README.md.gotmpl
{{ template "chart.header" . }}
{{ template "chart.deprecationWarning" . }}
{{ template "chart.badgesSection" . }}
{{ template "chart.description" . }}
This chart is used by the Validated Patterns installation script that can be found [here](https://github.com/validatedpatterns/common/blob/main/scripts/pattern-util.sh).
{{ template "chart.homepageLine" . }}
{{ template "chart.maintainersSection" . }}
{{ template "chart.sourcesSection" . }}
{{ template "chart.requirementsSection" . }}
{{ template "chart.valuesSection" . }}
{{ template "helm-docs.versionFooter" . }}
## Network Policies
This chart supports deploying Kubernetes NetworkPolicies for network isolation
in the vault namespace. Two layers are available:
### Default-deny policy
A namespace-wide default-deny NetworkPolicy that blocks all ingress and egress
traffic for every pod in the vault namespace unless an explicit allow policy
exists. Enable it by setting:
```yaml
defaultDenyNetworkPolicy:
  enabled: true
```
### Per-pod allow rules
The upstream vault subchart includes a `vault.server.networkPolicy` value that
lets you define fine-grained ingress and egress rules for vault server pods.
When combined with the default-deny policy above, only explicitly allowed
traffic can reach or leave vault.
Example — allow ingress from a specific namespace and egress to DNS:
```yaml
vault:
  server:
    networkPolicy:
      enabled: true
      ingress:
        - ports:
            - protocol: TCP
              port: 8200
          from:
            - namespaceSelector:
                matchLabels:
                  kubernetes.io/metadata.name: my-app
      egress:
        - ports:
            - protocol: UDP
              port: 5353
            - protocol: TCP
              port: 5353
          to:
            - namespaceSelector:
                matchLabels:
                  kubernetes.io/metadata.name: openshift-dns
```
Patterns can supply these values via `extraValueFiles` in their
`values-hub.yaml` to keep network policy configuration separate from the main
chart values.
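To make the interaction between the two layers concrete, here is an added example (not code from this chart) that models how Kubernetes evaluates the two NetworkPolicy objects the values above render: a connection to or from a pod is allowed only if some policy selecting that pod has a matching rule, and the default-deny policy selects every pod with no rules at all. The vault pod label used in `podSelector` and the exact shape of the rendered policies are assumptions.

```python
# Added example (not code from the chart): a small model of how Kubernetes combines
# the namespace-wide default-deny policy with the vault.server.networkPolicy allow
# rules. The policies are constructed dicts mirroring what the two values blocks
# render; the vault pod label used in podSelector is an assumption.
NS = "kubernetes.io/metadata.name"
VAULT_POD = {"app.kubernetes.io/name": "vault"}

DEFAULT_DENY = {  # selects every pod and carries no rules, so it allows nothing
    "podSelector": {}, "policyTypes": ["Ingress", "Egress"], "ingress": [], "egress": [],
}
VAULT_ALLOW = {  # what the vault.server.networkPolicy values above render
    "podSelector": {"matchLabels": VAULT_POD},
    "policyTypes": ["Ingress", "Egress"],
    "ingress": [{"ports": [{"protocol": "TCP", "port": 8200}],
                 "from": [{"namespaceSelector": {"matchLabels": {NS: "my-app"}}}]}],
    "egress": [{"ports": [{"protocol": "UDP", "port": 5353}, {"protocol": "TCP", "port": 5353}],
                "to": [{"namespaceSelector": {"matchLabels": {NS: "openshift-dns"}}}]}],
}

def selector_matches(selector, labels):
    """An empty selector matches everything; otherwise every matchLabels entry must match."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def rule_allows(rule, peer_ns_labels, protocol, port):
    """A rule matches when its ports (if listed) and peers (if listed) both match.
    Simplification: only namespaceSelector peers are modelled."""
    ports = rule.get("ports", [])
    port_ok = not ports or any(p["protocol"] == protocol and p["port"] == port for p in ports)
    peers = rule.get("from", rule.get("to", []))
    peer_ok = not peers or any("namespaceSelector" in peer and
                               selector_matches(peer["namespaceSelector"], peer_ns_labels)
                               for peer in peers)
    return port_ok and peer_ok

def allowed(policies, pod_labels, direction, peer_ns_labels, protocol, port):
    """direction is 'ingress' or 'egress'. If no policy selects the pod for that
    direction the traffic is allowed; otherwise it is allowed only when some selecting
    policy has a matching rule (policies only add allows, they never subtract)."""
    selecting = [p for p in policies if selector_matches(p["podSelector"], pod_labels)
                 and direction.capitalize() in p.get("policyTypes", [])]
    if not selecting:
        return True
    return any(rule_allows(r, peer_ns_labels, protocol, port)
               for p in selecting for r in p.get(direction, []))
```

Calling `allowed([DEFAULT_DENY, VAULT_ALLOW], VAULT_POD, "ingress", {NS: "my-app"}, "TCP", 8200)` returns `True`, while the same call with `{NS: "other"}` or with only `DEFAULT_DENY` in the list returns `False`; note that with `VAULT_ALLOW` alone a pod it does not select stays completely unisolated, which is why the default-deny layer matters.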
## Updating the chart
1. Edit Chart.yaml with the new version
2. In the hashicorp-vault folder, run: `helm dependency update .`
3. Run `./update-helm-dependency.sh`
4. Check that the images in ./values.yaml are the same version as [upstream](https://github.com/hashicorp/vault-helm/blob/main/values.openshift.yaml)
5. Git add the new chart in `./charts/vault-<version>.tgz`
## Patches
### Issue 674
In order to be able to use vault ssl we need to patch the helm chart to fix
upstream issue 674. Basically, a single annotation for both the internal and the
non-internal service is a problem: the annotations in the service section are
applied to both the vault and the vault-internal services and there is no way
to distinguish between the two. When deploying to OpenShift and the annotation
is used to request a certificate, this causes a race condition because two
services are trying to modify the same secret (the one containing the
certificate).
This is why we set the following in the values files:
```yaml
nonha:
  # -- Annotation to inject a secret called `vault-secret` to the nonha service
  annotations:
    service.beta.openshift.io/serving-cert-secret-name: vault-secret
internal:
  # -- Annotation to inject a secret called `vault-secret-internal` to the internal service
  annotations:
    service.beta.openshift.io/serving-cert-secret-name: vault-secret-internal
```
Make sure to run `./update-helm-dependency.sh` after you have updated the subchart
(by running `helm dependency update .`).
We can drop this local patch once upstream fixes the bug (which would need reopening,
discussion and a fix).