d2be521878
## Summary - Deploys HashiCorp Vault 2.0.1 using Helm chart 0.32.0 in HA raft mode (5 replicas) - Configuration modelled on production vault: \`disable_mlock=true\`, headless-DNS retry_join for all 5 pods - IPC_LOCK capability added via \`server.statefulSet.securityContext.container\` - 10Gi cephrbd-fast-delete PVC per pod via \`dataStorage\` - Gateway API: HTTPS gateway + HTTPRoute (443→vault service port 8200) at \`vault.k8s.syd1.au.unkin.net\` - ArgoCD platform ApplicationSet updated to include vault overlay path - Injector disabled (no agent sidecar injection needed) ## Requires - PR #147 (artifactapi: add hashicorp/vault to docker immutable patterns) to be merged first ## Test plan - [ ] Sandbox tested in \`sandbox-vault\`: all 5 pods Running, raft cluster forming - [ ] After merge: ArgoCD syncs vault namespace - [ ] Operator runs \`vault operator init\` to initialize, then unseals all 5 nodes - [ ] Verify \`vault.k8s.syd1.au.unkin.net\` is accessible via Gateway Reviewed-on: #148
server:
|
|
image:
|
|
repository: hashicorp/vault
|
|
tag: "2.0.1"
|
|
|
|
ha:
|
|
enabled: true
|
|
replicas: 5
|
|
|
|
raft:
|
|
enabled: true
|
|
setNodeId: true
|
|
config: |
|
|
ui = true
|
|
disable_mlock = true
|
|
|
|
listener "tcp" {
|
|
address = "[::]:8200"
|
|
cluster_address = "[::]:8201"
|
|
tls_disable = "true"
|
|
}
|
|
|
|
storage "raft" {
|
|
path = "/vault/data"
|
|
|
|
retry_join {
|
|
leader_api_addr = "http://vault-0.vault-internal.vault.svc.cluster.local:8200"
|
|
}
|
|
retry_join {
|
|
leader_api_addr = "http://vault-1.vault-internal.vault.svc.cluster.local:8200"
|
|
}
|
|
retry_join {
|
|
leader_api_addr = "http://vault-2.vault-internal.vault.svc.cluster.local:8200"
|
|
}
|
|
retry_join {
|
|
leader_api_addr = "http://vault-3.vault-internal.vault.svc.cluster.local:8200"
|
|
}
|
|
retry_join {
|
|
leader_api_addr = "http://vault-4.vault-internal.vault.svc.cluster.local:8200"
|
|
}
|
|
}
|
|
|
|
service_registration "consul" {
|
|
address = "consul-server.consul.svc.cluster.local:8500"
|
|
}
|
|
|
|
dataStorage:
|
|
enabled: true
|
|
size: 10Gi
|
|
storageClass: cephrbd-fast-delete
|
|
accessMode: ReadWriteOnce
|
|
|
|
statefulSet:
|
|
securityContext:
|
|
container:
|
|
capabilities:
|
|
add:
|
|
- IPC_LOCK
|
|
|
|
resources:
|
|
requests:
|
|
memory: 256Mi
|
|
cpu: 100m
|
|
limits:
|
|
memory: 2Gi
|
|
cpu: 1000m
|
|
|
|
injector:
|
|
enabled: false
|
|
|
|
ui:
|
|
enabled: true
|
|
serviceType: ClusterIP
|
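Review bot: `tls_disable = "true"` on the tcp listener means every Vault API call inside the cluster, including the raft `retry_join` dials to the `http://vault-N.vault-internal...:8200` addresses, travels in cleartext, so the root token and unseal key shares exchanged during the `vault operator init`/unseal step in the test plan are only protected on the Gateway hop, not pod-to-pod; either the listener should serve TLS (`tls_cert_file`/`tls_key_file`, with `retry_join` switched to `https://` plus `leader_ca_cert_file`) or the description should state that cleartext in-cluster traffic is an accepted trade-off. Separately, `disable_mlock = true` makes the added `IPC_LOCK` capability redundant, since Vault only attempts mlock when that setting is false and the integrated-storage guidance is to disable it, so the `capabilities.add: [IPC_LOCK]` stanza under `statefulSet.securityContext.container` can be dropped for least privilege. The `service_registration "consul"` block reaches a Consul server in another namespace over plain `:8500` with no token configured and is not mentioned in the description; if that Consul has ACLs enabled, registration will fail at startup, so it is worth confirming or removing. Consider also setting `server.auditStorage.enabled: true` so an audit device can be enabled right after init; the chart leaves audit storage disabled by default.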