Update Kubernetes docs to include Kubernetes Auth method (#8046)

* Improve standalone with TLS example - Documented creating a key & cert for serving Vault endpoints - Removed unneeded configuration in custom values.yaml - Updated examples to 1.3.0 * Add 127.0.0.1 to CSR * Grammar & minor formatting * Add additional DNS entry for CSR * Split examples into individual pages * Add Kubernetes Auth Method example * Remove old examples file * Fix rebase fail * Remove global section of yaml files that aren't needed * Fix minor typos * Fix typos that didn't get carried over from previous PR * Re-copy from previous examples file to resolve rebase issues * update dependencies Co-authored-by: Jeff Escalante <jescalan@users.noreply.github.com>
2025-12-23 13:57:12 +00:00 · 2020-01-23 13:14:01 -07:00
parent 8f30f51ae9
commit ac33c32639
7 changed files with 250 additions and 167 deletions
--- a/website/data/docs-navigation.js
+++ b/website/data/docs-navigation.js
@@ -314,7 +314,20 @@ export default [
        content: [
          {
            category: 'helm',
-            content: ['run', 'configuration', 'examples']
+            content: [
              'run',
              'configuration',
              {
                category: 'examples',
                content: [
                  'standalone-load-balanced-ui',
                  'standalone-tls',
                  'standalone-audit',
                  'ha-with-consul',
                  'kubernetes-auth'
                ]
              },
            ],
          },
          {
            category: 'injector',
--- a/website/pages/docs/platform/k8s/helm/examples/ha-with-consul.mdx
+++ b/website/pages/docs/platform/k8s/helm/examples/ha-with-consul.mdx
@@ -0,0 +1,65 @@
 ---
 layout: "docs"
 page_title: "Highly Available Vault Cluster with Consul"
 sidebar_current: "docs-platform-k8s-examples-ha-with-consul"
 sidebar_title: "Highly Available Vault Cluster with Consul"
 description: |-
  Describes how to set up a highly available Vault cluster with Consul backend
 ---
 # Highly Available Vault Cluster with Consul
 ~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
 The below `values.yaml` can be used to set up a five server Vault cluster using
 Consul as a highly available storage backend, Google Cloud KMS for Auto Unseal.
 ```yaml
 server:
  extraEnvironmentVars:
    GOOGLE_REGION: global
    GOOGLE_PROJECT: myproject
    GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/my-gcp-iam/myproject-creds.json
  extraVolumes:
    - type: secret
      name: my-gcp-iam
  affinity: |
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchLabels:
              app: {{ template "vault.name" . }}
              release: "{{ .Release.Name }}"
              component: server
          topologyKey: kubernetes.io/hostname
  service:
    enabled: true
  ha:
    enabled: true
    replicas: 5
    config: |
      ui = true
      listener "tcp" {
        tls_disable = 1
        address = "[::]:8200"
        cluster_address = "[::]:8201"
      }
      storage "consul" {
        path = "vault"
        address = "HOST_IP:8500"
      }
      seal "gcpckms" {
         project     = "myproject"
         region      = "global"
         key_ring    = "vault-unseal-kr"
         crypto_key  = "vault-unseal-key"
      }
 ```
--- a/website/pages/docs/platform/k8s/helm/examples/index.mdx
+++ b/website/pages/docs/platform/k8s/helm/examples/index.mdx
@@ -0,0 +1,17 @@
 ---
 layout: "docs"
 page_title: "Examples"
 sidebar_current: "docs-platform-k8s-examples"
 sidebar_title: "Examples"
 description: |-
  This section documents configuration options for the Vault Helm chart
 ---
 # Helm Chart Examples
 ~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
 These are a collection of examples of common configurations for Vault using the Helm chart. 
 The following are different configuration examples to support a variety of
 deployment models. You can view the different examples from the list on the left.
--- a/website/pages/docs/platform/k8s/helm/examples/kubernetes-auth.mdx
+++ b/website/pages/docs/platform/k8s/helm/examples/kubernetes-auth.mdx
@@ -0,0 +1,47 @@
 ---
 layout: "docs"
 page_title: "Using Kubernetes Auth Method"
 sidebar_current: "docs-platform-k8s-examples-kubernetes-auth"
 sidebar_title: "Using Kubernetes Auth Method"
 description: |-
  Describes how to set up Kubernetes Auth method
 ---
 # Bootstrapping Kubernetes Auth Method
 ~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
 In this example, we will walk through how to set up the [Kubernetes Auth Method](/docs/auth/kubernetes.html).
 This assumes the following commands will be run inside a Vault pod running in Kubernetes.
 You will optionally need the following variables:
 ```bash
 # JWT is a service account token that has access to the Kubernetes TokenReview API
 # You can retrieve this from inside a pod at: /var/run/secrets/kubernetes.io/serviceaccount/token
 JWT=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
 # Address of Kubernetes itself as viewed from inside a running pod
 KUBERNETES_HOST=https://${KUBERNETES_PORT_443_TCP_ADDR}:443
 # Kubernetes internal CA
 KUBERNETES_CA_CERT=$(cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt)
 ```
 Exec into the Vault pod:
 ```bash
 kubectl exec -it vault-0 /bin/sh
 ```
 Then run the following command to configure the Kubernetes Auth Method:
 ```bash
 vault write auth/kubernetes/config \
   token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
   kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
   kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
 ```
 From here you can continue to configure Vault from the [Kubernetes Auth Method](/docs/auth/kubernetes.html) documentation.
--- a/website/pages/docs/platform/k8s/helm/examples/standalone-audit.mdx
+++ b/website/pages/docs/platform/k8s/helm/examples/standalone-audit.mdx
@@ -0,0 +1,53 @@
 ---
 layout: "docs"
 page_title: "Standalone Server with Audit Storage"
 sidebar_current: "docs-platform-k8s-examples-standalone-audit"
 sidebar_title: "Standalone Server with Audit Storage"
 description: |-
  Describes how to set up a standalone Vault with audit storage
 ---
 # Standalone Server with Audit Storage
 ~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
 The below `values.yaml` can be used to set up a single server Vault cluster with
 auditing enabled.
 ```yaml
 server:
  standalone:
    enabled: true
    config: |
      listener "tcp" {
        tls_disable = true
        address = "[::]:8200"
        cluster_address = "[::]:8201"
      }
      storage "file" {
        path = "/vault/data"
      }
  service:
    enabled: true
  dataStorage:
    enabled: true
    size: 10Gi
    storageClass: null
    accessMode: ReadWriteOnce
  auditStorage:
    enabled: true
    size: 10Gi
    storageClass: null
    accessMode: ReadWriteOnce
 ```
 After Vault has been deployed, initialized and unsealed, auditing can be enabled
 by running the following command against the Vault pod:
 ```bash
 $ kubectl exec -ti <POD NAME> --  vault audit enable file file_path=/vault/audit/vault_audit.log
 ```
--- a/website/pages/docs/platform/k8s/helm/examples/standalone-load-balanced-ui.mdx
+++ b/website/pages/docs/platform/k8s/helm/examples/standalone-load-balanced-ui.mdx
@@ -0,0 +1,44 @@
 ---
 layout: "docs"
 page_title: "Standalone Server with Load Balanced UI"
 sidebar_current: "docs-platform-k8s-examples-standalone-load-balanced-ui"
 sidebar_title: "Standalone Server with Load Balanced UI"
 description: |-
  Describes how to set up a standalone Vault with a load balanced UI
 ---
 # Standalone Server with Load Balanced UI
 ~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
 The below `values.yaml` can be used to set up a single server Vault cluster with a LoadBalancer to allow external access to the UI and API.
 ```yaml
 server:
  standalone:
    enabled: true
    config: |
      ui = true
      listener "tcp" {
        tls_disable = 1
        address = "[::]:8200"
        cluster_address = "[::]:8201"
      }
      storage "file" {
        path = "/vault/data"
      }
  service:
    enabled: true
  dataStorage:
    enabled: true
    size: 10Gi
    storageClass: null
    accessMode: ReadWriteOnce
 ui:
  enabled: true
  serviceType: LoadBalancer
 ```
--- a/website/pages/docs/platform/k8s/helm/examples/standalone-tls.mdx
+++ b/website/pages/docs/platform/k8s/helm/examples/standalone-tls.mdx
@@ -1,67 +1,23 @@
 ---
-layout: docs
+layout: "docs"
-page_title: Examples
+page_title: "Standalone Server with TLS"
-sidebar_title: Examples
+sidebar_current: "docs-platform-k8s-examples-standalone-tls"
-description: This section documents configuration options for the Vault Helm chart
+sidebar_title: "Standalone Server with TLS"
 description: |-
  Describes how to set up a standalone Vault with TLS certificate
 ---
-# Helm Chart Examples
+# Standalone Server with TLS
 ~> **Important Note:** This chart is not compatible with Helm 3. Please use Helm 2 with this chart.
 The following are different configuration examples to support a variety of
 deployment models.
 ## Standalone Server with Load Balanced UI
 The below `values.yaml` can be used to set up a single server Vault cluster with a LoadBalancer to allow external access to the UI and API.
 ```yaml
 global:
  enabled: true
 server:
  image:
    repository: 'vault'
    tag: '1.3.1'
  standalone:
    enabled: true
    config: |
      ui = true
      listener "tcp" {
        tls_disable = 1
        address = "[::]:8200"
        cluster_address = "[::]:8201"
      }
      storage "file" {
        path = "/vault/data"
      }
  service:
    enabled: true
  dataStorage:
    enabled: true
    size: 10Gi
    storageClass: null
    accessMode: ReadWriteOnce
 ui:
  enabled: true
  serviceType: LoadBalancer
 ```
 ## Standalone Server with TLS
 This example can be used to set up a single server Vault cluster using TLS.
 1. Create key & certificate using Kubernetes CA
 2. Store key & cert into [Kubernetes secrets store](https://kubernetes.io/docs/concepts/configuration/secret/)
 3. Configure helm chart to use Kubernetes secret from step 2
-### 1. Create key & certificate using Kubernetes CA
+## 1. Create key & certificate using Kubernetes CA
 There are three variables that will be used in this example.
@@ -153,7 +109,7 @@ TMPDIR=/tmp
        kubectl certificate approve ${CSR_NAME}
        ```
-### 2. Store key, cert, and Kubernetes CA into Kubernetes secrets store
+## 2. Store key, cert, and Kubernetes CA into Kubernetes secrets store
 1. Retrieve the certificate.
@@ -187,7 +143,7 @@ TMPDIR=/tmp
-### 3. Helm Configuration
+## 3. Helm Configuration
 The below `custom-values.yaml` can be used to set up a single server Vault cluster using TLS.
 This assumes that a Kubernetes `secret` exists with the server certificate, key and
@@ -224,115 +180,3 @@ server:
        path = "/vault/data"
      }
 ```
 ## Standalone Server with Audit Storage
 The below `values.yaml` can be used to set up a single server Vault cluster with
 auditing enabled.
 ```yaml
 global:
  enabled: true
 server:
  image:
    repository: 'vault'
    tag: '1.3.1'
  standalone:
    enabled: true
    config: |
      listener "tcp" {
        tls_disable = true
        address = "[::]:8200"
        cluster_address = "[::]:8201"
      }
      storage "file" {
        path = "/vault/data"
      }
  service:
    enabled: true
  dataStorage:
    enabled: true
    size: 10Gi
    storageClass: null
    accessMode: ReadWriteOnce
  auditStorage:
    enabled: true
    size: 10Gi
    storageClass: null
    accessMode: ReadWriteOnce
 ```
 After Vault has been deployed, initialized and unsealed, auditing can be enabled
 by running the following command against the Vault pod:
 ```bash
 $ kubectl exec -ti <POD NAME> --  vault audit enable file file_path=/vault/audit/vault_audit.log
 ```
 ## Highly Available Vault Cluster with Consul
 The below `values.yaml` can be used to set up a five server Vault cluster using
 Consul as a highly available storage backend, Google Cloud KMS for Auto Unseal.
 ```yaml
 global:
  enabled: true
 server:
  image:
    repository: "vault"
    tag: "1.3.1"
  extraEnvironmentVars:
    GOOGLE_REGION: global
    GOOGLE_PROJECT: myproject
    GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/my-gcp-iam/myproject-creds.json
  extraVolumes: []
    - type: secret
      name: my-gcp-iam
  affinity: |
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchLabels:
              app: {{ template "vault.name" . }}
              release: "{{ .Release.Name }}"
              component: server
          topologyKey: kubernetes.io/hostname
  service:
    enabled: true
  ha:
    enabled: true
    replicas: 5
    config: |
      ui = true
      listener "tcp" {
        tls_disable = 1
        address = "[::]:8200"
        cluster_address = "[::]:8201"
      }
      storage "consul" {
        path = "vault"
        address = "HOST_IP:8500"
      }
      seal "gcpckms" {
         project     = "myproject"
         region      = "global"
         key_ring    = "vault-unseal-kr"
         crypto_key  = "vault-unseal-key"
      }
 ```