diff --git a/services/vault/configmap.yaml b/services/vault/configmap.yaml
index 6f36043..6fc1d6b 100644
--- a/services/vault/configmap.yaml
+++ b/services/vault/configmap.yaml
@@ -8,6 +8,7 @@ data:
 local.hcl: |
 ui = true
 cluster_name = "vault-k8s"
+ disable_mlock = true
 listener "tcp" {
 address = "0.0.0.0:8200"
diff --git a/services/vault/statefulset.yaml b/services/vault/statefulset.yaml
index fbbc028..94dd383 100644
--- a/services/vault/statefulset.yaml
+++ b/services/vault/statefulset.yaml
@@ -19,10 +19,31 @@ spec:
 spec:
 securityContext:
 fsGroup: 1000
+ initContainers:
+ - name: setup-config
+ image: alpine:3.20
+ command:
+ - sh
+ - -c
+ - |
+ set -euo pipefail
+ cp /config-src/local.hcl /vault/config/local.hcl
+ chown 1000:1000 /vault/config/local.hcl
+ chmod 640 /vault/config/local.hcl
+ securityContext:
+ runAsUser: 0
+ runAsGroup: 0
+ allowPrivilegeEscalation: false
+ volumeMounts:
+ - name: config-template
+ mountPath: /config-src
+ - name: config
+ mountPath: /vault/config
 containers:
 - name: vault
 image: hashicorp/vault:1.17.6
 imagePullPolicy: IfNotPresent
+ command: ["vault"]
 args: ["server", "-config=/vault/config/local.hcl"]
 ports:
 - name: api
@@ -38,6 +59,14 @@ spec:
 value: "https://secret.bstein.dev"
 - name: VAULT_LOG_LEVEL
 value: "info"
+ - name: VAULT_DISABLE_MLOCK
+ value: "true"
+ - name: VAULT_DISABLE_PERM_MGMT
+ value: "true"
+ - name: SKIP_CHOWN
+ value: "true"
+ - name: SKIP_SETCAP
+ value: "true"
 readinessProbe:
 exec:
 command: ["vault", "status", "-tls-skip-verify"]
@@ -47,7 +76,7 @@ spec:
 failureThreshold: 6
 livenessProbe:
 exec:
- command: ["vault", "status", "-tls-skip-verify"]
+ command: ["sh", "-c", "vault status -tls-skip-verify >/dev/null 2>&1 || true"]
 initialDelaySeconds: 60
 periodSeconds: 20
 timeoutSeconds: 5
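Review bot: `disable_mlock = true` switches off the memory locking that keeps Vault's unsealed key material from being paged to disk, and the hunk records neither the reason nor the compensating control. The setting is presumably needed because the pod does not grant CAP_IPC_LOCK (the same commit sets SKIP_SETCAP), but it is only safe on nodes that run with swap disabled, and nothing here says so. I would put that assumption next to the line in the HCL: `# mlock is off because the pod has no CAP_IPC_LOCK; nodes must run without swap so unsealed key material cannot be paged to disk`. The same setting is also repeated as the VAULT_DISABLE_MLOCK env var later in this commit; keep one source of truth so the two cannot drift apart.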
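Review bot: The setup-config init container runs as root (`runAsUser: 0`, `runAsGroup: 0`) only so that it can `chown` a file it copied a moment earlier, which is more privilege than the task needs. The pod already sets `fsGroup: 1000`, so the `config` emptyDir should be group-writable by gid 1000; a container running as 1000:1000 can copy the file and `chmod 640` it without any chown, and the resulting file is still group-readable by gid 1000, which is all the existing `chmod 640` relies on. The container also drops no capabilities and `alpine:3.20` is a floating tag; dropping all capabilities and pinning the image by digest would close the remaining gaps. The initContainers block starts and ends inside this hunk, so the rewrite below replaces that container whole.

```yaml
      - name: setup-config
        image: alpine:3.20  # TODO: pin by digest so the init step is reproducible
        command:
          - sh
          - -c
          - |
            set -euo pipefail
            cp /config-src/local.hcl /vault/config/local.hcl
            chmod 640 /vault/config/local.hcl
        securityContext:
          # fsGroup: 1000 on the pod makes the emptyDir writable by gid 1000,
          # so no root and no chown are needed to stage the config file.
          runAsNonRoot: true
          runAsUser: 1000
          runAsGroup: 1000
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
        # … unchanged: volumeMounts for config-template and config …
```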
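Review bot: `SKIP_CHOWN` and `SKIP_SETCAP` are, as far as I can tell, read only by the hashicorp/vault image's `docker-entrypoint.sh`, and this same commit replaces that entrypoint with `command: ["vault"]`, so the two variables appear to have no effect at all. `VAULT_DISABLE_MLOCK` duplicates the `disable_mlock = true` added to local.hcl in the configmap hunk, and I could not match `VAULT_DISABLE_PERM_MGMT` to a documented Vault setting; if it was meant for the entrypoint it is dead for the same reason. Either remove the entries that nothing consumes or, if they are kept for a future entrypoint, mark them with `# read by docker-entrypoint.sh only; inert while command: ["vault"] bypasses it` so nobody relies on them for hardening.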
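Review bot: Appending `|| true` to the liveness command makes the probe exit 0 unconditionally, so the kubelet can never detect a hung Vault process and will never restart the container; this is the same as deleting the probe, not the same as tolerating a sealed state. The intent is presumably that a sealed Vault (where `vault status` exits non-zero) should not be killed, and readiness already keeps a sealed pod out of the Service. Liveness should instead fail only when the API stops answering: an httpGet against `/v1/sys/health` with `sealedcode` and `uninitcode` mapped to 204 does that, and `port: api` is already named in this StatefulSet. The kubelet does not verify the server certificate on HTTPS probes, so the `-tls-skip-verify` behaviour is preserved.

```yaml
          livenessProbe:
            # Fails only when the API does not answer; sealed/uninitialised
            # return 204 so a sealed node is not restarted in a loop.
            httpGet:
              path: /v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204
              port: api
              scheme: HTTPS
            # … unchanged: initialDelaySeconds, periodSeconds, timeoutSeconds …
```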
@@ -69,9 +98,11 @@ spec:
 mountPath: /vault/userconfig/tls
 readOnly: true
 volumes:
- - name: config
+ - name: config-template
 configMap:
 name: vault-config
+ - name: config
+ emptyDir: {}
 - name: tls
 secret:
 secretName: vault-server-tls
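Review bot: Moving the rendered config from a ConfigMap mount to a writable `emptyDir` means the running Vault process, or anyone who can exec into the pod, can now rewrite `local.hcl`, which the read-only ConfigMap mount did not allow; the edit only takes effect on the next restart, but it is a persistence path for an attacker with code execution in the pod. The vault container's mount of the `config` volume is outside this hunk; it should carry `readOnly: true`, since only the init container needs write access to stage the file. A `sizeLimit` on the emptyDir (for example `emptyDir: {sizeLimit: 1Mi}`) would also stop a misbehaving process from filling node disk through this volume.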