From 781c396feb1cc91cfa4af68c67d4c03df5650b26 Mon Sep 17 00:00:00 2001 From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com> Date: Mon, 27 May 2024 18:01:26 -0700 Subject: [PATCH] backport of commit 990a25aee207fadffb267fb9998d962236e2f82d (#27247) Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> --- .../docs/platform/k8s/vso/api-reference.mdx | 8 +- .../content/docs/platform/k8s/vso/helm.mdx | 77 +++++++++++++++++-- .../docs/platform/k8s/vso/installation.mdx | 20 ++--- .../docs/platform/k8s/vso/openshift.mdx | 4 +- 4 files changed, 88 insertions(+), 21 deletions(-) diff --git a/website/content/docs/platform/k8s/vso/api-reference.mdx b/website/content/docs/platform/k8s/vso/api-reference.mdx index 57c1f1c18feb..cb2ccf98eb10 100644 --- a/website/content/docs/platform/k8s/vso/api-reference.mdx +++ b/website/content/docs/platform/k8s/vso/api-reference.mdx @@ -7,7 +7,7 @@ description: >- # API Reference @@ -212,7 +212,7 @@ with a timestamp value of when the trigger was executed. E.g. vso.secrets.hashicorp.com/restartedAt: "2023-03-23T13:39:31Z" -Supported resources: Deployment, DaemonSet, StatefulSet +Supported resources: Deployment, DaemonSet, StatefulSet, argo.Rollout @@ -224,8 +224,8 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | -| `kind` _string_ | | | Enum: [Deployment DaemonSet StatefulSet]
| -| `name` _string_ | | | | +| `kind` _string_ | Kind of the resource | | Enum: [Deployment DaemonSet StatefulSet argo.Rollout]
| +| `name` _string_ | Name of the resource | | | #### SecretTransformation diff --git a/website/content/docs/platform/k8s/vso/helm.mdx b/website/content/docs/platform/k8s/vso/helm.mdx index 05d0e219d082..793a1843fe7a 100644 --- a/website/content/docs/platform/k8s/vso/helm.mdx +++ b/website/content/docs/platform/k8s/vso/helm.mdx @@ -11,7 +11,7 @@ The chart is customizable using [Helm configuration values](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). + the vault-secrets-operator repo's values.yaml: file commit=f9ddeb63c4d884360c3eeb127d09d13de34393f4 --> ## Top-Level Stanzas @@ -34,6 +34,16 @@ Use these links to navigate to a particular top-level stanza. - `replicas` ((#v-controller-replicas)) (`integer: 1`) - Set the number of replicas for the operator. + - `strategy` ((#v-controller-strategy)) (`object: ""`) - Configure update strategy for multi-replica deployments. + Kubernetes supports types Recreate, and RollingUpdate + ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + Example: + strategy: {} + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + - `hostAliases` ((#v-controller-hostaliases)) (`array`) - Host Aliases settings for vault-secrets-operator pod. The value is an array of PodSpec HostAlias maps. ref: https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/ 
@@ -74,6 +84,38 @@ Use these links to navigate to a particular top-level stanza. - antarctica-east1 - antarctica-west1 + - `rbac` ((#v-controller-rbac)) + + - `clusterRoleAggregation` ((#v-controller-rbac-clusterroleaggregation)) - clusterRoleAggregation defines the roles included in the aggregated ClusterRole. + + - `viewerRoles` ((#v-controller-rbac-clusterroleaggregation-viewerroles)) (`array: []`) - viewerRoles is a list of roles that will be aggregated into the viewer ClusterRole. + The role name must be that of any VSO resource type. E.g. "VaultAuth", "HCPAuth". + All values are case-insensitive. + Specifying '*' as the first element will include all roles in the aggregation. + + The ClusterRole name takes the form of ``-aggregate-role-viewer. + + Example usages: + all roles: + - '*' + individually specified roles: + - "VaultAuth" + - "HCPAuth" + + - `editorRoles` ((#v-controller-rbac-clusterroleaggregation-editorroles)) (`array: []`) - editorRoles is a list of roles that will be aggregated into the editor ClusterRole. + The role name must be that of any VSO resource type. E.g. "VaultAuth", "HCPAuth". + All values are case-insensitive. + Specifying '*' as the first element will include all roles in the aggregation. + + The ClusterRole name takes the form of ``-aggregate-role-editor. + + Example usages: + all roles: + - '*' + individually specified roles: + - "VaultAuth" + - "HCPAuth" + - `kubeRbacProxy` ((#v-controller-kuberbacproxy)) - Settings related to the kubeRbacProxy container. This container is an HTTP proxy for the controller manager which performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. 
@@ -123,7 +165,21 @@ Use these links to navigate to a particular top-level stanza. - `repository` ((#v-controller-manager-image-repository)) (`string: hashicorp/vault-secrets-operator`) - - `tag` ((#v-controller-manager-image-tag)) (`string: 0.6.0`) + - `tag` ((#v-controller-manager-image-tag)) (`string: 0.7.0`) + + - `logging` ((#v-controller-manager-logging)) - logging + + - `level` ((#v-controller-manager-logging-level)) (`string: info`) - Sets the log level for the operator. + Builtin levels are: info, error, debug, debug-extended, trace + Default: info + + - `timeEncoding` ((#v-controller-manager-logging-timeencoding)) (`string: rfc3339`) - Sets the time encoding for the operator. + Options are: epoch, millis, nano, iso8601, rfc3339, rfc3339nano + Default: rfc3339 + + - `stacktraceLevel` ((#v-controller-manager-logging-stacktracelevel)) (`string: panic`) - Sets the stacktrace level for the operator. + Options are: info, error, panic + Default: panic - `globalTransformationOptions` ((#v-controller-manager-globaltransformationoptions)) - Global secret transformation options. In addition to the boolean options below, these options may be set via the 
@@ -133,6 +189,19 @@ Use these links to navigate to a particular top-level stanza. - `excludeRaw` ((#v-controller-manager-globaltransformationoptions-excluderaw)) (`boolean: false`) - excludeRaw directs the operator to prevent _raw secret data being stored in the destination K8s Secret. + - `backoffOnSecretSourceError` ((#v-controller-manager-backoffonsecretsourceerror)) - Backoff settings for the controller manager. These settings control the backoff behavior + when the controller encounters an error while fetching secrets from the SecretSource. + + - `initialInterval` ((#v-controller-manager-backoffonsecretsourceerror-initialinterval)) (`duration: 5s`) - Initial interval between retries. + + - `maxInterval` ((#v-controller-manager-backoffonsecretsourceerror-maxinterval)) (`duration: 60s`) - Maximum interval between retries. + + - `maxElapsedTime` ((#v-controller-manager-backoffonsecretsourceerror-maxelapsedtime)) (`duration: 0s`) - Maximum elapsed time before giving up. + + - `randomizationFactor` ((#v-controller-manager-backoffonsecretsourceerror-randomizationfactor)) (`float: 0.5`) - Randomization factor to add jitter to the interval between retries. + + - `multiplier` ((#v-controller-manager-backoffonsecretsourceerror-multiplier)) (`float: 1.5`) - Sets the multiplier for increasing the interval between retries. + - `clientCache` ((#v-controller-manager-clientcache)) - Configures the client cache which is used by the controller to cache (and potentially persist) vault tokens that are the result of using the VaultAuthMethod. This enables re-use of Vault Tokens throughout their TTLs as well as the ability to renew. 
@@ -301,8 +370,6 @@ Use these links to navigate to a particular top-level stanza. - `extraArgs` ((#v-controller-manager-extraargs)) (`array: []`) - Defines additional commandline arguments to be passed to the vault-secrets-operator manager container. - extraArgs: - - -zap-log-level=5 - `resources` ((#v-controller-manager-resources)) (`map`) - Configures the default resources for the vault-secrets-operator container. For more information on configuring resources, see the K8s documentation: @@ -520,7 +587,7 @@ Use these links to navigate to a particular top-level stanza. - `serviceMonitor` ((#v-telemetry-servicemonitor)) - - `enabled` ((#v-telemetry-servicemonitor-enabled)) (`boolean: false`) - The Prometheus operator *must* be installed before enabling this feature, + - `nabled` ((#v-telemetry-servicemonitor-nabled)) (`boolean: false`) - The Prometheus operator *must* be installed before enabling this feature, if not the chart will fail to install due to missing CustomResourceDefinitions provided by the operator. diff --git a/website/content/docs/platform/k8s/vso/installation.mdx b/website/content/docs/platform/k8s/vso/installation.mdx index 0748fc2acb3c..0ac1621eda4c 100644 --- a/website/content/docs/platform/k8s/vso/installation.mdx +++ b/website/content/docs/platform/k8s/vso/installation.mdx 
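Review bot: In the `@@ -520,7 +587,7 @@` hunk of helm.mdx the added line documents the serviceMonitor key as `nabled`, with anchor `#v-telemetry-servicemonitor-nabled`, where the removed line had `enabled`. The description text is otherwise identical, so this looks like a dropped character in the generated output rather than an intentional rename. A reader who copies the documented key would presumably set a value the chart ignores, so the ServiceMonitor would stay disabled without any error. The entry should keep the key `enabled` and the anchor `#v-telemetry-servicemonitor-enabled`. Since this page is generated from the operator's values.yaml, the fix likely belongs in the generator or its input rather than in this file.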
@@ -31,13 +31,13 @@ $ helm repo add hashicorp https://helm.releases.hashicorp.com ```shell-session $ helm search repo hashicorp/vault-secrets-operator NAME CHART VERSION APP VERSION DESCRIPTION -hashicorp/vault-secrets-operator 0.6.0 0.6.0 Official HashiCorp Vault Secrets Operator Chart +hashicorp/vault-secrets-operator 0.7.0 0.7.0 Official HashiCorp Vault Secrets Operator Chart ``` Then install the Operator: ```shell-session -$ helm install --version 0.6.0 --create-namespace --namespace vault-secrets-operator vault-secrets-operator hashicorp/vault-secrets-operator +$ helm install --version 0.7.0 --create-namespace --namespace vault-secrets-operator vault-secrets-operator hashicorp/vault-secrets-operator ``` ## Upgrading using Helm @@ -65,10 +65,10 @@ $ helm show crds --version hashicorp/vault-secrets-operator $ helm upgrade --version --namespace vault-secrets-operator vault-secrets-operator hashicorp/vault-secrets-operator ``` -For example, if you are upgrading to VSO 0.6.0: +For example, if you are upgrading to VSO 0.7.0: ```shell-session -$ helm show crds --version 0.6.0 hashicorp/vault-secrets-operator | kubectl apply -f - -$ helm upgrade --version 0.6.0 --namespace vault-secrets-operator vault-secrets-operator hashicorp/vault-secrets-operator +$ helm show crds --version 0.7.0 hashicorp/vault-secrets-operator | kubectl apply -f - +$ helm upgrade --version 0.7.0 --namespace vault-secrets-operator vault-secrets-operator hashicorp/vault-secrets-operator ``` ## Updating CRDs when using Helm 
@@ -83,9 +83,9 @@ To update the VSO CRDs, replace `` with the VSO version you $ helm show crds --version hashicorp/vault-secrets-operator | kubectl apply -f - ``` -For example, if you are upgrading to VSO 0.6.0: +For example, if you are upgrading to VSO 0.7.0: ```shell-session -$ helm show crds --version 0.6.0 hashicorp/vault-secrets-operator | kubectl apply -f - +$ helm show crds --version 0.7.0 hashicorp/vault-secrets-operator | kubectl apply -f - customresourcedefinition.apiextensions.k8s.io/hcpauths.secrets.hashicorp.com created customresourcedefinition.apiextensions.k8s.io/hcpvaultsecretsapps.secrets.hashicorp.com created @@ -112,9 +112,9 @@ You can install and update your installation using `kustomize` which allows you To install using Kustomize, download and untar/unzip the latest release from the [Releases Page](https://github.com/hashicorp/vault-secrets-operator/releases). ```shell-session -$ wget -q https://github.com/hashicorp/vault-secrets-operator/archive/refs/tags/v0.6.0.tar.gz -$ tar -zxf v0.6.0.tar.gz -$ cd vault-secrets-operator-0.6.0/ +$ wget -q https://github.com/hashicorp/vault-secrets-operator/archive/refs/tags/v0.7.0.tar.gz +$ tar -zxf v0.7.0.tar.gz +$ cd vault-secrets-operator-0.7.0/ ``` Next install using `kustomize build`: diff --git a/website/content/docs/platform/k8s/vso/openshift.mdx b/website/content/docs/platform/k8s/vso/openshift.mdx index 76f480bf5be3..04c0ff750f80 100644 --- a/website/content/docs/platform/k8s/vso/openshift.mdx +++ b/website/content/docs/platform/k8s/vso/openshift.mdx @@ -32,7 +32,7 @@ The Vault Secrets Operator may also be installed in OpenShift using the Helm cha $ helm install vault-secrets-operator hashicorp/vault-secrets-operator \ --create-namespace \ --namespace vault-secrets-operator \ - --version 0.6.0 \ + --version 0.7.0 \ --values values.yaml ``` 
@@ -65,7 +65,7 @@ controller: manager: image: repository: registry.connect.redhat.com/hashicorp/vault-secrets-operator - tag: 0.6.0-ubi + tag: 0.7.0-ubi resources: limits: memory: 256Mi