diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 3de29b65..8b49bf68 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -43,3 +43,50 @@ jobs: - name: Build run: hugo + + test: + name: Link check with htmltest + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + with: + submodules: 'recursive' + + - name: Set up Hugo + uses: peaceiris/actions-hugo@16361eb4acea8698b220b76c0d4e84e1fd22c61d # v2.6.0 + with: + hugo-version: '0.110.0' + extended: true + + - name: Set up Node + uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + with: + node-version: 16 + + - name: Install dependencies + run: | + cd themes/docsy + npm install + + - name: Set up PostCSS + run: npm install --save-dev autoprefixer postcss-cli postcss + + - name: Build + run: hugo + + - name: Test HTML + # https://github.com/wjdp/htmltest-action/ + continue-on-error: false # <- Set to true if run shouldn't fail with broken links + uses: wjdp/htmltest-action@master + with: + config: .htmltest.yml + path: public + + - name: Archive htmltest results + uses: actions/upload-artifact@v3 + with: + name: htmltest-report + path: tmp/.htmltest/htmltest.log + retention-days: 7 # default is 90 days diff --git a/.htmltest.yml b/.htmltest.yml new file mode 100644 index 00000000..d855f89e --- /dev/null +++ b/.htmltest.yml @@ -0,0 +1,13 @@ +DirectoryPath: public +CheckDoctype: true +IgnoreAltMissing: false +IgnoreDirectoryMissingTrailingSlash: true +IgnoreDirs: [_print] +IgnoreEmptyHref: false +IgnoreInternalEmptyHash: true +IgnoreURLs: +- ^https?://localhost\b +- ^https://github\.com/bank-vaults/bank-vaults\.dev/commit/ +- ^https://github\.com/orgs/bank-vaults/projects/ +- ^https://www.nitrokey.com/ +TestFilesConcurrently: false diff --git a/content/docs/installing/_index.md b/content/docs/installing/_index.md index ffe010ca..4be13b20 100644 
--- a/content/docs/installing/_index.md +++ b/content/docs/installing/_index.md @@ -4,12 +4,12 @@ weight: 10 --- Bank-Vaults is a swiss-army knife with multiple manifestations, so the first steps depend on what you want to achieve. -Check one of the following guides to get an overview: + ## Deploy with Helm diff --git a/content/docs/mutating-webhook/configuration.md b/content/docs/mutating-webhook/configuration.md index e826874b..ed06e681 100644 --- a/content/docs/mutating-webhook/configuration.md +++ b/content/docs/mutating-webhook/configuration.md 
@@ -144,7 +144,7 @@ In this case, an init-container will be injected into the given Pod. This contai Currently, the Kubernetes Service Account-based Vault authentication mechanism is used by `vault-env`, so it requests a Vault token based on the Service Account of the container it is injected into. -- [GCP](https://developer.hashicorp.com/vault/docs/auth/gcp) and general [OIDC/JWT](https://developer.hashicorp.com/vault/docs/auth/jwt) authentication methods are supported as well, see the [example manifest](https://github.com/bank-vaults/vault-operator/blob/main/test/deploy/test-deployment-gcp.yaml). +- [GCP](https://developer.hashicorp.com/vault/docs/auth/gcp) and general [OIDC/JWT](https://developer.hashicorp.com/vault/docs/auth/jwt) authentication methods are supported as well, see the [example manifest](https://github.com/bank-vaults/secrets-webhook/blob/main/examples/test-deployment-gcp.yaml). - Kubernetes [Projected Service Account Tokens](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection) work too, as shown in [this example](https://github.com/bank-vaults/vault-operator/blob/main/test/oidc-pod.yaml). Kubernetes 1.12 introduced a feature called [APIServer dry-run](https://kubernetes.io/blog/2019/01/14/apiserver-dry-run-and-kubectl-diff/) which became beta as of 1.13. This feature requires some changes in webhooks with side effects. Vault mutating admission webhook is `dry-run aware`. diff --git a/content/docs/mutating-webhook/deploy.md b/content/docs/mutating-webhook/deploy.md index 6edfc855..de2ba8a7 100644 --- a/content/docs/mutating-webhook/deploy.md +++ b/content/docs/mutating-webhook/deploy.md 
@@ -16,7 +16,7 @@ If you are getting the **x509: certificate signed by unknown authority app=vault `vault-env` by default replaces itself with the original process of the Pod after reading the secrets from Vault, but with the `vault.security.banzaicloud.io/vault-env-daemon: "true"` annotation this behavior can be changed. So `vault-env` can change to `daemon mode`, so `vault-env` starts the original process as a child process and remains in memory, and renews the lease of the requested Vault token and of the dynamic secrets (if requested any) until their final expiration time. -You can find a full example using MySQL dynamic secrets in the [Bank-Vaults project's Vault Operator repository](https://github.com/bank-vaults/vault-operator/blob/main/test/deploy/test-dynamic-env-vars.yaml): +You can find a full example using MySQL dynamic secrets in the [Bank-Vaults project's Vault Operator repository](https://github.com/bank-vaults/secrets-webhook/blob/main/examples/test-dynamic-env-vars.yaml): ```bash # Deploy MySQL first as the Vault storage backend and our application will request dynamic secrets for this database as well: diff --git a/content/docs/mutating-webhook/vault-agent-templating.md b/content/docs/mutating-webhook/vault-agent-templating.md index 7825c0cd..98eb1cfd 100644 --- a/content/docs/mutating-webhook/vault-agent-templating.md +++ b/content/docs/mutating-webhook/vault-agent-templating.md 
@@ -55,7 +55,7 @@ For the webhook to detect that it will need to mutate or change a PodSpec, add t |-------------------------------------|-----------------------------------------------------------------|--------------------------------------------------------------| | VAULT_IMAGE | hashicorp/vault:latest | The vault image to use for the sidecar container | | VAULT_IMAGE_PULL_POLICY | IfNotPresent | The pull policy for the vault agent container | -| VAULT_ADDR | | Kubernetes service Vault endpoint URL | +| VAULT_ADDR | https://127.0.0.1:8200 | Kubernetes service Vault endpoint URL | | VAULT_TLS_SECRET | "" | Supply a secret with the vault TLS CA so TLS can be verified | | VAULT_AGENT_SHARE_PROCESS_NAMESPACE | Kubernetes version <1.12 default off, 1.12 or higher default on | ShareProcessNamespace override | diff --git a/content/docs/operator/hsm/nitrokey-opensc.md b/content/docs/operator/hsm/nitrokey-opensc.md index 3389beba..9b34be0d 100644 --- a/content/docs/operator/hsm/nitrokey-opensc.md +++ b/content/docs/operator/hsm/nitrokey-opensc.md @@ -202,8 +202,8 @@ Since the HSM is a hardware device connected to a physical node, Bank-Vaults has time="2020-03-04T13:32:29Z" level=info msg="joining leader vault..." time="2020-03-04T13:32:29Z" level=info msg="vault metrics exporter enabled: :9091/metrics" [GIN-debug] [WARNING] Running in "debug" mode. Switch to "release" mode in production. - - using env: export GIN_MODE=release - - using code: gin.SetMode(gin.ReleaseMode) + - using env: export GIN_MODE=release + - using code: gin.SetMode(gin.ReleaseMode) [GIN-debug] GET /metrics --> github.com/gin-gonic/gin.WrapH.func1 (3 handlers) [GIN-debug] Listening and serving HTTP on :9091 diff --git a/content/docs/operator/reference.md b/content/docs/operator/reference.md index 9c47f845..c54c3719 100644 --- a/content/docs/operator/reference.md +++ b/content/docs/operator/reference.md 
@@ -119,13 +119,13 @@ _Appears in:_ #### `name` (_string_) -Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names +Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names #### `labels` (_object (keys:string, values:string)_) -Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels +Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ #### `annotations` (_object (keys:string, values:string)_) -Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations +Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ ### EmbeddedPersistentVolumeClaim 
@@ -565,12 +565,13 @@ VaultConfigurerLabels define a set of Kubernetes labels that will be added to al #### `vaultConfigurerPodSpec` (_[EmbeddedPodSpec](#embeddedpodspec)_) VaultConfigurerPodSpec is a Kubernetes Pod specification snippet (`spec:` block) that will be merged into the operator generated Vault Configurer Pod specification. default: -#### `config` (_[JSON](#json)_) +#### `config` (_JSON_) Config is the Vault Server configuration. See https://www.vaultproject.io/docs/configuration/ for more details. default: -#### `externalConfig` (_[JSON](#json)_) +#### `externalConfig` (_JSON_) + +ExternalConfig is higher level configuration block which instructs the Bank Vaults Configurer to configure Vault through its API, thus allows setting up: - Secret Engines - Auth Methods - Audit Devices - Plugin Backends - Policies - Startup Secrets (Bank Vaults feature) -ExternalConfig is higher level configuration block which instructs the Bank Vaults Configurer to configure Vault through its API, thus allows setting up: - Secret Engines - Auth Methods - Audit Devices - Plugin Backends - Policies - Startup Secrets (Bank Vaults feature) A documented example: https://github.com/bank-vaults/vault-operator/blob/main/vault-config.yml default: #### `unsealConfig` (_[UnsealConfig](#unsealconfig)_) UnsealConfig defines where the Vault cluster's unseal keys and root token should be stored after initialization. See the type's documentation for more details. Only one method may be specified. default: Kubernetes Secret based unsealing diff --git a/content/docs/operator/templating-configuration.md b/content/docs/operator/templating-configuration.md index f82e43c6..c8be6c0f 100644 --- a/content/docs/operator/templating-configuration.md +++ b/content/docs/operator/templating-configuration.md 
@@ -34,7 +34,7 @@ In this case, `vault-configurer` evaluates the value of `MY_ENVIRONMENT_VARIABLE Note that you can also use [Sprig functions](#sprig-functions) and [custom Kubernetes-related functions](#custom-functions) in your templates. -For a detailed example, see the [Using templates for injecting dynamic configuration in Vault](https://techblog.cisco.com/bank-vaults-templates#full-example) blog post. + ## Sprig functions diff --git a/content/docs/operator/tls/_index.md b/content/docs/operator/tls/_index.md index 2d539f44..8f42cf6c 100644 --- a/content/docs/operator/tls/_index.md +++ b/content/docs/operator/tls/_index.md @@ -77,7 +77,7 @@ To use an existing secret which contains the TLS certificate, define [existingTl If you don't want to use the certificates generated by Helm or the Bank-Vaults operator, the easiest way to create a custom certificate for Bank-Vaults is using [CFSSL](https://github.com/cloudflare/cfssl). -The [TLS directory in the documentation](https://github.com/bank-vaults/bank-vaults.dev/tree/main/content/docs/tls) holds a set of custom CFSSL configurations which are prepared for the Helm release name `vault` in the `default` namespace. Of course, you can put any other certificates into the Secret below, this is just an example. +The [TLS directory in the documentation](https://github.com/bank-vaults/bank-vaults.dev/tree/main/content/docs/operator/tls) holds a set of custom CFSSL configurations which are prepared for the Helm release name `vault` in the `default` namespace. Of course, you can put any other certificates into the Secret below, this is just an example. 1. Install [CFSSL](https://github.com/cloudflare/cfssl). 2. Create a CA:
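Review bot: In the `.github/workflows/ci.yaml` hunk, the new `Test HTML` step uses `wjdp/htmltest-action@master`, a mutable branch ref, while every other action in this job is pinned to a full commit SHA with a version comment; pin it the same way (`uses: wjdp/htmltest-action@<sha> # vX.Y.Z`), and do the same for `actions/upload-artifact@v3`, which is a movable tag rather than a SHA. Two smaller points in the same hunk: the `Archive htmltest results` step never runs when the link check fails, because the preceding step is `continue-on-error: false` and the job stops, so the report is lost exactly when it is needed; add `if: always()` to the upload step. And the `test` job repeats the checkout, Hugo, Node, `npm install` and `hugo` build steps of the existing build job; consider uploading the built `public` directory from that job and consuming it here, or at least use `npm ci` so the theme's lockfile is honoured rather than `npm install`.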
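Review bot: In the new `.htmltest.yml`, the last `IgnoreURLs` pattern `^https://www.nitrokey.com/` leaves its dots unescaped while the other patterns escape them (`github\.com`); the unescaped dots match any character, which is harmless here but inconsistent, so write `^https://www\.nitrokey\.com/` for clarity. It would also help to leave a comment per ignore entry saying why it is skipped (for example, that the GitHub `/commit/` and `/projects/` URLs rate-limit or require login), since a growing untreated ignore list is how dead links silently survive a link checker.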
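Review bot: In the `content/docs/mutating-webhook/configuration.md` hunk, the GCP example link moves from `vault-operator/blob/main/test/deploy/` to `secrets-webhook/blob/main/examples/`, but the very next unchanged line still points at `https://github.com/bank-vaults/vault-operator/blob/main/test/oidc-pod.yaml`; if the test manifests have moved to the secrets-webhook repository, that link most likely needs the same treatment, and if it still resolves, a one-line comment on why the two examples live in different repositories would stop the next reader from "fixing" it.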
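Review bot: In the `content/docs/mutating-webhook/deploy.md` hunk, the link target now points at `https://github.com/bank-vaults/secrets-webhook/blob/main/examples/test-dynamic-env-vars.yaml`, but the link text still reads "Bank-Vaults project's Vault Operator repository", so the sentence now names the wrong repository; update the text to match the new target (for example "Bank-Vaults project's secrets-webhook repository").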
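Review bot: In the `content/docs/mutating-webhook/vault-agent-templating.md` hunk, the new `VAULT_ADDR` default `https://127.0.0.1:8200` contradicts the unchanged description "Kubernetes service Vault endpoint URL": a loopback address from inside the injected sidecar only reaches Vault if Vault runs in the same Pod, not a cluster Service. Please confirm this is the value the webhook actually injects, and either amend the description or the default; note also that an `https://` loopback address only verifies against a certificate carrying an IP SAN for `127.0.0.1`, which interacts with the `VAULT_TLS_SECRET` row directly below.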
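Review bot: In the `content/docs/operator/reference.md` hunk at `@@ -565,12 +565,13 @@`, the rewritten `externalConfig` entry drops both the "A documented example: https://github.com/bank-vaults/vault-operator/blob/main/vault-config.yml" pointer and the trailing `default:` marker, while the sibling entries (`config`, `unsealConfig`) keep their `default:` line; if the example link was removed because it 404s, point at the file's new location rather than deleting the only worked example of external configuration, and keep `default:` for consistency. If this reference is generated from the CRD Go types (the `_Appears in:_` layout suggests so), the change belongs in the type's doc comment or it will be overwritten on the next regeneration.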
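Review bot: In the `content/docs/operator/templating-configuration.md` hunk, the line "For a detailed example, see the [Using templates for injecting dynamic configuration in Vault](https://techblog.cisco.com/bank-vaults-templates#full-example) blog post." is deleted and replaced with an empty `+` line, which removes the page's only pointer to a full example and leaves a stray blank line before the `## Sprig functions` heading. If the URL is merely unreachable from CI, add it to `IgnoreURLs` in `.htmltest.yml`; if it is gone for good, prefer an archived copy or an in-repo example over silently dropping the reference. The same pattern appears in the `content/docs/installing/_index.md` hunk, where "Check one of the following guides to get an overview:" becomes a blank line without the guide list it introduced being visibly addressed.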