From 3990fbfe062791ce8e727654e8c86d8f38182d25 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Tue, 26 May 2026 00:06:56 +1000
Subject: [PATCH] feat(vault): switch to Kubernetes service registration (#171)

Replaces Consul service registration with the native Kubernetes provider so Vault labels its own pods with active/standby/perf-standby status without requiring a Consul dependency.

## Changes

- `values.yaml`: swap `service_registration "consul"` for `service_registration "kubernetes" {}`, add `VAULT_K8S_NAMESPACE` and `VAULT_K8S_POD_NAME` env vars via downward API
- `role_k8s-service-registration.yaml`: Role + RoleBinding granting the `vault` service account `get`/`update`/`patch` on pods
- `kustomization.yaml`: include new RBAC file

Reviewed-on: https://git.unkin.net/unkin/argocd-apps/pulls/171
---
 apps/base/vault/kustomization.yaml | 1 +
 .../vault/role_k8s-service-registration.yaml | 24 +++++++++++++++++++
 apps/overlays/au-syd1/vault/values.yaml | 12 +++++++---
 3 files changed, 34 insertions(+), 3 deletions(-)
 create mode 100644 apps/base/vault/role_k8s-service-registration.yaml

diff --git a/apps/base/vault/kustomization.yaml b/apps/base/vault/kustomization.yaml
index 2c2b5da..aa4c1ab 100644
--- a/apps/base/vault/kustomization.yaml
+++ b/apps/base/vault/kustomization.yaml
@@ -6,3 +6,4 @@ resources:
 - namespace.yaml
 - gateway.yaml
 - httproute.yaml
+ - role_k8s-service-registration.yaml
diff --git a/apps/base/vault/role_k8s-service-registration.yaml b/apps/base/vault/role_k8s-service-registration.yaml
new file mode 100644
index 0000000..68427ef
--- /dev/null
+++ b/apps/base/vault/role_k8s-service-registration.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: vault-k8s-service-registration
+ namespace: vault
+rules:
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "update", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: vault-k8s-service-registration
+ namespace: vault
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: vault-k8s-service-registration
+subjects:
+ - kind: ServiceAccount
+ name: vault
+ namespace: vault
diff --git a/apps/overlays/au-syd1/vault/values.yaml b/apps/overlays/au-syd1/vault/values.yaml
index d1f646a..95744bb 100644
--- a/apps/overlays/au-syd1/vault/values.yaml
+++ b/apps/overlays/au-syd1/vault/values.yaml
@@ -40,9 +40,7 @@ server:
 }
 }
- service_registration "consul" {
- address = "consul-server.consul.svc.cluster.local:8500"
- }
+ service_registration "kubernetes" {}
 dataStorage:
 enabled: true
@@ -50,6 +48,14 @@ server:
 storageClass: cephrbd-fast-delete
 accessMode: ReadWriteOnce
+ extraEnv:
+ - name: VAULT_K8S_NAMESPACE
+ value: vault
+ - name: VAULT_K8S_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+
 statefulSet:
 securityContext:
 container:
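Review bot: The Role at the top of this hunk grants `update`/`patch` on every pod in the `vault` namespace, while the Kubernetes service registration only needs to label the pod Vault itself runs in (the one named by `VAULT_K8S_POD_NAME`), so the `vault` service account can also rewrite the labels of any other pod deployed alongside it. If the server pods come from a StatefulSet with a fixed replica count their names are predictable and the rule can be pinned with `resourceNames: [...]`, which RBAC honours for `get`, `update` and `patch`. If that is not practical, record why the namespace-wide scope was accepted with a comment above `rules:`, e.g. `# Vault only patches the labels of its own pod; namespace-wide because pod names are not pinned here`. The `get` verb is harmless on its own but is what makes the wider scope readable as well as writable, so it belongs in the same justification.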
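Review bot: `VAULT_K8S_NAMESPACE` is pinned to the literal `value: vault` while `VAULT_K8S_POD_NAME` right below it comes from the downward API; take the namespace the same way so the variable can never disagree with the namespace the pod actually runs in: `valueFrom:` / `fieldRef:` / `fieldPath: metadata.namespace`. It is also worth confirming that the chart being deployed reads `server.extraEnv`: the upstream hashicorp/vault chart exposes extra environment as `server.extraEnvironmentVars` and already injects both `VAULT_K8S_*` variables from the downward API, and Helm ignores a values key its templates never read without any error, which would leave `service_registration "kubernetes" {}` in the previous hunk with no pod name to label. If the chart does inject them itself, the entries here would duplicate names in the container's env list, which the API server accepts but resolves last-wins. The `server:` mapping that both hunks live in starts outside the hunk.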