feat(vault): deploy HashiCorp Vault 2.0.1 with raft HA (5 replicas)
StatefulSet with templated PVC (cephrbd-fast-delete, 10Gi), headless service for raft cluster communication, HTTPS gateway (443→8200), and kubernetes provider retry_join for automatic cluster formation.
This commit is contained in:
@@ -0,0 +1,31 @@
|
||||
---
|
||||
apiVersion: gateway.networking.k8s.io/v1
|
||||
kind: Gateway
|
||||
metadata:
|
||||
name: vault
|
||||
namespace: vault
|
||||
labels:
|
||||
app.kubernetes.io/name: vault
|
||||
app.kubernetes.io/instance: vault
|
||||
traefik.io/instance: internal
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: vault-issuer
|
||||
cert-manager.io/common-name: vault.k8s.syd1.au.unkin.net
|
||||
cert-manager.io/private-key-size: "4096"
|
||||
external-dns.alpha.kubernetes.io/hostname: vault.k8s.syd1.au.unkin.net
|
||||
external-dns.alpha.kubernetes.io/target: 198.18.200.4
|
||||
spec:
|
||||
gatewayClassName: traefik-internal
|
||||
listeners:
|
||||
- name: https
|
||||
port: 443
|
||||
protocol: HTTPS
|
||||
hostname: vault.k8s.syd1.au.unkin.net
|
||||
allowedRoutes:
|
||||
namespaces:
|
||||
from: Same
|
||||
tls:
|
||||
mode: Terminate
|
||||
certificateRefs:
|
||||
- kind: Secret
|
||||
name: vault-tls
|
||||
@@ -0,0 +1,23 @@
|
||||
---
|
||||
apiVersion: gateway.networking.k8s.io/v1
|
||||
kind: HTTPRoute
|
||||
metadata:
|
||||
name: vault
|
||||
namespace: vault
|
||||
labels:
|
||||
app.kubernetes.io/name: vault
|
||||
app.kubernetes.io/instance: vault
|
||||
spec:
|
||||
hostnames:
|
||||
- vault.k8s.syd1.au.unkin.net
|
||||
parentRefs:
|
||||
- name: vault
|
||||
sectionName: https
|
||||
rules:
|
||||
- backendRefs:
|
||||
- name: vault
|
||||
port: 8200
|
||||
matches:
|
||||
- path:
|
||||
type: PathPrefix
|
||||
value: /
|
||||
@@ -0,0 +1,21 @@
|
||||
---
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
resources:
|
||||
- namespace.yaml
|
||||
- serviceaccount.yaml
|
||||
- role.yaml
|
||||
- rolebinding.yaml
|
||||
- statefulset.yaml
|
||||
- service.yaml
|
||||
- service_headless.yaml
|
||||
- gateway.yaml
|
||||
- httproute.yaml
|
||||
|
||||
configMapGenerator:
|
||||
- name: vault-config
|
||||
files:
|
||||
- resources/vault.hcl
|
||||
options:
|
||||
disableNameSuffixHash: true
|
||||
@@ -0,0 +1,5 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: vault
|
||||
@@ -0,0 +1,19 @@
|
||||
ui = true
|
||||
|
||||
listener "tcp" {
|
||||
address = "0.0.0.0:8200"
|
||||
cluster_address = "0.0.0.0:8201"
|
||||
tls_disable = "true"
|
||||
}
|
||||
|
||||
storage "raft" {
|
||||
path = "/vault/data"
|
||||
|
||||
retry_join {
|
||||
auto_join = "provider=k8s label_selector=\"app.kubernetes.io/name=vault\" namespace=\"vault\""
|
||||
auto_join_scheme = "http"
|
||||
auto_join_port = 8200
|
||||
}
|
||||
}
|
||||
|
||||
service_registration "kubernetes" {}
|
||||
@@ -0,0 +1,16 @@
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: vault
|
||||
namespace: vault
|
||||
labels:
|
||||
app.kubernetes.io/name: vault
|
||||
app.kubernetes.io/instance: vault
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["pods"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["pods"]
|
||||
verbs: ["patch", "update"]
|
||||
@@ -0,0 +1,17 @@
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: vault
|
||||
namespace: vault
|
||||
labels:
|
||||
app.kubernetes.io/name: vault
|
||||
app.kubernetes.io/instance: vault
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: vault
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: vault
|
||||
namespace: vault
|
||||
@@ -0,0 +1,23 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: vault
|
||||
namespace: vault
|
||||
labels:
|
||||
app.kubernetes.io/name: vault
|
||||
app.kubernetes.io/instance: vault
|
||||
spec:
|
||||
type: ClusterIP
|
||||
ports:
|
||||
- name: api
|
||||
port: 8200
|
||||
targetPort: api
|
||||
protocol: TCP
|
||||
- name: cluster
|
||||
port: 8201
|
||||
targetPort: cluster
|
||||
protocol: TCP
|
||||
selector:
|
||||
app.kubernetes.io/name: vault
|
||||
app.kubernetes.io/instance: vault
|
||||
@@ -0,0 +1,24 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: vault-internal
|
||||
namespace: vault
|
||||
labels:
|
||||
app.kubernetes.io/name: vault
|
||||
app.kubernetes.io/instance: vault
|
||||
spec:
|
||||
clusterIP: None
|
||||
publishNotReadyAddresses: true
|
||||
ports:
|
||||
- name: api
|
||||
port: 8200
|
||||
targetPort: api
|
||||
protocol: TCP
|
||||
- name: cluster
|
||||
port: 8201
|
||||
targetPort: cluster
|
||||
protocol: TCP
|
||||
selector:
|
||||
app.kubernetes.io/name: vault
|
||||
app.kubernetes.io/instance: vault
|
||||
@@ -0,0 +1,9 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: vault
|
||||
namespace: vault
|
||||
labels:
|
||||
app.kubernetes.io/name: vault
|
||||
app.kubernetes.io/instance: vault
|
||||
@@ -0,0 +1,110 @@
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
name: vault
|
||||
namespace: vault
|
||||
labels:
|
||||
app.kubernetes.io/name: vault
|
||||
app.kubernetes.io/instance: vault
|
||||
app.kubernetes.io/version: 2.0.1
|
||||
spec:
|
||||
serviceName: vault-internal
|
||||
replicas: 5
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: vault
|
||||
app.kubernetes.io/instance: vault
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: vault
|
||||
app.kubernetes.io/instance: vault
|
||||
app.kubernetes.io/version: 2.0.1
|
||||
spec:
|
||||
serviceAccountName: vault
|
||||
terminationGracePeriodSeconds: 10
|
||||
affinity:
|
||||
podAntiAffinity:
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
- weight: 100
|
||||
podAffinityTerm:
|
||||
topologyKey: kubernetes.io/hostname
|
||||
labelSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: vault
|
||||
containers:
|
||||
- name: vault
|
||||
image: hashicorp/vault:2.0.1
|
||||
command:
|
||||
- vault
|
||||
- server
|
||||
- -config=/vault/config
|
||||
ports:
|
||||
- name: api
|
||||
containerPort: 8200
|
||||
protocol: TCP
|
||||
- name: cluster
|
||||
containerPort: 8201
|
||||
protocol: TCP
|
||||
env:
|
||||
- name: POD_IP
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: status.podIP
|
||||
- name: VAULT_ADDR
|
||||
value: "http://127.0.0.1:8200"
|
||||
- name: VAULT_API_ADDR
|
||||
value: "http://$(POD_IP):8200"
|
||||
- name: VAULT_CLUSTER_ADDR
|
||||
value: "http://$(POD_IP):8201"
|
||||
- name: VAULT_RAFT_NODE_ID
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.name
|
||||
- name: SKIP_SETCAP
|
||||
value: "true"
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /v1/sys/health?standbyok=true&sealedok=true&uninitok=true
|
||||
port: 8200
|
||||
scheme: HTTP
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 10
|
||||
failureThreshold: 3
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /v1/sys/health?standbyok=true&sealedok=true&uninitok=true
|
||||
port: 8200
|
||||
scheme: HTTP
|
||||
initialDelaySeconds: 60
|
||||
periodSeconds: 30
|
||||
failureThreshold: 3
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 256Mi
|
||||
limits:
|
||||
cpu: 1000m
|
||||
memory: 2Gi
|
||||
volumeMounts:
|
||||
- name: data
|
||||
mountPath: /vault/data
|
||||
- name: config
|
||||
mountPath: /vault/config
|
||||
volumes:
|
||||
- name: config
|
||||
configMap:
|
||||
name: vault-config
|
||||
volumeClaimTemplates:
|
||||
- metadata:
|
||||
name: data
|
||||
labels:
|
||||
app.kubernetes.io/name: vault
|
||||
app.kubernetes.io/instance: vault
|
||||
spec:
|
||||
accessModes: ["ReadWriteOnce"]
|
||||
storageClassName: cephrbd-fast-delete
|
||||
resources:
|
||||
requests:
|
||||
storage: 10Gi
|
||||
@@ -0,0 +1,8 @@
|
||||
---
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
namespace: vault
|
||||
|
||||
resources:
|
||||
- ../../../base/vault
|
||||
@@ -27,6 +27,7 @@ spec:
|
||||
- path: apps/overlays/*/reposync
|
||||
- path: apps/overlays/*/traefik-system
|
||||
- path: apps/overlays/*/vm-system
|
||||
- path: apps/overlays/*/vault
|
||||
- path: apps/overlays/*/vso-system
|
||||
- path: apps/overlays/*/woodpecker
|
||||
template:
|
||||
|
||||
Reference in New Issue
Block a user