argocd-apps/apps/base/vault/statefulset.yaml
unkinben eef4c2cd49 feat(vault): deploy HashiCorp Vault 2.0.1 with raft HA (5 replicas)
StatefulSet with templated PVC (cephrbd-fast-delete, 10Gi), headless
service for raft cluster communication, HTTPS gateway (443→8200), and
kubernetes provider retry_join for automatic cluster formation.
2026-05-23 18:22:25 +10:00


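---
# HashiCorp Vault 2.0.1 with integrated (raft) storage, 5-replica HA.
# Listener, storage and retry_join settings live in the vault-config
# ConfigMap mounted at /vault/config; this manifest only shapes the pods.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: vault
  namespace: vault
  labels:
    app.kubernetes.io/name: vault
    app.kubernetes.io/instance: vault
    # Quoted: label values must be strings and version-like scalars are
    # easy to retype.
    app.kubernetes.io/version: "2.0.1"
spec:
  # Headless service giving each replica a stable DNS name for raft traffic.
  serviceName: vault-internal
  # Five voters keep quorum (3) through the loss of any two replicas.
  replicas: 5
  selector:
    matchLabels:
      app.kubernetes.io/name: vault
      app.kubernetes.io/instance: vault
  template:
    metadata:
      labels:
        app.kubernetes.io/name: vault
        app.kubernetes.io/instance: vault
        app.kubernetes.io/version: "2.0.1"
    spec:
      serviceAccountName: vault
      terminationGracePeriodSeconds: 10
      # Run the pod as the image's unprivileged `vault` user. `command:` below
      # replaces the image's docker-entrypoint.sh, which is what normally
      # drops privileges, so without an explicit securityContext the server
      # would run as whatever user the image defaults to. uid/gid follow the
      # official Helm chart (100/1000) -- confirm against this image tag.
      securityContext:
        runAsNonRoot: true
        runAsUser: 100
        runAsGroup: 1000
        fsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      affinity:
        # Preferred rather than required so clusters with fewer than five
        # nodes still schedule. Be aware that raft voters landing on one
        # node means a single node loss can cost quorum; switch to
        # requiredDuringSchedulingIgnoredDuringExecution once node count
        # allows.
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                topologyKey: kubernetes.io/hostname
                labelSelector:
                  matchLabels:
                    app.kubernetes.io/name: vault
      containers:
        - name: vault
          image: hashicorp/vault:2.0.1
          command:
            - vault
            - server
            - -config=/vault/config
          securityContext:
            allowPrivilegeEscalation: false
            # No IPC_LOCK, so mlock is unavailable: this requires
            # disable_mlock = true in vault-config (HashiCorp's recommendation
            # for raft storage, and consistent with SKIP_SETCAP below).
            capabilities:
              drop: ["ALL"]
          ports:
            - name: api
              containerPort: 8200
              protocol: TCP
            - name: cluster
              containerPort: 8201
              protocol: TCP
          env:
            - name: POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            # Plain HTTP on the API listener: TLS terminates at the gateway
            # (443 -> 8200), so tokens and secrets cross the pod network in
            # clear between the gateway and these pods. Acceptable only if
            # that hop is trusted or mesh-encrypted; otherwise enable TLS on
            # the listener and switch these URLs (and the probes) to https.
            - name: VAULT_ADDR
              value: "http://127.0.0.1:8200"
            - name: VAULT_API_ADDR
              value: "http://$(POD_IP):8200"
            # The cluster port (8201) always speaks TLS using Vault's own
            # internally generated certificates, independent of the API
            # listener, so it is advertised as https (as the official Helm
            # chart does). Pod IPs change on restart; peers re-learn the
            # address on rejoin, but a stable name such as
            # $(HOSTNAME).vault-internal would be the more robust choice.
            - name: VAULT_CLUSTER_ADDR
              value: "https://$(POD_IP):8201"
            - name: VAULT_RAFT_NODE_ID
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            # Read by the image's docker-entrypoint.sh. With `command:` set
            # above the entrypoint does not run, so this is believed to be
            # inert; kept so the intent (no setcap / no mlock) survives if the
            # entrypoint is used.
            - name: SKIP_SETCAP
              value: "true"
          # Sealed and uninitialised pods are reported Ready so the cluster can
          # be initialised/unsealed through the service and so OrderedReady
          # rollouts do not stall on a sealed replica. The trade-off: the
          # gateway may route requests to a sealed node, which answers 503.
          readinessProbe:
            httpGet:
              path: /v1/sys/health?standbyok=true&sealedok=true&uninitok=true
              port: 8200
              scheme: HTTP
            initialDelaySeconds: 5
            periodSeconds: 10
            failureThreshold: 3
          # Liveness deliberately tolerates sealed/uninitialised: restarting a
          # sealed pod would not help and would only churn raft membership.
          livenessProbe:
            httpGet:
              path: /v1/sys/health?standbyok=true&sealedok=true&uninitok=true
              port: 8200
              scheme: HTTP
            initialDelaySeconds: 60
            periodSeconds: 30
            failureThreshold: 3
          resources:
            requests:
              cpu: 100m
              memory: 256Mi
            limits:
              cpu: 1000m
              memory: 2Gi
          volumeMounts:
            # Raft log and snapshots; one PVC per replica (see template below).
            - name: data
              mountPath: /vault/data
            - name: config
              mountPath: /vault/config
      volumes:
        - name: config
          configMap:
            name: vault-config
  volumeClaimTemplates:
    - metadata:
        name: data
        labels:
          app.kubernetes.io/name: vault
          app.kubernetes.io/instance: vault
      spec:
        accessModes: ["ReadWriteOnce"]
        # "-delete" reclaim policy: deleting the PVC destroys the raft data
        # for that replica; rely on the remaining voters plus snapshots.
        storageClassName: cephrbd-fast-delete
        resources:
          requests:
            storage: 10Gi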