sa_8001/dsk-devops-toolchains
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

디렉토리 구조 및 각 서비스 추가

Browse Source
This commit is contained in:
dsk-minchulahn
2024-01-03 17:29:11 +09:00
parent 98de2a7627
commit d601d0f259
1632 changed files with 207616 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
helm/vault/templates/NOTES.txt Normal file
View File

@@ -0,0 +1,14 @@
Thank you for installing HashiCorp Vault!
Now that you have deployed Vault, you should look over the docs on using
Vault with Kubernetes available here:
https://www.vaultproject.io/docs/
Your release is named {{ .Release.Name }}. To learn more about the release, try:
$ helm status {{ .Release.Name }}
$ helm get manifest {{ .Release.Name }}

996
helm/vault/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,996 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to
this (by the DNS naming spec). If release name contains chart name it will
be used as a full name.
*/}}
{{- define "vault.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "vault.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Expand the name of the chart.
*/}}
{{- define "vault.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Compute if the csi driver is enabled.
*/}}
{{- define "vault.csiEnabled" -}}
{{- $_ := set . "csiEnabled" (or
(eq (.Values.csi.enabled | toString) "true")
(and (eq (.Values.csi.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
{{- end -}}
{{/*
Compute if the injector is enabled.
*/}}
{{- define "vault.injectorEnabled" -}}
{{- $_ := set . "injectorEnabled" (or
(eq (.Values.injector.enabled | toString) "true")
(and (eq (.Values.injector.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
{{- end -}}
{{/*
Compute if the server is enabled.
*/}}
{{- define "vault.serverEnabled" -}}
{{- $_ := set . "serverEnabled" (or
(eq (.Values.server.enabled | toString) "true")
(and (eq (.Values.server.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
{{- end -}}
{{/*
Compute if the server serviceaccount is enabled.
*/}}
{{- define "vault.serverServiceAccountEnabled" -}}
{{- $_ := set . "serverServiceAccountEnabled"
(and
(eq (.Values.server.serviceAccount.create | toString) "true" )
(or
(eq (.Values.server.enabled | toString) "true")
(eq (.Values.global.enabled | toString) "true"))) -}}
{{- end -}}
{{/*
Compute if the server auth delegator serviceaccount is enabled.
*/}}
{{- define "vault.serverAuthDelegator" -}}
{{- $_ := set . "serverAuthDelegator"
(and
(eq (.Values.server.authDelegator.enabled | toString) "true" )
(or (eq (.Values.server.serviceAccount.create | toString) "true")
(not (eq .Values.server.serviceAccount.name "")))
(or
(eq (.Values.server.enabled | toString) "true")
(eq (.Values.global.enabled | toString) "true"))) -}}
{{- end -}}
{{/*
Compute if the server service is enabled.
*/}}
{{- define "vault.serverServiceEnabled" -}}
{{- template "vault.serverEnabled" . -}}
{{- $_ := set . "serverServiceEnabled" (and .serverEnabled (eq (.Values.server.service.enabled | toString) "true")) -}}
{{- end -}}
{{/*
Compute if the ui is enabled.
*/}}
{{- define "vault.uiEnabled" -}}
{{- $_ := set . "uiEnabled" (or
(eq (.Values.ui.enabled | toString) "true")
(and (eq (.Values.ui.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
{{- end -}}
{{/*
Compute the maximum number of unavailable replicas for the PodDisruptionBudget.
This defaults to (n/2)-1 where n is the number of members of the server cluster.
Add a special case for replicas=1, where it should default to 0 as well.
*/}}
{{- define "vault.pdb.maxUnavailable" -}}
{{- if eq (int .Values.server.ha.replicas) 1 -}}
{{ 0 }}
{{- else if .Values.server.ha.disruptionBudget.maxUnavailable -}}
{{ .Values.server.ha.disruptionBudget.maxUnavailable -}}
{{- else -}}
{{- div (sub (div (mul (int .Values.server.ha.replicas) 10) 2) 1) 10 -}}
{{- end -}}
{{- end -}}
{{/*
Set the variable 'mode' to the server mode requested by the user to simplify
template logic.
*/}}
{{- define "vault.mode" -}}
{{- template "vault.serverEnabled" . -}}
{{- if or (.Values.injector.externalVaultAddr) (.Values.global.externalVaultAddr) -}}
{{- $_ := set . "mode" "external" -}}
{{- else if not .serverEnabled -}}
{{- $_ := set . "mode" "external" -}}
{{- else if eq (.Values.server.dev.enabled | toString) "true" -}}
{{- $_ := set . "mode" "dev" -}}
{{- else if eq (.Values.server.ha.enabled | toString) "true" -}}
{{- $_ := set . "mode" "ha" -}}
{{- else if or (eq (.Values.server.standalone.enabled | toString) "true") (eq (.Values.server.standalone.enabled | toString) "-") -}}
{{- $_ := set . "mode" "standalone" -}}
{{- else -}}
{{- $_ := set . "mode" "" -}}
{{- end -}}
{{- end -}}
{{/*
Set's the replica count based on the different modes configured by user
*/}}
{{- define "vault.replicas" -}}
{{ if eq .mode "standalone" }}
{{- default 1 -}}
{{ else if eq .mode "ha" }}
{{- .Values.server.ha.replicas | default 3 -}}
{{ else }}
{{- default 1 -}}
{{ end }}
{{- end -}}
{{/*
Set's up configmap mounts if this isn't a dev deployment and the user
defined a custom configuration. Additionally iterates over any
extra volumes the user may have specified (such as a secret with TLS).
*/}}
{{- define "vault.volumes" -}}
{{- if and (ne .mode "dev") (or (.Values.server.standalone.config) (.Values.server.ha.config)) }}
- name: config
configMap:
name: {{ template "vault.fullname" . }}-config
{{ end }}
{{- range .Values.server.extraVolumes }}
- name: userconfig-{{ .name }}
{{ .type }}:
{{- if (eq .type "configMap") }}
name: {{ .name }}
{{- else if (eq .type "secret") }}
secretName: {{ .name }}
{{- end }}
defaultMode: {{ .defaultMode | default 420 }}
{{- end }}
{{- if .Values.server.volumes }}
{{- toYaml .Values.server.volumes | nindent 8}}
{{- end }}
{{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }}
- name: vault-license
secret:
secretName: {{ .Values.server.enterpriseLicense.secretName }}
defaultMode: 0440
{{- end }}
{{- end -}}
{{/*
Set's the args for custom command to render the Vault configuration
file with IP addresses to make the out of box experience easier
for users looking to use this chart with Consul Helm.
*/}}
{{- define "vault.args" -}}
{{ if or (eq .mode "standalone") (eq .mode "ha") }}
- |
cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl;
[ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl;
[ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl;
[ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl;
[ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl;
[ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl;
[ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl;
/usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl {{ .Values.server.extraArgs }}
{{ else if eq .mode "dev" }}
- |
/usr/local/bin/docker-entrypoint.sh vault server -dev {{ .Values.server.extraArgs }}
{{ end }}
{{- end -}}
{{/*
Set's additional environment variables based on the mode.
*/}}
{{- define "vault.envs" -}}
{{ if eq .mode "dev" }}
- name: VAULT_DEV_ROOT_TOKEN_ID
value: {{ .Values.server.dev.devRootToken }}
- name: VAULT_DEV_LISTEN_ADDRESS
value: "[::]:8200"
{{ end }}
{{- end -}}
{{/*
Set's which additional volumes should be mounted to the container
based on the mode configured.
*/}}
{{- define "vault.mounts" -}}
{{ if eq (.Values.server.auditStorage.enabled | toString) "true" }}
- name: audit
mountPath: {{ .Values.server.auditStorage.mountPath }}
{{ end }}
{{ if or (eq .mode "standalone") (and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true")) }}
{{ if eq (.Values.server.dataStorage.enabled | toString) "true" }}
- name: data
mountPath: {{ .Values.server.dataStorage.mountPath }}
{{ end }}
{{ end }}
{{ if and (ne .mode "dev") (or (.Values.server.standalone.config) (.Values.server.ha.config)) }}
- name: config
mountPath: /vault/config
{{ end }}
{{- range .Values.server.extraVolumes }}
- name: userconfig-{{ .name }}
readOnly: true
mountPath: {{ .path | default "/vault/userconfig" }}/{{ .name }}
{{- end }}
{{- if .Values.server.volumeMounts }}
{{- toYaml .Values.server.volumeMounts | nindent 12}}
{{- end }}
{{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }}
- name: vault-license
mountPath: /vault/license
readOnly: true
{{- end }}
{{- end -}}
{{/*
Set's up the volumeClaimTemplates when data or audit storage is required. HA
might not use data storage since Consul is likely it's backend, however, audit
storage might be desired by the user.
*/}}
{{- define "vault.volumeclaims" -}}
{{- if and (ne .mode "dev") (or .Values.server.dataStorage.enabled .Values.server.auditStorage.enabled) }}
volumeClaimTemplates:
{{- if and (eq (.Values.server.dataStorage.enabled | toString) "true") (or (eq .mode "standalone") (eq (.Values.server.ha.raft.enabled | toString ) "true" )) }}
- metadata:
name: data
{{- include "vault.dataVolumeClaim.annotations" . | nindent 6 }}
spec:
accessModes:
- {{ .Values.server.dataStorage.accessMode | default "ReadWriteOnce" }}
resources:
requests:
storage: {{ .Values.server.dataStorage.size }}
{{- if .Values.server.dataStorage.storageClass }}
storageClassName: {{ .Values.server.dataStorage.storageClass }}
{{- end }}
{{ end }}
{{- if eq (.Values.server.auditStorage.enabled | toString) "true" }}
- metadata:
name: audit
{{- include "vault.auditVolumeClaim.annotations" . | nindent 6 }}
spec:
accessModes:
- {{ .Values.server.auditStorage.accessMode | default "ReadWriteOnce" }}
resources:
requests:
storage: {{ .Values.server.auditStorage.size }}
{{- if .Values.server.auditStorage.storageClass }}
storageClassName: {{ .Values.server.auditStorage.storageClass }}
{{- end }}
{{ end }}
{{ end }}
{{- end -}}
{{/*
Set's the affinity for pod placement when running in standalone and HA modes.
*/}}
{{- define "vault.affinity" -}}
{{- if and (ne .mode "dev") .Values.server.affinity }}
affinity:
{{ $tp := typeOf .Values.server.affinity }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.affinity . | nindent 8 | trim }}
{{- else }}
{{- toYaml .Values.server.affinity | nindent 8 }}
{{- end }}
{{ end }}
{{- end -}}
{{/*
Sets the injector affinity for pod placement
*/}}
{{- define "injector.affinity" -}}
{{- if .Values.injector.affinity }}
affinity:
{{ $tp := typeOf .Values.injector.affinity }}
{{- if eq $tp "string" }}
{{- tpl .Values.injector.affinity . | nindent 8 | trim }}
{{- else }}
{{- toYaml .Values.injector.affinity | nindent 8 }}
{{- end }}
{{ end }}
{{- end -}}
{{/*
Sets the topologySpreadConstraints when running in standalone and HA modes.
*/}}
{{- define "vault.topologySpreadConstraints" -}}
{{- if and (ne .mode "dev") .Values.server.topologySpreadConstraints }}
topologySpreadConstraints:
{{ $tp := typeOf .Values.server.topologySpreadConstraints }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.topologySpreadConstraints . | nindent 8 | trim }}
{{- else }}
{{- toYaml .Values.server.topologySpreadConstraints | nindent 8 }}
{{- end }}
{{ end }}
{{- end -}}
{{/*
Sets the injector topologySpreadConstraints for pod placement
*/}}
{{- define "injector.topologySpreadConstraints" -}}
{{- if .Values.injector.topologySpreadConstraints }}
topologySpreadConstraints:
{{ $tp := typeOf .Values.injector.topologySpreadConstraints }}
{{- if eq $tp "string" }}
{{- tpl .Values.injector.topologySpreadConstraints . | nindent 8 | trim }}
{{- else }}
{{- toYaml .Values.injector.topologySpreadConstraints | nindent 8 }}
{{- end }}
{{ end }}
{{- end -}}
{{/*
Sets the toleration for pod placement when running in standalone and HA modes.
*/}}
{{- define "vault.tolerations" -}}
{{- if and (ne .mode "dev") .Values.server.tolerations }}
tolerations:
{{- $tp := typeOf .Values.server.tolerations }}
{{- if eq $tp "string" }}
{{ tpl .Values.server.tolerations . | nindent 8 | trim }}
{{- else }}
{{- toYaml .Values.server.tolerations | nindent 8 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets the injector toleration for pod placement
*/}}
{{- define "injector.tolerations" -}}
{{- if .Values.injector.tolerations }}
tolerations:
{{- $tp := typeOf .Values.injector.tolerations }}
{{- if eq $tp "string" }}
{{ tpl .Values.injector.tolerations . | nindent 8 | trim }}
{{- else }}
{{- toYaml .Values.injector.tolerations | nindent 8 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Set's the node selector for pod placement when running in standalone and HA modes.
*/}}
{{- define "vault.nodeselector" -}}
{{- if and (ne .mode "dev") .Values.server.nodeSelector }}
nodeSelector:
{{- $tp := typeOf .Values.server.nodeSelector }}
{{- if eq $tp "string" }}
{{ tpl .Values.server.nodeSelector . | nindent 8 | trim }}
{{- else }}
{{- toYaml .Values.server.nodeSelector | nindent 8 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets the injector node selector for pod placement
*/}}
{{- define "injector.nodeselector" -}}
{{- if .Values.injector.nodeSelector }}
nodeSelector:
{{- $tp := typeOf .Values.injector.nodeSelector }}
{{- if eq $tp "string" }}
{{ tpl .Values.injector.nodeSelector . | nindent 8 | trim }}
{{- else }}
{{- toYaml .Values.injector.nodeSelector | nindent 8 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets the injector deployment update strategy
*/}}
{{- define "injector.strategy" -}}
{{- if .Values.injector.strategy }}
strategy:
{{- $tp := typeOf .Values.injector.strategy }}
{{- if eq $tp "string" }}
{{ tpl .Values.injector.strategy . | nindent 4 | trim }}
{{- else }}
{{- toYaml .Values.injector.strategy | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets extra pod annotations
*/}}
{{- define "vault.annotations" -}}
{{- if .Values.server.annotations }}
annotations:
{{- $tp := typeOf .Values.server.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.annotations . | nindent 8 }}
{{- else }}
{{- toYaml .Values.server.annotations | nindent 8 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets extra injector pod annotations
*/}}
{{- define "injector.annotations" -}}
{{- if .Values.injector.annotations }}
annotations:
{{- $tp := typeOf .Values.injector.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.injector.annotations . | nindent 8 }}
{{- else }}
{{- toYaml .Values.injector.annotations | nindent 8 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets extra injector service annotations
*/}}
{{- define "injector.service.annotations" -}}
{{- if .Values.injector.service.annotations }}
annotations:
{{- $tp := typeOf .Values.injector.service.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.injector.service.annotations . | nindent 4 }}
{{- else }}
{{- toYaml .Values.injector.service.annotations | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
securityContext for the injector pod level.
*/}}
{{- define "injector.securityContext.pod" -}}
{{- if .Values.injector.securityContext.pod }}
securityContext:
{{- $tp := typeOf .Values.injector.securityContext.pod }}
{{- if eq $tp "string" }}
{{- tpl .Values.injector.securityContext.pod . | nindent 8 }}
{{- else }}
{{- toYaml .Values.injector.securityContext.pod | nindent 8 }}
{{- end }}
{{- else if not .Values.global.openshift }}
securityContext:
runAsNonRoot: true
runAsGroup: {{ .Values.injector.gid | default 1000 }}
runAsUser: {{ .Values.injector.uid | default 100 }}
fsGroup: {{ .Values.injector.gid | default 1000 }}
{{- end }}
{{- end -}}
{{/*
securityContext for the injector container level.
*/}}
{{- define "injector.securityContext.container" -}}
{{- if .Values.injector.securityContext.container}}
securityContext:
{{- $tp := typeOf .Values.injector.securityContext.container }}
{{- if eq $tp "string" }}
{{- tpl .Values.injector.securityContext.container . | nindent 12 }}
{{- else }}
{{- toYaml .Values.injector.securityContext.container | nindent 12 }}
{{- end }}
{{- else if not .Values.global.openshift }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
{{- end }}
{{- end -}}
{{/*
securityContext for the statefulset pod template.
*/}}
{{- define "server.statefulSet.securityContext.pod" -}}
{{- if .Values.server.statefulSet.securityContext.pod }}
securityContext:
{{- $tp := typeOf .Values.server.statefulSet.securityContext.pod }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.statefulSet.securityContext.pod . | nindent 8 }}
{{- else }}
{{- toYaml .Values.server.statefulSet.securityContext.pod | nindent 8 }}
{{- end }}
{{- else if not .Values.global.openshift }}
securityContext:
runAsNonRoot: true
runAsGroup: {{ .Values.server.gid | default 1000 }}
runAsUser: {{ .Values.server.uid | default 100 }}
fsGroup: {{ .Values.server.gid | default 1000 }}
{{- end }}
{{- end -}}
{{/*
securityContext for the statefulset vault container
*/}}
{{- define "server.statefulSet.securityContext.container" -}}
{{- if .Values.server.statefulSet.securityContext.container }}
securityContext:
{{- $tp := typeOf .Values.server.statefulSet.securityContext.container }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.statefulSet.securityContext.container . | nindent 12 }}
{{- else }}
{{- toYaml .Values.server.statefulSet.securityContext.container | nindent 12 }}
{{- end }}
{{- else if not .Values.global.openshift }}
securityContext:
allowPrivilegeEscalation: false
{{- end }}
{{- end -}}
{{/*
Sets extra injector service account annotations
*/}}
{{- define "injector.serviceAccount.annotations" -}}
{{- if and (ne .mode "dev") .Values.injector.serviceAccount.annotations }}
annotations:
{{- $tp := typeOf .Values.injector.serviceAccount.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.injector.serviceAccount.annotations . | nindent 4 }}
{{- else }}
{{- toYaml .Values.injector.serviceAccount.annotations | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets extra injector webhook annotations
*/}}
{{- define "injector.webhookAnnotations" -}}
{{- if or (((.Values.injector.webhook)).annotations) (.Values.injector.webhookAnnotations) }}
annotations:
{{- $tp := typeOf (or (((.Values.injector.webhook)).annotations) (.Values.injector.webhookAnnotations)) }}
{{- if eq $tp "string" }}
{{- tpl (((.Values.injector.webhook)).annotations | default .Values.injector.webhookAnnotations) . | nindent 4 }}
{{- else }}
{{- toYaml (((.Values.injector.webhook)).annotations | default .Values.injector.webhookAnnotations) | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Set's the injector webhook objectSelector
*/}}
{{- define "injector.objectSelector" -}}
{{- $v := or (((.Values.injector.webhook)).objectSelector) (.Values.injector.objectSelector) -}}
{{ if $v }}
objectSelector:
{{- $tp := typeOf $v -}}
{{ if eq $tp "string" }}
{{ tpl $v . | indent 6 | trim }}
{{ else }}
{{ toYaml $v | indent 6 | trim }}
{{ end }}
{{ end }}
{{ end }}
{{/*
Sets extra ui service annotations
*/}}
{{- define "vault.ui.annotations" -}}
{{- if .Values.ui.annotations }}
annotations:
{{- $tp := typeOf .Values.ui.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.ui.annotations . | nindent 4 }}
{{- else }}
{{- toYaml .Values.ui.annotations | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "vault.serviceAccount.name" -}}
{{- if .Values.server.serviceAccount.create -}}
{{ default (include "vault.fullname" .) .Values.server.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.server.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Sets extra service account annotations
*/}}
{{- define "vault.serviceAccount.annotations" -}}
{{- if and (ne .mode "dev") .Values.server.serviceAccount.annotations }}
annotations:
{{- $tp := typeOf .Values.server.serviceAccount.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.serviceAccount.annotations . | nindent 4 }}
{{- else }}
{{- toYaml .Values.server.serviceAccount.annotations | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets extra ingress annotations
*/}}
{{- define "vault.ingress.annotations" -}}
{{- if .Values.server.ingress.annotations }}
annotations:
{{- $tp := typeOf .Values.server.ingress.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.ingress.annotations . | nindent 4 }}
{{- else }}
{{- toYaml .Values.server.ingress.annotations | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets extra route annotations
*/}}
{{- define "vault.route.annotations" -}}
{{- if .Values.server.route.annotations }}
annotations:
{{- $tp := typeOf .Values.server.route.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.route.annotations . | nindent 4 }}
{{- else }}
{{- toYaml .Values.server.route.annotations | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets extra vault server Service annotations
*/}}
{{- define "vault.service.annotations" -}}
{{- if .Values.server.service.annotations }}
{{- $tp := typeOf .Values.server.service.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.service.annotations . | nindent 4 }}
{{- else }}
{{- toYaml .Values.server.service.annotations | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets PodSecurityPolicy annotations
*/}}
{{- define "vault.psp.annotations" -}}
{{- if .Values.global.psp.annotations }}
annotations:
{{- $tp := typeOf .Values.global.psp.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.global.psp.annotations . | nindent 4 }}
{{- else }}
{{- toYaml .Values.global.psp.annotations | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets extra statefulset annotations
*/}}
{{- define "vault.statefulSet.annotations" -}}
{{- if .Values.server.statefulSet.annotations }}
annotations:
{{- $tp := typeOf .Values.server.statefulSet.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.statefulSet.annotations . | nindent 4 }}
{{- else }}
{{- toYaml .Values.server.statefulSet.annotations | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets VolumeClaim annotations for data volume
*/}}
{{- define "vault.dataVolumeClaim.annotations" -}}
{{- if and (ne .mode "dev") (.Values.server.dataStorage.enabled) (.Values.server.dataStorage.annotations) }}
annotations:
{{- $tp := typeOf .Values.server.dataStorage.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.dataStorage.annotations . | nindent 4 }}
{{- else }}
{{- toYaml .Values.server.dataStorage.annotations | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets VolumeClaim annotations for audit volume
*/}}
{{- define "vault.auditVolumeClaim.annotations" -}}
{{- if and (ne .mode "dev") (.Values.server.auditStorage.enabled) (.Values.server.auditStorage.annotations) }}
annotations:
{{- $tp := typeOf .Values.server.auditStorage.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.auditStorage.annotations . | nindent 4 }}
{{- else }}
{{- toYaml .Values.server.auditStorage.annotations | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Set's the container resources if the user has set any.
*/}}
{{- define "vault.resources" -}}
{{- if .Values.server.resources -}}
resources:
{{ toYaml .Values.server.resources | indent 12}}
{{ end }}
{{- end -}}
{{/*
Sets the container resources if the user has set any.
*/}}
{{- define "injector.resources" -}}
{{- if .Values.injector.resources -}}
resources:
{{ toYaml .Values.injector.resources | indent 12}}
{{ end }}
{{- end -}}
{{/*
Sets the container resources if the user has set any.
*/}}
{{- define "csi.resources" -}}
{{- if .Values.csi.resources -}}
resources:
{{ toYaml .Values.csi.resources | indent 12}}
{{ end }}
{{- end -}}
{{/*
Sets the container resources for CSI's Agent sidecar if the user has set any.
*/}}
{{- define "csi.agent.resources" -}}
{{- if .Values.csi.agent.resources -}}
resources:
{{ toYaml .Values.csi.agent.resources | indent 12}}
{{ end }}
{{- end -}}
{{/*
Sets extra CSI daemonset annotations
*/}}
{{- define "csi.daemonSet.annotations" -}}
{{- if .Values.csi.daemonSet.annotations }}
annotations:
{{- $tp := typeOf .Values.csi.daemonSet.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.csi.daemonSet.annotations . | nindent 4 }}
{{- else }}
{{- toYaml .Values.csi.daemonSet.annotations | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets CSI daemonset securityContext for pod template
*/}}
{{- define "csi.daemonSet.securityContext.pod" -}}
{{- if .Values.csi.daemonSet.securityContext.pod }}
securityContext:
{{- $tp := typeOf .Values.csi.daemonSet.securityContext.pod }}
{{- if eq $tp "string" }}
{{- tpl .Values.csi.daemonSet.securityContext.pod . | nindent 8 }}
{{- else }}
{{- toYaml .Values.csi.daemonSet.securityContext.pod | nindent 8 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets CSI daemonset securityContext for container
*/}}
{{- define "csi.daemonSet.securityContext.container" -}}
{{- if .Values.csi.daemonSet.securityContext.container }}
securityContext:
{{- $tp := typeOf .Values.csi.daemonSet.securityContext.container }}
{{- if eq $tp "string" }}
{{- tpl .Values.csi.daemonSet.securityContext.container . | nindent 12 }}
{{- else }}
{{- toYaml .Values.csi.daemonSet.securityContext.container | nindent 12 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets the injector toleration for pod placement
*/}}
{{- define "csi.pod.tolerations" -}}
{{- if .Values.csi.pod.tolerations }}
tolerations:
{{- $tp := typeOf .Values.csi.pod.tolerations }}
{{- if eq $tp "string" }}
{{ tpl .Values.csi.pod.tolerations . | nindent 8 | trim }}
{{- else }}
{{- toYaml .Values.csi.pod.tolerations | nindent 8 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets the CSI provider nodeSelector for pod placement
*/}}
{{- define "csi.pod.nodeselector" -}}
{{- if .Values.csi.pod.nodeSelector }}
nodeSelector:
{{- $tp := typeOf .Values.csi.pod.nodeSelector }}
{{- if eq $tp "string" }}
{{ tpl .Values.csi.pod.nodeSelector . | nindent 8 | trim }}
{{- else }}
{{- toYaml .Values.csi.pod.nodeSelector | nindent 8 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets the CSI provider affinity for pod placement.
*/}}
{{- define "csi.pod.affinity" -}}
{{- if .Values.csi.pod.affinity }}
affinity:
{{ $tp := typeOf .Values.csi.pod.affinity }}
{{- if eq $tp "string" }}
{{- tpl .Values.csi.pod.affinity . | nindent 8 | trim }}
{{- else }}
{{- toYaml .Values.csi.pod.affinity | nindent 8 }}
{{- end }}
{{ end }}
{{- end -}}
{{/*
Sets extra CSI provider pod annotations
*/}}
{{- define "csi.pod.annotations" -}}
{{- if .Values.csi.pod.annotations }}
annotations:
{{- $tp := typeOf .Values.csi.pod.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.csi.pod.annotations . | nindent 8 }}
{{- else }}
{{- toYaml .Values.csi.pod.annotations | nindent 8 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets extra CSI service account annotations
*/}}
{{- define "csi.serviceAccount.annotations" -}}
{{- if .Values.csi.serviceAccount.annotations }}
annotations:
{{- $tp := typeOf .Values.csi.serviceAccount.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.csi.serviceAccount.annotations . | nindent 4 }}
{{- else }}
{{- toYaml .Values.csi.serviceAccount.annotations | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Inject extra environment vars in the format key:value, if populated
*/}}
{{- define "vault.extraEnvironmentVars" -}}
{{- if .extraEnvironmentVars -}}
{{- range $key, $value := .extraEnvironmentVars }}
- name: {{ printf "%s" $key | replace "." "_" | upper | quote }}
value: {{ $value | quote }}
{{- end }}
{{- end -}}
{{- end -}}
{{/*
Inject extra environment populated by secrets, if populated
*/}}
{{- define "vault.extraSecretEnvironmentVars" -}}
{{- if .extraSecretEnvironmentVars -}}
{{- range .extraSecretEnvironmentVars }}
- name: {{ .envName }}
valueFrom:
secretKeyRef:
name: {{ .secretName }}
key: {{ .secretKey }}
{{- end -}}
{{- end -}}
{{- end -}}
{{/* Scheme for health check and local endpoint */}}
{{- define "vault.scheme" -}}
{{- if .Values.global.tlsDisable -}}
{{ "http" }}
{{- else -}}
{{ "https" }}
{{- end -}}
{{- end -}}
{{/*
imagePullSecrets generates pull secrets from either string or map values.
A map value must be indexable by the key 'name'.
*/}}
{{- define "imagePullSecrets" -}}
{{- with .Values.global.imagePullSecrets -}}
imagePullSecrets:
{{- range . -}}
{{- if typeIs "string" . }}
- name: {{ . }}
{{- else if index . "name" }}
- name: {{ .name }}
{{- end }}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
externalTrafficPolicy sets a Service's externalTrafficPolicy if applicable.
Supported inputs are Values.server.service and Values.ui
*/}}
{{- define "service.externalTrafficPolicy" -}}
{{- $type := "" -}}
{{- if .serviceType -}}
{{- $type = .serviceType -}}
{{- else if .type -}}
{{- $type = .type -}}
{{- end -}}
{{- if and .externalTrafficPolicy (or (eq $type "LoadBalancer") (eq $type "NodePort")) }}
externalTrafficPolicy: {{ .externalTrafficPolicy }}
{{- else }}
{{- end }}
{{- end -}}
{{/*
loadBalancer configuration for the the UI service.
Supported inputs are Values.ui
*/}}
{{- define "service.loadBalancer" -}}
{{- if eq (.serviceType | toString) "LoadBalancer" }}
{{- if .loadBalancerIP }}
loadBalancerIP: {{ .loadBalancerIP }}
{{- end }}
{{- with .loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{- range . }}
- {{ . }}
{{- end }}
{{- end -}}
{{- end }}
{{- end -}}

34
helm/vault/templates/csi-agent-configmap.yaml Normal file
View File

@@ -0,0 +1,34 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.csiEnabled" . -}}
{{- if and (.csiEnabled) (eq (.Values.csi.agent.enabled | toString) "true") -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "vault.fullname" . }}-csi-provider-agent-config
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
data:
config.hcl: |
vault {
{{- if .Values.global.externalVaultAddr }}
"address" = "{{ .Values.global.externalVaultAddr }}"
{{- else }}
"address" = "{{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}"
{{- end }}
}
cache {}
listener "unix" {
address = "/var/run/vault/agent.sock"
tls_disable = true
}
{{- end }}

23
helm/vault/templates/csi-clusterrole.yaml Normal file
View File

@@ -0,0 +1,23 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "vault.fullname" . }}-csi-provider-clusterrole
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
- apiGroups:
- ""
resources:
- serviceaccounts/token
verbs:
- create
{{- end }}

24
helm/vault/templates/csi-clusterrolebinding.yaml Normal file
View File

@@ -0,0 +1,24 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "vault.fullname" . }}-csi-provider-clusterrolebinding
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "vault.fullname" . }}-csi-provider-clusterrole
subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}-csi-provider
namespace: {{ .Release.Namespace }}
{{- end }}

157
helm/vault/templates/csi-daemonset.yaml Normal file
View File

@@ -0,0 +1,157 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ template "vault.fullname" . }}-csi-provider
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.csi.daemonSet.extraLabels -}}
{{- toYaml .Values.csi.daemonSet.extraLabels | nindent 4 -}}
{{- end -}}
{{ template "csi.daemonSet.annotations" . }}
spec:
updateStrategy:
type: {{ .Values.csi.daemonSet.updateStrategy.type }}
{{- if .Values.csi.daemonSet.updateStrategy.maxUnavailable }}
rollingUpdate:
maxUnavailable: {{ .Values.csi.daemonSet.updateStrategy.maxUnavailable }}
{{- end }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
template:
metadata:
labels:
app.kubernetes.io/name: {{ template "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.csi.pod.extraLabels -}}
{{- toYaml .Values.csi.pod.extraLabels | nindent 8 -}}
{{- end -}}
{{ template "csi.pod.annotations" . }}
spec:
{{ template "csi.daemonSet.securityContext.pod" . }}
{{- if .Values.csi.priorityClassName }}
priorityClassName: {{ .Values.csi.priorityClassName }}
{{- end }}
serviceAccountName: {{ template "vault.fullname" . }}-csi-provider
{{- template "csi.pod.tolerations" . }}
{{- template "csi.pod.nodeselector" . }}
{{- template "csi.pod.affinity" . }}
containers:
- name: {{ include "vault.name" . }}-csi-provider
{{ template "csi.resources" . }}
{{ template "csi.daemonSet.securityContext.container" . }}
image: "{{ .Values.csi.image.repository }}:{{ .Values.csi.image.tag }}"
imagePullPolicy: {{ .Values.csi.image.pullPolicy }}
args:
- --endpoint=/provider/vault.sock
- --debug={{ .Values.csi.debug }}
{{- if .Values.csi.hmacSecretName }}
- --hmac-secret-name={{ .Values.csi.hmacSecretName }}
{{- else }}
- --hmac-secret-name={{- include "vault.name" . }}-csi-provider-hmac-key
{{- end }}
{{- if .Values.csi.extraArgs }}
{{- toYaml .Values.csi.extraArgs | nindent 12 }}
{{- end }}
env:
- name: VAULT_ADDR
{{- if eq (.Values.csi.agent.enabled | toString) "true" }}
value: "unix:///var/run/vault/agent.sock"
{{- else if .Values.global.externalVaultAddr }}
value: "{{ .Values.global.externalVaultAddr }}"
{{- else }}
value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
{{- end }}
volumeMounts:
- name: providervol
mountPath: "/provider"
{{- if eq (.Values.csi.agent.enabled | toString) "true" }}
- name: agent-unix-socket
mountPath: /var/run/vault
{{- end }}
{{- if .Values.csi.volumeMounts }}
{{- toYaml .Values.csi.volumeMounts | nindent 12}}
{{- end }}
livenessProbe:
httpGet:
path: /health/ready
port: 8080
failureThreshold: {{ .Values.csi.livenessProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.csi.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.csi.livenessProbe.periodSeconds }}
successThreshold: {{ .Values.csi.livenessProbe.successThreshold }}
timeoutSeconds: {{ .Values.csi.livenessProbe.timeoutSeconds }}
readinessProbe:
httpGet:
path: /health/ready
port: 8080
failureThreshold: {{ .Values.csi.readinessProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.csi.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.csi.readinessProbe.periodSeconds }}
successThreshold: {{ .Values.csi.readinessProbe.successThreshold }}
timeoutSeconds: {{ .Values.csi.readinessProbe.timeoutSeconds }}
{{- if eq (.Values.csi.agent.enabled | toString) "true" }}
- name: {{ include "vault.name" . }}-agent
image: "{{ .Values.csi.agent.image.repository }}:{{ .Values.csi.agent.image.tag }}"
imagePullPolicy: {{ .Values.csi.agent.image.pullPolicy }}
{{ template "csi.agent.resources" . }}
command:
- vault
args:
- agent
- -config=/etc/vault/config.hcl
{{- if .Values.csi.agent.extraArgs }}
{{- toYaml .Values.csi.agent.extraArgs | nindent 12 }}
{{- end }}
ports:
- containerPort: 8200
env:
- name: VAULT_LOG_LEVEL
value: "{{ .Values.csi.agent.logLevel }}"
- name: VAULT_LOG_FORMAT
value: "{{ .Values.csi.agent.logFormat }}"
securityContext:
runAsNonRoot: true
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 100
runAsGroup: 1000
volumeMounts:
- name: agent-config
mountPath: /etc/vault/config.hcl
subPath: config.hcl
readOnly: true
- name: agent-unix-socket
mountPath: /var/run/vault
{{- if .Values.csi.volumeMounts }}
{{- toYaml .Values.csi.volumeMounts | nindent 12 }}
{{- end }}
{{- end }}
volumes:
- name: providervol
hostPath:
path: {{ .Values.csi.daemonSet.providersDir }}
{{- if eq (.Values.csi.agent.enabled | toString) "true" }}
- name: agent-config
configMap:
name: {{ template "vault.fullname" . }}-csi-provider-agent-config
- name: agent-unix-socket
emptyDir:
medium: Memory
{{- end }}
{{- if .Values.csi.volumes }}
{{- toYaml .Values.csi.volumes | nindent 8}}
{{- end }}
{{- include "imagePullSecrets" . | nindent 6 }}
{{- end }}

31
helm/vault/templates/csi-role.yaml Normal file
View File

@@ -0,0 +1,31 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "vault.fullname" . }}-csi-provider-role
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
resourceNames:
{{- if .Values.csi.hmacSecretName }}
- {{ .Values.csi.hmacSecretName }}
{{- else }}
- {{ include "vault.name" . }}-csi-provider-hmac-key
{{- end }}
# 'create' permissions cannot be restricted by resource name:
# https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create"]
{{- end }}

24
helm/vault/templates/csi-rolebinding.yaml Normal file
View File

@@ -0,0 +1,24 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "vault.fullname" . }}-csi-provider-rolebinding
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "vault.fullname" . }}-csi-provider-role
subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}-csi-provider
namespace: {{ .Release.Namespace }}
{{- end }}

21
helm/vault/templates/csi-serviceaccount.yaml Normal file
View File

@@ -0,0 +1,21 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "vault.fullname" . }}-csi-provider
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.csi.serviceAccount.extraLabels -}}
{{- toYaml .Values.csi.serviceAccount.extraLabels | nindent 4 -}}
{{- end -}}
{{ template "csi.serviceAccount.annotations" . }}
{{- end }}

19
helm/vault/templates/injector-certs-secret.yaml Normal file
View File

@@ -0,0 +1,19 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
apiVersion: v1
kind: Secret
metadata:
name: vault-injector-certs
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{- end }}

24
helm/vault/templates/injector-clusterrole.yaml Normal file
View File

@@ -0,0 +1,24 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-clusterrole
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs:
- "get"
- "list"
- "watch"
- "patch"
{{ end }}

24
helm/vault/templates/injector-clusterrolebinding.yaml Normal file
View File

@@ -0,0 +1,24 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-binding
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "vault.fullname" . }}-agent-injector-clusterrole
subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ .Release.Namespace }}
{{ end }}

179
helm/vault/templates/injector-deployment.yaml Normal file
View File

@@ -0,0 +1,179 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
# Deployment for the injector
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
component: webhook
spec:
replicas: {{ .Values.injector.replicas }}
selector:
matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook
{{ template "injector.strategy" . }}
template:
metadata:
labels:
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook
{{- if .Values.injector.extraLabels -}}
{{- toYaml .Values.injector.extraLabels | nindent 8 -}}
{{- end -}}
{{ template "injector.annotations" . }}
spec:
{{ template "injector.affinity" . }}
{{ template "injector.topologySpreadConstraints" . }}
{{ template "injector.tolerations" . }}
{{ template "injector.nodeselector" . }}
{{- if .Values.injector.priorityClassName }}
priorityClassName: {{ .Values.injector.priorityClassName }}
{{- end }}
serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector"
{{ template "injector.securityContext.pod" . -}}
{{- if not .Values.global.openshift }}
hostNetwork: {{ .Values.injector.hostNetwork }}
{{- end }}
containers:
- name: sidecar-injector
{{ template "injector.resources" . }}
image: "{{ .Values.injector.image.repository }}:{{ .Values.injector.image.tag }}"
imagePullPolicy: "{{ .Values.injector.image.pullPolicy }}"
{{- template "injector.securityContext.container" . }}
env:
- name: AGENT_INJECT_LISTEN
value: {{ printf ":%v" .Values.injector.port }}
- name: AGENT_INJECT_LOG_LEVEL
value: {{ .Values.injector.logLevel | default "info" }}
- name: AGENT_INJECT_VAULT_ADDR
{{- if .Values.global.externalVaultAddr }}
value: "{{ .Values.global.externalVaultAddr }}"
{{- else if .Values.injector.externalVaultAddr }}
value: "{{ .Values.injector.externalVaultAddr }}"
{{- else }}
value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
{{- end }}
- name: AGENT_INJECT_VAULT_AUTH_PATH
value: {{ .Values.injector.authPath }}
- name: AGENT_INJECT_VAULT_IMAGE
value: "{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}"
{{- if .Values.injector.certs.secretName }}
- name: AGENT_INJECT_TLS_CERT_FILE
value: "/etc/webhook/certs/{{ .Values.injector.certs.certName }}"
- name: AGENT_INJECT_TLS_KEY_FILE
value: "/etc/webhook/certs/{{ .Values.injector.certs.keyName }}"
{{- else }}
- name: AGENT_INJECT_TLS_AUTO
value: {{ template "vault.fullname" . }}-agent-injector-cfg
- name: AGENT_INJECT_TLS_AUTO_HOSTS
value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }}.svc
{{- end }}
- name: AGENT_INJECT_LOG_FORMAT
value: {{ .Values.injector.logFormat | default "standard" }}
- name: AGENT_INJECT_REVOKE_ON_SHUTDOWN
value: "{{ .Values.injector.revokeOnShutdown | default false }}"
{{- if .Values.global.openshift }}
- name: AGENT_INJECT_SET_SECURITY_CONTEXT
value: "false"
{{- end }}
{{- if .Values.injector.metrics.enabled }}
- name: AGENT_INJECT_TELEMETRY_PATH
value: "/metrics"
{{- end }}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
- name: AGENT_INJECT_USE_LEADER_ELECTOR
value: "true"
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- end }}
- name: AGENT_INJECT_CPU_REQUEST
value: "{{ .Values.injector.agentDefaults.cpuRequest }}"
- name: AGENT_INJECT_CPU_LIMIT
value: "{{ .Values.injector.agentDefaults.cpuLimit }}"
- name: AGENT_INJECT_MEM_REQUEST
value: "{{ .Values.injector.agentDefaults.memRequest }}"
- name: AGENT_INJECT_MEM_LIMIT
value: "{{ .Values.injector.agentDefaults.memLimit }}"
{{- if .Values.injector.agentDefaults.ephemeralRequest }}
- name: AGENT_INJECT_EPHEMERAL_REQUEST
value: "{{ .Values.injector.agentDefaults.ephemeralRequest }}"
{{- end }}
{{- if .Values.injector.agentDefaults.ephemeralLimit }}
- name: AGENT_INJECT_EPHEMERAL_LIMIT
value: "{{ .Values.injector.agentDefaults.ephemeralLimit }}"
{{- end }}
- name: AGENT_INJECT_DEFAULT_TEMPLATE
value: "{{ .Values.injector.agentDefaults.template }}"
- name: AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE
value: "{{ .Values.injector.agentDefaults.templateConfig.exitOnRetryFailure }}"
{{- if .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }}
- name: AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL
value: "{{ .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }}"
{{- end }}
{{- include "vault.extraEnvironmentVars" .Values.injector | nindent 12 }}
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
args:
- agent-inject
- 2>&1
livenessProbe:
httpGet:
path: /health/ready
port: {{ .Values.injector.port }}
scheme: HTTPS
failureThreshold: {{ .Values.injector.livenessProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.injector.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.injector.livenessProbe.periodSeconds }}
successThreshold: {{ .Values.injector.livenessProbe.successThreshold }}
timeoutSeconds: {{ .Values.injector.livenessProbe.timeoutSeconds }}
readinessProbe:
httpGet:
path: /health/ready
port: {{ .Values.injector.port }}
scheme: HTTPS
failureThreshold: {{ .Values.injector.readinessProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.injector.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.injector.readinessProbe.periodSeconds }}
successThreshold: {{ .Values.injector.readinessProbe.successThreshold }}
timeoutSeconds: {{ .Values.injector.readinessProbe.timeoutSeconds }}
startupProbe:
httpGet:
path: /health/ready
port: {{ .Values.injector.port }}
scheme: HTTPS
failureThreshold: {{ .Values.injector.startupProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.injector.startupProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.injector.startupProbe.periodSeconds }}
successThreshold: {{ .Values.injector.startupProbe.successThreshold }}
timeoutSeconds: {{ .Values.injector.startupProbe.timeoutSeconds }}
{{- if .Values.injector.certs.secretName }}
volumeMounts:
- name: webhook-certs
mountPath: /etc/webhook/certs
readOnly: true
{{- end }}
{{- if .Values.injector.certs.secretName }}
volumes:
- name: webhook-certs
secret:
secretName: "{{ .Values.injector.certs.secretName }}"
{{- end }}
{{- include "imagePullSecrets" . | nindent 6 }}
{{ end }}

25
helm/vault/templates/injector-disruptionbudget.yaml Normal file
View File

@@ -0,0 +1,25 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- if .Values.injector.podDisruptionBudget }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
component: webhook
spec:
selector:
matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook
{{- toYaml .Values.injector.podDisruptionBudget | nindent 2 }}
{{- end -}}

44
helm/vault/templates/injector-mutating-webhook.yaml Normal file
View File

@@ -0,0 +1,44 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }}
apiVersion: admissionregistration.k8s.io/v1
{{- else }}
apiVersion: admissionregistration.k8s.io/v1beta1
{{- end }}
kind: MutatingWebhookConfiguration
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-cfg
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- template "injector.webhookAnnotations" . }}
webhooks:
- name: vault.hashicorp.com
failurePolicy: {{ ((.Values.injector.webhook)).failurePolicy | default .Values.injector.failurePolicy }}
matchPolicy: {{ ((.Values.injector.webhook)).matchPolicy | default "Exact" }}
sideEffects: None
timeoutSeconds: {{ ((.Values.injector.webhook)).timeoutSeconds | default "30" }}
admissionReviewVersions: ["v1", "v1beta1"]
clientConfig:
service:
name: {{ template "vault.fullname" . }}-agent-injector-svc
namespace: {{ .Release.Namespace }}
path: "/mutate"
caBundle: {{ .Values.injector.certs.caBundle | quote }}
rules:
- operations: ["CREATE", "UPDATE"]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
{{- if or (.Values.injector.namespaceSelector) (((.Values.injector.webhook)).namespaceSelector) }}
namespaceSelector:
{{ toYaml (((.Values.injector.webhook)).namespaceSelector | default .Values.injector.namespaceSelector) | indent 6}}
{{ end }}
{{- template "injector.objectSelector" . -}}
{{ end }}

29
helm/vault/templates/injector-network-policy.yaml Normal file
View File

@@ -0,0 +1,29 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if eq (.Values.global.openshift | toString) "true" }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ template "vault.fullname" . }}-agent-injector
labels:
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook
ingress:
- from:
- namespaceSelector: {}
ports:
- port: 8080
protocol: TCP
{{ end }}
{{ end }}

25
helm/vault/templates/injector-psp-role.yaml Normal file
View File

@@ -0,0 +1,25 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if eq (.Values.global.psp.enable | toString) "true" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-psp
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- {{ template "vault.fullname" . }}-agent-injector
{{- end }}
{{- end }}

26
helm/vault/templates/injector-psp-rolebinding.yaml Normal file
View File

@@ -0,0 +1,26 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if eq (.Values.global.psp.enable | toString) "true" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-psp
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
kind: Role
name: {{ template "vault.fullname" . }}-agent-injector-psp
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}-agent-injector
{{- end }}
{{- end }}

51
helm/vault/templates/injector-psp.yaml Normal file
View File

@@ -0,0 +1,51 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if eq (.Values.global.psp.enable | toString) "true" }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ template "vault.fullname" . }}-agent-injector
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- template "vault.psp.annotations" . }}
spec:
privileged: false
# Required to prevent escalations to root.
allowPrivilegeEscalation: false
volumes:
- configMap
- emptyDir
- projected
- secret
- downwardAPI
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
# Require the container to run without root privileges.
rule: MustRunAsNonRoot
seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux.
rule: RunAsAny
supplementalGroups:
rule: MustRunAs
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup:
rule: MustRunAs
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
readOnlyRootFilesystem: false
{{- end }}
{{- end }}

34
helm/vault/templates/injector-role.yaml Normal file
View File

@@ -0,0 +1,34 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
- apiGroups: [""]
resources: ["secrets", "configmaps"]
verbs:
- "create"
- "get"
- "watch"
- "list"
- "update"
- apiGroups: [""]
resources: ["pods"]
verbs:
- "get"
- "patch"
- "delete"
{{- end }}
{{- end }}

27
helm/vault/templates/injector-rolebinding.yaml Normal file
View File

@@ -0,0 +1,27 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-binding
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role
subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}

27
helm/vault/templates/injector-service.yaml Normal file
View File

@@ -0,0 +1,27 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-svc
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{ template "injector.service.annotations" . }}
spec:
ports:
- name: https
port: 443
targetPort: {{ .Values.injector.port }}
selector:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook
{{- end }}

18
helm/vault/templates/injector-serviceaccount.yaml Normal file
View File

@@ -0,0 +1,18 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{ template "injector.serviceAccount.annotations" . }}
{{ end }}

31
helm/vault/templates/prometheus-prometheusrules.yaml Normal file
View File

@@ -0,0 +1,31 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ if and (.Values.serverTelemetry.prometheusRules.rules)
(or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.prometheusRules.enabled) )
}}
---
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: {{ template "vault.fullname" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}}
{{- $selectors := .Values.serverTelemetry.prometheusRules.selectors }}
{{- if $selectors }}
{{- toYaml $selectors | nindent 4 }}
{{- else }}
release: prometheus
{{- end }}
spec:
groups:
- name: {{ include "vault.fullname" . }}
rules:
{{- toYaml .Values.serverTelemetry.prometheusRules.rules | nindent 6 }}
{{- end }}

49
helm/vault/templates/prometheus-servicemonitor.yaml Normal file
View File

@@ -0,0 +1,49 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{ if or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.serviceMonitor.enabled) }}
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "vault.fullname" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}}
{{- $selectors := .Values.serverTelemetry.serviceMonitor.selectors }}
{{- if $selectors }}
{{- toYaml $selectors | nindent 4 }}
{{- else }}
release: prometheus
{{- end }}
spec:
selector:
matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if eq .mode "ha" }}
vault-active: "true"
{{- else }}
vault-internal: "true"
{{- end }}
endpoints:
- port: {{ include "vault.scheme" . }}
interval: {{ .Values.serverTelemetry.serviceMonitor.interval }}
scrapeTimeout: {{ .Values.serverTelemetry.serviceMonitor.scrapeTimeout }}
scheme: {{ include "vault.scheme" . | lower }}
path: /v1/sys/metrics
params:
format:
- prometheus
tlsConfig:
insecureSkipVerify: true
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
{{ end }}

29
helm/vault/templates/server-clusterrolebinding.yaml Normal file
View File

@@ -0,0 +1,29 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.serverAuthDelegator" . }}
{{- if .serverAuthDelegator -}}
{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: rbac.authorization.k8s.io/v1beta1
{{- end }}
kind: ClusterRoleBinding
metadata:
name: {{ template "vault.fullname" . }}-server-binding
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: {{ template "vault.serviceAccount.name" . }}
namespace: {{ .Release.Namespace }}
{{ end }}

45
helm/vault/templates/server-config-configmap.yaml Normal file
View File

@@ -0,0 +1,45 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if .serverEnabled -}}
{{- if ne .mode "dev" -}}
{{ if or (.Values.server.standalone.config) (.Values.server.ha.config) -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "vault.fullname" . }}-config
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
data:
extraconfig-from-values.hcl: |-
{{- if or (eq .mode "ha") (eq .mode "standalone") }}
{{- $type := typeOf (index .Values.server .mode).config }}
{{- if eq $type "string" }}
disable_mlock = true
{{- if eq .mode "standalone" }}
{{ tpl .Values.server.standalone.config . | nindent 4 | trim }}
{{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "false") }}
{{ tpl .Values.server.ha.config . | nindent 4 | trim }}
{{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }}
{{ tpl .Values.server.ha.raft.config . | nindent 4 | trim }}
{{ end }}
{{- else }}
{{- if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }}
{{ merge (dict "disable_mlock" true) (index .Values.server .mode).raft.config | toPrettyJson | indent 4 }}
{{- else }}
{{ merge (dict "disable_mlock" true) (index .Values.server .mode).config | toPrettyJson | indent 4 }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

26
helm/vault/templates/server-discovery-role.yaml Normal file
View File

@@ -0,0 +1,26 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if .serverEnabled -}}
{{- if eq .mode "ha" }}
{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: {{ .Release.Namespace }}
name: {{ template "vault.fullname" . }}-discovery-role
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list", "update", "patch"]
{{ end }}
{{ end }}
{{ end }}

34
helm/vault/templates/server-discovery-rolebinding.yaml Normal file
View File

@@ -0,0 +1,34 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if .serverEnabled -}}
{{- if eq .mode "ha" }}
{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }}
{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: rbac.authorization.k8s.io/v1beta1
{{- end }}
kind: RoleBinding
metadata:
name: {{ template "vault.fullname" . }}-discovery-rolebinding
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "vault.fullname" . }}-discovery-role
subjects:
- kind: ServiceAccount
name: {{ template "vault.serviceAccount.name" . }}
namespace: {{ .Release.Namespace }}
{{ end }}
{{ end }}
{{ end }}

31
helm/vault/templates/server-disruptionbudget.yaml Normal file
View File

@@ -0,0 +1,31 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if ne .mode "external" -}}
{{- if .serverEnabled -}}
{{- if and (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}}
# PodDisruptionBudget to prevent degrading the server cluster through
# voluntary cluster changes.
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ template "vault.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
spec:
maxUnavailable: {{ template "vault.pdb.maxUnavailable" . }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
component: server
{{- end -}}
{{- end -}}
{{- end -}}

55
helm/vault/templates/server-ha-active-service.yaml Normal file
View File

@@ -0,0 +1,55 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
{{- if eq .mode "ha" }}
{{- if eq (.Values.server.service.active.enabled | toString) "true" }}
# Service for active Vault pod
apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}-active
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
vault-active: "true"
annotations:
{{ template "vault.service.annotations" .}}
spec:
{{- if .Values.server.service.type}}
type: {{ .Values.server.service.type }}
{{- end}}
{{- if .Values.server.service.clusterIP }}
clusterIP: {{ .Values.server.service.clusterIP }}
{{- end }}
{{- include "service.externalTrafficPolicy" .Values.server.service }}
publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
ports:
- name: {{ include "vault.scheme" . }}
port: {{ .Values.server.service.port }}
targetPort: {{ .Values.server.service.targetPort }}
{{- if and (.Values.server.service.activeNodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
nodePort: {{ .Values.server.service.activeNodePort }}
{{- end }}
- name: https-internal
port: 8201
targetPort: 8201
selector:
app.kubernetes.io/name: {{ include "vault.name" . }}
{{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
component: server
vault-active: "true"
{{- end }}
{{- end }}
{{- end }}
{{- end }}

54
helm/vault/templates/server-ha-standby-service.yaml Normal file
View File

@@ -0,0 +1,54 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
{{- if eq .mode "ha" }}
{{- if eq (.Values.server.service.standby.enabled | toString) "true" }}
# Service for standby Vault pod
apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}-standby
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
annotations:
{{ template "vault.service.annotations" .}}
spec:
{{- if .Values.server.service.type}}
type: {{ .Values.server.service.type }}
{{- end}}
{{- if .Values.server.service.clusterIP }}
clusterIP: {{ .Values.server.service.clusterIP }}
{{- end }}
{{- include "service.externalTrafficPolicy" .Values.server.service }}
publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
ports:
- name: {{ include "vault.scheme" . }}
port: {{ .Values.server.service.port }}
targetPort: {{ .Values.server.service.targetPort }}
{{- if and (.Values.server.service.standbyNodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
nodePort: {{ .Values.server.service.standbyNodePort }}
{{- end }}
- name: https-internal
port: 8201
targetPort: 8201
selector:
app.kubernetes.io/name: {{ include "vault.name" . }}
{{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
component: server
vault-active: "false"
{{- end }}
{{- end }}
{{- end }}
{{- end }}

39
helm/vault/templates/server-headless-service.yaml Normal file
View File

@@ -0,0 +1,39 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
# Service for Vault cluster
apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}-internal
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
vault-internal: "true"
annotations:
{{ template "vault.service.annotations" .}}
spec:
clusterIP: None
publishNotReadyAddresses: true
ports:
- name: "{{ include "vault.scheme" . }}"
port: {{ .Values.server.service.port }}
targetPort: {{ .Values.server.service.targetPort }}
- name: https-internal
port: 8201
targetPort: 8201
selector:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
component: server
{{- end }}
{{- end }}

69
helm/vault/templates/server-ingress.yaml Normal file
View File

@@ -0,0 +1,69 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- if not .Values.global.openshift }}
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if .Values.server.ingress.enabled -}}
{{- $extraPaths := .Values.server.ingress.extraPaths -}}
{{- $serviceName := include "vault.fullname" . -}}
{{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
{{- if and (eq .mode "ha" ) (eq (.Values.server.ingress.activeService | toString) "true") }}
{{- $serviceName = printf "%s-%s" $serviceName "active" -}}
{{- end }}
{{- $servicePort := .Values.server.service.port -}}
{{- $pathType := .Values.server.ingress.pathType -}}
{{- $kubeVersion := .Capabilities.KubeVersion.Version }}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ template "vault.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Values.server.ingress.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- template "vault.ingress.annotations" . }}
spec:
{{- if .Values.server.ingress.tls }}
tls:
{{- range .Values.server.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
{{- if .Values.server.ingress.ingressClassName }}
ingressClassName: {{ .Values.server.ingress.ingressClassName }}
{{- end }}
rules:
{{- range .Values.server.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{ if $extraPaths }}
{{ toYaml $extraPaths | indent 10 }}
{{- end }}
{{- range (.paths | default (list "/")) }}
- path: {{ . }}
pathType: {{ $pathType }}
backend:
service:
name: {{ $serviceName }}
port:
number: {{ $servicePort }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

31
helm/vault/templates/server-network-policy.yaml Normal file
View File

@@ -0,0 +1,31 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- if eq (.Values.server.networkPolicy.enabled | toString) "true" }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ template "vault.fullname" . }}
labels:
app.kubernetes.io/name: {{ template "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
ingress:
- from:
- namespaceSelector: {}
ports:
- port: 8200
protocol: TCP
- port: 8201
protocol: TCP
{{- if .Values.server.networkPolicy.egress }}
egress:
{{- toYaml .Values.server.networkPolicy.egress | nindent 4 }}
{{ end }}
{{ end }}

25
helm/vault/templates/server-psp-role.yaml Normal file
View File

@@ -0,0 +1,25 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if .serverEnabled -}}
{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "vault.fullname" . }}-psp
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- {{ template "vault.fullname" . }}
{{- end }}
{{- end }}

26
helm/vault/templates/server-psp-rolebinding.yaml Normal file
View File

@@ -0,0 +1,26 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if .serverEnabled -}}
{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "vault.fullname" . }}-psp
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
kind: Role
name: {{ template "vault.fullname" . }}-psp
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}
{{- end }}
{{- end }}

54
helm/vault/templates/server-psp.yaml Normal file
View File

@@ -0,0 +1,54 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if .serverEnabled -}}
{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ template "vault.fullname" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- template "vault.psp.annotations" . }}
spec:
privileged: false
# Required to prevent escalations to root.
allowPrivilegeEscalation: false
volumes:
- configMap
- emptyDir
- projected
- secret
- downwardAPI
{{- if eq (.Values.server.dataStorage.enabled | toString) "true" }}
- persistentVolumeClaim
{{- end }}
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
# Require the container to run without root privileges.
rule: MustRunAsNonRoot
seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux.
rule: RunAsAny
supplementalGroups:
rule: MustRunAs
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup:
rule: MustRunAs
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
readOnlyRootFilesystem: false
{{- end }}
{{- end }}

39
helm/vault/templates/server-route.yaml Normal file
View File

@@ -0,0 +1,39 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- if .Values.global.openshift }}
{{- if ne .mode "external" }}
{{- if .Values.server.route.enabled -}}
{{- $serviceName := include "vault.fullname" . -}}
{{- if and (eq .mode "ha" ) (eq (.Values.server.route.activeService | toString) "true") }}
{{- $serviceName = printf "%s-%s" $serviceName "active" -}}
{{- end }}
kind: Route
apiVersion: route.openshift.io/v1
metadata:
name: {{ template "vault.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Values.server.route.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- template "vault.route.annotations" . }}
spec:
host: {{ .Values.server.route.host }}
to:
kind: Service
name: {{ $serviceName }}
weight: 100
port:
targetPort: 8200
tls:
{{- toYaml .Values.server.route.tls | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}

51
helm/vault/templates/server-service.yaml Normal file
View File

@@ -0,0 +1,51 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
# Service for Vault cluster
apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
annotations:
{{ template "vault.service.annotations" .}}
spec:
{{- if .Values.server.service.type}}
type: {{ .Values.server.service.type }}
{{- end}}
{{- if .Values.server.service.clusterIP }}
clusterIP: {{ .Values.server.service.clusterIP }}
{{- end }}
{{- include "service.externalTrafficPolicy" .Values.server.service }}
# We want the servers to become available even if they're not ready
# since this DNS is also used for join operations.
publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
ports:
- name: {{ include "vault.scheme" . }}
port: {{ .Values.server.service.port }}
targetPort: {{ .Values.server.service.targetPort }}
{{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
nodePort: {{ .Values.server.service.nodePort }}
{{- end }}
- name: https-internal
port: 8201
targetPort: 8201
selector:
app.kubernetes.io/name: {{ include "vault.name" . }}
{{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
component: server
{{- end }}
{{- end }}

22
helm/vault/templates/server-serviceaccount.yaml Normal file
View File

@@ -0,0 +1,22 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.serverServiceAccountEnabled" . }}
{{- if .serverServiceAccountEnabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "vault.serviceAccount.name" . }}
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.server.serviceAccount.extraLabels -}}
{{- toYaml .Values.server.serviceAccount.extraLabels | nindent 4 -}}
{{- end -}}
{{ template "vault.serviceAccount.annotations" . }}
{{ end }}

217
helm/vault/templates/server-statefulset.yaml Normal file
View File

@@ -0,0 +1,217 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if ne .mode "" }}
{{- if .serverEnabled -}}
# StatefulSet to run the actual vault server cluster.
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ template "vault.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- template "vault.statefulSet.annotations" . }}
spec:
serviceName: {{ template "vault.fullname" . }}-internal
podManagementPolicy: Parallel
replicas: {{ template "vault.replicas" . }}
updateStrategy:
type: {{ .Values.server.updateStrategyType }}
selector:
matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
component: server
template:
metadata:
labels:
helm.sh/chart: {{ template "vault.chart" . }}
app.kubernetes.io/name: {{ template "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
component: server
{{- if .Values.server.extraLabels -}}
{{- toYaml .Values.server.extraLabels | nindent 8 -}}
{{- end -}}
{{ template "vault.annotations" . }}
spec:
{{ template "vault.affinity" . }}
{{ template "vault.topologySpreadConstraints" . }}
{{ template "vault.tolerations" . }}
{{ template "vault.nodeselector" . }}
{{- if .Values.server.priorityClassName }}
priorityClassName: {{ .Values.server.priorityClassName }}
{{- end }}
terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }}
serviceAccountName: {{ template "vault.serviceAccount.name" . }}
{{ if .Values.server.shareProcessNamespace }}
shareProcessNamespace: true
{{ end }}
{{- template "server.statefulSet.securityContext.pod" . }}
{{- if not .Values.global.openshift }}
hostNetwork: {{ .Values.server.hostNetwork }}
{{- end }}
volumes:
{{ template "vault.volumes" . }}
- name: home
emptyDir: {}
{{- if .Values.server.extraInitContainers }}
initContainers:
{{ toYaml .Values.server.extraInitContainers | nindent 8}}
{{- end }}
containers:
- name: vault
{{ template "vault.resources" . }}
image: {{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }}
imagePullPolicy: {{ .Values.server.image.pullPolicy }}
command:
- "/bin/sh"
- "-ec"
args: {{ template "vault.args" . }}
{{- template "server.statefulSet.securityContext.container" . }}
env:
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: VAULT_K8S_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: VAULT_K8S_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: VAULT_ADDR
value: "{{ include "vault.scheme" . }}://127.0.0.1:8200"
- name: VAULT_API_ADDR
{{- if .Values.server.ha.apiAddr }}
value: {{ .Values.server.ha.apiAddr }}
{{- else }}
value: "{{ include "vault.scheme" . }}://$(POD_IP):8200"
{{- end }}
- name: SKIP_CHOWN
value: "true"
- name: SKIP_SETCAP
value: "true"
- name: HOSTNAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: VAULT_CLUSTER_ADDR
{{- if .Values.server.ha.clusterAddr }}
value: {{ .Values.server.ha.clusterAddr | quote }}
{{- else }}
value: "https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201"
{{- end }}
{{- if and (eq (.Values.server.ha.raft.enabled | toString) "true") (eq (.Values.server.ha.raft.setNodeId | toString) "true") }}
- name: VAULT_RAFT_NODE_ID
valueFrom:
fieldRef:
fieldPath: metadata.name
{{- end }}
- name: HOME
value: "/home/vault"
{{- if .Values.server.logLevel }}
- name: VAULT_LOG_LEVEL
value: "{{ .Values.server.logLevel }}"
{{- end }}
{{- if .Values.server.logFormat }}
- name: VAULT_LOG_FORMAT
value: "{{ .Values.server.logFormat }}"
{{- end }}
{{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }}
- name: VAULT_LICENSE_PATH
value: /vault/license/{{ .Values.server.enterpriseLicense.secretKey }}
{{- end }}
{{ template "vault.envs" . }}
{{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }}
{{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }}
volumeMounts:
{{ template "vault.mounts" . }}
- name: home
mountPath: /home/vault
ports:
- containerPort: 8200
name: {{ include "vault.scheme" . }}
- containerPort: 8201
name: https-internal
- containerPort: 8202
name: {{ include "vault.scheme" . }}-rep
{{- if .Values.server.extraPorts -}}
{{ toYaml .Values.server.extraPorts | nindent 12}}
{{- end }}
{{- if .Values.server.readinessProbe.enabled }}
readinessProbe:
{{- if .Values.server.readinessProbe.path }}
httpGet:
path: {{ .Values.server.readinessProbe.path | quote }}
port: {{ .Values.server.readinessProbe.port }}
scheme: {{ include "vault.scheme" . | upper }}
{{- else }}
# Check status; unsealed vault servers return 0
# The exit code reflects the seal status:
# 0 - unsealed
# 1 - error
# 2 - sealed
exec:
command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"]
{{- end }}
failureThreshold: {{ .Values.server.readinessProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.server.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.server.readinessProbe.periodSeconds }}
successThreshold: {{ .Values.server.readinessProbe.successThreshold }}
timeoutSeconds: {{ .Values.server.readinessProbe.timeoutSeconds }}
{{- end }}
{{- if .Values.server.livenessProbe.enabled }}
livenessProbe:
httpGet:
path: {{ .Values.server.livenessProbe.path | quote }}
port: {{ .Values.server.livenessProbe.port }}
scheme: {{ include "vault.scheme" . | upper }}
failureThreshold: {{ .Values.server.livenessProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.server.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.server.livenessProbe.periodSeconds }}
successThreshold: {{ .Values.server.livenessProbe.successThreshold }}
timeoutSeconds: {{ .Values.server.livenessProbe.timeoutSeconds }}
{{- end }}
lifecycle:
# Vault container doesn't receive SIGTERM from Kubernetes
# and after the grace period ends, Kube sends SIGKILL. This
# causes issues with graceful shutdowns such as deregistering itself
# from Consul (zombie services).
preStop:
exec:
command: [
"/bin/sh", "-c",
# Adding a sleep here to give the pod eviction a
# chance to propagate, so requests will not be made
# to this pod while it's terminating
"sleep {{ .Values.server.preStopSleepSeconds }} && kill -SIGTERM $(pidof vault)",
]
{{- if .Values.server.postStart }}
postStart:
exec:
command:
{{- range (.Values.server.postStart) }}
- {{ . | quote }}
{{- end }}
{{- end }}
{{- if .Values.server.extraContainers }}
{{ toYaml .Values.server.extraContainers | nindent 8}}
{{- end }}
{{- include "imagePullSecrets" . | nindent 6 }}
{{ template "vault.volumeclaims" . }}
{{ end }}
{{ end }}
{{ end }}

56
helm/vault/templates/tests/server-test.yaml Normal file
View File

@@ -0,0 +1,56 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if .serverEnabled -}}
apiVersion: v1
kind: Pod
metadata:
name: "{{ .Release.Name }}-server-test"
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": test
spec:
{{- include "imagePullSecrets" . | nindent 2 }}
containers:
- name: {{ .Release.Name }}-server-test
image: {{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }}
imagePullPolicy: {{ .Values.server.image.pullPolicy }}
env:
- name: VAULT_ADDR
value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
{{- include "vault.extraEnvironmentVars" .Values.server | nindent 8 }}
command:
- /bin/sh
- -c
- |
echo "Checking for sealed info in 'vault status' output"
ATTEMPTS=10
n=0
until [ "$n" -ge $ATTEMPTS ]
do
echo "Attempt" $n...
vault status -format yaml | grep -E '^sealed: (true|false)' && break
n=$((n+1))
sleep 5
done
if [ $n -ge $ATTEMPTS ]; then
echo "timed out looking for sealed info in 'vault status' output"
exit 1
fi
exit 0
volumeMounts:
{{- if .Values.server.volumeMounts }}
{{- toYaml .Values.server.volumeMounts | nindent 8}}
{{- end }}
volumes:
{{- if .Values.server.volumes }}
{{- toYaml .Values.server.volumes | nindent 4}}
{{- end }}
restartPolicy: Never
{{- end }}
{{- end }}

42
helm/vault/templates/ui-service.yaml Normal file
View File

@@ -0,0 +1,42 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- template "vault.uiEnabled" . -}}
{{- if .uiEnabled -}}
apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}-ui
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}-ui
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- template "vault.ui.annotations" . }}
spec:
selector:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
component: server
{{- if and (.Values.ui.activeVaultPodOnly) (eq .mode "ha") }}
vault-active: "true"
{{- end }}
publishNotReadyAddresses: {{ .Values.ui.publishNotReadyAddresses }}
ports:
- name: {{ include "vault.scheme" . }}
port: {{ .Values.ui.externalPort }}
targetPort: {{ .Values.ui.targetPort }}
{{- if .Values.ui.serviceNodePort }}
nodePort: {{ .Values.ui.serviceNodePort }}
{{- end }}
type: {{ .Values.ui.serviceType }}
{{- include "service.externalTrafficPolicy" .Values.ui }}
{{- include "service.loadBalancer" .Values.ui }}
{{- end -}}
{{- end }}