Commit fcc309f9 by Guangbo Chen Committed by Denise Schannon

Bump vault-operator to 0.1.9

parent 85126c3d
apiVersion: v1 apiVersion: v1
description: A Helm chart for Vault, a tool for managing secrets description: CoreOS vault-operator Helm chart for Kubernetes
name: vault-operator name: vault-operator
version: 0.1.2 version: 0.1.3
icon: https://s3.amazonaws.com/hashicorp-marketing-web-assets/brand/Vault_VerticalLogo_FullColor.B1xPC0pSax.svg icon: file://../vault-logo.svg
home: https://github.com/coreos/vault-operator home: https://github.com/coreos/vault-operator
appVersion: 0.9.1 appVersion: 0.9.1
sources: sources:
......
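Review bot: `appVersion: 0.9.1` is carried over unchanged even though this commit bumps the operator image to 0.1.9 (the README now defaults `image.tag` to `0.1.9`); if `appVersion` is meant to track Vault rather than vault-operator, say so in `description`, otherwise it should move with the operator release so `helm search` shows what was actually shipped. The `icon` change to `file://../vault-logo.svg` also assumes that file is committed next to the chart directory, which this diff does not show.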
approvers:
- mlaccetti
reviewers:
- mlaccetti
## Overview # CoreOS vault-operator
The Vault operator deploys and manages [Vault][vault] clusters on Kubernetes. Vault instances created by the Vault operator are highly available and support automatic failover and upgrade.
[vault-operator](https://coreos.com/blog/introducing-vault-operator-project) Simplify vault cluster configuration and management.
### Project status: beta __DISCLAIMER:__ While this chart has been well-tested, the vault-operator is still currently in beta. Current project status is available [here](https://github.com/coreos/vault-operator).
The basic features have been completed, and while no breaking API changes are currently planned, the API can change in a backwards incompatible way before the project is declared stable.
## Configuration ## Configuration
Parameter | Description | Default
--------- | ----------- | ------- The following table lists the configurable parameters of the vault-operator chart and their default values.
`rbac.create` | If true, create & use RBAC resources | `true`
`serviceAccounts.create` | If true, create the values-operator service account | `true` | Parameter | Description | Default |
`imagePullPolicy` | all containers image pull policy | `IfNotPresent` | ------------------------------------------------- | -------------------------------------------------------------------- | ---------------------------------------------- |
`vaultOperator.replicaCount` | desired number of vault operator controller pod | `1` | `name` | name of the deployment | `vault-operator` |
`vaultOperator.image.repository` | vault operator container image repository | `quay.io/coreos/vault-operator` | `replicaCount` | Number of operator replicas to create (only 1 is supported) | `1` |
`vaultOperator.image.tag` | vault operator container image tag | `latest` | `image.repository` | vault-operator container image | `ranchercharts/vault-operator` |
`vaultOperator.resources` | vault operator pod resource requests & limits | `{}` | `image.tag` | vault-operator container image tag | `0.1.9` |
`vaultOperator.nodeSelector` | node labels for vault operator pod assignment | `{}` | `image.pullPolicy` | vault-operator container image pull policy | `Always` |
`vault.node` | desired number of vault cluster nodes | `2` | `rbac.create` | install required RBAC service account, roles and rolebindings | `true` |
`vault.version` | vault app version | `0.9.1-0` | `rbac.apiVersion` | RBAC api version `v1alpha1|v1beta1` | `v1beta1` |
`etcd.image.repository` | etcd container image repository | `quay.io/coreos/etcd-operator` | `serviceAccount.create` | create a new service account for the vault-operator | `true` |
`etcd.image.tag` | etcd container image tag | `v0.8.3` | `serviceAccount.name` | Name of the service account resource when RBAC is enabled | `vault-operator-sa` |
`ui.replicaCount` | desired number of Vault UI pod | `1` | `resources.cpu` | CPU limit per vault-operator pod | `100m` |
`ui.image.repository` | Vault UI container image repository | `djenriquez/vault-ui` | `resources.memory` | Memory limit per vault-operator pod | `128mi` |
`ui.image.tag` | Vault UI container image tag | `latest` | `nodeSelector` | Node labels for vault-operator pod assignment | `{}` |
`ui.resources` | Vault UI pod resource requests & limits | `{}` | `commandArgs` | Additional command arguments | `{}` |
`ui.nodeSelector` | node labels for Vault UI pod assignment | `{}`
`ui.ingress.enabled` | If true, Vault UI Ingress will be created | `false` Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example:
`ui.ingress.annotations` | Vault UI Ingress annotations | `{}`
`ui.ingress.hosts` | Vault UI Ingress hostnames | `[]` ```bash
`ui.ingress.tls` | Vault UI Ingress TLS configuration (YAML) | `[]` $ helm install --name my-release --set image.tag=v0.1.9 stable/vault-operator
`ui.vault.auth` | Vault UI login method | `TOKEN` ```
`ui.service.name` | Vault UI service name | `vault-ui`
`ui.service.type` | type of ui service to create | `ClusterIP` Alternatively, a YAML file that specifies the values for the parameters can be provided while
`ui.service.externalPort` | Vault UI service target port | `8000` installing the chart. For example:
`ui.service.internalPort` | Vault UI container port | `8000`
`ui.service.nodePort` | Port to be used as the service NodePort (ignored if `server.service.type` is not `NodePort`) | `0` ```bash
$ helm install --name my-release --values values.yaml stable/vault-operator
```
## Using the Vault cluster
## RBAC
See the [Vault usage guide](https://github.com/coreos/vault-operator/blob/master/doc/user/vault.md) on how to initialize, unseal, and use the deployed Vault cluster. By default the chart will install the recommended RBAC roles and rolebindings.
Consult the [monitoring guide](https://github.com/coreos/vault-operator/blob/master/doc/user/monitoring.md) on how to monitor and alert on a Vault cluster with Prometheus. To determine if your cluster supports this running the following:
See the [recovery guide](https://github.com/coreos/vault-operator/blob/master/doc/user/recovery.md) on how to backup and restore Vault cluster data using the etcd opeartor ```bash
$ kubectl api-versions | grep rbac
For an overview of the default TLS configuration or how to specify custom TLS assets for a Vault cluster see the [TLS setup guide](https://github.com/coreos/vault-operator/blob/master/doc/user/tls_setup.md). ```
[vault]: https://www.vaultproject.io/ You also need to have the following parameter on the api server. See the following document for how to enable [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/)
[etcd-operator]: https://github.com/coreos/etcd-operator/
```bash
--authorization-mode=RBAC
```
If the output contains "beta" or both "alpha" and "beta" you can may install rbac by default, if not, you may turn RBAC off as described below.
### RBAC Role/RoleBinding Creation
RBAC resources are enabled by default. To disable RBAC do the following:
```bash
$ helm install --name my-release stable/vault-operator --set rbac.create=false
```
### Changing RBAC Manifest apiVersion
By default the RBAC resources are generated with the "v1beta1" apiVersion. To use "v1alpha1" do the following:
```bash
$ helm install --name my-release stable/vault-operator --set rbac.install=true,rbac.apiVersion=v1alpha1
```
## Creating a Vault
### Deploy a CRD
```yaml
apiVersion: "vault.security.coreos.com/v1alpha1"
kind: "VaultService"
metadata:
name: "example"
spec:
nodes: 2
version: "0.9.1-0"
```
### Initialize Vault
```bash
kubectl -n <namespace> get vault example -o jsonpath='{.status.vaultStatus.sealed[0]}' | xargs -0 -I {} kubectl -n <namespace> port-forward {} 8200
vault init
```
### Unseal the Vault
Repeat as many times as nodes created. Run the `vault unseal` command three times.
```bash
kubectl -n <namespace> get vault example -o jsonpath='{.status.vaultStatus.sealed[0]}' | xargs -0 -I {} kubectl -n <namespace> port-forward {} 8200
vault unseal
```
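Review bot: the new README contradicts its own parameter table in three places. The table documents `rbac.create`, but the apiVersion example runs `--set rbac.install=true,rbac.apiVersion=v1alpha1`, a key the table never defines; the `image.tag` row defaults to `0.1.9` while the install example uses `--set image.tag=v0.1.9`, and only one of those can match the published tag; and the `resources.memory` default is written `128mi`, which the Kubernetes quantity parser rejects (the binary suffix is `Mi`). In the Initialize and Unseal snippets, `kubectl port-forward` stays in the foreground until interrupted, so the `vault init` / `vault unseal` line below it only runs after the tunnel is closed; background the port-forward or tell the reader to use two shells, and mention that the `vault` CLI needs `VAULT_ADDR` pointed at the forwarded port. The prose also needs "you can may install rbac" and "etcd opeartor" fixed.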
# Vault Operator # Vault Operator
Run and manage Vault on Kubernetes simply and securely. [vault-operator](https://github.com/coreos/vault-operator) Simplify vault cluster configuration and management.
__DISCLAIMER:__ While this chart has been well-tested, the vault-operator is still currently in beta. Current project status is available [here](https://github.com/coreos/vault-operator).
### Prerequisites ### Using the Vault cluster
See the [Vault usage guide](https://github.com/coreos/vault-operator/blob/master/doc/user/vault.md) on how to initialize, unseal, and use the deployed Vault cluster.
- Kubernetes 1.8+ Consult the [monitoring guide](https://github.com/coreos/vault-operator/blob/master/doc/user/monitoring.md) on how to monitor and alert on a Vault cluster with Prometheus.
See the [recovery guide](https://github.com/coreos/vault-operator/blob/master/doc/user/recovery.md) on how to backup and restore Vault cluster data using the etcd opeartor
For an overview of the default TLS configuration or how to specify custom TLS assets for a Vault cluster see the [TLS setup guide](https://github.com/coreos/vault-operator/blob/master/doc/user/tls_setup.md).
**Warning:**
Upgrade `vault-operator` from 0.1.2 to 0.1.3 is not supported, if you wish to use the newest version you will need to re-deploy the `vault-operator 0.1.3`.
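Review bot: the upgrade warning names chart versions 0.1.2 and 0.1.3 while the commit message and README talk about vault-operator 0.1.9; state which scheme is meant (chart version or operator image tag) so a user knows whether `helm upgrade` from the previous chart release is the unsupported path. The "Using the Vault cluster" paragraph, including the "etcd opeartor" typo, is duplicated verbatim from README.md, so any later correction has to land in both files; consider keeping the guide links in one place.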
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
apiVersion: v1
description: CoreOS etcd-operator Helm chart for Kubernetes
name: etcd-operator
version: 0.9.0
appVersion: 0.9.4
home: https://github.com/coreos/etcd-operator
icon: file://../etcd-logo.png
sources:
- https://github.com/coreos/etcd-operator
maintainers:
- name: lachie83
email: lachlan@deis.com
- name: alejandroEsc
email: jaescobar.cell@gmail.com
approvers:
- lachie83
- alejandroEsc
reviewers:
- lachie83
- alejandroEsc
# etcd-operator
[etcd-operator](https://coreos.com/blog/introducing-the-etcd-operator.html) Simplify etcd cluster configuration and management.
__DISCLAIMER:__ While this chart has been well-tested, the etcd-operator is still currently in beta. Current project status is available [here](https://github.com/coreos/etcd-operator).
## Introduction
This chart bootstraps an etcd-operator and allows the deployment of etcd-cluster(s).
### How to use it
With etcd-operator, users can now create a custom etcd cluster using custom resource definitions(CRDs) like EtcdCluster, EtcdBackup and EtcdRestore . e.g,
```YAML
apiVersion: etcd.database.coreos.com/v1beta2
kind: EtcdCluster
metadata:
name: "example-etcd-cluster"
## Adding this annotation make this cluster managed by clusterwide operators, namespaced operators ignore it
# annotations:
# etcd.database.coreos.com/scope: clusterwide
spec:
size: 3
version: "3.2.25"
```
For more details about CRD spec please refer to the [etcd-operator doc](https://github.com/coreos/etcd-operator/blob/master/doc/user/spec_examples.md).
categories:
- database
- keyvalue
labels:
io.rancher.certified: operator
io.cattle.role: cluster
questions:
- variable: defaultImage
default: true
description: "Use default Docker image"
label: Use Default Image
type: boolean
show_subquestion_if: false
group: "Container Images"
subquestions:
- variable: deployments.image.repository
default: "ranchercharts/coreos-etcd-operator"
description: "Etcd operator Docker image"
type: string
label: Etcd Operator Image Name
- variable: deployments.image.tag
default: "v0.9.4"
description: "Etcd operator Docker tag"
type: string
label: Etcd Operator Image Tag
- variable: etcdCluster.image.repository
default: "ranchercharts/coreos-etcd"
description: "Etcd container image"
type: string
label: Etcd Container Image Name
- variable: etcdCluster.image.tag
default: "v3.2.25"
description: "Etcd container image tag"
type: string
label: Etcd Container Image Tag
- variable: deployments.etcdOperator
default: true
description: "Deploy the etcd-operator controller"
required: true
label: Deploy the etcd Operator
type: boolean
show_subquestion_if: true
group: "etcd-operators"
subquestions:
- variable: clusterwide.enabled
default: false
description: "Set etcd operator manage clusters in all namespaces (more details on https://github.com/coreos/etcd-operator/blob/master/doc/user/clusterwide.md)"
label: Enable Clusterwide of etcd Operator
type: boolean
required: true
- variable: deployments.backupOperator
default: true
description: "Deploy the etcd backup operator, one time deployment, delete once completed"
label: Deploy the etcd Backup Operator
type: boolean
group: "etcd-operators"
- variable: deployments.restoreOperator
default: true
description: "Deploy the etcd restore operator, one time deployment, delete once completed"
label: Deploy the etcd Restore Operator
type: boolean
group: "etcd-operators"
# enable etcd cluster configs
- variable: customResources.createEtcdClusterCRD
default: false
description: "Create a new custom etcd cluster"
label: Create a New Custom Etcd Cluster
type: boolean
group: "Etcd Cluster"
show_subquestion_if: true
subquestions:
- variable: etcdCluster.size
default: "3"
description: "set etcd cluster size"
label: Etcd Cluster Size
type: enum
options:
- "3"
- "5"
- "7"
- "9"
- "11"
required: true
- variable: etcdCluster.version
default: "3.2.25"
description: "set etcd cluster version"
label: Etcd Cluster Version
type: string
required: true
- variable: etcdCluster.enableTLS
default: false
description: "Enable use of TLS"
label: Enable use of TLS
type: boolean
required: true
group: "Etcd Cluster"
show_if: "customResources.createEtcdClusterCRD=true"
- variable: etcdCluster.tls.static.member.peerSecret
default: ""
description: "Kubernetes secret containing TLS peer certs"
required: true
label: k8s Secret Name of TLS Peer Certs
type: secret
show_if: "customResources.createEtcdClusterCRD=true&&etcdCluster.enableTLS=true"
group: "Etcd Cluster"
- variable: etcdCluster.tls.static.member.serverSecret
default: ""
description: "Kubernetes secret containing TLS server certs"
required: true
label: k8s Secret Name of TLS Server Certs
type: secret
show_if: "customResources.createEtcdClusterCRD=true&&etcdCluster.enableTLS=true"
group: "Etcd Cluster"
- variable: etcdCluster.tls.static.operatorSecret
default: ""
description: "Kubernetes secret containing TLS client certs"
required: true
label: k8s Secret Name of TLS Client Certs
type: secret
show_if: "customResources.createEtcdClusterCRD=true&&etcdCluster.enableTLS=true"
group: "Etcd Cluster"
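Review bot: `etcdCluster.version` (default `3.2.25`) and `etcdCluster.image.tag` (default `v3.2.25`) are asked as two independent questions that describe the same etcd release and will drift apart as soon as a user edits one of them; derive one from the other or drop the tag question. The backup and restore operator questions describe themselves as "one time deployment, delete once completed" yet default to `true`, so a default install leaves two idle deployments running under the operator's cluster-wide service account; defaulting them to `false` matches the description. The TLS secret questions correctly use `type: secret` and `required: true`, but the text should say the secrets must already exist in the release namespace before the EtcdCluster is created.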
{{- $clusterEnabled := (and (not .Release.IsInstall) .Values.customResources.createEtcdClusterCRD) -}}
{{- if and .Release.IsInstall .Values.customResources.createEtcdClusterCRD -}}
Not enabling cluster, the ThirdPartResource must be installed before you can create a Cluster. Continuing rest of normal deployment.
{{ end -}}
{{- if $clusterEnabled -}}
1. Watch etcd cluster start
kubectl get pods -l etcd_cluster={{ .Values.etcdCluster.name }} --namespace {{ .Release.Namespace }} -w
2. Confirm etcd cluster is healthy
$ kubectl run --rm -i --tty --env="ETCDCTL_API=3" --env="ETCDCTL_ENDPOINTS=http://{{ .Values.etcdCluster.name }}-client:2379" --namespace {{ .Release.Namespace }} etcd-test --image quay.io/coreos/etcd --restart=Never -- /bin/sh -c 'watch -n1 "etcdctl member list"'
3. Interact with the cluster!
$ kubectl run --rm -i --tty --env ETCDCTL_API=3 --namespace {{ .Release.Namespace }} etcd-test --image quay.io/coreos/etcd --restart=Never -- /bin/sh
/ # etcdctl --endpoints http://{{ .Values.etcdCluster.name }}-client:2379 put foo bar
/ # etcdctl --endpoints http://{{ .Values.etcdCluster.name }}-client:2379 get foo
OK
(ctrl-D to exit)
4. Optional
Check the etcd-operator logs
export POD=$(kubectl get pods -l app={{ template "etcd-operator.fullname" . }} --namespace {{ .Release.Namespace }} --output name)
kubectl logs $POD --namespace={{ .Release.Namespace }}
{{- else -}}
1. etcd-operator deployed.
If you would like to deploy an etcd-cluster set cluster.enabled to true in values.yaml
Check the etcd-operator logs
export POD=$(kubectl get pods -l app={{ template "etcd-operator.fullname" . }} --namespace {{ .Release.Namespace }} --output name)
kubectl logs $POD --namespace={{ .Release.Namespace }}
{{- end -}}
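Review bot: the install-time branch at `{{- if and .Release.IsInstall .Values.customResources.createEtcdClusterCRD -}}` prints "Not enabling cluster, the ThirdPartResource must be installed before you can create a Cluster", but the chart installs its CRDs through a `crd-install` hook and the EtcdCluster template is not gated on `.Release.IsInstall`, so on a fresh install the cluster resource is created while the notes say it is not; either gate the EtcdCluster the same way or drop this message (and replace the stale "ThirdPartResource" wording with CRD). The `else` branch tells the user to "set cluster.enabled to true in values.yaml", but the value is `customResources.createEtcdClusterCRD`. Step 2 hard-codes `http://{{ .Values.etcdCluster.name }}-client:2379`, which fails once `etcdCluster.enableTLS` is true; switch the scheme on that value.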
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "etcd-operator.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "etcd-operator.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- printf "%s-%s-%s" .Release.Name $name .Values.etcdOperator.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- define "etcd-backup-operator.name" -}}
{{- default .Chart.Name .Values.backupOperator.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "etcd-backup-operator.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- printf "%s-%s-%s" .Release.Name $name .Values.backupOperator.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- define "etcd-restore-operator.name" -}}
{{- default .Chart.Name .Values.restoreOperator.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "etcd-restore-operator.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- printf "%s-%s-%s" .Release.Name $name .Values.restoreOperator.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create the name of the etcd-operator service account to use
*/}}
{{- define "etcd-operator.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "etcd-operator.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
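Review bot: the comment "Create a default fully qualified app name." is copy-pasted over three different `fullname` templates and `etcd-backup-operator.name` / `etcd-restore-operator.name` carry no comment at all; since the three `fullname` helpers differ only in the values key they read, one comment explaining the `release-chart-component` naming scheme would document all of them. `etcd-operator.serviceAccountName` falls back to `default` when `serviceAccount.create` is false and no name is given, which silently binds the ClusterRole to the namespace's default service account; consider `required` there instead.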
{{- if .Values.customResources.createBackupCRD }}
apiVersion: etcd.database.coreos.com/v1beta2
kind: EtcdBackup
metadata:
name: {{ template "etcd-backup-operator.fullname" . }}
labels:
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
app: {{ template "etcd-backup-operator.name" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
clusterName: {{ .Values.etcdCluster.name }}
{{ toYaml .Values.backupOperator.spec | indent 2 }}
{{- end}}
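Review bot: `{{ toYaml .Values.backupOperator.spec | indent 2 }}` renders whatever is in values.yaml, and the shipped defaults leave `s3Bucket` and `awsSecret` empty, so enabling `customResources.createBackupCRD` without overriding them produces an EtcdBackup with null fields that the backup operator cannot act on; wrap those two with `required` so the failure happens at `helm install` rather than in the operator logs. The note that the referenced `awsSecret` must exist in the release namespace belongs in the README as well.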
{{- if .Values.deployments.backupOperator }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "etcd-backup-operator.fullname" . }}
labels:
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
app: {{ template "etcd-backup-operator.name" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
selector:
matchLabels:
app: {{ template "etcd-backup-operator.fullname" . }}
release: {{ .Release.Name }}
replicas: {{ .Values.backupOperator.replicaCount }}
template:
metadata:
name: {{ template "etcd-backup-operator.fullname" . }}
labels:
app: {{ template "etcd-backup-operator.fullname" . }}
release: {{ .Release.Name }}
spec:
serviceAccountName: {{ template "etcd-operator.serviceAccountName" . }}
containers:
- name: {{ .Values.backupOperator.name }}
image: "{{ .Values.deployments.image.repository }}:{{ .Values.deployments.image.tag }}"
imagePullPolicy: {{ .Values.deployments.image.pullPolicy }}
command:
- etcd-backup-operator
{{- range $key, $value := .Values.backupOperator.commandArgs }}
- "--{{ $key }}={{ $value }}"
{{- end }}
env:
- name: MY_POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: MY_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
resources:
limits:
cpu: {{ .Values.backupOperator.resources.cpu }}
memory: {{ .Values.backupOperator.resources.memory }}
requests:
cpu: {{ .Values.backupOperator.resources.cpu }}
memory: {{ .Values.backupOperator.resources.memory }}
{{- if .Values.backupOperator.nodeSelector }}
nodeSelector: {{ toYaml .Values.backupOperator.nodeSelector | nindent 8 }}
{{- end }}
{{- if .Values.backupOperator.securityContext }}
securityContext: {{ toYaml .Values.backupOperator.securityContext | nindent 8 }}
{{- end }}
{{- if .Values.backupOperator.tolerations }}
tolerations: {{ toYaml .Values.backupOperator.tolerations | nindent 8 }}
{{- end }}
{{- end }}
{{- if .Values.enableCRDs -}}
{{- if not (.Capabilities.APIVersions.Has "etcd.database.coreos.com/v1beta2") }}
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: etcdclusters.etcd.database.coreos.com
annotations:
"helm.sh/resource-policy": keep
"helm.sh/hook": "crd-install"
spec:
conversion:
strategy: None
group: etcd.database.coreos.com
names:
kind: EtcdCluster
listKind: EtcdClusterList
plural: etcdclusters
shortNames:
- etcd
singular: etcdcluster
scope: Namespaced
version: v1beta2
versions:
- name: v1beta2
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: etcdbackups.etcd.database.coreos.com
spec:
conversion:
strategy: None
group: etcd.database.coreos.com
names:
kind: EtcdBackup
listKind: EtcdBackupList
plural: etcdbackups
singular: etcdbackup
scope: Namespaced
version: v1beta2
versions:
- name: v1beta2
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: etcdrestores.etcd.database.coreos.com
spec:
conversion:
strategy: None
group: etcd.database.coreos.com
names:
kind: EtcdRestore
listKind: EtcdRestoreList
plural: etcdrestores
singular: etcdrestore
scope: Namespaced
version: v1beta2
versions:
- name: v1beta2
served: true
storage: true
{{- end }}
{{- end -}}
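Review bot: the `helm.sh/hook: crd-install` and `helm.sh/resource-policy: keep` annotations are set only on `etcdclusters.etcd.database.coreos.com`; the `etcdbackups` and `etcdrestores` CRDs in the same file have no annotations, so they are applied as ordinary resources (after the hook, with no ordering guarantee relative to the EtcdBackup/EtcdRestore objects that depend on them) and are deleted on `helm delete`, taking every backup and restore object with them. Add the same `annotations:` block to all three documents. The outer `.Capabilities.APIVersions.Has "etcd.database.coreos.com/v1beta2"` guard also skips all three CRDs whenever the group already exists, so a cluster that has only the `etcdclusters` CRD from an older install never gets the other two.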
{{- if .Values.customResources.createEtcdClusterCRD }}
apiVersion: etcd.database.coreos.com/v1beta2
kind: EtcdCluster
metadata:
name: {{ .Values.etcdCluster.name }}
labels:
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
app: {{ template "etcd-operator.name" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
{{- if .Values.clusterwide.enabled }}
annotations:
"etcd.database.coreos.com/scope": "clusterwide"
{{- end }}
spec:
size: {{ .Values.etcdCluster.size }}
version: "{{ .Values.etcdCluster.version }}"
pod:
{{ toYaml .Values.etcdCluster.pod | indent 4 }}
{{- if .Values.etcdCluster.enableTLS }}
TLS:
{{ toYaml .Values.etcdCluster.tls | indent 4 }}
{{- end }}
{{- end }}
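Review bot: the EtcdCluster spec only sets `size`, `version`, `pod` and `TLS`; `etcdCluster.image.repository` and `etcdCluster.image.tag` from values.yaml and questions.yaml are never passed in, so the cluster runs the operator's built-in default image instead of `ranchercharts/coreos-etcd`, while the EtcdRestore template in this same commit does pass them. Add the repository field (check the v1beta2 field name against the CRD, since this chart's CRDs carry no validation schema) and use one source for the version. Capitalised `TLS:` is correct for this CRD, but a short comment saying so would stop the next reviewer from "fixing" it.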
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }}
kind: ClusterRole
metadata:
name: {{ template "etcd-operator.fullname" . }}
labels:
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
app: {{ template "etcd-operator.name" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups:
- etcd.database.coreos.com
resources:
- etcdclusters
- etcdbackups
- etcdrestores
verbs:
- "*"
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- "*"
- apiGroups:
- ""
resources:
- pods
- services
- endpoints
- persistentvolumeclaims
- events
verbs:
- "*"
- apiGroups:
- apps
resources:
- deployments
verbs:
- "*"
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
{{- end }}
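Review bot: this ClusterRole grants `"*"` on pods, services, endpoints, persistentvolumeclaims, events, deployments and customresourcedefinitions in every namespace regardless of `clusterwide.enabled`, and `get` on secrets cluster-wide, and the same service account is mounted into the backup and restore operator pods as well; a compromised backup pod therefore inherits full control of workloads across the cluster. When `clusterwide.enabled` is false, render a namespaced Role plus RoleBinding instead, and enumerate the verbs the operator actually uses rather than wildcarding them. The `secrets: get` rule is needed for the TLS and AWS secrets, but it should be called out in the README since it lets the operator read any secret in any namespace.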
{{- if and .Values.rbac.create .Values.deployments.etcdOperator }}
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/{{ required "A valid .Values.rbac.apiVersion entry required!" .Values.rbac.apiVersion }}
metadata:
name: {{ template "etcd-operator.fullname" . }}
labels:
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
app: {{ template "etcd-operator.name" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
subjects:
- kind: ServiceAccount
name: {{ template "etcd-operator.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "etcd-operator.fullname" . }}
{{- end }}
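Review bot: `required "A valid .Values.rbac.apiVersion entry required!"` is applied to the apiVersion here but not on the ClusterRole in the previous template, so an empty `rbac.apiVersion` renders an invalid ClusterRole before this binding ever fails; apply `required` in both places or validate once in a helper. The binding is also gated on `.Values.deployments.etcdOperator` while the backup and restore Deployments are not, so with `etcdOperator: false` they reference a service account that has no binding (and, per the ServiceAccount template, does not exist).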
{{- if .Values.deployments.etcdOperator }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "etcd-operator.fullname" . }}
labels:
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
app: {{ template "etcd-operator.name" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
selector:
matchLabels:
app: {{ template "etcd-operator.fullname" . }}
release: {{ .Release.Name }}
replicas: {{ .Values.etcdOperator.replicaCount }}
template:
metadata:
name: {{ template "etcd-operator.fullname" . }}
labels:
app: {{ template "etcd-operator.fullname" . }}
release: {{ .Release.Name }}
annotations: {{ toYaml .Values.etcdOperator.podAnnotations | nindent 8}}
spec:
serviceAccountName: {{ template "etcd-operator.serviceAccountName" . }}
containers:
- name: {{ template "etcd-operator.fullname" . }}
image: "{{ .Values.deployments.image.repository }}:{{ .Values.deployments.image.tag }}"
imagePullPolicy: {{ .Values.deployments.image.pullPolicy }}
command:
- etcd-operator
{{- if .Values.clusterwide.enabled }}
- "--cluster-wide=true"
{{- end }}
{{- range $key, $value := .Values.etcdOperator.commandArgs }}
- "--{{ $key }}={{ $value }}"
{{- end }}
env:
- name: MY_POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: MY_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
resources:
limits:
cpu: {{ .Values.etcdOperator.resources.cpu }}
memory: {{ .Values.etcdOperator.resources.memory }}
requests:
cpu: {{ .Values.etcdOperator.resources.cpu }}
memory: {{ .Values.etcdOperator.resources.memory }}
{{- if .Values.etcdOperator.livenessProbe.enabled }}
livenessProbe:
httpGet:
path: /readyz
port: 8080
initialDelaySeconds: {{ .Values.etcdOperator.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.etcdOperator.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.etcdOperator.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.etcdOperator.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.etcdOperator.livenessProbe.failureThreshold }}
{{- end}}
{{- if .Values.etcdOperator.readinessProbe.enabled }}
readinessProbe:
httpGet:
path: /readyz
port: 8080
initialDelaySeconds: {{ .Values.etcdOperator.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.etcdOperator.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.etcdOperator.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.etcdOperator.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.etcdOperator.readinessProbe.failureThreshold }}
{{- end }}
{{- if .Values.etcdOperator.nodeSelector }}
nodeSelector: {{ toYaml .Values.etcdOperator.nodeSelector | nindent 8 }}
{{- end }}
{{- if .Values.etcdOperator.securityContext }}
securityContext: {{ toYaml .Values.etcdOperator.securityContext | nindent 8 }}
{{- end }}
{{- if .Values.etcdOperator.tolerations }}
tolerations: {{ toYaml .Values.etcdOperator.tolerations | nindent 8 }}
{{- end }}
{{- end }}
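Review bot: the `livenessProbe` points at `/readyz`, the same path as the readiness probe; a liveness check on a readiness endpoint restarts the operator whenever it is merely not ready, which is the opposite of what the two probes are for. Use a distinct liveness path (or keep liveness disabled, as the values file does by default) and document the difference. `annotations: {{ toYaml .Values.etcdOperator.podAnnotations | nindent 8}}` references a key that values.yaml does not define for `etcdOperator`, so it renders `null`; add `podAnnotations: {}` to the defaults. The pod also runs without any `securityContext` unless the user supplies one, while the backup and restore sections at least ship an empty placeholder.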
{{- if and .Values.serviceAccount.create .Values.deployments.etcdOperator }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "etcd-operator.serviceAccountName" . }}
labels:
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
app: {{ template "etcd-operator.name" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 2 }}
{{- end }}
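Review bot: the ServiceAccount is created only when `.Values.deployments.etcdOperator` is true, but the backup and restore Deployments set `serviceAccountName: {{ template "etcd-operator.serviceAccountName" . }}` unconditionally, so `etcdOperator: false` with either of them enabled yields pods that never schedule because the account is missing; gate on `or` of the three deployment flags. `imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 2 }}` renders an empty list correctly with the default `[]`, but the commented `# - name: "image-pull-secret"` hint in values.yaml should state that the secret must live in the release namespace.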
{{- if .Values.customResources.createRestoreCRD }}
apiVersion: etcd.database.coreos.com/v1beta2
kind: EtcdRestore
metadata:
# An EtcdCluster with the same name will be created
name: {{ .Values.etcdCluster.name }}
labels:
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
app: {{ template "etcd-restore-operator.name" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
clusterSpec:
size: {{ .Values.etcdCluster.size }}
baseImage: "{{ .Values.etcdCluster.image.repository }}"
version: {{ .Values.etcdCluster.image.tag }}
pod:
{{ toYaml .Values.etcdCluster.pod | indent 6 }}
{{- if .Values.etcdCluster.enableTLS }}
TLS:
{{ toYaml .Values.etcdCluster.tls | indent 6 }}
{{- end }}
{{ toYaml .Values.restoreOperator.spec | indent 2 }}
{{- end }}
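Review bot: `version: {{ .Values.etcdCluster.image.tag }}` renders `v3.2.25` with the shipped defaults while the EtcdCluster template renders `version: "3.2.25"` from `etcdCluster.version`, so a cluster restored by this object does not run the same version string as the original, and the leading `v` needs checking against how the operator composes the image tag from `version`. Use the same value in both templates. As with the EtcdBackup object, `restoreOperator.spec.s3.path` and `awsSecret` default to null; `required` on both turns a silent broken restore into an install-time error, which matters more here since a restore is usually run under pressure.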
{{- if .Values.deployments.restoreOperator }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "etcd-restore-operator.fullname" . }}
labels:
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
app: {{ template "etcd-restore-operator.name" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
selector:
matchLabels:
app: {{ template "etcd-restore-operator.name" . }}
release: {{ .Release.Name }}
replicas: {{ .Values.restoreOperator.replicaCount }}
template:
metadata:
name: {{ template "etcd-restore-operator.fullname" . }}
labels:
app: {{ template "etcd-restore-operator.name" . }}
release: {{ .Release.Name }}
spec:
serviceAccountName: {{ template "etcd-operator.serviceAccountName" . }}
containers:
- name: {{ .Values.restoreOperator.name }}
image: "{{ .Values.deployments.image.repository }}:{{ .Values.deployments.image.tag }}"
imagePullPolicy: {{ .Values.deployments.image.pullPolicy }}
ports:
- containerPort: {{ .Values.restoreOperator.port }}
command:
- etcd-restore-operator
{{- range $key, $value := .Values.restoreOperator.commandArgs }}
- "--{{ $key }}={{ $value }}"
{{- end }}
env:
- name: MY_POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: MY_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: SERVICE_ADDR
value: "{{ .Values.restoreOperator.name }}:{{ .Values.restoreOperator.port }}"
resources:
limits:
cpu: {{ .Values.restoreOperator.resources.cpu }}
memory: {{ .Values.restoreOperator.resources.memory }}
requests:
cpu: {{ .Values.restoreOperator.resources.cpu }}
memory: {{ .Values.restoreOperator.resources.memory }}
{{- if .Values.restoreOperator.nodeSelector }}
nodeSelector: {{ toYaml .Values.restoreOperator.nodeSelector | nindent 8 }}
{{- end }}
{{- if .Values.restoreOperator.securityContext }}
securityContext: {{ toYaml .Values.restoreOperator.securityContext | nindent 8 }}
{{- end }}
{{- if .Values.restoreOperator.tolerations }}
tolerations: {{ toYaml .Values.restoreOperator.tolerations | nindent 8 }}
{{- end }}
{{- end }}
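Review bot: `matchLabels` here use `app: {{ template "etcd-restore-operator.name" . }}` whereas the etcd-operator and backup Deployments select on their `fullname` templates; the `release:` label keeps the selector unique per release, but the three Deployments should use the same convention so that label-based policies and monitors can be written once. `SERVICE_ADDR` is built from the bare `restoreOperator.name`, which only resolves inside the release namespace, matching the Service that follows; a comment saying the restore endpoint is intentionally cluster-internal would make the intent clear.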
{{- if .Values.deployments.restoreOperator }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ .Values.restoreOperator.name }}
labels:
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
app: {{ template "etcd-restore-operator.name" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
ports:
- protocol: TCP
name: http-etcd-restore-port
port: {{ .Values.restoreOperator.port }}
selector:
app: {{ template "etcd-restore-operator.name" . }}
release: {{ .Release.Name }}
{{- end }}
# Default values for etcd-operator.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
global:
## Reference to one or more secrets to be used when pulling images
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
imagePullSecrets: []
# - name: "image-pull-secret"
## Install Default RBAC roles and bindings
rbac:
create: true
apiVersion: v1
enableCRDs: true
## Service account name and whether to create it
serviceAccount:
create: true
name:
# Enabled to act for resources in all namespaces. More information in doc/clusterwide.md
clusterwide:
enabled: false
# Select what to deploy
deployments:
etcdOperator: true
# one time deployment, delete once completed,
# Ref: https://github.com/coreos/etcd-operator/blob/master/doc/user/walkthrough/backup-operator.md
backupOperator: true
# one time deployment, delete once completed
# Ref: https://github.com/coreos/etcd-operator/blob/master/doc/user/walkthrough/restore-operator.md
restoreOperator: true
image:
repository: ranchercharts/coreos-etcd-operator
tag: v0.9.4
pullPolicy: Always
# creates custom resources, not all required,
# you could use `helm template --values <values.yaml> --name release_name ... `
# and create the resources yourself to deploy on your cluster later
customResources:
createEtcdClusterCRD: false
createBackupCRD: false
createRestoreCRD: false
# etcdOperator
etcdOperator:
name: etcd-operator
replicaCount: 1
resources:
cpu: 100m
memory: 128Mi
## Node labels for etcd-operator pod assignment
## Ref: https://kubernetes.io/docs/user-guide/node-selection/
nodeSelector: {}
## additional command arguments go here; will be translated to `--key=value` form
## e.g., analytics: true
commandArgs: {}
## Configurable health checks against the /readyz endpoint that etcd-operator exposes
readinessProbe:
enabled: false
initialDelaySeconds: 0
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
livenessProbe:
enabled: false
initialDelaySeconds: 0
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
# backup spec
backupOperator:
name: etcd-backup-operator
replicaCount: 1
resources:
cpu: 100m
memory: 128Mi
spec:
storageType: S3
s3:
s3Bucket:
awsSecret:
## Node labels for etcd pod assignment
## Ref: https://kubernetes.io/docs/user-guide/node-selection/
nodeSelector: {}
## additional command arguments go here; will be translated to `--key=value` form
## e.g., analytics: true
commandArgs: {}
securityContext: {}
tolerations: {}
# restore spec
restoreOperator:
name: etcd-restore-operator
replicaCount: 1
port: 19999
resources:
cpu: 100m
memory: 128Mi
spec:
s3:
# The format of "path" must be: "<s3-bucket-name>/<path-to-backup-file>"
# e.g: "etcd-snapshot-bucket/v1/default/example-etcd-cluster/3.2.10_0000000000000001_etcd.backup"
path:
awsSecret:
## Node labels for etcd pod assignment
## Ref: https://kubernetes.io/docs/user-guide/node-selection/
nodeSelector: {}
## additional command arguments go here; will be translated to `--key=value` form
## e.g., analytics: true
commandArgs: {}
securityContext: {}
tolerations: {}
## etcd-cluster specific values
etcdCluster:
name: etcd-cluster
size: 3
version: 3.2.25
image:
repository: ranchercharts/coreos-etcd
tag: v3.2.25
pullPolicy: Always
enableTLS: false
# TLS configs
tls:
static:
member:
peerSecret: etcd-peer-tls
serverSecret: etcd-server-tls
operatorSecret: etcd-client-tls
## etcd cluster pod specific values
## Ref: https://github.com/coreos/etcd-operator/blob/master/doc/user/spec_examples.md#three-members-cluster-with-resource-requirement
pod:
## Antiaffinity for etcd pod assignment
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
antiAffinity: false
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi
## Node labels for etcd pod assignment
## Ref: https://kubernetes.io/docs/user-guide/node-selection/
nodeSelector: {}
securityContext: {}
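Review bot: `etcdCluster.enableTLS` defaults to false and `etcdCluster.pod.securityContext` to `{}`; the block is inert while `customResources.createEtcdClusterCRD` stays false, but anyone who flips it gets an etcd cluster with plaintext peer and client traffic and no client-certificate authentication, so either default TLS on or put the consequence in a comment next to the flag. `backupOperator` and `restoreOperator` are both deployed by default with empty `s3Bucket`, `awsSecret` and `path`, while the comments call them one-time deployments to delete once completed; defaulting them to false would match the comment. Two smaller things: `image.pullPolicy: Always` on a tag pinned to `v0.9.4` re-pulls on every restart and turns a registry outage into a scheduling failure, `IfNotPresent` is the usual choice for pinned tags; and `tolerations: {}` under `backupOperator` and `restoreOperator` should be `[]`, since tolerations is a list.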
categories: categories:
- security - security
labels:
io.rancher.certified: operator
io.cattle.role: project
questions: questions:
- variable: defaultImage - variable: defaultImage
default: "true" default: true
description: "Use default Docker image" description: "Use default Docker image"
label: Use Default Image label: Use Default Image
type: boolean type: boolean
show_subquestion_if: false show_subquestion_if: false
group: "Container Images" group: "Container Images"
subquestions: subquestions:
- variable: vaultOperator.image.repository - variable: image.repository
default: "quay.io/coreos/vault-operator" default: "ranchercharts/vault-operator"
description: "Vault image name" description: "Vault operator image name"
type: string type: string
label: Vault Operator Image Name label: Vault Operator Image Name
- variable: vaultOperator.image.tag - variable: image.tag
default: "latest" default: "0.1.9"
description: "Values operator image tag" description: "Values operator image tag"
type: string type: string
label: Vault Operator Image Tag label: Vault Operator Image Tag
- variable: ui.image.repository - variable: vault.baseImage
default: "djenriquez/vault-ui" default: "ranchercharts/vault"
description: "Vault image name" description: "Vault base image name"
type: string type: string
label: Vault UI Image Name label: Vault Base Image Name
- variable: ui.image.tag - variable: vault.version
default: "latest" default: "1.2.2"
description: "Values UI image tag" description: "Values version"
type: string type: string
label: Vault UI Image Tag label: Vault Base Image Version
- variable: etcd.image.repository - variable: etcd-operator.image.repository
default: "quay.io/coreos/etcd-operator" default: "ranchercharts/coreos-etcd-operator"
description: "etcd image name" description: "etcd image name"
type: string type: string
label: etcd Image Name label: etcd Image Name
- variable: etcd.image.tag - variable: etcd.image.tag
default: "v0.8.3" default: "v0.9.4"
description: "etcd image tag" description: "etcd image tag"
type: string type: string
label: etcd Image Tag label: etcd Image Tag
- variable: ui.ingress.enabled # config vault service
- variable: vault.create
default: true default: true
description: "Expose Vault-UI using Layer 7 Load Balancer - ingress" description: "Create a custom vault service"
label: Create a New Custom Vault Service
type: boolean type: boolean
group: "Vault UI" group: "Vault Service"
label: Expose Vault-UI using Layer 7 Load Balancer
show_subquestion_if: true show_subquestion_if: true
required: true
subquestions: subquestions:
- variable: ui.ingress.hosts[0] - variable: vault.name
default: "xip.io" default: "my-vault"
description: "Vault-UI server ingress hostname" label: Vault Service Name
type: hostname description: "Set the name of custom vault service"
type: string
required: true required: true
label: Hostname - variable: vault.node
- variable: ui.service.type default: 3
default: "NodePort" label: Vault Service Nodes
description: "Server service type" description: "Set the number of vault nodes"
group: "Vault UI" min: 1
type: enum
show_if: "ui.ingress.enabled=false"
options:
- "ClusterIP"
- "NodePort"
required: true
label: Vault UI Service Type
show_subquestion_if: "NodePort"
subquestions:
- variable: ui.service.nodePort
default: ""
description: "NodePort http port(to set explicitly, choose port between 30000-32767)"
type: int type: int
min: 30000 required: true
max: 32767 - variable: vault.version
show_if: "ui.ingress.enabled=false" default: "1.2.2"
label: Vault UI NodePort Http Port label: Set Vault Version
description: "Set the version of custom vault service"
type: enum
required: true
options:
- "1.2.1"
- "1.2.2"
# etcd-operator configs
- variable: etcd-operator.deployments.backupOperator
default: true
description: "Deploy the etcd backup operator, one time deployment, delete once completed"
label: Deploy the etcd Backup Operator
type: boolean
group: "etcd-operators"
- variable: etcd-operator.deployments.restoreOperator
default: true
description: "Deploy the etcd restore operator, one time deployment, delete once completed"
label: Deploy the etcd Restore Operator
type: boolean
group: "etcd-operators"
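Review bot: the two etcd image questions now write to different value trees: the repository question targets `etcd-operator.image.repository` but the tag question still targets `etcd.image.tag`, and the new values.yaml has no top-level `etcd` key, so a tag entered in the catalog UI is silently dropped and `etcd-operator.image.tag` (`v0.9.4`) is always used; change it to `etcd-operator.image.tag`. Minor wording in the same hunk: "Values operator image tag" and "Values version" should read "Vault", and "etcd image name" describes the etcd-operator image, not etcd.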
dependencies:
- name: etcd-operator
version: 0.9.0
condition: etcd-operator.enabled
repository: file://./charts/etcd-operator
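Review bot: the dependency is vendored from `file://./charts/etcd-operator` and pinned to 0.9.0 rather than fetched from a repository, which is good for reproducibility, but the README should record which upstream etcd-operator chart revision the copy was taken from so that future bumps can be diffed against upstream instead of re-audited from scratch.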
## Configure port forwarding between the local machine and the first sealed Vault node: # Vault Operator
1. kubectl -n {{ .Release.Namespace }} get vault {{ .Release.Name }} -o jsonpath='{.status.vaultStatus.sealed[0]}' | xargs -0 -I {} kubectl -n {{ .Release.Namespace }} port-forward {} 8200 [vault-operator](https://github.com/coreos/vault-operator) Simplify vault cluster configuration and management.
2. Open a new terminal. __DISCLAIMER:__ While this chart has been well-tested, the vault-operator is still currently in beta. Current project status is available [here](https://github.com/coreos/vault-operator).
3. Export the following environment for Vault CLI environment: ### Using the Vault cluster
```
export VAULT_ADDR='https://127.0.0.1:8200'
export VAULT_SKIP_VERIFY="true"
```
4. Verify that the Vault server is accessible using the Vault CLI: See the [Vault usage guide](https://github.com/coreos/vault-operator/blob/master/doc/user/vault.md) on how to initialize, unseal, and use the deployed Vault cluster.
```
$vault status
Error checking seal status: Error making API request. Consult the [monitoring guide](https://github.com/coreos/vault-operator/blob/master/doc/user/monitoring.md) on how to monitor and alert on a Vault cluster with Prometheus.
URL: GET https://127.0.0.1:8200/v1/sys/seal-status See the [recovery guide](https://github.com/coreos/vault-operator/blob/master/doc/user/recovery.md) on how to backup and restore Vault cluster data using the etcd opeartor
Code: 400. Errors:
* server is not yet initialized For an overview of the default TLS configuration or how to specify custom TLS assets for a Vault cluster see the [TLS setup guide](https://github.com/coreos/vault-operator/blob/master/doc/user/tls_setup.md).
```
5.Initialize the Vault server to generate the unseal keys and the root token. (https://www.vaultproject.io/intro/getting-started/deploy.html#initializing-the-vault)
$vault operator init
## Unsealing a sealed node
https://www.vaultproject.io/intro/getting-started/deploy.html#seal-unseal
```
$ vault operator unseal
Unseal Key (will be hidden):
Key Value
--- -----
Sealed true
Total Shares 5
Unseal Progress 1/3
Unseal Nonce 786e7190-d1e2-84d2-520c-022efee5b71e
Version (version unknown)
HA Enabled true
HA Mode sealed
```
Continue with vault unseal to complete unsealing the Vault, normally 3 keys out of 5 unseal keys.
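Review bot: typo in the recovery line, "etcd opeartor" should read "etcd operator". Replacing the step-by-step init/unseal walkthrough with links to the upstream guides is fine, but the old notes also told the user how to reach Vault at all (port-forward to the first sealed pod) and the new text does not; a one-liner pointing at the `<vault.name>-access-ui` Service the chart now creates, and stating that `vault operator init` and `unseal` are still required after install, would keep NOTES.txt actionable. The removed `VAULT_SKIP_VERIFY="true"` hint is better served by the TLS setup link than copied over, so no objection to dropping it.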
...@@ -12,8 +12,19 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this ...@@ -12,8 +12,19 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
*/}} */}}
{{- define "vault-operator.fullname" -}} {{- define "vault-operator.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}} {{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}} {{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "vault-operator.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/* {{/*
Define vault operator service account name Define vault operator service account name
......
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Values.vault.name }}
labels:
app: {{ template "vault-operator.name" . }}
chart: {{ template "vault-operator.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
data:
vault.hcl: |-
ui = true
disable_mlock = true
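Review bot: `disable_mlock = true` is hard-coded with no values toggle and no comment. Vault's documentation recommends leaving mlock enabled in production so that the barrier keys and secrets held in memory cannot be paged out to swap; turning it off is a security trade-off, not a tuning default. Either expose it as a value with a comment that enabling mlock requires the Vault pods to hold the `IPC_LOCK` capability, or at minimum document in this file why it is off. Note also that the ConfigMap reuses `.Values.vault.name`, the same name as the VaultService object, so that value must stay unique per namespace for both kinds.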
apiVersion: apps/v1beta1
kind: Deployment
metadata:
name: {{ .Release.Name }}-etcd-operator
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "vault-operator.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
name: etcd-operator
spec:
replicas: 1
template:
metadata:
labels:
app: {{ template "vault-operator.name" . }}
release: {{ .Release.Name }}
name: etcd-operator
spec:
serviceAccountName: {{ template "vault-operator.sa" . }}
containers:
- name: etcd-operator
image: "{{ .Values.etcd.image.repository }}:{{ .Values.etcd.image.tag }}"
imagePullPolicy: {{ .Values.imagePullPolicy }}
command:
- etcd-operator
- "--create-crd=false"
env:
- name: MY_POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: MY_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
resources:
{{ toYaml .Values.resources | indent 12 }}
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: etcdclusters.etcd.database.coreos.com
annotations:
"helm.sh/hook": "crd-install"
"helm.sh/hook-delete-policy": "before-hook-creation"
spec:
group: etcd.database.coreos.com
names:
kind: EtcdCluster
listKind: EtcdClusterList
plural: etcdclusters
shortNames:
- etcd
singular: etcdcluster
scope: Namespaced
version: v1beta2
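Review bot: with the in-chart etcd-operator Deployment removed (it ran with `--create-crd=false` and relied on a crd-install template for `etcdclusters.etcd.database.coreos.com`), which component creates that CRD now? If the subchart's etcd-operator is expected to create it at start-up, its ServiceAccount needs `create` on `customresourcedefinitions` in the subchart RBAC, which is not part of this diff. If a crd-install template with `helm.sh/hook-delete-policy: before-hook-creation` is what remains, that policy is unsafe for a CRD: the next install that runs the hook deletes the existing definition first, and deleting a CRD removes every EtcdCluster object in the cluster with it. The `resource-policy: keep` plus `Capabilities.APIVersions.Has` pattern used for the vaultservices CRD in this same commit is the one to apply here as well.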
...@@ -3,6 +3,11 @@ kind: Role ...@@ -3,6 +3,11 @@ kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1 apiVersion: rbac.authorization.k8s.io/v1beta1
metadata: metadata:
name: {{ template "vault-operator.role" . }} name: {{ template "vault-operator.role" . }}
labels:
app: {{ template "vault-operator.name" . }}
chart: {{ template "vault-operator.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
rules: rules:
- apiGroups: - apiGroups:
- etcd.database.coreos.com - etcd.database.coreos.com
...@@ -49,6 +54,11 @@ kind: RoleBinding ...@@ -49,6 +54,11 @@ kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1 apiVersion: rbac.authorization.k8s.io/v1beta1
metadata: metadata:
name: {{ template "vault-operator.rolebinding" . }} name: {{ template "vault-operator.rolebinding" . }}
labels:
app: {{ template "vault-operator.name" . }}
chart: {{ template "vault-operator.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: {{ template "vault-operator.sa" . }} name: {{ template "vault-operator.sa" . }}
......
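Review bot: Role and RoleBinding stay on `rbac.authorization.k8s.io/v1beta1` while the Deployment in this same commit moves to `apps/v1`; rbac v1 has been GA since Kubernetes 1.8 and the beta version is on its way out, so bump the apiVersion here in the same pass (the rules are unchanged). The added labels are consistent with the rest of the chart.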
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: {{ template "vault.ui.fullname" . }} name: {{ .Values.vault.name }}-access-ui
labels: labels:
app: {{ template "vault-operator.name" . }} app: {{ template "vault-operator.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} chart: {{ template "vault-operator.chart" . }}
release: {{ .Release.Name }} release: {{ .Release.Name }}
heritage: {{ .Release.Service }} heritage: {{ .Release.Service }}
spec: spec:
type: {{ .Values.ui.service.type }} type: {{ .Values.service.type }}
ports: ports:
- port: {{ .Values.ui.service.externalPort }} - name: https
targetPort: {{ .Values.ui.service.internalPort }} port: {{ .Values.service.port }}
targetPort: {{ .Values.service.port }}
protocol: TCP protocol: TCP
name: {{ .Values.ui.service.name }} {{- if and .Values.service.nodePort (eq .Values.service.type "NodePort") }}
{{- if .Values.ui.service.nodePort }} nodePort: {{ .Values.service.nodePort }}
nodePort: {{ .Values.ui.service.nodePort }}
{{- end }} {{- end }}
selector: selector:
app: {{ template "vault-operator.name" . }} app: vault
release: {{ .Release.Name }} vault_cluster: {{ .Values.vault.name }}
component: {{ .Values.ui.name }}
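Review bot: the Service is named `<vault.name>-access-ui` but it fronts the entire Vault API on 8200 (port name `https`), not only the web UI, and with `service.type: NodePort` as the chart default it is reachable on every node's IP from outside the cluster. Default to ClusterIP and let users opt into NodePort, or at least name the Service for what it exposes. Gating `nodePort` on `type == NodePort` is a good fix: the previous template emitted `nodePort` for ClusterIP services too, which the API server rejects with "may not be used when `type` is 'ClusterIP'".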
...@@ -5,7 +5,7 @@ metadata: ...@@ -5,7 +5,7 @@ metadata:
name: {{ template "vault-operator.sa" . }} name: {{ template "vault-operator.sa" . }}
labels: labels:
app: {{ template "vault-operator.name" . }} app: {{ template "vault-operator.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} chart: {{ template "vault-operator.chart" . }}
release: {{ .Release.Name }} release: {{ .Release.Name }}
heritage: {{ .Release.Service }} heritage: {{ .Release.Service }}
{{- end }} {{- end }}
{{- if .Values.ui.ingress.enabled -}}
{{- $serviceName := include "vault.ui.fullname" . -}}
{{- $servicePort := .Values.ui.service.externalPort -}}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: {{ template "vault.ui.fullname" . }}
labels:
app: {{ template "vault-operator.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
annotations:
{{- range $key, $value := .Values.ui.ingress.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
rules:
{{- range $host := .Values.ui.ingress.hosts }}
- host: {{ $host }}
http:
paths:
- path:
backend:
serviceName: {{ $serviceName }}
servicePort: {{ $servicePort }}
{{- end -}}
{{- if .Values.ui.ingress.tls }}
tls:
{{ toYaml .Values.ui.ingress.tls | indent 4 }}
{{- end -}}
{{- end -}}
{{- if and .Values.enableCRDs .Release.IsInstall -}}
{{- if not (.Capabilities.APIVersions.Has "vault.security.coreos.com/v1alpha1") }}
apiVersion: apiextensions.k8s.io/v1beta1 apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
name: vaultservices.vault.security.coreos.com name: vaultservices.vault.security.coreos.com
annotations: annotations:
"helm.sh/hook": "crd-install" "helm.sh/hook": "crd-install"
"helm.sh/hook-delete-policy": "before-hook-creation" "helm.sh/resource-policy": keep
labels:
app: {{ template "vault-operator.name" . }}
chart: {{ template "vault-operator.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec: spec:
group: vault.security.coreos.com group: vault.security.coreos.com
names: names:
...@@ -16,3 +23,5 @@ spec: ...@@ -16,3 +23,5 @@ spec:
singular: vaultservice singular: vaultservice
scope: Namespaced scope: Namespaced
version: v1alpha1 version: v1alpha1
{{- end }}
{{- end -}}
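Review bot: the `.Release.IsInstall` guard means this template is never rendered on `helm upgrade`, so a future chart version that changes the vaultservices CRD (new spec fields, a new served version) silently keeps the old definition; document that CRD updates must be applied by hand, or drop the IsInstall condition and rely on the `Capabilities.APIVersions.Has` check alone. Switching from `hook-delete-policy: before-hook-creation` to `resource-policy: keep` is the right call: deleting a CRD cascades to every VaultService object in the cluster, so the old policy could have torn down existing Vault clusters on a reinstall.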
apiVersion: apps/v1beta1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: {{ template "vault-operator.fullname" . }} name: {{ template "vault-operator.fullname" . }}
labels: labels:
app: {{ template "vault-operator.name" . }} app: {{ template "vault-operator.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} chart: {{ template "vault-operator.chart" . }}
release: {{ .Release.Name }} release: {{ .Release.Name }}
heritage: {{ .Release.Service }} heritage: {{ .Release.Service }}
spec: spec:
replicas: {{ .Values.replicaCount }} replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: {{ template "vault-operator.name" . }}
release: {{ .Release.Name }}
name: vault-operator
template: template:
metadata: metadata:
labels: labels:
...@@ -18,21 +23,56 @@ spec: ...@@ -18,21 +23,56 @@ spec:
spec: spec:
serviceAccountName: {{ template "vault-operator.sa" . }} serviceAccountName: {{ template "vault-operator.sa" . }}
containers: containers:
- name: {{ .Chart.Name }} - name: {{ .Chart.Name }}
image: "{{ .Values.vaultOperator.image.repository }}:{{ .Values.vaultOperator.image.tag }}" image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.imagePullPolicy }} imagePullPolicy: {{ .Values.image.pullPolicy }}
env: command:
- name: MY_POD_NAMESPACE - vault-operator
valueFrom: {{- range $key, $value := .Values.commandArgs }}
fieldRef: - "--{{ $key }}={{ $value }}"
fieldPath: metadata.namespace {{- end }}
- name: MY_POD_NAME env:
valueFrom: - name: MY_POD_NAMESPACE
fieldRef: valueFrom:
fieldPath: metadata.name fieldRef:
resources: fieldPath: metadata.namespace
{{ toYaml .Values.vaultOperator.resources | indent 12 }} - name: MY_POD_NAME
{{- if .Values.vaultOperator.nodeSelector }} valueFrom:
fieldRef:
fieldPath: metadata.name
{{- if .Values.livenessProbe.enabled }}
livenessProbe:
httpGet:
path: /readyz
port: 8080
initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
{{- end}}
{{- if .Values.readinessProbe.enabled }}
readinessProbe:
httpGet:
path: /readyz
port: 8080
initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
{{- end }}
resources:
{{ toYaml .Values.resources | indent 12 }}
{{- with .Values.nodeSelector }}
nodeSelector: nodeSelector:
{{ toYaml .Values.vaultOperator.nodeSelector | indent 8 }} {{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }} {{- end }}
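Review bot: `spec.selector.matchLabels` now includes `name: vault-operator`; apps/v1 requires the pod template labels to match the selector, and the template labels sit in the collapsed lines not shown here, so double-check they carry `name: vault-operator` or the Deployment is rejected at install. Also: `command: [vault-operator]` overrides the image entrypoint, fine for `ranchercharts/vault-operator` but worth a comment since `image.repository` is user-settable; the liveness and readiness probes hit `/readyz` on 8080 but are disabled by default in values.yaml, so enable readiness once the image is confirmed to serve that path; and the pod still runs with no `securityContext` (no `runAsNonRoot`, no read-only root filesystem), which the etcd-operator subchart does expose as a value for its backup and restore operators.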
{{- if .Values.vault.create }}
apiVersion: vault.security.coreos.com/v1alpha1 apiVersion: vault.security.coreos.com/v1alpha1
kind: VaultService kind: VaultService
metadata: metadata:
name: {{ .Release.Name }} name: {{ .Values.vault.name }}
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
spec: spec:
nodes: {{ .Values.vault.node }} nodes: {{ .Values.vault.node }}
version: {{ .Values.vault.version }} version: {{ .Values.vault.version }}
baseImage: {{ .Values.vault.baseImage }}
configMapName: {{ .Values.vault.name }}
{{- if .Values.vault.etcdCluster }}
etcdCluster:
{{ toYaml .Values.vault.etcdCluster | nindent 4 }}
{{- end }}
{{- end }}
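Review bot: is `etcdCluster` under `VaultService.spec` accepted by the upstream `vault.security.coreos.com/v1alpha1` schema, or only by the fork referenced in values.yaml (the guangbochen/vault-operator commit)? If it is fork-specific, say so in a comment next to `vault.etcdCluster` in values.yaml, because a user who points `image.repository` back at `quay.io/coreos/vault-operator` will get a VaultService whose `etcdCluster` block the operator ignores. The `{{ toYaml ... | nindent 4 }}` rendering is fine; just note that `nindent` needs Helm 2.9 or later, which the chart should state as its minimum.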
apiVersion: apps/v1beta1
kind: Deployment
metadata:
name: {{ template "vault.ui.fullname" . }}
labels:
app: {{ template "vault-operator.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
component: {{ .Values.ui.name }}
spec:
replicas: {{ .Values.ui.replicaCount }}
template:
metadata:
labels:
app: {{ template "vault-operator.name" . }}
release: {{ .Release.Name }}
component: {{ .Values.ui.name }}
spec:
containers:
- name: {{ .Values.ui.name }}
image: "{{ .Values.ui.image.repository }}:{{ .Values.ui.image.tag }}"
imagePullPolicy: {{ .Values.imagePullPolicy }}
env:
- name: VAULT_URL_DEFAULT
{{- if .Values.ui.vault.url }}
value: {{ .Values.ui.vault.url }}
{{ else }}
value: {{ template "vault.service.url" . }}
{{- end }}
- name: VAULT_AUTH_DEFAULT
value: {{ .Values.ui.vault.auth }}
- name: NODE_TLS_REJECT_UNAUTHORIZED
value: '0'
ports:
- containerPort: {{ .Values.ui.service.internalPort }}
livenessProbe:
httpGet:
path: /
port: {{ .Values.ui.service.internalPort }}
readinessProbe:
httpGet:
path: /
port: {{ .Values.ui.service.internalPort }}
resources:
{{ toYaml .Values.ui.resources | indent 12 }}
{{- if .Values.ui.nodeSelector }}
nodeSelector:
{{ toYaml .Values.ui.nodeSelector | indent 8 }}
{{- end }}
# Default values for vault-operator. ## Default values for the image
# This is a YAML-formatted file. name: vault-operator
# Declare variables to be passed into your templates. replicaCount: 1
image:
# repository: quay.io/coreos/vault-operator
# https://github.com/guangbochen/vault-operator/commit/59c51300f6692bdd2e6957c7837da288596b7d56:
repository: ranchercharts/vault-operator
tag: 0.1.9
pullPolicy: IfNotPresent
## Install Default RBAC roles and bindings
rbac: rbac:
create: true create: true
## Service account names and whether to create them
serviceAccount: serviceAccount:
create: true create: true
imagePullPolicy: IfNotPresent enableCRDs: true
vaultOperator: service:
replicaCount: 1 type: NodePort
image: port: 8200
repository: quay.io/coreos/vault-operator
tag: latest
resources: {} resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious # limits:
# choice for the user. This also increases chances charts run on environments with little # cpu: 100m
# resources, such as Minikube. If you do want to specify resources, uncomment the following # memory: 128Mi
# lines, adjust them as necessary, and remove the curly braces after 'resources:'. # requests:
# limits: # cpu: 100m
# cpu: 100m # memory: 128Mi
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
vault: ## additional command arguments go here; will be translated to `--key=value` form
node: 2 ## e.g., analytics: true
version: "0.9.1-0" commandArgs: {}
## Configurable health checks against the /readyz endpoint that vault-operator exposes
readinessProbe:
enabled: false
initialDelaySeconds: 0
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
livenessProbe:
enabled: false
initialDelaySeconds: 0
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
nodeSelector: {}
ui: tolerations: []
name: "vault-ui"
replicaCount: 1 affinity: {}
image:
repository: djenriquez/vault-ui vault:
tag: latest create: true
service: name: my-vault
name: vault-ui node: 1
type: ClusterIP version: "1.2.2"
externalPort: 8000 baseImage: "ranchercharts/vault"
internalPort: 8000 etcdCluster:
# nodePort: 32001 size: 3
ingress: version: 3.2.25
enabled: true repository: ranchercharts/coreos-etcd
# Used to create Ingress record (should used with service.type: ClusterIP).
hosts:
- xip.io
annotations:
# AWS --> redirect http to https
# kubernetes.io/ingress.class: nginx
# ingress.kubernetes.io/force-ssl-redirect: "true"
tls:
# Secrets must be manually created in the namespace.
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
vault:
auth: TOKEN
etcd-operator:
enabled: true
deployments:
etcdOperator: true
# one time deployment, delete once completed,
# Ref: https://github.com/coreos/etcd-operator/blob/master/doc/user/walkthrough/backup-operator.md
backupOperator: true
# one time deployment, delete once completed
# Ref: https://github.com/coreos/etcd-operator/blob/master/doc/user/walkthrough/restore-operator.md
restoreOperator: true
etcd: image:
name: etcd repository: ranchercharts/coreos-etcd-operator
image: tag: v0.9.4
repository: quay.io/coreos/etcd-operator pullPolicy: Always
tag: v0.8.3
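Review bot: `vault.node: 1` here but `default: 3` for the same variable in questions.yaml; a single-node Vault has no HA or failover, which is the operator's main point, so align on 3 or document why the plain-helm default is 1. Pull policies are also inconsistent: `image.pullPolicy: IfNotPresent` for the operator but `etcd-operator.image.pullPolicy: Always` for a tag pinned to `v0.9.4`. `tolerations: []` here versus `tolerations: {}` in the subchart values; the list form is the correct one. The comment pointing at the guangbochen/vault-operator commit behind `ranchercharts/vault-operator` is useful provenance; the README should state plainly that the chart now depends on that fork rather than `quay.io/coreos/vault-operator`.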
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 77.41 114.64"><title>Asset 1</title><g id="Layer_2" data-name="Layer 2"><g id="Logo"><path d="M10.39,89.27V87.16H8.46v2.11h-1V84.19h1v2.13h1.94V84.19h1v5.08Zm4.61,0h-.78L14.15,89a2.15,2.15,0,0,1-1.14.32c-.7,0-1-.46-1-1.09s.34-1,1.11-1H14v-.38c0-.41-.12-.55-.73-.55a5.55,5.55,0,0,0-1.06.11l-.12-.7a5.18,5.18,0,0,1,1.31-.17c1.2,0,1.55.41,1.55,1.32Zm-1-1.38h-.71c-.31,0-.4.08-.4.36s.09.37.38.37a1.55,1.55,0,0,0,.72-.19Zm3,1.46a4.67,4.67,0,0,1-1.32-.21l.13-.7a4.44,4.44,0,0,0,1.14.16c.42,0,.49-.09.49-.37s0-.34-.67-.48c-.93-.22-1-.44-1-1.15s.34-1.06,1.43-1.06a5.22,5.22,0,0,1,1.14.13l-.09.73a7,7,0,0,0-1.05-.11c-.42,0-.49.09-.49.32s0,.32.54.44c1.07.27,1.17.41,1.17,1.16S18.16,89.35,17,89.35Zm4.38-.08V86.71c0-.2-.09-.29-.31-.29a2.72,2.72,0,0,0-1,.31v2.54h-1V84.12l1,.14v1.62a3.48,3.48,0,0,1,1.4-.35c.63,0,.86.43.86,1.08v2.66Zm1.76-4.18v-.9h1v.9Zm0,4.18V85.61h1v3.67Zm1.72-3.63c0-.92.56-1.45,1.86-1.45a6.14,6.14,0,0,1,1.42.17l-.11.82A8,8,0,0,0,26.75,85c-.68,0-.9.23-.9.76v1.93c0,.53.22.76.9.76A8,8,0,0,0,28,88.36l.11.82a6.14,6.14,0,0,1-1.42.17c-1.3,0-1.86-.53-1.86-1.45Zm5.39,3.71c-1.31,0-1.66-.69-1.66-1.44V87c0-.75.35-1.44,1.66-1.44s1.66.69,1.66,1.44v.93C31.91,88.65,31.56,89.35,30.25,89.35Zm0-3c-.51,0-.71.22-.71.63v1c0,.41.2.63.71.63s.71-.22.71-.63v-1C31,86.53,30.76,86.31,30.25,86.31Zm4.35.06a7.58,7.58,0,0,0-1,.53v2.36h-1V85.61h.81l.06.41a4.35,4.35,0,0,1,1-.48Zm3.82,1.68a1.13,1.13,0,0,1-1.26,1.29,5.48,5.48,0,0,1-1-.11v1.5l-1,.14V85.61h.76l.09.31a2.06,2.06,0,0,1,1.21-.38c.77,0,1.18.44,1.18,1.27Zm-2.28.41a4.41,4.41,0,0,0,.85.1c.34,0,.48-.16.48-.49V86.78c0-.3-.12-.47-.47-.47a1.38,1.38,0,0,0-.85.33Z"/><path d="M21.73,93.36h4.12l-6.26,21H13.73l-6.26-21h4.12l5.07,17.47Z"/><path 
d="M37.31,114.32H34.16l-.28-1a8.38,8.38,0,0,1-4.56,1.35c-2.8,0-4-1.92-4-4.56,0-3.12,1.35-4.31,4.47-4.31h3.68v-1.61c0-1.7-.47-2.3-2.93-2.3a21.42,21.42,0,0,0-4.25.47l-.47-2.93a20,20,0,0,1,5.26-.72c4.82,0,6.23,1.7,6.23,5.54Zm-3.84-5.79H30.63c-1.26,0-1.61.35-1.61,1.51s.35,1.54,1.54,1.54a6,6,0,0,0,2.9-.79Z"/><path d="M43.35,99v10.7c0,.82.35,1.23,1.23,1.23a10.59,10.59,0,0,0,4-1.29V99h3.84v15.33H49.49L49.11,113A15.35,15.35,0,0,1,43,114.64c-2.55,0-3.46-1.79-3.46-4.53V99Z"/><path d="M54.46,114.32V92.73l3.84-.53v22.13Z"/><path d="M69.76,114a10.64,10.64,0,0,1-3.37.6c-2.8,0-4.22-1.32-4.22-4.06V102h-2.3V99h2.3V95.19L66,94.65V99h3.93L69.69,102H66v8a1.21,1.21,0,0,0,1.38,1.35,7.39,7.39,0,0,0,1.92-.31Z"/><path d="M0,0,38.57,77.41,77.41,0ZM43.16,15.54h4.49V20H43.16Zm-8.94,18H29.73V29h4.49Zm0-6.73H29.73V22.27h4.49Zm0-6.73H29.73V15.54h4.49ZM41,40.22H36.46V35.73H41Zm0-6.73H36.46V29H41Zm0-6.73H36.46V22.27H41ZM41,20H36.46V15.54H41Zm2.21,2.24h4.49v4.49H43.16Zm0,11.22V29h4.49v4.49Z"/></g></g></svg>
\ No newline at end of file