC5CD29
5 changed files with 53 additions and 23 deletions


@ -1,5 +1,5 @@
# StatefulSet to run the actual vault server cluster. # StatefulSet to run the actual vault server cluster.
{{- if (or (and (ne (.Values.consulHA.enabled | toString) "-") .Values.consulHA.enabled) (and (eq (.Values.consulHA.enabled | toString) "-") .Values.global.enabled)) }} {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata: metadata:
@ -11,5 +11,5 @@ metadata:
release: {{ .Release.Name }} release: {{ .Release.Name }}
data: data:
statefulconfig-from-values.hcl: |- statefulconfig-from-values.hcl: |-
{{ tpl .Values.consulHA.config . | indent 4 }} {{ tpl .Values.server.config . | indent 4 }}
{{- end }} {{- end }}


@ -0,0 +1,15 @@
# StatefulSet to run the actual vault server cluster.
{{- if (or (and (ne (.Values.consulHA.enabled | toString) "-") .Values.consulHA.enabled) (and (eq (.Values.consulHA.enabled | toString) "-") .Values.global.enabled)) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "vault.fullname" . }}-server-config
labels:
app: {{ template "vault.name" . }}
chart: {{ template "vault.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
data:
statefulconfig-from-values.hcl: |-
{{ tpl .Values.consulHA.config . | indent 4 }}
{{- end }}
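Review bot: The new ConfigMap is named `{{ template "vault.fullname" . }}-server-config` (the metadata.name line of this file), but the HA StatefulSet hunk in this same commit switches its config volume to `{{ template "vault.fullname" . }}-server-ha-config`, so the HA pods would wait on a ConfigMap that nothing in the commit creates and stay in ContainerCreating; either rename this resource `name: {{ template "vault.fullname" . }}-server-ha-config` or revert the StatefulSet reference. If the pre-existing single-server ConfigMap keeps the `-server-config` name, this file would also collide with it whenever both `server` and `consulHA` are enabled — that file's metadata.name is not in its hunk, so please confirm. The header comment is also copied from the StatefulSet; `# ConfigMap holding the rendered Vault server config for the Consul HA deployment.` describes what this file actually renders.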


@ -39,7 +39,7 @@ spec:
volumes: volumes:
- name: config - name: config
configMap: configMap:
name: {{ template "vault.fullname" . }}-server-config name: {{ template "vault.fullname" . }}-server-ha-config
defaultMode: 0755 defaultMode: 0755
{{- range .Values.consulHA.extraVolumes }} {{- range .Values.consulHA.extraVolumes }}
- name: userconfig-{{ .name }} - name: userconfig-{{ .name }}
@ -100,10 +100,11 @@ spec:
- containerPort: 8200 - containerPort: 8200
name: http name: http
readinessProbe: readinessProbe:
# NOTE(mitchellh): when our HTTP status endpoints support the
# proper status codes, we should switch to that. This is temporary.
# TODO: verify for Vault
# Check status; unsealed vault servers return 0 # Check status; unsealed vault servers return 0
# The exit code reflects the seal status:
# 0 - unsealed
# 1 - error
# 2 - sealed
exec: exec:
command: command:
- "/bin/sh" - "/bin/sh"


@ -92,22 +92,23 @@ spec:
ports: ports:
- containerPort: 8200 - containerPort: 8200
name: http name: http
#readinessProbe: readinessProbe:
# # NOTE(mitchellh): when our HTTP status endpoints support the # Check status; unsealed vault servers return 0
# # proper status codes, we should switch to that. This is temporary. # The exit code reflects the seal status:
# # TODO: verify for Vault # 0 - unsealed
# #exec: # 1 - error
# # command: # 2 - sealed
# # - "/bin/sh" exec:
# # - "-ec" command:
# # - | - "/bin/sh"
# # curl http://127.0.0.1:8500/v1/status/leader 2>/dev/null | \ - "-ec"
# # grep -E '".+"' - |
# failureThreshold: 2 vault status
# initialDelaySeconds: 5 failureThreshold: 2
# periodSeconds: 3 initialDelaySeconds: 5
# successThreshold: 1 periodSeconds: 3
# timeoutSeconds: 5 successThreshold: 1
timeoutSeconds: 5
volumeClaimTemplates: volumeClaimTemplates:
- metadata: - metadata:
name: data name: data
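Review bot: The readiness probe runs `vault status` without an address, so the CLI falls back to its default `VAULT_ADDR` of `https://127.0.0.1:8200`; with the default server config in this commit using `tls_disable = 1`, the TLS handshake fails, the command exits 1, and after two failures every pod is marked not-ready. The container's env section is outside this hunk, so confirm it sets `VAULT_ADDR: "http://127.0.0.1:8200"` (or `VAULT_SKIP_VERIFY` where TLS is enabled with a self-signed cert). Note also that a sealed server exits 2, so a pod that is initialised but not yet unsealed is dropped from the Service endpoints — intended with the auto-unseal seal added to the default config, but worth stating next to the exit-code list: `# A sealed pod (exit 2) is not ready and leaves the Service; manual unseal must go through exec or port-forward.`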


@ -48,10 +48,22 @@ server:
tls_disable = 1 tls_disable = 1
address = "0.0.0.0:8200" address = "0.0.0.0:8200"
} }
#api_addr = "POD_IP:8201"
storage "file" { storage "file" {
path = "/vault/data" path = "/vault/data"
} }
# The GKMS keys must already exist, and the cluster must have a service
# account that is authorized to access GCP KMS, and ass
seal "gcpckms" {
project = "vault-helm-dev"
region = "global"
key_ring = "vault-helm"
crypto_key = "vault-init"
}
# extraVolumes is a list of extra volumes to mount. These will be exposed # extraVolumes is a list of extra volumes to mount. These will be exposed
# to Vault in the path `/vault/userconfig/<name>/`. The value below is # to Vault in the path `/vault/userconfig/<name>/`. The value below is
# an array of objects, examples are shown below. # an array of objects, examples are shown below.
@ -100,8 +112,9 @@ consulHA:
address = "HOST_IP:8500" address = "HOST_IP:8500"
} }
# The GKMS keys must already exist, and the cluster must have a service
# account that is authorized to access GCP KMS, and ass
seal "gcpckms" { seal "gcpckms" {
#credentials = "/usr/vault/vault-project-user-creds.json"
project = "vault-helm-dev" project = "vault-helm-dev"
region = "global" region = "global"
key_ring = "vault-helm" key_ring = "vault-helm"