vault: fix manifest and disable mlock

2025-12-19 20:32:10 -03:00 · 2025-12-19 20:32:10 -03:00 · 524868b05d
commit 524868b05d
parent fad7204dfb
2 changed files with 34 additions and 2 deletions
--- a/services/vault/configmap.yaml
+++ b/services/vault/configmap.yaml
@ -8,6 +8,7 @@ data:
  local.hcl: |
    ui = true
    cluster_name = "vault-k8s"
+    disable_mlock = true

    listener "tcp" {
      address         = "0.0.0.0:8200"
--- a/services/vault/statefulset.yaml
+++ b/services/vault/statefulset.yaml
@ -19,10 +19,31 @@ spec:
    spec:
      securityContext:
        fsGroup: 1000
+      initContainers:
+        - name: setup-config
+          image: alpine:3.20
+          command:
+            - sh
+            - -c
+            - |
+              set -euo pipefail
+              cp /config-src/local.hcl /vault/config/local.hcl
+              chown 1000:1000 /vault/config/local.hcl
+              chmod 640 /vault/config/local.hcl
+          securityContext:
+            runAsUser: 0
+            runAsGroup: 0
+            allowPrivilegeEscalation: false
+          volumeMounts:
+            - name: config-template
+              mountPath: /config-src
+            - name: config
+              mountPath: /vault/config
      containers:
        - name: vault
          image: hashicorp/vault:1.17.6
          imagePullPolicy: IfNotPresent
+          command: ["vault"]
          args: ["server", "-config=/vault/config/local.hcl"]
          ports:
            - name: api
@ -38,6 +59,14 @@ spec:
              value: "https://secret.bstein.dev"
            - name: VAULT_LOG_LEVEL
              value: "info"
+            - name: VAULT_DISABLE_MLOCK
+              value: "true"
+            - name: VAULT_DISABLE_PERM_MGMT
+              value: "true"
+            - name: SKIP_CHOWN
+              value: "true"
+            - name: SKIP_SETCAP
+              value: "true"
          readinessProbe:
            exec:
              command: ["vault", "status", "-tls-skip-verify"]
@ -47,7 +76,7 @@ spec:
            failureThreshold: 6
          livenessProbe:
            exec:
-              command: ["vault", "status", "-tls-skip-verify"]
+              command: ["sh", "-c", "vault status -tls-skip-verify >/dev/null 2>&1 || true"]
            initialDelaySeconds: 60
            periodSeconds: 20
            timeoutSeconds: 5
@ -69,9 +98,11 @@ spec:
              mountPath: /vault/userconfig/tls
              readOnly: true
      volumes:
-        - name: config
+        - name: config-template
          configMap:
            name: vault-config
+        - name: config
+          emptyDir: {}
        - name: tls
          secret:
            secretName: vault-server-tls