Commit 40529ed9 authored by Will JALLET's avatar Will JALLET 💸

Merge branch 'master' of gitlab.binets.fr:br/kubernetes-helm-state

parents 5df1af7c a7eebf0d
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
apiVersion: v1
appVersion: 0.1.9
description: CoreOS vault-operator Helm chart for Kubernetes
home: https://github.com/coreos/vault-operator
icon: https://s3.amazonaws.com/hashicorp-marketing-web-assets/brand/Vault_VerticalLogo_FullColor.B1xPC0pSax.svg
maintainers:
- email: michael@laccetti.com
name: mlaccetti
name: vault-operator
sources:
- https://github.com/coreos/vault-operator
version: 0.1.0
approvers:
- mlaccetti
reviewers:
- mlaccetti
# CoreOS vault-operator
[vault-operator](https://coreos.com/blog/introducing-vault-operator-project) Simplify vault cluster
configuration and management.
__DISCLAIMER:__ While this chart has been well-tested, the vault-operator is still currently in beta.
Current project status is available [here](https://github.com/coreos/vault-operator).
## Introduction
This chart bootstraps a vault-operator and allows the deployment of vault cluster(s). It depends on the `etcd-operator` being installed.
## Official Documentation
Official project documentation found [here](https://github.com/coreos/vault-operator)
## Pre-requisites
- Kubernetes 1.9+
- __Suggested:__ RBAC setup for the Kubernetes cluster
- [`etcd-operator`](https://github.com/kubernetes/charts/tree/master/stable/etcd-operator)
## Installing the Chart
To install the chart with the release name `my-release`:
```bash
$ helm install stable/vault-operator --name my-release
```
If you do not want to deploy the `etcd-operator` manually, you can deploy it at the same time as when you deploy the `vault-operator`:
```bash
$ helm install stable/vault-operator --name my-release --set etcd-operator.enabled=true
```
## Uninstalling the Chart
To uninstall/delete the `my-release` deployment:
```bash
$ helm delete my-release
```
The command removes all the Kubernetes components EXCEPT the persistent volume.
## Configuration
The following table lists the configurable parameters of the vault-operator chart and their default values.
| Parameter | Description | Default |
| ------------------------------------------------- | -------------------------------------------------------------------- | ---------------------------------------------- |
| `name` | name of the deployment | `vault-operator` |
| `replicaCount` | Number of operator replicas to create (only 1 is supported) | `1` |
| `image.repository` | vault-operator container image | `quay.io/coreos/vault-operator` |
| `image.tag` | vault-operator container image tag | `0.1.9` |
| `image.pullPolicy` | vault-operator container image pull policy | `Always` |
| `rbac.create` | install required RBAC service account, roles and rolebindings | `true` |
| `rbac.apiVersion` | RBAC api version `v1alpha1|v1beta1` | `v1beta1` |
| `serviceAccount.create` | create a new service account for the vault-operator | `true` |
| `serviceAccount.name` | Name of the service account resource when RBAC is enabled | `vault-operator-sa` |
| `resources.cpu` | CPU limit per vault-operator pod | `100m` |
| `resources.memory` | Memory limit per vault-operator pod | `128mi` |
| `nodeSelector` | Node labels for vault-operator pod assignment | `{}` |
| `commandArgs` | Additional command arguments | `{}` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example:
```bash
$ helm install --name my-release --set image.tag=v0.1.9 stable/vault-operator
```
Alternatively, a YAML file that specifies the values for the parameters can be provided while
installing the chart. For example:
```bash
$ helm install --name my-release --values values.yaml stable/vault-operator
```
## RBAC
By default the chart will install the recommended RBAC roles and rolebindings.
To determine if your cluster supports this running the following:
```bash
$ kubectl api-versions | grep rbac
```
You also need to have the following parameter on the api server. See the following document for how to enable [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/)
```bash
--authorization-mode=RBAC
```
If the output contains "beta" or both "alpha" and "beta" you can may install rbac by default, if not, you may turn RBAC off as described below.
### RBAC Role/RoleBinding Creation
RBAC resources are enabled by default. To disable RBAC do the following:
```bash
$ helm install --name my-release stable/vault-operator --set rbac.create=false
```
### Changing RBAC Manifest apiVersion
By default the RBAC resources are generated with the "v1beta1" apiVersion. To use "v1alpha1" do the following:
```bash
$ helm install --name my-release stable/vault-operator --set rbac.install=true,rbac.apiVersion=v1alpha1
```
## Creating a Vault
### Deploy a CRD
```yaml
apiVersion: "vault.security.coreos.com/v1alpha1"
kind: "VaultService"
metadata:
name: "example"
spec:
nodes: 2
version: "0.9.1-0"
```
### Initialize Vault
```bash
kubectl -n <namespace> get vault example -o jsonpath='{.status.vaultStatus.sealed[0]}' | xargs -0 -I {} kubectl -n <namespace> port-forward {} 8200
vault init
```
### Unseal the Vault
Repeat as many times as nodes created. Run the `vault unseal` command three times.
```bash
kubectl -n <namespace> get vault example -o jsonpath='{.status.vaultStatus.sealed[0]}' | xargs -0 -I {} kubectl -n <namespace> port-forward {} 8200
vault unseal
```
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
apiVersion: v1
appVersion: 0.9.2
description: CoreOS etcd-operator Helm chart for Kubernetes
home: https://github.com/coreos/etcd-operator
icon: https://raw.githubusercontent.com/coreos/etcd/master/logos/etcd-horizontal-color.png
maintainers:
- email: chance.zibolski@coreos.com
name: chancez
- email: lachlan@deis.com
name: lachie83
- email: jaescobar.cell@gmail.com
name: alejandroEsc
name: etcd-operator
sources:
- https://github.com/coreos/etcd-operator
version: 0.8.0
approvers:
- lachie83
- chancez
- alejandroEsc
reviewers:
- lachie83
- chancez
- alejandroEsc
This diff is collapsed.
{{- $clusterEnabled := (and (not .Release.IsInstall) .Values.customResources.createEtcdClusterCRD) -}}
{{- if and .Release.IsInstall .Values.customResources.createEtcdClusterCRD -}}
Not enabling cluster, the ThirdPartResource must be installed before you can create a Cluster. Continuing rest of normal deployment.
{{ end -}}
{{- if $clusterEnabled -}}
1. Watch etcd cluster start
kubectl get pods -l etcd_cluster={{ .Values.etcdCluster.name }} --namespace {{ .Release.Namespace }} -w
2. Confirm etcd cluster is healthy
$ kubectl run --rm -i --tty --env="ETCDCTL_API=3" --env="ETCDCTL_ENDPOINTS=http://{{ .Values.etcdCluster.name }}-client:2379" --namespace {{ .Release.Namespace }} etcd-test --image quay.io/coreos/etcd --restart=Never -- /bin/sh -c 'watch -n1 "etcdctl member list"'
3. Interact with the cluster!
$ kubectl run --rm -i --tty --env ETCDCTL_API=3 --namespace {{ .Release.Namespace }} etcd-test --image quay.io/coreos/etcd --restart=Never -- /bin/sh
/ # etcdctl --endpoints http://{{ .Values.etcdCluster.name }}-client:2379 put foo bar
/ # etcdctl --endpoints http://{{ .Values.etcdCluster.name }}-client:2379 get foo
OK
(ctrl-D to exit)
4. Optional
Check the etcd-operator logs
export POD=$(kubectl get pods -l app={{ template "etcd-operator.fullname" . }} --namespace {{ .Release.Namespace }} --output name)
kubectl logs $POD --namespace={{ .Release.Namespace }}
{{- else -}}
1. etcd-operator deployed.
If you would like to deploy an etcd-cluster set cluster.enabled to true in values.yaml
Check the etcd-operator logs
export POD=$(kubectl get pods -l app={{ template "etcd-operator.fullname" . }} --namespace {{ .Release.Namespace }} --output name)
kubectl logs $POD --namespace={{ .Release.Namespace }}
{{- end -}}
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "etcd-operator.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "etcd-operator.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- printf "%s-%s-%s" .Release.Name $name .Values.etcdOperator.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- define "etcd-backup-operator.name" -}}
{{- default .Chart.Name .Values.backupOperator.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "etcd-backup-operator.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- printf "%s-%s-%s" .Release.Name $name .Values.backupOperator.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- define "etcd-restore-operator.name" -}}
{{- default .Chart.Name .Values.restoreOperator.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "etcd-restore-operator.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- printf "%s-%s-%s" .Release.Name $name .Values.restoreOperator.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create the name of the etcd-operator service account to use
*/}}
{{- define "etcd-operator.serviceAccountName" -}}
{{- if .Values.serviceAccount.etcdOperatorServiceAccount.create -}}
{{ default (include "etcd-operator.fullname" .) .Values.serviceAccount.etcdOperatorServiceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.etcdOperatorServiceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Create the name of the backup-operator service account to use
*/}}
{{- define "etcd-backup-operator.serviceAccountName" -}}
{{- if .Values.serviceAccount.backupOperatorServiceAccount.create -}}
{{ default (include "etcd-backup-operator.fullname" .) .Values.serviceAccount.backupOperatorServiceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.backupOperatorServiceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Create the name of the restore-operator service account to use
*/}}
{{- define "etcd-restore-operator.serviceAccountName" -}}
{{- if .Values.serviceAccount.restoreOperatorServiceAccount.create -}}
{{ default (include "etcd-restore-operator.fullname" .) .Values.serviceAccount.restoreOperatorServiceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.restoreOperatorServiceAccount.name }}
{{- end -}}
{{- end -}}
\ No newline at end of file
{{- if .Values.customResources.createBackupCRD }}
---
apiVersion: "etcd.database.coreos.com/v1beta2"
kind: "EtcdBackup"
metadata:
name: {{ template "etcd-backup-operator.fullname" . }}
labels:
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
app: {{ template "etcd-backup-operator.name" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
annotations:
"helm.sh/hook": "post-install"
"helm.sh/hook-delete-policy": "before-hook-creation"
spec:
clusterName: {{ .Values.etcdCluster.name }}
{{ toYaml .Values.backupOperator.spec | indent 2 }}
{{- end}}
\ No newline at end of file
{{- if and .Values.rbac.create .Values.deployments.backupOperator }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }}
metadata:
name: {{ template "etcd-backup-operator.fullname" . }}
labels:
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
app: {{ template "etcd-operator.name" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
subjects:
- kind: ServiceAccount
name: {{ template "etcd-backup-operator.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "etcd-operator.fullname" . }}
{{- end }}
{{- if .Values.deployments.backupOperator }}
---
apiVersion: apps/v1beta2
kind: Deployment
metadata:
name: {{ template "etcd-backup-operator.fullname" . }}
labels:
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
app: {{ template "etcd-backup-operator.name" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
selector:
matchLabels:
app: {{ template "etcd-backup-operator.fullname" . }}
release: {{ .Release.Name }}
replicas: {{ .Values.backupOperator.replicaCount }}
template:
metadata:
name: {{ template "etcd-backup-operator.fullname" . }}
labels:
app: {{ template "etcd-backup-operator.fullname" . }}
release: {{ .Release.Name }}
spec:
serviceAccountName: {{ template "etcd-backup-operator.serviceAccountName" . }}
containers:
- name: {{ .Values.backupOperator.name }}
image: "{{ .Values.backupOperator.image.repository }}:{{ .Values.backupOperator.image.tag }}"
imagePullPolicy: {{ .Values.backupOperator.image.pullPolicy }}
command:
- etcd-backup-operator
{{- range $key, $value := .Values.backupOperator.commandArgs }}
- "--{{ $key }}={{ $value }}"
{{- end }}
env:
- name: MY_POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: MY_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
resources:
limits:
cpu: {{ .Values.backupOperator.resources.cpu }}
memory: {{ .Values.backupOperator.resources.memory }}
requests:
cpu: {{ .Values.backupOperator.resources.cpu }}
memory: {{ .Values.backupOperator.resources.memory }}
{{- if .Values.backupOperator.nodeSelector }}
nodeSelector:
{{ toYaml .Values.backupOperator.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.backupOperator.tolerations }}
tolerations:
{{ toYaml .Values.backupOperator.tolerations | indent 8 }}
{{- end }}
{{- end }}
{{- if and .Values.serviceAccount.backupOperatorServiceAccount.create .Values.deployments.backupOperator }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "etcd-backup-operator.serviceAccountName" . }}
labels:
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
app: {{ template "etcd-backup-operator.name" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
{{- end }}
\ No newline at end of file
{{- if .Values.customResources.createEtcdClusterCRD }}
---
apiVersion: "etcd.database.coreos.com/v1beta2"
kind: "EtcdCluster"
metadata:
name: {{ .Values.etcdCluster.name }}
labels:
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
app: {{ template "etcd-operator.name" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
annotations:
"helm.sh/hook": "post-install"
"helm.sh/hook-delete-policy": "before-hook-creation"
spec:
size: {{ .Values.etcdCluster.size }}
version: "{{ .Values.etcdCluster.version }}"
pod:
{{ toYaml .Values.etcdCluster.pod | indent 4 }}
{{- if .Values.etcdCluster.enableTLS }}
TLS:
{{ toYaml .Values.etcdCluster.tls | indent 4 }}
{{- end }}
{{- end }}
{{- if .Values.rbac.create }}
---
apiVersion: rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }}
kind: ClusterRole
metadata:
name: {{ template "etcd-operator.fullname" . }}
labels:
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
app: {{ template "etcd-operator.name" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups:
- etcd.database.coreos.com
resources:
- etcdclusters
- etcdbackups
- etcdrestores
verbs:
- "*"
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- "*"
- apiGroups:
- ""
resources:
- pods
- services
- endpoints
- persistentvolumeclaims
- events
verbs:
- "*"
- apiGroups:
- apps
resources:
- deployments
verbs:
- "*"
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
{{- end }}
{{- if and .Values.rbac.create .Values.deployments.etcdOperator }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/{{ required "A valid .Values.rbac.apiVersion entry required!" .Values.rbac.apiVersion }}
metadata:
name: {{ template "etcd-operator.fullname" . }}
labels:
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
app: {{ template "etcd-operator.name" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
subjects:
- kind: ServiceAccount
name: {{ template "etcd-operator.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "etcd-operator.fullname" . }}
{{- end }}
{{- if .Values.deployments.etcdOperator }}
---
apiVersion: apps/v1beta2
kind: Deployment
metadata:
name: {{ template "etcd-operator.fullname" . }}
labels:
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
app: {{ template "etcd-operator.name" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
selector:
matchLabels:
app: {{ template "etcd-operator.fullname" . }}
release: {{ .Release.Name }}
replicas: {{ .Values.etcdOperator.replicaCount }}
template:
metadata:
name: {{ template "etcd-operator.fullname" . }}
labels:
app: {{ template "etcd-operator.fullname" . }}
release: {{ .Release.Name }}
spec:
serviceAccountName: {{ template "etcd-operator.serviceAccountName" . }}
containers:
- name: {{ template "etcd-operator.fullname" . }}
image: "{{ .Values.etcdOperator.image.repository }}:{{ .Values.etcdOperator.image.tag }}"
imagePullPolicy: {{ .Values.etcdOperator.image.pullPolicy }}
command:
- etcd-operator
{{- range $key, $value := .Values.etcdOperator.commandArgs }}
- "--{{ $key }}={{ $value }}"
{{- end }}
env:
- name: MY_POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: MY_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
resources:
limits:
cpu: {{ .Values.etcdOperator.resources.cpu }}
memory: {{ .Values.etcdOperator.resources.memory }}
requests:
cpu: {{ .Values.etcdOperator.resources.cpu }}
memory: {{ .Values.etcdOperator.resources.memory }}
{{- if .Values.etcdOperator.livenessProbe.enabled }}
livenessProbe:
httpGet:
path: /readyz
port: 8080
initialDelaySeconds: {{ .Values.etcdOperator.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.etcdOperator.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.etcdOperator.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.etcdOperator.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.etcdOperator.livenessProbe.failureThreshold }}
{{- end}}
{{- if .Values.etcdOperator.readinessProbe.enabled }}
readinessProbe:
httpGet:
path: /readyz
port: 8080
initialDelaySeconds: {{ .Values.etcdOperator.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.etcdOperator.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.etcdOperator.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.etcdOperator.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.etcdOperator.readinessProbe.failureThreshold }}
{{- end }}
{{- if .Values.etcdOperator.nodeSelector }}
nodeSelector:
{{ toYaml .Values.etcdOperator.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.etcdOperator.tolerations }}
tolerations:
{{ toYaml .Values.etcdOperator.tolerations | indent 8 }}
{{- end }}
{{- end }}
{{- if and .Values.serviceAccount.etcdOperatorServiceAccount.create .Values.deployments.etcdOperator }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "etcd-operator.serviceAccountName" . }}
labels:
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
app: {{ template "etcd-operator.name" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}