From 554a384b6a3d8db0ce0788d1f012548546cb1ece Mon Sep 17 00:00:00 2001 From: Lenny Chen Date: Wed, 1 Nov 2023 11:23:03 -0700 Subject: [PATCH 01/12] docs: clarify requirement to explicitly specify storage class for vault on rke2 --- docs/docs-content/integrations/rke2.md | 7 +++++++ docs/docs-content/integrations/vault.md | 10 ++++++++++ 2 files changed, 17 insertions(+) diff --git a/docs/docs-content/integrations/rke2.md b/docs/docs-content/integrations/rke2.md index 20e09b4460..05a39a1772 100644 --- a/docs/docs-content/integrations/rke2.md +++ b/docs/docs-content/integrations/rke2.md @@ -35,6 +35,13 @@ RKE2 is only available for Edge host deployments. Refer to the [Edge](../cluster ::: + +:::caution + +If you use the Vault add-on pack in a cluster profile that uses RKE2 as its Kubernetes layer, you need to explicitly specify a storage class for your Vault application. Refer to [the Vault pack documentation](./vault.md) for details. + +::: + ## Versions Supported The following RKE2 versions are supported to work with Palette. diff --git a/docs/docs-content/integrations/vault.md b/docs/docs-content/integrations/vault.md index f6d0dc0040..840281fc47 100644 --- a/docs/docs-content/integrations/vault.md +++ b/docs/docs-content/integrations/vault.md @@ -62,7 +62,17 @@ Vault integration has the following components: * UI (Optional). * [Agent injector](https://www.vaultproject.io/docs/platform/k8s/injector/) (Optional). +:::caution +When using Vault with the RKE2 distribution of Kubernetes in Palette Edge, you must explicitly specify a storage class for the Vault server. To specify a storage class, insert the following fields under the `server` field in `values.yaml` for the Vault layer in your cluster profile. + +```yaml +server: + dataStorage: + storageClass: +``` + +::: ## Supported Use cases From 4c56562a1d9513ba0ef72e545592bff1685c2a85 Mon Sep 17 00:00:00 2001 
From: Lenny Chen Date: Thu, 2 Nov 2023 10:17:59 -0700 Subject: [PATCH 02/12] docs: specify location of change --- docs/docs-content/integrations/vault.md | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/docs/docs-content/integrations/vault.md b/docs/docs-content/integrations/vault.md index 840281fc47..27c5d4d485 100644 --- a/docs/docs-content/integrations/vault.md +++ b/docs/docs-content/integrations/vault.md @@ -64,13 +64,7 @@ Vault integration has the following components: :::caution -When using Vault with the RKE2 distribution of Kubernetes in Palette Edge, you must explicitly specify a storage class for the Vault server. To specify a storage class, insert the following fields under the `server` field in `values.yaml` for the Vault layer in your cluster profile. - -```yaml -server: - dataStorage: - storageClass: -``` +When using Vault with the RKE2 distribution of Kubernetes in Palette Edge, you must explicitly specify a storage class for the Vault server. To specify a storage class, change the value of the field `charts.vault.server.dataStorage.storageClass` in `values.yaml` for the Vault pack in your cluster profile from `null` to a storage class that meets your needs. Refer to [Kubernetes documentation on storage classes](https://kubernetes.io/docs/concepts/storage/storage-classes/) for more details. ::: From 917bfde02a801f937f61f2e772313368bed6b187 Mon Sep 17 00:00:00 2001 From: Lenny Chen Date: Thu, 2 Nov 2023 17:03:30 -0700 Subject: [PATCH 03/12] docs: refactor vault pack page --- docs/docs-content/integrations/rke2.md | 7 -- docs/docs-content/integrations/vault.md | 106 ++++++++++++------------ 2 files changed, 53 insertions(+), 60 deletions(-) diff --git a/docs/docs-content/integrations/rke2.md b/docs/docs-content/integrations/rke2.md index 05a39a1772..20e09b4460 100644 --- a/docs/docs-content/integrations/rke2.md +++ b/docs/docs-content/integrations/rke2.md 
@@ -35,13 +35,6 @@ RKE2 is only available for Edge host deployments. Refer to the [Edge](../cluster ::: - -:::caution - -If you use the Vault add-on pack in a cluster profile that uses RKE2 as its Kubernetes layer, you need to explicitly specify a storage class for your Vault application. Refer to [the Vault pack documentation](./vault.md) for details. - -::: - ## Versions Supported The following RKE2 versions are supported to work with Palette. diff --git a/docs/docs-content/integrations/vault.md b/docs/docs-content/integrations/vault.md index 27c5d4d485..a904c022a1 100644 --- a/docs/docs-content/integrations/vault.md +++ b/docs/docs-content/integrations/vault.md 
@@ -12,98 +12,98 @@ tags: ['packs', 'vault', 'security'] [Vault](https://www.vaultproject.io/) helps secure, store, and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets, and other sensitive data using a UI, CLI, or HTTP API. +Vault integration has the following components: + +* Vault server. +* UI (Optional). +* [Agent injector](https://www.vaultproject.io/docs/platform/k8s/injector/) (Optional). + ## Versions Supported -* **0.22.0** +### Prerequisites - +- A Kubernetes cluster with Kubernetes version 1.22 or later. - +### Parameters -* **0.20.1** +The table lists commonly used parameters you can configure when adding this pack. - - +| Parameters | Description | Default | +-------------|-------------|---------| +|`charts.server.ingress` | Enable ingress traffic to the Vault server. If you want to enable ingress traffic, make sure that `charts.server.serviceType` is set to `"ClusterIP"` or is left empty. | `false` | +|`charts.global.tlsDisable` | Disable TLS for end-to-end encrypted transport. | `true` | +|`charts.agent.enabled` | Enable vault agent injection to inject secrets into the pods. | `-` | +|`charts.server.ha` | Enable high-availability mode to protect against outages by running multiple Vault servers. For more information, refer to [Vault documentation](https://developer.hashicorp.com/vault/docs/internals/high-availability). | `false` | +|`charts.server.dataStorage`| Controls the size, location, storage class of the persistent storage used by the Vault. | | -* **0.11.0** +:::caution - +When using Vault with the RKE2 distribution of Kubernetes in Palette Edge, you must explicitly specify a storage class for the Vault server. To specify a storage class, change the value of the field `charts.vault.server.dataStorage.storageClass` in `values.yaml` for the Vault pack in your cluster profile from `null` to a storage class that meets your needs. 
Refer to [Kubernetes documentation on storage classes](https://kubernetes.io/docs/concepts/storage/storage-classes/) for more details. - +::: - * **0.9.0** +### Usage - +HashiCorp provides many uses cases for Vault. For examples, refer to [HashiCorp Vault documentation](https://developer.hashicorp.com/vault/docs/use-cases). - +#### Initialize and unseal Vault -* **0.6.0** +If you did not configure Vault to automatically initialize in the cluster profile, you need to initialize the first root token and keys that can be used to unseal Vault. +You can do so by following these steps: - +1. Log in to [Palette](https://console.spectrocloud.com). - +2. Navigate to the left **Main Menu** and select **Clusters**. -* **0.3.1** +3. Select the cluster that has Vault installed to view its details page. - - +4. Download the cluster **kubeconfig** file. +5. Set up your local kubectl environment to use the **kubeconfig** file you downloaded. Review the [Access Cluster with CLI](../clusters/cluster-management/palette-webctl.md) guide for additional guidance. -## Components +6. You need to get the Vault namespace and application name. Issue the following command to get the unique values. -Vault integration has the following components: +
-* Vault server. -* UI (Optional). -* [Agent injector](https://www.vaultproject.io/docs/platform/k8s/injector/) (Optional). + ```shell + VAULT_NAMESPACE=$(kubectl get pods --selector app.kubernetes.io/name=vault --all-namespaces --output jsonpath='{.items[0].metadata.namespace}') && \ + APP_NAME=$(echo "$VAULT_NAMESPACE" | sed 's/-ns$//') + ``` -:::caution +7. Set up port forwarding by issuing the following command so you can access the Vault UI: -When using Vault with the RKE2 distribution of Kubernetes in Palette Edge, you must explicitly specify a storage class for the Vault server. To specify a storage class, change the value of the field `charts.vault.server.dataStorage.storageClass` in `values.yaml` for the Vault pack in your cluster profile from `null` to a storage class that meets your needs. Refer to [Kubernetes documentation on storage classes](https://kubernetes.io/docs/concepts/storage/storage-classes/) for more details. + ``` + kubectl port-forward $APP_NAME 8200:8200 --namespace $VAULT_NAMESPACE + ``` -::: +8. Open your browser and visit https://localhost:8200/ui to access the Vault UI. You will receive a warning due to the usage of a self-signed certificate but you can ignore this warning. In the browser, follow the prompts on the UI to initialize your root token. -## Supported Use cases +:::tip -1. Running a Vault Service: - * Vault is set up to run in **Dev mode** by default and so, Vault will be unsealed and initialized. - * For production use cases, we recommend disabling Dev mode and enable HA. - * Also, see [Production Checklist](https://www.vaultproject.io/docs/platform/k8s/helm/run#architecture) recommendations. -1. Injecting application secrets from an external Vault into pods (**Agent Injector**). - * For running agent injector alone in the cluster, use v0.6.0 of Vault pack. - * Make sure to set `injector.externalVaultAddr` to point to the external Vault server. 
+If you don't want to use the Vault UI, you can also initialize and unseal Vault using the Vault CLI or API. For more information, refer to [Vault documentation](https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#initialize-and-unseal-vault). -## How secrets are injected in deployments? +::: -In Kubernetes clusters with Vault integrated, secrets can be injected into the application pods by adding the following annotations: + + + -```yaml -vault.hashicorp.com/agent-inject: "true" -vault.hashicorp.com/agent-inject-secret-: /path/to/secret -vault.hashicorp.com/role: "" -``` +:::caution -More information on consuming Vault secrets can be found in [Vault docs](https://www.vaultproject.io/docs/platform/k8s/injector) +All versions of the manifest-based pack less than v0.22.x are considered deprecated. Upgrade to a newer version to take advantage of new features. -## Ingress +::: -Follow below steps to configure Ingress on Vault Server + + + -1. Make sure serviceType is not set for Vault Server. That way, serviceType will default to ClusterIP - * Version 0.6.0 - line #289 - * Version 0.3.1 - line #96 -2. Ingress - * Enable Ingress ; Change enabled from false to "true" - * Set Ingress rules like annotations, path, hosts etc. - * Version 0.6.0 - line #146 - * Version 0.3.1 - line #96 -With these config changes, you can access Vault service on the Ingress Controller LoadBalancer hostname / IP ## References From 5495470d26586806eb2ca4a3faaee66761d37bb2 Mon Sep 17 00:00:00 2001 From: Lenny Chen <55669665+lennessyy@users.noreply.github.com> Date: Fri, 3 Nov 2023 13:29:11 -0700 Subject: [PATCH 04/12] Apply suggestions from code review Co-authored-by: Rita Watson <117382432+ritawatson@users.noreply.github.com> --- docs/docs-content/integrations/vault.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/docs-content/integrations/vault.md b/docs/docs-content/integrations/vault.md index a904c022a1..747cdf56fe 100644 
--- a/docs/docs-content/integrations/vault.md +++ b/docs/docs-content/integrations/vault.md @@ -14,9 +14,9 @@ tags: ['packs', 'vault', 'security'] Vault integration has the following components: -* Vault server. -* UI (Optional). -* [Agent injector](https://www.vaultproject.io/docs/platform/k8s/injector/) (Optional). +* Vault server +* UI (optional). +* [Agent injector](https://www.vaultproject.io/docs/platform/k8s/injector/) (optional). ## Versions Supported @@ -51,7 +51,7 @@ When using Vault with the RKE2 distribution of Kubernetes in Palette Edge, you m HashiCorp provides many uses cases for Vault. For examples, refer to [HashiCorp Vault documentation](https://developer.hashicorp.com/vault/docs/use-cases). -#### Initialize and unseal Vault +#### Initialize and Unseal Vault If you did not configure Vault to automatically initialize in the cluster profile, you need to initialize the first root token and keys that can be used to unseal Vault. You can do so by following these steps: @@ -81,7 +81,7 @@ You can do so by following these steps: kubectl port-forward $APP_NAME 8200:8200 --namespace $VAULT_NAMESPACE ``` -8. Open your browser and visit https://localhost:8200/ui to access the Vault UI. You will receive a warning due to the usage of a self-signed certificate but you can ignore this warning. In the browser, follow the prompts on the UI to initialize your root token. +8. Open your browser and access the [Vault UI](https://localhost:8200/ui. You will receive a warning due to using a self-signed certificate, but you can ignore this warning. Follow the prompts on the UI to initialize your root token. :::tip From 8083f03e5c5ae301dd0cae0275844d52ea5565c3 Mon Sep 17 00:00:00 2001 From: Lenny Chen Date: Fri, 3 Nov 2023 14:08:59 -0700 Subject: [PATCH 05/12] Added a terraform section --- docs/docs-content/integrations/vault.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) 
diff --git a/docs/docs-content/integrations/vault.md b/docs/docs-content/integrations/vault.md index a904c022a1..9bb65c8886 100644 --- a/docs/docs-content/integrations/vault.md +++ b/docs/docs-content/integrations/vault.md @@ -89,6 +89,23 @@ If you don't want to use the Vault UI, you can also initialize and unseal Vault ::: +### Terraform + +You can reference the Vault pack in Terraform with a data resource: + +```tf +data "spectrocloud_registry" "public_registry" { + name = "Public Repo" +} + +data "spectrocloud_pack_simple" "pack-info" { + name = "vault" + version = "0.22.0" + type = "helm" + registry_uid = data.spectrocloud_registry.public_registry.id +} +``` + From f0cabc9f5a8dc8af6472752269b0d3cd7cee3db2 Mon Sep 17 00:00:00 2001 From: Lenny Chen Date: Fri, 3 Nov 2023 14:22:49 -0700 Subject: [PATCH 06/12] Add bullet in troubleshooting section on rke2 page --- docs/docs-content/integrations/rke2.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/docs-content/integrations/rke2.md b/docs/docs-content/integrations/rke2.md index 20e09b4460..4f5cb1c6f0 100644 --- a/docs/docs-content/integrations/rke2.md +++ b/docs/docs-content/integrations/rke2.md @@ -182,6 +182,10 @@ data "spectrocloud_pack_simple" "k8s" { } ``` +## Troubleshooting + +- When using Vault with the RKE2 distribution of Kubernetes in Palette Edge, you must explicitly specify a storage class for the Vault server. See [the Vault pack page](./vault.md#parameters) for details. + ## Resources - [RKE2 Documentation](https://docs.rke2.io) From 0540f357c20b30f8ba900a4f55e92c8abb6de8b3 Mon Sep 17 00:00:00 2001 From: Lenny Chen Date: Fri, 3 Nov 2023 14:35:35 -0700 Subject: [PATCH 07/12] address vale comments --- docs/docs-content/integrations/rke2.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs-content/integrations/rke2.md b/docs/docs-content/integrations/rke2.md index 4f5cb1c6f0..5119a19552 100644 --- a/docs/docs-content/integrations/rke2.md 
+++ b/docs/docs-content/integrations/rke2.md @@ -184,7 +184,7 @@ data "spectrocloud_pack_simple" "k8s" { ## Troubleshooting -- When using Vault with the RKE2 distribution of Kubernetes in Palette Edge, you must explicitly specify a storage class for the Vault server. See [the Vault pack page](./vault.md#parameters) for details. +- When using Vault with the RKE2 distribution of Kubernetes in Palette Edge, you must explicitly specify a storage class for the Vault server. Refer to [the Vault pack page](./vault.md#parameters) for details. ## Resources From b49c3cb333d12013b4f00a5a4547b29f4094ced6 Mon Sep 17 00:00:00 2001 From: Lenny Chen <55669665+lennessyy@users.noreply.github.com> Date: Mon, 6 Nov 2023 11:31:08 -0800 Subject: [PATCH 08/12] Apply suggestions from code review Co-authored-by: Karl Cardenas Co-authored-by: Rita Watson <117382432+ritawatson@users.noreply.github.com> --- docs/docs-content/integrations/vault.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/docs-content/integrations/vault.md b/docs/docs-content/integrations/vault.md index 59082d7e0e..c0a451005b 100644 --- a/docs/docs-content/integrations/vault.md +++ b/docs/docs-content/integrations/vault.md 
@@ -81,11 +81,11 @@ You can do so by following these steps: kubectl port-forward $APP_NAME 8200:8200 --namespace $VAULT_NAMESPACE ``` -8. Open your browser and access the [Vault UI](https://localhost:8200/ui. You will receive a warning due to using a self-signed certificate, but you can ignore this warning. Follow the prompts on the UI to initialize your root token. +8. Open your browser and access the [Vault UI](https://localhost:8200/ui). You will receive a warning due to using a self-signed certificate, but you can ignore this warning. Follow the prompts on the UI to initialize your root token. :::tip -If you don't want to use the Vault UI, you can also initialize and unseal Vault using the Vault CLI or API. For more information, refer to [Vault documentation](https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#initialize-and-unseal-vault). +If you do not want to use the Vault UI, you can also initialize and unseal Vault using the Vault CLI or API. For more information, refer to [Vault documentation](https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#initialize-and-unseal-vault). ::: @@ -93,7 +93,7 @@ If you don't want to use the Vault UI, you can also initialize and unseal Vault You can reference the Vault pack in Terraform with a data resource: -```tf +```hcl data "spectrocloud_registry" "public_registry" { name = "Public Repo" } From 98b9d10a5d9edc77300ed1ff14002b75f8aa805d Mon Sep 17 00:00:00 2001 From: Lenny Chen Date: Mon, 6 Nov 2023 13:45:47 -0800 Subject: [PATCH 09/12] Address review comments --- docs/docs-content/integrations/vault.md | 31 ++++++++++++++++++------- 1 file changed, 22 insertions(+), 9 deletions(-) diff --git a/docs/docs-content/integrations/vault.md b/docs/docs-content/integrations/vault.md index c0a451005b..e255ec23c8 100644 --- a/docs/docs-content/integrations/vault.md +++ b/docs/docs-content/integrations/vault.md 
@@ -34,16 +34,16 @@ The table lists commonly used parameters you can configure when adding this pack | Parameters | Description | Default | -------------|-------------|---------| -|`charts.server.ingress` | Enable ingress traffic to the Vault server. If you want to enable ingress traffic, make sure that `charts.server.serviceType` is set to `"ClusterIP"` or is left empty. | `false` | -|`charts.global.tlsDisable` | Disable TLS for end-to-end encrypted transport. | `true` | -|`charts.agent.enabled` | Enable vault agent injection to inject secrets into the pods. | `-` | -|`charts.server.ha` | Enable high-availability mode to protect against outages by running multiple Vault servers. For more information, refer to [Vault documentation](https://developer.hashicorp.com/vault/docs/internals/high-availability). | `false` | -|`charts.server.dataStorage`| Controls the size, location, storage class of the persistent storage used by the Vault. | | +|`charts.vault.server.ingress` | Enable ingress traffic to the Vault server. If you want to enable ingress traffic, make sure that `charts.server.serviceType` is set to `"ClusterIP"` or is left empty. | `False` | +|`charts.vault.global.tlsDisable` | Disable TLS for end-to-end encrypted transport. | `True` | +|`charts.vault.agent.enabled` | Enable vault agent injection to inject secrets into the pods. | `-` | +|`charts.vault.server.ha` | Enable high-availability mode to protect against outages by running multiple Vault servers. For more information, refer to [Vault documentation](https://developer.hashicorp.com/vault/docs/internals/high-availability). | `false` | +|`charts.vault.server.dataStorage`| Controls the size, location, storage class of the persistent storage used by the Vault. | | +|`charts.vault.server.dev` | Enable dev server mode. The dev server mode skips most setup required before you can begin to use a Vault server, including initialization and unseal, and stores all data in-memory. 
For more details about dev server mode, refer to [Vault documentation](https://developer.hashicorp.com/vault/docs/concepts/dev-server). | `False` | +|`charts.server.dev.devRootToken` | If you enabled dev server mode, this parameter specifies the root token for your Vault server. Root token has unlimited privileges and can do anything in Vault. | `"root"` | :::caution - -When using Vault with the RKE2 distribution of Kubernetes in Palette Edge, you must explicitly specify a storage class for the Vault server. To specify a storage class, change the value of the field `charts.vault.server.dataStorage.storageClass` in `values.yaml` for the Vault pack in your cluster profile from `null` to a storage class that meets your needs. Refer to [Kubernetes documentation on storage classes](https://kubernetes.io/docs/concepts/storage/storage-classes/) for more details. - +Never run a dev mode server in production. It is insecure and loses data on every restart. ::: ### Usage @@ -53,7 +53,9 @@ HashiCorp provides many uses cases for Vault. For examples, refer to [HashiCorp #### Initialize and Unseal Vault -If you did not configure Vault to automatically initialize in the cluster profile, you need to initialize the first root token and keys that can be used to unseal Vault. +If you enabled dev server mode, you do not need to initialize Vault and it is already unsealed. Use the root token you configured in the `values.yaml` file to sign in to Vault directly. + +Before any operation can be performed on Vault, you need to initialize the first root token and keys that can be used to unseal Vault. You can do so by following these steps: 1. Log in to [Palette](https://console.spectrocloud.com). 
@@ -89,6 +91,17 @@ If you do not want to use the Vault UI, you can also initialize and unseal Vault ::: +#### Storage + +In a production Vault server, backend storage is on a data persistent layer, is untrusted and only stores encrypted data. In a dev mode Vault server, all data is stored in-memory and will be erased when Vault restarts. + +:::caution + +When using Vault with the RKE2 distribution of Kubernetes in Palette Edge, you must explicitly specify a storage class for the Vault server. To specify a storage class, change the value of the field `charts.vault.server.dataStorage.storageClass` in `values.yaml` for the Vault pack in your cluster profile from `null` to a storage class that meets your needs. Refer to [Kubernetes documentation on storage classes](https://kubernetes.io/docs/concepts/storage/storage-classes/) for more details. + +::: + + ### Terraform You can reference the Vault pack in Terraform with a data resource: From 435b4fa76de491adbea10ab82b6cb29d85e80e44 Mon Sep 17 00:00:00 2001 From: Lenny Chen Date: Mon, 6 Nov 2023 13:49:19 -0800 Subject: [PATCH 10/12] address vale comments --- docs/docs-content/integrations/vault.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs-content/integrations/vault.md b/docs/docs-content/integrations/vault.md index e255ec23c8..59e1bb0cf4 100644 --- a/docs/docs-content/integrations/vault.md +++ b/docs/docs-content/integrations/vault.md @@ -43,7 +43,7 @@ The table lists commonly used parameters you can configure when adding this pack |`charts.server.dev.devRootToken` | If you enabled dev server mode, this parameter specifies the root token for your Vault server. Root token has unlimited privileges and can do anything in Vault. | `"root"` | :::caution -Never run a dev mode server in production. It is insecure and loses data on every restart. +Never operate a dev mode server in production. It is insecure and loses data on every restart. ::: ### Usage 
From b12a3e2a156247e750de4d4027136022054e0594 Mon Sep 17 00:00:00 2001 From: Lenny Chen Date: Mon, 6 Nov 2023 13:50:24 -0800 Subject: [PATCH 11/12] Fix parameter path --- docs/docs-content/integrations/vault.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs-content/integrations/vault.md b/docs/docs-content/integrations/vault.md index 59e1bb0cf4..2b285b5535 100644 --- a/docs/docs-content/integrations/vault.md +++ b/docs/docs-content/integrations/vault.md @@ -40,7 +40,7 @@ The table lists commonly used parameters you can configure when adding this pack |`charts.vault.server.ha` | Enable high-availability mode to protect against outages by running multiple Vault servers. For more information, refer to [Vault documentation](https://developer.hashicorp.com/vault/docs/internals/high-availability). | `false` | |`charts.vault.server.dataStorage`| Controls the size, location, storage class of the persistent storage used by the Vault. | | |`charts.vault.server.dev` | Enable dev server mode. The dev server mode skips most setup required before you can begin to use a Vault server, including initialization and unseal, and stores all data in-memory. For more details about dev server mode, refer to [Vault documentation](https://developer.hashicorp.com/vault/docs/concepts/dev-server). | `False` | -|`charts.server.dev.devRootToken` | If you enabled dev server mode, this parameter specifies the root token for your Vault server. Root token has unlimited privileges and can do anything in Vault. | `"root"` | +|`charts.vault.server.dev.devRootToken` | If you enabled dev server mode, this parameter specifies the root token for your Vault server. Root token has unlimited privileges and can do anything in Vault. | `"root"` | :::caution Never operate a dev mode server in production. It is insecure and loses data on every restart. From c97e4faea6d315068a6cbaa39b0a40b9a9ad9c8b Mon Sep 17 00:00:00 2001 
From: Lenny Chen Date: Mon, 6 Nov 2023 17:30:34 -0800 Subject: [PATCH 12/12] remove warning callout --- docs/docs-content/integrations/vault.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/docs-content/integrations/vault.md b/docs/docs-content/integrations/vault.md index 2b285b5535..6d1b0f83e6 100644 --- a/docs/docs-content/integrations/vault.md +++ b/docs/docs-content/integrations/vault.md @@ -95,11 +95,10 @@ If you do not want to use the Vault UI, you can also initialize and unseal Vault In a production Vault server, backend storage is on a data persistent layer, is untrusted and only stores encrypted data. In a dev mode Vault server, all data is stored in-memory and will be erased when Vault restarts. -:::caution +##### RKE2 When using Vault with the RKE2 distribution of Kubernetes in Palette Edge, you must explicitly specify a storage class for the Vault server. To specify a storage class, change the value of the field `charts.vault.server.dataStorage.storageClass` in `values.yaml` for the Vault pack in your cluster profile from `null` to a storage class that meets your needs. Refer to [Kubernetes documentation on storage classes](https://kubernetes.io/docs/concepts/storage/storage-classes/) for more details. -::: ### Terraform
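Review bot: In the PATCH 01 vault.md hunk, the added YAML fragment nests `dataStorage.storageClass` under a top-level `server:` key and leaves the value empty, but every later commit in this series refers to the field as `charts.vault.server.dataStorage.storageClass`, so a reader who pastes the fragment as written into the pack's `values.yaml` sets an ignored top-level key and leaves the real field at `null`, which is the exact failure the caution is warning about. PATCH 02 fixes this by dropping the fragment for prose; consider keeping a fragment with the correct nesting and a placeholder value so there is still something copy-able, and tell the reader how to discover valid names on the cluster (`kubectl get storageclass`).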
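Review bot: In the PATCH 03 vault.md hunk, step 7 passes `$APP_NAME` to `kubectl port-forward` as a bare resource name, which kubectl interprets as a pod name, but `$APP_NAME` is derived in step 6 by stripping `-ns` from the namespace and is not the name of any pod. Since the step 6 jsonpath already selects a Vault pod, capture `.items[0].metadata.name` as well and forward to that pod, or forward to the service with `svc/$APP_NAME` if the release name matches. Two smaller points in the same hunk: the step 7 fence has no language tag while step 6 uses ```shell, and "many uses cases" should read "many use cases".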
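Review bot: In the PATCH 06 and PATCH 10 rke2.md hunks, the Troubleshooting bullet links to `./vault.md#parameters`, but PATCH 09 moves the RKE2 storage-class requirement out of the parameters table into a `#### Storage` subsection and PATCH 12 gives it its own `##### RKE2` heading, so the anchor now lands on a table that no longer mentions RKE2. Point the link at the new heading (for example `./vault.md#rke2`) so the cross-reference survives the refactor.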
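Review bot: In the PATCH 08 vault.md hunk, step 8 sends the reader to `https://localhost:8200/ui` and tells them to ignore a self-signed certificate warning, yet the parameters table in this same series lists `charts.vault.global.tlsDisable` with a default of `True`. With that default the Vault listener speaks plain HTTP, so the https URL will fail to connect rather than show a certificate warning; either the step should use `http://localhost:8200/ui` for the default configuration, or the page should tell the reader to set `tlsDisable` to `false` and supply a certificate first. Where the warning is genuinely expected, say why clicking through is acceptable here (the port-forward terminates on localhost, so the traffic never leaves the workstation) rather than instructing readers to ignore TLS warnings unconditionally.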
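Review bot: In the PATCH 09 parameters-table hunk, the ingress row still tells the reader to check `charts.server.serviceType` even though this hunk renames every other path to the `charts.vault.` prefix (PATCH 11 later fixes `devRootToken` for the same reason); it should read `charts.vault.server.serviceType`. The Default column is also inconsistently cased (`False`/`True` for ingress, tlsDisable and dev, `false` for ha); values.yaml uses lowercase booleans, so use `false`/`true` throughout. Finally, since the table shows dev mode defaulting to a well-known root token of `"root"` alongside TLS disabled by default, the caution that follows would be stronger if it named those two consequences explicitly instead of only "it is insecure".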
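Review bot: In the PATCH 09 Storage hunk, the sentence "backend storage is on a data persistent layer, is untrusted and only stores encrypted data" is hard to parse and inverts the emphasis; the point is that Vault treats its storage backend as untrusted and therefore writes only encrypted data to it. Suggest: "In a production Vault server, the storage backend is treated as untrusted: Vault writes only encrypted data to the persistent layer." The following sentence on dev mode is fine, but "will be erased" can be "is erased" to match the tense of the rest of the page.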