feat(vault): deploy HashiCorp Vault 2.0.1 via Helm chart (5-replica HA raft) #148

Merged
unkinben merged 5 commits from benvin/vault into main 2026-05-23 22:39:42 +10:00
13 changed files with 307 additions and 0 deletions
Showing only changes of commit eef4c2cd49 - Show all commits
@@ -0,0 +1,31 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: vault
namespace: vault
labels:
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
traefik.io/instance: internal
annotations:
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: vault.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
external-dns.alpha.kubernetes.io/hostname: vault.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.4
spec:
gatewayClassName: traefik-internal
listeners:
- name: https
port: 443

also listen on tcp 8200 to match the current production vault environment

also listen on tcp 8200 to match the current production vault environment
protocol: HTTPS
hostname: vault.k8s.syd1.au.unkin.net
allowedRoutes:
namespaces:
from: Same
tls:
mode: Terminate
certificateRefs:
- kind: Secret
name: vault-tls
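Review bot: TLS ends at this listener, while the backend the HTTPRoute points at (port 8200) and the listener in resources/vault.hcl (`tls_disable = "true"`, `auto_join_scheme = "http"`) speak plain HTTP, so client tokens and secret payloads cross the pod network unencrypted once they leave the gateway. cert-manager already issues `vault-tls` here, so a second Certificate can be mounted into the StatefulSet and the hcl listener given `tls_cert_file`/`tls_key_file`, with the gateway-to-pod hop re-encrypted (a Gateway API BackendTLSPolicy, if this Traefik release supports it — verify). The same plaintext assumption appears in the vault.hcl hunk and in the StatefulSet's `VAULT_ADDR`/`VAULT_API_ADDR` values, so the three hunks should change together.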
@@ -0,0 +1,23 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: vault
namespace: vault
labels:
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
spec:
hostnames:
- vault.k8s.syd1.au.unkin.net

I want this to respond to vault.service.consul and vault.query.consul too

I want this to respond to vault.service.consul and vault.query.consul too
parentRefs:
- name: vault
sectionName: https
rules:
- backendRefs:
- name: vault
port: 8200
matches:
- path:
type: PathPrefix
value: /
@@ -0,0 +1,21 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- serviceaccount.yaml
- role.yaml
- rolebinding.yaml
- statefulset.yaml
- service.yaml
- service_headless.yaml
- gateway.yaml
- httproute.yaml
configMapGenerator:
- name: vault-config
files:
- resources/vault.hcl
options:
disableNameSuffixHash: true
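Review bot: `disableNameSuffixHash: true` on the vault-config generator means an edit to resources/vault.hcl rewrites the ConfigMap in place without touching the StatefulSet's pod template, so running pods keep the old listener and storage settings until someone restarts them by hand. Either drop the option so the hash-suffixed name rolls the pods on every config change, or put the manual `kubectl rollout restart statefulset/vault -n vault` step in a comment above the generator. The hunk header counts 21 lines but 19 are shown here, so two lines (probably blanks) are missing from this view.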
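--- /dev/null
+++ b/namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+name: vault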
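Review bot: The namespace carries no Pod Security Admission labels, so nothing prevents a later workload in `vault` from running privileged alongside the secret store. Add `pod-security.kubernetes.io/enforce: baseline` under `metadata.labels` now, and tighten it to `restricted` once the StatefulSet gains a securityContext — as written the pod template sets `SKIP_SETCAP` but declares no securityContext, so `restricted` would likely reject it (verify against the image's user and capabilities).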
@@ -0,0 +1,19 @@
ui = true
listener "tcp" {
address = "0.0.0.0:8200"
cluster_address = "0.0.0.0:8201"
tls_disable = "true"
}
storage "raft" {
path = "/vault/data"
retry_join {
auto_join = "provider=k8s label_selector=\"app.kubernetes.io/name=vault\" namespace=\"vault\""
auto_join_scheme = "http"
auto_join_port = 8200
}
}
service_registration "kubernetes" {}
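Review bot: The config sets no `disable_mlock`, while the StatefulSet sets `SKIP_SETCAP=true` and grants no IPC_LOCK, so the server cannot lock memory; recent Vault releases (1.20 onward, as I recall) require `disable_mlock` to be set explicitly for the raft backend and refuse to start otherwise, so write the intended value here — `disable_mlock = true`, the documented setting for integrated storage — rather than relying on an image default (confirm against the 2.0.1 release notes). The `auto_join` selector matches only `app.kubernetes.io/name=vault`; adding `app.kubernetes.io/instance=vault` to the `label_selector` keeps a second Vault instance in the same namespace from being pulled into this raft cluster. The hunk header counts 19 lines but 15 are shown, so four lines, presumably blanks, are missing from this view.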
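--- /dev/null
+++ b/role.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+name: vault
+namespace: vault
+labels:
+app.kubernetes.io/name: vault
+app.kubernetes.io/instance: vault
+rules:
+- apiGroups: [""]
+resources: ["pods"]
+verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+resources: ["pods"]
+verbs: ["patch", "update"]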
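Review bot: The second rule grants `patch` and `update` on every pod in the namespace, which is broader than the label writes `service_registration "kubernetes"` performs on the pod's own object; since StatefulSet pod names are deterministic, pin it with `resourceNames: ["vault-0", "vault-1", "vault-2", "vault-3", "vault-4"]` on that rule (the `list`/`watch` rule cannot take `resourceNames`, so keeping the two rules separate is correct). The list has to grow if `replicas` is ever raised above 5, which deserves a comment above the rule.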
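--- /dev/null
+++ b/rolebinding.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: vault
+namespace: vault
+labels:
+app.kubernetes.io/name: vault
+app.kubernetes.io/instance: vault
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: Role
+name: vault
+subjects:
+- kind: ServiceAccount
+name: vault
+namespace: vault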
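--- /dev/null
+++ b/service.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+name: vault
+namespace: vault
+labels:
+app.kubernetes.io/name: vault
+app.kubernetes.io/instance: vault
+spec:
+type: ClusterIP
+ports:
+- name: api
+port: 8200
+targetPort: api
+protocol: TCP
+- name: cluster
+port: 8201
+targetPort: cluster
+protocol: TCP
+selector:
+app.kubernetes.io/name: vault
+app.kubernetes.io/instance: vault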
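Review bot: This ClusterIP Service selects all five pods, and the StatefulSet's readinessProbe passes `sealedok=true&uninitok=true`, so a sealed or not-yet-joined pod stays in the endpoints and the Gateway will send client requests to nodes that answer 503. Drop `sealedok`/`uninitok` from the readiness path only (`path: /v1/sys/health?standbyok=true`), keeping them on liveness so sealed pods are not restarted; raft joins still work because `vault-internal` sets `publishNotReadyAddresses: true`, and the initial `vault operator init` is run via exec or port-forward anyway. The `cluster` port 8201 is only used pod-to-pod through the headless service, so it need not be exposed on the client-facing Service.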
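--- /dev/null
+++ b/service_headless.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+name: vault-internal
+namespace: vault
+labels:
+app.kubernetes.io/name: vault
+app.kubernetes.io/instance: vault
+spec:
+clusterIP: None
+publishNotReadyAddresses: true
+ports:
+- name: api
+port: 8200
+targetPort: api
+protocol: TCP
+- name: cluster
+port: 8201
+targetPort: cluster
+protocol: TCP
+selector:
+app.kubernetes.io/name: vault
+app.kubernetes.io/instance: vault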
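--- /dev/null
+++ b/serviceaccount.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: vault
+namespace: vault
+labels:
+app.kubernetes.io/name: vault
+app.kubernetes.io/instance: vault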
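--- /dev/null
+++ b/statefulset.yaml
@@ -0,0 +1,110 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+name: vault
+namespace: vault
+labels:
+app.kubernetes.io/name: vault
+app.kubernetes.io/instance: vault
+app.kubernetes.io/version: 2.0.1
+spec:
+serviceName: vault-internal
+replicas: 5
+selector:
+matchLabels:
+app.kubernetes.io/name: vault
+app.kubernetes.io/instance: vault
+template:
+metadata:
+labels:
+app.kubernetes.io/name: vault
+app.kubernetes.io/instance: vault
+app.kubernetes.io/version: 2.0.1
+spec:
+serviceAccountName: vault
+terminationGracePeriodSeconds: 10
+affinity:
+podAntiAffinity:
+preferredDuringSchedulingIgnoredDuringExecution:
+- weight: 100
+podAffinityTerm:
+topologyKey: kubernetes.io/hostname
+labelSelector:
+matchLabels:
+app.kubernetes.io/name: vault
+containers:
+- name: vault
+image: hashicorp/vault:2.0.1
+command:
+- vault
+- server
+- -config=/vault/config
+ports:
+- name: api
+containerPort: 8200
+protocol: TCP
+- name: cluster
+containerPort: 8201
+protocol: TCP
+env:
+- name: POD_IP
+valueFrom:
+fieldRef:
+fieldPath: status.podIP
+- name: VAULT_ADDR
+value: "http://127.0.0.1:8200"
+- name: VAULT_API_ADDR
+value: "http://$(POD_IP):8200"
+- name: VAULT_CLUSTER_ADDR
+value: "http://$(POD_IP):8201"
+- name: VAULT_RAFT_NODE_ID
+valueFrom:
+fieldRef:
+fieldPath: metadata.name
+- name: SKIP_SETCAP
+value: "true"
+readinessProbe:
+httpGet:
+path: /v1/sys/health?standbyok=true&sealedok=true&uninitok=true
+port: 8200
+scheme: HTTP
+initialDelaySeconds: 5
+periodSeconds: 10
+failureThreshold: 3
+livenessProbe:
+httpGet:
+path: /v1/sys/health?standbyok=true&sealedok=true&uninitok=true
+port: 8200
+scheme: HTTP
+initialDelaySeconds: 60
+periodSeconds: 30
+failureThreshold: 3
+resources:
+requests:
+cpu: 100m
+memory: 256Mi
+limits:
+cpu: 1000m
+memory: 2Gi
+volumeMounts:
+- name: data
+mountPath: /vault/data
+- name: config
+mountPath: /vault/config
+volumes:
+- name: config
+configMap:
+name: vault-config
+volumeClaimTemplates:
+- metadata:
+name: data
+labels:
+app.kubernetes.io/name: vault
+app.kubernetes.io/instance: vault
+spec:
+accessModes: ["ReadWriteOnce"]
+storageClassName: cephrbd-fast-delete
+resources:
+requests:
+storage: 10Gi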
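Review bot: Neither the pod nor the container declares a securityContext, so the secret store runs with whatever user the image defaults to, can gain privileges through setuid binaries, and has no seccomp profile, while `SKIP_SETCAP=true` already means Vault is not meant to need IPC_LOCK. The rewrite below adds a non-root pod context with an `fsGroup` so the raft PVC at /vault/data stays writable, and drops all capabilities on the container; with capabilities dropped, `disable_mlock = true` must be set in resources/vault.hcl. The uid/gid values are those the official Helm chart uses for this image — verify they hold for the 2.0.1 tag before merging. A `PodDisruptionBudget` with `minAvailable: 3` would also protect raft quorum during node drains, and the `cephrbd-fast-delete` class name suggests a Delete reclaim policy, which means deleting a PVC destroys that node's raft data — confirm the class's `reclaimPolicy`.

```yaml
    spec:
      serviceAccountName: vault
      # … unchanged: terminationGracePeriodSeconds, affinity …
      securityContext:
        runAsNonRoot: true
        runAsUser: 100      # uid of the image's vault user per the upstream chart — verify for 2.0.1
        runAsGroup: 1000
        fsGroup: 1000       # lets the non-root user write the raft PVC mounted at /vault/data
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: vault
          # … unchanged: image, command, ports, env, probes, resources, volumeMounts …
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]   # requires disable_mlock = true in vault.hcl
```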
@@ -0,0 +1,8 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: vault
resources:
- ../../../base/vault
@@ -27,6 +27,7 @@ spec:
- path: apps/overlays/*/reposync
- path: apps/overlays/*/traefik-system
- path: apps/overlays/*/vm-system
- path: apps/overlays/*/vault
- path: apps/overlays/*/vso-system
- path: apps/overlays/*/woodpecker
template: