From d2be521878daa6629c91ebb1dd855bc1784dc4b6 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 23 May 2026 22:39:41 +1000 Subject: [PATCH] feat(vault): deploy HashiCorp Vault 2.0.1 via Helm chart (5-replica HA raft) (#148) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Summary - Deploys HashiCorp Vault 2.0.1 using Helm chart 0.32.0 in HA raft mode (5 replicas) - Configuration modelled on production vault: \`disable_mlock=true\`, headless-DNS retry_join for all 5 pods - IPC_LOCK capability added via \`server.statefulSet.securityContext.container\` - 10Gi cephrbd-fast-delete PVC per pod via \`dataStorage\` - Gateway API: HTTPS gateway + HTTPRoute (443→vault service port 8200) at \`vault.k8s.syd1.au.unkin.net\` - ArgoCD platform ApplicationSet updated to include vault overlay path - Injector disabled (no agent sidecar injection needed) ## Requires - PR #147 (artifactapi: add hashicorp/vault to docker immutable patterns) to be merged first ## Test plan - [ ] Sandbox tested in \`sandbox-vault\`: all 5 pods Running, raft cluster forming - [ ] After merge: ArgoCD syncs vault namespace - [ ] Operator runs \`vault operator init\` to initialize, then unseals all 5 nodes - [ ] Verify \`vault.k8s.syd1.au.unkin.net\` is accessible via Gateway Reviewed-on: https://git.unkin.net/unkin/argocd-apps/pulls/148 --- apps/base/vault/gateway.yaml | 50 +++++++++++++ apps/base/vault/httproute.yaml | 72 ++++++++++++++++++ apps/base/vault/kustomization.yaml | 8 ++ apps/base/vault/namespace.yaml | 5 ++ .../traefik-system/values-internal.yaml | 2 + .../overlays/au-syd1/vault/kustomization.yaml | 14 ++++ apps/overlays/au-syd1/vault/values.yaml | 73 +++++++++++++++++++ argocd/applicationsets/platform.yaml | 1 + 8 files changed, 225 insertions(+) create mode 100644 apps/base/vault/gateway.yaml create mode 100644 apps/base/vault/httproute.yaml create mode 100644 apps/base/vault/kustomization.yaml create mode 100644 apps/base/vault/namespace.yaml create mode 100644 apps/overlays/au-syd1/vault/kustomization.yaml create mode 100644 apps/overlays/au-syd1/vault/values.yaml diff --git a/apps/base/vault/gateway.yaml b/apps/base/vault/gateway.yaml new file mode 100644 index 0000000..7227dc7 --- /dev/null +++ b/apps/base/vault/gateway.yaml @@ -0,0 +1,50 @@ +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: vault + namespace: vault + labels: + app.kubernetes.io/name: vault + app.kubernetes.io/instance: vault + traefik.io/instance: internal + annotations: + cert-manager.io/cluster-issuer: vault-issuer + cert-manager.io/common-name: vault.k8s.syd1.au.unkin.net + cert-manager.io/private-key-size: "4096" + cert-manager.io/alt-names: vault.service.consul,vault.query.consul + external-dns.alpha.kubernetes.io/hostname: vault.k8s.syd1.au.unkin.net + external-dns.alpha.kubernetes.io/target: 198.18.200.4 +spec: + gatewayClassName: traefik-internal + listeners: + - name: http + port: 80 + protocol: HTTP + hostname: vault.k8s.syd1.au.unkin.net + allowedRoutes: + namespaces: + from: Same + - name: https + port: 443 + protocol: HTTPS + hostname: vault.k8s.syd1.au.unkin.net + allowedRoutes: + namespaces: + from: Same + tls: + mode: Terminate + certificateRefs: + - kind: Secret + name: vault-tls + - name: vault-direct + port: 8200 + protocol: HTTPS + allowedRoutes: + namespaces: + from: Same + tls: + mode: Terminate + certificateRefs: + - kind: Secret + name: vault-tls diff --git a/apps/base/vault/httproute.yaml b/apps/base/vault/httproute.yaml new file mode 100644 index 0000000..61fd1c4 --- /dev/null +++ b/apps/base/vault/httproute.yaml @@ -0,0 +1,72 @@ +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: vault-http-redirect + namespace: vault + labels: + app.kubernetes.io/name: vault + app.kubernetes.io/instance: vault +spec: + hostnames: + - vault.k8s.syd1.au.unkin.net + parentRefs: + - name: vault + sectionName: http + rules: + - filters: + - type: RequestRedirect + requestRedirect: + scheme: https + statusCode: 301 + matches: + - path: + type: PathPrefix + value: / +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: vault + namespace: vault + labels: + app.kubernetes.io/name: vault + app.kubernetes.io/instance: vault +spec: + hostnames: + - vault.k8s.syd1.au.unkin.net + parentRefs: + - name: vault + sectionName: https + rules: + - backendRefs: + - name: vault + port: 8200 + matches: + - path: + type: PathPrefix + value: / +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: vault-consul + namespace: vault + labels: + app.kubernetes.io/name: vault + app.kubernetes.io/instance: vault +spec: + hostnames: + - vault.service.consul + - vault.query.consul + parentRefs: + - name: vault + sectionName: vault-direct + rules: + - backendRefs: + - name: vault + port: 8200 + matches: + - path: + type: PathPrefix + value: / diff --git a/apps/base/vault/kustomization.yaml b/apps/base/vault/kustomization.yaml new file mode 100644 index 0000000..2c2b5da --- /dev/null +++ b/apps/base/vault/kustomization.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - namespace.yaml + - gateway.yaml + - httproute.yaml diff --git a/apps/base/vault/namespace.yaml b/apps/base/vault/namespace.yaml new file mode 100644 index 0000000..33be07a --- /dev/null +++ b/apps/base/vault/namespace.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: vault diff --git a/apps/overlays/au-syd1/traefik-system/values-internal.yaml b/apps/overlays/au-syd1/traefik-system/values-internal.yaml index 3c28466..c119afc 100644 --- a/apps/overlays/au-syd1/traefik-system/values-internal.yaml +++ b/apps/overlays/au-syd1/traefik-system/values-internal.yaml @@ -94,5 +94,7 @@ ports: port: 80 websecure: port: 443 + vault-direct: + port: 8200 enabled: true diff --git a/apps/overlays/au-syd1/vault/kustomization.yaml b/apps/overlays/au-syd1/vault/kustomization.yaml new file mode 100644 index 0000000..c2a204f --- /dev/null +++ b/apps/overlays/au-syd1/vault/kustomization.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - ../../../base/vault + +helmCharts: + - name: vault + repo: https://helm.releases.hashicorp.com + version: "0.32.0" + releaseName: vault + namespace: vault + valuesFile: values.yaml diff --git a/apps/overlays/au-syd1/vault/values.yaml b/apps/overlays/au-syd1/vault/values.yaml new file mode 100644 index 0000000..d1f646a --- /dev/null +++ b/apps/overlays/au-syd1/vault/values.yaml @@ -0,0 +1,73 @@ +server: + image: + repository: hashicorp/vault + tag: "2.0.1" + + ha: + enabled: true + replicas: 5 + + raft: + enabled: true + setNodeId: true + config: | + ui = true + disable_mlock = true + + listener "tcp" { + address = "[::]:8200" + cluster_address = "[::]:8201" + tls_disable = "true" + } + + storage "raft" { + path = "/vault/data" + + retry_join { + leader_api_addr = "http://vault-0.vault-internal.vault.svc.cluster.local:8200" + } + retry_join { + leader_api_addr = "http://vault-1.vault-internal.vault.svc.cluster.local:8200" + } + retry_join { + leader_api_addr = "http://vault-2.vault-internal.vault.svc.cluster.local:8200" + } + retry_join { + leader_api_addr = "http://vault-3.vault-internal.vault.svc.cluster.local:8200" + } + retry_join { + leader_api_addr = "http://vault-4.vault-internal.vault.svc.cluster.local:8200" + } + } + + service_registration "consul" { + address = "consul-server.consul.svc.cluster.local:8500" + } + + dataStorage: + enabled: true + size: 10Gi + storageClass: cephrbd-fast-delete + accessMode: ReadWriteOnce + + statefulSet: + securityContext: + container: + capabilities: + add: + - IPC_LOCK + + resources: + requests: + memory: 256Mi + cpu: 100m + limits: + memory: 2Gi + cpu: 1000m + +injector: + enabled: false + +ui: + enabled: true + serviceType: ClusterIP diff --git a/argocd/applicationsets/platform.yaml b/argocd/applicationsets/platform.yaml index 218d5ea..63be86a 100644 --- a/argocd/applicationsets/platform.yaml +++ b/argocd/applicationsets/platform.yaml @@ -27,6 +27,7 @@ spec: - path: apps/overlays/*/reposync - path: apps/overlays/*/traefik-system - path: apps/overlays/*/vm-system + - path: apps/overlays/*/vault - path: apps/overlays/*/vso-system - path: apps/overlays/*/woodpecker template: