
How to upgrade the Vault Package chart

  1. Sync with upstream chart. This can be done with kpt or meld:
    kpt pkg update chart/@{TAG} --strategy alpha-git-patch
    
    or
    kpt pkg update chart/@{TAG} --strategy force-delete-replace
    
    or

Meld UI

Big Bang makes modifications to the upstream Helm chart. The full list of changes is at the end of this document.

Testing new Vault version

  1. Create a k8s dev environment. One option is to use the Big Bang k3d-dev.sh script with no arguments, which gives you the default configuration. The following steps assume you are using the script.
  2. Follow the instructions at the end of the script to connect to the k8s cluster and install flux.
  3. Deploy Vault with these dev values overrides. Core apps are disabled for quick deployment.
  4. Kyverno blocks PVC provisioning on k3d by default because the volumes are local path, so the dev exception(s) need to be added (see kyvernoPolicies in the overrides below):
        domain: bigbang.dev
    
        flux:
          interval: 1m
          rollback:
            cleanupOnFail: false
    
        networkPolicies:
          enabled: true
    
        istio:
          enabled: true
    
        istiooperator:
          enabled: true
    
        jaeger:
          enabled: false
    
        kiali:
          enabled: false
    
        clusterAuditor:
          enabled: false
    
        gatekeeper:
          enabled: false
    
        logging:
          enabled: false
    
        eckoperator:
          enabled: false
    
        fluentbit:
          enabled: false
    
        monitoring:
          enabled: false
    
        twistlock:
          enabled: false
    
        kyvernoPolicies:
          enabled: true
          values:
            exclude:
              any:
              # Allows k3d load balancer to bypass policies.
              - resources:
                  namespaces:
                  - istio-system
                  - vault
                  names:
                  - svclb-*
            policies:
              restrict-host-path-mount-pv:
                parameters:
                  allow:
                  - /var/lib/rancher/k3s/storage/pvc-*
    
        sso:
          oidc:
            host: login.dso.mil
            realm: baby-yoda
          client_secret: ""
    
        addons:
          vault:
            enabled: true
            values: 
              autoInit:
                enabled: true 
    

Modifications made to upstream chart

This is a high-level list of modifications that Big Bang has made to the upstream Helm chart. You can use this as a cross-check to make sure that no modifications were lost during the upgrade process.
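
One way to automate that cross-check after a sync, as an added example that is not part of the Big Bang repository. The function name check_bb_mods is hypothetical; the paths and strings it looks for are copied verbatim from the list below, so adjust them if your chart differs.

```shell
#!/bin/sh
# Added example: verify that the Big Bang modifications listed in this
# document survived an upstream sync. Call as: check_bb_mods chart
# Returns 0 when every check passes; $fails holds the number of misses.

check_bb_mods() {
  chart=${1:-chart}
  fails=0

  fail() { echo "MISSING: $1" >&2; fails=$((fails + 1)); }

  # Directories Big Bang adds on top of the upstream chart.
  for d in charts dashboards deps templates/bigbang tests; do
    [ -d "$chart/$d" ] || fail "$chart/$d/"
  done

  # The list says this upstream file must be deleted; a sync can restore it.
  [ ! -e "$chart/templates/tests/server-test.yaml" ] ||
    fail "templates/tests/server-test.yaml should be deleted"

  # file|fixed string that must still be present in that file.
  while IFS='|' read -r file needle; do
    [ -n "$file" ] || continue
    grep -qF -- "$needle" "$chart/$file" 2>/dev/null ||
      fail "'$needle' in $file"
  done <<'EOF'
templates/server-service.yaml|prometeus-metrics: "true"
templates/injector-deployment.yaml|.Values.server.ha.apiAddr
templates/csi-daemonset.yaml|.Values.server.ha.apiAddr
Chart.yaml|gluon
Chart.yaml|bigbang.dev/applicationVersions
EOF

  [ "$fails" -eq 0 ]
}
```

A presence check like this only catches modifications that were dropped outright; the Chart.yaml version fields and the template logic still need a manual diff review.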

chart/charts/*

  • sub-charts generated with helm dependency update

chart/dashboards/*

  • Grafana dashboard support

chart/deps/*

  • add MinIO and helm dependency update

chart/templates/bigbang/*

  • add templates to support Big Bang integration

chart/templates/server-service.yaml

  • add prometeus-metrics: "true" to the end of metadata: labels:

chart/templates/injector-deployment.yaml

  • ensure the AGENT_INJECT_VAULT_ADDR environment variable has a third if/else option checking for .Values.server.ha.apiAddr. This is a Big Bang addition.

chart/templates/csi-daemonset.yaml

  • ensure the VAULT_ADDR environment variable has an if/else option checking for .Values.server.ha.apiAddr. This is a Big Bang addition.

chart/templates/tests/*

  • delete server-test.yaml

chart/tests/*

  • add cypress tests

chart/Chart.yaml

  • version/appVersion
  • add gluon dependency
  • update bigbang.dev/applicationVersions

chart/values.yaml


Last update: 2023-04-25 by Christopher O'Connell