This directory holds the code of the Banzai Cloud Vault Operator.

Build the operator image with the operator-sdk (the module download and vendoring steps run from the repository root):

```bash
GO111MODULE=on go mod download
GO111MODULE=on go mod vendor
cd operator
operator-sdk build banzaicloud/vault-operator
```
Regenerate the Kubernetes API code (deep-copy functions for the CRD types) with the operator-sdk. The symlink is needed because operator-sdk expects a vendor directory inside operator/, while the vendored modules live at the repository root:

```bash
GO111MODULE=on go mod download
GO111MODULE=on go mod vendor
cd operator
ln -s ../vendor vendor
operator-sdk generate k8s
```
Some deployment samples can be found in the project's operator/deploy directory. Deploy the operator itself with:

```bash
kubectl apply -f operator/deploy/operator-rbac.yaml # only needed on an RBAC-enabled cluster
kubectl apply -f operator/deploy/operator.yaml
```
This creates a Kubernetes CustomResourceDefinition called Vault (and a PersistentVolume for it). A documented example of a Vault custom resource, i.e. an instance of this CRD, can be found in operator/deploy/cr.yaml. Apply it together with the RBAC objects the Vault pods need:

```bash
kubectl apply -f operator/deploy/rbac.yaml
kubectl apply -f operator/deploy/cr.yaml
```
To delete the Vault instance, its PersistentVolume and the RBAC objects:

```bash
kubectl delete -f operator/deploy/rbac.yaml
kubectl delete -f operator/deploy/cr.yaml
```
For the etcd-backed HA setup you additionally have to deploy the etcd-operator to the cluster:

```bash
kubectl apply -f operator/deploy/etcd-rbac.yaml
kubectl apply -f operator/deploy/etcd-operator.yaml
```
Now deploy an HA Vault which connects to an etcd storage backend:

```bash
kubectl apply -f operator/deploy/cr-etcd-ha.yaml
```
From now on, if you deploy a Vault custom resource into the cluster whose Vault configuration defines an etcd storage backend, the Vault operator will create an EtcdCluster custom resource for that Vault instance, and the etcd-operator will orchestrate the etcd cluster. Once the etcd cluster is ready the Vault instance can connect to it and will start up. If the Vault custom resource is deleted from the cluster, the etcd cluster is garbage-collected along with it, and its data goes with it. You therefore have to set up backup and restore for the etcd cluster yourself to prevent data loss; this part is not handled by the Vault operator. See the etcd-operator documentation on backups for more details.
If you want to use an existing etcd cluster instead, set etcdSize in the Vault custom resource to a value below 0. The operator will then not create a new EtcdCluster, and the settings under the etcd storage block of the Vault configuration are used as-is rather than being overridden with the address of an operator-managed cluster.
If you want to set up pod anti-affinity, set podAntiAffinity in the Vault custom resource to a topologyKey value. For example, failure-domain.beta.kubernetes.io/zone forces Kubernetes to spread the Vault pods across availability zones. Note that this label is deprecated since Kubernetes 1.17 in favour of topology.kubernetes.io/zone; use whichever label your nodes actually carry, otherwise the anti-affinity rule cannot be satisfied and the pods stay Pending.
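The following Vault custom resource combines the two settings above: an existing etcd cluster (negative etcdSize) and zone-level pod anti-affinity. It is an added illustration, not a file shipped with the project, and the field names other than etcdSize and podAntiAffinity (size, image, config and the etcd storage keys, which follow Vault's own storage configuration) are assumptions about the CRD schema; compare against operator/deploy/cr-etcd-ha.yaml before using it.

```yaml
# Added example of a Vault custom resource; not part of the project's deploy samples.
# Assumed fields: size, image, config (the operator passes config through as the
# Vault server configuration). etcdSize and podAntiAffinity are the documented ones.
apiVersion: vault.banzaicloud.com/v1alpha1
kind: Vault
metadata:
  name: vault
spec:
  size: 3
  image: vault:1.0.0

  # Negative etcdSize: the operator creates no EtcdCluster and leaves the
  # config.storage.etcd block below untouched, so the address you give is used.
  etcdSize: -1

  # One Vault pod per zone. On Kubernetes >= 1.17 use topology.kubernetes.io/zone
  # instead of the deprecated beta label.
  podAntiAffinity: failure-domain.beta.kubernetes.io/zone

  config:
    storage:
      etcd:
        # Assumed address of a pre-existing etcd service; replace with your own.
        address: https://etcd-client.etcd.svc:2379
        etcd_api: v3
        ha_enabled: "true"
        # Client certificates for a TLS-enabled etcd (paths inside the Vault pod).
        tls_ca_file: /etc/etcd/ca.crt
        tls_cert_file: /etc/etcd/client.crt
        tls_key_file: /etc/etcd/client.key
    listener:
      tcp:
        address: "0.0.0.0:8200"
        # tls_disable: true is only acceptable for local testing; in production
        # point tls_cert_file/tls_key_file at a real certificate instead.
        tls_disable: true
```

With etcdSize left unset or positive, the operator would instead create an EtcdCluster of that size and rewrite the storage address to point at it, which is the behaviour described for cr-etcd-ha.yaml above.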