From 0d146dc9429206f3be9b3989c2bbbe43cc839497 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sat, 23 May 2026 22:08:41 +1000
Subject: [PATCH] feat(vault): add port 8200 listener, consul SANs, consul service_registration
- Add SAN altnames vault.service.consul and vault.query.consul to cert
- Add vault-direct HTTPS listener on port 8200 (TLS terminate, same cert)
- Add vault-consul HTTPRoute binding consul DNS names to port 8200 listener
- Add vault-direct port 8200 entrypoint to traefik-internal
- Switch service_registration from kubernetes to consul (consul-server.consul.svc.cluster.local:8500)
---
 apps/base/vault/gateway.yaml | 12 ++++++++++
 apps/base/vault/httproute.yaml | 24 +++++++++++++++++++
 .../traefik-system/values-internal.yaml | 2 ++
 apps/overlays/au-syd1/vault/values.yaml | 4 +++-
 4 files changed, 41 insertions(+), 1 deletion(-)
diff --git a/apps/base/vault/gateway.yaml b/apps/base/vault/gateway.yaml
index 6895ff6..4c24ccc 100644
--- a/apps/base/vault/gateway.yaml
+++ b/apps/base/vault/gateway.yaml
@@ -12,6 +12,7 @@ metadata:
 cert-manager.io/cluster-issuer: vault-issuer
 cert-manager.io/common-name: vault.k8s.syd1.au.unkin.net
 cert-manager.io/private-key-size: "4096"
+ cert-manager.io/subject-alternative-names: vault.service.consul,vault.query.consul
 external-dns.alpha.kubernetes.io/hostname: vault.k8s.syd1.au.unkin.net
 external-dns.alpha.kubernetes.io/target: 198.18.200.4
 spec:
@@ -29,3 +30,14 @@ spec:
 certificateRefs:
 - kind: Secret
 name: vault-tls
+ - name: vault-direct
+ port: 8200
+ protocol: HTTPS
+ allowedRoutes:
+ namespaces:
+ from: Same
+ tls:
+ mode: Terminate
+ certificateRefs:
+ - kind: Secret
+ name: vault-tls
diff --git a/apps/base/vault/httproute.yaml b/apps/base/vault/httproute.yaml
index 2622095..9668808 100644
--- a/apps/base/vault/httproute.yaml
+++ b/apps/base/vault/httproute.yaml
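Review bot: The SAN list on the new `cert-manager.io/subject-alternative-names` annotation has to stay in step with the `hostnames` of the `vault-consul` HTTPRoute added in httproute.yaml, and nothing on the line records that coupling; a comment above it would help: `# Consul DNS names served by the vault-direct (8200) listener; keep in sync with the vault-consul HTTPRoute hostnames`. Changing the annotation should make cert-manager reissue `vault-tls`, which the existing 443 listener also presents, so the consul names become valid there too even though no route binds them at 443; harmless, but worth stating so nobody later reads it as an oversight.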
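Review bot: The new `vault-direct` listener carries no `hostname`, so it accepts any SNI and any HTTPRoute in the `vault` namespace can attach to it; if the existing route's `parentRefs` entry (outside this hunk) omits `sectionName`, it will bind to this listener as well and serve `vault.k8s.syd1.au.unkin.net` on 8200, which the commit message does not describe. Either add `sectionName` to the existing route's parentRef so each route is pinned to one listener, or confirm on the Gateway's listener status after apply that only `vault-consul` attached here. `allowedRoutes.namespaces.from: Same` is the right scope for a Vault-only listener; a one-line comment such as `# direct Vault API listener for Consul DNS names; see the vault-consul HTTPRoute` would explain why a second HTTPS listener with the same certificate exists.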
@@ -21,3 +21,27 @@ spec:
 - path:
 type: PathPrefix
 value: /
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: vault-consul
+ namespace: vault
+ labels:
+ app.kubernetes.io/name: vault
+ app.kubernetes.io/instance: vault
+spec:
+ hostnames:
+ - vault.service.consul
+ - vault.query.consul
+ parentRefs:
+ - name: vault
+ sectionName: vault-direct
+ rules:
+ - backendRefs:
+ - name: vault
+ port: 8200
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
diff --git a/apps/overlays/au-syd1/traefik-system/values-internal.yaml b/apps/overlays/au-syd1/traefik-system/values-internal.yaml
index 3c28466..c119afc 100644
--- a/apps/overlays/au-syd1/traefik-system/values-internal.yaml
+++ b/apps/overlays/au-syd1/traefik-system/values-internal.yaml
@@ -94,5 +94,7 @@ ports:
 port: 80
 websecure:
 port: 443
+ vault-direct:
+ port: 8200
 enabled: true
diff --git a/apps/overlays/au-syd1/vault/values.yaml b/apps/overlays/au-syd1/vault/values.yaml
index 8485dbe..d1f646a 100644
--- a/apps/overlays/au-syd1/vault/values.yaml
+++ b/apps/overlays/au-syd1/vault/values.yaml
@@ -40,7 +40,9 @@ server:
 }
 }
- service_registration "kubernetes" {}
+ service_registration "consul" {
+ address = "consul-server.consul.svc.cluster.local:8500"
+ }
 dataStorage:
 enabled: true
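Review bot: The `vault-consul` route only receives traffic if `vault.service.consul` and `vault.query.consul` resolve to the gateway address, but the `service_registration "consul"` stanza in the values.yaml hunk registers Vault's own advertised address (presumably its `api_addr`, i.e. the pod address) unless `service_address` is set, so Consul DNS would hand clients Vault directly on 8200 and this route and its listener would be bypassed. Decide which path is intended and record it: either add `service_address = "<gateway address; placeholder>"` to the registration stanza (the external-dns target `198.18.200.4` looks like that address, but confirm), or note in this file that the consul names reach the gateway only where Consul DNS is configured to point at it. The `sectionName: vault-direct` binding itself is the correct way to scope the route to the 8200 listener.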
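Review bot: The `vault-direct` entry sets only `port: 8200`; depending on the Traefik chart version, a custom port also needs `exposedPort: 8200`, `protocol: TCP` and an `expose` setting (`expose: {default: true}` on newer charts, `expose: true` on older ones) before it appears on the Traefik Service, otherwise the Gateway listener has an entrypoint that nothing outside the pod can reach. The `web`/`websecure` context lines show only `port`, so their exposure either sits elsewhere in the file or relies on chart defaults for those well-known names, which a new name may not get; confirm on the rendered Service that 8200 is present. A comment `# entrypoint backing the vault Gateway's vault-direct (8200) listener` would tie the entry to gateway.yaml by name.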
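Review bot: The new `service_registration "consul"` stanza talks to Consul over plain HTTP on 8500 with no ACL token or TLS settings: if Consul ACLs are enabled the registration is rejected and the failure is only visible in Vault's logs, and if they are not, any workload that can reach the Consul API can deregister or re-register the `vault` service, which is the name the new consul SANs and HTTPRoute depend on. Prefer `scheme = "https"` against Consul's HTTPS port with `tls_ca_file` so the registration traffic is encrypted in transit, and supply the ACL token through the `CONSUL_HTTP_TOKEN` environment variable from a Kubernetes Secret rather than as an inline `token` in this rendered config. The enclosing `server:` config block scalar starts outside the hunk.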