From 7429b74c9a56f19093ab8492e6906965fd9fbe45 Mon Sep 17 00:00:00 2001 From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com> Date: Tue, 30 May 2023 12:01:56 -0400 Subject: [PATCH] backport of commit 021bd76819075b69b46d69f3ce8858a6165416d1 (#20800) Co-authored-by: Kyle Schochenmaier --- .../content/docs/platform/k8s/vso/helm.mdx | 73 +++++++++++++++++-- 1 file changed, 68 insertions(+), 5 deletions(-) diff --git a/website/content/docs/platform/k8s/vso/helm.mdx b/website/content/docs/platform/k8s/vso/helm.mdx index e99c9a7a4258..85b54f82b4f6 100644 --- a/website/content/docs/platform/k8s/vso/helm.mdx +++ b/website/content/docs/platform/k8s/vso/helm.mdx @@ -13,7 +13,7 @@ The chart is customizable using [Helm configuration values](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). + the vault-secrets-operator repo's values.yaml: file commit=b9d4f2f8ac86bdc1de71ca101ea8ed1c4e8a429e --> ## Top-Level Stanzas @@ -60,6 +60,8 @@ Use these links to navigate to a particular top-level stanza. - `memory` ((#v-controller-kuberbacproxy-resources-requests-memory)) (`string: 64Mi`) + - `annotations` ((#v-controller-annotations)) - This value defines additional annotations for the deployment. This should be formatted as a YAML object (map) + - `manager` ((#v-controller-manager)) - Settings related to the vault-secrets-operator container. - `image` ((#v-controller-manager-image)) - Image sets the repo and tag of the vault-secrets-operator image to use for the controller. 
@@ -69,14 +71,18 @@ Use these links to navigate to a particular top-level stanza. - `tag` ((#v-controller-manager-image-tag)) (`string: 0.1.0-beta`) - `clientCache` ((#v-controller-manager-clientcache)) - Configures the client cache which is used by the controller to cache (and potentially persist) vault tokens that - are the result of using the VaultAuthMethod. This enables re-use of Vault Tokens around their TTLs as well as the - ability to renew. + are the result of using the VaultAuthMethod. This enables re-use of Vault Tokens + throughout their TTLs as well as the ability to renew. + Persistence is only useful in the context of Dynamic Secrets, so "none" is an okay default. - `persistenceModel` ((#v-controller-manager-clientcache-persistencemodel)) (`string: ""`) - Defines the `-client-cache-persistence-model` which caches+persists vault tokens. Valid values are: "none" - in-memory client cache is used, no tokens are persisted. "direct-unencrypted" - in-memory client cache is persisted, unencrypted. This is NOT recommended for any production workload. "direct-encrypted" - in-memory client cache is persisted encrypted using the Vault Transit engine. + Note: It is strongly encouraged to not use the setting of "direct-unencrypted" in + production due to the potential of vault tokens being leaked as they would then be stored + in clear text. default: "none" 
@@ -86,6 +92,33 @@ Use these links to navigate to a particular top-level stanza. default: 10000 + - `storageEncryption` ((#v-controller-manager-clientcache-storageencryption)) - StorageEncryption provides the necessary configuration to encrypt the client storage + cache within Kubernetes objects using (required) Vault Transit Engine. + This should only be configured when client cache persistence with encryption is enabled. + E.g. `controller.manager.clientCache.persistenceMode=direct-encrypted` + Typically there should only ever be one VaultAuth configured with + StorageEncryption in the Cluster. + + - `vaultConnectionRef` ((#v-controller-manager-clientcache-storageencryption-vaultconnectionref)) (`string: default`) - Vault Connection Ref to be used by the VaultAuthMethod. + Default setting will use the default VaultConnectionRef, which must also be configured. + + - `namespace` ((#v-controller-manager-clientcache-storageencryption-namespace)) (`string: ""`) - Vault namespace for the VaultAuthMethod + + - `keyName` ((#v-controller-manager-clientcache-storageencryption-keyname)) (`string: ""`) - KeyName to use for encrypt/decrypt operations via Vault Transit. + + - `mount` ((#v-controller-manager-clientcache-storageencryption-mount)) (`string: kubernetes`) - Mount path for the Vault Auth Method. + + - `role` ((#v-controller-manager-clientcache-storageencryption-role)) (`string: ""`) - Vault Auth Role to use + This is a required field and must be setup in Vault prior to deploying the helm chart + if `defaultAuthMethod.enabled=true` + + - `serviceAccount` ((#v-controller-manager-clientcache-storageencryption-serviceaccount)) (`string: ""`) - Kubernetes ServiceAccount associated with the default Vault Auth Role + default: Operator's ServiceAccount + + - `tokenAudiences` ((#v-controller-manager-clientcache-storageencryption-tokenaudiences)) (`array: []`) - Token Audience should match the audience of the vault kubernetes auth role. 
+ + - `transitMount` ((#v-controller-manager-clientcache-storageencryption-transitmount)) (`string: ""`) - Mount path for the Transit Method. + - `maxConcurrentReconciles` ((#v-controller-manager-maxconcurrentreconciles)) (`integer: ""`) - Defines the maximum number of concurrent reconciles by the controller. NOTE: Currently this is only used by the reconciliation logic of dynamic secrets. 
@@ -203,8 +236,38 @@ Use these links to navigate to a particular top-level stanza. - `serviceAccount` ((#v-defaultauthmethod-kubernetes-serviceaccount)) (`string: default`) - Kubernetes ServiceAccount associated with the default Vault Auth Role - - `tokenAudiences` ((#v-defaultauthmethod-kubernetes-tokenaudiences)) (`array: []`) - Token Audience is required and should match whatever the audience - of the vault kubernetes auth role has set. + - `tokenAudiences` ((#v-defaultauthmethod-kubernetes-tokenaudiences)) (`array: []`) - Token Audience should match the audience of the vault kubernetes auth role. + + - `jwt` ((#v-defaultauthmethod-jwt)) - Vault JWT auth method specific configuration + + - `role` ((#v-defaultauthmethod-jwt-role)) (`string: ""`) - Vault Auth Role to use + This is a required field and must be setup in Vault prior to deploying the helm chart + if `jwtAuthMethod.enabled=true` + + - `secretName` ((#v-defaultauthmethod-jwt-secretname)) (`string: ""`) - One of the following is required prior to deploying the helm chart + - K8s secret that contains the JWT + - K8s service account if a service account JWT is used as a Vault JWT auth token and needs generating by VSO + + Name of Kubernetes Secret that has the Vault JWT auth token. + The Kubernetes Secret must contain a key named `jwt` which references the JWT token, and must exist in the namespace + of any consuming VaultSecret CR. This is a required field if a JWT token is provided. + + - `serviceAccount` ((#v-defaultauthmethod-jwt-serviceaccount)) (`string: default`) - Kubernetes ServiceAccount to generate a service account JWT + + - `tokenAudiences` ((#v-defaultauthmethod-jwt-tokenaudiences)) (`array: []`) - Token Audience should match the bound_audiences or the `aud` list in bound_claims if applicable + of the Vault JWT auth role. 
+ + - `appRole` ((#v-defaultauthmethod-approle)) - AppRole auth method specific configuration + + - `roleId` ((#v-defaultauthmethod-approle-roleid)) (`string: ""`) - AppRole Role's RoleID to use for authenticating to Vault. + This is a required field when using appRole and must be setup in Vault prior to deploying the + helm chart. + + - `secretName` ((#v-defaultauthmethod-approle-secretname)) (`string: ""`) - Name of Kubernetes Secret that has the AppRole Role's SecretID used to authenticate with Vault. + The Kubernetes Secret must contain a key named `id` which references the AppRole Role's + SecretID, and must exist in the namespace of any consuming VaultSecret CR. + This is a required field when using appRole and must be setup in Vault prior to deploying the + helm chart. - `params` ((#v-defaultauthmethod-params)) (`string: ""`) - Params to use when authenticating to Vault params: |
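Review bot: in the `@@ -69,14 +71,18 @@` hunk, the added sentence "Note: It is strongly encouraged to not use the setting of "direct-unencrypted" in production ..." under `persistenceModel` restates the sentence immediately before it ("This is NOT recommended for any production workload."); merge the two into one statement so the value description reads, for example, `"direct-unencrypted" - in-memory client cache is persisted, unencrypted. Not recommended for production: persisted tokens are stored in clear text and can be leaked.` The same entry also shows the default as (`string: ""`) in its header while the description ends with `default: "none"`; if the chart treats the empty string as "none", say so in one place rather than leaving the two defaults to disagree.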
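Review bot: in the `@@ -86,6 +92,33 @@` hunk, the example `controller.manager.clientCache.persistenceMode=direct-encrypted` in the new `storageEncryption` description names a key that does not exist; the value documented a few lines earlier is `persistenceModel` (the `-client-cache-persistence-model` flag), so the example should read `controller.manager.clientCache.persistenceModel=direct-encrypted`. The `role` entry in the same stanza says it is required "if `defaultAuthMethod.enabled=true`", which reads as carried over from the `defaultAuthMethod.kubernetes` stanza; the condition that applies here is storage encryption being configured (`persistenceModel=direct-encrypted`), so the sentence should state that instead.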
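Review bot: in the `@@ -203,8 +236,38 @@` hunk, the new `jwt.role` entry makes the field required "if `jwtAuthMethod.enabled=true`", a key that appears nowhere else in this diff; the sibling kubernetes `role` entry uses `defaultAuthMethod.enabled=true`, so either use that key (with the JWT method selected) or name whichever value actually exists in values.yaml. Under `jwt.secretName`, the lead-in "One of the following is required prior to deploying the helm chart" with its two bullets describes the choice between `secretName` and `serviceAccount`, so it belongs in the `jwt` stanza introduction rather than inside the `secretName` description, where it now precedes the actual "Name of Kubernetes Secret that has the Vault JWT auth token." sentence.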