From d881a2cb87478c503d0d138ac7bea84eb1ba3f2f Mon Sep 17 00:00:00 2001 From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com> Date: Fri, 7 Apr 2023 17:29:55 -0400 Subject: [PATCH] backport of commit d697b08502afc3ba23129456b8f71cd42c24363e (#20052) Co-authored-by: Christopher Swenson --- .../service-registration/kubernetes.mdx | 8 +- .../docs/platform/k8s/helm/configuration.mdx | 96 ++++++++++++++++--- .../docs/platform/k8s/helm/enterprise.mdx | 2 +- .../helm/examples/enterprise-dr-with-raft.mdx | 4 +- .../examples/enterprise-perf-with-raft.mdx | 4 +- .../helm/examples/enterprise-with-raft.mdx | 2 +- .../content/docs/platform/k8s/helm/run.mdx | 4 +- website/content/partials/helm/install.mdx | 6 +- website/content/partials/helm/repo.mdx | 2 +- 9 files changed, 101 insertions(+), 27 deletions(-) diff --git a/website/content/docs/configuration/service-registration/kubernetes.mdx b/website/content/docs/configuration/service-registration/kubernetes.mdx index 0eb740318742..56e489474d52 100644 --- a/website/content/docs/configuration/service-registration/kubernetes.mdx +++ b/website/content/docs/configuration/service-registration/kubernetes.mdx @@ -71,7 +71,7 @@ metadata: vault-initialized: "true" vault-perf-standby: "false" vault-sealed: "false" - vault-version: 1.3.0 + vault-version: 1.13.1 ``` After shutdowns, Vault pods will bear the following labels: @@ -86,7 +86,7 @@ metadata: vault-initialized: "false" vault-perf-standby: "false" vault-sealed: "true" - vault-version: 1.3.0 + vault-version: 1.13.1 ``` ## Label Definitions @@ -102,7 +102,7 @@ metadata: - `vault-sealed` `(string: "true"/"false")` – Vault sealed is updated dynamically each time Vault's sealed/unsealed status changes. True indicates that Vault is currently sealed. False indicates that Vault is currently unsealed. -- `vault-version` `(string: "1.3.0")` – Vault version is a string that will not change during a pod's lifecycle. +- `vault-version` `(string: "1.13.1")` – Vault version is a string that will not change during a pod's lifecycle. ## Working with Vault's Service Discovery Labels @@ -156,7 +156,7 @@ $ vault write -f sys/replication/performance/primary/enable \ In conjunction with the pod labels and the `OnDelete` upgrade strategy, upgrades are much easier to orchestrate: ```shell-session -$ helm upgrade vault --set='server.image.tag=1.12.0' +$ helm upgrade vault --set='server.image.tag=1.13.1' $ kubectl delete pod --selector=vault-active=false \ --selector=vault-version=1.2.3 diff --git a/website/content/docs/platform/k8s/helm/configuration.mdx b/website/content/docs/platform/k8s/helm/configuration.mdx index e91b6872a197..248be9a74b8e 100644 --- a/website/content/docs/platform/k8s/helm/configuration.mdx +++ b/website/content/docs/platform/k8s/helm/configuration.mdx @@ -77,7 +77,7 @@ and consider if they're appropriate for your deployment. - `repository` (`string: "hashicorp/vault-k8s"`) - The name of the Docker image for Vault Agent Injector. - - `tag` (`string: "1.1.0"`) - The tag of the Docker image for the Vault Agent Injector. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller. + - `tag` (`string: "1.2.1"`) - The tag of the Docker image for the Vault Agent Injector. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller. - `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists. @@ -85,7 +85,7 @@ and consider if they're appropriate for your deployment. - `repository` (`string: "hashicorp/vault"`) - The name of the Docker image for the Vault Agent sidecar. This should be set to the official Vault Docker image. - - `tag` (`string: "1.12.1"`) - The tag of the Vault Docker image to use for the Vault Agent Sidecar. **Vault 1.3.1+ is required by the admission controller**. + - `tag` (`string: "1.13.1"`) - The tag of the Vault Docker image to use for the Vault Agent Sidecar. **Vault 1.3.1+ is required by the admission controller**. - `agentDefaults` - Values that configure the injected Vault Agent containers default values. @@ -295,6 +295,42 @@ and consider if they're appropriate for your deployment. type: RollingUpdate ``` + - `livenessProbe` - Values that configure the liveness probe for the injector. + + - `failureThreshold` (`int: 2`) - When set to a value, configures how many probe failures will be tolerated by Kubernetes. + + - `initialDelaySeconds` (`int: 60`) - Sets the initial delay of the liveness probe when the container starts. + + - `periodSeconds` (`int: 5`) - When set to a value, configures how often (in seconds) to perform the probe. + + - `successThreshold` (`int: 1`) - When set to a value, configures the minimum consecutive successes for the probe to be considered successful after having failed. + + - `timeoutSeconds` (`int: 3`) - When set to a value, configures the number of seconds after which the probe times out. + + - `readinessProbe` - Values that configure the readiness probe for the injector. + + - `failureThreshold` (`int: 2`) - When set to a value, configures how many probe failures will be tolerated by Kubernetes. + + - `initialDelaySeconds` (`int: 60`) - Sets the initial delay of the readiness probe when the container starts. + + - `periodSeconds` (`int: 5`) - When set to a value, configures how often (in seconds) to perform the probe. + + - `successThreshold` (`int: 1`) - When set to a value, configures the minimum consecutive successes for the probe to be considered successful after having failed. + + - `timeoutSeconds` (`int: 3`) - When set to a value, configures the number of seconds after which the probe times out. + + - `startupProbe` - Values that configure the startup probe for the injector. + + - `failureThreshold` (`int: 2`) - When set to a value, configures how many probe failures will be tolerated by Kubernetes. + + - `initialDelaySeconds` (`int: 60`) - Sets the initial delay of the startup probe when the container starts. + + - `periodSeconds` (`int: 5`) - When set to a value, configures how often (in seconds) to perform the probe. + + - `successThreshold` (`int: 1`) - When set to a value, configures the minimum consecutive successes for the probe to be considered successful after having failed. + + - `timeoutSeconds` (`int: 3`) - When set to a value, configures the number of seconds after which the probe times out. + - `server` - Values that configure running a Vault server within Kubernetes. - `enabled` (`boolean or string: "-"`) - When set to `true`, the Vault server will be created. When set to `"-"`, defaults to the value of `global.enabled`. @@ -309,7 +345,7 @@ and consider if they're appropriate for your deployment. - `repository` (`string: "hashicorp/vault"`) - The name of the Docker image for the containers running Vault. - - `tag` (`string: "1.12.1"`) - The tag of the Docker image for the containers running Vault. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller. + - `tag` (`string: "1.13.1"`) - The tag of the Docker image for the containers running Vault. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller. - `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists. @@ -429,6 +465,8 @@ and consider if they're appropriate for your deployment. - `timeoutSeconds` (`int: 3`) - When set to a value, configures the number of seconds after which the probe times out. + - `port` (`int: 8200`) - When set to a value, overrides the default port used for the server readiness probe. + ```yaml readinessProbe: enabled: true @@ -438,15 +476,16 @@ and consider if they're appropriate for your deployment. periodSeconds: 5 successThreshold: 1 timeoutSeconds: 3 + port: 8200 ``` - - `livenessProbe` - Values that configure the liveliness probe for the Vault pods. + - `livenessProbe` - Values that configure the liveness probe for the Vault pods. - - `enabled` (`boolean: false`) - When set to `true`, a liveliness probe will be applied to the Vault pods. + - `enabled` (`boolean: false`) - When set to `true`, a liveness probe will be applied to the Vault pods. - `path` (`string: "/v1/sys/health?standbyok=true"`) - When set to a value, enables HTTP/HTTPS probes instead of using the default `exec` probe. The http/https scheme is controlled by the `tlsDisable` value. - - `initialDelaySeconds` (`int: 60`) - Sets the initial delay of the liveliness probe when the container starts. + - `initialDelaySeconds` (`int: 60`) - Sets the initial delay of the liveness probe when the container starts. - `failureThreshold` (`int: 2`) - When set to a value, configures how many probe failures will be tolerated by Kubernetes. @@ -456,8 +495,10 @@ and consider if they're appropriate for your deployment. - `timeoutSeconds` (`int: 3`) - When set to a value, configures the number of seconds after which the probe times out. + - `port` (`int: 8200`) - When set to a value, overrides the default port used for the server liveness probe. + ```yaml - livelinessProbe: + livenessProbe: enabled: true path: /v1/sys/health?standbyok=true initialDelaySeconds: 60 @@ -465,6 +506,7 @@ and consider if they're appropriate for your deployment. periodSeconds: 5 successThreshold: 1 timeoutSeconds: 3 + port: 8200 ``` - `terminationGracePeriodSeconds` (`int: 10`) - Optional duration in seconds the pod needs to terminate gracefully. See: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ @@ -509,6 +551,14 @@ and consider if they're appropriate for your deployment. extraArgs: '-config=/path/to/extra/config.hcl -log-format=json' ``` + - `extraPorts` (`array: []`) - additional ports to add to the server statefulset + + ```yaml + extraPorts: + - containerPort: 8300 + name: http-monitoring + ``` + - `extraSecretEnvironmentVars` (`array: []`) - The extra environment variables populated from a secret to be applied to the Vault server. - `envName` (`string: required`) - @@ -978,7 +1028,7 @@ and consider if they're appropriate for your deployment. - `repository` (`string: "hashicorp/vault-csi-provider"`) - The name of the Docker image for the Vault CSI Provider. - - `tag` (`string: "1.2.1"`) - The tag of the Docker image for the Vault CSI Provider.. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your CSI provider. + - `tag` (`string: "1.3.0"`) - The tag of the Docker image for the Vault CSI Provider.. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your CSI provider. - `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists locally. @@ -1091,9 +1141,9 @@ and consider if they're appropriate for your deployment. - `timeoutSeconds` (`int: 3`) - When set to a value, configures the number of seconds after which the probe times out. - - `livenessProbe` - Values that configure the liveliness probe for the Vault CSI Provider pods. + - `livenessProbe` - Values that configure the liveness probe for the Vault CSI Provider pods. - - `initialDelaySeconds` (`int: 5`) - Sets the initial delay of the liveliness probe when the container starts. + - `initialDelaySeconds` (`int: 5`) - Sets the initial delay of the liveness probe when the container starts. - `failureThreshold` (`int: 2`) - When set to a value, configures how many probe failures will be tolerated by Kubernetes. @@ -1105,7 +1155,31 @@ and consider if they're appropriate for your deployment. - `debug` (`bool: false`) - When set to true, enables debug logging on the Vault CSI Provider daemonset. - - `extraArgs` (`string: array`) - The extra arguments to be applied to the CSI pod startup command. See [here](/vault/docs/platform/k8s/csi/configurations#command-line-arguments) for available flags. + - `extraArgs` (`array: []`) - The extra arguments to be applied to the CSI pod startup command. See [here](/vault/docs/platform/k8s/csi/configurations#command-line-arguments) for available flags. + + - `agent` - Configures the Vault Agent sidecar for the CSI Provider + - `enabled` (`bool: true`) - whether to enable the agent sidecar for the CSI provider + - `extraArgs` (`array: []`) - The extra arguments to be applied to the agent startup command. + + - `image` - Values that configure the Vault Agent sidecar image for the CSI Provider. + - `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for agent image. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists. + + - `repository` (`string: "hashicorp/vault"`) - The name of the Docker image for the Vault Agent sidecar. This should be set to the official Vault Docker image. + + - `tag` (`string: "1.13.1"`) - The tag of the Vault Docker image to use for the Vault Agent Sidecar. + + - `logFormat` (`string: "standard"`) - + - `logLevel` (`string: "info"`) - + - `resources` (`dictionary: {}`) - The resource requests and limits (CPU, memory, etc.) for the agent. This should be a YAML dictionary of a Kubernetes [ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#resourcerequirements-v1-core) object. + ```yaml + resources: + requests: + memory: '256Mi' + cpu: '250m' + limits: + memory: '256Mi' + cpu: '250m' + ``` - `serverTelemetry` - Values the configure metrics and telemetry. Enabling these features requires setting the `telemetry {}` stanza in the Vault configuration. See the [telemetry](/vault/docs/configuration/telemetry) diff --git a/website/content/docs/platform/k8s/helm/enterprise.mdx b/website/content/docs/platform/k8s/helm/enterprise.mdx index 1505a81f68d8..8c21049209fc 100644 --- a/website/content/docs/platform/k8s/helm/enterprise.mdx +++ b/website/content/docs/platform/k8s/helm/enterprise.mdx @@ -33,7 +33,7 @@ In your chart overrides, set the values of [`server.image`](/vault/docs/platform server: image: repository: hashicorp/vault-enterprise - tag: 1.12.1-ent + tag: 1.13.1-ent enterpriseLicense: secretName: vault-ent-license ``` diff --git a/website/content/docs/platform/k8s/helm/examples/enterprise-dr-with-raft.mdx b/website/content/docs/platform/k8s/helm/examples/enterprise-dr-with-raft.mdx index 56a56dc82721..687704cf4ab0 100644 --- a/website/content/docs/platform/k8s/helm/examples/enterprise-dr-with-raft.mdx +++ b/website/content/docs/platform/k8s/helm/examples/enterprise-dr-with-raft.mdx @@ -23,7 +23,7 @@ First, create the primary cluster: ```shell helm install vault-primary hashicorp/vault \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.12.1-ent' \ + --set='server.image.tag=1.13.1-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' ``` @@ -75,7 +75,7 @@ disaster recovery replication. ```shell helm install vault-secondary hashicorp/vault \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.12.1-ent' \ + --set='server.image.tag=1.13.1-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' ``` diff --git a/website/content/docs/platform/k8s/helm/examples/enterprise-perf-with-raft.mdx b/website/content/docs/platform/k8s/helm/examples/enterprise-perf-with-raft.mdx index 28f0f5c79388..89ab693bbb78 100644 --- a/website/content/docs/platform/k8s/helm/examples/enterprise-perf-with-raft.mdx +++ b/website/content/docs/platform/k8s/helm/examples/enterprise-perf-with-raft.mdx @@ -23,7 +23,7 @@ First, create the primary cluster: ```shell helm install vault-primary hashicorp/vault \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.12.1-ent' \ + --set='server.image.tag=1.13.1-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' ``` @@ -74,7 +74,7 @@ With the primary cluster created, next create a secondary cluster. ```shell helm install vault-secondary hashicorp/vault \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.12.1-ent' \ + --set='server.image.tag=1.13.1-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' ``` diff --git a/website/content/docs/platform/k8s/helm/examples/enterprise-with-raft.mdx b/website/content/docs/platform/k8s/helm/examples/enterprise-with-raft.mdx index 5eb2c1cddaf6..1989275a6884 100644 --- a/website/content/docs/platform/k8s/helm/examples/enterprise-with-raft.mdx +++ b/website/content/docs/platform/k8s/helm/examples/enterprise-with-raft.mdx @@ -15,7 +15,7 @@ Integrated Storage (raft) can be enabled using the `server.ha.raft.enabled` valu ```shell helm install vault hashicorp/vault \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.12.1-ent' \ + --set='server.image.tag=1.13.1-ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' ``` diff --git a/website/content/docs/platform/k8s/helm/run.mdx b/website/content/docs/platform/k8s/helm/run.mdx index 042366566482..a9078607b952 100644 --- a/website/content/docs/platform/k8s/helm/run.mdx +++ b/website/content/docs/platform/k8s/helm/run.mdx @@ -409,14 +409,14 @@ Next, list the Helm versions and choose the desired version to install. ```bash $ helm search repo hashicorp/vault NAME CHART VERSION APP VERSION DESCRIPTION -hashicorp/vault 0.23.0 1.12.1 Official HashiCorp Vault Chart +hashicorp/vault 0.24.0 1.13.1 Official HashiCorp Vault Chart ``` Next, test the upgrade with `--dry-run` first to verify the changes sent to the Kubernetes cluster. ```shell-session -$ helm upgrade vault hashicorp/vault --version=0.23.0 \ +$ helm upgrade vault hashicorp/vault --version=0.24.0 \ --set='server.image.repository=vault' \ --set='server.image.tag=123.456' \ --dry-run diff --git a/website/content/partials/helm/install.mdx b/website/content/partials/helm/install.mdx index e06d56302a24..4c94d424be22 100644 --- a/website/content/partials/helm/install.mdx +++ b/website/content/partials/helm/install.mdx @@ -2,15 +2,15 @@ # List the available releases $ helm search repo hashicorp/vault -l NAME CHART VERSION APP VERSION DESCRIPTION +hashicorp/vault 0.24.0 1.13.1 Official HashiCorp Vault Chart hashicorp/vault 0.23.0 1.12.1 Official HashiCorp Vault Chart hashicorp/vault 0.22.1 1.12.0 Official HashiCorp Vault Chart hashicorp/vault 0.22.0 1.11.3 Official HashiCorp Vault Chart hashicorp/vault 0.21.0 1.11.2 Official HashiCorp Vault Chart hashicorp/vault 0.20.1 1.10.3 Official HashiCorp Vault Chart hashicorp/vault 0.20.0 1.10.3 Official HashiCorp Vault Chart -hashicorp/vault 0.19.0 1.9.2 Official HashiCorp Vault Chart ... -# Install version 0.23.0 -$ helm install vault hashicorp/vault --version 0.23.0 +# Install version 0.24.0 +$ helm install vault hashicorp/vault --version 0.24.0 ``` diff --git a/website/content/partials/helm/repo.mdx b/website/content/partials/helm/repo.mdx index 62ff0453a7d8..f3571bbea1c0 100644 --- a/website/content/partials/helm/repo.mdx +++ b/website/content/partials/helm/repo.mdx @@ -4,5 +4,5 @@ $ helm repo add hashicorp https://helm.releases.hashicorp.com $ helm search repo hashicorp/vault NAME CHART VERSION APP VERSION DESCRIPTION -hashicorp/vault 0.23.0 1.12.1 Official HashiCorp Vault Chart +hashicorp/vault 0.24.0 1.13.1 Official HashiCorp Vault Chart ```