diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index c5253099677e2cdf03218bee1b4c5c598c6468bb..2fbcbd206a774dbd8a2f55d34ba26b10477a7462 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -2,3 +2,4 @@ include:
 - project: 'platform-one/big-bang/pipeline-templates/pipeline-templates'
 ref: master
 file: '/pipelines/bigbang.yaml'
+
diff --git a/chart/templates/vault/values.yaml b/chart/templates/vault/values.yaml
index 3a69412e3d3ea0fe13381127538782ee4336e21d..bdacc8b9751fe2755ab0ff5c2ff0c0a31f3bc9e5 100644
--- a/chart/templates/vault/values.yaml
+++ b/chart/templates/vault/values.yaml
@@ -5,7 +5,6 @@
 {{- define "bigbang.defaults.vault" -}}
 # hostname is deprecated and replaced with domain. But if hostname exists then use it.
 {{- $domainName := default .Values.domain .Values.hostname }}
-hostname: {{ $domainName }}
 domain: {{ $domainName }}
 openshift: {{ .Values.openshift }}
diff --git a/chart/values.yaml b/chart/values.yaml
index 07db4abd550b2019f6065cd50608caea5c1741f5..cd776ce933f3f9ee3fd18403ec57a923d68ebaf4 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -1343,7 +1343,7 @@ addons:
 git:
 repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/vault.git
 path: "./chart"
- tag: "0.19.0-bb.9"
+ tag: "0.20.0-bb.1"
 # -- Flux reconciliation overrides specifically for the Vault Package
 flux: {}
diff --git a/docs/example_configs/vault-production-values.yaml b/docs/example_configs/vault-production-values.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..cd38071787d1ac0fb1194b5c6fe9bce96d8bb314
--- /dev/null
+++ b/docs/example_configs/vault-production-values.yaml
@@ -0,0 +1,129 @@
+istio:
+ enabled: true
+
+ ingressGateways:
+ passthrough-ingressgateway:
+ type: "LoadBalancer"
+ # nodePortBase: 30200
+
+ gateways:
+ passthrough:
+ ingressGateway: "passthrough-ingressgateway"
+ hosts:
+ - "*.{{ .Values.domain }}"
+ tls:
+ mode: "PASSTHROUGH"
+
+addons:
+ vault:
+ enabled: true
+ ingress:
+ gateway: "passthrough"
+ # provide the Vault TLS cert and key. BigBang will create the secret and volumemount for you
+ # Leave blank to create your own secret and provide values for your own volume and volumemount
+ key: |
+ -----BEGIN PRIVATE KEY-----
+ xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+ xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+ -----END PRIVATE KEY-----
+ cert: |
+ -----BEGIN CERTIFICATE-----
+ xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+ xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+ -----END CERTIFICATE-----
+
+ values:
+ # disable autoInit. It should not be used for operations.
+ autoInit:
+ enabled: false
+
+ global:
+ # this is a double negative. Put "false" to enable TLS for passthrough ingress
+ tlsDisable: false
+
+ injector:
+ extraEnvironmentVars:
+ AGENT_INJECT_VAULT_ADDR: "https://vault.bigbang.dev"
+
+ server:
+ # Increase default resources
+ resources:
+ requests:
+ memory: 8Gi
+ cpu: 2000m
+ limits:
+ memory: 8Gi
+ cpu: 2000m
+
+ # disable the Vault provided ingress so that Istio ingress can be used.
+ ingress:
+ enabled: false
+
+ # Extra environment variable to support high availability
+ extraEnvironmentVars:
+ # the istio gateway domain
+ VAULT_API_ADDR: https://vault.bigbang.dev
+ VAULT_SKIP_VERIFY: "true"
+ VAULT_LOG_FORMAT: "json"
+ VAULT_LICENSE: "your-license-key-goes-here"
+
+ ha:
+ # enable high availability.
+ enabled: true
+ replicas: 3
+
+ # raft is the license free most simple solution for a distributed filesystem
+ raft:
+ enabled: true
+ setNodeId: true
+
+ # these values should be encrypted to prevent the kms_key_id from being revealed
+ config: |
+ ui = true
+
+ listener "tcp" {
+ tls_disable = 0
+ address = "[::]:8200"
+ cluster_address = "[::]:8201"
+ tls_cert_file = "/vault/tls/tls.crt"
+ tls_key_file = "/vault/tls/tls.key"
+ }
+
+ storage "raft" {
+ path = "/vault/data"
+
+ retry_join {
+ leader_api_addr = "https://vault-vault-0.vault-vault-internal:8200"
+ leader_client_cert_file = "/vault/tls/tls.crt"
+ leader_client_key_file = "/vault/tls/tls.key"
+ leader_tls_servername = "vault.bigbang.dev"
+ }
+
+ retry_join {
+ leader_api_addr = "https://vault-vault-1.vault-vault-internal:8200"
+ leader_client_cert_file = "/vault/tls/tls.crt"
+ leader_client_key_file = "/vault/tls/tls.key"
+ leader_tls_servername = "vault.bigbang.dev"
+ }
+
+ retry_join {
+ leader_api_addr = "https://vault-vault-2.vault-vault-internal:8200"
+ leader_client_cert_file = "/vault/tls/tls.crt"
+ leader_client_key_file = "/vault/tls/tls.key"
+ leader_tls_servername = "vault.bigbang.dev"
+ }
+ }
+
+ seal "awskms" {
+ region = "us-gov-west-1"
+ kms_key_id = "your-kms-key-goes-here"
+ endpoint = "https://kms.us-gov-west-1.amazonaws.com"
+ }
+
+ telemetry {
+ prometheus_retention_time = "24h"
+ disable_hostname = true
+ unauthenticated_metrics_access = true
+ }
+
+ service_registration "kubernetes" {}
\ No newline at end of file
diff --git a/tests/test-values.yaml b/tests/test-values.yaml
index 34f1280b0e595d81e9813cfc7dde7740781f127c..3ac53569997369f757387f04e235a0f4d0eb418c 100644
--- a/tests/test-values.yaml
+++ b/tests/test-values.yaml
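Review bot: `VAULT_SKIP_VERIFY: "true"` under `server.extraEnvironmentVars` turns off TLS certificate verification for the `vault` client inside the pod in a file presented as a production example, and nothing in the hunk says why; the same setting is added to tests/test-values.yaml in the `@@ -1300,6 +1311,58 @@` hunk. It looks like a workaround for the listener serving the ingress certificate for `*.{{ .Values.domain }}`, which would not cover the `vault-vault-internal` peer names (presumably also why each `retry_join` sets `leader_tls_servername`), but that is inferred rather than visible here. I would prefer pointing the client at the issuing CA with `VAULT_CACERT`, or at least document the trade-off next to the line, e.g. `# skips TLS verification for the in-pod vault client only; prefer VAULT_CACERT with the issuing CA in production`. The `VAULT_LICENSE` placeholder likewise puts an enterprise license string into plaintext Helm values, and the comment above the raft `config` block already says such values should be encrypted, so the same guidance belongs here.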
@@ -160,6 +160,7 @@ gatekeeper:
 - keycloak/keycloak-cypress-test
 - jaeger/jaeger-operator-cypress-test
 - monitoring/kube-prometheus-stack-cypress-test
+ - vault/vault-cypress-test
 # Allow kyverno test vectors for Helm test
 - default/restrict-host-path-mount-.?
 - default/restrict-host-path-write-.?
@@ -253,6 +254,7 @@ gatekeeper:
 - keycloak/keycloak-cypress-test
 - jaeger/jaeger-operator-cypress-test
 - monitoring/kube-prometheus-stack-cypress-test
+ - vault/vault-cypress-test
 # Allow kyverno test vectors for Helm test
 - default/restrict-host-path-mount-.?
 - default/restrict-host-path-write-.?
@@ -359,6 +361,7 @@ kyvernopolicies:
 - keycloak
 - jaeger
 - monitoring
+ - vault
 names:
 - "*-cypress-test*"
 parameters:
@@ -377,6 +380,7 @@ kyvernopolicies:
 - keycloak
 - jaeger
 - monitoring
+ - vault
 names:
 - "*-cypress-test*"
 parameters:
@@ -410,6 +414,7 @@ kyvernopolicies:
 - keycloak
 - jaeger
 - monitoring
+ - vault
 names:
 - "*-cypress-test*"
 update-image-pull-policy:
@@ -1278,17 +1283,23 @@ addons:
 vault:
 enabled: false
+ ingress:
+ gateway: "passthrough"
+ key: "" # Gets added via chart/ingress-certs.yaml
+ cert: "" # Gets added via chart/ingress-certs.yaml
 sso:
 enabled: false
 client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_vault
 values:
- server:
- dataStorage:
- enabled: true
- size: 256Mi
- auditStorage:
- size: 256Mi
+ autoInit:
+ enabled: true
+ global:
+ tlsDisable: false
 injector:
+ extraEnvironmentVars:
+ VAULT_API_ADDR: https://vault.bigbang.dev
+ certs:
+ secretName: vault-tls
 affinity: |
 podAntiAffinity:
 preferredDuringSchedulingIgnoredDuringExecution:
@@ -1300,6 +1311,58 @@ addons:
 app.kubernetes.io/instance: "{{ .Release.Name }}"
 component: webhook
 topologyKey: kubernetes.io/hostname
+ server:
+ extraEnvironmentVars:
+ VAULT_API_ADDR: https://vault.bigbang.dev #istio GW
+ VAULT_SKIP_VERIFY: "true"
+ VAULT_LOG_FORMAT: "json"
+ dataStorage:
+ enabled: true
+ size: 256Mi
+ auditStorage:
+ size: 256Mi
+ ha:
+ enabled: true
+ replicas: 1
+
+ raft:
+ enabled: true
+ config: |
+ ui = true
+
+ listener "tcp" {
+ tls_disable = 0
+ address = "[::]:8200"
+ cluster_address = "[::]:8201"
+ tls_cert_file = "/vault/tls/tls.crt"
+ tls_key_file = "/vault/tls/tls.key"
+ }
+
+ storage "raft" {
+ path = "/vault/data"
+
+ retry_join {
+ leader_api_addr = "https://vault-vault-0.vault-vault-internal:8200"
+ leader_client_cert_file = "/vault/tls/tls.crt"
+ leader_client_key_file = "/vault/tls/tls.key"
+ leader_tls_servername = "vault.bigbang.dev"
+ }
+ }
+
+ seal "awskms" {
+ region = "us-gov-west-1"
+ kms_key_id = "17c01cdf-2bf9-4f58-9a54-c1c4e4b145be"
+ endpoint = "https://kms.us-gov-west-1.amazonaws.com"
+ }
+
+ telemetry {
+ prometheus_retention_time = "24h"
+ disable_hostname = true
+ unauthenticated_metrics_access = true
+ }
+
+ service_registration "kubernetes" {}
+
 bbtests:
 enabled: true
 cypress:
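Review bot: `kms_key_id = "17c01cdf-2bf9-4f58-9a54-c1c4e4b145be"` in the `seal "awskms"` block commits a concrete KMS key identifier into the test fixture, while the example config added in this same commit comments that these values should be encrypted to keep the kms_key_id from being revealed; the two files should follow one rule. A key id by itself does not grant access, but together with `region` and `endpoint` it pins the Helm test to a single GovCloud key, and the seal presumably needs AWS credentials reachable from the test pod, which nothing in the hunk provides or documents. I would add a comment above the seal such as `# test-only auto-unseal key id; the test pod needs AWS credentials for this key` or source the id from a CI variable. The single `retry_join` to `vault-vault-0` with `replicas: 1` is fine for a test but deserves a one-line comment so it is not copied into the production example, which lists all three peers.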