From eef4c2cd497c171308a16fd03e0f02727681d318 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 23 May 2026 18:22:25 +1000 Subject: [PATCH 1/5] feat(vault): deploy HashiCorp Vault 2.0.1 with raft HA (5 replicas) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit StatefulSet with templated PVC (cephrbd-fast-delete, 10Gi), headless service for raft cluster communication, HTTPS gateway (443→8200), and kubernetes provider retry_join for automatic cluster formation. --- apps/base/vault/gateway.yaml | 31 +++++ apps/base/vault/httproute.yaml | 23 ++++ apps/base/vault/kustomization.yaml | 21 ++++ apps/base/vault/namespace.yaml | 5 + apps/base/vault/resources/vault.hcl | 19 +++ apps/base/vault/role.yaml | 16 +++ apps/base/vault/rolebinding.yaml | 17 +++ apps/base/vault/service.yaml | 23 ++++ apps/base/vault/service_headless.yaml | 24 ++++ apps/base/vault/serviceaccount.yaml | 9 ++ apps/base/vault/statefulset.yaml | 110 ++++++++++++++++++ .../overlays/au-syd1/vault/kustomization.yaml | 8 ++ argocd/applicationsets/platform.yaml | 1 + 13 files changed, 307 insertions(+) create mode 100644 apps/base/vault/gateway.yaml create mode 100644 apps/base/vault/httproute.yaml create mode 100644 apps/base/vault/kustomization.yaml create mode 100644 apps/base/vault/namespace.yaml create mode 100644 apps/base/vault/resources/vault.hcl create mode 100644 apps/base/vault/role.yaml create mode 100644 apps/base/vault/rolebinding.yaml create mode 100644 apps/base/vault/service.yaml create mode 100644 apps/base/vault/service_headless.yaml create mode 100644 apps/base/vault/serviceaccount.yaml create mode 100644 apps/base/vault/statefulset.yaml create mode 100644 apps/overlays/au-syd1/vault/kustomization.yaml diff --git a/apps/base/vault/gateway.yaml b/apps/base/vault/gateway.yaml new file mode 100644 index 0000000..6895ff6 --- /dev/null +++ b/apps/base/vault/gateway.yaml 
@@ -0,0 +1,31 @@ +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: vault + namespace: vault + labels: + app.kubernetes.io/name: vault + app.kubernetes.io/instance: vault + traefik.io/instance: internal + annotations: + cert-manager.io/cluster-issuer: vault-issuer + cert-manager.io/common-name: vault.k8s.syd1.au.unkin.net + cert-manager.io/private-key-size: "4096" + external-dns.alpha.kubernetes.io/hostname: vault.k8s.syd1.au.unkin.net + external-dns.alpha.kubernetes.io/target: 198.18.200.4 +spec: + gatewayClassName: traefik-internal + listeners: + - name: https + port: 443 + protocol: HTTPS + hostname: vault.k8s.syd1.au.unkin.net + allowedRoutes: + namespaces: + from: Same + tls: + mode: Terminate + certificateRefs: + - kind: Secret + name: vault-tls diff --git a/apps/base/vault/httproute.yaml b/apps/base/vault/httproute.yaml new file mode 100644 index 0000000..2622095 --- /dev/null +++ b/apps/base/vault/httproute.yaml @@ -0,0 +1,23 @@ +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: vault + namespace: vault + labels: + app.kubernetes.io/name: vault + app.kubernetes.io/instance: vault +spec: + hostnames: + - vault.k8s.syd1.au.unkin.net + parentRefs: + - name: vault + sectionName: https + rules: + - backendRefs: + - name: vault + port: 8200 + matches: + - path: + type: PathPrefix + value: / diff --git a/apps/base/vault/kustomization.yaml b/apps/base/vault/kustomization.yaml new file mode 100644 index 0000000..19dd192 --- /dev/null +++ b/apps/base/vault/kustomization.yaml @@ -0,0 +1,21 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - namespace.yaml + - serviceaccount.yaml + - role.yaml + - rolebinding.yaml + - statefulset.yaml + - service.yaml + - service_headless.yaml + - gateway.yaml + - httproute.yaml + +configMapGenerator: + - name: vault-config + files: + - resources/vault.hcl + options: + disableNameSuffixHash: true 
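Review bot: `cert-manager.io/cluster-issuer: vault-issuer` reads as a Vault-backed issuer; if it is backed by the Vault this commit deploys, the first issuance of `vault-tls` — and every renewal during a Vault outage — depends on the service the certificate fronts, so on a fresh cluster the `https` listener stays unprogrammed until someone initialises and unseals Vault by hand. If that bootstrap order is intended, record it beside the annotation, e.g. `# issued by Vault PKI: on first deploy initialise/unseal Vault before this listener can become Programmed`; otherwise give this one Gateway a non-Vault issuer so the secrets store's own front door never depends on the store. The listener itself is scoped sensibly (`hostname` set, `allowRoutes.namespaces.from: Same`).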
diff --git a/apps/base/vault/namespace.yaml b/apps/base/vault/namespace.yaml new file mode 100644 index 0000000..33be07a --- /dev/null +++ b/apps/base/vault/namespace.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: vault diff --git a/apps/base/vault/resources/vault.hcl b/apps/base/vault/resources/vault.hcl new file mode 100644 index 0000000..7612cf2 --- /dev/null +++ b/apps/base/vault/resources/vault.hcl @@ -0,0 +1,19 @@ +ui = true + +listener "tcp" { + address = "0.0.0.0:8200" + cluster_address = "0.0.0.0:8201" + tls_disable = "true" +} + +storage "raft" { + path = "/vault/data" + + retry_join { + auto_join = "provider=k8s label_selector=\"app.kubernetes.io/name=vault\" namespace=\"vault\"" + auto_join_scheme = "http" + auto_join_port = 8200 + } +} + +service_registration "kubernetes" {} diff --git a/apps/base/vault/role.yaml b/apps/base/vault/role.yaml new file mode 100644 index 0000000..5a24a84 --- /dev/null +++ b/apps/base/vault/role.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: vault + namespace: vault + labels: + app.kubernetes.io/name: vault + app.kubernetes.io/instance: vault +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["patch", "update"] diff --git a/apps/base/vault/rolebinding.yaml b/apps/base/vault/rolebinding.yaml new file mode 100644 index 0000000..1a67374 --- /dev/null +++ b/apps/base/vault/rolebinding.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: vault + namespace: vault + labels: + app.kubernetes.io/name: vault + app.kubernetes.io/instance: vault +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: vault +subjects: + - kind: ServiceAccount + name: vault + namespace: vault diff --git a/apps/base/vault/service.yaml b/apps/base/vault/service.yaml new file mode 100644 index 0000000..ad7d519 --- /dev/null 
+++ b/apps/base/vault/service.yaml @@ -0,0 +1,23 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: vault + namespace: vault + labels: + app.kubernetes.io/name: vault + app.kubernetes.io/instance: vault +spec: + type: ClusterIP + ports: + - name: api + port: 8200 + targetPort: api + protocol: TCP + - name: cluster + port: 8201 + targetPort: cluster + protocol: TCP + selector: + app.kubernetes.io/name: vault + app.kubernetes.io/instance: vault diff --git a/apps/base/vault/service_headless.yaml b/apps/base/vault/service_headless.yaml new file mode 100644 index 0000000..9e0daa6 --- /dev/null +++ b/apps/base/vault/service_headless.yaml @@ -0,0 +1,24 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: vault-internal + namespace: vault + labels: + app.kubernetes.io/name: vault + app.kubernetes.io/instance: vault +spec: + clusterIP: None + publishNotReadyAddresses: true + ports: + - name: api + port: 8200 + targetPort: api + protocol: TCP + - name: cluster + port: 8201 + targetPort: cluster + protocol: TCP + selector: + app.kubernetes.io/name: vault + app.kubernetes.io/instance: vault diff --git a/apps/base/vault/serviceaccount.yaml b/apps/base/vault/serviceaccount.yaml new file mode 100644 index 0000000..2263fca --- /dev/null +++ b/apps/base/vault/serviceaccount.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault + namespace: vault + labels: + app.kubernetes.io/name: vault + app.kubernetes.io/instance: vault diff --git a/apps/base/vault/statefulset.yaml b/apps/base/vault/statefulset.yaml new file mode 100644 index 0000000..2b19aa0 --- /dev/null +++ b/apps/base/vault/statefulset.yaml 
@@ -0,0 +1,110 @@ +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: vault + namespace: vault + labels: + app.kubernetes.io/name: vault + app.kubernetes.io/instance: vault + app.kubernetes.io/version: 2.0.1 +spec: + serviceName: vault-internal + replicas: 5 + selector: + matchLabels: + app.kubernetes.io/name: vault + app.kubernetes.io/instance: vault + template: + metadata: + labels: + app.kubernetes.io/name: vault + app.kubernetes.io/instance: vault + app.kubernetes.io/version: 2.0.1 + spec: + serviceAccountName: vault + terminationGracePeriodSeconds: 10 + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + app.kubernetes.io/name: vault + containers: + - name: vault + image: hashicorp/vault:2.0.1 + command: + - vault + - server + - -config=/vault/config + ports: + - name: api + containerPort: 8200 + protocol: TCP + - name: cluster + containerPort: 8201 + protocol: TCP + env: + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: VAULT_ADDR + value: "http://127.0.0.1:8200" + - name: VAULT_API_ADDR + value: "http://$(POD_IP):8200" + - name: VAULT_CLUSTER_ADDR + value: "http://$(POD_IP):8201" + - name: VAULT_RAFT_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: SKIP_SETCAP + value: "true" + readinessProbe: + httpGet: + path: /v1/sys/health?standbyok=true&sealedok=true&uninitok=true + port: 8200 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + failureThreshold: 3 + livenessProbe: + httpGet: + path: /v1/sys/health?standbyok=true&sealedok=true&uninitok=true + port: 8200 + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 30 + failureThreshold: 3 + resources: + requests: + cpu: 100m + memory: 256Mi + limits: + cpu: 1000m + memory: 2Gi + volumeMounts: + - name: data + mountPath: /vault/data + - name: config + mountPath: /vault/config + volumes: + - name: config + 
configMap: + name: vault-config + volumeClaimTemplates: + - metadata: + name: data + labels: + app.kubernetes.io/name: vault + app.kubernetes.io/instance: vault + spec: + accessModes: ["ReadWriteOnce"] + storageClassName: cephrbd-fast-delete + resources: + requests: + storage: 10Gi diff --git a/apps/overlays/au-syd1/vault/kustomization.yaml b/apps/overlays/au-syd1/vault/kustomization.yaml new file mode 100644 index 0000000..6347401 --- /dev/null +++ b/apps/overlays/au-syd1/vault/kustomization.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +namespace: vault + +resources: + - ../../../base/vault diff --git a/argocd/applicationsets/platform.yaml b/argocd/applicationsets/platform.yaml index 218d5ea..63be86a 100644 --- a/argocd/applicationsets/platform.yaml +++ b/argocd/applicationsets/platform.yaml @@ -27,6 +27,7 @@ spec: - path: apps/overlays/*/reposync - path: apps/overlays/*/traefik-system - path: apps/overlays/*/vm-system + - path: apps/overlays/*/vault - path: apps/overlays/*/vso-system - path: apps/overlays/*/woodpecker template: -- 2.47.3 From ba405250175e3164c17daf9fdeca3339e43189fa Mon Sep 17 00:00:00 2001 
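Review bot: The container has no `securityContext` at pod or container level, and because `SKIP_SETCAP=true` is set, no `IPC_LOCK` capability is added and `vault.hcl` never sets `disable_mlock`, Vault's default attempt to mlock its memory is expected to fail and the server to exit at startup, so this StatefulSet likely never becomes Ready. The fix is `disable_mlock = true` in `vault.hcl` (HashiCorp's recommendation with integrated raft storage, with swap disabled on the nodes) rather than granting the capability, plus a least-privilege security context as below; the Helm-based deployment in the following commit sets equivalent defaults, so this only matters if the raw StatefulSet is kept. `env`, probes, resources and volumes are otherwise unchanged.
```yaml
    spec:
      serviceAccountName: vault
      securityContext:
        runAsNonRoot: true
        runAsUser: 100     # `vault` user in the official image — verify against the image
        runAsGroup: 1000
        fsGroup: 1000
      # … unchanged: terminationGracePeriodSeconds, affinity …
      containers:
        - name: vault
          image: hashicorp/vault:2.0.1
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]   # no IPC_LOCK needed once disable_mlock = true is set in vault.hcl
          # … unchanged: command, ports, env, probes, resources, volumeMounts …
```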
From: Ben Vincent Date: Sat, 23 May 2026 18:46:50 +1000 Subject: [PATCH 2/5] feat(vault): deploy HashiCorp Vault 2.0.1 via Helm chart 0.32.0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit HA raft cluster (5 replicas) with disable_mlock=true, IPC_LOCK capability, headless-DNS retry_join, kubernetes service_registration, 10Gi cephrbd-fast-delete PVC. Gateway API HTTPRoute on 443→8200. ArgoCD platform ApplicationSet entry added. --- apps/base/vault/kustomization.yaml | 13 --- apps/base/vault/resources/vault.hcl | 19 --- apps/base/vault/role.yaml | 16 --- apps/base/vault/rolebinding.yaml | 17 --- apps/base/vault/service.yaml | 23 ---- apps/base/vault/service_headless.yaml | 24 ---- apps/base/vault/serviceaccount.yaml | 9 -- apps/base/vault/statefulset.yaml | 110 ------------------ .../overlays/au-syd1/vault/kustomization.yaml | 10 +- apps/overlays/au-syd1/vault/values.yaml | 71 +++++++++++ 10 files changed, 79 insertions(+), 233 deletions(-) delete mode 100644 apps/base/vault/resources/vault.hcl delete mode 100644 apps/base/vault/role.yaml delete mode 100644 apps/base/vault/rolebinding.yaml delete mode 100644 apps/base/vault/service.yaml delete mode 100644 apps/base/vault/service_headless.yaml delete mode 100644 apps/base/vault/serviceaccount.yaml delete mode 100644 apps/base/vault/statefulset.yaml create mode 100644 apps/overlays/au-syd1/vault/values.yaml diff --git a/apps/base/vault/kustomization.yaml b/apps/base/vault/kustomization.yaml index 19dd192..2c2b5da 100644 --- a/apps/base/vault/kustomization.yaml +++ b/apps/base/vault/kustomization.yaml @@ -4,18 +4,5 @@ kind: Kustomization resources: - namespace.yaml - - serviceaccount.yaml - - role.yaml - - rolebinding.yaml - - statefulset.yaml - - service.yaml - - service_headless.yaml - gateway.yaml - httproute.yaml - -configMapGenerator: - - name: vault-config - files: - - resources/vault.hcl - options: - disableNameSuffixHash: true 
diff --git a/apps/base/vault/resources/vault.hcl b/apps/base/vault/resources/vault.hcl deleted file mode 100644 index 7612cf2..0000000 --- a/apps/base/vault/resources/vault.hcl +++ /dev/null @@ -1,19 +0,0 @@ -ui = true - -listener "tcp" { - address = "0.0.0.0:8200" - cluster_address = "0.0.0.0:8201" - tls_disable = "true" -} - -storage "raft" { - path = "/vault/data" - - retry_join { - auto_join = "provider=k8s label_selector=\"app.kubernetes.io/name=vault\" namespace=\"vault\"" - auto_join_scheme = "http" - auto_join_port = 8200 - } -} - -service_registration "kubernetes" {} diff --git a/apps/base/vault/role.yaml b/apps/base/vault/role.yaml deleted file mode 100644 index 5a24a84..0000000 --- a/apps/base/vault/role.yaml +++ /dev/null @@ -1,16 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: vault - namespace: vault - labels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault -rules: - - apiGroups: [""] - resources: ["pods"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["pods"] - verbs: ["patch", "update"] diff --git a/apps/base/vault/rolebinding.yaml b/apps/base/vault/rolebinding.yaml deleted file mode 100644 index 1a67374..0000000 --- a/apps/base/vault/rolebinding.yaml +++ /dev/null @@ -1,17 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: vault - namespace: vault - labels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: vault -subjects: - - kind: ServiceAccount - name: vault - namespace: vault diff --git a/apps/base/vault/service.yaml b/apps/base/vault/service.yaml deleted file mode 100644 index ad7d519..0000000 --- a/apps/base/vault/service.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - name: vault - namespace: vault - labels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault -spec: - type: ClusterIP - ports: - - name: api - port: 8200 - targetPort: api - protocol: TCP - - name: cluster - port: 8201 - targetPort: cluster - protocol: TCP - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault diff --git a/apps/base/vault/service_headless.yaml b/apps/base/vault/service_headless.yaml deleted file mode 100644 index 9e0daa6..0000000 --- a/apps/base/vault/service_headless.yaml +++ /dev/null @@ -1,24 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - name: vault-internal - namespace: vault - labels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault -spec: - clusterIP: None - publishNotReadyAddresses: true - ports: - - name: api - port: 8200 - targetPort: api - protocol: TCP - - name: cluster - port: 8201 - targetPort: cluster - protocol: TCP - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault diff --git a/apps/base/vault/serviceaccount.yaml b/apps/base/vault/serviceaccount.yaml deleted file mode 100644 index 2263fca..0000000 --- a/apps/base/vault/serviceaccount.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vault - namespace: vault - labels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault diff --git a/apps/base/vault/statefulset.yaml b/apps/base/vault/statefulset.yaml deleted file mode 100644 index 2b19aa0..0000000 --- a/apps/base/vault/statefulset.yaml +++ /dev/null 
@@ -1,110 +0,0 @@ ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: vault - namespace: vault - labels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - app.kubernetes.io/version: 2.0.1 -spec: - serviceName: vault-internal - replicas: 5 - selector: - matchLabels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - template: - metadata: - labels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - app.kubernetes.io/version: 2.0.1 - spec: - serviceAccountName: vault - terminationGracePeriodSeconds: 10 - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - podAffinityTerm: - topologyKey: kubernetes.io/hostname - labelSelector: - matchLabels: - app.kubernetes.io/name: vault - containers: - - name: vault - image: hashicorp/vault:2.0.1 - command: - - vault - - server - - -config=/vault/config - ports: - - name: api - containerPort: 8200 - protocol: TCP - - name: cluster - containerPort: 8201 - protocol: TCP - env: - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: VAULT_ADDR - value: "http://127.0.0.1:8200" - - name: VAULT_API_ADDR - value: "http://$(POD_IP):8200" - - name: VAULT_CLUSTER_ADDR - value: "http://$(POD_IP):8201" - - name: VAULT_RAFT_NODE_ID - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: SKIP_SETCAP - value: "true" - readinessProbe: - httpGet: - path: /v1/sys/health?standbyok=true&sealedok=true&uninitok=true - port: 8200 - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 10 - failureThreshold: 3 - livenessProbe: - httpGet: - path: /v1/sys/health?standbyok=true&sealedok=true&uninitok=true - port: 8200 - scheme: HTTP - initialDelaySeconds: 60 - periodSeconds: 30 - failureThreshold: 3 - resources: - requests: - cpu: 100m - memory: 256Mi - limits: - cpu: 1000m - memory: 2Gi - volumeMounts: - - name: data - mountPath: /vault/data - - name: config - mountPath: /vault/config - volumes: - - name: config - 
configMap: - name: vault-config - volumeClaimTemplates: - - metadata: - name: data - labels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - spec: - accessModes: ["ReadWriteOnce"] - storageClassName: cephrbd-fast-delete - resources: - requests: - storage: 10Gi diff --git a/apps/overlays/au-syd1/vault/kustomization.yaml b/apps/overlays/au-syd1/vault/kustomization.yaml index 6347401..c2a204f 100644 --- a/apps/overlays/au-syd1/vault/kustomization.yaml +++ b/apps/overlays/au-syd1/vault/kustomization.yaml @@ -2,7 +2,13 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: vault - resources: - ../../../base/vault + +helmCharts: + - name: vault + repo: https://helm.releases.hashicorp.com + version: "0.32.0" + releaseName: vault + namespace: vault + valuesFile: values.yaml diff --git a/apps/overlays/au-syd1/vault/values.yaml b/apps/overlays/au-syd1/vault/values.yaml new file mode 100644 index 0000000..8485dbe --- /dev/null +++ b/apps/overlays/au-syd1/vault/values.yaml 
@@ -0,0 +1,71 @@ +server: + image: + repository: hashicorp/vault + tag: "2.0.1" + + ha: + enabled: true + replicas: 5 + + raft: + enabled: true + setNodeId: true + config: | + ui = true + disable_mlock = true + + listener "tcp" { + address = "[::]:8200" + cluster_address = "[::]:8201" + tls_disable = "true" + } + + storage "raft" { + path = "/vault/data" + + retry_join { + leader_api_addr = "http://vault-0.vault-internal.vault.svc.cluster.local:8200" + } + retry_join { + leader_api_addr = "http://vault-1.vault-internal.vault.svc.cluster.local:8200" + } + retry_join { + leader_api_addr = "http://vault-2.vault-internal.vault.svc.cluster.local:8200" + } + retry_join { + leader_api_addr = "http://vault-3.vault-internal.vault.svc.cluster.local:8200" + } + retry_join { + leader_api_addr = "http://vault-4.vault-internal.vault.svc.cluster.local:8200" + } + } + + service_registration "kubernetes" {} + + dataStorage: + enabled: true + size: 10Gi + storageClass: cephrbd-fast-delete + accessMode: ReadWriteOnce + + statefulSet: + securityContext: + container: + capabilities: + add: + - IPC_LOCK + + resources: + requests: + memory: 256Mi + cpu: 100m + limits: + memory: 2Gi + cpu: 1000m + +injector: + enabled: false + +ui: + enabled: true + serviceType: ClusterIP -- 2.47.3 From 0d146dc9429206f3be9b3989c2bbbe43cc839497 Mon Sep 17 00:00:00 2001 
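Review bot: `tls_disable = "true"` leaves the Vault API listener in plaintext, so client tokens, `sys/unseal` key shares and every secret read travel unencrypted on the pod network between Traefik (which terminates TLS at the gateway) and the pods, and the five `http://` `leader_api_addr` joins ride the same channel. Unless the CNI encrypts node-to-node traffic, serve TLS on the listener itself: issue a certificate for the `vault-internal` pod names, mount it via `server.volumes`/`volumeMounts`, set `global.tlsDisable: false` so the chart switches `VAULT_ADDR` and the probes to HTTPS, and point `leader_api_addr` at `https://` with `leader_ca_cert_file`, as below. The `vault` HTTPRoute backends will then need a BackendTLSPolicy (or Traefik's equivalent) so the gateway speaks TLS to the pods. Separately, `disable_mlock = true` and the added `IPC_LOCK` capability contradict each other — with integrated raft storage mlock is off by design, so the capability is an unneeded privilege, and if the chart only applies its default container securityContext when this block is empty, overriding it here also drops the default `allowPrivilegeEscalation: false` (check the rendered StatefulSet). There is also no `seal` stanza, so every restart of the five pods needs manual Shamir unsealing unless that is handled elsewhere.
```yaml
global:
  tlsDisable: false   # chart then sets VAULT_ADDR and the probes to https

server:
  # … unchanged: image …
  extraEnvironmentVars:
    VAULT_CACERT: /vault/userconfig/vault-server-tls/ca.crt
  volumes:
    - name: vault-server-tls
      secret:
        secretName: vault-server-tls   # cert-manager Certificate; SANs: vault-{0..4}.vault-internal.vault.svc.cluster.local, the vault service name, 127.0.0.1
  volumeMounts:
    - name: vault-server-tls
      mountPath: /vault/userconfig/vault-server-tls
      readOnly: true
  ha:
    # … unchanged: enabled, replicas …
    raft:
      # … unchanged: enabled, setNodeId …
      config: |
        ui = true
        disable_mlock = true

        listener "tcp" {
          address         = "[::]:8200"
          cluster_address = "[::]:8201"
          tls_cert_file   = "/vault/userconfig/vault-server-tls/tls.crt"
          tls_key_file    = "/vault/userconfig/vault-server-tls/tls.key"
          tls_min_version = "tls12"
        }

        storage "raft" {
          path = "/vault/data"

          retry_join {
            leader_api_addr     = "https://vault-0.vault-internal.vault.svc.cluster.local:8200"
            leader_ca_cert_file = "/vault/userconfig/vault-server-tls/ca.crt"
          }
          # … unchanged: retry_join for vault-1 … vault-4, same https scheme and CA file …
        }

        service_registration "kubernetes" {}
  statefulSet:
    securityContext:
      container:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]   # IPC_LOCK is unused once disable_mlock = true
  # … unchanged: dataStorage, resources …
```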
From: Ben Vincent Date: Sat, 23 May 2026 22:08:41 +1000 Subject: [PATCH 3/5] feat(vault): add port 8200 listener, consul SANs, consul service_registration - Add SAN altnames vault.service.consul and vault.query.consul to cert - Add vault-direct HTTPS listener on port 8200 (TLS terminate, same cert) - Add vault-consul HTTPRoute binding consul DNS names to port 8200 listener - Add vault-direct port 8200 entrypoint to traefik-internal - Switch service_registration from kubernetes to consul (consul-server.consul.svc.cluster.local:8500) --- apps/base/vault/gateway.yaml | 12 ++++++++++ apps/base/vault/httproute.yaml | 24 +++++++++++++++++++ .../traefik-system/values-internal.yaml | 2 ++ apps/overlays/au-syd1/vault/values.yaml | 4 +++- 4 files changed, 41 insertions(+), 1 deletion(-) diff --git a/apps/base/vault/gateway.yaml b/apps/base/vault/gateway.yaml index 6895ff6..4c24ccc 100644 --- a/apps/base/vault/gateway.yaml +++ b/apps/base/vault/gateway.yaml @@ -12,6 +12,7 @@ metadata: cert-manager.io/cluster-issuer: vault-issuer cert-manager.io/common-name: vault.k8s.syd1.au.unkin.net cert-manager.io/private-key-size: "4096" + cert-manager.io/subject-alternative-names: vault.service.consul,vault.query.consul external-dns.alpha.kubernetes.io/hostname: vault.k8s.syd1.au.unkin.net external-dns.alpha.kubernetes.io/target: 198.18.200.4 spec: @@ -29,3 +30,14 @@ spec: certificateRefs: - kind: Secret name: vault-tls + - name: vault-direct + port: 8200 + protocol: HTTPS + allowedRoutes: + namespaces: + from: Same + tls: + mode: Terminate + certificateRefs: + - kind: Secret + name: vault-tls diff --git a/apps/base/vault/httproute.yaml b/apps/base/vault/httproute.yaml index 2622095..9668808 100644 --- a/apps/base/vault/httproute.yaml +++ b/apps/base/vault/httproute.yaml 
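Review bot: The new `vault-direct` listener has no `hostname`, so it accepts any SNI on port 8200 and answers with the `vault-tls` certificate for names it was never issued for; only the attached HTTPRoute narrows the hosts, and a listener-level match is the cheaper place to reject stray connections. Gateway API treats a leading wildcard as a suffix match, so one line covers both consul names: `hostname: "*.consul"` (quoted — a bare `*` is parsed as a YAML alias). Separately, `vault.service.consul`/`vault.query.consul` as SANs will only be issued if `vault-issuer` is a private CA; a public/ACME issuer would reject the whole Certificate, taking the 443 listener's name down with it, so confirm the issuer type before merging.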
@@ -21,3 +21,27 @@ spec: - path: type: PathPrefix value: / +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: vault-consul + namespace: vault + labels: + app.kubernetes.io/name: vault + app.kubernetes.io/instance: vault +spec: + hostnames: + - vault.service.consul + - vault.query.consul + parentRefs: + - name: vault + sectionName: vault-direct + rules: + - backendRefs: + - name: vault + port: 8200 + matches: + - path: + type: PathPrefix + value: / diff --git a/apps/overlays/au-syd1/traefik-system/values-internal.yaml b/apps/overlays/au-syd1/traefik-system/values-internal.yaml index 3c28466..c119afc 100644 --- a/apps/overlays/au-syd1/traefik-system/values-internal.yaml +++ b/apps/overlays/au-syd1/traefik-system/values-internal.yaml @@ -94,5 +94,7 @@ ports: port: 80 websecure: port: 443 + vault-direct: + port: 8200 enabled: true diff --git a/apps/overlays/au-syd1/vault/values.yaml b/apps/overlays/au-syd1/vault/values.yaml index 8485dbe..d1f646a 100644 --- a/apps/overlays/au-syd1/vault/values.yaml +++ b/apps/overlays/au-syd1/vault/values.yaml @@ -40,7 +40,9 @@ server: } } - service_registration "kubernetes" {} + service_registration "consul" { + address = "consul-server.consul.svc.cluster.local:8500" + } dataStorage: enabled: true -- 2.47.3 From eb5e75da8959e778121d4d397cd16b2a233b0475 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 23 May 2026 22:12:20 +1000 Subject: [PATCH 4/5] fix(vault): use correct cert-manager alt-names annotation for consul SANs --- apps/base/vault/gateway.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/base/vault/gateway.yaml b/apps/base/vault/gateway.yaml index 4c24ccc..8490020 100644 --- a/apps/base/vault/gateway.yaml +++ b/apps/base/vault/gateway.yaml 
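Review bot: `service_registration "consul"` points at `consul-server.consul.svc.cluster.local:8500` with no `scheme` and no `token`, so Vault registers over plaintext HTTP and anonymously; if Consul ACLs are on, registration fails, and if they are off any workload that can reach port 8500 can overwrite the `vault` service entry that the new `vault.service.consul` route and certificate SANs now depend on. Supply an ACL token scoped to `service "vault" { policy = "write" }` from a Kubernetes Secret rather than in values.yaml (e.g. `server.extraSecretEnvironmentVars` setting `CONSUL_HTTP_TOKEN`, which the stanza reads as the fallback for `token`), and set `scheme = "https"` plus `tls_ca_file` if the Consul HTTP API is served over TLS. The enclosing `config` block scalar starts and ends outside the hunk.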
@@ -12,7 +12,7 @@ metadata: cert-manager.io/cluster-issuer: vault-issuer cert-manager.io/common-name: vault.k8s.syd1.au.unkin.net cert-manager.io/private-key-size: "4096" - cert-manager.io/subject-alternative-names: vault.service.consul,vault.query.consul + cert-manager.io/alt-names: vault.service.consul,vault.query.consul external-dns.alpha.kubernetes.io/hostname: vault.k8s.syd1.au.unkin.net external-dns.alpha.kubernetes.io/target: 198.18.200.4 spec: -- 2.47.3 From baca4c94f1bb1537fdd40a654facccd6c8c985d9 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 23 May 2026 22:13:50 +1000 Subject: [PATCH 5/5] =?UTF-8?q?feat(vault):=20add=20HTTP=E2=86=92HTTPS=20r?= =?UTF-8?q?edirect=20on=20port=2080?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- apps/base/vault/gateway.yaml | 7 +++++++ apps/base/vault/httproute.yaml | 25 +++++++++++++++++++++++++ 2 files changed, 32 insertions(+) diff --git a/apps/base/vault/gateway.yaml b/apps/base/vault/gateway.yaml index 8490020..7227dc7 100644 --- a/apps/base/vault/gateway.yaml +++ b/apps/base/vault/gateway.yaml @@ -18,6 +18,13 @@ metadata: spec: gatewayClassName: traefik-internal listeners: + - name: http + port: 80 + protocol: HTTP + hostname: vault.k8s.syd1.au.unkin.net + allowedRoutes: + namespaces: + from: Same - name: https port: 443 protocol: HTTPS diff --git a/apps/base/vault/httproute.yaml b/apps/base/vault/httproute.yaml index 9668808..61fd1c4 100644 --- a/apps/base/vault/httproute.yaml +++ b/apps/base/vault/httproute.yaml 
@@ -1,6 +1,31 @@ --- apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute +metadata: + name: vault-http-redirect + namespace: vault + labels: + app.kubernetes.io/name: vault + app.kubernetes.io/instance: vault +spec: + hostnames: + - vault.k8s.syd1.au.unkin.net + parentRefs: + - name: vault + sectionName: http + rules: + - filters: + - type: RequestRedirect + requestRedirect: + scheme: https + statusCode: 301 + matches: + - path: + type: PathPrefix + value: / +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute metadata: name: vault namespace: vault -- 2.47.3