3990fbfe06
Replaces Consul service registration with the native Kubernetes provider so Vault labels its own pods with active/standby/perf-standby status without requiring a Consul dependency.
## Changes
- `values.yaml`: swap `service_registration "consul"` for `service_registration "kubernetes" {}`, add `VAULT_K8S_NAMESPACE` and `VAULT_K8S_POD_NAME` env vars via downward API
- `role_k8s-service-registration.yaml`: Role + RoleBinding granting the `vault` service account `get`/`update`/`patch` on pods
- `kustomization.yaml`: include new RBAC file
Reviewed-on: #171
server:
|
|
image:
|
|
repository: hashicorp/vault
|
|
tag: "2.0.1"
|
|
|
|
ha:
|
|
enabled: true
|
|
replicas: 5
|
|
|
|
raft:
|
|
enabled: true
|
|
setNodeId: true
|
|
config: |
|
|
ui = true
|
|
disable_mlock = true
|
|
|
|
listener "tcp" {
|
|
address = "[::]:8200"
|
|
cluster_address = "[::]:8201"
|
|
tls_disable = "true"
|
|
}
|
|
|
|
storage "raft" {
|
|
path = "/vault/data"
|
|
|
|
retry_join {
|
|
leader_api_addr = "http://vault-0.vault-internal.vault.svc.cluster.local:8200"
|
|
}
|
|
retry_join {
|
|
leader_api_addr = "http://vault-1.vault-internal.vault.svc.cluster.local:8200"
|
|
}
|
|
retry_join {
|
|
leader_api_addr = "http://vault-2.vault-internal.vault.svc.cluster.local:8200"
|
|
}
|
|
retry_join {
|
|
leader_api_addr = "http://vault-3.vault-internal.vault.svc.cluster.local:8200"
|
|
}
|
|
retry_join {
|
|
leader_api_addr = "http://vault-4.vault-internal.vault.svc.cluster.local:8200"
|
|
}
|
|
}
|
|
|
|
service_registration "kubernetes" {}
|
|
|
|
dataStorage:
|
|
enabled: true
|
|
size: 10Gi
|
|
storageClass: cephrbd-fast-delete
|
|
accessMode: ReadWriteOnce
|
|
|
|
extraEnv:
|
|
- name: VAULT_K8S_NAMESPACE
|
|
value: vault
|
|
- name: VAULT_K8S_POD_NAME
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.name
|
|
|
|
statefulSet:
|
|
securityContext:
|
|
container:
|
|
capabilities:
|
|
add:
|
|
- IPC_LOCK
|
|
|
|
resources:
|
|
requests:
|
|
memory: 256Mi
|
|
cpu: 100m
|
|
limits:
|
|
memory: 2Gi
|
|
cpu: 1000m
|
|
|
|
injector:
|
|
enabled: false
|
|
|
|
ui:
|
|
enabled: true
|
|
serviceType: ClusterIP
|
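Review bot: The `VAULT_K8S_NAMESPACE` entry in `extraEnv` is a hard-coded `value: vault`, while the commit description says both env vars come from the downward API; only `VAULT_K8S_POD_NAME` actually uses `valueFrom.fieldRef`. If the release is ever installed into another namespace, the Kubernetes service registration would patch labels against the wrong namespace and fail, so giving it the same `valueFrom.fieldRef` shape as the pod-name entry with `fieldPath: metadata.namespace` keeps it correct by construction. The `retry_join` addresses also pin `.vault.svc.cluster.local`, so the namespace appears to be deliberately fixed here; if so, the description should say the namespace is hard-coded rather than sourced from the downward API. The old/new side of each line is not recoverable from this rendering, so the above is read from the resulting file.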