From e1304d0c6b44a85a4d4b56a574cb4f059f537c6c Mon Sep 17 00:00:00 2001
From: Clint Shryock
Date: Fri, 28 Sep 2018 15:45:58 -0500
Subject: [PATCH] trim, s/Consul/Vault
---
 values.yaml | 131 ++++++++--------------------------------------------
 1 file changed, 20 insertions(+), 111 deletions(-)
diff --git a/values.yaml b/values.yaml
index 83182d3..14ce4ed 100644
--- a/values.yaml
+++ b/values.yaml
@@ -1,7 +1,7 @@
-# Available parameters and their default values for the Consul chart.
+# Available parameters and their default values for the Vault chart.
 # Server, when enabled, configures a server cluster to run. This should
-# be disabled if you plan on connecting to a Consul cluster external to
+# be disabled if you plan on connecting to a Vault cluster external to
 # the Kube cluster.
 global:
@@ -11,29 +11,25 @@ global:
 # value.
 enabled: true
- # Domain to register the Consul DNS server to listen for.
- domain: consul
+ # Domain to register the Vault DNS server to listen for.
+ # TODO: verify for Vault
+ domain: vault
- # Image is the name (and tag) of the Consul Docker image for clients and
+ # Image is the name (and tag) of the Vault Docker image for clients and
 # servers below. This can be overridden per component.
- image: "consul:1.2.3"
-
- # imageK8S is the name (and tag) of the consul-k8s Docker image that
- # is used for functionality such as the catalog sync. This can be overridden
- # per component below.
- imageK8S: "hashicorp/consul-k8s:0.1.0"
+ image: "vault:0.11.1"
 # Datacenter is the name of the datacenter that the agents should register
- # as. This shouldn't be changed once the Consul cluster is up and running
- # since Consul doesn't support an automatic way to change this value
- # currently: https://github.com/hashicorp/consul/issues/1858
+ # as. This shouldn't be changed once the Vault cluster is up and running
+ # since Vault doesn't support an automatic way to change this value
+ # currently: https://github.com/hashicorp/vault/issues/1858
+ # TODO: verify for Vault
 datacenter: dc1
 server:
 enabled: "-"
 image: null
 replicas: 3
- bootstrapExpect: 3 # Should <= replicas count
 # storage and storageClass are the settings for configuring stateful
 # storage for the server pods. storage should be set to the disk size of
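Review bot: The issue link in the rewritten `datacenter` comment went through the same search-and-replace as the prose, so `# currently: https://github.com/hashicorp/vault/issues/1858` now points at whichever Vault issue happens to carry that number rather than the Consul issue the original cited, and the `# TODO: verify for Vault` line added right below it suggests this was not checked. Either keep the original Consul URL and label it as such, e.g. `# currently (Consul issue, no Vault equivalent known): https://github.com/hashicorp/consul/issues/1858`, or drop the link until a Vault-specific reference exists. The same applies to `domain` and `datacenter` themselves, which look like Consul agent settings carried over; if the Vault templates do not consume them, leaving them in `values.yaml` invites operators to set values that silently do nothing, so the two TODOs are best resolved by removing the keys or documenting what the chart does with them.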
@@ -42,23 +38,19 @@ server:
 storage: 10Gi
 storageClass: null
- # connect will enable Connect on all the servers, initializing a CA
- # for Connect-related connections. Other customizations can be done
- # via the extraConfig setting.
- connect: true
-
 # Resource requests, limits, etc. for the server cluster placement. This
 # should map directly to the value of the resources field for a PodSpec.
 # By default no direct resource request is made.
 resources: {}
- # updatePartition is used to control a careful rolling update of Consul
+ # updatePartition is used to control a careful rolling update of Vault
 # servers. This should be done particularly when changing the version
- # of Consul. Please refer to the documentation for more information.
+ # of Vault. Please refer to the documentation for more information.
+ # TODO: verify for Vaultt
 updatePartition: 0
 # disruptionBudget enables the creation of a PodDisruptionBudget to
- # prevent voluntary degrading of the Consul server cluster.
+ # prevent voluntary degrading of the Vault server cluster.
 disruptionBudget:
 enabled: true
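Review bot: The added TODO line has a typo, `# TODO: verify for Vaultt` should read `# TODO: verify for Vault`, matching the identical TODO lines earlier in the file. Beyond the typo, `updatePartition` and `disruptionBudget` are StatefulSet and PodDisruptionBudget controls rather than anything Consul-specific, so the TODO would be more useful if it named what needs verifying (for example, that the rolling-update guidance the comment defers to exists for Vault) instead of leaving an open-ended note. The `server:` mapping this hunk edits begins and ends outside the hunk.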
@@ -72,38 +64,12 @@ server:
 {}
 # extraVolumes is a list of extra volumes to mount. These will be exposed
- # to Consul in the path `/consul/userconfig//`. The value below is
+ # to Vault in the path `/vault/userconfig//`. The value below is
 # an array of objects, examples are shown below.
 extraVolumes: []
 # - type: secret (or "configMap")
 # name: my-secret
- # load: false # if true, will add to `-config-dir` to load by Consul
-
-# Client, when enabled, configures Consul clients to run on every node
-# within the Kube cluster. The current deployment model follows a traditional
-# DC where a single agent is deployed per node.
-client:
- enabled: "-"
- image: null
- join: null
-
- # Resource requests, limits, etc. for the client cluster placement. This
- # should map directly to the value of the resources field for a PodSpec.
- # By default no direct resource request is made.
- resources: {}
-
- # extraConfig is a raw string of extra configuration to set with the
- # server. This should be JSON or HCL.
- extraConfig: |
- {}
-
- # extraVolumes is a list of extra volumes to mount. These will be exposed
- # to Consul in the path `/consul/userconfig//`. The value below is
- # an array of objects, examples are shown below.
- extraVolumes: []
- # - type: secret (or "configMap")
- # name: my-secret
- # load: false # if true, will add to `-config-dir` to load by Consul
+ # load: false # if true, will add to `-config-dir` to load by Vault
 # Configuration for DNS configuration within the Kubernetes cluster.
 # This creates a service that routes to all agents (client or server)
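Review bot: The rewritten `load: false` example comment still refers to `-config-dir`, which is a Consul agent flag; the Vault server binary has no such flag (its `-config` option takes a file or a directory), so a reader following this comment would look for an option that does not exist. The comment should name whatever the chart's template actually passes once it is ported, along the lines of "if true, the mount is passed to Vault's -config flag so it is loaded", and be re-checked against the template, which is not visible here. Two smaller points in the same hunk: the path in the `extraVolumes` comment, `/vault/userconfig//`, has an empty segment where a placeholder for the volume name was presumably lost, and the trailing context `# This creates a service that routes to all agents (client or server)` still describes the `client` deployment this hunk deletes.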
@@ -115,13 +81,13 @@ dns:
 enabled: "-"
 ui:
- # True if you want to enable the Consul UI. The UI will run only
+ # True if you want to enable the Vault UI. The UI will run only
 # on the server nodes. This makes UI access via the service below (if
- # enabled) predictable rather than "any node" if you're running Consul
+ # enabled) predictable rather than "any node" if you're running Vault
 # clients as well.
 enabled: "-"
- # True if you want to create a Service entry for the Consul UI.
+ # True if you want to create a Service entry for the Vault UI.
 #
 # serviceType can be used to control the type of service created. For
 # example, setting this to "LoadBalancer" will create an external load
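Review bot: The rewritten comment still ends with `# enabled) predictable rather than "any node" if you're running Vault` / `# clients as well.`, but the `client` section that sentence refers to is deleted earlier in this same commit (the `@@ -72,38 +64,12 @@` hunk), and Vault's deployment model has no equivalent of Consul's per-node client agents, so the caveat no longer explains anything. Trimming the block to `# True if you want to enable the Vault UI. The UI runs on the server pods.` states what is left. Separately, Vault only serves its UI when the server configuration enables it (`ui = true`); if the chart's server config template does not derive that from `ui.enabled`, this value alone will not expose the UI, which is worth confirming against the template, which is not visible here.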
@@ -129,60 +95,3 @@ ui:
 service:
 enabled: true
 type: null
-
-# syncCatalog will run the catalog sync process to sync K8S with Consul
-# services. This can run bidirectional (default) or unidirectionally (Consul
-# to K8S or K8S to Consul only).
-#
-# This process assumes that a Consul agent is available on the host IP.
-# This is done automatically if clients are enabled. If clients are not
-# enabled then set the node selection so that it chooses a node with a
-# Consul agent.
-syncCatalog:
- # True if you want to enable the catalog sync. "-" for default.
- enabled: false
- image: null
-
- # toConsul and toK8S control whether syncing is enabled to Consul or K8S
- # as a destination. If both of these are disabled, the sync will do nothing.
- toConsul: true
- toK8S: true
-
- # k8sPrefix is the service prefix to prepend to services before registering
- # with Kubernetes. For example "consul-" will register all services
- # prepended with "consul-".
- k8sPrefix: null
-
-# ConnectInject will enable the automatic Connect sidecar injector.
-connectInject:
- enabled: false # "-" disable this by default for now until the image is public
- image: "TODO"
- default: false # true will inject by default, otherwise requires annotation
- caBundle: "" # empty will auto generate the bundle
-
- # namespaceSelector is the selector for restricting the webhook to only
- # specific namespaces. This should be set to a multiline string.
- namespaceSelector: null
-
- # The certs section configures how the webhook TLS certs are configured.
- # These are the TLS certs for the Kube apiserver communicating to the
- # webhook. By default, the injector will generate and manage its own certs,
- # but this requires the ability for the injector to update its own
- # MutatingWebhookConfiguration. In a production environment, custom certs
- # should probaly be used. Configure the values below to enable this.
- certs:
- # secretName is the name of the secret that has the TLS certificate and
- # private key to serve the injector webhook. If this is null, then the
- # injector will default to its automatic management mode.
- secretName: null
-
- # caBundle is a base64-encoded PEM-encoded certificate bundle for the
- # CA that signed the TLS certificate that the webhook serves. This must
- # be set if secretName is non-null.
- caBundle: ""
-
- # certName and keyName are the names of the files within the secret for
- # the TLS cert and private key, respectively. These have reasonable
- # defaults but can be customized if necessary.
- certName: tls.crt
- keyName: tls.key