diff --git a/apps/base/vault/kustomization.yaml b/apps/base/vault/kustomization.yaml
index 2c2b5da..aa4c1ab 100644
--- a/apps/base/vault/kustomization.yaml
+++ b/apps/base/vault/kustomization.yaml
@@ -6,3 +6,4 @@ resources:
 - namespace.yaml
 - gateway.yaml
 - httproute.yaml
+ - role_k8s-service-registration.yaml
diff --git a/apps/base/vault/role_k8s-service-registration.yaml b/apps/base/vault/role_k8s-service-registration.yaml
new file mode 100644
index 0000000..68427ef
--- /dev/null
+++ b/apps/base/vault/role_k8s-service-registration.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: vault-k8s-service-registration
+ namespace: vault
+rules:
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "update", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: vault-k8s-service-registration
+ namespace: vault
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: vault-k8s-service-registration
+subjects:
+ - kind: ServiceAccount
+ name: vault
+ namespace: vault
diff --git a/apps/overlays/au-syd1/vault/values.yaml b/apps/overlays/au-syd1/vault/values.yaml
index d1f646a..95744bb 100644
--- a/apps/overlays/au-syd1/vault/values.yaml
+++ b/apps/overlays/au-syd1/vault/values.yaml
@@ -40,9 +40,7 @@ server:
 }
 }
- service_registration "consul" {
- address = "consul-server.consul.svc.cluster.local:8500"
- }
+ service_registration "kubernetes" {}
 dataStorage:
 enabled: true
@@ -50,6 +48,14 @@ server:
 storageClass: cephrbd-fast-delete
 accessMode: ReadWriteOnce
+ extraEnv:
+ - name: VAULT_K8S_NAMESPACE
+ value: vault
+ - name: VAULT_K8S_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+
 statefulSet:
 securityContext:
 container:
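Review bot: The new Role grants `update` and `patch` on every pod in the `vault` namespace, while Kubernetes service registration only needs to label the Vault server's own pods; because StatefulSet pod names are deterministic, the rule can be narrowed with a `resourceNames` list (for example `resourceNames: ["vault-0", "vault-1", "vault-2"]`, assuming the StatefulSet is named `vault` — adjust to the real name and replica count) so a compromised Vault pod cannot modify other workloads in the namespace. Also worth confirming before merging: I believe the Vault Helm chart in `ha` mode already creates its own discovery Role/RoleBinding with an overlapping pod rule, so this object may be redundant, and the binding assumes the chart's server ServiceAccount is literally named `vault`. A short comment at the top of the file recording why these verbs are needed (`# get/update/patch on pods: Vault labels its own pod with its active/sealed state`) would help the next reviewer.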
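Review bot: `VAULT_K8S_NAMESPACE` is hard-coded as `value: vault` while `VAULT_K8S_POD_NAME` next to it uses the downward API; reading the namespace the same way (`valueFrom: {fieldRef: {fieldPath: metadata.namespace}}`) keeps the overlay correct if the release namespace ever changes and is the pattern Vault's own documentation uses. I could not confirm from this hunk that the chart consumes a `server.extraEnv` key — the chart's documented hook for plain variables is `server.extraEnvironmentVars`, and I believe recent chart versions already inject both of these variables via `fieldRef` in the server StatefulSet — so render the chart and check the pod spec rather than assuming the empty `service_registration "kubernetes" {}` stanza in the previous hunk will find them. The enclosing `server:` mapping starts and continues outside both hunks.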