base template from helm chart

hashicorp/vault/NOTES.txt

@@ -0,0 +1,14 @@
+
+Thank you for installing HashiCorp Vault!
+
+Now that you have deployed Vault, you should look over the docs on using
+Vault with Kubernetes available here:
+
+https://www.vaultproject.io/docs/
+
+
+Your release is named {{ .Release.Name }}. To learn more about the release, try:
+
+  $ helm status {{ .Release.Name }}
+  $ helm get {{ .Release.Name }}
+

hashicorp/vault/_helpers.tpl

@@ -0,0 +1,313 @@
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to
+this (by the DNS naming spec). If release name contains chart name it will
+be used as a full name.
+*/}}
+{{- define "vault.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "vault.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "vault.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Compute the maximum number of unavailable replicas for the PodDisruptionBudget.
+This defaults to (n/2)-1 where n is the number of members of the server cluster.
+Add a special case for replicas=1, where it should default to 0 as well.
+*/}}
+{{- define "vault.pdb.maxUnavailable" -}}
+{{- if eq (int .Values.server.ha.replicas) 1 -}}
+{{ 0 }}
+{{- else if .Values.server.ha.disruptionBudget.maxUnavailable -}}
+{{ .Values.server.ha.disruptionBudget.maxUnavailable -}}
+{{- else -}}
+{{- div (sub (div (mul (int .Values.server.ha.replicas) 10) 2) 1) 10 -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Set the variable 'mode' to the server mode requested by the user to simplify
+template logic.
+*/}}
+{{- define "vault.mode" -}}
+  {{- if eq (.Values.server.dev.enabled | toString) "true" -}}
+    {{- $_ := set . "mode" "dev" -}}
+  {{- else if eq (.Values.server.ha.enabled | toString) "true" -}}
+    {{- $_ := set . "mode" "ha" -}}
+  {{- else if or (eq (.Values.server.standalone.enabled | toString) "true") (eq (.Values.server.standalone.enabled | toString) "-") -}}
+    {{- $_ := set . "mode" "standalone" -}}
+  {{- else -}}
+    {{- $_ := set . "mode" "" -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Set's the replica count based on the different modes configured by user
+*/}}
+{{- define "vault.replicas" -}}
+  {{ if eq .mode "standalone" }}
+    {{- default 1 -}}
+  {{ else if eq .mode "ha" }}
+    {{- .Values.server.ha.replicas | default 3 -}}
+  {{ else }}
+    {{- default 1 -}}
+  {{ end }}
+{{- end -}}
+
+{{/*
+Set's up configmap mounts if this isn't a dev deployment and the user
+defined a custom configuration.  Additionally iterates over any
+extra volumes the user may have specified (such as a secret with TLS).
+*/}}
+{{- define "vault.volumes" -}}
+  {{- if and (ne .mode "dev") (or (ne .Values.server.standalone.config "")  (ne .Values.server.ha.config "")) }}
+        - name: config
+          configMap:
+            name: {{ template "vault.fullname" . }}-config
+  {{ end }}
+  {{- range .Values.server.extraVolumes }}
+        - name: userconfig-{{ .name }}
+          {{ .type }}:
+          {{- if (eq .type "configMap") }}
+            name: {{ .name }}
+          {{- else if (eq .type "secret") }}
+            secretName: {{ .name }}
+          {{- end }}
+  {{- end }}
+{{- end -}}
+
+{{/*
+Set's a command to override the entrypoint defined in the image
+so we can make the user experience nicer.  This works in with
+"vault.args" to specify what commands /bin/sh should run.
+*/}}
+{{- define "vault.command" -}}
+  {{ if or (eq .mode "standalone") (eq .mode "ha") }}
+          - "/bin/sh"
+          - "-ec"
+  {{ end }}
+{{- end -}}
+
+{{/*
+Set's the args for custom command to render the Vault configuration
+file with IP addresses to make the out of box experience easier
+for users looking to use this chart with Consul Helm.
+*/}}
+{{- define "vault.args" -}}
+  {{ if or (eq .mode "standalone") (eq .mode "ha") }}
+          - |
+            sed -E "s/HOST_IP/${HOST_IP?}/g" /vault/config/extraconfig-from-values.hcl > /tmp/storageconfig.hcl;
+            sed -Ei "s/POD_IP/${POD_IP?}/g" /tmp/storageconfig.hcl;
+            /usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl {{ .Values.server.extraArgs }}
+  {{ end }}
+{{- end -}}
+
+{{/*
+Set's additional environment variables based on the mode.
+*/}}
+{{- define "vault.envs" -}}
+  {{ if eq .mode "dev" }}
+            - name: VAULT_DEV_ROOT_TOKEN_ID
+              value: "root"
+  {{ end }}
+{{- end -}}
+
+{{/*
+Set's which additional volumes should be mounted to the container
+based on the mode configured.
+*/}}
+{{- define "vault.mounts" -}}
+  {{ if eq (.Values.server.auditStorage.enabled | toString) "true" }}
+            - name: audit
+              mountPath: /vault/audit
+  {{ end }}
+  {{ if eq .mode "standalone" }}
+    {{ if eq (.Values.server.dataStorage.enabled | toString) "true" }}
+            - name: data
+              mountPath: /vault/data
+    {{ end }}
+  {{ end }}
+  {{ if and (ne .mode "dev") (or (ne .Values.server.standalone.config "")  (ne .Values.server.ha.config "")) }}
+            - name: config
+              mountPath: /vault/config
+  {{ end }}
+  {{- range .Values.server.extraVolumes }}
+            - name: userconfig-{{ .name }}
+              readOnly: true
+              mountPath: {{ .path | default "/vault/userconfig" }}/{{ .name }}
+  {{- end }}
+{{- end -}}
+
+{{/*
+Set's up the volumeClaimTemplates when data or audit storage is required.  HA
+might not use data storage since Consul is likely it's backend, however, audit
+storage might be desired by the user.
+*/}}
+{{- define "vault.volumeclaims" -}}
+  {{- if and (ne .mode "dev") (or .Values.server.dataStorage.enabled .Values.server.auditStorage.enabled) }}
+  volumeClaimTemplates:
+      {{- if and (eq (.Values.server.dataStorage.enabled | toString) "true") (eq .mode "standalone") }}
+    - metadata:
+        name: data
+      spec:
+        accessModes:
+          - {{ .Values.server.dataStorage.accessMode | default "ReadWriteOnce" }}
+        resources:
+          requests:
+            storage: {{ .Values.server.dataStorage.size }}
+          {{- if .Values.server.dataStorage.storageClass }}
+        storageClassName: {{ .Values.server.dataStorage.storageClass }}
+          {{- end }}
+      {{ end }}
+      {{- if eq (.Values.server.auditStorage.enabled | toString) "true" }}
+    - metadata:
+        name: audit
+      spec:
+        accessModes:
+          - {{ .Values.server.auditStorage.accessMode | default "ReadWriteOnce" }}
+        resources:
+          requests:
+            storage: {{ .Values.server.auditStorage.size }}
+          {{- if .Values.server.auditStorage.storageClass }}
+        storageClassName: {{ .Values.server.auditStorage.storageClass }}
+          {{- end }}
+      {{ end }}
+  {{ end }}
+{{- end -}}
+
+{{/*
+Set's the affinity for pod placement when running in standalone and HA modes.
+*/}}
+{{- define "vault.affinity" -}}
+  {{- if and (ne .mode "dev") .Values.server.affinity }}
+      affinity:
+        {{ tpl .Values.server.affinity . | nindent 8 | trim }}
+  {{ end }}
+{{- end -}}
+
+{{/*
+Set's the toleration for pod placement when running in standalone and HA modes.
+*/}}
+{{- define "vault.tolerations" -}}
+  {{- if and (ne .mode "dev") .Values.server.tolerations }}
+      tolerations:
+        {{ tpl .Values.server.tolerations . | nindent 8 | trim }}
+  {{- end }}
+{{- end -}}
+
+{{/*
+Set's the node selector for pod placement when running in standalone and HA modes.
+*/}}
+{{- define "vault.nodeselector" -}}
+  {{- if and (ne .mode "dev") .Values.server.nodeSelector }}
+      nodeSelector:
+        {{ tpl .Values.server.nodeSelector . | indent 8 | trim }}
+  {{- end }}
+{{- end -}}
+
+{{/*
+Sets extra pod annotations
+*/}}
+{{- define "vault.annotations" -}}
+  {{- if and (ne .mode "dev") .Values.server.annotations }}
+      annotations:
+        {{- tpl .Values.server.annotations . | nindent 8 }}
+  {{- end }}
+{{- end -}}
+
+{{/*
+Sets extra ui service annotations
+*/}}
+{{- define "vault.ui.annotations" -}}
+  {{- if .Values.ui.annotations }}
+  annotations:
+    {{- toYaml .Values.ui.annotations | nindent 4 }}
+  {{- end }}
+{{- end -}}
+
+{{/*
+Sets extra service account annotations
+*/}}
+{{- define "vault.serviceAccount.annotations" -}}
+  {{- if and (ne .mode "dev") .Values.server.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml .Values.server.serviceAccount.annotations | nindent 4 }}
+  {{- end }}
+{{- end -}}
+
+{{/*
+Set's the container resources if the user has set any.
+*/}}
+{{- define "vault.resources" -}}
+  {{- if .Values.server.resources -}}
+          resources:
+{{ toYaml .Values.server.resources | indent 12}}
+  {{ end }}
+{{- end -}}
+
+{{/*
+Sets the container resources if the user has set any.
+*/}}
+{{- define "injector.resources" -}}
+  {{- if .Values.injector.resources -}}
+          resources:
+{{ toYaml .Values.injector.resources | indent 12}}
+  {{ end }}
+{{- end -}}
+
+{{/*
+Inject extra environment vars in the format key:value, if populated
+*/}}
+{{- define "vault.extraEnvironmentVars" -}}
+{{- if .extraEnvironmentVars -}}
+{{- range $key, $value := .extraEnvironmentVars }}
+- name: {{ $key }}
+  value: {{ $value | quote }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Inject extra environment populated by secrets, if populated
+*/}}
+{{- define "vault.extraSecretEnvironmentVars" -}}
+{{- if .extraSecretEnvironmentVars -}}
+{{- range .extraSecretEnvironmentVars }}
+- name: {{ .envName }}
+  valueFrom:
+   secretKeyRef:
+     name: {{ .secretName }}
+     key: {{ .secretKey }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/* Scheme for health check and local endpoint */}}
+{{- define "vault.scheme" -}}
+{{- if .Values.global.tlsDisable -}}
+{{ "http" }}
+{{- else -}}
+{{ "https" }}
+{{- end -}}
+{{- end -}}

hashicorp/vault/injector/injector-clusterrole.yaml

@@ -0,0 +1,18 @@
+{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "vault.fullname" . }}-agent-injector-clusterrole
+  labels:
+    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+rules:
+- apiGroups: ["admissionregistration.k8s.io"]
+  resources: ["mutatingwebhookconfigurations"]
+  verbs: 
+    - "get"
+    - "list"
+    - "watch"
+    - "patch"
+{{ end }}

hashicorp/vault/injector/injector-clusterrolebinding.yaml

@@ -0,0 +1,19 @@
+{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "vault.fullname" . }}-agent-injector-binding
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "vault.fullname" . }}-agent-injector-clusterrole
+subjects:
+- kind: ServiceAccount
+  name: {{ template "vault.fullname" . }}-agent-injector
+  namespace: {{ .Release.Namespace }}
+{{ end }}

hashicorp/vault/injector/injector-deployment.yaml

@@ -0,0 +1,90 @@
+{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+# Deployment for the injector
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "vault.fullname" . }}-agent-injector
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    component: webhook
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
+      app.kubernetes.io/instance: {{ .Release.Name }}
+      component: webhook
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        component: webhook
+    spec:
+      serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector"
+      securityContext:
+        runAsNonRoot: true
+        runAsGroup: {{ .Values.injector.gid | default 1000 }}
+        runAsUser: {{ .Values.injector.uid | default 100 }}
+      containers:
+        - name: sidecar-injector
+          {{ template "injector.resources" . }}
+          image: "{{ .Values.injector.image.repository }}:{{ .Values.injector.image.tag }}"
+          imagePullPolicy: "{{ .Values.injector.image.pullPolicy }}"
+          env:
+            - name: AGENT_INJECT_LISTEN
+              value: ":8080"
+            - name: AGENT_INJECT_LOG_LEVEL
+              value: {{ .Values.injector.logLevel | default "info" }}
+            - name: AGENT_INJECT_VAULT_ADDR
+              value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
+            - name: AGENT_INJECT_VAULT_IMAGE
+              value: "{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}"
+            {{- if .Values.injector.certs.secretName }}
+            - name: AGENT_INJECT_TLS_CERT_FILE
+              value: "/etc/webhook/certs/{{ .Values.injector.certs.certName }}"
+            - name: AGENT_INJECT_TLS_KEY_FILE
+              value: "/etc/webhook/certs/{{ .Values.injector.certs.keyName }}"
+            {{- else }}
+            - name: AGENT_INJECT_TLS_AUTO
+              value: {{ template "vault.fullname" . }}-agent-injector-cfg
+            - name: AGENT_INJECT_TLS_AUTO_HOSTS
+              value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }}.svc
+            {{- end }}
+          args:
+            - agent-inject
+            - 2>&1
+          livenessProbe:
+            httpGet:
+              path: /health/ready
+              port: 8080
+              scheme: HTTPS
+            failureThreshold: 2
+            initialDelaySeconds: 1
+            periodSeconds: 2
+            successThreshold: 1
+            timeoutSeconds: 5
+          readinessProbe:
+            httpGet:
+              path: /health/ready
+              port: 8080
+              scheme: HTTPS
+            failureThreshold: 2
+            initialDelaySeconds: 2
+            periodSeconds: 2
+            successThreshold: 1
+            timeoutSeconds: 5
+{{- if .Values.injector.certs.secretName }}
+          volumeMounts:
+            - name: webhook-certs
+              mountPath: /etc/webhook/certs
+              readOnly: true
+      volumes:
+        - name: webhook-certs
+          secret:
+            secretName: "{{ .Values.injector.certs.secretName }}"
+{{- end }}
+{{ end }}

hashicorp/vault/injector/injector-mutating-webhook.yaml

@@ -0,0 +1,27 @@
+{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: {{ template "vault.fullname" . }}-agent-injector-cfg
+  labels:
+    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+webhooks:
+  - name: vault.hashicorp.com
+    clientConfig:
+      service:
+        name: {{ template "vault.fullname" . }}-agent-injector-svc
+        namespace: {{ .Release.Namespace }}
+        path: "/mutate"
+      caBundle: {{ .Values.injector.certs.caBundle }}
+    rules:
+      - operations: ["CREATE", "UPDATE"]
+        apiGroups: [""]
+        apiVersions: ["v1"]
+        resources: ["pods"]
+{{- if .Values.injector.namespaceSelector }}
+    namespaceSelector:
+{{ toYaml .Values.injector.namespaceSelector | indent 6}}
+{{ end }}
+{{ end }}

hashicorp/vault/injector/injector-service.yaml

@@ -0,0 +1,19 @@
+{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "vault.fullname" . }}-agent-injector-svc
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+  ports:
+  - port: 443
+    targetPort: 8080
+  selector:
+    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    component: webhook
+{{- end }}

hashicorp/vault/injector/injector-serviceaccount.yaml

@@ -0,0 +1,11 @@
+{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "vault.fullname" . }}-agent-injector
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{ end }}