feat(vault): deploy HashiCorp Vault 2.0.1 with raft HA (5 replicas)

StatefulSet with templated PVC (cephrbd-fast-delete, 10Gi), headless
service for raft cluster communication, HTTPS gateway (443→8200), and
kubernetes provider retry_join for automatic cluster formation.
2026-05-23 18:22:25 +10:00
parent dcea768c15
commit eef4c2cd49
13 changed files with 307 additions and 0 deletions
+31
@@ -0,0 +1,31 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: vault
namespace: vault
labels:
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
traefik.io/instance: internal
annotations:
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: vault.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
external-dns.alpha.kubernetes.io/hostname: vault.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.4
spec:
gatewayClassName: traefik-internal
listeners:
- name: https
port: 443
protocol: HTTPS
hostname: vault.k8s.syd1.au.unkin.net
allowedRoutes:
namespaces:
from: Same
tls:
mode: Terminate
certificateRefs:
- kind: Secret
name: vault-tls
+23
@@ -0,0 +1,23 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: vault
namespace: vault
labels:
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
spec:
hostnames:
- vault.k8s.syd1.au.unkin.net
parentRefs:
- name: vault
sectionName: https
rules:
- backendRefs:
- name: vault
port: 8200
matches:
- path:
type: PathPrefix
value: /
+21
@@ -0,0 +1,21 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- serviceaccount.yaml
- role.yaml
- rolebinding.yaml
- statefulset.yaml
- service.yaml
- service_headless.yaml
- gateway.yaml
- httproute.yaml
configMapGenerator:
- name: vault-config
files:
- resources/vault.hcl
options:
disableNameSuffixHash: true
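Review bot: `disableNameSuffixHash: true` on the last line means an edit to resources/vault.hcl updates the vault-config ConfigMap in place without rolling the StatefulSet, so running pods keep the old configuration until something restarts them. That is probably deliberate for Vault (a rolling restart means every pod comes back sealed unless auto-unseal is configured, and no seal stanza is in this commit), but the file should say so. Proposed comment above the generator: `# no hash suffix: config changes are rolled out by a deliberate restart, not automatically`.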
+5
@@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: vault
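Review bot: The namespace carries no Pod Security Admission labels, so nothing in this commit stops a privileged or host-namespace pod from being admitted alongside Vault. The StatefulSet in the same commit adds no capabilities and sets `SKIP_SETCAP`, so the workload itself should fit `baseline` now and `restricted` once it gets a securityContext. Proposed additions under `metadata.labels`: `pod-security.kubernetes.io/enforce: baseline`, `pod-security.kubernetes.io/warn: restricted`, `pod-security.kubernetes.io/audit: restricted`.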
+19
@@ -0,0 +1,19 @@
ui = true
listener "tcp" {
address = "0.0.0.0:8200"
cluster_address = "0.0.0.0:8201"
tls_disable = "true"
}
storage "raft" {
path = "/vault/data"
retry_join {
auto_join = "provider=k8s label_selector=\"app.kubernetes.io/name=vault\" namespace=\"vault\""
auto_join_scheme = "http"
auto_join_port = 8200
}
}
service_registration "kubernetes" {}
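Review bot: `tls_disable = "true"` on the tcp listener means every client token and secret on API port 8200 crosses the pod network in cleartext; the Gateway in this commit terminates TLS at Traefik and the HTTPRoute forwards plain HTTP to port 8200, so transport protection ends at the gateway pod. The raft/cluster port 8201 is encrypted with Vault-managed cluster certificates independent of this setting, so the exposure is the API port only. Since cert-manager already issues the gateway certificate, consider a listener certificate with `tls_cert_file`/`tls_key_file` in place of `tls_disable`, which also lets `auto_join_scheme` and the StatefulSet probes move to https. Separately, no `disable_mlock` is set while the StatefulSet sets `SKIP_SETCAP=true` and adds no IPC_LOCK capability; recent 1.x releases refuse to start with integrated storage unless `disable_mlock` is set explicitly, and HashiCorp recommends `disable_mlock = true` for raft — confirm the 2.0.1 behaviour and set it explicitly either way.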
+16
@@ -0,0 +1,16 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: vault
namespace: vault
labels:
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["patch", "update"]
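Review bot: The two rules differ only in verbs (both `apiGroups: [""]`, `resources: ["pods"]`), so they collapse to one: `verbs: ["get", "list", "watch", "patch", "update"]`. If the split is meant to show that get/list/watch serve retry_join discovery and patch/update serve service_registration, a one-line comment on each rule makes that explicit and is clearer than two rules.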
+17
@@ -0,0 +1,17 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: vault
namespace: vault
labels:
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: vault
subjects:
- kind: ServiceAccount
name: vault
namespace: vault
+23
@@ -0,0 +1,23 @@
---
apiVersion: v1
kind: Service
metadata:
name: vault
namespace: vault
labels:
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
spec:
type: ClusterIP
ports:
- name: api
port: 8200
targetPort: api
protocol: TCP
- name: cluster
port: 8201
targetPort: cluster
protocol: TCP
selector:
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
+24
@@ -0,0 +1,24 @@
---
apiVersion: v1
kind: Service
metadata:
name: vault-internal
namespace: vault
labels:
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
spec:
clusterIP: None
publishNotReadyAddresses: true
ports:
- name: api
port: 8200
targetPort: api
protocol: TCP
- name: cluster
port: 8201
targetPort: cluster
protocol: TCP
selector:
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
+9
@@ -0,0 +1,9 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault
namespace: vault
labels:
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
+110
@@ -0,0 +1,110 @@
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: vault
namespace: vault
labels:
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
app.kubernetes.io/version: 2.0.1
spec:
serviceName: vault-internal
replicas: 5
selector:
matchLabels:
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
template:
metadata:
labels:
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
app.kubernetes.io/version: 2.0.1
spec:
serviceAccountName: vault
terminationGracePeriodSeconds: 10
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
topologyKey: kubernetes.io/hostname
labelSelector:
matchLabels:
app.kubernetes.io/name: vault
containers:
- name: vault
image: hashicorp/vault:2.0.1
command:
- vault
- server
- -config=/vault/config
ports:
- name: api
containerPort: 8200
protocol: TCP
- name: cluster
containerPort: 8201
protocol: TCP
env:
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: VAULT_ADDR
value: "http://127.0.0.1:8200"
- name: VAULT_API_ADDR
value: "http://$(POD_IP):8200"
- name: VAULT_CLUSTER_ADDR
value: "http://$(POD_IP):8201"
- name: VAULT_RAFT_NODE_ID
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: SKIP_SETCAP
value: "true"
readinessProbe:
httpGet:
path: /v1/sys/health?standbyok=true&sealedok=true&uninitok=true
port: 8200
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
failureThreshold: 3
livenessProbe:
httpGet:
path: /v1/sys/health?standbyok=true&sealedok=true&uninitok=true
port: 8200
scheme: HTTP
initialDelaySeconds: 60
periodSeconds: 30
failureThreshold: 3
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 1000m
memory: 2Gi
volumeMounts:
- name: data
mountPath: /vault/data
- name: config
mountPath: /vault/config
volumes:
- name: config
configMap:
name: vault-config
volumeClaimTemplates:
- metadata:
name: data
labels:
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
spec:
accessModes: ["ReadWriteOnce"]
storageClassName: cephrbd-fast-delete
resources:
requests:
storage: 10Gi
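Review bot: The pod template has no pod- or container-level securityContext, so the container runs with the image's default user and the full default capability set even though `SKIP_SETCAP: "true"` shows no extra capability is needed. Add `runAsNonRoot`, `allowPrivilegeEscalation: false`, `capabilities.drop: ["ALL"]` and a `seccompProfile` as below; `fsGroup` is needed so a non-root process can write the `data` PVC (the uid/gid values are placeholders — take them from the image). The image is referenced by mutable tag only (`hashicorp/vault:2.0.1`); pin it with a digest so the deployed bytes are fixed. I also see no PodDisruptionBudget among the 13 files, so a node drain can evict several of the five raft members at once; `minAvailable: 3` would preserve quorum.

```yaml
    spec:
      serviceAccountName: vault
      securityContext:
        runAsNonRoot: true
        runAsUser: <vault-uid-from-image>   # placeholder: uid of the image's vault user
        fsGroup: <vault-gid-from-image>     # placeholder: gid of the image's vault user
        seccompProfile:
          type: RuntimeDefault
      # … unchanged: terminationGracePeriodSeconds, affinity …
      containers:
        - name: vault
          image: hashicorp/vault:2.0.1@sha256:<image-digest>   # placeholder: digest of the verified image
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          # … unchanged: command, ports, env, probes, resources, volumeMounts …
```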
@@ -0,0 +1,8 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: vault
resources:
- ../../../base/vault
+1
@@ -27,6 +27,7 @@ spec:
- path: apps/overlays/*/reposync
- path: apps/overlays/*/traefik-system
- path: apps/overlays/*/vm-system
- path: apps/overlays/*/vault
- path: apps/overlays/*/vso-system
- path: apps/overlays/*/woodpecker
template: