A Helm chart to configure HashiCorp's Vault.

This chart is used by the Validated Patterns installation script that can be found here.
Homepage: https://github.com/validatedpatterns/hashicorp-vault-chart
| Name | Email | Url |
|---|---|---|
| Validated Patterns Team | validatedpatterns@googlegroups.com | |

| Repository | Name | Version |
|---|---|---|
| https://helm.releases.hashicorp.com | vault | 0.32.0 |

| Key | Type | Default | Description |
|---|---|---|---|
| global | object | depends on the individual settings | The global namespace contains some globally used variables used in patterns |
| global.localClusterDomain | string | `"apps.foo.cluster.com"` | The DNS entry for the cluster the chart is being rendered on, with the `apps.` prefix |
| global.openshift | bool | `true` | Setting this enforces OpenShift templates for the vault chart |
| vault | object | depends on the individual settings | A number of settings passed down to the vault subchart |
| vault.injector.enabled | bool | `false` | Vault agent injection support |
| vault.server.extraEnvironmentVars | object | `{"VAULT_ADDR":"https://vault.vault.svc.cluster.local:8200","VAULT_CACERT":"/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"}` | Additional environment variables injected into the vault pod |
| vault.server.extraVolumes | list | `[{"name":"vault-secret","type":"secret"}]` | Extra volumes that are automatically mounted in the vault pod under `/vault/userconfig/` |
| vault.server.image.repository | string | `"registry.connect.redhat.com/hashicorp/vault"` | Where to fetch the vault images from |
| vault.server.image.tag | string | `"1.21.4-ubi"` | Tag to use for the vault image |
| vault.server.route.enabled | bool | `true` | Enable route support when exposing the vault |
| vault.server.route.tls.termination | string | `"reencrypt"` | Termination type of the vault route |
| vault.server.service.enabled | bool | `true` | Enables an associated k8s service when running the vault |
| vault.server.service.internal.annotations | object | `{"service.beta.openshift.io/serving-cert-secret-name":"vault-secret-internal"}` | Annotation to inject a secret called `vault-secret-internal` into the internal service |
| vault.server.service.nonha.annotations | object | `{"service.beta.openshift.io/serving-cert-secret-name":"vault-secret"}` | Annotation to inject a secret called `vault-secret` into the nonha service |
| vault.server.standalone | object | `{"config":"ui = true\nlistener \"tcp\" {\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n tls_cert_file = \"/vault/userconfig/vault-secret/tls.crt\"\n tls_key_file = \"/vault/userconfig/vault-secret/tls.key\"\n}\nstorage \"file\" {\n path = \"/vault/data\"\n}\n"}` | Base configuration for the standalone vault server |
| vault.ui.enabled | bool | `true` | Vault UI support |

Autogenerated from chart metadata using helm-docs v1.14.2

- Edit Chart.yaml with the new version
- In the hashicorp-vault folder, run: `helm dependency update .`
- Run `./update-helm-dependency.sh`
- Check that the images in ./values.yaml are the same version as upstream
- Git add the new chart in `./charts/vault-<version>.tgz`

In order to be able to use vault SSL we need to patch the helm chart to fix upstream issue 674. Basically, a single annotation for both the internal service and the non-internal service is a problem, because the annotations in the service section are applied to both the vault and the vault-internal services and there is no way to distinguish between the two. When deploying to OpenShift and the annotation is used to request a certificate, this causes a race condition, because two services are trying to modify the same secret (containing the certificate).
This is why we set the following in the values files:

```yaml
nonha:
  # -- Annotation to inject a secret called `vault-secret` to the nonha service
  annotations:
    service.beta.openshift.io/serving-cert-secret-name: vault-secret
internal:
  # -- Annotation to inject a secret called `vault-secret-internal` to the internal service
  annotations:
    service.beta.openshift.io/serving-cert-secret-name: vault-secret-internal
```
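A pre-deploy check for the race condition described above, added here as an example and not part of the chart: it walks rendered manifests (parsed `helm template` output, assumed to be available as a list of dicts) and flags every serving-cert Secret that more than one Service asks service-ca to write into. The sample Services are constructed to mirror the upstream behaviour and the patched values.

```python
"""Detect two Services requesting a serving certificate into the same Secret.
Added example, not part of the hashicorp-vault chart."""
from collections import defaultdict

SERVING_CERT_ANNOTATION = "service.beta.openshift.io/serving-cert-secret-name"


def find_shared_serving_cert_secrets(manifests):
    """Return {secret_name: [service, ...]} for every Secret name that more than
    one Service requests via the service-ca annotation.

    `manifests` is a list of parsed Kubernetes objects (dicts), e.g. the
    documents of `helm template` output after YAML -> JSON conversion."""
    users = defaultdict(list)
    for obj in manifests:
        if not isinstance(obj, dict) or obj.get("kind") != "Service":
            continue
        meta = obj.get("metadata") or {}
        secret = (meta.get("annotations") or {}).get(SERVING_CERT_ANNOTATION)
        if secret:
            users[secret].append(meta.get("name", "<unnamed>"))
    # Only Secrets with two or more writers are a problem.
    return {s: names for s, names in users.items() if len(names) > 1}


def _service(name, secret):
    # Constructed sample Service, shaped like the ones the vault subchart renders.
    return {"apiVersion": "v1", "kind": "Service",
            "metadata": {"name": name,
                         "annotations": {SERVING_CERT_ANNOTATION: secret}}}


# Constructed samples: the upstream behaviour (one annotation copied to both
# Services) versus the distinct secret names this chart sets.
UPSTREAM_MANIFESTS = [_service("vault", "vault-secret"),
                      _service("vault-internal", "vault-secret")]
PATCHED_MANIFESTS = [_service("vault", "vault-secret"),
                     _service("vault-internal", "vault-secret-internal")]

if __name__ == "__main__":
    for label, docs in (("upstream", UPSTREAM_MANIFESTS), ("patched", PATCHED_MANIFESTS)):
        conflicts = find_shared_serving_cert_secrets(docs)
        if conflicts:
            for secret, services in conflicts.items():
                print(f"{label}: Secret {secret!r} requested by {services}")
        else:
            print(f"{label}: no shared serving-cert Secrets")
```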
Make sure to run `./update-helm-dependency.sh` after you have updated the subchart (by calling `helm dependency update .`).
We can drop this local patch once upstream merges https://www.github.com/hashicorp/vault-helm/pull/1179