Attempted to make the changes and add things that will be needed for the new k8s mode

2026-04-05 15:46:22 -05:00 · 2026-04-05 15:46:22 -05:00 · 1912114d63
commit 1912114d63
parent 9e288e7404
6 changed files with 65 additions and 15 deletions
--- a/templates/vault-rbac-role-binding.yaml
+++ b/templates/vault-rbac-role-binding.yaml
@ -0,0 +1,13 @@
+{{- if and .Values.create.enabled (eq .Values.create.appRole.mode "k8s") -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "vault.fullname" . }}-binding
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "vault.fullname" . }}-sa
+roleRef:
+  kind: Role
+  name: {{ include "vault.fullname" . }}-role
+  apiGroup: rbac.authorization.k8s.io
+{{- end -}}
--- a/templates/vault-rbac-role.yaml
+++ b/templates/vault-rbac-role.yaml
@ -0,0 +1,10 @@
+{{- if and .Values.create.enabled (eq .Values.create.appRole.mode "k8s") -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "vault.fullname" . }}-role
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["create", "patch", "get"]
+{{- end -}}
--- a/templates/vault-rbac-sa.yaml
+++ b/templates/vault-rbac-sa.yaml
@ -0,0 +1,8 @@
+{{- if and .Values.create.enabled (eq .Values.create.appRole.mode "k8s") -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "vault.fullname" . }}-sa
+  labels:
+    app.kubernetes.io/name: {{ include "vault.fullname" . }}
+{{- end -}}
--- a/templates/vault-role-vars-persistant-volume-claim.yaml
+++ b/templates/vault-role-vars-persistant-volume-claim.yaml
@ -1,4 +1,4 @@
-{{- if .Values.create.enabled -}}
+{{- if and .Values.create.enabled (eq .Values.create.appRole.mode "file") -}}
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
@ -6,10 +6,10 @@ metadata:
  labels:
    app: {{ include "vault.fullname" . }}
 spec:
-  storageClassName: {{ .Values.create.roleVarsPVC.storageClassName }}
+  storageClassName: {{ .Values.create.appRole.roleVarsPVC.storageClassName }}
  accessModes:
    - ReadWriteMany
  resources:
    requests:
-      storage: {{ .Values.create.roleVarsPVC.size }}
+      storage: {{ .Values.create.appRole.roleVarsPVC.size }}
 {{- end -}}
--- a/templates/vault-statefulset.yaml
+++ b/templates/vault-statefulset.yaml
@ -16,6 +16,10 @@ spec:
      labels:
        app: {{ include "vault.fullname" . }}
    spec:
+      {{- if eq .Values.create.appRole.mode "k8s" }}
+      # If the AppRole mode is set to `k8s`, we need to specify the service account for the Vault pods to use so that it can access the Kubernetes API and specifically manage specific secrets etc...
+      serviceAccountName: {{ include "vault.fullname" . }}-sa
+      {{- end }}
      # Because the Vault process runs with a non-root user inside the container,
      # we need to set the fsGroup to ensure that the mounted volumes have the correct permissions
      securityContext:
@ -49,8 +53,10 @@ spec:
          mountPath: /vault/logs
        - name: vault-creds
          mountPath: /vault/creds
+        {{- if eq .Values.create.appRole.mode "file" }}
        - name: vault-role-vars
          mountPath: /role_vars
+        {{- end }}
        capAdd:
        - IPC_LOCK
      volumes:
@ -63,9 +69,12 @@ spec:
        {{- else }}
        emptyDir: {}
        {{- end }}
+      {{- if eq .Values.create.appRole.mode "file" }}
      - name: vault-role-vars
        persistentVolumeClaim:
          claimName: {{ include "vault.fullname" . }}-role-vars
+      {{- end }}
+
  # To have data consistency across pod restarts, we use a volume claim template
  # We do this instead of a static PVC because we require less control and it's easier to manage
  volumeClaimTemplates:
--- a/values.yaml
+++ b/values.yaml
@ -76,22 +76,32 @@ create:
  
  # Configurations for the AppRole authentication method for the created Vault instance
  appRole:
-    # The name of the environment variable/secret that contains the Role ID for the app
+    # The mode within which it runs this determines how approle data is shared
+    # 
+    # | Value  | Description                                                                                                                                                                                        |
+    # | ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+    # | `file` | This creates a .env file with the approle data. This is useful in situations where sharing data across filesystems makes sense. Ex. docker compose                                                 |
+    # | `k8s`  | This creates Kubernetes configurations and secrets for the approle data. This is useful in situations where sharing data via Kubernetes resources makes sense. Ex. In the same k8s cluster, etc... |
+    mode: 'file'
+
+    # In `file` mode - the name of the environment variable/secret that contains the Role ID for the app
+    # In `k8s` mode - the name of the Kubernetes secret that contains the Role ID for the app
    roleIDSecretName: VAULT_ROLE_ID

-    # The name of the environment variable/secret that contains the Secret ID for the app
+    # In `file` mode - the name of the environment variable/secret that contains the Secret ID for the app
+    # In `k8s` mode - the name of the Kubernetes secret that contains the Secret ID for the app
    secretIDSecretName: VAULT_SECRET_ID

-  # Configurations for the `role-vars` Persistent Volume Claim (PVC). 
-  # The `role-vars` PVC is used for the app's AppRole auth access variables (role & secret IDs etc...)
-  roleVarsPVC:
-    # Because the PVC needs to be a RWX type volume (so that multiple pods can access it) 
-    # Because the app and the vault are separate pods. 
-    # We need to use a storage class that supports RWX (Custom create CephFS backed storage class)
-    storageClassName: vault-role-vars-rook-cephfs
-    
-    # The size of the PVC (note because this is largely just credentials a small size is sufficient)
-    size: 512Mi
+    # Configurations for the `role-vars` Persistent Volume Claim (PVC). 
+    # The `role-vars` PVC is used for the app's AppRole auth access variables (role & secret IDs etc...)
+    roleVarsPVC:
+      # Because the PVC needs to be a RWX type volume (so that multiple pods can access it) 
+      # Because the app and the vault are separate pods. 
+      # We need to use a storage class that supports RWX (Custom create CephFS backed storage class)
+      storageClassName: vault-role-vars-rook-cephfs
+
+      # The size of the PVC (note because this is largely just credentials a small size is sufficient)
+      size: 512Mi
  
  # Configurations for the `vault-data` Persistent Volume Claim (PVC).
  # The `vault-data` PVC is used for the Vault's data storage.