From ee23fda56c98c85f1b86e59701a58df95e7f1b98 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Tue, 5 Jan 2021 17:42:43 -0800 Subject: [PATCH 1/3] Adding documentation for multiple replicas Describes the setup and config for using multiple injector replicas with auto and manual TLS. --- .../platform/k8s/injector/installation.mdx | 28 ++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/website/content/docs/platform/k8s/injector/installation.mdx b/website/content/docs/platform/k8s/injector/installation.mdx index 3f5d82ea30f..d87409b1019 100644 --- a/website/content/docs/platform/k8s/injector/installation.mdx +++ b/website/content/docs/platform/k8s/injector/installation.mdx @@ -21,7 +21,7 @@ $ helm repo add hashicorp https://helm.releases.hashicorp.com $ helm search repo hashicorp/vault NAME CHART VERSION APP VERSION DESCRIPTION -hashicorp/vault 0.5.0 Install and configure Vault on Kubernetes. +hashicorp/vault 0.9.0 1.6.1 Official HashiCorp Vault Chart ``` Then install the chart and enable the injection feature by setting the 
@@ -65,6 +65,32 @@ The following is required to configure TLS manually: For more information on configuring manual TLS, see the [Vault Helm cert values](/docs/platform/k8s/helm/configuration#certs). +## Multiple Replicas and TLS + +The Vault Agent Injector can be run with multiple replicas if using [Manual +TLS](#manual-tls), and as of v0.7.0 multiple replicas are also supported with +[Auto TLS](#auto-tls). The number of replicas is controlled in the Vault Helm +chart by the [injector.replicas +value](/docs/platform/k8s/helm/configuration#replicas). + +With Auto TLS, a leader-elector sidecar container is deployed with each replica. +These sidecars determine which injector replica is the "leader" in charge of +generating the CA and patching the webhook caBundle in Kubernetes, and also +generating and distributing the certificate and key to the "followers". The +followers read the certificate and key needed for the webhook service listener +from a Kubernetes Secret, which is updated by the leader when a certificate is +near expiration. + +The leader-elector sidecar in use is described in detail [here][k8s-blog]. For +more information on configuring leader election, see the [Vault Helm +leaderElector values](/docs/platform/k8s/helm/configuration#leaderelector). + +With Manual TLS, +[injector.leaderElector.enabled](/docs/platform/k8s/helm/configuration#enabled-2) +should be set to `false` since leader-election is not necessary in this case. + +[k8s-blog]: "Simple leader election with Kubernetes and Docker" + ## Namespace Selector By default, the Vault Agent Injector will process all namespaces in Kubernetes except From fa2b264b688c5868709135947e7c7973641a91a1 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Wed, 6 Jan 2021 09:38:31 -0800 Subject: [PATCH 2/3] Update website/content/docs/platform/k8s/injector/installation.mdx Co-authored-by: Tom Proctor --- website/content/docs/platform/k8s/injector/installation.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/website/content/docs/platform/k8s/injector/installation.mdx b/website/content/docs/platform/k8s/injector/installation.mdx index d87409b1019..d1a7a161a42 100644 --- a/website/content/docs/platform/k8s/injector/installation.mdx +++ b/website/content/docs/platform/k8s/injector/installation.mdx @@ -85,7 +85,7 @@ The leader-elector sidecar in use is described in detail [here][k8s-blog]. For more information on configuring leader election, see the [Vault Helm leaderElector values](/docs/platform/k8s/helm/configuration#leaderelector). -With Manual TLS, +With Manual TLS and multiple replicas, [injector.leaderElector.enabled](/docs/platform/k8s/helm/configuration#enabled-2) should be set to `false` since leader-election is not necessary in this case. From 8158cf7999ae4c83a9c14d822e38c694393c502a Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Wed, 6 Jan 2021 10:14:40 -0800 Subject: [PATCH 3/3] More info around multiple vs one replica --- .../docs/platform/k8s/injector/installation.mdx | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/website/content/docs/platform/k8s/injector/installation.mdx b/website/content/docs/platform/k8s/injector/installation.mdx index d1a7a161a42..5e63eff86f8 100644 --- a/website/content/docs/platform/k8s/injector/installation.mdx +++ b/website/content/docs/platform/k8s/injector/installation.mdx 
@@ -73,13 +73,13 @@ TLS](#manual-tls), and as of v0.7.0 multiple replicas are also supported with chart by the [injector.replicas value](/docs/platform/k8s/helm/configuration#replicas). -With Auto TLS, a leader-elector sidecar container is deployed with each replica. -These sidecars determine which injector replica is the "leader" in charge of -generating the CA and patching the webhook caBundle in Kubernetes, and also -generating and distributing the certificate and key to the "followers". The -followers read the certificate and key needed for the webhook service listener -from a Kubernetes Secret, which is updated by the leader when a certificate is -near expiration. +With Auto TLS and multiple replicas, a leader-elector sidecar container is +deployed with each replica. These sidecars determine which injector replica is +the "leader" in charge of generating the CA and patching the webhook caBundle in +Kubernetes, and also generating and distributing the certificate and key to the +"followers". The followers read the certificate and key needed for the webhook +service listener from a Kubernetes Secret, which is updated by the leader when a +certificate is near expiration. The leader-elector sidecar in use is described in detail [here][k8s-blog]. For more information on configuring leader election, see the [Vault Helm @@ -89,6 +89,9 @@ With Manual TLS and multiple replicas, [injector.leaderElector.enabled](/docs/platform/k8s/helm/configuration#enabled-2) should be set to `false` since leader-election is not necessary in this case. +If there is only one replica set (regardless of other TLS or leaderElector +settings), no leader-elector containers will be deployed. + [k8s-blog]: "Simple leader election with Kubernetes and Docker" ## Namespace Selector
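Review bot: the reference-style link definition added at the end of the new section in patch 1, `[k8s-blog]: "Simple leader election with Kubernetes and Docker"`, carries only a title and no URL, so the `[here][k8s-blog]` reference in "The leader-elector sidecar in use is described in detail [here][k8s-blog]" will not resolve when the MDX renders; put the blog post's URL before the quoted title. In the same hunk, "as of v0.7.0 multiple replicas are also supported with Auto TLS" does not say whose version that is (the Vault Helm chart or the injector image), and since the text states that the leader patches the webhook caBundle and writes the certificate and key to a Kubernetes Secret that the followers read, a sentence naming the RBAC permissions that implies for the injector's service account would help operators who need to scope it.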
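Review bot: the reworded sentence in patch 2, "With Manual TLS and multiple replicas, injector.leaderElector.enabled should be set to `false` since leader-election is not necessary in this case", still leaves open what the default value is and what happens if it is left enabled alongside manually provided certificates (in particular whether a leader would still be elected and attempt to generate and write a certificate Secret); stating the default and the consequence of not changing it would make the recommendation actionable.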
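Review bot: "If there is only one replica set" in the sentence added in patch 3 reads as the Kubernetes ReplicaSet object rather than the injector.replicas value the section is about; suggest "If injector.replicas is set to 1" or "If only one replica is configured". The parenthetical "(regardless of other TLS or leaderElector settings)" also sits directly under the paragraph telling users to set injector.leaderElector.enabled to `false` for Manual TLS, so it is worth saying explicitly that with a single replica that setting has no effect, to avoid readers wondering whether both instructions apply to them.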