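# services/vault/statefulset.yaml
#
# Single-node Vault server. Listener, storage and seal configuration live in
# the `vault-config` ConfigMap (local.hcl), which this manifest only copies
# into place; nothing in this file confirms which storage backend is in use.
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: vault
  namespace: vault
  labels:
    app: vault
spec:
  serviceName: vault-internal
  # Exactly one replica: VAULT_CLUSTER_ADDR is pinned to vault-0 and the data
  # PVC is ReadWriteOnce, so this is a single point of failure by design.
  # Do not raise replicas without reworking both.
  replicas: 1
  selector:
    matchLabels:
      app: vault
  template:
    metadata:
      labels:
        app: vault
    spec:
      securityContext:
        # Every container in the pod runs as uid/gid 1000; enforce it at the
        # pod level so a later edit cannot quietly reintroduce root.
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        # Makes the emptyDir, the PVC and the secret/configMap mounts
        # group-owned by 1000, which is what lets the init container write
        # /vault/config without running as root.
        fsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      # NOTE(review): the pod still auto-mounts its ServiceAccount token. Vault
      # needs it only if the Kubernetes auth method performs TokenReview with
      # the server's own token; if that is not the case, add
      # `automountServiceAccountToken: false` here.
      initContainers:
        # Copies local.hcl from the ConfigMap into a writable emptyDir so the
        # server reads a plain file with tightened permissions. It runs as the
        # same non-root uid as the server, so no chown - and therefore no root
        # and no capabilities - is required.
        - name: setup-config
          # Reuses the already pinned server image (it provides sh, which the
          # probes below rely on, plus busybox cp/chmod) instead of pulling a
          # second, unpinned `alpine` tag into the supply chain.
          image: hashicorp/vault:1.17.6
          imagePullPolicy: IfNotPresent
          command:
            - sh
            - -c
            - |
              set -euo pipefail
              cp /config-src/local.hcl /vault/config/local.hcl
              chmod 0640 /vault/config/local.hcl
          securityContext:
            runAsNonRoot: true
            runAsUser: 1000
            runAsGroup: 1000
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: config-template
              mountPath: /config-src
              readOnly: true
            - name: config
              mountPath: /vault/config
      containers:
        - name: vault
          # TODO(review): pin by digest (`hashicorp/vault:1.17.6@sha256:...`)
          # so a re-pushed tag cannot change what runs here, and track Vault
          # security releases for this version.
          image: hashicorp/vault:1.17.6
          imagePullPolicy: IfNotPresent
          # `command` replaces the image ENTRYPOINT (docker-entrypoint.sh), so
          # the entrypoint's chown/setcap/su-exec steps never run; the binary
          # starts directly as uid 1000 with only the capabilities granted below.
          command: ["vault"]
          args: ["server", "-config=/vault/config/local.hcl"]
          # TODO(review): add resources.requests/limits. An unbounded pod can be
          # evicted or starve neighbours; for the secrets server that is an
          # availability (and re-unseal) incident.
          ports:
            - name: api
              containerPort: 8200
            - name: cluster
              containerPort: 8201
          env:
            # Public address advertised to clients; the TLS certificate in
            # vault-server-tls is expected to be valid for this name.
            - name: VAULT_API_ADDR
              value: "https://secret.bstein.dev"
            # Cluster (request-forwarding) address, hard-wired to pod ordinal 0;
            # this is one of the two reasons replicas must stay at 1.
            - name: VAULT_CLUSTER_ADDR
              value: "https://vault-0.vault-internal:8201"
            # Legacy alias of VAULT_API_ADDR, kept for tooling that still reads
            # it; the two values must stay identical.
            - name: VAULT_REDIRECT_ADDR
              value: "https://secret.bstein.dev"
            - name: VAULT_LOG_LEVEL
              value: "info"
            # With mlock disabled, unsealed key material can be paged to disk:
            # nodes that schedule this pod must run with swap off. The
            # authoritative switch is `disable_mlock` in local.hcl; confirm the
            # two agree rather than relying on this variable alone.
            - name: VAULT_DISABLE_MLOCK
              value: "true"
            - name: VAULT_DISABLE_PERM_MGMT
              value: "true"
            # SKIP_CHOWN / SKIP_SETCAP are read only by docker-entrypoint.sh,
            # which `command: ["vault"]` bypasses; they are inert here and are
            # kept so behaviour is unchanged if the command override is removed.
            - name: SKIP_CHOWN
              value: "true"
            - name: SKIP_SETCAP
              value: "true"
          readinessProbe:
            exec:
              # `vault status` exits 0 only when unsealed, so a sealed node is
              # taken out of the Service until it is unsealed - intended.
              # -tls-skip-verify is tolerable because this is a loopback call
              # inside the pod (127.0.0.1), not a network hop.
              command: ["vault", "status", "-tls-skip-verify"]
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 6
          # Liveness must be able to fail or a hung server is never restarted;
          # an exec probe that ends in `|| true` never can. The health endpoint
          # is used instead, with sealed/uninitialized mapped to 204 so a sealed
          # node counts as alive (no restart loop waiting for unseal) while an
          # unresponsive listener does not. The kubelet's HTTPS probe does not
          # verify the certificate, so no skip-verify flag is needed.
          livenessProbe:
            httpGet:
              path: /v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204
              port: api
              scheme: HTTPS
            initialDelaySeconds: 60
            periodSeconds: 20
            timeoutSeconds: 5
            failureThreshold: 6
          securityContext:
            runAsNonRoot: true
            runAsUser: 1000
            runAsGroup: 1000
            allowPrivilegeEscalation: false
            # TODO(review): readOnlyRootFilesystem: true - the server should
            # only write under /vault/data; validate once and enable.
            capabilities:
              drop: ["ALL"]
              # Only meaningful while mlock is enabled. With VAULT_DISABLE_MLOCK
              # set above this grant is inert: either drop it (and keep swap
              # off on the nodes) or keep mlock and remove the variable - not
              # both.
              add: ["IPC_LOCK"]
          volumeMounts:
            # The server only reads its config; the init container is the sole
            # writer of this volume.
            - name: config
              mountPath: /vault/config
              readOnly: true
            - name: data
              mountPath: /vault/data
            - name: tls
              mountPath: /vault/userconfig/tls
              readOnly: true
      volumes:
        - name: config-template
          configMap:
            name: vault-config
        # Scratch copy of the config written by the init container; recreated
        # on every pod start, so it cannot go stale relative to the ConfigMap.
        - name: config
          emptyDir: {}
        - name: tls
          secret:
            secretName: vault-server-tls
            # Fail fast if the cert/key is missing rather than start without TLS.
            optional: false
            # Private key readable by the pod's group (fsGroup 1000) only, not
            # world-readable inside the container.
            defaultMode: 0440
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 10Gi
        storageClassName: astreae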