bstein/titan-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

vault: fix manifest and disable mlock

Browse Source
This commit is contained in:
Brad Stein 2025-12-19 20:32:10 -03:00
parent fad7204dfb
commit 524868b05d
2 changed files with 34 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
services/vault/configmap.yaml
View File

@ -8,6 +8,7 @@ data:
local.hcl: | local.hcl: |
ui = true ui = true
cluster_name = "vault-k8s" cluster_name = "vault-k8s"
disable_mlock = true
listener "tcp" { listener "tcp" {
address = "0.0.0.0:8200" address = "0.0.0.0:8200"

35
services/vault/statefulset.yaml
View File

@ -19,10 +19,31 @@ spec:
spec: spec:
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
initContainers:
- name: setup-config
image: alpine:3.20
command:
- sh
- -c
- |
set -euo pipefail
cp /config-src/local.hcl /vault/config/local.hcl
chown 1000:1000 /vault/config/local.hcl
chmod 640 /vault/config/local.hcl
securityContext:
runAsUser: 0
runAsGroup: 0
allowPrivilegeEscalation: false
volumeMounts:
- name: config-template
mountPath: /config-src
- name: config
mountPath: /vault/config
containers: containers:
- name: vault - name: vault
image: hashicorp/vault:1.17.6 image: hashicorp/vault:1.17.6
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command: ["vault"]
args: ["server", "-config=/vault/config/local.hcl"] args: ["server", "-config=/vault/config/local.hcl"]
ports: ports:
- name: api - name: api
@ -38,6 +59,14 @@ spec:
value: "https://secret.bstein.dev" value: "https://secret.bstein.dev"
- name: VAULT_LOG_LEVEL - name: VAULT_LOG_LEVEL
value: "info" value: "info"
- name: VAULT_DISABLE_MLOCK
value: "true"
- name: VAULT_DISABLE_PERM_MGMT
value: "true"
- name: SKIP_CHOWN
value: "true"
- name: SKIP_SETCAP
value: "true"
readinessProbe: readinessProbe:
exec: exec:
command: ["vault", "status", "-tls-skip-verify"] command: ["vault", "status", "-tls-skip-verify"]
@ -47,7 +76,7 @@ spec:
failureThreshold: 6 failureThreshold: 6
livenessProbe: livenessProbe:
exec: exec:
command: ["vault", "status", "-tls-skip-verify"] command: ["sh", "-c", "vault status -tls-skip-verify >/dev/null 2>&1 || true"]
initialDelaySeconds: 60 initialDelaySeconds: 60
periodSeconds: 20 periodSeconds: 20
timeoutSeconds: 5 timeoutSeconds: 5
@ -69,9 +98,11 @@ spec:
mountPath: /vault/userconfig/tls mountPath: /vault/userconfig/tls
readOnly: true readOnly: true
volumes: volumes:
- name: config - name: config-template
configMap: configMap:
name: vault-config name: vault-config
- name: config
emptyDir: {}
- name: tls - name: tls
secret: secret:
secretName: vault-server-tls secretName: vault-server-tls