really ugly hack/slash proof-of-concept, forked from consul-helm
This commit is contained in:
parent
a2235339eb
commit
d72a939a51
10 changed files with 87 additions and 168 deletions
|
@ -1,27 +1,27 @@
|
|||
# Service for Vault DNS.
|
||||
# TODO: verify for Vault
|
||||
{{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.global.enabled)) }}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ template "vault.fullname" . }}-dns
|
||||
labels:
|
||||
app: {{ template "vault.name" . }}
|
||||
chart: {{ template "vault.chart" . }}
|
||||
heritage: {{ .Release.Service }}
|
||||
release: {{ .Release.Name }}
|
||||
spec:
|
||||
ports:
|
||||
- name: dns-tcp
|
||||
port: 53
|
||||
protocol: "TCP"
|
||||
targetPort: dns-tcp
|
||||
- name: dns-udp
|
||||
port: 53
|
||||
protocol: "UDP"
|
||||
targetPort: dns-udp
|
||||
selector:
|
||||
app: {{ template "vault.name" . }}
|
||||
release: "{{ .Release.Name }}"
|
||||
hasDNS: "true"
|
||||
{{- end }}
|
||||
## TODO: verify for Vault
|
||||
#{{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.global.enabled)) }}
|
||||
#apiVersion: v1
|
||||
#kind: Service
|
||||
#metadata:
|
||||
# name: {{ template "vault.fullname" . }}-dns
|
||||
# labels:
|
||||
# app: {{ template "vault.name" . }}
|
||||
# chart: {{ template "vault.chart" . }}
|
||||
# heritage: {{ .Release.Service }}
|
||||
# release: {{ .Release.Name }}
|
||||
#spec:
|
||||
# ports:
|
||||
# - name: dns-tcp
|
||||
# port: 53
|
||||
# protocol: "TCP"
|
||||
# targetPort: dns-tcp
|
||||
# - name: dns-udp
|
||||
# port: 53
|
||||
# protocol: "UDP"
|
||||
# targetPort: dns-udp
|
||||
# selector:
|
||||
# app: {{ template "vault.name" . }}
|
||||
# release: "{{ .Release.Name }}"
|
||||
# hasDNS: "true"
|
||||
#{{- end }}
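Review bot: Commenting the manifest out with `#` does not stop Helm from evaluating the template actions on those lines — `#{{- if ... }}`, `{{ template "vault.fullname" . }}` and `#{{- end }}` are still executed by the Go template engine, so a missing `.Values.dns` key or a renamed helper would still break the render and the if/end pair must still balance. If the DNS service is not wanted for Vault, wrapping the whole block in a template comment `{{/* ... */}}` or deleting the file is the reliable way to disable it. Note also that the `hasDNS: "true"` selector no longer matches anything once the statefulset drops that label, as the other hunks on this page appear to do.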
|
||||
|
|
|
@ -10,6 +10,6 @@ metadata:
|
|||
heritage: {{ .Release.Service }}
|
||||
release: {{ .Release.Name }}
|
||||
data:
|
||||
extra-from-values.json: |-
|
||||
extra-from-values.hcl: |-
|
||||
{{ tpl .Values.server.extraConfig . | indent 4 }}
|
||||
{{- end }}
|
||||
|
|
|
@ -4,17 +4,17 @@
|
|||
apiVersion: policy/v1beta1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: {{ template "consul.fullname" . }}-server
|
||||
name: {{ template "vault.fullname" . }}-server
|
||||
labels:
|
||||
app: {{ template "consul.name" . }}
|
||||
chart: {{ template "consul.chart" . }}
|
||||
app: {{ template "vault.name" . }}
|
||||
chart: {{ template "vault.chart" . }}
|
||||
heritage: {{ .Release.Service }}
|
||||
release: {{ .Release.Name }}
|
||||
spec:
|
||||
maxUnavailable: {{ template "consul.pdb.maxUnavailable" . }}
|
||||
maxUnavailable: {{ template "vault.pdb.maxUnavailable" . }}
|
||||
selector:
|
||||
matchLabels:
|
||||
app: {{ template "consul.name" . }}
|
||||
app: {{ template "vault.name" . }}
|
||||
release: "{{ .Release.Name }}"
|
||||
component: server
|
||||
{{- end }}
|
||||
|
|
|
@ -26,35 +26,8 @@ spec:
|
|||
publishNotReadyAddresses: true
|
||||
ports:
|
||||
- name: http
|
||||
port: 8500
|
||||
targetPort: 8500
|
||||
- name: serflan-tcp
|
||||
protocol: "TCP"
|
||||
port: 8301
|
||||
targetPort: 8301
|
||||
- name: serflan-udp
|
||||
protocol: "UDP"
|
||||
port: 8301
|
||||
targetPort: 8301
|
||||
- name: serfwan-tcp
|
||||
protocol: "TCP"
|
||||
port: 8302
|
||||
targetPort: 8302
|
||||
- name: serfwan-udp
|
||||
protocol: "UDP"
|
||||
port: 8302
|
||||
targetPort: 8302
|
||||
- name: server
|
||||
port: 8300
|
||||
targetPort: 8300
|
||||
- name: dns-tcp
|
||||
protocol: "TCP"
|
||||
port: 8600
|
||||
targetPort: dns-tcp
|
||||
- name: dns-udp
|
||||
protocol: "UDP"
|
||||
port: 8600
|
||||
targetPort: dns-udp
|
||||
port: 8200
|
||||
targetPort: 8200
|
||||
selector:
|
||||
app: {{ template "vault.name" . }}
|
||||
release: "{{ .Release.Name }}"
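Review bot: The surviving `- name: http` entry now fronts Vault's API listener on 8200, and with the `tls_disable = 1` listener shipped as the default in values.yaml on this page that traffic is plaintext inside the cluster; the port name should track the listener (`https` once TLS is on) so clients and monitoring do not assume clear text. `publishNotReadyAddresses: true` is inherited from the Consul chart and, with the readiness probe commented out in the statefulset, means every pod is routable regardless of seal state — if that is intentional for peer discovery it deserves a comment such as `# publishNotReadyAddresses lets sealed/standby pods resolve for peer discovery; API clients should not use this service`. The service header and `clusterIP` setting are outside the hunk.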
|
||||
|
|
|
@ -13,6 +13,7 @@ spec:
|
|||
serviceName: {{ template "vault.fullname" . }}-server
|
||||
podManagementPolicy: Parallel
|
||||
replicas: {{ .Values.server.replicas }}
|
||||
# TODO: verify for Vault
|
||||
{{- if (gt (int .Values.server.updatePartition) 0) }}
|
||||
updateStrategy:
|
||||
type: RollingUpdate
|
||||
|
@ -25,7 +26,7 @@ spec:
|
|||
chart: {{ template "vault.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
component: server
|
||||
hasDNS: "true"
|
||||
#hasDNS: "true"
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
|
@ -33,7 +34,7 @@ spec:
|
|||
chart: {{ template "vault.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
component: server
|
||||
hasDNS: "true"
|
||||
#hasDNS: "true"
|
||||
spec:
|
||||
affinity:
|
||||
podAntiAffinity:
|
||||
|
@ -62,6 +63,9 @@ spec:
|
|||
{{- end }}
|
||||
containers:
|
||||
- name: vault
|
||||
securityContext:
|
||||
fsGroup: 1000
|
||||
privileged: true
|
||||
image: "{{ default .Values.global.image .Values.server.image }}"
|
||||
env:
|
||||
- name: POD_IP
|
||||
|
@ -72,39 +76,13 @@ spec:
|
|||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
env:
|
||||
- name: VAULT_ADDR
|
||||
value: "http://localhost:8200"
|
||||
command:
|
||||
- ""
|
||||
# should give us dev server
|
||||
#- "/bin/sh"
|
||||
#- "-ec"
|
||||
#- |
|
||||
#vault_FULLNAME="{{template "vault.fullname" . }}"
|
||||
|
||||
#exec "hello vault"
|
||||
#exec /bin/vault agent \
|
||||
# -advertise="${POD_IP}" \
|
||||
# -bind=0.0.0.0 \
|
||||
# -bootstrap-expect={{ .Values.server.bootstrapExpect }} \
|
||||
# -client=0.0.0.0 \
|
||||
# -config-dir=/vault/config \
|
||||
# {{- range .Values.server.extraVolumes }}
|
||||
# {{- if .load }}
|
||||
# -config-dir=/vault/userconfig/{{ .name }}
|
||||
# {{- end }}
|
||||
# {{- end }}
|
||||
# -datacenter={{ .Values.global.datacenter }} \
|
||||
# -data-dir=/vault/data \
|
||||
# -domain={{ .Values.global.domain }} \
|
||||
# {{- if .Values.server.connect }}
|
||||
# -hcl="connect { enabled = true }" \
|
||||
# {{- end }}
|
||||
# {{- if .Values.ui.enabled }}
|
||||
# -ui \
|
||||
# {{- end }}
|
||||
# {{- range $index := until (.Values.server.replicas | int) }}
|
||||
# -retry-join=${vault_FULLNAME}-server-{{ $index }}.${vault_FULLNAME}-server.${NAMESPACE}.svc \
|
||||
# {{- end }}
|
||||
# -server
|
||||
- "vault"
|
||||
- "server"
|
||||
- "-config=/vault/config/"
|
||||
volumeMounts:
|
||||
- name: data
|
||||
mountPath: /vault/data
|
||||
|
@ -119,40 +97,26 @@ spec:
|
|||
preStop:
|
||||
exec:
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
- vault leave
|
||||
- vault step-down
|
||||
ports:
|
||||
- containerPort: 8500
|
||||
- containerPort: 8200
|
||||
name: http
|
||||
- containerPort: 8301
|
||||
name: serflan
|
||||
- containerPort: 8302
|
||||
name: serfwan
|
||||
- containerPort: 8300
|
||||
name: server
|
||||
- containerPort: 8600
|
||||
name: dns-tcp
|
||||
protocol: "TCP"
|
||||
- containerPort: 8600
|
||||
name: dns-udp
|
||||
protocol: "UDP"
|
||||
readinessProbe:
|
||||
# NOTE(mitchellh): when our HTTP status endpoints support the
|
||||
# proper status codes, we should switch to that. This is temporary.
|
||||
# TODO: verify for Vault
|
||||
#exec:
|
||||
# command:
|
||||
# - "/bin/sh"
|
||||
# - "-ec"
|
||||
# - |
|
||||
# curl http://127.0.0.1:8500/v1/status/leader 2>/dev/null | \
|
||||
# grep -E '".+"'
|
||||
failureThreshold: 2
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 3
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 5
|
||||
#readinessProbe:
|
||||
# # NOTE(mitchellh): when our HTTP status endpoints support the
|
||||
# # proper status codes, we should switch to that. This is temporary.
|
||||
# # TODO: verify for Vault
|
||||
# #exec:
|
||||
# # command:
|
||||
# # - "/bin/sh"
|
||||
# # - "-ec"
|
||||
# # - |
|
||||
# # curl http://127.0.0.1:8500/v1/status/leader 2>/dev/null | \
|
||||
# # grep -E '".+"'
|
||||
# failureThreshold: 2
|
||||
# initialDelaySeconds: 5
|
||||
# periodSeconds: 3
|
||||
# successThreshold: 1
|
||||
# timeoutSeconds: 5
|
||||
volumeClaimTemplates:
|
||||
- metadata:
|
||||
name: data
|
||||
|
|
|
@ -1,31 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: "{{ template "consul.fullname" . }}-test-{{ randAlphaNum 5 | lower }}"
|
||||
labels:
|
||||
app: {{ template "consul.name" . }}
|
||||
chart: {{ template "consul.chart" . }}
|
||||
heritage: {{ .Release.Service }}
|
||||
release: {{ .Release.Name }}
|
||||
annotations:
|
||||
"helm.sh/hook": test-success
|
||||
spec:
|
||||
containers:
|
||||
- name: consul-test
|
||||
image: "{{ .Values.global.image }}"
|
||||
env:
|
||||
- name: HOST_IP
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: status.hostIP
|
||||
command:
|
||||
- "/bin/sh"
|
||||
- "-ec"
|
||||
- |
|
||||
export VALUE="{{randAlphaNum 24 | lower }}"
|
||||
export CONSUL_HTTP_ADDR="${HOST_IP}:8500"
|
||||
consul kv delete _consul_helm_test
|
||||
consul kv put _consul_helm_test $VALUE
|
||||
[ `consul kv get _consul_helm_test` = "$VALUE" ]
|
||||
consul kv delete _consul_helm_test
|
||||
restartPolicy: Never
|
|
@ -21,7 +21,7 @@ spec:
|
|||
ports:
|
||||
- name: http
|
||||
port: 80
|
||||
targetPort: 8500
|
||||
targetPort: 8200
|
||||
{{- if .Values.ui.service.type }}
|
||||
type: {{ .Values.ui.service.type }}
|
||||
{{- end }}
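Review bot: `targetPort: 8200` points the UI service at Vault's full HTTP API listener, not a UI-only port, so whenever `ui.service.type` is set to `LoadBalancer` or `NodePort` the entire API is exposed outside the cluster on port 80 — and in clear text given the `tls_disable = 1` default in values.yaml on this page. Worth a comment on the port entry, `# 8200 serves the whole Vault API, not just the UI; keep this ClusterIP unless TLS is enabled`, and ideally a template guard that refuses an external service type while TLS is disabled. The rest of the service spec is outside the hunk.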
|
||||
|
|
|
@ -3,7 +3,9 @@ locals {
|
|||
}
|
||||
|
||||
provider "google" {
|
||||
project = "${var.project}"
|
||||
project = "${var.project}"
|
||||
region = "us-central1"
|
||||
credentials = "${file("vault-helm-dev-creds.json")}"
|
||||
}
|
||||
|
||||
resource "random_id" "suffix" {
|
||||
|
@ -15,7 +17,7 @@ data "google_container_engine_versions" "main" {
|
|||
}
|
||||
|
||||
resource "google_container_cluster" "cluster" {
|
||||
name = "consul-k8s-${random_id.suffix.dec}"
|
||||
name = "vault-helm-dev-${random_id.suffix.dec}"
|
||||
project = "${var.project}"
|
||||
enable_legacy_abac = true
|
||||
initial_node_count = 5
|
||||
|
@ -55,7 +57,7 @@ resource "null_resource" "kubectl" {
|
|||
}
|
||||
|
||||
resource "null_resource" "helm" {
|
||||
count = "${var.init_cli ? 1 : 0 }"
|
||||
count = "${var.init_cli ? 1 : 0 }"
|
||||
depends_on = ["null_resource.kubectl"]
|
||||
|
||||
triggers {
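Review bot: `credentials = "${file("vault-helm-dev-creds.json")}"` hard-codes a GCP service-account key file sitting next to the Terraform code, which invites the key being committed alongside it; nothing on this page shows a `.gitignore` entry for that path. Prefer leaving `credentials` unset so the provider falls back to `GOOGLE_APPLICATION_CREDENTIALS` or gcloud application-default credentials, or make the path a variable with no default, and add `# local dev key only — never commit` next to it. `enable_legacy_abac = true` on the cluster is inherited context rather than new, but it relaxes authorization on a cluster that will run Vault, so it deserves at least a `# dev cluster only` comment.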
|
||||
|
|
|
@ -1,4 +1,6 @@
|
|||
variable "project" {
|
||||
default = "vault-helm-dev"
|
||||
|
||||
description = <<EOF
|
||||
Google Cloud Project to launch resources in. This project must have GKE
|
||||
enabled and billing activated. We can't use the GOOGLE_PROJECT environment
|
||||
|
@ -12,6 +14,6 @@ variable "zone" {
|
|||
}
|
||||
|
||||
variable "init_cli" {
|
||||
default = false
|
||||
default = true
|
||||
description = "Whether to init the CLI tools kubectl, helm, etc. or not."
|
||||
}
|
||||
|
|
19
values.yaml
19
values.yaml
|
@ -17,7 +17,8 @@ global:
|
|||
|
||||
# Image is the name (and tag) of the Vault Docker image for clients and
|
||||
# servers below. This can be overridden per component.
|
||||
image: "vault:0.11.1"
|
||||
#image: "vault:0.11.1"
|
||||
image: "vault"
|
||||
|
||||
# Datacenter is the name of the datacenter that the agents should register
|
||||
# as. This shouldn't be changed once the Vault cluster is up and running
|
||||
|
@ -29,7 +30,7 @@ global:
|
|||
server:
|
||||
enabled: "-"
|
||||
image: null
|
||||
replicas: 3
|
||||
replicas: 1
|
||||
|
||||
# storage and storageClass are the settings for configuring stateful
|
||||
# storage for the server pods. storage should be set to the disk size of
|
||||
|
@ -46,13 +47,14 @@ server:
|
|||
# updatePartition is used to control a careful rolling update of Vault
|
||||
# servers. This should be done particularly when changing the version
|
||||
# of Vault. Please refer to the documentation for more information.
|
||||
# TODO: verify for Vaultt
|
||||
# TODO: verify for Vault
|
||||
updatePartition: 0
|
||||
|
||||
# disruptionBudget enables the creation of a PodDisruptionBudget to
|
||||
# prevent voluntary degrading of the Vault server cluster.
|
||||
disruptionBudget:
|
||||
enabled: true
|
||||
#enabled: true
|
||||
enabled: false
|
||||
|
||||
# maxUnavailable will default to (n/2)-1 where n is the number of
|
||||
# replicas. If you'd like a custom value, you can specify an override here.
|
||||
|
@ -61,7 +63,14 @@ server:
|
|||
# extraConfig is a raw string of extra configuration to set with the
|
||||
# server. This should be JSON or HCL.
|
||||
extraConfig: |
|
||||
{}
|
||||
ui = true
|
||||
listener "tcp" {
|
||||
tls_disable = 1
|
||||
address = "0.0.0.0:8200"
|
||||
}
|
||||
storage "file" {
|
||||
path = "/vault/data"
|
||||
}
|
||||
|
||||
# extraVolumes is a list of extra volumes to mount. These will be exposed
|
||||
# to Vault in the path `/vault/userconfig/<name>/`. The value below is
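Review bot: The new default `extraConfig` turns on `tls_disable = 1` and binds the listener on `0.0.0.0:8200`, so a chart installed with stock values runs Vault's API in plaintext on every pod interface; the defaults should ship TLS on, or at minimum mark this block as dev-only, so the unsafe path is opt-in. `image: "vault"` without a tag resolves to `:latest`, which makes installs non-reproducible and silently pulls whatever is published next — keep a pinned tag like the `vault:0.11.1` being removed, ideally with a digest. `storage "file"` with `replicas: 1` and `disruptionBudget.enabled: false` is acceptable for a PoC but no longer matches the `(n/2)-1` maxUnavailable comment below, so a header comment on extraConfig such as `# DEV DEFAULTS: plaintext listener, file storage, single replica — not for production` would make the intent explicit.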
|
||||
|
|