argocd-apps/apps/overlays/au-syd1/vault/values.yaml
unkinben 0d146dc942
feat(vault): add port 8200 listener, consul SANs, consul service_registration
- Add SAN altnames vault.service.consul and vault.query.consul to cert
- Add vault-direct HTTPS listener on port 8200 (TLS terminate, same cert)
- Add vault-consul HTTPRoute binding consul DNS names to port 8200 listener
- Add vault-direct port 8200 entrypoint to traefik-internal
- Switch service_registration from kubernetes to consul
  (consul-server.consul.svc.cluster.local:8500)
2026-05-23 22:08:41 +10:00


---
# Helm values for the Vault server in this overlay (chart keys: server,
# injector, ui). Indented per yamllint defaults; values unchanged.
server:
  image:
    repository: hashicorp/vault
    tag: '2.0.1'  # pinned; bump deliberately rather than tracking a moving tag

  # Five-node HA cluster on integrated (raft) storage.
  ha:
    enabled: true
    replicas: 5
    raft:
      enabled: true
      setNodeId: true
      # Rendered verbatim into Vault's HCL config. Points worth keeping in view:
      # - tls_disable = "true": Vault itself answers plain HTTP on 8200. The
      #   commit message says TLS is terminated upstream (Traefik), so the
      #   proxy -> pod hop is plaintext — assumes it stays in-cluster; confirm
      #   a network policy keeps 8200 unreachable from anywhere else.
      # - retry_join lists every peer by its headless-service name over http,
      #   consistent with tls_disable; the entry count must track `replicas`.
      # - service_registration "consul" targets Consul's HTTP API (8500) with
      #   no scheme or token set here. If Consul ACLs are enforced, supply the
      #   token out of band (NOTE(review): Vault also reads CONSUL_HTTP_TOKEN
      #   from the environment — confirm for this version), never in values.
      config: |
        ui = true
        disable_mlock = true
        listener "tcp" {
          address = "[::]:8200"
          cluster_address = "[::]:8201"
          tls_disable = "true"
        }
        storage "raft" {
          path = "/vault/data"
          retry_join {
            leader_api_addr = "http://vault-0.vault-internal.vault.svc.cluster.local:8200"
          }
          retry_join {
            leader_api_addr = "http://vault-1.vault-internal.vault.svc.cluster.local:8200"
          }
          retry_join {
            leader_api_addr = "http://vault-2.vault-internal.vault.svc.cluster.local:8200"
          }
          retry_join {
            leader_api_addr = "http://vault-3.vault-internal.vault.svc.cluster.local:8200"
          }
          retry_join {
            leader_api_addr = "http://vault-4.vault-internal.vault.svc.cluster.local:8200"
          }
        }
        service_registration "consul" {
          address = "consul-server.consul.svc.cluster.local:8500"
        }

  # Raft data lives on a per-pod PVC. The class name suggests a Delete reclaim
  # policy (inferred from the name only) — a removed PVC takes the raft log
  # with it, so keep raft snapshots somewhere independent of this volume.
  dataStorage:
    enabled: true
    size: 10Gi
    storageClass: cephrbd-fast-delete
    accessMode: ReadWriteOnce

  statefulSet:
    securityContext:
      container:
        capabilities:
          add:
            # CAP_IPC_LOCK backs mlock(); with disable_mlock = true in the
            # config above Vault does not call it. TODO confirm the chart
            # still needs the cap, otherwise drop it for least privilege.
            - IPC_LOCK

  resources:
    requests:
      memory: 256Mi
      cpu: 100m
    limits:
      memory: 2Gi
      cpu: 1000m

# The agent injector is not deployed by this overlay.
injector:
  enabled: false

# The UI is served by the same plain-HTTP 8200 listener; ClusterIP keeps it
# off the node network, reachable only via in-cluster routing (the routes
# the commit message describes).
ui:
  enabled: true
  serviceType: ClusterIP