From ba405250175e3164c17daf9fdeca3339e43189fa Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sat, 23 May 2026 18:46:50 +1000
Subject: [PATCH] feat(vault): deploy HashiCorp Vault 2.0.1 via Helm chart 0.32.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

HA raft cluster (5 replicas) with disable_mlock=true, IPC_LOCK capability, headless-DNS retry_join, kubernetes service_registration, 10Gi cephrbd-fast-delete PVC. Gateway API HTTPRoute on 443→8200. ArgoCD platform ApplicationSet entry added.
---
 apps/base/vault/kustomization.yaml | 13 ---
 apps/base/vault/resources/vault.hcl | 19 ---
 apps/base/vault/role.yaml | 16 ---
 apps/base/vault/rolebinding.yaml | 17 ---
 apps/base/vault/service.yaml | 23 ----
 apps/base/vault/service_headless.yaml | 24 ----
 apps/base/vault/serviceaccount.yaml | 9 --
 apps/base/vault/statefulset.yaml | 110 ------------------
 .../overlays/au-syd1/vault/kustomization.yaml | 10 +-
 apps/overlays/au-syd1/vault/values.yaml | 71 +++++++++++
 10 files changed, 79 insertions(+), 233 deletions(-)
 delete mode 100644 apps/base/vault/resources/vault.hcl
 delete mode 100644 apps/base/vault/role.yaml
 delete mode 100644 apps/base/vault/rolebinding.yaml
 delete mode 100644 apps/base/vault/service.yaml
 delete mode 100644 apps/base/vault/service_headless.yaml
 delete mode 100644 apps/base/vault/serviceaccount.yaml
 delete mode 100644 apps/base/vault/statefulset.yaml
 create mode 100644 apps/overlays/au-syd1/vault/values.yaml

diff --git a/apps/base/vault/kustomization.yaml b/apps/base/vault/kustomization.yaml
index 19dd192..2c2b5da 100644
--- a/apps/base/vault/kustomization.yaml
+++ b/apps/base/vault/kustomization.yaml
@@ -4,18 +4,5 @@ kind: Kustomization
resources: - namespace.yaml - - serviceaccount.yaml - - role.yaml - - rolebinding.yaml - - statefulset.yaml - - service.yaml - - service_headless.yaml - gateway.yaml - httproute.yaml - -configMapGenerator: - - name: vault-config - files: - - resources/vault.hcl - options: - disableNameSuffixHash: true
diff --git a/apps/base/vault/resources/vault.hcl b/apps/base/vault/resources/vault.hcl
deleted file mode 100644
index 7612cf2..0000000
--- a/apps/base/vault/resources/vault.hcl
+++ /dev/null
@@ -1,19 +0,0 @@
-ui = true - -listener "tcp" { - address = "0.0.0.0:8200" - cluster_address = "0.0.0.0:8201" - tls_disable = "true" -} - -storage "raft" { - path = "/vault/data" - - retry_join { - auto_join = "provider=k8s label_selector=\"app.kubernetes.io/name=vault\" namespace=\"vault\"" - auto_join_scheme = "http" - auto_join_port = 8200 - } -} - -service_registration "kubernetes" {}
diff --git a/apps/base/vault/role.yaml b/apps/base/vault/role.yaml
deleted file mode 100644
index 5a24a84..0000000
--- a/apps/base/vault/role.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: vault - namespace: vault - labels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault -rules: - - apiGroups: [""] - resources: ["pods"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["pods"] - verbs: ["patch", "update"]
diff --git a/apps/base/vault/rolebinding.yaml b/apps/base/vault/rolebinding.yaml
deleted file mode 100644
index 1a67374..0000000
--- a/apps/base/vault/rolebinding.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: vault - namespace: vault - labels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: vault -subjects: - - kind: ServiceAccount - name: vault - namespace: vault 
diff --git a/apps/base/vault/service.yaml b/apps/base/vault/service.yaml
deleted file mode 100644
index ad7d519..0000000
--- a/apps/base/vault/service.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
---- -apiVersion: v1 -kind: Service -metadata: - name: vault - namespace: vault - labels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault -spec: - type: ClusterIP - ports: - - name: api - port: 8200 - targetPort: api - protocol: TCP - - name: cluster - port: 8201 - targetPort: cluster - protocol: TCP - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault
diff --git a/apps/base/vault/service_headless.yaml b/apps/base/vault/service_headless.yaml
deleted file mode 100644
index 9e0daa6..0000000
--- a/apps/base/vault/service_headless.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
---- -apiVersion: v1 -kind: Service -metadata: - name: vault-internal - namespace: vault - labels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault -spec: - clusterIP: None - publishNotReadyAddresses: true - ports: - - name: api - port: 8200 - targetPort: api - protocol: TCP - - name: cluster - port: 8201 - targetPort: cluster - protocol: TCP - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault
diff --git a/apps/base/vault/serviceaccount.yaml b/apps/base/vault/serviceaccount.yaml
deleted file mode 100644
index 2263fca..0000000
--- a/apps/base/vault/serviceaccount.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vault - namespace: vault - labels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault
diff --git a/apps/base/vault/statefulset.yaml b/apps/base/vault/statefulset.yaml
deleted file mode 100644
index 2b19aa0..0000000
--- a/apps/base/vault/statefulset.yaml
+++ /dev/null
@@ -1,110 +0,0 @@ ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: vault - namespace: vault - labels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - app.kubernetes.io/version: 2.0.1 -spec: - serviceName: vault-internal - replicas: 5 - selector: - matchLabels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - template: - metadata: - labels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - app.kubernetes.io/version: 2.0.1 - spec: - serviceAccountName: vault - terminationGracePeriodSeconds: 10 - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - podAffinityTerm: - topologyKey: kubernetes.io/hostname - labelSelector: - matchLabels: - app.kubernetes.io/name: vault - containers: - - name: vault - image: hashicorp/vault:2.0.1 - command: - - vault - - server - - -config=/vault/config - ports: - - name: api - containerPort: 8200 - protocol: TCP - - name: cluster - containerPort: 8201 - protocol: TCP - env: - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: VAULT_ADDR - value: "http://127.0.0.1:8200" - - name: VAULT_API_ADDR - value: "http://$(POD_IP):8200" - - name: VAULT_CLUSTER_ADDR - value: "http://$(POD_IP):8201" - - name: VAULT_RAFT_NODE_ID - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: SKIP_SETCAP - value: "true" - readinessProbe: - httpGet: - path: /v1/sys/health?standbyok=true&sealedok=true&uninitok=true - port: 8200 - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 10 - failureThreshold: 3 - livenessProbe: - httpGet: - path: /v1/sys/health?standbyok=true&sealedok=true&uninitok=true - port: 8200 - scheme: HTTP - initialDelaySeconds: 60 - periodSeconds: 30 - failureThreshold: 3 - resources: - requests: - cpu: 100m - memory: 256Mi - limits: - cpu: 1000m - memory: 2Gi - volumeMounts: - - name: data - mountPath: /vault/data - - name: config - mountPath: /vault/config - volumes: - - name: config - 
configMap: - name: vault-config - volumeClaimTemplates: - - metadata: - name: data - labels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - spec: - accessModes: ["ReadWriteOnce"] - storageClassName: cephrbd-fast-delete - resources: - requests: - storage: 10Gi
diff --git a/apps/overlays/au-syd1/vault/kustomization.yaml b/apps/overlays/au-syd1/vault/kustomization.yaml
index 6347401..c2a204f 100644
--- a/apps/overlays/au-syd1/vault/kustomization.yaml
+++ b/apps/overlays/au-syd1/vault/kustomization.yaml
@@ -2,7 +2,13 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization -namespace: vault - resources: - ../../../base/vault + +helmCharts: + - name: vault + repo: https://helm.releases.hashicorp.com + version: "0.32.0" + releaseName: vault + namespace: vault + valuesFile: values.yaml
diff --git a/apps/overlays/au-syd1/vault/values.yaml b/apps/overlays/au-syd1/vault/values.yaml
new file mode 100644
index 0000000..8485dbe
--- /dev/null
+++ b/apps/overlays/au-syd1/vault/values.yaml
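Review bot: The `helmCharts` entry added to the overlay kustomization is only rendered when the build runs with `--enable-helm` (and a `helm` binary available); a plain `kustomize build`, or an ArgoCD kustomize source without `kustomize.buildOptions: --enable-helm`, silently emits just the base resources and no Vault at all. The commit message says an ArgoCD platform ApplicationSet entry was added, but no such file appears in the diffstat, so that enablement cannot be checked from this patch. Dropping `namespace: vault` from the overlay also means the base's gateway.yaml and httproute.yaml are no longer namespace-rewritten; unless they carry `metadata.namespace: vault` themselves (not visible here) they will land in the default namespace, so keeping `namespace: vault` next to the chart's `namespace: vault` is the safer form. A comment above the block, `# requires kustomize --enable-helm (ArgoCD: kustomize.buildOptions)`, would record the build-time dependency for the next reader.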
@@ -0,0 +1,71 @@ +server: + image: + repository: hashicorp/vault + tag: "2.0.1" + + ha: + enabled: true + replicas: 5 + + raft: + enabled: true + setNodeId: true + config: | + ui = true + disable_mlock = true + + listener "tcp" { + address = "[::]:8200" + cluster_address = "[::]:8201" + tls_disable = "true" + } + + storage "raft" { + path = "/vault/data" + + retry_join { + leader_api_addr = "http://vault-0.vault-internal.vault.svc.cluster.local:8200" + } + retry_join { + leader_api_addr = "http://vault-1.vault-internal.vault.svc.cluster.local:8200" + } + retry_join { + leader_api_addr = "http://vault-2.vault-internal.vault.svc.cluster.local:8200" + } + retry_join { + leader_api_addr = "http://vault-3.vault-internal.vault.svc.cluster.local:8200" + } + retry_join { + leader_api_addr = "http://vault-4.vault-internal.vault.svc.cluster.local:8200" + } + } + + service_registration "kubernetes" {} + + dataStorage: + enabled: true + size: 10Gi + storageClass: cephrbd-fast-delete + accessMode: ReadWriteOnce + + statefulSet: + securityContext: + container: + capabilities: + add: + - IPC_LOCK + + resources: + requests: + memory: 256Mi + cpu: 100m + limits: + memory: 2Gi + cpu: 1000m + +injector: + enabled: false + +ui: + enabled: true + serviceType: ClusterIP
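Review bot: The listener in `server.ha.raft.config` keeps `tls_disable = "true"` and every `retry_join` uses `http://`, so Vault tokens and the secrets read through the Gateway cross the cluster network in plaintext between the Gateway and the pods, and the join requests between members do too; only the Gateway's 443 listener is encrypted. Unless a mesh already provides mTLS on this cluster, the listener should carry `tls_cert_file`/`tls_key_file` (for example from a cert-manager Secret mounted via `server.volumes`/`server.volumeMounts`) with `global.tlsDisable: false` and `https://` join addresses, or the plaintext decision should be recorded in a comment above `config:`. `disable_mlock = true` makes the added `IPC_LOCK` capability under `server.statefulSet.securityContext.container` unnecessary, and if I recall the chart's helper correctly, setting that key replaces the chart's default container securityContext (`allowPrivilegeEscalation: false`) rather than merging with it, so the pod ends up less restricted than the chart default; dropping the `capabilities` block, or adding `allowPrivilegeEscalation: false` beside it, would restore that. The five hard-coded `retry_join` entries also have to be kept in step with `replicas: 5` by hand, which a comment such as `# one retry_join per replica — update when replicas changes` above the storage block would make explicit.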