feat(vault): deploy HashiCorp Vault 2.0.1 via Helm chart (5-replica HA raft) #148

Merged
unkinben merged 5 commits from benvin/vault into main 2026-05-23 22:39:42 +10:00

Summary

  • Deploys HashiCorp Vault 2.0.1 using Helm chart 0.32.0 in HA raft mode (5 replicas)
  • Configuration modelled on production vault: `disable_mlock=true`, headless-DNS retry_join for all 5 pods
  • IPC_LOCK capability added via `server.statefulSet.securityContext.container`
  • 10Gi cephrbd-fast-delete PVC per pod via `dataStorage`
  • Gateway API: HTTPS gateway + HTTPRoute (443→vault service port 8200) at `vault.k8s.syd1.au.unkin.net`
  • ArgoCD platform ApplicationSet updated to include vault overlay path
  • Injector disabled (no agent sidecar injection needed)
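For reference, the following is an added example (not a file from this PR or from the vault-helm project) of the shape of Helm values that the summary above describes: HA raft with 5 replicas, `disable_mlock=true`, IPC_LOCK on the server container, a 10Gi `cephrbd-fast-delete` volume per pod, headless-DNS retry_join, Kubernetes service registration and the injector disabled. It assumes the chart's release name is `vault` (so the headless service is `vault-internal`) and that the Gateway terminates TLS and talks plain HTTP to the pods inside the cluster; neither assumption is stated on the page. Key names follow the vault-helm values layout as I know it; check them against the chart's own `values.yaml` for 0.32.0 before applying.

```yaml
# Added example values for hashicorp/vault chart 0.32.0 (hypothetical; not the PR's file).
injector:
  enabled: false            # no agent sidecar injection needed (per the summary)

server:
  image:
    repository: hashicorp/vault
    tag: "2.0.1"

  # Capability so the vault binary may call mlock(); with disable_mlock=true below
  # it is not strictly needed, but matches the production configuration described.
  statefulSet:
    securityContext:
      container:
        capabilities:
          add: ["IPC_LOCK"]

  # One 10Gi volume per pod from the fast-delete Ceph RBD class.
  dataStorage:
    enabled: true
    size: 10Gi
    storageClass: cephrbd-fast-delete

  ha:
    enabled: true
    replicas: 5
    raft:
      enabled: true
      setNodeId: true       # node_id = pod name, so raft peers are stable across restarts
      config: |
        ui = true
        # Vault's own guidance for integrated (raft) storage on Kubernetes; the
        # trade-off is that secrets in memory are no longer pinned against swap,
        # so keep swap disabled on the nodes.
        disable_mlock = true

        listener "tcp" {
          address         = "[::]:8200"
          cluster_address = "[::]:8201"
          # ASSUMPTION: TLS is terminated at the Gateway (443 -> 8200). Set
          # tls_disable = false and mount a cert here for end-to-end TLS.
          tls_disable = true
        }

        storage "raft" {
          path = "/vault/data"
          # Headless-DNS retry_join for all 5 pods; each pod retries every
          # peer until it finds the leader, so any pod can boot first.
          retry_join { leader_api_addr = "http://vault-0.vault-internal:8200" }
          retry_join { leader_api_addr = "http://vault-1.vault-internal:8200" }
          retry_join { leader_api_addr = "http://vault-2.vault-internal:8200" }
          retry_join { leader_api_addr = "http://vault-3.vault-internal:8200" }
          retry_join { leader_api_addr = "http://vault-4.vault-internal:8200" }
        }

        # Labels the active/standby pods so the vault-active Service routes
        # only to the leader. (A later commit in this PR switches this to consul.)
        service_registration "kubernetes" {}
```

After the pods are Running, the cluster still needs `vault operator init` once and `vault operator unseal` on each of the 5 pods, as the test plan notes; until then every pod reports sealed and the raft cluster cannot elect a leader.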

Requires

  • PR #147 (artifactapi: add hashicorp/vault to docker immutable patterns) to be merged first

Test plan

  • Sandbox tested in `sandbox-vault`: all 5 pods Running, raft cluster forming
  • After merge: ArgoCD syncs vault namespace
  • Operator runs `vault operator init` to initialize, then unseals all 5 nodes
  • Verify `vault.k8s.syd1.au.unkin.net` is accessible via Gateway
unkinben added 2 commits 2026-05-23 18:47:19 +10:00
StatefulSet with templated PVC (cephrbd-fast-delete, 10Gi), headless
service for raft cluster communication, HTTPS gateway (443→8200), and
kubernetes provider retry_join for automatic cluster formation.
feat(vault): deploy HashiCorp Vault 2.0.1 via Helm chart 0.32.0
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
ba40525017
HA raft cluster (5 replicas) with disable_mlock=true, IPC_LOCK capability,
headless-DNS retry_join, kubernetes service_registration, 10Gi cephrbd-fast-delete
PVC. Gateway API HTTPRoute on 443→8200. ArgoCD platform ApplicationSet entry added.
unkinben reviewed 2026-05-23 21:56:42 +10:00
@@ -0,0 +9,4 @@
app.kubernetes.io/instance: vault
spec:
hostnames:
- vault.k8s.syd1.au.unkin.net
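Review bot: `hostnames` on this HTTPRoute carries only `vault.k8s.syd1.au.unkin.net`, so requests that arrive with the Consul names raised in this thread (`vault.service.consul`, `vault.query.consul`) match no route until they are listed here or in a second HTTPRoute; whichever way it is done, each hostname also has to be a SAN on the listener's certificate, or clients get a name mismatch on the TLS handshake. The later commits in this PR add both the SANs and a `vault-consul` route, so a quick check after merge is that all three names resolve and terminate TLS without warnings.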
I want this to respond to vault.service.consul and vault.query.consul too
unkinben marked this conversation as resolved
unkinben reviewed 2026-05-23 21:57:03 +10:00
@@ -0,0 +18,4 @@
gatewayClassName: traefik-internal
listeners:
- name: https
port: 443
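Review bot: the `https` listener on `traefik-internal` shows only `name` and `port` in these four lines; add a `hostname:` on the listener so it serves only the Vault names rather than any host that reaches port 443, and set `allowedRoutes` explicitly. The Gateway API default is `namespaces.from: Same`, which silently blocks attachment if the HTTPRoute lives in a different namespace from the Gateway, and being explicit either way avoids that surprise. The `tls` section is outside the visible lines; please confirm it is `mode: Terminate` with a `certificateRefs` entry pointing at the cert-manager secret that gains the Consul SANs in the later commit, and that the 8200 listener added afterwards reuses the same reference rather than a second certificate.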
also listen on tcp 8200 to match the current production vault environment
unkinben marked this conversation as resolved
unkinben added 1 commit 2026-05-23 22:08:48 +10:00
feat(vault): add port 8200 listener, consul SANs, consul service_registration
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
0d146dc942
- Add SAN altnames vault.service.consul and vault.query.consul to cert
- Add vault-direct HTTPS listener on port 8200 (TLS terminate, same cert)
- Add vault-consul HTTPRoute binding consul DNS names to port 8200 listener
- Add vault-direct port 8200 entrypoint to traefik-internal
- Switch service_registration from kubernetes to consul
  (consul-server.consul.svc.cluster.local:8500)
unkinben added 1 commit 2026-05-23 22:12:22 +10:00
fix(vault): use correct cert-manager alt-names annotation for consul SANs
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
eb5e75da89
unkinben added 1 commit 2026-05-23 22:13:53 +10:00
feat(vault): add HTTP→HTTPS redirect on port 80
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
baca4c94f1
unkinben merged commit d2be521878 into main 2026-05-23 22:39:42 +10:00
unkinben deleted branch benvin/vault 2026-05-23 22:39:42 +10:00

Reference: unkin/argocd-apps#148