re-add seperate config map file for single server. Update config/values and statefulsets. Add auto-unseal config to single server

2018-11-26 11:44:05 -06:00 · 2018-11-26 11:44:05 -06:00 · bcc8a8db5f
commit bcc8a8db5f
parent 616e262518
5 changed files with 53 additions and 23 deletions
--- a/templates/server-config-configmap.yaml
+++ b/templates/server-config-configmap.yaml
@ -1,5 +1,5 @@
 # StatefulSet to run the actual vault server cluster.
-{{- if (or (and (ne (.Values.consulHA.enabled | toString) "-") .Values.consulHA.enabled) (and (eq (.Values.consulHA.enabled | toString) "-") .Values.global.enabled)) }}
+{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@ -11,5 +11,5 @@ metadata:
    release: {{ .Release.Name }}
 data:
  statefulconfig-from-values.hcl: |-
-{{ tpl .Values.consulHA.config . | indent 4 }}
+{{ tpl .Values.server.config . | indent 4 }}
 {{- end }}
--- a/templates/server-ha-config-configmap.yaml
+++ b/templates/server-ha-config-configmap.yaml
@ -0,0 +1,15 @@
+# StatefulSet to run the actual vault server cluster.
+{{- if (or (and (ne (.Values.consulHA.enabled | toString) "-") .Values.consulHA.enabled) (and (eq (.Values.consulHA.enabled | toString) "-") .Values.global.enabled)) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "vault.fullname" . }}-server-config
+  labels:
+    app: {{ template "vault.name" . }}
+    chart: {{ template "vault.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+data:
+  statefulconfig-from-values.hcl: |-
+{{ tpl .Values.consulHA.config . | indent 4 }}
+{{- end }}
--- a/templates/server-ha-statefulset.yaml
+++ b/templates/server-ha-statefulset.yaml
@ -39,7 +39,7 @@ spec:
      volumes:
        - name: config
          configMap:
-            name: {{ template "vault.fullname" . }}-server-config
+            name: {{ template "vault.fullname" . }}-server-ha-config
            defaultMode: 0755
        {{- range .Values.consulHA.extraVolumes }}
        - name: userconfig-{{ .name }}
@ -100,10 +100,11 @@ spec:
            - containerPort: 8200
              name: http
          readinessProbe:
-            # NOTE(mitchellh): when our HTTP status endpoints support the
-            # proper status codes, we should switch to that. This is temporary.
-            # TODO: verify for Vault
            # Check status; unsealed vault servers return 0
+            # The exit code reflects the seal status:
+            #   0 - unsealed
+            #   1 - error
+            #   2 - sealed
            exec:
              command:
                - "/bin/sh"
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@ -92,22 +92,23 @@ spec:
          ports:
            - containerPort: 8200
              name: http
-          #readinessProbe:
-          #  # NOTE(mitchellh): when our HTTP status endpoints support the
-          #  # proper status codes, we should switch to that. This is temporary.
-          #  # TODO: verify for Vault
-          #  #exec:
-          #  #  command:
-          #  #    - "/bin/sh"
-          #  #    - "-ec"
-          #  #    - |
-          #  #      curl http://127.0.0.1:8500/v1/status/leader 2>/dev/null | \
-          #  #      grep -E '".+"'
-          #  failureThreshold: 2
-          #  initialDelaySeconds: 5
-          #  periodSeconds: 3
-          #  successThreshold: 1
-          #  timeoutSeconds: 5
+          readinessProbe:
+            # Check status; unsealed vault servers return 0
+            # The exit code reflects the seal status:
+            #   0 - unsealed
+            #   1 - error
+            #   2 - sealed
+            exec:
+              command:
+                - "/bin/sh"
+                - "-ec"
+                - |
+                  vault status
+            failureThreshold: 2
+            initialDelaySeconds: 5
+            periodSeconds: 3
+            successThreshold: 1
+            timeoutSeconds: 5
  volumeClaimTemplates:
    - metadata:
        name: data
--- a/values.yaml
+++ b/values.yaml
@ -48,10 +48,22 @@ server:
      tls_disable = 1
      address     = "0.0.0.0:8200"
    }
+
+    #api_addr = "POD_IP:8201"
+
    storage "file" {
      path = "/vault/data"
    }

+    # The GKMS keys must already exist, and the cluster must have a service
+    # account that is authorized to access GCP KMS, and ass
+    seal "gcpckms" {
+      project     = "vault-helm-dev"
+      region      = "global"
+      key_ring    = "vault-helm"
+      crypto_key  = "vault-init"
+    }
+
  # extraVolumes is a list of extra volumes to mount. These will be exposed
  # to Vault in the path `/vault/userconfig/<name>/`. The value below is
  # an array of objects, examples are shown below.
@ -100,8 +112,9 @@ consulHA:
      address = "HOST_IP:8500"
    }

+    # The GKMS keys must already exist, and the cluster must have a service
+    # account that is authorized to access GCP KMS, and ass
    seal "gcpckms" {
-      #credentials = "/usr/vault/vault-project-user-creds.json"
      project     = "vault-helm-dev"
      region      = "global"
      key_ring    = "vault-helm"