Bridgeman-Accessible/custom-hashicorp-vault-helm
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated chart so that it worked better as a subchart, is more configurable and better documented
All checks were successful
Deploy the Helm Chart / build (push) Successful in 11s
Details

Browse source
This commit is contained in:
Alan Bridgeman 2025-12-19 17:11:14 -06:00
parent 82908c043c
commit ae8f4ad22b
11 changed files with 222 additions and 145 deletions
Download patch file Download diff file Expand all files Collapse all files

40
README.md
View file

@ -7,7 +7,41 @@ To use this chart as a dependency:
```yaml ```yaml
dependencies: dependencies:
- name: ba-custom-hashicorp-vault - name: ba-custom-hashicorp-vault
version: 1.0.0 version: 1.0.2
repository: "https://helm.bridgemanaccessible.ca/" repository: "https://helm.bridgemanaccessible.ca/"
condition: vault.enabled alias: passVault
``` condition: passVault.enabled
```
# Values (`values.yaml`)
The following table summarizes the values that can be specified in the `values.yaml`
| Value Name | Possible Values | Required |
| ------------------------------------------------------------ | ---------------------------------------------------------------- | -------- |
| `type` | `hashicorp` / `azure` | Yes |
| `vaultName` | string | No |
| `vaultPort` | number (ex. `8200`) | No |
| `clientID` | string | No |
| `clientSecret` | string | No |
| `tenantID` | string | No |
| `create`.`enabled` | `true` / `false` | Yes |
| `create`.`image`.`repository` | string (ex. `<redacted-private-repo>/ba-custom-hashicorp-vault`) | Yes* |
| `create`.`image`.`tag` | `latest` | Yes* |
| `create`.`ingress`.`enabled` | `true` / `false` | Yes* |
| `create`.`ingress`.`host` | string (ex. `vault.<redacted-private-hostname>`) | Yes** |
| `create`.`snapshotServer`.`enabled` | `true` / `false` | Yes* |
| `create`.`snapshotServer`.`externalPort` | number (ex. `81`) | Yes*** |
| `create`.`snapshotServer`.`internalPort` | number (ex. `8300`) | Yes*** |
| `create`.`snapshotServer`.`vaultCredsPVC`.`storageClassName` | string (ex. `vault-role-vars-rook-cephfs`) | Yes*** |
| `create`.`snapshotServer`.`vaultCredsPVC`.`size` | size string (ex. `512Mi`) | Yes*** |
| `create`.`appRole`.`roleIDSecretName` | string (ex. `VAULT_ROLE_ID`) | Yes* |
| `create`.`appRole`.`secretIDSecretName` | string (ex. `VAULT_SECRET_ID`) | Yes* |
| `create`.`roleVarsPVC`.`storageClassName` | string (ex. `vault-role-vars-rook-cephfs`) | Yes* |
| `create`.`roleVarsPVC`.`size` | size string (ex. `512Mi`) | Yes* |
| `create`.`vaultData`.`storageClassName` | string(ex. `rook-ceph-block`) | Yes* |
| `create`.`vaultData`.`accessModes` | array<`ReadWriteOnce`> | Yes* |
| `create`.`vaultData`.`size` | size string (ex. `2Gi`) | Yes* |
`*` If `create`.`enabled` is `true`
`**` If `create`.`ingress`.`enabled` is `true`
`***` If `creat`.`snapshotServer`.`enabled` is `true`

16
templates/_helpers.tpl Normal file
View file

@ -0,0 +1,16 @@
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "vault.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}

10
templates/vault-creds-persistant-volume-claim.yaml
View file

@ -1,15 +1,15 @@
{{- if .Values.vault.create.enabled -}} {{- if .Values.create.enabled -}}
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: {{ .Release.Name }}-vault-creds name: {{ include "vault.fullname" . }}-creds
labels: labels:
app: {{ .Release.Name }}-vault app: {{ include "vault.fullname" . }}
spec: spec:
storageClassName: vault-role-vars-rook-cephfs storageClassName: {{ .Values.create.snapshotServer.vaultCredsPVC.storageClassName }}
accessModes: accessModes:
- ReadWriteMany - ReadWriteMany
resources: resources:
requests: requests:
storage: 512Mi storage: {{ .Values.create.snapshotServer.vaultCredsPVC.size }}
{{- end -}} {{- end -}}

10
templates/vault-hashicorp-secret.yaml
View file

@ -1,24 +1,24 @@
{{- if and (.Values.vault.enabled) (eq .Values.vault.type "hashicorp") -}} {{- if and (.Values.enabled) (eq .Values.type "hashicorp") -}}
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
name: {{ .Release.Name }}-vault-secret name: {{ include "vault.fullname" . }}-secret
type: opaque type: opaque
data: data:
{{- if .Values.vault.create.enabled }} {{- if .Values.vault.create.enabled }}
# Because we create the Hashicorp Vault instance as part of the Helm chart, # Because we create the Hashicorp Vault instance as part of the Helm chart,
# we can use the name of the created resource (utilizing k8s built-in container connections) # we can use the name of the created resource (utilizing k8s built-in container connections)
# to connect to the Vault instance without having to hard-code the Vault name. # to connect to the Vault instance without having to hard-code the Vault name.
vault-name: {{ printf "%s-vault" .Release.Name | b64enc }} vault-name: {{ include "vault.fullname" . | b64enc }}
# Because we create the Hashicorp Vault instance as part of the Helm chart, # Because we create the Hashicorp Vault instance as part of the Helm chart,
# We know the port that the Vault instance is running on. # We know the port that the Vault instance is running on.
vault-port: {{ printf "%d" 80 | b64enc }} vault-port: {{ printf "%d" 80 | b64enc }}
{{- else }} {{- else }}
# Because the Vault wasn't created as part of the Helm chart, # Because the Vault wasn't created as part of the Helm chart,
# we need the deployer to specify the name of the Vault instance to connect to. # we need the deployer to specify the name of the Vault instance to connect to.
vault-name: {{ .Values.vault.vaultName | b64enc }} vault-name: {{ .Values.vaultName | b64enc }}
# Because the Vault wasn't created as part of the Helm chart, # Because the Vault wasn't created as part of the Helm chart,
# we need the deployer to specify the port that the Vault instance is running on. # we need the deployer to specify the port that the Vault instance is running on.
vault-port: {{ .Values.vault.vaultPort | b64enc }} vault-port: {{ .Values.vaultPort | b64enc }}
{{- end }} {{- end }}
{{- end -}} {{- end -}}

10
templates/vault-ingress.yaml
View file

@ -1,21 +1,21 @@
{{- if .Values.vault.create.ingress.enabled -}} {{- if .Values.create.ingress.enabled -}}
apiVersion: networking.k8s.io/v1 apiVersion: networking.k8s.io/v1
kind: Ingress kind: Ingress
metadata: metadata:
name: {{ .Release.Name }}-vault-ingress name: {{ include "vault.fullname" . }}-ingress
labels: labels:
app: {{ .Release.Name }}-vault app: {{ include "vault.fullname" . }}
spec: spec:
ingressClassName: nginx ingressClassName: nginx
rules: rules:
- host: {{ .Values.vault.create.ingress.host }} - host: {{ .Values.create.ingress.host }}
http: http:
paths: paths:
- path: / - path: /
pathType: Prefix pathType: Prefix
backend: backend:
service: service:
name: {{ .Release.Name }}-vault name: {{ include "vault.fullname" . }}
port: port:
number: 80 number: 80
{{- end -}} {{- end -}}

12
templates/vault-keyvault-secret.yaml
View file

@ -1,12 +1,12 @@
{{- if and (.Values.vault.enabled) (eq .Values.vault.type "azure") -}} {{- if and (.Values.enabled) (eq .Values.vault.type "azure") -}}
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
name: {{ .Release.Name }}-vault-secret name: {{ include "vault.fullname" . }}-secret
type: opaque type: opaque
data: data:
client-id: {{ .Values.vault.clientId | b64enc }} client-id: {{ .Values.clientId | b64enc }}
client-secret: {{ .Values.vault.clientSecret | b64enc}} client-secret: {{ .Values.clientSecret | b64enc}}
name: {{ .Values.vault.vaultName | b64enc }} name: {{ .Values.vaultName | b64enc }}
tenant-id: {{ .Values.vault.tenantId | b64enc }} tenant-id: {{ .Values.tenantId | b64enc }}
{{- end -}} {{- end -}}

10
templates/vault-role-vars-persistant-volume-claim.yaml
View file

@ -1,15 +1,15 @@
{{- if .Values.vault.create.enabled -}} {{- if .Values.create.enabled -}}
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: {{ .Release.Name }}-vault-role-vars name: {{ include "vault.fullname" . }}-role-vars
labels: labels:
app: {{ .Release.Name }}-vault app: {{ include "vault.fullname" . }}
spec: spec:
storageClassName: vault-role-vars-rook-cephfs storageClassName: {{ .Values.create.roleVarsPVC.storageClassName }}
accessModes: accessModes:
- ReadWriteMany - ReadWriteMany
resources: resources:
requests: requests:
storage: 512Mi storage: {{ .Values.create.roleVarsPVC.size }}
{{- end -}} {{- end -}}

14
templates/vault-service.yaml
View file

@ -1,19 +1,19 @@
{{- if .Values.vault.create.enabled -}} {{- if .Values.create.enabled -}}
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: {{ .Release.Name }}-vault name: {{ include "vault.fullname" . }}
labels: labels:
app: {{ .Release.Name }}-vault app: {{ include "vault.fullname" . }}
spec: spec:
selector: selector:
app: {{ .Release.Name }}-vault app: {{ include "vault.fullname" . }}
ports: ports:
{{- if .Values.vault.create.snapshotServer.enabled }} {{- if .Values.create.snapshotServer.enabled }}
- name: custom-snapshot-server - name: custom-snapshot-server
protocol: TCP protocol: TCP
port: {{ .Values.vault.create.snapshotServer.externalPort }} port: {{ .Values.create.snapshotServer.externalPort }}
targetPort: {{ .Values.vault.create.snapshotServer.internalPort }} targetPort: {{ .Values.create.snapshotServer.internalPort }}
{{- end }} {{- end }}
- name: http - name: http
protocol: TCP protocol: TCP

6
templates/vault-snapshot-server-configmap.yaml
View file

@ -1,8 +1,8 @@
{{- if .Values.vault.create.snapshotServer.enabled -}} {{- if .Values.create.snapshotServer.enabled -}}
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata: metadata:
name: {{ .Release.Name }}-vault-snapshot-config name: {{ include "vault.fullname" . }}-snapshot-config
data: data:
port: {{ .Values.vault.create.snapshotServer.externalPort | quote }} port: {{ .Values.create.snapshotServer.externalPort | quote }}
{{- end -}} {{- end -}}

40
templates/vault-statefulset.yaml
View file

@ -1,44 +1,44 @@
{{- if and (.Values.vault.create.enabled) (eq .Values.vault.type "hashicorp") -}} {{- if and (.Values.create.enabled) (eq .Values.type "hashicorp") -}}
apiVersion: apps/v1 apiVersion: apps/v1
kind: StatefulSet kind: StatefulSet
metadata: metadata:
name: {{ .Release.Name }}-vault name: {{ include "vault.fullname" . }}
labels: labels:
app: {{ .Release.Name }}-vault app: {{ include "vault.fullname" . }}
spec: spec:
serviceName: {{ .Release.Name }}-vault serviceName: {{ include "vault.fullname" . }}
replicas: 1 replicas: 1
selector: selector:
matchLabels: matchLabels:
app: {{ .Release.Name }}-vault app: {{ include "vault.fullname" . }}
template: template:
metadata: metadata:
labels: labels:
app: {{ .Release.Name }}-vault app: {{ include "vault.fullname" . }}
spec: spec:
# Because the Vault process runs with a non-root user inside the container, # Because the Vault process runs with a non-root user inside the container,
# we need to set the fsGroup to ensure that the mounted volumes have the correct permissions # we need to set the fsGroup to ensure that the mounted volumes have the correct permissions
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
containers: containers:
- name: {{ .Release.Name }}-vault - name: {{ include "vault.fullname" . }}
image: {{ .Values.vault.create.image.repository }}:{{ .Values.vault.create.image.tag }} image: {{ .Values.create.image.repository }}:{{ .Values.create.image.tag }}
ports: ports:
- containerPort: 8200 - containerPort: 8200
- containerPort: 8201 - containerPort: 8201
{{- if .Values.vault.create.snapshotServer.enabled }} {{- if .Values.create.snapshotServer.enabled }}
- containerPort: {{ .Values.vault.create.snapshotServer.internalPort }} - containerPort: {{ .Values.create.snapshotServer.internalPort }}
{{- end }} {{- end }}
env: env:
- name: VAULT_ADDR - name: VAULT_ADDR
value: http://0.0.0.0:8200 value: http://0.0.0.0:8200
- name: ROLE_ID_SECRET_NAME - name: ROLE_ID_SECRET_NAME
value: USER_PASSWORD_DEFAULT_VAULT_ROLE_ID value: {{ .Values.create.appRole.roleIDSecretName }}
- name: SECRET_ID_SECRET_NAME - name: SECRET_ID_SECRET_NAME
value: USER_PASSWORD_DEFAULT_VAULT_SECRET_ID value: {{ .Values.create.appRole.secretIDSecretName }}
{{- if .Values.vault.create.snapshotServer.enabled }} {{- if .Values.create.snapshotServer.enabled }}
- name: SNAPSHOT_SERVER_PORT - name: SNAPSHOT_SERVER_PORT
value: {{ .Values.vault.create.snapshotServer.internalPort | quote }} value: {{ .Values.create.snapshotServer.internalPort | quote }}
{{- end }} {{- end }}
volumeMounts: volumeMounts:
- name: vault-data - name: vault-data
@ -55,24 +55,24 @@ spec:
- name: vault-log - name: vault-log
emptyDir: {} emptyDir: {}
- name: vault-creds - name: vault-creds
{{- if .Values.vault.create.snapshotServer.enabled }} {{- if .Values.create.snapshotServer.enabled }}
persistentVolumeClaim: persistentVolumeClaim:
claimName: {{ .Release.Name }}-vault-creds claimName: {{ include "vault.fullname" . }}-creds
{{- else }} {{- else }}
emptyDir: {} emptyDir: {}
{{- end }} {{- end }}
- name: vault-role-vars - name: vault-role-vars
persistentVolumeClaim: persistentVolumeClaim:
claimName: {{ .Release.Name }}-vault-role-vars claimName: {{ include "vault.fullname" . }}-role-vars
# To have data consistency across pod restarts, we use a volume claim template # To have data consistency across pod restarts, we use a volume claim template
# We do this instead of a static PVC because we require less control and it's easier to manage # We do this instead of a static PVC because we require less control and it's easier to manage
volumeClaimTemplates: volumeClaimTemplates:
- metadata: - metadata:
name: vault-data name: vault-data
spec: spec:
storageClassName: rook-ceph-block storageClassName: {{ .Values.create.vaultData.storageClassName }}
accessModes: [ "ReadWriteOnce" ] accessModes: {{ .Values.create.vaultData.accessModes }}
resources: resources:
requests: requests:
storage: 2Gi storage: {{ .Values.create.vaultData.size }}
{{- end -}} {{- end -}}

199
values.yaml
View file

@ -1,95 +1,122 @@
# ============================
# Configurations for the vault # Configurations for the vault
vault: # ============================
# If a password "vault" should be used
# That is, if a dedicated software for secret management should be used # The type of secrets "vault" to use.
# This should virtually always be true as it's the most secure option #
# Vaults
# ------
# The following table lists the supported "vault" types:
#
# | Type | Description | Current Status | Required Fields |
# | ----------- | -------------------- | -------------- | --------------------------------------------------- |
# | `hashicorp` | Uses Hashicorp Vault | Implemented | `vaultName` (if `create` not true) |
# | `azure` | Uses Azure Key Vault | Implemented | `vaultName`, `clientId`, `clientSecret`, `tenantId` |
#
type: 'hashicorp'
# The name of the vault instance to connect to
#
# This is relevant if type is set to `hashicorp` or `azure`
# Note, if `create` is true this is ignored
#
# For `hashicorp`, this is generally the hostname of the Hashicorp Vault instance to connect to
# For `azure`, this is the name of the Azure Key Vault instance to connect to
#vaultName: ''
# The port of the vault instance to connect to
#
# ONLY RELEVANT iF `type` IS SET TO `hashicorp` AND `create` IS NOT TRUE
#vaultPort: 8200
# The client ID of the Azure Key Vault instance
#
# ONLY RELEVANT IF `type` IS SET TO `azure`
#clientID: ""
# The client secret of the Azure Key Vault instance
#
# ONLY RELEVANT IF `type` IS SET TO `azure`
#clientSecret: ""
# The tenant ID of the Azure Key Vault instance
#
# ONLY RELEVANT IF `type` IS SET TO `azure`
#tenantID: ""
# Configurations to create a Hashicorp Vault instance as part of the Helm chart
#
# THIS IS ONLY RELEVANT IF `type` IS SET TO `hashicorp`
create:
# If a Hashicorp Vault instance should be created as part of the Helm chart
enabled: true enabled: true
# The type of password "vault" (or storage if `enabled` is `false`) to use. # Configurations for the image to use if creating the Hashicorp Vault instance
# # as part of the Helm chart
# Vaults image:
# ------ # The repository of the image to use
# The following table lists the supported "vault" types: repository: <redacted-private-repo>/ba-custom-hashicorp-vault
#
# | Type | Description | Current Status | Required Fields |
# | ----------- | -------------------- | -------------- | --------------------------------------------------- |
# | `hashicorp` | Uses Hashicorp Vault | Implemented | `vaultName` (if `create` not true) |
# | `azure` | Uses Azure Key Vault | Implemented | `vaultName`, `clientId`, `clientSecret`, `tenantId` |
#
# Storage
# -------
# The following table lists the supported storage types.
# These are methods OUTSIDE of a dedicated "vault" software.
# These are generally **discouraged** as they are less secure.
#
# | Type | Description | Current Status | Required Fields |
# | ----------- | ------------------------------- | -------------- | ---------------- |
# | `file` | Uses a file | To-Do | `path` |
# | `mem` | Uses in-memory (no persistance) | To-Do | N/A |
#
type: 'hashicorp'
# The name of the vault instance to connect to # The tag of the image to use
# tag: latest
# This is relevant if type is set to `hashicorp` or `azure`
# Note, if `create` is true this is ignored # Configurations for the ingress of the created Hashicorp Vault instance
# ingress:
# For `hashicorp`, this is generally the hostname of the Hashicorp Vault instance to connect to # If an ingress should be created for the created Hashicorp Vault instance
# For `azure`, this is the name of the Azure Key Vault instance to connect to
#vaultName: ''
# The port of the vault instance to connect to
#
# ONLY RELEVANT iF `type` IS SET TO `hashicorp` AND `create` IS NOT TRUE
#vaultPort: 8200
# The client ID of the Azure Key Vault instance
#
# ONLY RELEVANT IF `type` IS SET TO `azure`
#client-id: ""
# The client secret of the Azure Key Vault instance
#
# ONLY RELEVANT IF `type` IS SET TO `azure`
#client-secret: ""
# The tenant ID of the Azure Key Vault instance
#
# ONLY RELEVANT IF `type` IS SET TO `azure`
#tenant-id: ""
# Configurations to create a Hashicorp Vault instance as part of the Helm chart
#
# THIS IS ONLY RELEVANT IF `type` IS SET TO `hashicorp`
create:
# If a Hashicorp Vault instance should be created as part of the Helm chart
enabled: true enabled: true
# Configurations for the image to use if creating the Hashicorp Vault instance # The host of the ingress for the created Hashicorp Vault instance
# as part of the Helm chart host: vault.<redacted-private-hostname>
image:
# The repository of the image to use
repository: <redacted-private-repo>/ba-custom-hashicorp-vault
# The tag of the image to use
tag: latest
# Configurations for the ingress of the created Hashicorp Vault instance # As part of the custom Hashicorp Vault image it includes a "snapshot server"
ingress: # This allows for the triggering and receiving of manual backups ("snapshots") and restoration via HTTP
# If an ingress should be created for the created Hashicorp Vault instance snapshotServer:
enabled: true # If the snapshot server should be enabled/running
enabled: true
# The host of the ingress for the created Hashicorp Vault instance # The external port that is opened via the service resource
host: vault.<redacted-private-hostname> externalPort: 81
# The internal port that the snapshot server listens on
internalPort: 8300
# Configurations for the `vault-creds` Persistent Volume Claim (PVC).
# The `vault-creds` PVC is used for the credentials used by the snapshot server to authenticate with Vault
vaultCredsPVC:
storageClassName: vault-role-vars-rook-cephfs
size: 512Mi
# Configurations for the AppRole authentication method for the created Vault instance
appRole:
# The name of the environment variable/secret that contains the Role ID for the app
roleIDSecretName: VAULT_ROLE_ID
# The name of the environment variable/secret that contains the Secret ID for the app
secretIDSecretName: VAULT_SECRET_ID
# Configurations for the `role-vars` Persistent Volume Claim (PVC).
# The `role-vars` PVC is used for the app's AppRole auth access variables (role & secret IDs etc...)
roleVarsPVC:
# Because the PVC needs to be a RWX type volume (so that multiple pods can access it)
# Because the app and the vault are separate pods.
# We need to use a storage class that supports RWX (Custom create CephFS backed storage class)
storageClassName: vault-role-vars-rook-cephfs
# As part of the custom Hashicorp Vault image it includes a "snapshot server" # The size of the PVC (note because this is largely just credentials a small size is sufficient)
# This allows for the triggering and receiving of manual backups ("snapshots") and restoration via HTTP size: 512Mi
snapshotServer:
# If the snapshot server should be enabled/running # Configurations for the `vault-data` Persistent Volume Claim (PVC).
enabled: true # The `vault-data` PVC is used for the Vault's data storage.
# In particular, a PVC allows data persistence across pod restarts.
# The external port that is opened via the service resource vaultData:
externalPort: 81 # The storage class to use for the PVC
# Note, because there are no special requirements here we can use a standard RWO type volume
# The internal port that the snapshot server listens on # Which means the default storage class (Rook Ceph Block) is sufficient
internalPort: 8300 storageClassName: rook-ceph-block
# The access modes for the PVC (shouldn't ever really need to be changed)
accessModes:
- ReadWriteOnce
# The size of the PVC (Note, this should be sized according to expected usage)
size: 2Gi