Skip to content

How to upgrade the Vault Package chart💣

  1. Sync with upstream chart. This can be done with kpt or meld:
kpt pkg update chart/@{TAG} --strategy alpha-git-patch

or

kpt pkg update chart/@{TAG} --strategy force-delete-replace

or

Meld UI

BigBang makes modifications to the upstream helm chart. The full list of changes is at the end of this document.

Testing new Vault version💣

  1. Create a k8s dev environment. One option is to use the Big Bang k3d-dev.sh with no arguments which will give you the default configuration. The following steps assume you are using the script.
  2. Follow the instructions at the end of the script to connect to the k8s cluster and install flux.
  3. Deploy Vault with these dev values overrides. Core apps are disabled for quick deployment.
  4. Kyverno blocks PVC provisioning on k3d by default because they are local path, need to add the dev exception(s)
    domain: bigbang.dev

    flux:
      interval: 1m
      rollback:
        cleanupOnFail: false

    networkPolicies:
      enabled: true

    istio:
      enabled: true

    istiooperator:
      enabled: true

    jaeger:
      enabled: false

    kiali:
      enabled: false

    clusterAuditor:
      enabled: false

    gatekeeper:
      enabled: false

    logging:
      enabled: false

    eckoperator:
      enabled: false

    fluentbit:
      enabled: false

    monitoring:
      enabled: false

    twistlock:
      enabled: false

  kyvernoPolicies:
  enabled: true
  values:
    exclude:
      any:
      # Allows k3d load balancer to bypass policies.
      - resources:
          namespaces:
          - istio-system
          - vault
          names:
          - svclb-*
    policies:
      restrict-host-path-mount-pv:
        parameters:
          allow:
          - /var/lib/rancher/k3s/storage/pvc-*

    sso:
      oidc:
        host: login.dso.mil
        realm: baby-yoda
      client_secret: ""

    addons:
      vault:
        enabled: true
        values:
          autoInit:
            enabled: true

Modifications made to upstream chart💣

This is a high-level list of modifitations that Big Bang has made to the upstream helm chart. You can use this as as cross-check to make sure that no modifications were lost during the upgrade process.

chart/charts/*💣

  • sub-charts generated with helm dependency update

chart/dashboards/*💣

  • Grafana dashboard support

chart/deps/*💣

  • add MinIO and helm dependency update

chart/templates/bigbang/*💣

  • add templates to support Big Bang integration

chart/templates/server-service.yaml💣

  • add prometeus-metrics: "true" to end of metadata: labels:

chart/templates/injector-deployment.yaml💣

  • ensure AGENT_INJECT_VAULT_ADDR environment variable has third if else option checking for .Values.server.ha.apiAddr. This is a BigBang addition.

chart/templates/csi-daemonset.yaml💣

  • ensure VAULT_ADDR environment variable has if else option checking for .Values.server.ha.apiAddr. This is a BigBang addition.

chart/templates/tests/*💣

  • delete server-test.yaml

chart/tests/*💣

  • add cypress tests

chart/Chart.yaml💣

  • version/appVersion
  • add gluon dependency
  • Update bigbang.dev/applicationVersions

chart/values.yaml💣


Last update: 2023-04-25 by Christopher O'Connell