From 1912114d6337a48c5fa5bdde88c1e782e22ce6fb Mon Sep 17 00:00:00 2001
From: Alan Bridgeman
Date: Sun, 5 Apr 2026 15:46:22 -0500
Subject: [PATCH] Attempted to make the changes and add things that will be needed for the new k8s mode

---
 templates/vault-rbac-role-binding.yaml | 13 +++++++
 templates/vault-rbac-role.yaml | 10 ++++++
 templates/vault-rbac-sa.yaml | 8 +++++
 ...ult-role-vars-persistant-volume-claim.yaml | 6 ++--
 templates/vault-statefulset.yaml | 9 +++++
 values.yaml | 34 ++++++++++++-------
 6 files changed, 65 insertions(+), 15 deletions(-)
 create mode 100644 templates/vault-rbac-role-binding.yaml
 create mode 100644 templates/vault-rbac-role.yaml
 create mode 100644 templates/vault-rbac-sa.yaml

diff --git a/templates/vault-rbac-role-binding.yaml b/templates/vault-rbac-role-binding.yaml
new file mode 100644
index 0000000..17bacb0
--- /dev/null
+++ b/templates/vault-rbac-role-binding.yaml
@@ -0,0 +1,13 @@
+{{- if and .Values.create.enabled (eq .Values.create.appRole.mode "k8s") -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "vault.fullname" . }}-binding
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "vault.fullname" . }}-sa
+roleRef:
+ kind: Role
+ name: {{ include "vault.fullname" . }}-role
+ apiGroup: rbac.authorization.k8s.io
+{{- end -}}
\ No newline at end of file
diff --git a/templates/vault-rbac-role.yaml b/templates/vault-rbac-role.yaml
new file mode 100644
index 0000000..3d6ab28
--- /dev/null
+++ b/templates/vault-rbac-role.yaml
@@ -0,0 +1,10 @@
+{{- if and .Values.create.enabled (eq .Values.create.appRole.mode "k8s") -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "vault.fullname" . }}-role
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["create", "patch", "get"]
+{{- end -}}
\ No newline at end of file
diff --git a/templates/vault-rbac-sa.yaml b/templates/vault-rbac-sa.yaml
new file mode 100644
index 0000000..bec409b
--- /dev/null
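Review bot: The ServiceAccount subject carries no `namespace`, so the binding relies on the RBAC authorizer defaulting an empty subject namespace to the RoleBinding's own namespace; that works for a plain `helm install`, but it is an implicit dependency, and the same subject block would be rejected outright if the kind were ever switched to ClusterRoleBinding. Making it explicit costs one line under the subject: `namespace: {{ .Release.Namespace }}`. Adding `namespace: {{ .Release.Namespace }}` to `metadata:` of the Role, RoleBinding and ServiceAccount keeps the three objects in lock-step if someone renders with `helm template` and applies with a different `-n`. A short header comment such as `# Binds the Vault pod's ServiceAccount to the Role that lets it manage the AppRole secrets (k8s mode only)` would say why the object exists, and the file should end with a newline.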
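Review bot: The single rule grants `get` and `patch` on every Secret in the release namespace, not just the two AppRole secrets named by `create.appRole.roleIDSecretName` / `secretIDSecretName`, so a compromised Vault pod could read any other Secret that lands in that namespace. `create` cannot be narrowed with `resourceNames` (the object name is not known at authorization time), but `get` and `patch` can, assuming those two values are the Secret names in k8s mode as the values.yaml change describes. Splitting the rule confines the namespace-wide grant to `create` only; the comments below explain why that one verb stays unscoped.
```yaml
rules:
  # `create` cannot be restricted by resourceNames (the name is not known
  # at authorization time), so it stays namespace-wide for Secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
  # Reading and patching is limited to the two AppRole secrets this chart manages.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames:
      - {{ .Values.create.appRole.roleIDSecretName | quote }}
      - {{ .Values.create.appRole.secretIDSecretName | quote }}
    verbs: ["get", "patch"]
```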
+++ b/templates/vault-rbac-sa.yaml
@@ -0,0 +1,8 @@
+{{- if and .Values.create.enabled (eq .Values.create.appRole.mode "k8s") -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "vault.fullname" . }}-sa
+ labels:
+ app.kubernetes.io/name: {{ include "vault.fullname" . }}
+{{- end -}}
\ No newline at end of file
diff --git a/templates/vault-role-vars-persistant-volume-claim.yaml b/templates/vault-role-vars-persistant-volume-claim.yaml
index fcf3931..88ee13f 100644
--- a/templates/vault-role-vars-persistant-volume-claim.yaml
+++ b/templates/vault-role-vars-persistant-volume-claim.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.create.enabled -}}
+{{- if and .Values.create.enabled (eq .Values.create.appRole.mode "file") -}}
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
@@ -6,10 +6,10 @@ metadata:
 labels:
 app: {{ include "vault.fullname" . }}
 spec:
- storageClassName: {{ .Values.create.roleVarsPVC.storageClassName }}
+ storageClassName: {{ .Values.create.appRole.roleVarsPVC.storageClassName }}
 accessModes:
 - ReadWriteMany
 resources:
 requests:
- storage: {{ .Values.create.roleVarsPVC.size }}
+ storage: {{ .Values.create.appRole.roleVarsPVC.size }}
 {{- end -}}
\ No newline at end of file
diff --git a/templates/vault-statefulset.yaml b/templates/vault-statefulset.yaml
index 229dc03..f7bb21e 100644
--- a/templates/vault-statefulset.yaml
+++ b/templates/vault-statefulset.yaml
@@ -16,6 +16,10 @@ spec:
 labels:
 app: {{ include "vault.fullname" . }}
 spec:
+ {{- if eq .Values.create.appRole.mode "k8s" }}
+ # If the AppRole mode is set to `k8s`, we need to specify the service account for the Vault pods to use so that it can access the Kubernetes API and specifically manage specific secrets etc...
+ serviceAccountName: {{ include "vault.fullname" . }}-sa
+ {{- end }}
 # Because the Vault process runs with a non-root user inside the container,
 # we need to set the fsGroup to ensure that the mounted volumes have the correct permissions
 securityContext:
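Review bot: The ServiceAccount is labelled with `app.kubernetes.io/name` while the PVC and the StatefulSet pod template in this same patch use `app: {{ include "vault.fullname" . }}`, so selectors and `kubectl get -l app=…` listings will not pick this object up alongside the rest of the release. Using the same key, `app: {{ include "vault.fullname" . }}`, or adding it next to the existing label, keeps the chart's labelling consistent. A one-line header comment, `# ServiceAccount the Vault pods run as in k8s mode so they can manage the AppRole secrets via the API`, would state why the object exists.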
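Review bot: With the gate changed to `eq .Values.create.appRole.mode "file"`, a misspelled or unexpected `mode` value (`File`, `kube`, an empty string) now renders nothing here and, from the other templates in this patch, no RBAC objects either, so the chart installs silently without any AppRole credential plumbing. A `fail` guard at the top of this template (or in a shared helper) turns that into a render-time error instead of a pod that can neither find `/role_vars` nor reach the API. The guard below validates the value before the existing condition; the PersistentVolumeClaim body is unchanged.
```yaml
{{- $mode := .Values.create.appRole.mode -}}
{{- if and .Values.create.enabled (not (or (eq $mode "file") (eq $mode "k8s"))) -}}
{{- fail (printf "create.appRole.mode must be \"file\" or \"k8s\", got %q" $mode) -}}
{{- end -}}
{{- if and .Values.create.enabled (eq $mode "file") -}}
# … unchanged: PersistentVolumeClaim body …
```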
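Review bot: `serviceAccountName` is emitted whenever `mode` is `k8s`, but the ServiceAccount it names is only created when `create.enabled` is also true; if this StatefulSet template is not itself gated on `create.enabled` (its top is outside the hunk), a `create.enabled: false` / `mode: k8s` combination produces pods that reference a missing ServiceAccount and never get created by the controller. Using the same condition as the RBAC templates, `{{- if and .Values.create.enabled (eq .Values.create.appRole.mode "k8s") }}`, removes the mismatch. The explanatory comment is also a ~180-character single line; wrapping it at roughly 80 columns, as the `# Because the Vault process…` comment just below does, keeps it readable in a diff.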
@@ -49,8 +53,10 @@ spec:
 mountPath: /vault/logs
 - name: vault-creds
 mountPath: /vault/creds
+ {{- if eq .Values.create.appRole.mode "file" }}
 - name: vault-role-vars
 mountPath: /role_vars
+ {{- end }}
 capAdd:
 - IPC_LOCK
 volumes:
@@ -63,9 +69,12 @@ spec:
 {{- else }}
 emptyDir: {}
 {{- end }}
+ {{- if eq .Values.create.appRole.mode "file" }}
 - name: vault-role-vars
 persistentVolumeClaim:
 claimName: {{ include "vault.fullname" . }}-role-vars
+ {{- end }}
+
 # To have data consistency across pod restarts, we use a volume claim template
 # We do this instead of a static PVC because we require less control and it's easier to manage
 volumeClaimTemplates:
diff --git a/values.yaml b/values.yaml
index e4054be..4a7af68 100644
--- a/values.yaml
+++ b/values.yaml
@@ -76,22 +76,32 @@ create:
 # Configurations for the AppRole authentication method for the created Vault instance
 appRole:
- # The name of the environment variable/secret that contains the Role ID for the app
+ # The mode within which it runs this determines how approle data is shared
+ #
+ # | Value | Description |
+ # | ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+ # | `file` | This creates a .env file with the approle data. This is useful in situations where sharing data across filesystems makes sense. Ex. docker compose |
+ # | `k8s` | This creates Kubernetes configurations and secrets for the approle data. This is useful in situations where sharing data via Kubernetes resources makes sense. Ex. In the same k8s cluster, etc... |
+ mode: 'file'
+
+ # In `file` mode - the name of the environment variable/secret that contains the Role ID for the app
+ # In `k8s` mode - the name of the Kubernetes secret that contains the Role ID for the app
 roleIDSecretName: VAULT_ROLE_ID
- # The name of the environment variable/secret that contains the Secret ID for the app
+ # In `file` mode - the name of the environment variable/secret that contains the Secret ID for the app
+ # In `k8s` mode - the name of the Kubernetes secret that contains the Secret ID for the app
 secretIDSecretName: VAULT_SECRET_ID
- # Configurations for the `role-vars` Persistent Volume Claim (PVC).
- # The `role-vars` PVC is used for the app's AppRole auth access variables (role & secret IDs etc...)
- roleVarsPVC:
- # Because the PVC needs to be a RWX type volume (so that multiple pods can access it)
- # Because the app and the vault are separate pods.
- # We need to use a storage class that supports RWX (Custom create CephFS backed storage class)
- storageClassName: vault-role-vars-rook-cephfs
-
- # The size of the PVC (note because this is largely just credentials a small size is sufficient)
- size: 512Mi
+ # Configurations for the `role-vars` Persistent Volume Claim (PVC).
+ # The `role-vars` PVC is used for the app's AppRole auth access variables (role & secret IDs etc...)
+ roleVarsPVC:
+ # Because the PVC needs to be a RWX type volume (so that multiple pods can access it)
+ # Because the app and the vault are separate pods.
+ # We need to use a storage class that supports RWX (Custom create CephFS backed storage class)
+ storageClassName: vault-role-vars-rook-cephfs
+
+ # The size of the PVC (note because this is largely just credentials a small size is sufficient)
+ size: 512Mi
 # Configurations for the `vault-data` Persistent Volume Claim (PVC).
 # The `vault-data` PVC is used for the Vault's data storage.
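Review bot: The defaults `VAULT_ROLE_ID` and `VAULT_SECRET_ID` are now documented as Kubernetes Secret names in `k8s` mode, but uppercase letters and underscores are not allowed in a Secret name (it must be a lowercase RFC 1123 subdomain), so the new mode cannot work with the shipped defaults; only `file` mode, which reads them as environment-variable names, can. Either give the two keys mode-specific defaults, or add to each description a line like `# In k8s mode this must be a valid Secret name (lowercase letters, digits, '-' and '.' only, e.g. vault-role-id)`. The `mode` comment also reads better as `# The mode the chart runs in; this determines how the AppRole data is shared`. This hunk appears to end at the last visible line; if it continues, the point still applies to the two defaults shown.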