starlingx/vault-armada-app
Code Issues Proposed changes
vault-armada-app/vault-helm/debian/deb_folder/patches/0001-Add-vault-manager-repository-to-values.yaml.patch
Tae Park fae21895d7 Update helm charts for new vm docker image 
Updating helm charts with the latest vault manager docker image tag.

Test Plan:
PASS Vault sanity
PASS Check for installation of correct image

Story: 2010930
Task: 49526

Depends-On: https://review.opendev.org/c/starlingx/root/+/908336

Change-Id: I54d33f7c9c8d58df7424c51f9bf366d8746264f0
Signed-off-by: Tae Park <tae.park@windriver.com>
2024-02-08 13:18:06 -05:00

113 lines
4.0 KiB
Diff
Raw Blame History

From fda70b8f0e34be97e9c80251afdec45518314ab1 Mon Sep 17 00:00:00 2001
From: Greg Waines <greg.waines@windriver.com>
Date: Sat, 5 Nov 2022 20:14:58 -0400
Subject: [PATCH] Add vault manager repository to values.yaml
Add image repository for vault-manager pod
Add timing parameters for the vault-manager main function, rate at which
to check for and unseal vault pods.
Add timing parameters for the vault API. These parameters tune the
timing of unsealing the vault server/raft, queries and operations for
vault rekey.
Add option to enable/disable rekey of vault after conversion of storage
backend from PVC to k8s secrets.
Add option to select kubectl version.
Signed-off-by: Michel Thebeau <michel.thebeau@windriver.com>
---
values.yaml | 74 +++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 74 insertions(+)
diff --git a/values.yaml b/values.yaml
index 9e35ac8..3e311d6 100644
--- a/values.yaml
+++ b/values.yaml
@@ -40,6 +40,80 @@ global:
# See the top level serverTelemetry section below before enabling this feature.
prometheusOperator: false
+manager:
+ image:
+ repository: starlingx/stx-vault-manager
+ tag: stx.9.0-v1.28.6-1
+
+ # Rate at which vault-manager checks status of vault servers.
+ # After initialization of the raft, Vault manager will loop forever
+ # checking the pods for vault servers that need to be unsealed.
+ # This value is the sleep, in seconds, between intervals. Value
+ # must be a positive integer
+ statusCheckRate: 5
+
+ # After initial configuration, in combination with statusCheckRate,
+ # the amount of time to wait before unsealing a recovering vault
+ # server. The option is intended to allow the active vault server
+ # time to start sending heartbeats to the recovering pod before
+ # unsealing the server.
+ #
+ # A value of 0 indicates no wait time: unseal the vault server without
+ # delay. The wait time is statusCheckRate * unsealWaitIntervals.
+ # Default is 5 s/interval * 3 intervals == 15 seconds.
+ #
+ unsealWaitIntervals: 3
+
+ api:
+ # Network timeout for queries to vault server /sys/health endpoint
+ #
+ # The maximum time in seconds to wait for a server to respond to
+ # health query. This applies for the HA recovery situations, not the
+ # initialization of vault cluster. Unsetting the value is not
+ # recommended, and defaults to timeout of 120 seconds.
+ #
+ # vault-manager will appear to hang if healthQueryTimeout is
+ # over-large. This setting affects the logs, since vault-manager will
+ # issue a log when the 'sealed' status toggles between true/false and
+ # the 'unknown' value
+ healthQueryTimeout: 2
+
+ # Network timeout for vault API operations against /sys/unseal
+ #
+ # The maximum time in seconds to wait for a server to respond to
+ # the unseal request.
+ unsealOpTimeout: 10
+
+ # Network timeout for queries to vault server /sys/rekey/init
+ # and /sys/rekey/verify
+ #
+ # The maximum time in seconds to wait for a server to respond to
+ # the query.
+ rekeyStatusTimeout: 2
+
+ # Network timeout for vault API operations against /sys/rekey/init
+ # and /sys/rekey/verify
+ #
+ # The maximum time in seconds to wait for a server to respond to
+ # the request.
+ rekeyOpTimeout: 10
+
+ rekey:
+ # During upgrade of the application from PVC storage to storage
+ # using kubernetes, enable vault rekey to run automatically to
+ # resecure the vault with new shards.
+ # See also Hashicorp vault documentation:
+ # https://developer.hashicorp.com/vault/tutorials/operations/rekeying-and-rotating
+ # https://developer.hashicorp.com/vault/api-docs/v1.13.x/system/rekey
+ #
+ enableOnPVCConversion: true
+
+ k8s:
+ # The major/minor version of kubectl client binary to use. Must
+ # exist within the vault manager image for example
+ # client_version: v1.28
+ client_version: ""
+
injector:
# True if you want to enable vault agent injection.
# @default: global.enabled
--
2.34.1
View Git Blame Copy Permalink