diff --git a/apps/base/vault/gateway.yaml b/apps/base/vault/gateway.yaml new file mode 100644 index 0000000..7227dc7 --- /dev/null +++ b/apps/base/vault/gateway.yaml @@ -0,0 +1,50 @@ +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: vault + namespace: vault + labels: + app.kubernetes.io/name: vault + app.kubernetes.io/instance: vault + traefik.io/instance: internal + annotations: + cert-manager.io/cluster-issuer: vault-issuer + cert-manager.io/common-name: vault.k8s.syd1.au.unkin.net + cert-manager.io/private-key-size: "4096" + cert-manager.io/alt-names: vault.service.consul,vault.query.consul + external-dns.alpha.kubernetes.io/hostname: vault.k8s.syd1.au.unkin.net + external-dns.alpha.kubernetes.io/target: 198.18.200.4 +spec: + gatewayClassName: traefik-internal + listeners: + - name: http + port: 80 + protocol: HTTP + hostname: vault.k8s.syd1.au.unkin.net + allowedRoutes: + namespaces: + from: Same + - name: https + port: 443 + protocol: HTTPS + hostname: vault.k8s.syd1.au.unkin.net + allowedRoutes: + namespaces: + from: Same + tls: + mode: Terminate + certificateRefs: + - kind: Secret + name: vault-tls + - name: vault-direct + port: 8200 + protocol: HTTPS + allowedRoutes: + namespaces: + from: Same + tls: + mode: Terminate + certificateRefs: + - kind: Secret + name: vault-tls diff --git a/apps/base/vault/httproute.yaml b/apps/base/vault/httproute.yaml new file mode 100644 index 0000000..61fd1c4 --- /dev/null +++ b/apps/base/vault/httproute.yaml @@ -0,0 +1,72 @@ +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: vault-http-redirect + namespace: vault + labels: + app.kubernetes.io/name: vault + app.kubernetes.io/instance: vault +spec: + hostnames: + - vault.k8s.syd1.au.unkin.net + parentRefs: + - name: vault + sectionName: http + rules: + - filters: + - type: RequestRedirect + requestRedirect: + scheme: https + statusCode: 301 + matches: + - path: + type: PathPrefix + value: / +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: vault + namespace: vault + labels: + app.kubernetes.io/name: vault + app.kubernetes.io/instance: vault +spec: + hostnames: + - vault.k8s.syd1.au.unkin.net + parentRefs: + - name: vault + sectionName: https + rules: + - backendRefs: + - name: vault + port: 8200 + matches: + - path: + type: PathPrefix + value: / +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: vault-consul + namespace: vault + labels: + app.kubernetes.io/name: vault + app.kubernetes.io/instance: vault +spec: + hostnames: + - vault.service.consul + - vault.query.consul + parentRefs: + - name: vault + sectionName: vault-direct + rules: + - backendRefs: + - name: vault + port: 8200 + matches: + - path: + type: PathPrefix + value: / diff --git a/apps/base/vault/kustomization.yaml b/apps/base/vault/kustomization.yaml new file mode 100644 index 0000000..2c2b5da --- /dev/null +++ b/apps/base/vault/kustomization.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - namespace.yaml + - gateway.yaml + - httproute.yaml diff --git a/apps/base/vault/namespace.yaml b/apps/base/vault/namespace.yaml new file mode 100644 index 0000000..33be07a --- /dev/null +++ b/apps/base/vault/namespace.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: vault diff --git a/apps/overlays/au-syd1/traefik-system/values-internal.yaml b/apps/overlays/au-syd1/traefik-system/values-internal.yaml index 3c28466..c119afc 100644 --- a/apps/overlays/au-syd1/traefik-system/values-internal.yaml +++ b/apps/overlays/au-syd1/traefik-system/values-internal.yaml @@ -94,5 +94,7 @@ ports: port: 80 websecure: port: 443 + vault-direct: + port: 8200 enabled: true diff --git a/apps/overlays/au-syd1/vault/kustomization.yaml b/apps/overlays/au-syd1/vault/kustomization.yaml new file mode 100644 index 0000000..c2a204f --- /dev/null +++ b/apps/overlays/au-syd1/vault/kustomization.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - ../../../base/vault + +helmCharts: + - name: vault + repo: https://helm.releases.hashicorp.com + version: "0.32.0" + releaseName: vault + namespace: vault + valuesFile: values.yaml diff --git a/apps/overlays/au-syd1/vault/values.yaml b/apps/overlays/au-syd1/vault/values.yaml new file mode 100644 index 0000000..d1f646a --- /dev/null +++ b/apps/overlays/au-syd1/vault/values.yaml @@ -0,0 +1,73 @@ +server: + image: + repository: hashicorp/vault + tag: "2.0.1" + + ha: + enabled: true + replicas: 5 + + raft: + enabled: true + setNodeId: true + config: | + ui = true + disable_mlock = true + + listener "tcp" { + address = "[::]:8200" + cluster_address = "[::]:8201" + tls_disable = "true" + } + + storage "raft" { + path = "/vault/data" + + retry_join { + leader_api_addr = "http://vault-0.vault-internal.vault.svc.cluster.local:8200" + } + retry_join { + leader_api_addr = "http://vault-1.vault-internal.vault.svc.cluster.local:8200" + } + retry_join { + leader_api_addr = "http://vault-2.vault-internal.vault.svc.cluster.local:8200" + } + retry_join { + leader_api_addr = "http://vault-3.vault-internal.vault.svc.cluster.local:8200" + } + retry_join { + leader_api_addr = "http://vault-4.vault-internal.vault.svc.cluster.local:8200" + } + } + + service_registration "consul" { + address = "consul-server.consul.svc.cluster.local:8500" + } + + dataStorage: + enabled: true + size: 10Gi + storageClass: cephrbd-fast-delete + accessMode: ReadWriteOnce + + statefulSet: + securityContext: + container: + capabilities: + add: + - IPC_LOCK + + resources: + requests: + memory: 256Mi + cpu: 100m + limits: + memory: 2Gi + cpu: 1000m + +injector: + enabled: false + +ui: + enabled: true + serviceType: ClusterIP diff --git a/argocd/applicationsets/platform.yaml b/argocd/applicationsets/platform.yaml index 218d5ea..63be86a 100644 --- a/argocd/applicationsets/platform.yaml +++ b/argocd/applicationsets/platform.yaml @@ -27,6 +27,7 @@ spec: - path: apps/overlays/*/reposync - path: apps/overlays/*/traefik-system - path: apps/overlays/*/vm-system + - path: apps/overlays/*/vault - path: apps/overlays/*/vso-system - path: apps/overlays/*/woodpecker template: