diff --git a/website/content/docs/platform/k8s/helm/configuration.mdx b/website/content/docs/platform/k8s/helm/configuration.mdx index 1e56b29580..8da7fdd333 100644 --- a/website/content/docs/platform/k8s/helm/configuration.mdx +++ b/website/content/docs/platform/k8s/helm/configuration.mdx @@ -67,6 +67,8 @@ and consider if they're appropriate for your deployment. - `enabled` (`boolean: true`) - When set to `true`, enables leader election for Vault Agent Injector. This is required when using auto-tls and more than 1 replica. + - `useContainer` (`boolean: false`) - The deployment of the leader-elector container will soon be removed from this chart since vault-k8s now uses an internal mechanism to determine leadership. To enable the deployment of the leader-elector container for use with vault-k8s 0.12.0 and earlier, set `useContainer=true` + - `image` - Values that configure the Vault Agent Injector Leader Election image. - `repository` (`string: "gcr.io/google_containers/leader-elector"`) - The name of the leader election image for the Vault Agent Injector. 
@@ -79,15 +81,15 @@ and consider if they're appropriate for your deployment. - `repository` (`string: "hashicorp/vault-k8s"`) - The name of the Docker image for Vault Agent Injector. - - `tag` (`string: "0.12.0"`) - The tag of the Docker image for the Vault Agent Injector. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller. + - `tag` (`string: "0.13.0"`) - The tag of the Docker image for the Vault Agent Injector. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller. - `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists. - `agentImage` - Values that configure the Vault Agent sidecar image. - - `repository` (`string: "vault"`) - The name of the Docker image for the Vault Agent sidecar. This should be set to the official Vault Docker image. + - `repository` (`string: "hashicorp/vault"`) - The name of the Docker image for the Vault Agent sidecar. This should be set to the official Vault Docker image. - - `tag` (`string: "1.8.1"`) - The tag of the Vault Docker image to use for the Vault Agent Sidecar. **Vault 1.3.1+ is required by the admission controller**. + - `tag` (`string: "1.8.2"`) - The tag of the Vault Docker image to use for the Vault Agent Sidecar. **Vault 1.3.1+ is required by the admission controller**. - `agentDefaults` - Values that configure the injected Vault Agent containers default values. 
@@ -240,9 +242,9 @@ and consider if they're appropriate for your deployment. - `image` - Values that configure the Vault Docker image. - - `repository` (`string: "vault"`) - The name of the Docker image for the containers running Vault. + - `repository` (`string: "hashicorp/vault"`) - The name of the Docker image for the containers running Vault. - - `tag` (`string: "1.8.1"`) - The tag of the Docker image for the containers running Vault. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller. + - `tag` (`string: "1.8.2"`) - The tag of the Docker image for the containers running Vault. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller. - `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists. @@ -900,6 +902,10 @@ and consider if they're appropriate for your deployment. foo: bar ``` + - `providersDir` (`string: "/etc/kubernetes/secrets-store-csi-providers"`) - Provider host path (must match the CSI provider's path) + + - `kubeletRootDir` (`string: "/var/lib/kubelet"`) - Kubelet host path + - `pod` - Values that configure the Vault CSI Provider pod. - `annotations` (`dictionary: {}`) - This value defines additional annotations to diff --git a/website/content/docs/platform/k8s/helm/enterprise.mdx b/website/content/docs/platform/k8s/helm/enterprise.mdx index d58e541c3a..fd25eb323c 100644 --- a/website/content/docs/platform/k8s/helm/enterprise.mdx +++ b/website/content/docs/platform/k8s/helm/enterprise.mdx 
@@ -31,7 +31,7 @@ In your chart overrides, set the values of [`server.image`](/docs/platform/k8s/h server: image: repository: hashicorp/vault-enterprise - tag: 1.8.0_ent + tag: 1.8.2_ent enterpriseLicense: secretName: vault-ent-license ``` diff --git a/website/content/docs/platform/k8s/helm/examples/enterprise-dr-with-raft.mdx b/website/content/docs/platform/k8s/helm/examples/enterprise-dr-with-raft.mdx index 3544e1e120..6e989e9c75 100644 --- a/website/content/docs/platform/k8s/helm/examples/enterprise-dr-with-raft.mdx +++ b/website/content/docs/platform/k8s/helm/examples/enterprise-dr-with-raft.mdx @@ -23,7 +23,7 @@ First, create the primary cluster: ```shell helm install vault-primary hashicorp/vault \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.8.1_ent' \ + --set='server.image.tag=1.8.2_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' ``` @@ -75,7 +75,7 @@ disaster recovery replication. ```shell helm install vault-secondary hashicorp/vault \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.8.1_ent' \ + --set='server.image.tag=1.8.2_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' ``` diff --git a/website/content/docs/platform/k8s/helm/examples/enterprise-perf-with-raft.mdx b/website/content/docs/platform/k8s/helm/examples/enterprise-perf-with-raft.mdx index 18c310df09..a9f9d5d393 100644 --- a/website/content/docs/platform/k8s/helm/examples/enterprise-perf-with-raft.mdx +++ b/website/content/docs/platform/k8s/helm/examples/enterprise-perf-with-raft.mdx @@ -23,7 +23,7 @@ First, create the primary cluster: ```shell helm install vault-primary hashicorp/vault \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.8.1_ent' \ + --set='server.image.tag=1.8.2_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' ``` 
@@ -74,7 +74,7 @@ With the primary cluster created, next create a secondary cluster. ```shell helm install vault-secondary hashicorp/vault \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.8.1_ent' \ + --set='server.image.tag=1.8.2_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' ``` diff --git a/website/content/docs/platform/k8s/helm/examples/enterprise-with-raft.mdx b/website/content/docs/platform/k8s/helm/examples/enterprise-with-raft.mdx index da8f899a74..4cf383c152 100644 --- a/website/content/docs/platform/k8s/helm/examples/enterprise-with-raft.mdx +++ b/website/content/docs/platform/k8s/helm/examples/enterprise-with-raft.mdx @@ -15,7 +15,7 @@ Integrated storage (raft) can be enabled using the `server.ha.raft.enabled` valu ```shell helm install vault hashicorp/vault \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.8.1_ent' \ + --set='server.image.tag=1.8.2_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' ``` diff --git a/website/content/docs/platform/k8s/helm/index.mdx b/website/content/docs/platform/k8s/helm/index.mdx index 70c07059bf..1907d0f8ff 100644 --- a/website/content/docs/platform/k8s/helm/index.mdx +++ b/website/content/docs/platform/k8s/helm/index.mdx @@ -35,7 +35,7 @@ $ helm repo add hashicorp https://helm.releases.hashicorp.com $ helm search repo hashicorp/vault NAME CHART VERSION APP VERSION DESCRIPTION -hashicorp/vault 0.15.0 1.8.1 Official HashiCorp Vault Chart +hashicorp/vault 0.16.0 1.8.2 Official HashiCorp Vault Chart ``` -> **Important:** The Helm chart is new and under significant development. 
@@ -57,6 +57,7 @@ Installing a specific version of the chart. # List the available releases $ helm search repo hashicorp/vault -l NAME CHART VERSION APP VERSION DESCRIPTION +hashicorp/vault 0.16.0 1.8.2 Official HashiCorp Vault Chart hashicorp/vault 0.15.0 1.8.1 Official HashiCorp Vault Chart hashicorp/vault 0.14.0 1.8.0 Official HashiCorp Vault Chart hashicorp/vault 0.13.0 1.7.3 Official HashiCorp Vault Chart @@ -64,10 +65,9 @@ hashicorp/vault 0.12.0 1.7.2 Official HashiCorp Vault Chart hashicorp/vault 0.11.0 1.7.0 Official HashiCorp Vault Chart hashicorp/vault 0.10.0 1.7.0 Official HashiCorp Vault Chart hashicorp/vault 0.9.1 1.6.2 Official HashiCorp Vault Chart -hashicorp/vault 0.9.0 1.6.1 Official HashiCorp Vault Chart -# Install version 0.15.0 -$ helm install vault hashicorp/vault --version 0.15.0 +# Install version 0.16.0 +$ helm install vault hashicorp/vault --version 0.16.0 ``` ~> **Security Warning:** By default, the chart runs in standalone mode. This diff --git a/website/content/docs/platform/k8s/helm/openshift.mdx b/website/content/docs/platform/k8s/helm/openshift.mdx index 00e26cd3de..3d6c862e70 100644 --- a/website/content/docs/platform/k8s/helm/openshift.mdx +++ b/website/content/docs/platform/k8s/helm/openshift.mdx @@ -69,7 +69,7 @@ $ helm repo add hashicorp https://helm.releases.hashicorp.com $ helm search repo hashicorp/vault NAME CHART VERSION APP VERSION DESCRIPTION -hashicorp/vault 0.15.0 1.8.1 Official HashiCorp Vault Chart +hashicorp/vault 0.16.0 1.8.2 Official HashiCorp Vault Chart ``` -> **Important:** The Helm chart is new and under significant development. 
@@ -88,6 +88,7 @@ Or install a specific version of the chart. # List the available releases $ helm search repo hashicorp/vault -l NAME CHART VERSION APP VERSION DESCRIPTION +hashicorp/vault 0.16.0 1.8.2 Official HashiCorp Vault Chart hashicorp/vault 0.15.0 1.8.1 Official HashiCorp Vault Chart hashicorp/vault 0.14.0 1.8.0 Official HashiCorp Vault Chart hashicorp/vault 0.13.0 1.7.3 Official HashiCorp Vault Chart @@ -95,10 +96,9 @@ hashicorp/vault 0.12.0 1.7.2 Official HashiCorp Vault Chart hashicorp/vault 0.11.0 1.7.0 Official HashiCorp Vault Chart hashicorp/vault 0.10.0 1.7.0 Official HashiCorp Vault Chart hashicorp/vault 0.9.1 1.6.2 Official HashiCorp Vault Chart -hashicorp/vault 0.9.0 1.6.1 Official HashiCorp Vault Chart -# Install version 0.15.0 -$ helm install vault hashicorp/vault --version 0.15.0 +# Install version 0.16.0 +$ helm install vault hashicorp/vault --version 0.16.0 ``` The `helm install` command accepts parameters to override default configuration diff --git a/website/content/docs/platform/k8s/helm/run.mdx b/website/content/docs/platform/k8s/helm/run.mdx index 9a8ac5cbd1..54c186c500 100644 --- a/website/content/docs/platform/k8s/helm/run.mdx +++ b/website/content/docs/platform/k8s/helm/run.mdx @@ -53,7 +53,7 @@ $ helm repo add hashicorp https://helm.releases.hashicorp.com $ helm search repo hashicorp/vault NAME CHART VERSION APP VERSION DESCRIPTION -hashicorp/vault 0.15.0 1.8.1 Official HashiCorp Vault Chart +hashicorp/vault 0.16.0 1.8.2 Official HashiCorp Vault Chart ``` -> **Important:** The Helm chart is new and under significant development. 
@@ -72,6 +72,7 @@ Or install a specific version of the chart. # List the available releases $ helm search repo hashicorp/vault -l NAME CHART VERSION APP VERSION DESCRIPTION +hashicorp/vault 0.16.0 1.8.2 Official HashiCorp Vault Chart hashicorp/vault 0.15.0 1.8.1 Official HashiCorp Vault Chart hashicorp/vault 0.14.0 1.8.0 Official HashiCorp Vault Chart hashicorp/vault 0.13.0 1.7.3 Official HashiCorp Vault Chart @@ -79,10 +80,9 @@ hashicorp/vault 0.12.0 1.7.2 Official HashiCorp Vault Chart hashicorp/vault 0.11.0 1.7.0 Official HashiCorp Vault Chart hashicorp/vault 0.10.0 1.7.0 Official HashiCorp Vault Chart hashicorp/vault 0.9.1 1.6.2 Official HashiCorp Vault Chart -hashicorp/vault 0.9.0 1.6.1 Official HashiCorp Vault Chart -# Install version 0.15.0 -$ helm install vault hashicorp/vault --version 0.15.0 +# Install version 0.16.0 +$ helm install vault hashicorp/vault --version 0.16.0 ``` The `helm install` command accepts parameters to override default configuration diff --git a/website/content/docs/platform/k8s/injector/annotations.mdx b/website/content/docs/platform/k8s/injector/annotations.mdx index c87d0417e2..f371bfc3f7 100644 --- a/website/content/docs/platform/k8s/injector/annotations.mdx +++ b/website/content/docs/platform/k8s/injector/annotations.mdx @@ -28,7 +28,7 @@ them, optional commands to run, etc. - `vault.hashicorp.com/agent-image` - name of the Vault docker image to use. This value overrides the default image configured in the controller and is usually - not needed. Defaults to `hashicorp/vault:1.8.1`. + not needed. Defaults to `hashicorp/vault:1.8.2`. - `vault.hashicorp.com/agent-init-first` - configures the pod to run the Vault Agent init container first if `true` (last if `false`). This is useful when other init 
@@ -184,6 +184,8 @@ them, optional commands to run, etc. container and mounts them to the Vault Agent containers. The service account volume is ignored. +- `vault.hashicorp.com/agent-service-account-token-volume-name` - the optional name of a projected volume containing a service account token for use with auto-auth against Vault's Kubernetes auth method. If the volume is mounted to another container in the deployment, the token volume will be mounted to the same location in the vault-agent containers. Otherwise it will be mounted at the default location of `/var/run/secrets/vault.hashicorp.com/serviceaccount/`. + ## Vault Annotations Vault annotations change how the Vault Agent containers communicate with Vault. For diff --git a/website/content/docs/platform/k8s/injector/installation.mdx b/website/content/docs/platform/k8s/injector/installation.mdx index 359fe9d542..e113169d32 100644 --- a/website/content/docs/platform/k8s/injector/installation.mdx +++ b/website/content/docs/platform/k8s/injector/installation.mdx @@ -20,7 +20,7 @@ $ helm repo add hashicorp https://helm.releases.hashicorp.com $ helm search repo hashicorp/vault NAME CHART VERSION APP VERSION DESCRIPTION -hashicorp/vault 0.15.0 1.8.1 Official HashiCorp Vault Chart +hashicorp/vault 0.16.0 1.8.2 Official HashiCorp Vault Chart ``` Then install the chart and enable the injection feature by setting the 
@@ -67,31 +67,23 @@ For more information on configuring manual TLS, see the [Vault Helm cert values] ## Multiple Replicas and TLS The Vault Agent Injector can be run with multiple replicas if using [Manual -TLS](#manual-tls), and as of v0.7.0 multiple replicas are also supported with +TLS](#manual-tls) or [cert-manager](/docs/platform/k8s/helm/examples/injector-tls-cert-manager), and as of v0.7.0 multiple replicas are also supported with [Auto TLS](#auto-tls). The number of replicas is controlled in the Vault Helm chart by the [injector.replicas value](/docs/platform/k8s/helm/configuration#replicas). -With Auto TLS and multiple replicas, a leader-elector sidecar container is -deployed with each replica. These sidecars determine which injector replica is -the "leader" in charge of generating the CA and patching the webhook caBundle in -Kubernetes, and also generating and distributing the certificate and key to the -"followers". The followers read the certificate and key needed for the webhook -service listener from a Kubernetes Secret, which is updated by the leader when a -certificate is near expiration. - -The leader-elector sidecar in use is described in detail [here][k8s-blog]. For -more information on configuring leader election, see the [Vault Helm -leaderElector values](/docs/platform/k8s/helm/configuration#leaderelector). +With Auto TLS and multiple replicas, a leader replica is determined by ownership +of a ConfigMap named `vault-k8s-leader`. Another replica can become the leader +once the current leader replica stops running, and the Kubernetes garbage +collector deletes the ConfigMap. The leader replica is in charge of generating +the CA and patching the webhook caBundle in Kubernetes, and also generating and +distributing the certificate and key to the "followers". The followers read the +certificate and key needed for the webhook service listener from a Kubernetes +Secret, which is updated by the leader when a certificate is near expiration. 
With Manual TLS and multiple replicas, [injector.leaderElector.enabled](/docs/platform/k8s/helm/configuration#enabled-2) -should be set to `false` since leader-election is not necessary in this case. - -If there is only one replica set (regardless of other TLS or leaderElector -settings), no leader-elector containers will be deployed. - -[k8s-blog]: https://kubernetes.io/blog/2016/01/simple-leader-election-with-kubernetes/ 'Simple leader election with Kubernetes and Docker' +can be set to `false` since leader determination is not necessary in this case. ## Namespace Selector
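Review bot: the new `useContainer` entry in the `leaderElector` block of configuration.mdx should spell out its interaction with the `injector.image.tag` default that the same file bumps to `0.13.0`: a deployment that pins the injector back to `0.12.0` or earlier while running more than one replica with Auto TLS must set `useContainer=true`, because with the default `false` no leader-elector container is deployed and those older injector versions have no other leadership mechanism. Also replace "will soon be removed" with the chart version in which the container is removed, and end the sentence with a period after `useContainer=true`.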
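Review bot: in the server `image.tag` entry of configuration.mdx (the `@@ -240` hunk), the sentence "Otherwise, other changes to the chart may inadvertently upgrade your admission controller." is copied from the injector section; for `server.image.tag` the component that would be upgraded is the Vault server, so while the tag is being bumped to `1.8.2` the sentence should read "... may inadvertently upgrade your Vault servers." The new `providersDir` and `kubeletRootDir` entries in the same hunk would also benefit from one sentence on when an operator needs to change them, since the entry itself states the path must match the CSI provider's.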
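Review bot: the `helm search repo hashicorp/vault -l` listing is edited identically in index.mdx, openshift.mdx and run.mdx (add the `0.16.0` row, drop the `0.9.0` row, bump the install example to `--version 0.16.0`); consider a shared MDX partial so the copies cannot drift, and confirm the `0.9.0` row is dropped deliberately rather than to keep the list the same length, since removing a row from a listing of available releases reads as that release no longer being installable.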
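Review bot: the new `vault.hashicorp.com/agent-service-account-token-volume-name` annotation in annotations.mdx should say what happens when no volume of that name exists on the pod (is the injection rejected, or does the agent fall back to the default service account token?), and it should be cross-referenced from the bullet directly above it, which states "The service account volume is ignored." when copying mounts, since this annotation is the exception to that rule.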
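Review bot: the rewritten "Multiple Replicas and TLS" section in installation.mdx says another replica becomes leader "once the current leader replica stops running, and the Kubernetes garbage collector deletes the ConfigMap", but never says why garbage collection deletes it; presumably the `vault-k8s-leader` ConfigMap carries an owner reference to the leader pod, and stating that lets the reader understand both the failover and the ConfigMap permissions the injector's role now needs. Two removed statements also leave gaps: the old text said no leader-elector containers are deployed with a single replica, so the new text should say whether a single replica still creates the ConfigMap; and "should be set to `false`" for Manual TLS became "can be set to `false`", which reads as a behaviour change rather than a wording tweak and should be confirmed.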