diff --git a/website/data/docs-navigation.js b/website/data/docs-navigation.js index 0efe012709..65902b14b9 100644 --- a/website/data/docs-navigation.js +++ b/website/data/docs-navigation.js @@ -314,7 +314,20 @@ export default [ content: [ { category: 'helm', - content: ['run', 'configuration', 'examples'] + content: [ + 'run', + 'configuration', + { + category: 'examples', + content: [ + 'standalone-load-balanced-ui', + 'standalone-tls', + 'standalone-audit', + 'ha-with-consul', + 'kubernetes-auth' + ] + }, + ], }, { category: 'injector', diff --git a/website/pages/docs/platform/k8s/helm/examples/ha-with-consul.mdx b/website/pages/docs/platform/k8s/helm/examples/ha-with-consul.mdx new file mode 100644 index 0000000000..98f13a758f --- /dev/null +++ b/website/pages/docs/platform/k8s/helm/examples/ha-with-consul.mdx 
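Review bot: The last entry of the new nested `content` array, `'kubernetes-auth'`, carries no trailing comma, while the object and array closed immediately after it in the same hunk (`},` and `],`) both do; since the rest of the change is written in trailing-comma style, the line should read `'kubernetes-auth',` so a formatter pass does not rewrite it later. Each string in that array is resolved to a page under the `examples` category, which this diff backs with `examples/index.mdx` plus one file per entry, so any later rename of one of those pages has to be mirrored here or the sidebar link breaks. The enclosing `export default [` array begins well before this hunk and ends after it.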
@@ -0,0 +1,65 @@ +--- +layout: "docs" +page_title: "Highly Available Vault Cluster with Consul" +sidebar_current: "docs-platform-k8s-examples-ha-with-consul" +sidebar_title: "Highly Available Vault Cluster with Consul" +description: |- + Describes how to set up a highly available Vault cluster with Consul backend +--- + +# Highly Available Vault Cluster with Consul + +~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart. + +The below `values.yaml` can be used to set up a five server Vault cluster using +Consul as a highly available storage backend, Google Cloud KMS for Auto Unseal. + +```yaml +server: + extraEnvironmentVars: + GOOGLE_REGION: global + GOOGLE_PROJECT: myproject + GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/my-gcp-iam/myproject-creds.json + + extraVolumes: + - type: secret + name: my-gcp-iam + + affinity: | + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app: {{ template "vault.name" . }} + release: "{{ .Release.Name }}" + component: server + topologyKey: kubernetes.io/hostname + + service: + enabled: true + + ha: + enabled: true + replicas: 5 + + config: | + ui = true + + listener "tcp" { + tls_disable = 1 + address = "[::]:8200" + cluster_address = "[::]:8201" + } + + storage "consul" { + path = "vault" + address = "HOST_IP:8500" + } + + seal "gcpckms" { + project = "myproject" + region = "global" + key_ring = "vault-unseal-kr" + crypto_key = "vault-unseal-key" + } +``` diff --git a/website/pages/docs/platform/k8s/helm/examples/index.mdx b/website/pages/docs/platform/k8s/helm/examples/index.mdx new file mode 100644 index 0000000000..32be2bd514 --- /dev/null +++ b/website/pages/docs/platform/k8s/helm/examples/index.mdx 
@@ -0,0 +1,17 @@
+---
+layout: "docs"
+page_title: "Examples"
+sidebar_current: "docs-platform-k8s-examples"
+sidebar_title: "Examples"
+description: |-
+ This section documents configuration options for the Vault Helm chart
+---
+
+# Helm Chart Examples
+
+~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
+
+These are a collection of examples of common configurations for Vault using the Helm chart.
+
+The following are different configuration examples to support a variety of
+deployment models. You can view the different examples from the list on the left.
diff --git a/website/pages/docs/platform/k8s/helm/examples/kubernetes-auth.mdx b/website/pages/docs/platform/k8s/helm/examples/kubernetes-auth.mdx
new file mode 100644
index 0000000000..c5c55da35b
--- /dev/null
+++ b/website/pages/docs/platform/k8s/helm/examples/kubernetes-auth.mdx
@@ -0,0 +1,47 @@
+---
+layout: "docs"
+page_title: "Using Kubernetes Auth Method"
+sidebar_current: "docs-platform-k8s-examples-kubernetes-auth"
+sidebar_title: "Using Kubernetes Auth Method"
+description: |-
+ Describes how to set up Kubernetes Auth method
+---
+
+# Bootstrapping Kubernetes Auth Method
+
+~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
+
+In this example, we will walk through how to set up the [Kubernetes Auth Method](/docs/auth/kubernetes.html).
+
+This assumes the following commands will be run inside a Vault pod running in Kubernetes.
+
+You will optionally need the following variables:
+
+```bash
+# JWT is a service account token that has access to the Kubernetes TokenReview API
+# You can retrieve this from inside a pod at: /var/run/secrets/kubernetes.io/serviceaccount/token
+JWT=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+
+# Address of Kubernetes itself as viewed from inside a running pod
+KUBERNETES_HOST=https://${KUBERNETES_PORT_443_TCP_ADDR}:443
+
+# Kubernetes internal CA
+KUBERNETES_CA_CERT=$(cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt)
+```
+
+Exec into the Vault pod:
+
+```bash
+kubectl exec -it vault-0 /bin/sh
+```
+
+Then run the following command to configure the Kubernetes Auth Method:
+
+```bash
+vault write auth/kubernetes/config \
+ token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
+ kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
+ kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+```
+
+From here you can continue to configure Vault from the [Kubernetes Auth Method](/docs/auth/kubernetes.html) documentation.
diff --git a/website/pages/docs/platform/k8s/helm/examples/standalone-audit.mdx b/website/pages/docs/platform/k8s/helm/examples/standalone-audit.mdx
new file mode 100644
index 0000000000..fb86b2a89e
--- /dev/null
+++ b/website/pages/docs/platform/k8s/helm/examples/standalone-audit.mdx @@ -0,0 +1,53 @@ +--- +layout: "docs" +page_title: "Standalone Server with Audit Storage" +sidebar_current: "docs-platform-k8s-examples-standalone-audit" +sidebar_title: "Standalone Server with Audit Storage" +description: |- + Describes how to set up a standalone Vault with audit storage +--- + +# Standalone Server with Audit Storage + +~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart. + +The below `values.yaml` can be used to set up a single server Vault cluster with +auditing enabled. + +```yaml +server: + standalone: + enabled: true + config: | + listener "tcp" { + tls_disable = true + address = "[::]:8200" + cluster_address = "[::]:8201" + } + + storage "file" { + path = "/vault/data" + } + + service: + enabled: true + + dataStorage: + enabled: true + size: 10Gi + storageClass: null + accessMode: ReadWriteOnce + + auditStorage: + enabled: true + size: 10Gi + storageClass: null + accessMode: ReadWriteOnce +``` + +After Vault has been deployed, initialized and unsealed, auditing can be enabled +by running the following command against the Vault pod: + +```bash +$ kubectl exec -ti -- vault audit enable file file_path=/vault/audit/vault_audit.log +``` diff --git a/website/pages/docs/platform/k8s/helm/examples/standalone-load-balanced-ui.mdx b/website/pages/docs/platform/k8s/helm/examples/standalone-load-balanced-ui.mdx new file mode 100644 index 0000000000..accb096b70 --- /dev/null +++ b/website/pages/docs/platform/k8s/helm/examples/standalone-load-balanced-ui.mdx 
@@ -0,0 +1,44 @@ +--- +layout: "docs" +page_title: "Standalone Server with Load Balanced UI" +sidebar_current: "docs-platform-k8s-examples-standalone-load-balanced-ui" +sidebar_title: "Standalone Server with Load Balanced UI" +description: |- + Describes how to set up a standalone Vault with a load balanced UI +--- + +# Standalone Server with Load Balanced UI + +~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart. + +The below `values.yaml` can be used to set up a single server Vault cluster with a LoadBalancer to allow external access to the UI and API. + +```yaml +server: + standalone: + enabled: true + config: | + ui = true + + listener "tcp" { + tls_disable = 1 + address = "[::]:8200" + cluster_address = "[::]:8201" + } + storage "file" { + path = "/vault/data" + } + + service: + enabled: true + + dataStorage: + enabled: true + size: 10Gi + storageClass: null + accessMode: ReadWriteOnce + +ui: + enabled: true + serviceType: LoadBalancer +``` diff --git a/website/pages/docs/platform/k8s/helm/examples.mdx b/website/pages/docs/platform/k8s/helm/examples/standalone-tls.mdx similarity index 58% rename from website/pages/docs/platform/k8s/helm/examples.mdx rename to website/pages/docs/platform/k8s/helm/examples/standalone-tls.mdx index b32a83cece..ee7be33987 100644 --- a/website/pages/docs/platform/k8s/helm/examples.mdx +++ b/website/pages/docs/platform/k8s/helm/examples/standalone-tls.mdx 
@@ -1,67 +1,23 @@ --- -layout: docs -page_title: Examples -sidebar_title: Examples -description: This section documents configuration options for the Vault Helm chart +layout: "docs" +page_title: "Standalone Server with TLS" +sidebar_current: "docs-platform-k8s-examples-standalone-tls" +sidebar_title: "Standalone Server with TLS" +description: |- + Describes how to set up a standalone Vault with TLS certificate --- -# Helm Chart Examples +# Standalone Server with TLS ~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart. -The following are different configuration examples to support a variety of -deployment models. - -## Standalone Server with Load Balanced UI - -The below `values.yaml` can be used to set up a single server Vault cluster with a LoadBalancer to allow external access to the UI and API. - -```yaml -global: - enabled: true - -server: - image: - repository: 'vault' - tag: '1.3.1' - - standalone: - enabled: true - config: | - ui = true - - listener "tcp" { - tls_disable = 1 - address = "[::]:8200" - cluster_address = "[::]:8201" - } - storage "file" { - path = "/vault/data" - } - - service: - enabled: true - - dataStorage: - enabled: true - size: 10Gi - storageClass: null - accessMode: ReadWriteOnce - -ui: - enabled: true - serviceType: LoadBalancer -``` - -## Standalone Server with TLS - This example can be used to set up a single server Vault cluster using TLS. 1. Create key & certificate using Kubernetes CA 2. Store key & cert into [Kubernetes secrets store](https://kubernetes.io/docs/concepts/configuration/secret/) 3. Configure helm chart to use Kubernetes secret from step 2 -### 1. Create key & certificate using Kubernetes CA +## 1. Create key & certificate using Kubernetes CA There are three variables that will be used in this example. 
@@ -153,7 +109,7 @@ TMPDIR=/tmp kubectl certificate approve ${CSR_NAME} ``` -### 2. Store key, cert, and Kubernetes CA into Kubernetes secrets store +## 2. Store key, cert, and Kubernetes CA into Kubernetes secrets store 1. Retrieve the certificate. @@ -187,7 +143,7 @@ TMPDIR=/tmp -### 3. Helm Configuration +## 3. Helm Configuration The below `custom-values.yaml` can be used to set up a single server Vault cluster using TLS. This assumes that a Kubernetes `secret` exists with the server certificate, key and 
@@ -224,115 +180,3 @@ server: path = "/vault/data" } ``` - -## Standalone Server with Audit Storage - -The below `values.yaml` can be used to set up a single server Vault cluster with -auditing enabled. - -```yaml -global: - enabled: true - -server: - image: - repository: 'vault' - tag: '1.3.1' - - standalone: - enabled: true - config: | - listener "tcp" { - tls_disable = true - address = "[::]:8200" - cluster_address = "[::]:8201" - } - - storage "file" { - path = "/vault/data" - } - - service: - enabled: true - - dataStorage: - enabled: true - size: 10Gi - storageClass: null - accessMode: ReadWriteOnce - - auditStorage: - enabled: true - size: 10Gi - storageClass: null - accessMode: ReadWriteOnce -``` - -After Vault has been deployed, initialized and unsealed, auditing can be enabled -by running the following command against the Vault pod: - -```bash -$ kubectl exec -ti -- vault audit enable file file_path=/vault/audit/vault_audit.log -``` - -## Highly Available Vault Cluster with Consul - -The below `values.yaml` can be used to set up a five server Vault cluster using -Consul as a highly available storage backend, Google Cloud KMS for Auto Unseal. - -```yaml -global: - enabled: true - -server: - image: - repository: "vault" - tag: "1.3.1" - - extraEnvironmentVars: - GOOGLE_REGION: global - GOOGLE_PROJECT: myproject - GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/my-gcp-iam/myproject-creds.json - - extraVolumes: [] - - type: secret - name: my-gcp-iam - - affinity: | - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app: {{ template "vault.name" . 
}} - release: "{{ .Release.Name }}" - component: server - topologyKey: kubernetes.io/hostname - - service: - enabled: true - - ha: - enabled: true - replicas: 5 - - config: | - ui = true - - listener "tcp" { - tls_disable = 1 - address = "[::]:8200" - cluster_address = "[::]:8201" - } - - storage "consul" { - path = "vault" - address = "HOST_IP:8500" - } - - seal "gcpckms" { - project = "myproject" - region = "global" - key_ring = "vault-unseal-kr" - crypto_key = "vault-unseal-key" - } -```