From aef6698e2dee4e08ae3c4af9591e1c475f08749d Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Tue, 26 May 2026 00:03:39 +1000
Subject: [PATCH] feat(vault): switch to Kubernetes service registration

Replaces Consul service registration with the native Kubernetes provider so Vault labels its own pods with active/standby status without requiring a Consul dependency.

---
 apps/base/vault/kustomization.yaml | 1 +
 .../vault/role_k8s-service-registration.yaml | 24 +++++++++++++++++++
 apps/overlays/au-syd1/vault/values.yaml | 12 +++++++---
 3 files changed, 34 insertions(+), 3 deletions(-)
 create mode 100644 apps/base/vault/role_k8s-service-registration.yaml

diff --git a/apps/base/vault/kustomization.yaml b/apps/base/vault/kustomization.yaml
index 2c2b5da..aa4c1ab 100644
--- a/apps/base/vault/kustomization.yaml
+++ b/apps/base/vault/kustomization.yaml
@@ -6,3 +6,4 @@ resources: - namespace.yaml - gateway.yaml - httproute.yaml + - role_k8s-service-registration.yaml
diff --git a/apps/base/vault/role_k8s-service-registration.yaml b/apps/base/vault/role_k8s-service-registration.yaml
new file mode 100644
index 0000000..68427ef
--- /dev/null
+++ b/apps/base/vault/role_k8s-service-registration.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: vault-k8s-service-registration
+ namespace: vault
+rules:
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "update", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: vault-k8s-service-registration
+ namespace: vault
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: vault-k8s-service-registration
+subjects:
+ - kind: ServiceAccount
+ name: vault
+ namespace: vault
diff --git a/apps/overlays/au-syd1/vault/values.yaml b/apps/overlays/au-syd1/vault/values.yaml
index d1f646a..95744bb 100644
--- a/apps/overlays/au-syd1/vault/values.yaml
+++ b/apps/overlays/au-syd1/vault/values.yaml
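Review bot: The Role in role_k8s-service-registration.yaml grants get/update/patch on every pod in the vault namespace, but the kubernetes service registration only ever labels Vault's own StatefulSet pods, whose names are deterministic; consider pinning the rule with `resourceNames: ["<vault-pod-0>", "<vault-pod-1>"]` (placeholders — take the names from the deployed StatefulSet and keep the list in step with its replica count), or, if that is judged too brittle, add a comment above `rules:` recording why the namespace-wide grant is needed, e.g. `# Vault's kubernetes service_registration patches status labels onto its own pod; not pinned with resourceNames so replicas can scale`. As written, the bound service account can modify any pod that shares the namespace, not only its own, so the namespace should stay dedicated to Vault. If this overlay renders the upstream Vault Helm chart in HA mode, that chart already ships a pod discovery Role and RoleBinding for the same service account with a superset of these verbs, which would make this object redundant — worth confirming before merging.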
@@ -40,9 +40,7 @@ server: } } - service_registration "consul" { - address = "consul-server.consul.svc.cluster.local:8500" - } + service_registration "kubernetes" {} dataStorage: enabled: true
@@ -50,6 +48,14 @@ server: storageClass: cephrbd-fast-delete accessMode: ReadWriteOnce + extraEnv: + - name: VAULT_K8S_NAMESPACE + value: vault + - name: VAULT_K8S_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + statefulSet: securityContext: container:
-- 
2.47.3
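Review bot: In the second hunk VAULT_K8S_NAMESPACE is set to the literal `vault` while VAULT_K8S_POD_NAME comes from the downward API; if the release is ever installed into another namespace the registration would look for its pod in the wrong namespace, and the RoleBinding in the new file would not cover it. Take it from the pod as well: `valueFrom:` / `fieldRef:` / `fieldPath: metadata.namespace`, or at least add the comment `# must match metadata.namespace of the Vault pods and the Role in role_k8s-service-registration.yaml`. The surrounding keys (dataStorage, statefulSet.securityContext.container) look like the upstream Vault Helm chart's values schema; if that is the chart in use, it already injects VAULT_K8S_POD_NAME and VAULT_K8S_NAMESPACE from the downward API, so confirm that `extraEnv` is a key the chart renders at all and that these entries do not end up duplicating the chart's own. The enclosing server: mapping begins before the hunk and the context after the added block continues past it.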