spectrocloud · lennessyy · Nov 7, 2023 · Nov 1, 2023 · Nov 2, 2023 · Nov 2, 2023
@@ -182,6 +182,10 @@ data "spectrocloud_pack_simple" "k8s" {
 }
 ```
 
+## Troubleshooting
+
+- When using Vault with the RKE2 distribution of Kubernetes in Palette Edge, you must explicitly specify a storage class for the Vault server. Refer to [the Vault pack page](./vault.md#parameters) for details.
+
 ## Resources
 
 - [RKE2 Documentation](https://docs.rke2.io)

@@ -12,94 +12,127 @@ tags: ['packs', 'vault', 'security']
 
 [Vault](https://www.vaultproject.io/) helps secure, store, and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets, and other sensitive data using a UI, CLI, or HTTP API.
 
+Vault integration has the following components:
+
+* Vault server
+* UI (optional).
+* [Agent injector](https://www.vaultproject.io/docs/platform/k8s/injector/) (optional).
+
 ## Versions Supported
 
 <Tabs queryString="versions">
 
 <TabItem label="0.22.x" value="0.22.x">
 
-* **0.22.0**
+### Prerequisites
 
-</TabItem>
+- A Kubernetes cluster with Kubernetes version 1.22 or later.
 
-<TabItem label="0.20.x" value="0.20.x">
+### Parameters
 
-* **0.20.1**
+The table lists commonly used parameters you can configure when adding this pack.
 
-</TabItem>
-<TabItem label="0.11.x" value="0.11.x">
+| Parameters | Description | Default |
+-------------|-------------|---------|
+|`charts.vault.server.ingress` | Enable ingress traffic to the Vault server. If you want to enable ingress traffic, make sure that `charts.server.serviceType` is set to `"ClusterIP"` or is left empty. | `False` |
+|`charts.vault.global.tlsDisable` | Disable TLS for end-to-end encrypted transport. | `True` |
+|`charts.vault.agent.enabled` | Enable vault agent injection to inject secrets into the pods. | `-` |
+|`charts.vault.server.ha` | Enable high-availability mode to protect against outages by running multiple Vault servers. For more information, refer to [Vault documentation](https://developer.hashicorp.com/vault/docs/internals/high-availability). |  `false` |
+|`charts.vault.server.dataStorage`| Controls the size, location, storage class of the persistent storage used by the Vault. | |
+|`charts.vault.server.dev` | Enable dev server mode. The dev server mode skips most setup required before you can begin to use a Vault server, including initialization and unseal, and stores all data in-memory. For more details about dev server mode, refer to [Vault documentation](https://developer.hashicorp.com/vault/docs/concepts/dev-server). | `False` |  
+|`charts.vault.server.dev.devRootToken` | If you enabled dev server mode, this parameter specifies the root token for your Vault server. Root token has unlimited privileges and can do anything in Vault. | `"root"` |
 
-* **0.11.0**
+:::caution
+Never operate a dev mode server in production. It is insecure and loses data on every restart. 
+:::
 
-</TabItem>
+### Usage
 
-<TabItem label="0.9.x" value="0.9.x">
+HashiCorp provides many uses cases for Vault. For examples, refer to [HashiCorp Vault documentation](https://developer.hashicorp.com/vault/docs/use-cases). 
 
-  * **0.9.0**
 
-</TabItem>
+#### Initialize and Unseal Vault
 
+If you enabled dev server mode, you do not need to initialize Vault and it is already unsealed. Use the root token you configured in the `values.yaml` file to sign in to Vault directly.
 
-<TabItem label="0.6.x" value="0.6.x">
+Before any operation can be performed on Vault, you need to initialize the first root token and keys that can be used to unseal Vault.
+You can do so by following these steps:
 
-* **0.6.0**
+1. Log in to [Palette](https://console.spectrocloud.com).
 
-</TabItem>
+2. Navigate to the left **Main Menu** and select **Clusters**.
 
-<TabItem label="0.3.x" value="0.3.x">
+3. Select the cluster that has Vault installed to view its details page.
 
-* **0.3.1**
+4. Download the cluster **kubeconfig** file. 
 
-</TabItem>
-</Tabs>
+5. Set up your local kubectl environment to use the **kubeconfig** file you downloaded. Review the [Access Cluster with CLI](../clusters/cluster-management/palette-webctl.md) guide for additional guidance. 
 
+6. You need to get the Vault namespace and application name. Issue the following command to get the unique values.
 
-## Components
+    <br />
 
-Vault integration has the following components:
+    ```shell
+    VAULT_NAMESPACE=$(kubectl get pods --selector app.kubernetes.io/name=vault --all-namespaces --output jsonpath='{.items[0].metadata.namespace}') && \
+    APP_NAME=$(echo "$VAULT_NAMESPACE" | sed 's/-ns$//')
+    ```
+
+7. Set up port forwarding by issuing the following command so you can access the Vault UI:
+
+    ```
+    kubectl port-forward $APP_NAME 8200:8200 --namespace $VAULT_NAMESPACE
+    ```
 
-* Vault server.
-* UI (Optional).
-* [Agent injector](https://www.vaultproject.io/docs/platform/k8s/injector/) (Optional).
+8. Open your browser and access the [Vault UI](https://localhost:8200/ui). You will receive a warning due to using a self-signed certificate, but you can ignore this warning. Follow the prompts on the UI to initialize your root token.
 
+:::tip
 
+If you do not want to use the Vault UI, you can also initialize and unseal Vault using the Vault CLI or API. For more information, refer to [Vault documentation](https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#initialize-and-unseal-vault).  
 
-## Supported Use cases
+:::
 
-1. Running a Vault Service:
-    * Vault is set up to run in **Dev mode** by default and so, Vault will be unsealed and initialized.
-    * For production use cases, we recommend disabling Dev mode and enable HA.
-    * Also, see [Production Checklist](https://www.vaultproject.io/docs/platform/k8s/helm/run#architecture) recommendations.
-1. Injecting application secrets from an external Vault into pods (**Agent Injector**).
-    * For running agent injector alone in the cluster, use v0.6.0 of Vault pack.
-    * Make sure to set `injector.externalVaultAddr` to point to the external Vault server.
+#### Storage
 
-## How secrets are injected in deployments?
+In a production Vault server, backend storage is on a data persistent layer, is untrusted and only stores encrypted data. In a dev mode Vault server, all data is stored in-memory and will be erased when Vault restarts. 
-In a production Vault server, backend storage is on a data persistent layer, is untrusted and only stores encrypted data. In a dev mode Vault server, all data is stored in-memory and will be erased when Vault restarts. 
+In a production Vault server, backend storage is on a data persistent layer, is untrusted, and only stores encrypted data. In a dev mode Vault server, all data is stored in-memory and will be erased when Vault restarts. 
-In a production Vault server, backend storage is on a data persistent layer, is untrusted and only stores encrypted data. In a dev mode Vault server, all data is stored in-memory and will be erased when Vault restarts. 
+In a production Vault server, backend storage is on a data persistent layer, is untrusted, and only stores encrypted data. In a dev mode Vault server, all data is stored in-memory and will be erased when Vault restarts. 
 
-In Kubernetes clusters with Vault integrated, secrets can be injected into the application pods by adding the following annotations:
+##### RKE2
 
-```yaml
-vault.hashicorp.com/agent-inject: "true"
-vault.hashicorp.com/agent-inject-secret-<unique_name>: /path/to/secret
-vault.hashicorp.com/role: "<role using which the secret can be fetced>"
+When using Vault with the RKE2 distribution of Kubernetes in Palette Edge, you must explicitly specify a storage class for the Vault server. To specify a storage class, change the value of the field  `charts.vault.server.dataStorage.storageClass` in `values.yaml` for the Vault pack in your cluster profile from `null` to a storage class that meets your needs. Refer to [Kubernetes documentation on storage classes](https://kubernetes.io/docs/concepts/storage/storage-classes/) for more details. 
+
+
+
+### Terraform
+
+You can reference the Vault pack in Terraform with a data resource:
+
+```hcl
+data "spectrocloud_registry" "public_registry" {
+  name = "Public Repo"
+}
+
+data "spectrocloud_pack_simple" "pack-info" {
+  name         = "vault"
+  version      = "0.22.0"
+  type         = "helm"
+  registry_uid = data.spectrocloud_registry.public_registry.id
+}
 ```
 
-More information on consuming Vault secrets can be found in [Vault docs](https://www.vaultproject.io/docs/platform/k8s/injector)
+</TabItem>
 
-## Ingress
+<TabItem label="Deprecated" value="Deprecated">
 
-Follow below steps to configure Ingress on Vault Server
+:::caution
+
+All versions of the manifest-based pack less than v0.22.x are considered deprecated. Upgrade to a newer version to take advantage of new features.
+
+:::
+
+</TabItem>
+
+</Tabs>
 
-1. Make sure serviceType is not set for Vault Server. That way, serviceType will default to ClusterIP
-   * Version 0.6.0 - line #289
-   * Version 0.3.1 - line #96
-2. Ingress
-   * Enable Ingress ; Change enabled from false to "true"
-   * Set Ingress rules like annotations, path, hosts etc.
-   * Version 0.6.0 - line #146
-   * Version 0.3.1 - line #96
 
-With these config changes, you can access Vault service on the Ingress Controller LoadBalancer hostname / IP
 
 ## References