»Configuring Vault Helm with Terraform
Terraform may also be used to configure and deploy the Vault Helm chart, by using the Helm provider.
For example, to configure the chart to deploy HA Vault with integrated storage (raft), the values overrides can be set on the command-line, in a values yaml file, or with a Terraform configuration:
# Install the Vault chart in HA mode with integrated (raft) storage.
# No --version is passed, so Helm resolves the chart version at install time;
# pass --version to pin the chart when deployments must be repeatable.
$ helm install vault hashicorp/vault \
    --set 'server.ha.enabled=true' \
    --set 'server.ha.raft.enabled=true'
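# Helm values override: run Vault in HA mode backed by integrated (raft)
# storage. Nesting mirrors the --set paths server.ha.enabled and
# server.ha.raft.enabled.
server:
  ha:
    enabled: true
    raft:
      enabled: true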
# The Helm provider reaches the cluster through this kubeconfig, so the
# release is created with the permissions of the identity that file selects.
provider "helm" {
  kubernetes {
    config_path = "~/.kube/config"
  }
}

# Deploys the Vault chart in HA mode with integrated (raft) storage.
# NOTE(review): no `version` is set, so the chart version is resolved when
# Terraform runs; set `version` to keep applies reproducible.
resource "helm_release" "vault" {
  name       = "vault"
  repository = "https://helm.releases.hashicorp.com"
  chart      = "vault"

  # Same override as --set server.ha.enabled=true
  set {
    name  = "server.ha.enabled"
    value = "true"
  }

  # Same override as --set server.ha.raft.enabled=true
  set {
    name  = "server.ha.raft.enabled"
    value = "true"
  }
}
The values file can also be used directly in the Terraform configuration with the `values` directive.
»Further Examples
»Vault config as a multi-line string
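# Helm values override: HA Vault on raft with the server configuration
# supplied inline as a multi-line string.
server:
  ha:
    enabled: true
    raft:
      enabled: true
      setNodeId: true
      # Everything under `config: |` is a single string holding Vault's HCL
      # configuration.
      # NOTE(review): `tls_disable = 1` makes the listener on port 8200 serve
      # plain HTTP, so Vault tokens and secrets cross the pod network
      # unencrypted. Outside of a demo, configure tls_cert_file and
      # tls_key_file on the listener instead of disabling TLS.
      # The awskms seal hands unsealing to the named KMS key; the identity
      # Vault runs as should be granted access to that key only.
      config: |
        ui = false
        listener "tcp" {
          tls_disable = 1
          address = "[::]:8200"
          cluster_address = "[::]:8201"
        }
        storage "raft" {
          path = "/vault/data"
        }
        service_registration "kubernetes" {}
        seal "awskms" {
          region = "us-west-2"
          kms_key_id = "alias/my-kms-key"
        }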
# HA Vault on raft, with the Vault server configuration passed as a heredoc.
resource "helm_release" "vault" {
  name       = "vault"
  repository = "https://helm.releases.hashicorp.com"
  chart      = "vault"

  set {
    name  = "server.ha.enabled"
    value = "true"
  }

  set {
    name  = "server.ha.raft.enabled"
    value = "true"
  }

  set {
    name  = "server.ha.raft.setNodeId"
    value = "true"
  }

  # The heredoc is Vault's own HCL configuration, passed through as a string.
  # NOTE(review): `tls_disable = 1` makes the listener on port 8200 serve
  # plain HTTP, so Vault tokens and secrets cross the pod network
  # unencrypted. Outside of a demo, configure tls_cert_file and tls_key_file
  # on the listener instead of disabling TLS.
  # The awskms seal hands unsealing to the named KMS key; the identity Vault
  # runs as should be granted access to that key only.
  set {
    name  = "server.ha.raft.config"
    value = <<EOT
ui = false
listener "tcp" {
  tls_disable = 1
  address = "[::]:8200"
  cluster_address = "[::]:8201"
}
storage "raft" {
  path = "/vault/data"
}
service_registration "kubernetes" {}
seal "awskms" {
  region = "us-west-2"
  kms_key_id = "alias/my-kms-key"
}
EOT
  }
}
»Lists of volumes and volumeMounts
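# Helm values override: mount the Kubernetes secret `my-gcp-iam` into the
# Vault server pods, read-only, at /vault/userconfig/my-gcp-iam.
server:
  volumes:
    - name: userconfig-my-gcp-iam
      secret:
        # 420 is the decimal form of octal 0644: the projected secret files
        # are readable by every user in the container.
        # NOTE(review): a tighter mode may be enough if only the Vault
        # process needs the files; check against the pod's securityContext.
        defaultMode: 420
        secretName: my-gcp-iam
  volumeMounts:
    - mountPath: /vault/userconfig/my-gcp-iam
      name: userconfig-my-gcp-iam
      readOnly: true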
# Mounts the Kubernetes secret `my-gcp-iam` into the Vault server pods.
# List entries are addressed by index ([0]) in the `set` names.
resource "helm_release" "vault" {
  name       = "vault"
  repository = "https://helm.releases.hashicorp.com"
  chart      = "vault"

  # --- volume definition -------------------------------------------------
  set {
    name  = "server.volumes[0].name"
    value = "userconfig-my-gcp-iam"
  }

  # 420 is the decimal form of octal 0644: the projected secret files are
  # readable by every user in the container.
  # NOTE(review): a tighter mode may be enough if only the Vault process
  # needs the files; check against the pod's securityContext.
  set {
    name  = "server.volumes[0].secret.defaultMode"
    value = "420"
  }

  set {
    name  = "server.volumes[0].secret.secretName"
    value = "my-gcp-iam"
  }

  # --- where the volume is mounted ---------------------------------------
  set {
    name  = "server.volumeMounts[0].mountPath"
    value = "/vault/userconfig/my-gcp-iam"
  }

  set {
    name  = "server.volumeMounts[0].name"
    value = "userconfig-my-gcp-iam"
  }

  set {
    name  = "server.volumeMounts[0].readOnly"
    value = "true"
  }
}
»Annotations
Annotations can be set as a YAML map:
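# Helm values override: ingress annotations given as a YAML map.
server:
  ingress:
    annotations:
      # Kubernetes annotation values must be strings. An unquoted `true` is
      # parsed as a YAML boolean, so it is quoted here.
      service.beta.kubernetes.io/azure-load-balancer-internal: "true"
      service.beta.kubernetes.io/azure-load-balancer-internal-subnet: apps-subnet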
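# Ingress annotations set one key at a time. The dots inside the annotation
# key are escaped (`\\.`) so Helm reads them as part of the key rather than
# as path separators.
set {
  name  = "server.ingress.annotations.service\\.beta\\.kubernetes\\.io/azure-load-balancer-internal"
  value = "true"
  # Kubernetes annotation values must be strings. Without an explicit type
  # Helm would coerce "true" to a boolean.
  type = "string"
}

set {
  name  = "server.ingress.annotations.service\\.beta\\.kubernetes\\.io/azure-load-balancer-internal-subnet"
  value = "apps-subnet"
}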
or as a multi-line string:
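# Helm values override: ingress annotations given as one multi-line string.
server:
  ingress:
    # The block scalar reaches the chart as a single string. `true` is quoted
    # inside it so that it stays a string if that text is later parsed as
    # YAML; Kubernetes annotation values must be strings.
    annotations: |
      service.beta.kubernetes.io/azure-load-balancer-internal: "true"
      service.beta.kubernetes.io/azure-load-balancer-internal-subnet: apps-subnet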
# Ingress annotations passed as a single YAML-encoded string. The map values
# are HCL strings, so "true" is handed to yamlencode as a string rather than
# a boolean.
set {
  name = "server.ingress.annotations"
  type = "auto"
  value = yamlencode({
    "service.beta.kubernetes.io/azure-load-balancer-internal"        = "true"
    "service.beta.kubernetes.io/azure-load-balancer-internal-subnet" = "apps-subnet"
  })
}