diff --git a/website/content/docs/platform/k8s/helm/configuration.mdx b/website/content/docs/platform/k8s/helm/configuration.mdx index 154ed336b52d8..ac3ad1bb71483 100644 --- a/website/content/docs/platform/k8s/helm/configuration.mdx +++ b/website/content/docs/platform/k8s/helm/configuration.mdx @@ -73,7 +73,7 @@ and consider if they're appropriate for your deployment. - `repository` (`string: "hashicorp/vault-k8s"`) - The name of the Docker image for Vault Agent Injector. - - `tag` (`string: "0.9.0"`) - The tag of the Docker image for the Vault Agent Injector. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller. + - `tag` (`string: "0.10.0"`) - The tag of the Docker image for the Vault Agent Injector. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller. - `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists. 
@@ -83,6 +83,19 @@ and consider if they're appropriate for your deployment. - `tag` (`string: "1.7.0"`) - The tag of the Vault Docker image to use for the Vault Agent Sidecar. **Vault 1.3.1+ is required by the admission controller**. +- `agentDefaults` - Values that configure the injected Vault Agent containers default values. + + - `cpuLimit` (`string: "500m"`) - The default CPU limit for injected Vault Agent containers. + + - `cpuRequest` (`string: "250m"`) - The default CPU request for injected Vault Agent containers. + + - `memLimit` (`string: "128Mi"`) - The default memory limit for injected Vault Agent containers. + + - `memRequest` (`string: "64Mi"`) - The default memory request for injected Vault Agent containers. + + - `template` (`string: "map"`) - The default template type for rendered secrets if no custom templates are defined. + Possible values include `map` and `json`. + - `metrics` - Values that configure the Vault Agent Injector metric exporter. - `enabled` (`boolean: false`) - When set to `true`, the Vault Agent Injector exports Prometheus metrics at the `/metrics` path. @@ -196,9 +209,15 @@ and consider if they're appropriate for your deployment. "sample/annotation1": "foo" "sample/annotation2": "bar" ``` + - `hostNetwork` (`boolean: false`) - When set to true, configures the Vault Agent Injector to run on the host network. This is useful + when alternative cluster networking is used. + + - `port` (`int: 8080`) - Configures the port the Vault Agent Injector listens on. - `server` - Values that configure running a Vault server within Kubernetes. + - `enabled` (`boolean: true`) - When set to `true`, the Vault server will be created. + - `image` - Values that configure the Vault Docker image. - `repository` (`string: "vault"`) - The name of the Docker image for the containers running Vault. 
@@ -207,9 +226,15 @@ and consider if they're appropriate for your deployment. - `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists. - - `updateStrategyType` (`string: "OnDelete"`) - Configure the [Update Strategy Type](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies) for the StatefulSet. + - `updateStrategyType` (`string: "OnDelete"`) - Configure the [Update Strategy Type](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies) for the StatefulSet. + + - `logLevel` (`string: ""`) - Configures the Vault server logging verbosity. If set this will override values defined in the Vault configuration file. + Supported log levels include: `trace`, `debug`, `info`, `warn`, `error`. - - `resources` (`dictionary: {}`) - The resource requests and limits (CPU, memory, etc.) for each container of the server. This should be a YAML dictionary of a Kubernetes [ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.15/#resourcerequirements-v1-core) object. If this isn't specified, then the pods won't request any specific amount of resources, which limits the ability for Kubernetes to make efficient use of compute resources. **Setting this is highly recommended.** + - `logFormat` (`string: ""`) - Configures the Vault server logging format. If set this will override values defined in the Vault configuration file. + Supported log formats include: `standard`, `json`. + + - `resources` (`dictionary: {}`) - The resource requests and limits (CPU, memory, etc.) for each container of the server. This should be a YAML dictionary of a Kubernetes [ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.15/#resourcerequirements-v1-core) object. 
If this isn't specified, then the pods won't request any specific amount of resources, which limits the ability for Kubernetes to make efficient use of compute resources. **Setting this is highly recommended.** ```yaml resources: @@ -219,16 +244,16 @@ and consider if they're appropriate for your deployment. memory: '10Gi' ``` - * `ingress` - Values that configure Ingress services for Vault. + - `ingress` - Values that configure Ingress services for Vault. - ~> If deploying on OpenShift, these ingress settings are ignored. Use the [`route`](#route) configuration to expose Vault on OpenShift.

+ ~> If deploying on OpenShift, these ingress settings are ignored. Use the [`route`](#route) configuration to expose Vault on OpenShift.

If [`ha`](#ha) is enabled the Ingress will point to the active vault server via the `active` Service. This requires vault 1.4+ and [service_registration](https://www.vaultproject.io/docs/configuration/service-registration/kubernetes) to be set in the vault config. - - `enabled` (`boolean: false`) - When set to `true`, an [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) service will be created. + - `enabled` (`boolean: false`) - When set to `true`, an [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) service will be created. - - `labels` (`dictionary: {}`) - Labels for the ingress service. + - `labels` (`dictionary: {}`) - Labels for the ingress service. - - `annotations` (`dictionary: {}`) - This value defines additional annotations to + - `annotations` (`dictionary: {}`) - This value defines additional annotations to add to the Ingress service. This can either be YAML or a YAML-formatted multi-line templated string. 
@@ -242,479 +267,490 @@ and consider if they're appropriate for your deployment. kubernetes.io/tls-acme: "true" ``` - - `hosts` - Values that configure the Ingress host rules. - - - `host` (`string: required`): Name of the host to use for Ingress. - - - `paths` (`array: []`): A list of paths that will be directed to the Vault service. At least one path is required. + - `extraPaths` (`array: {}`) - Configures extra paths to prepend to the host configuration. + This is useful when working with annotation based services. - ```yaml - paths: - - / - - /vault - ``` - - * `route` - Values that configure Route services for Vault in OpenShift - - ~> If [`ha`](#ha) is enabled the Route will point to the active vault server via the `active` Service (requires vault 1.4+ and [service_registration](https://www.vaultproject.io/docs/configuration/service-registration/kubernetes) to be set in the vault config). + ```yaml + extraPaths: + - path: /* + backend: + serviceName: ssl-redirect + servicePort: use-annotation + ``` - - `enabled` (`boolean: false`) - When set to `true`, a Route for Vault will be created. + - `hosts` - Values that configure the Ingress host rules. - - `labels` (`dictionary: {}`) - Labels for the Route + - `host` (`string: required`): Name of the host to use for Ingress. - - `annotations` (`dictionary: {}`) - Annotations to add to the Route. This can either be YAML or a YAML-formatted multi-line templated string. + - `paths` (`array: []`): Deprecated: `server.ingress.extraPaths` should be used instead. A list of paths that will be directed to the Vault service. At least one path is required. - - `host` (`string: "chart-example.local"`) - Sets the hostname for the Route. + ```yaml + paths: + - / + - /vault + ``` - * `tls` - Values that configure the Ingress TLS rules. + - `route` - Values that configure Route services for Vault in OpenShift - - `hosts` (`array: []`): List of the hosts defined in the Common Name of the TLS Certificate. 
+ ~> If [`ha`](#ha) is enabled the Route will point to the active vault server via the `active` Service (requires vault 1.4+ and [service_registration](https://www.vaultproject.io/docs/configuration/service-registration/kubernetes) to be set in the vault config). - - `secretName` (`string: null`): Name of the secret containing the required TLS files such as certificates and keys. + - `enabled` (`boolean: false`) - When set to `true`, a Route for Vault will be created. - ```yaml - hosts: - - sslexample.foo.com - - sslexample.bar.com - secretName: testsecret-tls - ``` + - `labels` (`dictionary: {}`) - Labels for the Route - * `authDelegator` - Values that configure the Cluster Role Binding attached to the Vault service account. + - `annotations` (`dictionary: {}`) - Annotations to add to the Route. This can either be YAML or a YAML-formatted multi-line templated string. - - `enabled` (`boolean: true`) - When set to `true`, a Cluster Role Binding will be bound to the Vault service account. This Cluster Role Binding has the necessary privileges for Vault to use the [Kubernetes Auth Method](/docs/auth/kubernetes). + - `host` (`string: "chart-example.local"`) - Sets the hostname for the Route. - * `readinessProbe` - Values that configure the readiness probe for the Vault pods. + - `tls` - Values that configure the Ingress TLS rules. - - `enabled` (`boolean: true`) - When set to `true`, a readiness probe will be applied to the Vault pods. + - `hosts` (`array: []`): List of the hosts defined in the Common Name of the TLS Certificate. - - `path` (`string: ""`) - When set to a value, enables HTTP/HTTPS probes instead of using the default `exec` probe. The http/https scheme is controlled by the `tlsDisable` value. + - `secretName` (`string: null`): Name of the secret containing the required TLS files such as certificates and keys. - - `failureThreshold` (`int: 2`) - When set to a value, configures how many probe failures will be tolerated by Kubernetes. 
+ ```yaml + hosts: + - sslexample.foo.com + - sslexample.bar.com + secretName: testsecret-tls + ``` - - `initialDelaySeconds` (`int: 5`) - When set to a value, configures the number of seconds after the container has started before probe initiates. + - `authDelegator` - Values that configure the Cluster Role Binding attached to the Vault service account. - - `periodSeconds` (`int: 5`) - When set to a value, configures how often (in seconds) to perform the probe. + - `enabled` (`boolean: true`) - When set to `true`, a Cluster Role Binding will be bound to the Vault service account. This Cluster Role Binding has the necessary privileges for Vault to use the [Kubernetes Auth Method](/docs/auth/kubernetes). - - `successThreshold` (`int: 1`) - When set to a value, configures the minimum consecutive successes for the probe to be considered successful after having failed. + - `readinessProbe` - Values that configure the readiness probe for the Vault pods. - - `timeoutSeconds` (`int: 3`) - When set to a value, configures the number of seconds after which the probe times out. + - `enabled` (`boolean: true`) - When set to `true`, a readiness probe will be applied to the Vault pods. - ```yaml - readinessProbe: - enabled: true - path: /v1/sys/health?standbyok=true - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 3 - ``` + - `path` (`string: ""`) - When set to a value, enables HTTP/HTTPS probes instead of using the default `exec` probe. The http/https scheme is controlled by the `tlsDisable` value. - - `livelinessProbes` - Values that configure the liveliness probe for the Vault pods. + - `failureThreshold` (`int: 2`) - When set to a value, configures how many probe failures will be tolerated by Kubernetes. - - `enabled` (`boolean: false`) - When set to `true`, a liveliness probe will be applied to the Vault pods. 
+ - `initialDelaySeconds` (`int: 5`) - When set to a value, configures the number of seconds after the container has started before probe initiates. - - `path` (`string: "/v1/sys/health?standbyok=true"`) - When set to a value, enables HTTP/HTTPS probes instead of using the default `exec` probe. The http/https scheme is controlled by the `tlsDisable` value. + - `periodSeconds` (`int: 5`) - When set to a value, configures how often (in seconds) to perform the probe. - - `initialDelaySeconds` (`int: 60`) - Sets the initial delay of the liveliness probe when the container starts. + - `successThreshold` (`int: 1`) - When set to a value, configures the minimum consecutive successes for the probe to be considered successful after having failed. - - `failureThreshold` (`int: 2`) - When set to a value, configures how many probe failures will be tolerated by Kubernetes. + - `timeoutSeconds` (`int: 3`) - When set to a value, configures the number of seconds after which the probe times out. - - `periodSeconds` (`int: 5`) - When set to a value, configures how often (in seconds) to perform the probe. + ```yaml + readinessProbe: + enabled: true + path: /v1/sys/health?standbyok=true + failureThreshold: 2 + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 3 + ``` - - `successThreshold` (`int: 1`) - When set to a value, configures the minimum consecutive successes for the probe to be considered successful after having failed. + - `livenessProbe` - Values that configure the liveliness probe for the Vault pods. - - `timeoutSeconds` (`int: 3`) - When set to a value, configures the number of seconds after which the probe times out. + - `enabled` (`boolean: false`) - When set to `true`, a liveliness probe will be applied to the Vault pods. 
- ```yaml - livelinessProbe: - enabled: true - path: /v1/sys/health?standbyok=true - initialDelaySeconds: 60 - failureThreshold: 2 - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 3 - ``` + - `path` (`string: "/v1/sys/health?standbyok=true"`) - When set to a value, enables HTTP/HTTPS probes instead of using the default `exec` probe. The http/https scheme is controlled by the `tlsDisable` value. - - `preStopSleepSeconds` (`int: 5`) - Used to set the sleep time during the preStop step. + - `initialDelaySeconds` (`int: 60`) - Sets the initial delay of the liveliness probe when the container starts. - - `postStart` (`array: []`) - Used to define commands to run after the pod is ready. This can be used to automate processes such as initialization or bootstrapping auth methods. + - `failureThreshold` (`int: 2`) - When set to a value, configures how many probe failures will be tolerated by Kubernetes. - ```yaml - postStart: - - /bin/sh - - -c - - /vault/userconfig/myscript/run.sh - ``` + - `periodSeconds` (`int: 5`) - When set to a value, configures how often (in seconds) to perform the probe. - - `extraInitContainers` (`array: null`) - extraInitContainers is a list of init containers. Specified as a YAML list. This is useful if you need to run a script to provision TLS certificates or write out configuration files in a dynamic way. + - `successThreshold` (`int: 1`) - When set to a value, configures the minimum consecutive successes for the probe to be considered successful after having failed. - - `extraContainers` (`array: null`) - The extra containers to be applied to the Vault server pods. + - `timeoutSeconds` (`int: 3`) - When set to a value, configures the number of seconds after which the probe times out. ```yaml - extraContainers: - - name: mycontainer - image: 'app:0.0.0' - env: ... 
+ livelinessProbe: + enabled: true + path: /v1/sys/health?standbyok=true + initialDelaySeconds: 60 + failureThreshold: 2 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 3 ``` - - `extraEnvironmentVars` (`dictionary: {}`) - The extra environment variables to be applied to the Vault server. + - `preStopSleepSeconds` (`int: 5`) - Used to set the sleep time during the preStop step. - ```yaml - # Extra Environment Variables are defined as key/value strings. - extraEnvironmentVars: - GOOGLE_REGION: global - GOOGLE_PROJECT: myproject - GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/myproject/myproject-creds.json - ``` + - `postStart` (`array: []`) - Used to define commands to run after the pod is ready. This can be used to automate processes such as initialization or bootstrapping auth methods. - - `shareProcessNamespace` (`boolean: false`) - Enables process namespace sharing between Vault and the extraContainers. This is useful if Vault must be signaled, e.g. to send a SIGHUP for log rotation. + ```yaml + postStart: + - /bin/sh + - -c + - /vault/userconfig/myscript/run.sh + ``` - - `extraArgs` (`string: null`) - The extra arguments to be applied to the Vault server startup command. + - `extraInitContainers` (`array: null`) - extraInitContainers is a list of init containers. Specified as a YAML list. This is useful if you need to run a script to provision TLS certificates or write out configuration files in a dynamic way. - ```yaml - extraArgs: '-config=/path/to/extra/config.hcl -log-format=json' - ``` + - `extraContainers` (`array: null`) - The extra containers to be applied to the Vault server pods. - - `extraSecretEnvironmentVars` (`string: null`) - The extra environment variables populated from a secret to be applied to the Vault server. This should be a multi-line key/value string. + ```yaml + extraContainers: + - name: mycontainer + image: 'app:0.0.0' + env: ... 
+ ``` - - `envName` (`string: required`) - - Name of the environment variable to be populated in the Vault container. + - `extraEnvironmentVars` (`dictionary: {}`) - The extra environment variables to be applied to the Vault server. - - `secretName` (`string: required`) - - Name of Kubernetes secret used to populate the environment variable defined by `envName`. + ```yaml + # Extra Environment Variables are defined as key/value strings. + extraEnvironmentVars: + GOOGLE_REGION: global + GOOGLE_PROJECT: myproject + GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/myproject/myproject-creds.json + ``` - - `secretKey` (`string: required`) - - Name of the key where the requested secret value is located in the Kubernetes secret. + - `shareProcessNamespace` (`boolean: false`) - Enables process namespace sharing between Vault and the extraContainers. This is useful if Vault must be signaled, e.g. to send a SIGHUP for log rotation. - ```yaml - # Extra Environment Variables populated from a secret. - extraSecretEnvironmentVars: - - envName: AWS_SECRET_ACCESS_KEY - secretName: vault - secretKey: AWS_SECRET_ACCESS_KEY - ``` + - `extraArgs` (`string: null`) - The extra arguments to be applied to the Vault server startup command. - - `extraVolumes` (`array: []`) - Deprecated: please use `volumes` instead. A list of extra volumes to mount to Vault servers. This is useful for bringing in extra data that can be referenced by other configurations at a well known path, such as TLS certificates. The value of this should be a list of objects. Each object supports the following keys: + ```yaml + extraArgs: '-config=/path/to/extra/config.hcl -log-format=json' + ``` - - `type` (`string: required`) - - Type of the volume, must be one of "configMap" or "secret". Case sensitive. + - `extraSecretEnvironmentVars` (`string: null`) - The extra environment variables populated from a secret to be applied to the Vault server. This should be a multi-line key/value string. 
- - `name` (`string: required`) - - Name of the configMap or secret to be mounted. This also controls the path - that it is mounted to. The volume will be mounted to `/vault/userconfig/` by default - unless `path` is configured. + - `envName` (`string: required`) - + Name of the environment variable to be populated in the Vault container. - - `path` (`string: /vault/userconfigs`) - - Name of the path where a configMap or secret is mounted. If not specified - the volume will be mounted to `/vault/userconfig/`. + - `secretName` (`string: required`) - + Name of Kubernetes secret used to populate the environment variable defined by `envName`. - - `defaultMode` (`string: "420"`) - - Default mode of the mounted files. + - `secretKey` (`string: required`) - + Name of the key where the requested secret value is located in the Kubernetes secret. - ```yaml - extraVolumes: - - type: 'secret' - name: 'vault-certs' - path: '/etc/pki' - ``` + ```yaml + # Extra Environment Variables populated from a secret. + extraSecretEnvironmentVars: + - envName: AWS_SECRET_ACCESS_KEY + secretName: vault + secretKey: AWS_SECRET_ACCESS_KEY + ``` - - `volumes` (`array: []`) - A list of volumes made available to all containers. This takes - standard Kubernetes volume definitions. + - `extraVolumes` (`array: []`) - Deprecated: please use `volumes` instead. A list of extra volumes to mount to Vault servers. This is useful for bringing in extra data that can be referenced by other configurations at a well known path, such as TLS certificates. The value of this should be a list of objects. Each object supports the following keys: - ```yaml - volumes: - - name: plugins - emptyDir: {} - ``` + - `type` (`string: required`) - + Type of the volume, must be one of "configMap" or "secret". Case sensitive. - - `volumeMounts` (`array: []`) - A list of volumes mounts made available to all containers. This takes - standard Kubernetes volume definitions. 
+ - `name` (`string: required`) - + Name of the configMap or secret to be mounted. This also controls the path + that it is mounted to. The volume will be mounted to `/vault/userconfig/` by default + unless `path` is configured. - ```yaml - volumeMounts: - - mountPath: /usr/local/libexec/vault - name: plugins - readOnly: true - ``` + - `path` (`string: /vault/userconfigs`) - + Name of the path where a configMap or secret is mounted. If not specified + the volume will be mounted to `/vault/userconfig/`. - - `affinity` - This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) for server pods. It defaults to allowing only a single pod on each node, which minimizes risk of the cluster becoming unusable if a node is lost. If you need to run more pods per node (for example, testing on Minikube), set this value to `null`. + - `defaultMode` (`string: "420"`) - + Default mode of the mounted files. ```yaml - # Recommended default server affinity: - affinity: | - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app: {{ template "vault.name" . }} - release: "{{ .Release.Name }}" - component: server - topologyKey: kubernetes.io/hostname + extraVolumes: + - type: 'secret' + name: 'vault-certs' + path: '/etc/pki' ``` - - `tolerations` (`string: null`) - This value defines the [tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) that are acceptable when being scheduled. This should be a multi-line string matching the Toleration array in a PodSpec. + - `volumes` (`array: []`) - A list of volumes made available to all containers. This takes + standard Kubernetes volume definitions. 
```yaml - tolerations: | - - key: 'node.kubernetes.io/unreachable' - operator: 'Exists' - effect: 'NoExecute' - tolerationSeconds: 6000 + volumes: + - name: plugins + emptyDir: {} ``` - - `nodeSelector` - This value defines additional node selection criteria for more control over where the Vault servers are deployed. This should be formatted as a multi-line string. + - `volumeMounts` (`array: []`) - A list of volumes mounts made available to all containers. This takes + standard Kubernetes volume definitions. ```yaml - nodeSelector: | - disktype: ssd + volumeMounts: + - mountPath: /usr/local/libexec/vault + name: plugins + readOnly: true ``` - - `networkPolicy` - Values that configure the Vault Network Policy. + - `affinity` - This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) for server pods. It defaults to allowing only a single pod on each node, which minimizes risk of the cluster becoming unusable if a node is lost. If you need to run more pods per node (for example, testing on Minikube), set this value to `null`. - - `enabled` (`boolean: false`) - When set to `true`, enables a Network Policy for the Vault cluster. + ```yaml + # Recommended default server affinity: + affinity: | + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app: {{ template "vault.name" . }} + release: "{{ .Release.Name }}" + component: server + topologyKey: kubernetes.io/hostname + ``` - - `egress` (`array: []`) - This value configures the [egress](https://kubernetes.io/docs/concepts/services-networking/network-policies/) network policy rules. + - `tolerations` (`string: null`) - This value defines the [tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) that are acceptable when being scheduled. This should be a multi-line string matching the Toleration array in a PodSpec. 
- ```yaml - egress: - - to: - - ipBlock: - cidr: 10.0.0.0/24 - ports: - - protocol: TCP - port: 8200 - ``` + ```yaml + tolerations: | + - key: 'node.kubernetes.io/unreachable' + operator: 'Exists' + effect: 'NoExecute' + tolerationSeconds: 6000 + ``` - - `priorityClassName` (`string: ""`) - Priority class for server pods + - `nodeSelector` - This value defines additional node selection criteria for more control over where the Vault servers are deployed. This should be formatted as a multi-line string. - - `extraLabels` (`dictionary: {}`) - This value defines additional labels for server pods. + ```yaml + nodeSelector: | + disktype: ssd + ``` - ```yaml - extraLabels: - 'sample/label1': 'foo' - 'sample/label2': 'bar' - ``` + - `networkPolicy` - Values that configure the Vault Network Policy. + + - `enabled` (`boolean: false`) - When set to `true`, enables a Network Policy for the Vault cluster. - - `annotations` (`dictionary: {}`) - This value defines additional annotations for server pods. This can either be YAML or a YAML-formatted multi-line templated string. + - `egress` (`array: []`) - This value configures the [egress](https://kubernetes.io/docs/concepts/services-networking/network-policies/) network policy rules. ```yaml - annotations: - "sample/annotation1": "foo" - "sample/annotation2": "bar" - # or - annotations: | - "sample/annotation1": "foo" - "sample/annotation2": "bar" + egress: + - to: + - ipBlock: + cidr: 10.0.0.0/24 + ports: + - protocol: TCP + port: 8200 ``` - - `service` - Values that configure the Kubernetes service created for Vault. These options are also used for the `active` and `standby` services when [`ha`](#ha) is enabled. + - `priorityClassName` (`string: ""`) - Priority class for server pods - - `enabled` (`boolean: true`) - When set to `true`, a Kubernetes service will be created for Vault. + - `extraLabels` (`dictionary: {}`) - This value defines additional labels for server pods. 
- - `clusterIP` (`string`) - ClusterIP controls whether an IP address (cluster IP) is attached to the Vault service within Kubernetes. By default the Vault service will be given a Cluster IP address, set to `None` to disable. When disabled Kubernetes will create a "headless" service. Headless services can be used to communicate with pods directly through DNS instead of a round robin load balancer. + ```yaml + extraLabels: + 'sample/label1': 'foo' + 'sample/label2': 'bar' + ``` - - `type` (`string: "ClusterIP"`) - Sets the type of service to create, such as `NodePort`. + - `annotations` (`dictionary: {}`) - This value defines additional annotations for server pods. This can either be YAML or a YAML-formatted multi-line templated string. - - `port` (`int: 8200`) - Port on which Vault server is listening inside the pod. + ```yaml + annotations: + "sample/annotation1": "foo" + "sample/annotation2": "bar" + # or + annotations: | + "sample/annotation1": "foo" + "sample/annotation2": "bar" + ``` - - `targetPort` (`int: 8200`) - Port on which the service is listening. + - `service` - Values that configure the Kubernetes service created for Vault. These options are also used for the `active` and `standby` services when [`ha`](#ha) is enabled. - - `nodePort` (`int:`) - When type is set to `NodePort`, the bound node port can be configured using this value. A random port will be assigned if this is left blank. + - `enabled` (`boolean: true`) - When set to `true`, a Kubernetes service will be created for Vault. - - `annotations` (`dictionary: {}`) - This value defines additional annotations for the service. This can either be YAML or a YAML-formatted multi-line templated string. + - `clusterIP` (`string`) - ClusterIP controls whether an IP address (cluster IP) is attached to the Vault service within Kubernetes. By default the Vault service will be given a Cluster IP address, set to `None` to disable. When disabled Kubernetes will create a "headless" service. 
Headless services can be used to communicate with pods directly through DNS instead of a round robin load balancer. - ```yaml - annotations: - "sample/annotation1": "foo" - "sample/annotation2": "bar" - # or - annotations: | - "sample/annotation1": "foo" - "sample/annotation2": "bar" - ``` + - `type` (`string: "ClusterIP"`) - Sets the type of service to create, such as `NodePort`. - - `serviceAccount` - Values that configure the Kubernetes service account created for Vault. + - `port` (`int: 8200`) - Port on which Vault server is listening inside the pod. - - `create` (`boolean: true`): If set to true, creates a service account used by Vault. + - `targetPort` (`int: 8200`) - Port on which the service is listening. - - `name` (`string: ""`): Name of the service account to use. If not set and create is true, a name is generated using the name of the installation (default is "vault"). + - `nodePort` (`int:`) - When type is set to `NodePort`, the bound node port can be configured using this value. A random port will be assigned if this is left blank. - - `annotations` (`dictionary: {}`) - This value defines additional annotations for the service account. This can either be YAML or a YAML-formatted multi-line templated string. + - `annotations` (`dictionary: {}`) - This value defines additional annotations for the service. This can either be YAML or a YAML-formatted multi-line templated string. - ```yaml - annotations: - "sample/annotation1": "foo" - "sample/annotation2": "bar" - # or - annotations: | - "sample/annotation1": "foo" - "sample/annotation2": "bar" - ``` + ```yaml + annotations: + "sample/annotation1": "foo" + "sample/annotation2": "bar" + # or + annotations: | + "sample/annotation1": "foo" + "sample/annotation2": "bar" + ``` - - `dataStorage` - This configures the volume used for storing Vault data when not using external storage such as Consul. + - `serviceAccount` - Values that configure the Kubernetes service account created for Vault. 
- - `enabled` (`boolean: true`) - - Enables a persistent volume to be created for storing Vault data when not using an external storage service. + - `create` (`boolean: true`): If set to true, creates a service account used by Vault. - - `size` (`string: 10Gi`) - - Size of the volume to be created for Vault's data storage when not using an external storage service. + - `name` (`string: ""`): Name of the service account to use. If not set and create is true, a name is generated using the name of the installation (default is "vault"). - - `storageClass` (`string: null`) - - Name of the storage class to use when creating the data storage volume. + - `annotations` (`dictionary: {}`) - This value defines additional annotations for the service account. This can either be YAML or a YAML-formatted multi-line templated string. - - `mountPath` (`string: /vault/data`) - - Configures the path in the Vault pod where the data storage will be mounted. + ```yaml + annotations: + "sample/annotation1": "foo" + "sample/annotation2": "bar" + # or + annotations: | + "sample/annotation1": "foo" + "sample/annotation2": "bar" + ``` - - `accessMode` (`string: ReadWriteOnce`) - - Type of access mode of the storage device. See the [official Kubernetes](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes) for more information. + - `dataStorage` - This configures the volume used for storing Vault data when not using external storage such as Consul. - - `annotations` (`dictionary: {}`) - This value defines additional annotations to - add to the data PVCs. This can either be YAML or a YAML-formatted - multi-line templated string. + - `enabled` (`boolean: true`) - + Enables a persistent volume to be created for storing Vault data when not using an external storage service. 
- ```yaml - annotations: - kubernetes.io/my-pvc: foobar - # or - annotations: | - kubernetes.io/my-pvc: foobar - ``` + - `size` (`string: 10Gi`) - + Size of the volume to be created for Vault's data storage when not using an external storage service. - - `auditStorage` - This configures the volume used for storing Vault's audit logs. See the [Vault documentation](/docs/audit) for more information. + - `storageClass` (`string: null`) - + Name of the storage class to use when creating the data storage volume. - - `enabled` (`boolean: true`) - - Enables a persistent volume to be created for storing Vault's audit logs. + - `mountPath` (`string: /vault/data`) - + Configures the path in the Vault pod where the data storage will be mounted. - - `size` (`string: 10Gi`) - - Size of the volume to be created for Vault's audit logs. + - `accessMode` (`string: ReadWriteOnce`) - + Type of access mode of the storage device. See the [official Kubernetes](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes) for more information. - - `storageClass` (`string: null`) - - Name of the storage class to use when creating the audit storage volume. + - `annotations` (`dictionary: {}`) - This value defines additional annotations to + add to the data PVCs. This can either be YAML or a YAML-formatted + multi-line templated string. - - `mountPath` (`string: /vault/audit`) - - Configures the path in the Vault pod where the audit storage will be mounted. + ```yaml + annotations: + kubernetes.io/my-pvc: foobar + # or + annotations: | + kubernetes.io/my-pvc: foobar + ``` - - `accessMode` (`string: ReadWriteOnce`) - - Type of access mode of the storage device. + - `auditStorage` - This configures the volume used for storing Vault's audit logs. See the [Vault documentation](/docs/audit) for more information. - - `annotations` (`dictionary: {}`) - This value defines additional annotations to - add to the audit PVCs. 
This can either be YAML or a YAML-formatted - multi-line templated string. + - `enabled` (`boolean: true`) - + Enables a persistent volume to be created for storing Vault's audit logs. - ```yaml - annotations: - kubernetes.io/my-pvc: foobar - # or - annotations: | - kubernetes.io/my-pvc: foobar - ``` + - `size` (`string: 10Gi`) - + Size of the volume to be created for Vault's audit logs. - - `dev` - This configures `dev` mode for the Vault server. + - `storageClass` (`string: null`) - + Name of the storage class to use when creating the audit storage volume. - - `enabled` (`boolean: false`) - - Enables `dev` mode for the Vault server. This mode is useful for experimenting with Vault without needing to unseal. + - `mountPath` (`string: /vault/audit`) - + Configures the path in the Vault pod where the audit storage will be mounted. - - `devRootToken` (`string: "root"`) - Configures the root token for the Vault development server. + - `accessMode` (`string: ReadWriteOnce`) - + Type of access mode of the storage device. - ~> **Security Warning:** Never, ever, ever run a "dev" mode server in production. It is insecure and will lose data on every restart (since it stores data in-memory). It is only made for development or experimentation. + - `annotations` (`dictionary: {}`) - This value defines additional annotations to + add to the audit PVCs. This can either be YAML or a YAML-formatted + multi-line templated string. - - `standalone` - This configures `standalone` mode for the Vault server. + ```yaml + annotations: + kubernetes.io/my-pvc: foobar + # or + annotations: | + kubernetes.io/my-pvc: foobar + ``` - - `enabled` (`boolean: true`) - - Enables `standalone` mode for the Vault server. This mode uses the `file` storage backend and requires a volume for persistence (`dataStorage`). + - `dev` - This configures `dev` mode for the Vault server. - - `config` (`string: "{}"`) - - A raw string of extra HCL or JSON [configuration](/docs/configuration) for Vault servers. 
- This will be saved as-is into a ConfigMap that is read by the Vault servers. - This can be used to add additional configuration that isn't directly exposed by the chart. + - `enabled` (`boolean: false`) - + Enables `dev` mode for the Vault server. This mode is useful for experimenting with Vault without needing to unseal. - ```yaml - # ExtraConfig values are formatted as a multi-line string: - config: | - api_addr = "http://POD_IP:8200" + - `devRootToken` (`string: "root"`) - Configures the root token for the Vault development server. - listener "tcp" { - tls_disable = 1 - address = "0.0.0.0:8200" - } + ~> **Security Warning:** Never, ever, ever run a "dev" mode server in production. It is insecure and will lose data on every restart (since it stores data in-memory). It is only made for development or experimentation. - storage "file" { - path = "/vault/data" - } - ``` + - `standalone` - This configures `standalone` mode for the Vault server. - This can also be set using Helm's `--set` flag (vault-helm v0.1.0 and later), using the following syntax: + - `enabled` (`boolean: true`) - + Enables `standalone` mode for the Vault server. This mode uses the `file` storage backend and requires a volume for persistence (`dataStorage`). - ```shell - --set server.standalone.config='{ listener "tcp" { address = "0.0.0.0:8200" }' - ``` + - `config` (`string: "{}"`) - + A raw string of extra HCL or JSON [configuration](/docs/configuration) for Vault servers. + This will be saved as-is into a ConfigMap that is read by the Vault servers. + This can be used to add additional configuration that isn't directly exposed by the chart. - - `ha` - This configures `ha` mode for the Vault server. 
+ ```yaml + # ExtraConfig values are formatted as a multi-line string: + config: | + api_addr = "http://POD_IP:8200" + + listener "tcp" { + tls_disable = 1 + address = "0.0.0.0:8200" + } + + storage "file" { + path = "/vault/data" + } + ``` - - `enabled` (`boolean: false`) - - Enables `ha` mode for the Vault server. This mode uses a highly available backend storage (such as Consul) to store Vault's data. By default this is configured to use [Consul Helm](https://github.com/hashicorp/consul-helm). For a complete list of storage backends, see the [Vault documentation](/docs/configuration). + This can also be set using Helm's `--set` flag (vault-helm v0.1.0 and later), using the following syntax: - - `apiAddr`: (`string: "{}"`) - - Set the API address configuration for a Vault cluster. If set to an empty string, the pod IP address is used. + ```shell + --set server.standalone.config='{ listener "tcp" { address = "0.0.0.0:8200" }' + ``` - - `raft` - This configures `raft` integrated storage mode for the Vault server. + - `ha` - This configures `ha` mode for the Vault server. - - `enabled` (`boolean: false`) - - Enables `raft` integrated storage mode for the Vault server. This mode uses persistent volumes for storage. + - `enabled` (`boolean: false`) - + Enables `ha` mode for the Vault server. This mode uses a highly available backend storage (such as Consul) to store Vault's data. By default this is configured to use [Consul Helm](https://github.com/hashicorp/consul-helm). For a complete list of storage backends, see the [Vault documentation](/docs/configuration). - - `setNodeId` (`boolean: false`) - Set the Node Raft ID to the name of the pod. + - `apiAddr`: (`string: "{}"`) - + Set the API address configuration for a Vault cluster. If set to an empty string, the pod IP address is used. - - `config` (`string: "{}"`) - - A raw string of extra HCL or JSON [configuration](/docs/configuration) for Vault servers. 
- This will be saved as-is into a ConfigMap that is read by the Vault servers. - This can be used to add additional configuration that isn't directly exposed by the chart. + - `raft` - This configures `raft` integrated storage mode for the Vault server. - - `replicas` (`int: 5`) - - The number of pods to deploy to create a highly available cluster of Vault servers. + - `enabled` (`boolean: false`) - + Enables `raft` integrated storage mode for the Vault server. This mode uses persistent volumes for storage. - - `updatePartition` (`int: 0`) - - If an updatePartition is specified, all Pods with an ordinal that is greater than or equal to the partition will be updated when the StatefulSet’s `.spec.template` is updated. If set to `0`, this disables partition updates. For more information see the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#rolling-updates). + - `setNodeId` (`boolean: false`) - Set the Node Raft ID to the name of the pod. - `config` (`string: "{}"`) - A raw string of extra HCL or JSON [configuration](/docs/configuration) for Vault servers. This will be saved as-is into a ConfigMap that is read by the Vault servers. This can be used to add additional configuration that isn't directly exposed by the chart. - ```yaml - # ExtraConfig values are formatted as a multi-line string: - config: | - ui = true - api_addr = "http://POD_IP:8200" - listener "tcp" { - tls_disable = 1 - address = "0.0.0.0:8200" - } - - storage "consul" { - path = "vault" - address = "HOST_IP:8500" - } - ``` + - `replicas` (`int: 5`) - + The number of pods to deploy to create a highly available cluster of Vault servers. 
- This can also be set using Helm's `--set` flag (vault-helm v0.1.0 and later), using the following syntax: + - `updatePartition` (`int: 0`) - + If an updatePartition is specified, all Pods with an ordinal that is greater than or equal to the partition will be updated when the StatefulSet’s `.spec.template` is updated. If set to `0`, this disables partition updates. For more information see the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#rolling-updates). - ```shell - --set server.ha.config='{ listener "tcp" { address = "0.0.0.0:8200" }' - ``` + - `config` (`string: "{}"`) - + A raw string of extra HCL or JSON [configuration](/docs/configuration) for Vault servers. + This will be saved as-is into a ConfigMap that is read by the Vault servers. + This can be used to add additional configuration that isn't directly exposed by the chart. + + ```yaml + # ExtraConfig values are formatted as a multi-line string: + config: | + ui = true + api_addr = "http://POD_IP:8200" + listener "tcp" { + tls_disable = 1 + address = "0.0.0.0:8200" + } + + storage "consul" { + path = "vault" + address = "HOST_IP:8500" + } + ``` + + This can also be set using Helm's `--set` flag (vault-helm v0.1.0 and later), using the following syntax: + + ```shell + --set server.ha.config='{ listener "tcp" { address = "0.0.0.0:8200" }' + ``` - * `disruptionBudget` - Values that configures the disruption budget policy. See the [official Kubernetes documentation](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) for more information. + - `disruptionBudget` - Values that configures the disruption budget policy. See the [official Kubernetes documentation](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) for more information. - - `enabled` (`boolean: true`) - - Enables disruption budget policy to limit the number of pods that are down simultaneously from voluntary disruptions. 
+ - `enabled` (`boolean: true`) - + Enables disruption budget policy to limit the number of pods that are down simultaneously from voluntary disruptions. - - `maxUnavailable` (`int: null`) - - The maximum number of unavailable pods. By default, this will be automatically - computed based on the `server.replicas` value to be `(n/2)-1`. If you need to set - this to `0`, you will need to add a `--set 'server.disruptionBudget.maxUnavailable=0'` - flag to the helm chart installation command because of a limitation in the Helm - templating language. + - `maxUnavailable` (`int: null`) - + The maximum number of unavailable pods. By default, this will be automatically + computed based on the `server.replicas` value to be `(n/2)-1`. If you need to set + this to `0`, you will need to add a `--set 'server.disruptionBudget.maxUnavailable=0'` + flag to the helm chart installation command because of a limitation in the Helm + templating language. - `statefulset` - This configures settings for the Vault Statefulset. @@ -781,7 +817,7 @@ and consider if they're appropriate for your deployment. - `repository` (`string: "hashicorp/vault-csi-provider"`) - The name of the Docker image for the Vault CSI Provider. - - `tag` (`string: "0.1.0"`) - The tag of the Docker image for the Vault CSI Provider.. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your CSI provider. + - `tag` (`string: "0.2.0"`) - The tag of the Docker image for the Vault CSI Provider.. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your CSI provider. - `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists locally. 
diff --git a/website/content/docs/platform/k8s/helm/examples/enterprise-dr-with-raft.mdx b/website/content/docs/platform/k8s/helm/examples/enterprise-dr-with-raft.mdx index 120e9a547ac51..c3afb22080282 100644 --- a/website/content/docs/platform/k8s/helm/examples/enterprise-dr-with-raft.mdx +++ b/website/content/docs/platform/k8s/helm/examples/enterprise-dr-with-raft.mdx @@ -21,7 +21,7 @@ First, create the primary cluster: ```shell helm install vault-primary hashicorp/vault \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.6.2_ent' \ + --set='server.image.tag=1.7.0_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' ``` @@ -73,7 +73,7 @@ disaster recovery replication. ```shell helm install vault-secondary hashicorp/vault \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.6.2_ent' \ + --set='server.image.tag=1.7.0_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' ``` diff --git a/website/content/docs/platform/k8s/helm/examples/enterprise-perf-with-raft.mdx b/website/content/docs/platform/k8s/helm/examples/enterprise-perf-with-raft.mdx index 4c03d872b74c2..91480b198b2a0 100644 --- a/website/content/docs/platform/k8s/helm/examples/enterprise-perf-with-raft.mdx +++ b/website/content/docs/platform/k8s/helm/examples/enterprise-perf-with-raft.mdx @@ -21,7 +21,7 @@ First, create the primary cluster: ```shell helm install vault-primary hashicorp/vault \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.6.2_ent' \ + --set='server.image.tag=1.7.0_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' ``` 
@@ -72,7 +72,7 @@ With the primary cluster created, next create a secondary cluster. ```shell helm install vault-secondary hashicorp/vault \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.6.2_ent' \ + --set='server.image.tag=1.7.0_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' ``` diff --git a/website/content/docs/platform/k8s/helm/examples/enterprise-with-raft.mdx b/website/content/docs/platform/k8s/helm/examples/enterprise-with-raft.mdx index db109ecefc129..fa1cb9e62c5a3 100644 --- a/website/content/docs/platform/k8s/helm/examples/enterprise-with-raft.mdx +++ b/website/content/docs/platform/k8s/helm/examples/enterprise-with-raft.mdx @@ -15,7 +15,7 @@ Integrated storage (raft) can be enabled using the `server.ha.raft.enabled` valu ```shell helm install vault hashicorp/vault \ --set='server.image.repository=hashicorp/vault-enterprise' \ - --set='server.image.tag=1.6.2_ent' \ + --set='server.image.tag=1.7.0_ent' \ --set='server.ha.enabled=true' \ --set='server.ha.raft.enabled=true' ``` diff --git a/website/content/docs/platform/k8s/helm/index.mdx b/website/content/docs/platform/k8s/helm/index.mdx index 52c47dca583fb..7f88c286db15e 100644 --- a/website/content/docs/platform/k8s/helm/index.mdx +++ b/website/content/docs/platform/k8s/helm/index.mdx @@ -35,7 +35,7 @@ $ helm repo add hashicorp https://helm.releases.hashicorp.com $ helm search repo hashicorp/vault NAME CHART VERSION APP VERSION DESCRIPTION -hashicorp/vault 0.10.0 1.7.0 Official HashiCorp Vault Chart +hashicorp/vault 0.11.0 1.7.0 Official HashiCorp Vault Chart ``` -> **Important:** The Helm chart is new and under significant development. 
@@ -57,14 +57,16 @@ Installing a specific version of the chart. # List the available releases $ helm search repo hashicorp/vault -l NAME CHART VERSION APP VERSION DESCRIPTION -hashicorp/vault 0.10.0 1.7.0 Official HashiCorp Vault Chart -hashicorp/vault 0.9.1 1.6.2 Official HashiCorp Vault Chart -hashicorp/vault 0.9.0 1.6.1 Official HashiCorp Vault Chart -hashicorp/vault 0.8.0 1.5.4 Official HashiCorp Vault Chart -hashicorp/vault 0.7.0 1.5.2 Official HashiCorp Vault Chart - -# Install version 0.10.0 -$ helm install vault hashicorp/vault --version 0.10.0 +hashicorp/vault 0.11.0 1.7.0 Official HashiCorp Vault Chart +hashicorp/vault 0.10.0 1.7.0 Official HashiCorp Vault Chart +hashicorp/vault 0.9.1 1.6.2 Official HashiCorp Vault Chart +hashicorp/vault 0.9.0 1.6.1 Official HashiCorp Vault Chart +hashicorp/vault 0.8.0 1.5.4 Official HashiCorp Vault Chart +hashicorp/vault 0.7.0 1.5.2 Official HashiCorp Vault Chart +hashicorp/vault 0.6.0 1.4.2 Official HashiCorp Vault Chart + +# Install version 0.11.0 +$ helm install vault hashicorp/vault --version 0.11.0 ``` ~> **Security Warning:** By default, the chart runs in standalone mode. This diff --git a/website/content/docs/platform/k8s/helm/openshift.mdx b/website/content/docs/platform/k8s/helm/openshift.mdx index 68ec6fae06959..66c6ee27a8532 100644 --- a/website/content/docs/platform/k8s/helm/openshift.mdx +++ b/website/content/docs/platform/k8s/helm/openshift.mdx @@ -69,7 +69,7 @@ $ helm repo add hashicorp https://helm.releases.hashicorp.com $ helm search repo hashicorp/vault NAME CHART VERSION APP VERSION DESCRIPTION -hashicorp/vault 0.10.0 1.7.0 Official HashiCorp Vault Chart +hashicorp/vault 0.11.0 1.7.0 Official HashiCorp Vault Chart ``` -> **Important:** The Helm chart is new and under significant development. 
@@ -88,14 +88,16 @@ Or install a specific version of the chart. # List the available releases $ helm search repo hashicorp/vault -l NAME CHART VERSION APP VERSION DESCRIPTION -hashicorp/vault 0.10.0 1.7.0 Official HashiCorp Vault Chart -hashicorp/vault 0.9.1 1.6.2 Official HashiCorp Vault Chart -hashicorp/vault 0.9.0 1.6.1 Official HashiCorp Vault Chart -hashicorp/vault 0.8.0 1.5.4 Official HashiCorp Vault Chart -hashicorp/vault 0.7.0 1.5.2 Official HashiCorp Vault Chart - -# Install version 0.10.0 -$ helm install vault hashicorp/vault --version 0.10.0 +hashicorp/vault 0.11.0 1.7.0 Official HashiCorp Vault Chart +hashicorp/vault 0.10.0 1.7.0 Official HashiCorp Vault Chart +hashicorp/vault 0.9.1 1.6.2 Official HashiCorp Vault Chart +hashicorp/vault 0.9.0 1.6.1 Official HashiCorp Vault Chart +hashicorp/vault 0.8.0 1.5.4 Official HashiCorp Vault Chart +hashicorp/vault 0.7.0 1.5.2 Official HashiCorp Vault Chart +hashicorp/vault 0.6.0 1.4.2 Official HashiCorp Vault Chart + +# Install version 0.11.0 +$ helm install vault hashicorp/vault --version 0.11.0 ``` The `helm install` command accepts parameters to override default configuration diff --git a/website/content/docs/platform/k8s/helm/run.mdx b/website/content/docs/platform/k8s/helm/run.mdx index 5897a71fc2f84..1cace9ccc9e98 100644 --- a/website/content/docs/platform/k8s/helm/run.mdx +++ b/website/content/docs/platform/k8s/helm/run.mdx @@ -53,7 +53,7 @@ $ helm repo add hashicorp https://helm.releases.hashicorp.com $ helm search repo hashicorp/vault NAME CHART VERSION APP VERSION DESCRIPTION -hashicorp/vault 0.10.0 1.7.0 Official HashiCorp Vault Chart +hashicorp/vault 0.11.0 1.7.0 Official HashiCorp Vault Chart ``` -> **Important:** The Helm chart is new and under significant development. 
@@ -72,14 +72,16 @@ Or install a specific version of the chart. # List the available releases $ helm search repo hashicorp/vault -l NAME CHART VERSION APP VERSION DESCRIPTION -hashicorp/vault 0.10.0 1.7.0 Official HashiCorp Vault Chart -hashicorp/vault 0.9.1 1.6.2 Official HashiCorp Vault Chart -hashicorp/vault 0.9.0 1.6.1 Official HashiCorp Vault Chart -hashicorp/vault 0.8.0 1.5.4 Official HashiCorp Vault Chart -hashicorp/vault 0.7.0 1.5.2 Official HashiCorp Vault Chart - -# Install version 0.10.0 -$ helm install vault hashicorp/vault --version 0.10.0 +hashicorp/vault 0.11.0 1.7.0 Official HashiCorp Vault Chart +hashicorp/vault 0.10.0 1.7.0 Official HashiCorp Vault Chart +hashicorp/vault 0.9.1 1.6.2 Official HashiCorp Vault Chart +hashicorp/vault 0.9.0 1.6.1 Official HashiCorp Vault Chart +hashicorp/vault 0.8.0 1.5.4 Official HashiCorp Vault Chart +hashicorp/vault 0.7.0 1.5.2 Official HashiCorp Vault Chart +hashicorp/vault 0.6.0 1.4.2 Official HashiCorp Vault Chart + +# Install version 0.11.0 +$ helm install vault hashicorp/vault --version 0.11.0 ``` The `helm install` command accepts parameters to override default configuration
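Review bot: The new `port` and `targetPort` entries in the service block of configuration.mdx read inverted against Kubernetes Service semantics. In a Service spec, `port` is the port the Service exposes and `targetPort` is the container port that traffic is forwarded to, but the added text describes `port` as "Port on which Vault server is listening inside the pod" and `targetPort` as "Port on which the service is listening". Please check both against the chart's service template and swap the descriptions if they are reversed. In the same hunk, `nodePort` is documented as (`int:`) with no default, while `maxUnavailable` further down writes `int: null` for the same situation. Since the `--set server.standalone.config=...` and `--set server.ha.config=...` examples are being re-indented anyway, both open two braces and close only one, so the value as shown is not balanced. The sample `config` blocks also set `tls_disable = 1` on `0.0.0.0:8200` without comment; a one-line remark that this is for illustration only would sit well beside the existing dev-mode warning.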
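Review bot: The changed `tag` line for the Vault CSI Provider (hunk at `@@ -781,7 +817,7 @@` in configuration.mdx) still carries the doubled period in "for the Vault CSI Provider.." from the old line. As the line is being rewritten for the `0.2.0` bump, drop the extra period in the same change.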
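Review bot: The release listings in index.mdx, openshift.mdx and run.mdx gain a `0.6.0 1.4.2` row in addition to the new `0.11.0` row, which goes beyond a version bump and is not explained by anything visible in the patch. Either say in the commit message that the listing was regenerated from `helm search repo hashicorp/vault -l`, or keep the hunk to the `0.11.0` line and the updated `--version 0.11.0` install command. The same block is pasted into three files and has to be edited in lockstep on every release; a shared partial would remove that risk of the copies drifting apart.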