Attempted to make the changes and add things that will be needed for the new k8s mode

Alan Bridgeman 2026-04-05 15:46:22 -05:00
parent 9e288e7404
commit 1912114d63
6 changed files with 65 additions and 15 deletions


@ -0,0 +1,13 @@
{{- if and .Values.create.enabled (eq .Values.create.appRole.mode "k8s") -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "vault.fullname" . }}-binding
subjects:
- kind: ServiceAccount
name: {{ include "vault.fullname" . }}-sa
roleRef:
kind: Role
name: {{ include "vault.fullname" . }}-role
apiGroup: rbac.authorization.k8s.io
{{- end -}}
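Review bot: The ServiceAccount subject in this RoleBinding has no `namespace`, and the RBAC API requires one for subjects of kind ServiceAccount, so the rendered manifest is likely to be rejected on apply; add `namespace: {{ .Release.Namespace }}` under the subject next to its `name`. The `eq .Values.create.appRole.mode "k8s"` / `"file"` test that guards this file also guards the Role, ServiceAccount, PVC and StatefulSet hunks of this commit; with a values file written before `mode` existed the key is nil, and `eq` on a nil value either errors or evaluates false depending on the Go template version, so the `file` resources would silently stop rendering for existing installs. Guarding with a default, e.g. `(eq (.Values.create.appRole.mode | default "file") "file")`, keeps the old behaviour when the key is absent.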


@ -0,0 +1,10 @@
{{- if and .Values.create.enabled (eq .Values.create.appRole.mode "k8s") -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "vault.fullname" . }}-role
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create", "patch", "get"]
{{- end -}}
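Review bot: The Role grants `get` and `patch` on every Secret in the release namespace, so the Vault pod — and anything that compromises it — can read all other workloads' Secrets there rather than only the two AppRole secrets it is meant to manage. `get` and `patch` can be narrowed with `resourceNames` to `.Values.create.appRole.roleIDSecretName` and `.Values.create.appRole.secretIDSecretName`; `create` cannot be restricted by name, so it is either kept in a separate rule or dropped if the secrets are created ahead of time. This assumes those two values are the actual Secret names in `k8s` mode, which the hunk itself does not show.
```yaml
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames:
      - {{ .Values.create.appRole.roleIDSecretName | quote }}
      - {{ .Values.create.appRole.secretIDSecretName | quote }}
    verbs: ["get", "patch"]
  # `create` cannot be scoped by resourceNames; keep it in its own rule,
  # or remove it if the secrets are pre-created.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
```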


@ -0,0 +1,8 @@
{{- if and .Values.create.enabled (eq .Values.create.appRole.mode "k8s") -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "vault.fullname" . }}-sa
labels:
app.kubernetes.io/name: {{ include "vault.fullname" . }}
{{- end -}}
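Review bot: The ServiceAccount is labelled with `app.kubernetes.io/name`, while the other templates touched by this commit (the PVC and the StatefulSet) label with the bare `app: {{ include "vault.fullname" . }}` key, so a label query written against the chart's existing convention will not find this object. Use one scheme across the chart: either add `app: {{ include "vault.fullname" . }}` here or move the others to the `app.kubernetes.io/*` set. A one-line header comment would also help readers of the template, e.g. `# Identity the Vault pods use to manage the AppRole secrets through the Kubernetes API (k8s mode only)`.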


@ -1,4 +1,4 @@
{{- if .Values.create.enabled -}} {{- if and .Values.create.enabled (eq .Values.create.appRole.mode "file") -}}
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
@ -6,10 +6,10 @@ metadata:
labels: labels:
app: {{ include "vault.fullname" . }} app: {{ include "vault.fullname" . }}
spec: spec:
storageClassName: {{ .Values.create.roleVarsPVC.storageClassName }} storageClassName: {{ .Values.create.appRole.roleVarsPVC.storageClassName }}
accessModes: accessModes:
- ReadWriteMany - ReadWriteMany
resources: resources:
requests: requests:
storage: {{ .Values.create.roleVarsPVC.size }} storage: {{ .Values.create.appRole.roleVarsPVC.size }}
{{- end -}} {{- end -}}
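Review bot: The value paths change from `.Values.create.roleVarsPVC.*` to `.Values.create.appRole.roleVarsPVC.*` with no fallback, so a values file from a previous release renders `storageClassName:` and `storage:` empty — the first silently falls back to the cluster default class and the second is an invalid PVC request. If a migration is intended, a `default` fallback to the old path or a NOTES/changelog entry naming the moved keys would make the break visible instead of silent. The `{{- end -}}` here closes the condition opened on the first line of the file.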


@ -16,6 +16,10 @@ spec:
labels: labels:
app: {{ include "vault.fullname" . }} app: {{ include "vault.fullname" . }}
spec: spec:
{{- if eq .Values.create.appRole.mode "k8s" }}
# If the AppRole mode is set to `k8s`, we need to specify the service account for the Vault pods to use so that it can access the Kubernetes API and specifically manage specific secrets etc...
serviceAccountName: {{ include "vault.fullname" . }}-sa
{{- end }}
# Because the Vault process runs with a non-root user inside the container, # Because the Vault process runs with a non-root user inside the container,
# we need to set the fsGroup to ensure that the mounted volumes have the correct permissions # we need to set the fsGroup to ensure that the mounted volumes have the correct permissions
securityContext: securityContext:
@ -49,8 +53,10 @@ spec:
mountPath: /vault/logs mountPath: /vault/logs
- name: vault-creds - name: vault-creds
mountPath: /vault/creds mountPath: /vault/creds
{{- if eq .Values.create.appRole.mode "file" }}
- name: vault-role-vars - name: vault-role-vars
mountPath: /role_vars mountPath: /role_vars
{{- end }}
capAdd: capAdd:
- IPC_LOCK - IPC_LOCK
volumes: volumes:
@ -63,9 +69,12 @@ spec:
{{- else }} {{- else }}
emptyDir: {} emptyDir: {}
{{- end }} {{- end }}
{{- if eq .Values.create.appRole.mode "file" }}
- name: vault-role-vars - name: vault-role-vars
persistentVolumeClaim: persistentVolumeClaim:
claimName: {{ include "vault.fullname" . }}-role-vars claimName: {{ include "vault.fullname" . }}-role-vars
{{- end }}
# To have data consistency across pod restarts, we use a volume claim template # To have data consistency across pod restarts, we use a volume claim template
# We do this instead of a static PVC because we require less control and it's easier to manage # We do this instead of a static PVC because we require less control and it's easier to manage
volumeClaimTemplates: volumeClaimTemplates:
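Review bot: In `file` mode the pod still runs under the namespace's default ServiceAccount with its API token automounted, although nothing in that mode needs the Kubernetes API; give the new `serviceAccountName` block an else branch so the token is not mounted: `{{- else }}` / `automountServiceAccountToken: false` / `{{- end }}`. The comment added above `serviceAccountName` is one very long line; wrapping it to the width of the neighbouring `fsGroup` comment and dropping the trailing "etc..." would keep the template readable. The StatefulSet `spec` continues outside this hunk.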


@ -76,22 +76,32 @@ create:
# Configurations for the AppRole authentication method for the created Vault instance # Configurations for the AppRole authentication method for the created Vault instance
appRole: appRole:
# The name of the environment variable/secret that contains the Role ID for the app # The mode within which it runs this determines how approle data is shared
#
# | Value | Description |
# | ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
# | `file` | This creates a .env file with the approle data. This is useful in situations where sharing data across filesystems makes sense. Ex. docker compose |
# | `k8s` | This creates Kubernetes configurations and secrets for the approle data. This is useful in situations where sharing data via Kubernetes resources makes sense. Ex. In the same k8s cluster, etc... |
mode: 'file'
# In `file` mode - the name of the environment variable/secret that contains the Role ID for the app
# In `k8s` mode - the name of the Kubernetes secret that contains the Role ID for the app
roleIDSecretName: VAULT_ROLE_ID roleIDSecretName: VAULT_ROLE_ID
# The name of the environment variable/secret that contains the Secret ID for the app # In `file` mode - the name of the environment variable/secret that contains the Secret ID for the app
# In `k8s` mode - the name of the Kubernetes secret that contains the Secret ID for the app
secretIDSecretName: VAULT_SECRET_ID secretIDSecretName: VAULT_SECRET_ID
# Configurations for the `role-vars` Persistent Volume Claim (PVC). # Configurations for the `role-vars` Persistent Volume Claim (PVC).
# The `role-vars` PVC is used for the app's AppRole auth access variables (role & secret IDs etc...) # The `role-vars` PVC is used for the app's AppRole auth access variables (role & secret IDs etc...)
roleVarsPVC: roleVarsPVC:
# Because the PVC needs to be a RWX type volume (so that multiple pods can access it) # Because the PVC needs to be a RWX type volume (so that multiple pods can access it)
# Because the app and the vault are separate pods. # Because the app and the vault are separate pods.
# We need to use a storage class that supports RWX (Custom create CephFS backed storage class) # We need to use a storage class that supports RWX (Custom create CephFS backed storage class)
storageClassName: vault-role-vars-rook-cephfs storageClassName: vault-role-vars-rook-cephfs
# The size of the PVC (note because this is largely just credentials a small size is sufficient) # The size of the PVC (note because this is largely just credentials a small size is sufficient)
size: 512Mi size: 512Mi
# Configurations for the `vault-data` Persistent Volume Claim (PVC). # Configurations for the `vault-data` Persistent Volume Claim (PVC).
# The `vault-data` PVC is used for the Vault's data storage. # The `vault-data` PVC is used for the Vault's data storage.
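Review bot: The new comments on `roleIDSecretName` and `secretIDSecretName` say that in `k8s` mode they name Kubernetes Secrets, but the defaults `VAULT_ROLE_ID` and `VAULT_SECRET_ID` contain uppercase letters and underscores, which are not valid Kubernetes object names (DNS-1123 subdomains), so `k8s` mode with default values would presumably fail when those Secrets are created; either document that lowercase, hyphenated names must be supplied in `k8s` mode or give each mode its own key. The `roleVarsPVC` comment should also say the PVC is now mode-specific, e.g. `# Only used when mode is 'file'; no PVC is created in 'k8s' mode.`. The mode description table has rows well over 200 characters; wrapping each description onto several comment lines keeps the file readable in a normal editor. The `create:` block continues outside this hunk.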