d2be521878
## Summary - Deploys HashiCorp Vault 2.0.1 using Helm chart 0.32.0 in HA raft mode (5 replicas) - Configuration modelled on production vault: `disable_mlock=true`, headless-DNS retry_join for all 5 pods - IPC_LOCK capability added via `server.statefulSet.securityContext.container` - 10Gi cephrbd-fast-delete PVC per pod via `dataStorage` - Gateway API: HTTPS gateway + HTTPRoute (443→vault service port 8200) at `vault.k8s.syd1.au.unkin.net` - ArgoCD platform ApplicationSet updated to include vault overlay path - Injector disabled (no agent sidecar injection needed) ## Requires - PR #147 (artifactapi: add hashicorp/vault to docker immutable patterns) to be merged first ## Test plan - [ ] Sandbox tested in `sandbox-vault`: all 5 pods Running, raft cluster forming - [ ] After merge: ArgoCD syncs vault namespace - [ ] Operator runs `vault operator init` to initialize, then unseals all 5 nodes - [ ] Verify `vault.k8s.syd1.au.unkin.net` is accessible via Gateway Reviewed-on: #148
image:
|
|
tag: v3.7.0
|
|
|
|
|
|
podDisruptionBudget:
|
|
enabled: true
|
|
maxUnavailable: 1
|
|
|
|
gateway:
|
|
enabled: false
|
|
|
|
gatewayClass:
|
|
enabled: false
|
|
|
|
updateStrategy:
|
|
type: RollingUpdate
|
|
rollingUpdate:
|
|
maxUnavailable: 1
|
|
|
|
providers:
|
|
kubernetesCRD:
|
|
enabled: false
|
|
kubernetesIngress:
|
|
enabled: false
|
|
kubernetesGateway:
|
|
enabled: true
|
|
experimentalChannel: false
|
|
namespaces: []
|
|
nativeLBByDefault: false
|
|
labelSelector: "traefik.io/instance=internal"
|
|
|
|
logs:
|
|
access:
|
|
enabled: true
|
|
|
|
global:
|
|
checkNewVersion: true
|
|
sendAnonymousUsage: false
|
|
notAppendXForwardedFor: false
|
|
|
|
service:
|
|
enabled: true
|
|
single: true
|
|
annotations:
|
|
purelb.io/service-group: "common"
|
|
purelb.io/addresses: 198.18.200.4
|
|
annotationsTCP: {}
|
|
annotationsUDP: {}
|
|
labels: {}
|
|
spec:
|
|
type: LoadBalancer
|
|
loadBalancerIP: "198.18.200.4"
|
|
additionalServices: {}
|
|
|
|
autoscaling:
|
|
enabled: true
|
|
minReplicas: 2
|
|
maxReplicas: 5
|
|
metrics: []
|
|
behavior: {}
|
|
scaleTargetRef:
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
name: "{{ template \"traefik.fullname\" . }}"
|
|
|
|
persistence:
|
|
enabled: false
|
|
|
|
affinity:
|
|
podAntiAffinity:
|
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|
- labelSelector:
|
|
matchLabels:
|
|
app.kubernetes.io/name: '{{ template "traefik.name" . }}'
|
|
app.kubernetes.io/instance: '{{ .Release.Name }}-{{ include "traefik.namespace" . }}'
|
|
topologyKey: kubernetes.io/hostname
|
|
|
|
podSecurityContext:
|
|
runAsGroup: 65532
|
|
runAsNonRoot: true
|
|
runAsUser: 65532
|
|
seccompProfile:
|
|
type: RuntimeDefault
|
|
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
drop: [ALL]
|
|
add: [NET_BIND_SERVICE]
|
|
readOnlyRootFilesystem: true
|
|
|
|
ports:
|
|
web:
|
|
port: 80
|
|
websecure:
|
|
port: 443
|
|
vault-direct:
|
|
port: 8200
|
|
|
|
enabled: true
|
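Review bot: The `vault-direct` entrypoint on port 8200 is not explained by the description, which routes Vault through the HTTPS gateway on 443, so a reader cannot tell whether 8200 on this Traefik LoadBalancer is meant to be reachable and whether it terminates TLS; indentation is lost in this rendering, so I am inferring that `vault-direct` sits under `ports` next to `web` and `websecure`. If the entrypoint is exposed on the service at 198.18.200.4, it needs TLS (or the chart's per-port `expose` setting turned off), because Vault tokens travel in request headers and a plaintext path beside the HTTPS gateway would bypass it. A comment above the stanza such as `# vault-direct: <purpose>; TLS terminated at <Traefik|Vault> — TODO confirm` would record the intent. Separately, `purelb.io/addresses: 198.18.200.4` is unquoted while `loadBalancerIP: "198.18.200.4"` is quoted; quoting both keeps the address consistently a string.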