feat(vault): deploy HashiCorp Vault 2.0.1 via Helm chart 0.32.0

HA raft cluster (5 replicas) with disable_mlock=true, IPC_LOCK capability,
headless-DNS retry_join, kubernetes service_registration, 10Gi cephrbd-fast-delete
PVC. Gateway API HTTPRoute on 443→8200. ArgoCD platform ApplicationSet entry added.
2026-05-23 18:46:50 +10:00
parent eef4c2cd49
commit ba40525017
10 changed files with 79 additions and 233 deletions
-13
@@ -4,18 +4,5 @@ kind: Kustomization
resources:
- namespace.yaml
- serviceaccount.yaml
- role.yaml
- rolebinding.yaml
- statefulset.yaml
- service.yaml
- service_headless.yaml
- gateway.yaml
- httproute.yaml
configMapGenerator:
- name: vault-config
files:
- resources/vault.hcl
options:
disableNameSuffixHash: true
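Review bot: The hunk drops the configMapGenerator that shipped `resources/vault.hcl` (listener, raft `retry_join`, `service_registration "kubernetes"`), but the replacement is not visible here — the `-13` count and the `-4,18 +4,5` header show no additions in this file, so the Helm chart and ArgoCD entries named in the commit message must live in one of the files not shown. Because the chart now owns the listener and raft configuration, a short pointer in kustomization.yaml would save the next reader a search, e.g. `# listener/raft settings formerly in resources/vault.hcl are now rendered from chart values (server.ha.raft.config)`. Since role.yaml and rolebinding.yaml are deleted in the same commit, it is also worth confirming that the chart's rendered RBAC still grants only the `pods` get/list/watch/patch/update verbs that Kubernetes service registration needs and nothing broader. The description mentions both `disable_mlock=true` and an `IPC_LOCK` capability; if mlock is disabled the capability is presumably redundant, so one of the two could be dropped or the reason for keeping both noted.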
-19
@@ -1,19 +0,0 @@
ui = true
listener "tcp" {
address = "0.0.0.0:8200"
cluster_address = "0.0.0.0:8201"
tls_disable = "true"
}
storage "raft" {
path = "/vault/data"
retry_join {
auto_join = "provider=k8s label_selector=\"app.kubernetes.io/name=vault\" namespace=\"vault\""
auto_join_scheme = "http"
auto_join_port = 8200
}
}
service_registration "kubernetes" {}
-16
@@ -1,16 +0,0 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: vault
namespace: vault
labels:
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["patch", "update"]
-17
@@ -1,17 +0,0 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: vault
namespace: vault
labels:
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: vault
subjects:
- kind: ServiceAccount
name: vault
namespace: vault
-23
@@ -1,23 +0,0 @@
---
apiVersion: v1
kind: Service
metadata:
name: vault
namespace: vault
labels:
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
spec:
type: ClusterIP
ports:
- name: api
port: 8200
targetPort: api
protocol: TCP
- name: cluster
port: 8201
targetPort: cluster
protocol: TCP
selector:
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
-24
@@ -1,24 +0,0 @@
---
apiVersion: v1
kind: Service
metadata:
name: vault-internal
namespace: vault
labels:
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
spec:
clusterIP: None
publishNotReadyAddresses: true
ports:
- name: api
port: 8200
targetPort: api
protocol: TCP
- name: cluster
port: 8201
targetPort: cluster
protocol: TCP
selector:
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
-9
@@ -1,9 +0,0 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault
namespace: vault
labels:
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
-110
@@ -1,110 +0,0 @@
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: vault
namespace: vault
labels:
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
app.kubernetes.io/version: 2.0.1
spec:
serviceName: vault-internal
replicas: 5
selector:
matchLabels:
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
template:
metadata:
labels:
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
app.kubernetes.io/version: 2.0.1
spec:
serviceAccountName: vault
terminationGracePeriodSeconds: 10
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
topologyKey: kubernetes.io/hostname
labelSelector:
matchLabels:
app.kubernetes.io/name: vault
containers:
- name: vault
image: hashicorp/vault:2.0.1
command:
- vault
- server
- -config=/vault/config
ports:
- name: api
containerPort: 8200
protocol: TCP
- name: cluster
containerPort: 8201
protocol: TCP
env:
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: VAULT_ADDR
value: "http://127.0.0.1:8200"
- name: VAULT_API_ADDR
value: "http://$(POD_IP):8200"
- name: VAULT_CLUSTER_ADDR
value: "http://$(POD_IP):8201"
- name: VAULT_RAFT_NODE_ID
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: SKIP_SETCAP
value: "true"
readinessProbe:
httpGet:
path: /v1/sys/health?standbyok=true&sealedok=true&uninitok=true
port: 8200
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
failureThreshold: 3
livenessProbe:
httpGet:
path: /v1/sys/health?standbyok=true&sealedok=true&uninitok=true
port: 8200
scheme: HTTP
initialDelaySeconds: 60
periodSeconds: 30
failureThreshold: 3
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 1000m
memory: 2Gi
volumeMounts:
- name: data
mountPath: /vault/data
- name: config
mountPath: /vault/config
volumes:
- name: config
configMap:
name: vault-config
volumeClaimTemplates:
- metadata:
name: data
labels:
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
spec:
accessModes: ["ReadWriteOnce"]
storageClassName: cephrbd-fast-delete
resources:
requests:
storage: 10Gi