docs: updates for vault-k8s and vault-helm (hashicorp#12901)
Documentation updates for vault-k8s 0.14.0 and vault-helm 0.17.0
releases.
tvoran authored and Artem Alexandrov committed Feb 4, 2022
1 parent 7c86a99 commit 839002a
Showing 10 changed files with 69 additions and 28 deletions.
25 changes: 20 additions & 5 deletions website/content/docs/platform/k8s/helm/configuration.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -81,15 +81,15 @@ and consider if they're appropriate for your deployment.

- `repository` (`string: "hashicorp/vault-k8s"`) - The name of the Docker image for Vault Agent Injector.

- `tag` (`string: "0.13.1"`) - The tag of the Docker image for the Vault Agent Injector. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller.
- `tag` (`string: "0.14.0"`) - The tag of the Docker image for the Vault Agent Injector. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller.

- `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists.

- `agentImage` - Values that configure the Vault Agent sidecar image.

- `repository` (`string: "hashicorp/vault"`) - The name of the Docker image for the Vault Agent sidecar. This should be set to the official Vault Docker image.

- `tag` (`string: "1.8.3"`) - The tag of the Vault Docker image to use for the Vault Agent Sidecar. **Vault 1.3.1+ is required by the admission controller**.
- `tag` (`string: "1.8.4"`) - The tag of the Vault Docker image to use for the Vault Agent Sidecar. **Vault 1.3.1+ is required by the admission controller**.

- `agentDefaults` - Values that configure the injected Vault Agent containers default values.

Expand Down Expand Up @@ -172,6 +172,13 @@ and consider if they're appropriate for your deployment.

- `extraEnvironmentVars` (`dictionary: {}`) - Extra environment variables to set in the injector deployment.

```yaml
# Example setting injector TLS options in a deployment:
extraEnvironmentVars:
AGENT_INJECT_TLS_MIN_VERSION: tls13
AGENT_INJECT_TLS_CIPHER_SUITES: ...
```

- `affinity` - This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) for Vault Agent Injector pods. This can either be multi-line string or YAML matching the PodSpec's affinity field. It defaults to allowing only a single pod on each node, which minimizes risk of the cluster becoming unusable if a node is lost. If you need to run more pods per node (for example, testing on Minikube), set this value to `null`.

```yaml
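Review bot: The new `extraEnvironmentVars` example combines `AGENT_INJECT_TLS_MIN_VERSION: tls13` with `AGENT_INJECT_TLS_CIPHER_SUITES`, but the table this commit adds to installation.mdx states that cipher suites are not configurable for TLS 1.3, so the second line has no effect as shown. Either set the minimum to `tls12` when demonstrating a cipher-suite restriction, or drop the suites line from the TLS 1.3 example. The literal `...` should also be replaced with a real suite name or marked as a placeholder in a comment, since a reader copying the block will otherwise get an unparseable value.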
Expand Down Expand Up @@ -244,7 +251,7 @@ and consider if they're appropriate for your deployment.

- `repository` (`string: "hashicorp/vault"`) - The name of the Docker image for the containers running Vault.

- `tag` (`string: "1.8.3"`) - The tag of the Docker image for the containers running Vault. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller.
- `tag` (`string: "1.8.4"`) - The tag of the Docker image for the containers running Vault. **This should be pinned to a specific version when running in production.** Otherwise, other changes to the chart may inadvertently upgrade your admission controller.

- `pullPolicy` (`string: "IfNotPresent"`) - The pull policy for container images. The default pull policy is `IfNotPresent` which causes the Kubelet to skip pulling an image if it already exists.
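Review bot: The `server.image.tag` description still ends with "Otherwise, other changes to the chart may inadvertently upgrade your admission controller." This value selects the Vault server image, not the injector, so the sentence looks copied from the `injector.image.tag` entry above; it should read "may inadvertently upgrade your Vault servers" (or similar) so the pinning advice names the right component.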

Expand Down Expand Up @@ -289,6 +296,8 @@ and consider if they're appropriate for your deployment.
kubernetes.io/tls-acme: "true"
```

- `ingressClassName` (`string: ""`) - Specify the [IngressClass](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) that should be used to implement the Ingress

- `activeService` (`boolean: true`) - When HA mode is enabled and K8s service registration is being used, configure the ingress to point to the Vault active service.

- `extraPaths` (`array: []`) - Configures extra paths to prepend to the host configuration.
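Review bot: The new `ingressClassName` line is missing a terminating period after "implement the Ingress"; every neighbouring entry ends with one. Consider also mentioning that when it is left at the default `""` the cluster's default IngressClass (if any) is used, since that is what a reader choosing between this and an annotation will want to know.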
Expand All @@ -298,8 +307,10 @@ and consider if they're appropriate for your deployment.
extraPaths:
- path: /*
backend:
serviceName: ssl-redirect
servicePort: use-annotation
service:
name: ssl-redirect
port:
number: use-annotation
```

- `tls` (`array: []`) - Configure the TLS portion of the Ingress spec.
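Review bot: In the updated `extraPaths` example, `port: number: use-annotation` will fail validation: in `networking.k8s.io/v1` the `number` field is an integer, and a string backend port such as `use-annotation` belongs under `name`. The block should read:

      port:
        name: use-annotation

This is the form the load-balancer-controller redirect pattern uses on the v1 Ingress API.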
Expand Down Expand Up @@ -588,6 +599,8 @@ and consider if they're appropriate for your deployment.

- `type` (`string: "ClusterIP"`) - Sets the type of service to create, such as `NodePort`.

- `externalTrafficPolicy` (`string: "Cluster") - The [externalTrafficPolicy](https://kubernetes.io/docs/concepts/services-networking/service/#external-traffic-policy) can be set to either Cluster or Local and is only valid for LoadBalancer and NodePort service types.

- `port` (`int: 8200`) - Port on which Vault server is listening inside the pod.

- `targetPort` (`int: 8200`) - Port on which the service is listening.
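Review bot: The new `externalTrafficPolicy` entry is missing the closing backtick after the default value: `(`string: "Cluster")` should be `(`string: "Cluster"`)`, matching the identical entry added later in the UI service section. As written, the inline-code span runs on into the description text when rendered.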
Expand Down Expand Up @@ -819,6 +832,8 @@ and consider if they're appropriate for your deployment.

- `targetPort` (`int: 8200`) - Sets the target port value of the service.

- `externalTrafficPolicy` (`string: "Cluster"`) - The [externalTrafficPolicy](https://kubernetes.io/docs/concepts/services-networking/service/#external-traffic-policy) can be set to either Cluster or Local and is only valid for LoadBalancer and NodePort service types.

- `loadBalancerSourceRanges` (`string`) - This value defines additional source CIDRs when using `serviceType: LoadBalancer`. This should be formatted as a multi-line string.

```yaml
Expand Down
2 changes: 1 addition & 1 deletion website/content/docs/platform/k8s/helm/enterprise.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ In your chart overrides, set the values of [`server.image`](/docs/platform/k8s/h
server:
image:
repository: hashicorp/vault-enterprise
tag: 1.8.3_ent
tag: 1.8.4_ent
enterpriseLicense:
secretName: vault-ent-license
```
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ First, create the primary cluster:
```shell
helm install vault-primary hashicorp/vault \
--set='server.image.repository=hashicorp/vault-enterprise' \
--set='server.image.tag=1.8.3_ent' \
--set='server.image.tag=1.8.4_ent' \
--set='server.ha.enabled=true' \
--set='server.ha.raft.enabled=true'
```
Expand Down Expand Up @@ -75,7 +75,7 @@ disaster recovery replication.
```shell
helm install vault-secondary hashicorp/vault \
--set='server.image.repository=hashicorp/vault-enterprise' \
--set='server.image.tag=1.8.3_ent' \
--set='server.image.tag=1.8.4_ent' \
--set='server.ha.enabled=true' \
--set='server.ha.raft.enabled=true'
```
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ First, create the primary cluster:
```shell
helm install vault-primary hashicorp/vault \
--set='server.image.repository=hashicorp/vault-enterprise' \
--set='server.image.tag=1.8.3_ent' \
--set='server.image.tag=1.8.4_ent' \
--set='server.ha.enabled=true' \
--set='server.ha.raft.enabled=true'
```
Expand Down Expand Up @@ -74,7 +74,7 @@ With the primary cluster created, next create a secondary cluster.
```shell
helm install vault-secondary hashicorp/vault \
--set='server.image.repository=hashicorp/vault-enterprise' \
--set='server.image.tag=1.8.3_ent' \
--set='server.image.tag=1.8.4_ent' \
--set='server.ha.enabled=true' \
--set='server.ha.raft.enabled=true'
```
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ Integrated storage (raft) can be enabled using the `server.ha.raft.enabled` valu
```shell
helm install vault hashicorp/vault \
--set='server.image.repository=hashicorp/vault-enterprise' \
--set='server.image.tag=1.8.3_ent' \
--set='server.image.tag=1.8.4_ent' \
--set='server.ha.enabled=true' \
--set='server.ha.raft.enabled=true'
```
Expand Down
8 changes: 4 additions & 4 deletions website/content/docs/platform/k8s/helm/index.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ $ helm repo add hashicorp https://helm.releases.hashicorp.com
$ helm search repo hashicorp/vault
NAME CHART VERSION APP VERSION DESCRIPTION
hashicorp/vault 0.16.1 1.8.3 Official HashiCorp Vault Chart
hashicorp/vault 0.17.0 1.8.4 Official HashiCorp Vault Chart
```

-> **Important:** The Helm chart is new and under significant development.
Expand All @@ -57,17 +57,17 @@ Installing a specific version of the chart.
# List the available releases
$ helm search repo hashicorp/vault -l
NAME CHART VERSION APP VERSION DESCRIPTION
hashicorp/vault 0.17.0 1.8.4 Official HashiCorp Vault Chart
hashicorp/vault 0.16.1 1.8.3 Official HashiCorp Vault Chart
hashicorp/vault 0.16.0 1.8.2 Official HashiCorp Vault Chart
hashicorp/vault 0.15.0 1.8.1 Official HashiCorp Vault Chart
hashicorp/vault 0.14.0 1.8.0 Official HashiCorp Vault Chart
hashicorp/vault 0.13.0 1.7.3 Official HashiCorp Vault Chart
hashicorp/vault 0.12.0 1.7.2 Official HashiCorp Vault Chart
hashicorp/vault 0.11.0 1.7.0 Official HashiCorp Vault Chart
hashicorp/vault 0.10.0 1.7.0 Official HashiCorp Vault Chart

# Install version 0.16.1
$ helm install vault hashicorp/vault --version 0.16.1
# Install version 0.17.0
$ helm install vault hashicorp/vault --version 0.17.0
```

~> **Security Warning:** By default, the chart runs in standalone mode. This
Expand Down
8 changes: 4 additions & 4 deletions website/content/docs/platform/k8s/helm/openshift.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -69,7 +69,7 @@ $ helm repo add hashicorp https://helm.releases.hashicorp.com
$ helm search repo hashicorp/vault
NAME CHART VERSION APP VERSION DESCRIPTION
hashicorp/vault 0.16.1 1.8.3 Official HashiCorp Vault Chart
hashicorp/vault 0.17.0 1.8.4 Official HashiCorp Vault Chart
```

-> **Important:** The Helm chart is new and under significant development.
Expand All @@ -88,17 +88,17 @@ Or install a specific version of the chart.
# List the available releases
$ helm search repo hashicorp/vault -l
NAME CHART VERSION APP VERSION DESCRIPTION
hashicorp/vault 0.17.0 1.8.4 Official HashiCorp Vault Chart
hashicorp/vault 0.16.1 1.8.3 Official HashiCorp Vault Chart
hashicorp/vault 0.16.0 1.8.2 Official HashiCorp Vault Chart
hashicorp/vault 0.15.0 1.8.1 Official HashiCorp Vault Chart
hashicorp/vault 0.14.0 1.8.0 Official HashiCorp Vault Chart
hashicorp/vault 0.13.0 1.7.3 Official HashiCorp Vault Chart
hashicorp/vault 0.12.0 1.7.2 Official HashiCorp Vault Chart
hashicorp/vault 0.11.0 1.7.0 Official HashiCorp Vault Chart
hashicorp/vault 0.10.0 1.7.0 Official HashiCorp Vault Chart
# Install version 0.16.1
$ helm install vault hashicorp/vault --version 0.16.1
# Install version 0.17.0
$ helm install vault hashicorp/vault --version 0.17.0
```

The `helm install` command accepts parameters to override default configuration
Expand Down
11 changes: 6 additions & 5 deletions website/content/docs/platform/k8s/helm/run.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,7 @@ $ helm repo add hashicorp https://helm.releases.hashicorp.com
$ helm search repo hashicorp/vault
NAME CHART VERSION APP VERSION DESCRIPTION
hashicorp/vault 0.16.1 1.8.3 Official HashiCorp Vault Chart
hashicorp/vault 0.17.0 1.8.4 Official HashiCorp Vault Chart
```

-> **Important:** The Helm chart is new and under significant development.
Expand All @@ -72,6 +72,7 @@ Or install a specific version of the chart.
# List the available releases
$ helm search repo hashicorp/vault -l
NAME CHART VERSION APP VERSION DESCRIPTION
hashicorp/vault 0.17.0 1.8.4 Official HashiCorp Vault Chart
hashicorp/vault 0.16.1 1.8.3 Official HashiCorp Vault Chart
hashicorp/vault 0.16.0 1.8.2 Official HashiCorp Vault Chart
hashicorp/vault 0.15.0 1.8.1 Official HashiCorp Vault Chart
Expand All @@ -81,8 +82,8 @@ hashicorp/vault 0.12.0 1.7.2 Official HashiCorp Vault Chart
hashicorp/vault 0.11.0 1.7.0 Official HashiCorp Vault Chart
hashicorp/vault 0.10.0 1.7.0 Official HashiCorp Vault Chart

# Install version 0.16.1
$ helm install vault hashicorp/vault --version 0.16.1
# Install version 0.17.0
$ helm install vault hashicorp/vault --version 0.17.0
```

The `helm install` command accepts parameters to override default configuration
Expand Down Expand Up @@ -425,14 +426,14 @@ Next, list the Helm versions and choose the desired version to install.
```bash
$ helm search repo hashicorp/vault
NAME CHART VERSION APP VERSION DESCRIPTION
hashicorp/vault 0.16.1 1.8.3 Official HashiCorp Vault Chart
hashicorp/vault 0.17.0 1.8.4 Official HashiCorp Vault Chart
```

Next, test the upgrade with `--dry-run` first to verify the changes sent to the
Kubernetes cluster.

```shell-session
$ helm upgrade vault hashicorp/vault --version=0.16.1 \
$ helm upgrade vault hashicorp/vault --version=0.17.0 \
--set='server.image.repository=vault' \
--set='server.image.tag=123.456' \
--dry-run
Expand Down
2 changes: 1 addition & 1 deletion website/content/docs/platform/k8s/injector/annotations.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ them, optional commands to run, etc.

- `vault.hashicorp.com/agent-image` - name of the Vault docker image to use. This
value overrides the default image configured in the controller and is usually
not needed. Defaults to `hashicorp/vault:1.8.3`.
not needed. Defaults to `hashicorp/vault:1.8.4`.

- `vault.hashicorp.com/agent-init-first` - configures the pod to run the Vault Agent
init container first if `true` (last if `false`). This is useful when other init
Expand Down
31 changes: 28 additions & 3 deletions website/content/docs/platform/k8s/injector/installation.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ $ helm repo add hashicorp https://helm.releases.hashicorp.com
$ helm search repo hashicorp/vault
NAME CHART VERSION APP VERSION DESCRIPTION
hashicorp/vault 0.16.1 1.8.3 Official HashiCorp Vault Chart
hashicorp/vault 0.17.0 1.8.4 Official HashiCorp Vault Chart
```

Then install the chart and enable the injection feature by setting the
Expand All @@ -41,8 +41,29 @@ more.

## TLS Options

Admission webhook controllers require TLS to run within Kubernetes. At this time
the Vault Agent Injector supports two TLS options:
Admission webhook controllers require TLS to run within Kubernetes. The Injector
defaults to supporting TLS 1.2 and above, and supports configuring the minimum
supported TLS version and list of enabled cipher suites. These can be set via
the following environment variables:

| Environment variable | Description |
| -------------------- | ----------- |
| `AGENT_INJECT_TLS_MIN_VERSION` | Minimum supported version of TLS. Defaults to **tls12**. Accepted values are `tls10`, `tls11`, `tls12`, or `tls13`. |
| `AGENT_INJECT_TLS_CIPHER_SUITES` | Comma-separated list of enabled [cipher suites][tls-suites] for TLS 1.0-1.2. (Cipher suites are not configurable for TLS 1.3.) |

~> **Warning**: TLS 1.1 and lower are generally considered insecure.

These may be set in a Helm chart deployment via the
[injector.extraEnvironmentVars](/docs/platform/k8s/helm/configuration#extraenvironmentvars)
option:

```bash
helm install vault hashicorp/vault \
--set="injector.extraEnvironmentVars.AGENT_INJECT_TLS_MIN_VERSION=tls13" \
--set="injector.extraEnvironmentVars.AGENT_INJECT_TLS_CIPHER_SUITES=..."
```

The Vault Agent Injector also supports two TLS management options:

- Auto TLS generation (default)
- Manual TLS
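Review bot: The `helm install` example for `AGENT_INJECT_TLS_CIPHER_SUITES` will not work as a comma-separated list via `--set`: Helm's `--set` parser treats an unescaped comma as the separator between key=value pairs, so each literal comma in the suite list must be escaped as `\,` (or the value moved into a values file). Worth stating this next to the example, since the table above describes the variable as comma-separated. The `...` placeholder should also be replaced with a real suite name, or commented as a placeholder. Finally, the table says the default is `tls12` while accepting `tls10` and `tls11`; the adjacent warning that TLS 1.1 and lower are insecure is good, but the prose could say explicitly that lowering the minimum below the default is not recommended.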
Expand All @@ -64,6 +85,8 @@ The following is required to configure TLS manually:

For more information on configuring manual TLS, see the [Vault Helm cert values](/docs/platform/k8s/helm/configuration#certs).

This option may also be used in conjunction with [cert-manager for certificate management](/docs/platform/k8s/helm/examples/injector-tls-cert-manager).

## Multiple Replicas and TLS

The Vault Agent Injector can be run with multiple replicas if using [Manual
Expand Down Expand Up @@ -93,3 +116,5 @@ the injector can work in a namespace selector can be defined to match labels att
to namespaces.

For more information on configuring namespace selection, see the [Vault Helm namespaceSelector value](/docs/platform/k8s/helm/configuration#namespaceselector).

[tls-suites]: https://golang.org/src/crypto/tls/cipher_suites.go
