### Configure Plugin Loading with Extra Init Containers Source: https://context7.com/hashicorp/vault-helm/llms.txt Use `server.extraInitContainers` to download and prepare plugins before Vault starts. This example downloads and installs the oauthapp secrets plugin. ```yaml # values-plugin.yaml server: extraInitContainers: - name: install-oauthapp-plugin image: alpine:3.19 command: [sh, -c] args: - | wget -qO /tmp/plugin.tar.xz \ https://github.com/puppetlabs/vault-plugin-secrets-oauthapp/releases/download/v1.2.0/vault-plugin-secrets-oauthapp-v1.2.0-linux-amd64.tar.xz tar -xf /tmp/plugin.tar.xz -C /tmp mv /tmp/vault-plugin-secrets-oauthapp-v1.2.0-linux-amd64 /usr/local/libexec/vault/oauthapp chmod +x /usr/local/libexec/vault/oauthapp volumeMounts: - name: plugins mountPath: /usr/local/libexec/vault volumes: - name: plugins emptyDir: {} volumeMounts: - name: plugins mountPath: /usr/local/libexec/vault readOnly: true standalone: config: |- ui = true listener "tcp" { tls_disable = 1; address = "[::]:8200" } storage "file" { path = "/vault/data" } plugin_directory = "/usr/local/libexec/vault" ``` -------------------------------- ### Install Bats Core Source: https://github.com/hashicorp/vault-helm/blob/main/CONTRIBUTING.md Installs the Bats testing framework using Homebrew. This is a prerequisite for running tests locally. ```bash brew install bats-core ``` -------------------------------- ### Install yq Source: https://github.com/hashicorp/vault-helm/blob/main/CONTRIBUTING.md Installs the yq command-line YAML processor using Homebrew. This is a prerequisite for running tests locally. ```bash brew install python-yq ``` -------------------------------- ### Install Helm Source: https://github.com/hashicorp/vault-helm/blob/main/CONTRIBUTING.md Installs the Helm package manager using Homebrew. This is a prerequisite for running acceptance tests locally. ```bash brew install kubernetes-helm ``` -------------------------------- ### Install Vault in Dev Mode Source: https://context7.com/hashicorp/vault-helm/llms.txt Runs a pre-initialized, in-memory Vault instance for local experimentation. Data is lost on restart. ```bash helm install vault hashicorp/vault \ --set server.dev.enabled=true \ --set server.dev.devRootToken=root \ --namespace vault --create-namespace # Log in immediately — no init or unseal needed kubectl exec -n vault vault-0 -- vault login root # Expected output: # Success! You are now authenticated. The token information displayed below # is already stored in the token helper. You do NOT need to run "vault login" # again. Future Vault requests will automatically use this token. ``` -------------------------------- ### Install Vault Standalone Source: https://context7.com/hashicorp/vault-helm/llms.txt Installs a single-node Vault server with file-based storage and TLS disabled. Requires Helm 3.6+ and Kubernetes 1.20+. ```bash helm repo add hashicorp https://helm.releases.hashicorp.com helm repo update helm install vault hashicorp/vault \ --namespace vault \ --create-namespace # Verify the StatefulSet and service are up kubectl get statefulset,svc -n vault # NAME READY AGE # statefulset.apps/vault 1/1 2m # NAME TYPE CLUSTER-IP PORT(S) # service/vault ClusterIP 10.96.42.1 8200/TCP,8201/TCP # service/vault-internal ClusterIP None 8200/TCP,8201/TCP # Initialize and unseal kubectl exec -n vault vault-0 -- vault operator init kubectl exec -n vault vault-0 -- vault operator unseal ``` -------------------------------- ### Install Vault HA with Integrated Raft Source: https://context7.com/hashicorp/vault-helm/llms.txt Deploys a 3-replica Vault cluster using Raft for HA and storage. Each pod gets a PVC. A PodDisruptionBudget is created automatically. ```bash helm install vault hashicorp/vault \ --namespace vault --create-namespace \ --set server.ha.enabled=true \ --set server.ha.raft.enabled=true \ --set server.ha.replicas=3 \ --set server.ha.raft.setNodeId=true # Initialize from the first pod only kubectl exec -n vault vault-0 -- vault operator init \ -key-shares=5 -key-threshold=3 # Unseal all three pods for pod in vault-0 vault-1 vault-2; do kubectl exec -n vault $pod -- vault operator unseal kubectl exec -n vault $pod -- vault operator unseal kubectl exec -n vault $pod -- vault operator unseal done # Join replicas to the Raft cluster (run on vault-1 and vault-2) kubectl exec -n vault vault-1 -- vault operator raft join http://vault-0.vault-internal:8200 kubectl exec -n vault vault-2 -- vault operator raft join http://vault-0.vault-internal:8200 ``` -------------------------------- ### Add HashiCorp Helm Repository and Install Vault Source: https://github.com/hashicorp/vault-helm/blob/main/README.md Add the HashiCorp Helm repository to your Helm configuration and then install the Vault chart. Ensure you have Helm 3.6+ and Kubernetes 1.29+. ```bash helm repo add hashicorp https://helm.releases.hashicorp.com "hashicorp" has been added to your repositories helm install vault hashicorp/vault ``` -------------------------------- ### Example Application Pod for Injection Source: https://context7.com/hashicorp/vault-helm/llms.txt An example Kubernetes Pod definition that opts into Vault Agent sidecar injection via annotations. It specifies the role, secrets to inject, and a template for rendering secrets. ```yaml # Example application pod that triggers injection apiVersion: v1 kind: Pod metadata: name: app annotations: vault.hashicorp.com/agent-inject: "true" vault.hashicorp.com/role: "my-app" vault.hashicorp.com/agent-inject-secret-config: "secret/data/myapp/config" vault.hashicorp.com/agent-inject-template-config: | {{- with secret "secret/data/myapp/config" -}} export DB_PASSWORD="{{ .Data.data.password }}" {{- end }} spec: containers: - name: app image: myapp:latest command: ["/bin/sh", "-c", "source /vault/secrets/config && ./myapp"] ``` -------------------------------- ### Render Vault Helm Chart Manifests Locally Source: https://context7.com/hashicorp/vault-helm/llms.txt Use `helm template` to inspect Kubernetes manifests without installation. Supports standalone, HA+Raft configurations, and custom values files. ```bash # Render standalone defaults helm template vault hashicorp/vault \ --namespace vault \ --set server.standalone.enabled=true ``` ```bash # Render HA + Raft configuration helm template vault hashicorp/vault \ --namespace vault \ --set server.ha.enabled=true \ --set server.ha.raft.enabled=true \ --set server.ha.replicas=3 ``` ```bash # Render with a custom values file and save output helm template vault hashicorp/vault \ -f values-production.yaml \ --namespace vault > vault-manifests.yaml ``` ```bash # Lint before upgrading helm lint hashicorp/vault -f values-production.yaml ``` -------------------------------- ### Run Specific Bats Unit Tests in Docker Source: https://github.com/hashicorp/vault-helm/blob/main/CONTRIBUTING.md Runs bats unit tests within the Docker container, filtered by a regular expression. This example filters for tests containing 'injector'. ```shell docker run -it --rm -v "${PWD}:/test" vault-helm-test bats /test/test/unit -f "injector" ``` -------------------------------- ### Upgrade Helm and Get UI Service IP Source: https://context7.com/hashicorp/vault-helm/llms.txt Upgrade the Vault Helm release with UI configuration and retrieve the external IP address of the LoadBalancer service to access the Vault UI. ```bash helm upgrade vault hashicorp/vault -f values-ui.yaml -n vault # Get the LoadBalancer external IP kubectl get svc -n vault vault-ui # NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) # vault-ui LoadBalancer 10.96.4.200 203.0.113.10 8200:30123/TCP # Access the UI open http://203.0.113.10:8200/ui ``` -------------------------------- ### Configure Kubernetes Auth Method Source: https://context7.com/hashicorp/vault-helm/llms.txt Set up the Kubernetes auth method in Vault, providing the Kubernetes host details. ```bash kubectl exec -n vault vault-0 -- vault auth enable kubernetes kubectl exec -n vault vault-0 -- vault write auth/kubernetes/config \ kubernetes_host="https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT" ``` -------------------------------- ### Deploy Vault Enterprise with License Source: https://context7.com/hashicorp/vault-helm/llms.txt Commands to create the license secret, upgrade the Vault deployment with the enterprise license configuration, and verify the license is loaded. ```bash # Create the license secret kubectl create secret generic vault-enterprise-license \ --from-file=license=./vault.hclic -n vault helm upgrade vault hashicorp/vault -f values-enterprise.yaml -n vault # Verify license is loaded kubectl exec -n vault vault-0 -- vault license get ``` -------------------------------- ### Run Vault Helm Acceptance Tests in GKE Source: https://github.com/hashicorp/vault-helm/blob/main/test/README.md Use these make targets to provision a GKE cluster, run acceptance tests, and tear down the cluster. Ensure GOOGLE_CREDENTIALS and CLOUDSDK_CORE_PROJECT are set. ```bash make test-image make test-provision make test-acceptance ``` ```bash make test-destroy ``` -------------------------------- ### Run Acceptance Tests Locally Source: https://github.com/hashicorp/vault-helm/blob/main/CONTRIBUTING.md Executes the acceptance tests using the Bats testing framework directly on your workstation. Requires a configured Kubernetes cluster. ```bash bats ./test/acceptance ``` -------------------------------- ### Build Docker Image for Tests Source: https://github.com/hashicorp/vault-helm/blob/main/CONTRIBUTING.md Builds the Docker image required for running bats tests. Ensure you are in the vault-helm directory. ```shell docker build -f ${PWD}/test/docker/Test.dockerfile ${PWD}/test/docker/ -t vault-helm-test ``` -------------------------------- ### Configure Vault Agent Lifecycle Hooks Source: https://context7.com/hashicorp/vault-helm/llms.txt Sets `preStopSleepSeconds` for graceful shutdown and defines `postStart` and `preStop` lifecycle hooks for Vault Agent initialization and shutdown procedures. Also sets extra environment variables. ```yaml # values-lifecycle.yaml server: preStopSleepSeconds: 10 postStart: - /bin/sh - -c - | sleep 5 vault login $VAULT_TOKEN vault audit enable file file_path=/vault/audit/audit.log preStop: - /bin/sh - -c - vault token revoke -self || true; sleep 10; kill -SIGTERM $(pidof vault) extraEnvironmentVars: VAULT_TOKEN: "s.my-bootstrap-token" ``` -------------------------------- ### Upgrade Vault with Storage Configuration Source: https://context7.com/hashicorp/vault-helm/llms.txt Apply the storage configuration to the Vault Helm deployment. ```bash helm upgrade vault hashicorp/vault -f values-storage.yaml -n vault ``` -------------------------------- ### Test Custom Resource Limits Source: https://github.com/hashicorp/vault-helm/blob/main/CONTRIBUTING.md Verifies that custom memory limit values are correctly rendered for the server standalone StatefulSet. It uses '--set' to configure resource limits and 'yq' to extract the memory value. ```shell local actual=$(helm template \ --show-only templates/server-statefulset.yaml \ --set 'server.standalone.enabled=true' \ --set 'server.resources.limits.memory=256Mi' \ --set 'server.resources.limits.cpu=250m' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].resources.limits.memory' | tee /dev/stderr) [ "${actual}" = "256Mi" ] ``` -------------------------------- ### Verify Network Policy Source: https://context7.com/hashicorp/vault-helm/llms.txt Check the created NetworkPolicy resources in the Vault namespace. ```bash kubectl get networkpolicy -n vault ``` -------------------------------- ### Test Case Naming Convention Source: https://github.com/hashicorp/vault-helm/blob/main/CONTRIBUTING.md Follow this naming convention for individual test cases, specifying the section and a brief description. ```shell @test "
: " { ``` -------------------------------- ### Upgrade Vault with Network Policy Configuration Source: https://context7.com/hashicorp/vault-helm/llms.txt Apply the network policy configuration to the Vault Helm deployment. ```bash helm upgrade vault hashicorp/vault -f values-netpol.yaml -n vault ``` -------------------------------- ### Create TLS Secret and Upgrade Helm Source: https://context7.com/hashicorp/vault-helm/llms.txt Create a Kubernetes TLS secret from certificate and key files, then upgrade the Vault Helm release with the custom TLS configuration. ```bash # Create the TLS secret (e.g., from cert-manager Certificate resource output) kubectl create secret tls vault-injector-tls \ --cert=injector.crt --key=injector.key -n vault helm upgrade vault hashicorp/vault -f values-injector-tls.yaml -n vault ``` -------------------------------- ### Run Unit Tests Locally Source: https://github.com/hashicorp/vault-helm/blob/main/CONTRIBUTING.md Executes the unit tests using the Bats testing framework directly on your workstation. Does not require a Kubernetes cluster. ```bash bats ./test/unit ``` -------------------------------- ### Run Vault Helm Acceptance Tests in kind Cluster Source: https://github.com/hashicorp/vault-helm/blob/main/test/README.md Execute acceptance tests locally within a kind cluster. You can specify a custom cluster name or K8S version using environment variables. ```bash make test-acceptance LOCAL_ACCEPTANCE_TESTS=true ``` ```bash make delete-kind ``` -------------------------------- ### Test Default Service Type Source: https://github.com/hashicorp/vault-helm/blob/main/CONTRIBUTING.md Verifies that the 'ui.serviceType' is null by default. It uses 'helm template' to render the 'ui-service.yaml' and 'yq' to extract '.spec.type' for comparison. ```shell cd `chart_dir` local actual=$(helm template \ --show-only templates/ui-service.yaml \ . | tee /dev/stderr | yq -r '.spec.type' | tee /dev/stderr) [ "${actual}" = "null" ] ``` -------------------------------- ### Configure Pod to Use CSI Volume Source: https://context7.com/hashicorp/vault-helm/llms.txt Mount a CSI volume into a pod to access secrets managed by Vault. The volume uses the `secrets-store.csi.k8s.io` driver and references the `SecretProviderClass`. ```yaml apiVersion: v1 kind: Pod metadata: name: app-csi spec: containers: - name: app image: myapp:latest volumeMounts: - name: secrets mountPath: /mnt/secrets readOnly: true volumes: - name: secrets csi: driver: secrets-store.csi.k8s.io readOnly: true volumeAttributes: secretProviderClass: "vault-db-creds" ``` -------------------------------- ### Upgrade Helm and Verify ServiceMonitor Source: https://context7.com/hashicorp/vault-helm/llms.txt Upgrade the Vault Helm release with monitoring configurations and verify that the `ServiceMonitor` resource is created and picked up by Prometheus. ```bash helm upgrade vault hashicorp/vault -f values-monitoring.yaml -n vault # Verify ServiceMonitor is picked up by Prometheus kubectl get servicemonitor -n vault # NAME AGE # vault 2m ``` -------------------------------- ### Configure Prometheus ServiceMonitor and Rules Source: https://context7.com/hashicorp/vault-helm/llms.txt Enable `serverTelemetry.serviceMonitor` to create a `ServiceMonitor` CRD for Prometheus. Configure `serverTelemetry.prometheusRules` to define alerts based on Vault metrics. ```yaml serverTelemetry: serviceMonitor: enabled: true interval: 30s scrapeTimeout: 10s selectors: release: kube-prometheus-stack # To scrape all pods including standbys (HA + Enterprise): # matchLabels: # vault-internal: "true" metricRelabelings: - sourceLabels: [__name__] regex: "vault_core_.*" action: keep prometheusRules: enabled: true selectors: release: kube-prometheus-stack rules: - alert: VaultSealed expr: vault_core_unsealed == 0 for: 5m labels: severity: critical annotations: message: "Vault pod {{ $labels.pod }} is sealed." - alert: VaultHighResponseTime expr: vault_core_handle_request{quantile="0.5"} > 500 for: 5m labels: severity: warning annotations: message: "Vault p50 response time > 500ms." ``` -------------------------------- ### Test Header Formatting Source: https://github.com/hashicorp/vault-helm/blob/main/CONTRIBUTING.md Use this format for headers in test files to indicate the section being tested. ```shell #-------------------------------------------------------------------- # annotations ``` -------------------------------- ### Create Role for Kubernetes Auth Source: https://context7.com/hashicorp/vault-helm/llms.txt Define a role for the Kubernetes auth method, specifying bound service accounts, namespaces, and policies. ```bash kubectl exec -n vault vault-0 -- vault write auth/kubernetes/role/my-app \ bound_service_account_names=my-app \ bound_service_account_namespaces=default \ policies=my-app-policy \ ttl=24h ``` -------------------------------- ### Run Helm Test for Vault Release Source: https://github.com/hashicorp/vault-helm/blob/main/test/README.md Execute a standard Helm test against a deployed Vault Helm release. Replace with the actual name of your Helm release. ```bash helm test ``` -------------------------------- ### Upgrade Vault with Service Account Configuration Source: https://context7.com/hashicorp/vault-helm/llms.txt Apply the service account configuration to the Vault Helm deployment. ```bash helm upgrade vault hashicorp/vault -f values-serviceaccount.yaml -n vault ``` -------------------------------- ### Configure Vault for OpenShift Source: https://context7.com/hashicorp/vault-helm/llms.txt Enables OpenShift specific configurations, including TLS settings and volume mounts for service CA certificates. Requires `helm upgrade` to apply. ```yaml global: openshift: true tlsDisable: false server: serviceCA: enabled: true secretName: "vault-tls" configMapName: "service-ca-bundle" volumes: - name: vault-tls secret: secretName: vault-tls - name: service-ca-bundle configMap: name: service-ca-bundle volumeMounts: - name: vault-tls mountPath: /vault/userconfig/vault-tls readOnly: true - name: service-ca-bundle mountPath: /vault/userconfig/service-ca-bundle readOnly: true ha: enabled: true raft: enabled: true config: | ui = true listener "tcp" { tls_disable = 0 address = "[::]:8200" cluster_address = "[::]:8201" tls_cert_file = "/vault/userconfig/vault-tls/tls.crt" tls_key_file = "/vault/userconfig/vault-tls/tls.key" tls_client_ca_file = "/vault/userconfig/service-ca-bundle/service-ca.crt" } storage "raft" { path = "/vault/data" } service_registration "kubernetes" {} ``` -------------------------------- ### Configure Vault TLS and Auto-unseal with GCP KMS Source: https://context7.com/hashicorp/vault-helm/llms.txt Enable TLS on the Vault listener and configure Google Cloud KMS for auto-unsealing. GCP credentials must be provided via a Kubernetes Secret. ```yaml global: tlsDisable: false server: extraSecretEnvironmentVars: - envName: GOOGLE_APPLICATION_CREDENTIALS secretName: gcp-kms-creds secretKey: credentials.json extraVolumes: - type: secret name: vault-tls standalone: config: |- ui = true listener "tcp" { address = "[::]:8200" tls_cert_file = "/vault/userconfig/vault-tls/tls.crt" tls_key_file = "/vault/userconfig/vault-tls/tls.key" } storage "file" { path = "/vault/data" } seal "gcpckms" { project = "my-gcp-project" region = "global" key_ring = "vault-helm-unseal-kr" crypto_key = "vault-helm-unseal-key" } ``` ```bash # Create the TLS secret first kubectl create secret tls vault-tls \ --cert=tls.crt --key=tls.key -n vault # Create GCP credentials secret kubectl create secret generic gcp-kms-creds \ --from-file=credentials.json=./sa-key.json -n vault helm upgrade vault hashicorp/vault -f values-tls-gcpkms.yaml -n vault ``` -------------------------------- ### Run Vault Helm Chart Verification Tests Source: https://github.com/hashicorp/vault-helm/blob/main/test/README.md Verify the Vault Helm chart using chart-verifier. This can be done by having chart-verifier in your PATH or by using the official Docker container. ```bash bats test/chart/verifier.bats ``` ```bash USE_DOCKER=true bats test/chart/verifier.bats ``` -------------------------------- ### Run All Bats Unit Tests in Docker Source: https://github.com/hashicorp/vault-helm/blob/main/CONTRIBUTING.md Executes all bats unit tests within the Docker container. Mounts the local vault-helm directory into the container. ```shell docker run -it --rm -v "${PWD}:/test" vault-helm-test bats /test/test/unit ``` -------------------------------- ### Enable File Audit Device Source: https://context7.com/hashicorp/vault-helm/llms.txt Enable the file audit device after Vault is unsealed, specifying the path for audit logs. ```bash kubectl exec -n vault vault-0 -- \ vault audit enable file file_path=/vault/audit/vault_audit.log ``` -------------------------------- ### Configure Vault Standalone Deployment Source: https://context7.com/hashicorp/vault-helm/llms.txt Use this configuration for a simple, single-instance Vault deployment. It specifies image details, resource requests and limits, and storage configurations for data and audit logs. ```yaml server: enabled: true standalone: enabled: true config: |- ui = true listener "tcp" { tls_disable = 1 address = "[::]:8200" cluster_address = "[::]:8201" telemetry { unauthenticated_metrics_access = "true" } } storage "file" { path = "/vault/data" } telemetry { prometheus_retention_time = "30s" disable_hostname = true } image: repository: hashicorp/vault tag: "1.21.2" pullPolicy: IfNotPresent resources: requests: memory: 256Mi cpu: 250m limits: memory: 512Mi cpu: 500m dataStorage: enabled: true size: 20Gi storageClass: "fast-ssd" accessMode: ReadWriteOnce auditStorage: enabled: true size: 10Gi updateStrategyType: "OnDelete" logLevel: "info" logFormat: "json" ``` ```bash helm upgrade vault hashicorp/vault -f values-standalone.yaml -n vault ``` -------------------------------- ### Upgrade Vault deployment on OpenShift Source: https://context7.com/hashicorp/vault-helm/llms.txt Command to upgrade the Vault deployment using Helm with the specified values file for OpenShift. ```bash helm upgrade vault hashicorp/vault -f values-openshift.yaml -n vault # The service-ca operator populates vault-tls secret automatically after the # service is annotated; no manual cert creation needed. ``` -------------------------------- ### Test Specified Service Type Source: https://github.com/hashicorp/vault-helm/blob/main/CONTRIBUTING.md Checks if a specific service type, like 'LoadBalancer', is rendered when specified via '--set'. It renders 'ui-service.yaml' and asserts the '.spec.type' value. ```shell cd `chart_dir` local actual=$(helm template \ --show-only templates/ui-service.yaml \ --set 'ui.serviceType=LoadBalancer' \ . | tee /dev/stderr | yq -r '.spec.type' | tee /dev/stderr) [ "${actual}" = "LoadBalancer" ] ``` -------------------------------- ### Configure Service Account for Vault Source: https://context7.com/hashicorp/vault-helm/llms.txt Define ServiceAccount creation, token generation, and IAM role binding for Vault using `server.serviceAccount` in `values-serviceaccount.yaml`. ```yaml # values-serviceaccount.yaml server: serviceAccount: create: true name: "vault" createSecret: false # Set true for pre-1.24 clusters needing a static token annotations: eks.amazonaws.com/role-arn: "arn:aws:iam::123456789:role/vault-role" serviceDiscovery: enabled: true # Grants get/list/watch on pods/services for service_registration authDelegator: enabled: true ``` -------------------------------- ### Configure SecretProviderClass for Vault CSI Source: https://context7.com/hashicorp/vault-helm/llms.txt Define a `SecretProviderClass` to mount Vault secrets using the CSI driver. Specify the Vault address, role name, and the objects to retrieve from Vault. ```yaml apiVersion: secrets-store.csi.x-k8s.io/v1 kind: SecretProviderClass metadata: name: vault-db-creds spec: provider: vault parameters: vaultAddress: "http://vault.vault.svc:8200" roleName: "my-app" objects: | - objectName: "db-password" secretPath: "secret/data/myapp/db" secretKey: "password" ``` -------------------------------- ### Generate Vault Helm Values Schema Source: https://github.com/hashicorp/vault-helm/blob/main/test/README.md Generate the values.schema.json file for the Vault Helm chart using the make target. This process may require manual adjustments for multi-type properties. ```bash make values-schema ``` -------------------------------- ### Query Vault Metrics Source: https://context7.com/hashicorp/vault-helm/llms.txt Port-forward to the Vault service and query Prometheus metrics to check if Vault is unsealed. ```bash kubectl port-forward -n vault vault-0 8200 curl http://localhost:8200/v1/sys/metrics?format=prometheus | grep vault_core_unsealed ``` -------------------------------- ### Test Disabled Deployment Rendering Source: https://github.com/hashicorp/vault-helm/blob/main/CONTRIBUTING.md Ensures that a specific template file ('syncCatalog/Deployment') is not rendered when a global disable flag is set. It checks the length of the 'helm template' output using 'yq'. ```shell cd `chart_dir` local actual=$( (helm template \ --show-only templates/server-statefulset.yaml \ --set 'global.enabled=false' \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] ``` -------------------------------- ### Configure Persistent Storage for Vault Source: https://context7.com/hashicorp/vault-helm/llms.txt Define PersistentVolumeClaim templates for Vault's data and audit logs using `server.dataStorage` and `server.auditStorage` in `values-storage.yaml`. ```yaml # values-storage.yaml server: dataStorage: enabled: true size: 50Gi storageClass: "premium-rwo" accessMode: ReadWriteOnce annotations: backup.velero.io/backup-volumes: "data" labels: environment: production auditStorage: enabled: true size: 20Gi storageClass: "standard" mountPath: "/vault/audit" persistentVolumeClaimRetentionPolicy: whenDeleted: Retain whenScaled: Retain ``` -------------------------------- ### Test Vault Ingress access Source: https://context7.com/hashicorp/vault-helm/llms.txt Command to upgrade Vault with Ingress configuration and then test access to the Vault health endpoint. ```bash helm upgrade vault hashicorp/vault -f values-ingress.yaml -n vault curl https://vault.example.com/v1/sys/health # {"initialized":true,"sealed":false,"standby":false,...} ``` -------------------------------- ### Test Custom Resource Requests Source: https://github.com/hashicorp/vault-helm/blob/main/CONTRIBUTING.md Validates that custom memory request values are correctly rendered for the server standalone StatefulSet. It uses '--set' to configure resource requests and 'yq' to extract the memory value. ```shell cd `chart_dir` local actual=$(helm template \ --show-only templates/server-statefulset.yaml \ --set 'server.standalone.enabled=true' \ --set 'server.resources.requests.memory=256Mi' \ --set 'server.resources.requests.cpu=250m' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].resources.requests.memory' | tee /dev/stderr) [ "${actual}" = "256Mi" ] ``` -------------------------------- ### Configure Vault UI Service Source: https://context7.com/hashicorp/vault-helm/llms.txt Enable and configure the Vault web UI service by setting `ui.enabled` to true. Customize the `serviceType`, ports, and load balancer settings. `activeVaultPodOnly: true` restricts the service to the active HA node. ```yaml ui: enabled: true serviceType: LoadBalancer externalPort: 8200 targetPort: 8200 activeVaultPodOnly: false publishNotReadyAddresses: true externalTrafficPolicy: Local loadBalancerSourceRanges: - 10.0.0.0/8 annotations: service.beta.kubernetes.io/aws-load-balancer-type: nlb ``` -------------------------------- ### Configure Vault CSI Provider Source: https://context7.com/hashicorp/vault-helm/llms.txt Enable and configure the Vault CSI provider by setting `csi.enabled` to true. Specify image details, log level, and DaemonSet configurations. Optionally enable the Vault Agent sidecar for token caching and lease renewals. ```yaml csi: enabled: true image: repository: hashicorp/vault-csi-provider tag: "1.7.0" logLevel: "info" daemonSet: providersDir: "/var/run/secrets-store-csi-providers" kubeletRootDir: "/var/lib/kubelet" updateStrategy: type: RollingUpdate agent: enabled: true image: repository: hashicorp/vault tag: "1.21.2" logLevel: info resources: requests: cpu: 50m memory: 128Mi limits: cpu: 50m memory: 128Mi ``` -------------------------------- ### Configure Network Policy for Vault Source: https://context7.com/hashicorp/vault-helm/llms.txt Define ingress and egress rules for Vault pods using `server.networkPolicy` in `values-netpol.yaml`. ```yaml # values-netpol.yaml server: networkPolicy: enabled: true ingress: - from: - namespaceSelector: matchLabels: kubernetes.io/metadata.name: my-app-ns - namespaceSelector: matchLabels: kubernetes.io/metadata.name: monitoring ports: - port: 8200 protocol: TCP - port: 8201 protocol: TCP egress: - to: - ipBlock: cidr: 10.0.0.0/8 ports: - protocol: TCP port: 8500 # Consul ``` -------------------------------- ### Configure Vault HA with Consul Backend Source: https://context7.com/hashicorp/vault-helm/llms.txt Deploy Vault in High Availability mode with Consul as the storage backend. This configuration requires an existing Consul cluster and sets up 3 Vault replicas. ```yaml server: ha: enabled: true replicas: 3 config: | ui = true listener "tcp" { tls_disable = 1 address = "[::]:8200" cluster_address = "[::]:8201" } storage "consul" { path = "vault" address = "HOST_IP:8500" } service_registration "kubernetes" {} disruptionBudget: enabled: true maxUnavailable: 1 affinity: | podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchLabels: app.kubernetes.io/name: vault component: server topologyKey: kubernetes.io/hostname ``` ```bash helm upgrade vault hashicorp/vault -f values-ha-consul.yaml -n vault ``` -------------------------------- ### Upgrade and Rollback Vault Helm Chart Source: https://context7.com/hashicorp/vault-helm/llms.txt Manage Vault releases using `helm upgrade` and `helm rollback`. Note the `OnDelete` update strategy requires manual pod deletion for config changes. The `helm-diff` plugin can preview changes. ```bash # Check what will change helm diff upgrade vault hashicorp/vault -f values.yaml -n vault # requires helm-diff plugin ``` ```bash # Upgrade the chart helm upgrade vault hashicorp/vault \ --namespace vault \ --version 0.32.0 \ -f values-production.yaml ``` ```bash # With OnDelete strategy, manually delete pods to pick up the new config kubectl delete pod vault-0 -n vault # StatefulSet recreates it kubectl delete pod vault-1 -n vault kubectl delete pod vault-2 -n vault ``` ```bash # Roll back to the previous release if something goes wrong helm rollback vault 0 -n vault ``` ```bash # List release history helm history vault -n vault ``` -------------------------------- ### Configure Vault Agent Sidecar Injector Source: https://context7.com/hashicorp/vault-helm/llms.txt Enables the mutating webhook for automatic Vault Agent sidecar injection into pods. Configures replicas, leader election, log level, agent defaults, and webhook settings. Requires `helm upgrade` to apply. ```yaml # values-injector.yaml injector: enabled: true replicas: 2 leaderElector: enabled: true logLevel: "info" logFormat: "json" revokeOnShutdown: true authPath: "auth/kubernetes" agentDefaults: cpuLimit: "500m" cpuRequest: "250m" memLimit: "128Mi" memRequest: "64Mi" template: "map" templateConfig: exitOnRetryFailure: true staticSecretRenderInterval: "30s" webhook: failurePolicy: Ignore timeoutSeconds: 30 namespaceSelector: matchLabels: vault-injection: enabled ``` -------------------------------- ### Configure Vault for Prometheus Metrics Source: https://context7.com/hashicorp/vault-helm/llms.txt Configure Vault's listener to expose metrics with `unauthenticated_metrics_access = "true"`. This is required for Prometheus ServiceMonitor auto-discovery. ```yaml server: standalone: config: |- ui = true listener "tcp" { tls_disable = 1 address = "[::]:8200" telemetry { unauthenticated_metrics_access = "true" } } storage "file" { path = "/vault/data" } telemetry { prometheus_retention_time = "30s" disable_hostname = true } ``` -------------------------------- ### Configure Vault Server Standalone Source: https://context7.com/hashicorp/vault-helm/llms.txt Controls the Vault StatefulSet for single-replica standalone mode. `server.standalone.config` is an HCL or JSON string written to a ConfigMap. ```yaml # values-standalone.yaml server: standalone: config: | ui = true listener "tcp" { tls_disable = 1 } storage "file" { path = "/vault/data" } service_registration "kubernetes" {} ``` -------------------------------- ### Verify Persistent Volume Claims Source: https://context7.com/hashicorp/vault-helm/llms.txt Check the status and details of the PVCs created for Vault's data and audit logs. ```bash kubectl get pvc -n vault ``` -------------------------------- ### Configure Vault Ingress Source: https://context7.com/hashicorp/vault-helm/llms.txt Enables and configures Kubernetes Ingress for Vault, specifying the ingress class, path type, and host. Routes traffic to the active service in HA mode. Requires `helm upgrade` to apply. ```yaml # values-ingress.yaml server: ingress: enabled: true ingressClassName: "nginx" pathType: Prefix activeService: true # Routes to vault-active service in HA mode annotations: nginx.ingress.kubernetes.io/backend-protocol: "HTTP" cert-manager.io/cluster-issuer: "letsencrypt-prod" hosts: - host: vault.example.com paths: - / tls: - secretName: vault-tls hosts: - vault.example.com ``` -------------------------------- ### Configure Custom TLS for Injector Source: https://context7.com/hashicorp/vault-helm/llms.txt Set `injector.certs.secretName` to use a custom TLS certificate for the injector. Ensure the secret contains the CA bundle, certificate, and key. ```yaml injector: certs: secretName: "vault-injector-tls" caBundle: "" certName: tls.crt keyName: tls.key ``` -------------------------------- ### Configure Vault Enterprise License Source: https://context7.com/hashicorp/vault-helm/llms.txt Specifies the Kubernetes Secret containing the Vault Enterprise license and the key within the secret. The license path is exported as `VAULT_LICENSE_PATH`. ```yaml # values-enterprise.yaml server: enterpriseLicense: secretName: "vault-enterprise-license" secretKey: "license" ``` -------------------------------- ### Configure Global Vault Chart Values Source: https://context7.com/hashicorp/vault-helm/llms.txt Top-level switches affecting all chart components. Setting `global.enabled=false` disables all components unless explicitly enabled. ```yaml # values-global.yaml global: enabled: true # Master on/off for all components namespace: "vault" # Override Helm release namespace tlsDisable: true # Set false to enable end-to-end TLS on port 8200 externalVaultAddr: "" # Point injector/CSI at an existing Vault outside this chart openshift: false # Enables OpenShift-specific defaults (drops securityContext, enables routes) imagePullSecrets: - name: my-registry-secret psp: enable: false serverTelemetry: prometheusOperator: false # Shortcut to enable ServiceMonitor via global flag ``` ```bash helm upgrade vault hashicorp/vault -f values-global.yaml -n vault ``` -------------------------------- ### Configure Vault HA Raft with Enterprise Redundancy Zones Source: https://context7.com/hashicorp/vault-helm/llms.txt Set up Vault in HA mode using the Raft storage backend, leveraging Enterprise Redundancy Zones. This requires Kubernetes 1.35+ and nodes labeled with topology.kubernetes.io/zone. It automatically sets VAULT_REDUNDANCY_ZONE from the pod's topology label. ```yaml server: ha: enabled: true replicas: 6 raft: enabled: true setNodeId: true redundancyZones: enabled: true # Requires k8s >= 1.35, nodes labeled topology.kubernetes.io/zone config: | ui = true listener "tcp" { tls_disable = 1 address = "[::]:8200" cluster_address = "[::]:8201" } storage "raft" { path = "/vault/data" autopilot_redundancy_zone = "VAULT_REDUNDANCY_ZONE" } service_registration "kubernetes" {} topologySpreadConstraints: - maxSkew: 1 topologyKey: topology.kubernetes.io/zone whenUnsatisfiable: DoNotSchedule labelSelector: matchLabels: component: server ``` ```bash helm upgrade vault hashicorp/vault -f values-redundancy-zones.yaml -n vault # Verify zone labels propagated to pods kubectl get pods -n vault -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.metadata.labels.topology\.kubernetes\.io/zone}{"\n"}{end}' ``` -------------------------------- ### Configure Vault for OpenShift with service-ca Operator Source: https://context7.com/hashicorp/vault-helm/llms.txt This configuration automates TLS certificate issuance for Vault on OpenShift using the service-ca operator. The operator injects a signed TLS certificate into a Secret and a CA bundle into a ConfigMap. ```yaml # values-openshift.yaml server: ha: enabled: true replicas: 3 config: | ui = true listener "tcp" { address = "[::]:8200" cluster_address = "[::]:8201" } storage "raft" { path = "/vault/data" } service_registration "kubernetes" { # Use the service-ca operator to issue TLS certificates # See https://github.com/cert-manager/cert-manager/blob/master/docs/usage/ingress.md#openshift-routes ca_bundle = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" cert_file = "/etc/tls/private/tls.crt" key_file = "/etc/tls/private/tls.key" } # Mount the CA bundle from the service-ca operator extraVolumes: - type: configMap name: service-ca.crt mountPath: /etc/ssl/certs/ca-certificates.crt subPath: service-ca.crt # Mount the TLS certificate and key from the service-ca operator extraVolumes: - type: secret name: vault-tls mountPath: /etc/tls/private readOnly: true ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.