Change config specification #213
Conversation
|
|
|
Hi @davidmogar, thanks for the contribution! This feature has been on our list to do for some time, so I'm happy to see some progress here. I'm wondering if this feature could simply be reduced to using the For example, the config could be defined such: server:
standalone:
config:
ui: true
listener:
tcp:
address: "[::]:8200"
cluster_address: "[::]:8201"
tls_disable: 1
storage:
file:
path: "/vault/data"
telemetry:
statsite_address: "127.0.0.1:8125"
disable_hostname: trueThen the configmap could simply be: apiVersion: v1
kind: ConfigMap
metadata:
name: "{{ template "vault.fullname" . }}-config"
data:
config.json: |
{{ .Values.server.standalone.config | toJson }}Thoughts on your implementation verse this approach? |
|
Thanks for your comment @jasonodonnell. I wasn't aware of the possibility of specifying the config through json. In this case the code is way more simple and we can use Not sure about the need for |
|
@davidmogar
Hope that helps! |
|
Initial documentation for the change: hashicorp/vault#8423 |
|
Any news on this? |
|
Sorry for the delay @davidmogar, going to review this today. My only hesitation is this breaks existing functionality. On the other hand this is a way better UX. If you get a chance please resolve conflicts. |
|
No worries @jasonodonnell. Was merely a heads-up. I've fixed the conflicts. Let me know if you need anything else. |
|
I wouldn't worry about breaking BC. This still isn't even a 1.0 version of the chart. |
|
@jasonodonnell Any news on this? |
|
Hi @davidmogar, sorry for the long delay. We talked about this internally across other teams that use Helm and we're definitely hesitant on changing the UX across our products. That being said, we've experimented with a way of supporting the old style of config (string) vs this new style. An example of this can be found here: #272 I'm wondering if we can modify this PR to include similar logic? Users who have been using Vault Helm for some time won't need to upgrade their configuration to the new UX and we can gave them fair warning about deprecating the string style in the future. Thoughts? |
As it is right now, the specification of the config is done through an string. When using storage backends like PostgreSQL, the password for the database has to be included in the config variable of the values file. This change allows to specify the configuration through a map, making the chart GitOps friendly. Now, sensitive values can be stored in a different values file or passed on deployment time with --set. To have a very generic specification: - I've assumed that the combination stanza (eg. storage) name (eg. file) is unique. - Quoted values for all stanza parameters. I tested a generated configuration in a vault docker image and it seems to work just fine.
|
Hi @jasonodonnell, Makes sense to have both definitions working at the same time. I strongly suggest you to keep the yaml one. It's way more friendly and standard. In the meantime I left the original values file unchanged though. Your call on what to do with it although, again, I would use the yaml definition there too. Take a look and let me know if the last change goes more on the line of what you want. If so, would be nice if you could put this on the fast track as this PR is already 2 months old and forcing us to use a fork. |
| @@ -14,6 +14,9 @@ metadata: | |||
| app.kubernetes.io/managed-by: {{ .Release.Service }} | |||
| data: | |||
| extraconfig-from-values.hcl: |- | |||
| {{- if or (eq .mode "ha") (eq .mode "standalone")}} | |||
| {{- $type := typeOf (index .Values.server .mode).config }} | |||
There was a problem hiding this comment.
There's actually a new ha submode, raft, which has it's own configuration server.ha.raft.config. I think we'll need additional logic for that config file.
In the future we hope to consolidate these modes but we'll need to change this for now.
There was a problem hiding this comment.
Sorry, I didn't realize about the new submode. My last commit should address this problem.
In a side note, I think that you are over complicating the values file addressing problems where shouldn't be addressed.
It would be extremely more easy to define a single config variable with the specifics. If you want to provide examples, do so by creating multiple values files that the users can choose from or simply add comments. That would simplify the code a lot.
The only difference between modes, apart from the config, is the disruptionBudget in the ha, which could go outside the mode and be used if defined.
There was a problem hiding this comment.
Hi @davidmogar, thanks for adding this.
As I mentioned in my last comment:
In the future we hope to consolidate these modes but we'll need to change this for now.
Testing this now and looking to get it merged today.
|
Thank you for merging this, @jasonodonnell. |
* Change config specification As it is right now, the specification of the config is done through an string. When using storage backends like PostgreSQL, the password for the database has to be included in the config variable of the values file. This change allows to specify the configuration through a map, making the chart GitOps friendly. Now, sensitive values can be stored in a different values file or passed on deployment time with --set. To have a very generic specification: - I've assumed that the combination stanza (eg. storage) name (eg. file) is unique. - Quoted values for all stanza parameters. I tested a generated configuration in a vault docker image and it seems to work just fine. * Change config format to json * Add conditional formatting * Add config for raft mode
@jasonodonnell Just noticed these arguments and would like to leave a comment... I find it confusing that the |
As it is right now, the specification of the config is done through a string. When using storage backends like PostgreSQL, the password for the database has to be included in the config variable of the values file.
This change allows to specify the configuration through a map, making the chart GitOps friendly (eg. using it with Flux). Now, sensitive values can be stored in a different values file or passed on deployment time with
--set.To have a very generic specification:
As an example, your values file could contain something like this:
Edit:
As stated by @jasonodonnell, Vault support json as a format for the configuration. The new change will generate the following ConfigMap when providing the values shown above: