From 7533cec0eefc1532f042847ae1740230dc73627f Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Fri, 19 Dec 2025 19:30:09 -0300
Subject: [PATCH] vault: drop helm, add raw statefulset
---
services/vault/configmap.yaml | 24 +++++++++
services/vault/helmrelease.yaml | 68 ------------------------
services/vault/ingress.yaml | 4 +-
services/vault/kustomization.yaml | 6 ++-
services/vault/service.yaml | 37 +++++++++++++
services/vault/statefulset.yaml | 87 +++++++++++++++++++++++++++++++
6 files changed, 154 insertions(+), 72 deletions(-)
create mode 100644 services/vault/configmap.yaml
delete mode 100644 services/vault/helmrelease.yaml
create mode 100644 services/vault/service.yaml
create mode 100644 services/vault/statefulset.yaml
diff --git a/services/vault/configmap.yaml b/services/vault/configmap.yaml
new file mode 100644
index 0000000..6f36043
--- /dev/null
+++ b/services/vault/configmap.yaml
@@ -0,0 +1,24 @@
+# services/vault/configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: vault-config
+ namespace: vault
+data:
+ local.hcl: |
+ ui = true
+ cluster_name = "vault-k8s"
+
+ listener "tcp" {
+ address = "0.0.0.0:8200"
+ cluster_address = "0.0.0.0:8201"
+ tls_cert_file = "/vault/userconfig/tls/tls.crt"
+ tls_key_file = "/vault/userconfig/tls/tls.key"
+ }
+
+ storage "raft" {
+ path = "/vault/data"
+ }
+
+ api_addr = "https://secret.bstein.dev"
+ cluster_addr = "https://vault-0.vault-internal:8201"
diff --git a/services/vault/helmrelease.yaml b/services/vault/helmrelease.yaml
deleted file mode 100644
index 604d31c..0000000
--- a/services/vault/helmrelease.yaml
+++ /dev/null
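Review bot: `cluster_addr = "https://vault-0.vault-internal:8201"` pins the advertised cluster address to pod ordinal 0, and statefulset.yaml repeats the same literal in `VAULT_CLUSTER_ADDR`. That holds while `replicas: 1`, but a second pod would advertise vault-0's address to its raft peers, so the value belongs in the pod spec where it can be derived from the pod name (`- name: POD_NAME` with `valueFrom: {fieldRef: {fieldPath: metadata.name}}`, then `value: "https://$(POD_NAME).vault-internal:8201"`) rather than in a ConfigMap shared by every replica. Keeping `api_addr`/`cluster_addr` both in the file and in the environment also leaves two sources of truth; as far as I recall the `VAULT_API_ADDR`/`VAULT_CLUSTER_ADDR` variables take precedence, so the file copies are silently ignored and could be replaced by a one-line comment saying the addresses are set in statefulset.yaml.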
@@ -1,68 +0,0 @@
-# services/vault/helmrelease.yaml
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- name: vault
- namespace: vault
-spec:
- interval: 30m
- chart:
- spec:
- chart: vault
- version: 0.x.x
- sourceRef:
- kind: HelmRepository
- name: hashicorp
- namespace: flux-system
- install:
- remediation: { retries: 3 }
- upgrade:
- remediation: { retries: 3 }
- values:
- injector:
- enabled: true
- resources:
- requests: { cpu: "50m", memory: "64Mi" }
- csi:
- enabled: false
- server:
- ha:
- enabled: true
- replicas: 1
- raft:
- enabled: true
- extraEnvironmentVars:
- VAULT_API_ADDR: "https://secret.bstein.dev"
- VAULT_REDIRECT_ADDR: "https://secret.bstein.dev"
- dataStorage:
- enabled: true
- size: 10Gi
- storageClass: astreae
- resources:
- requests: { cpu: "100m", memory: "256Mi" }
- service:
- type: ClusterIP
- extraVolumes:
- - type: secret
- name: vault-server-tls
- path: /vault/userconfig/tls
- extraVolumeMounts:
- - name: vault-server-tls
- mountPath: /vault/userconfig/tls
- readOnly: true
- config: |
- ui = true
- cluster_name = "vault-k8s"
- listener "tcp" {
- address = "0.0.0.0:8200"
- cluster_address = "0.0.0.0:8201"
- tls_cert_file = "/vault/userconfig/tls/tls.crt"
- tls_key_file = "/vault/userconfig/tls/tls.key"
- }
- storage "raft" {
- path = "/vault/data"
- }
- api_addr = "https://secret.bstein.dev"
- cluster_addr = "https://vault-0.vault-internal:8201"
- ui:
- enabled: true
diff --git a/services/vault/ingress.yaml b/services/vault/ingress.yaml
index 91d9ca4..bb8d336 100644
--- a/services/vault/ingress.yaml
+++ b/services/vault/ingress.yaml
@@ -1,4 +1,4 @@
-# services/vault/helmrelease.yaml
+# services/vault/ingress.yaml
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -22,6 +22,6 @@ spec:
 pathType: Prefix
 backend:
 service:
- name: vault-ui
+ name: vault
 port:
 number: 8200
diff --git a/services/vault/kustomization.yaml b/services/vault/kustomization.yaml
index 1d7af87..9fdb061 100644
--- a/services/vault/kustomization.yaml
+++ b/services/vault/kustomization.yaml
@@ -4,7 +4,9 @@ kind: Kustomization
 namespace: vault
 resources:
 - namespace.yaml
- - helmrelease.yaml
- - certificate.yaml
+ - configmap.yaml
+ - statefulset.yaml
+ - service.yaml
 - ingress.yaml
+ - certificate.yaml
 - serverstransport.yaml
diff --git a/services/vault/service.yaml b/services/vault/service.yaml
new file mode 100644
index 0000000..0c1c451
--- /dev/null
+++ b/services/vault/service.yaml
@@ -0,0 +1,37 @@
+# services/vault/service.yaml
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: vault
+ namespace: vault
+spec:
+ ports:
+ - name: api
+ port: 8200
+ targetPort: 8200
+ - name: cluster
+ port: 8201
+ targetPort: 8201
+ selector:
+ app: vault
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: vault-internal
+ namespace: vault
+ labels:
+ app: vault
+spec:
+ clusterIP: None
+ ports:
+ - name: api
+ port: 8200
+ targetPort: 8200
+ - name: cluster
+ port: 8201
+ targetPort: 8201
+ selector:
+ app: vault
diff --git a/services/vault/statefulset.yaml b/services/vault/statefulset.yaml
new file mode 100644
index 0000000..fbbc028
--- /dev/null
+++ b/services/vault/statefulset.yaml
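Review bot: The headless `vault-internal` Service should set `publishNotReadyAddresses: true` under its `spec`, next to `clusterIP: None`. The StatefulSet's `serviceName: vault-internal` relies on per-pod DNS names such as `vault-0.vault-internal`, and by default a headless Service only publishes a pod's address once it is Ready, while the readiness probe in statefulset.yaml runs `vault status`, which does not succeed until the node is unsealed. With one replica nothing breaks today, but once raft peers must reach each other's `cluster_addr` before unseal the names will not resolve; the Helm chart this commit replaces sets this field on its headless service for the same reason, as far as I recall.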
@@ -0,0 +1,87 @@
+# services/vault/statefulset.yaml
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: vault
+ namespace: vault
+ labels:
+ app: vault
+spec:
+ serviceName: vault-internal
+ replicas: 1
+ selector:
+ matchLabels:
+ app: vault
+ template:
+ metadata:
+ labels:
+ app: vault
+ spec:
+ securityContext:
+ fsGroup: 1000
+ containers:
+ - name: vault
+ image: hashicorp/vault:1.17.6
+ imagePullPolicy: IfNotPresent
+ args: ["server", "-config=/vault/config/local.hcl"]
+ ports:
+ - name: api
+ containerPort: 8200
+ - name: cluster
+ containerPort: 8201
+ env:
+ - name: VAULT_API_ADDR
+ value: "https://secret.bstein.dev"
+ - name: VAULT_CLUSTER_ADDR
+ value: "https://vault-0.vault-internal:8201"
+ - name: VAULT_REDIRECT_ADDR
+ value: "https://secret.bstein.dev"
+ - name: VAULT_LOG_LEVEL
+ value: "info"
+ readinessProbe:
+ exec:
+ command: ["vault", "status", "-tls-skip-verify"]
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 6
+ livenessProbe:
+ exec:
+ command: ["vault", "status", "-tls-skip-verify"]
+ initialDelaySeconds: 60
+ periodSeconds: 20
+ timeoutSeconds: 5
+ failureThreshold: 6
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ allowPrivilegeEscalation: false
+ capabilities:
+ add: ["IPC_LOCK"]
+ drop: ["ALL"]
+ volumeMounts:
+ - name: config
+ mountPath: /vault/config
+ - name: data
+ mountPath: /vault/data
+ - name: tls
+ mountPath: /vault/userconfig/tls
+ readOnly: true
+ volumes:
+ - name: config
+ configMap:
+ name: vault-config
+ - name: tls
+ secret:
+ secretName: vault-server-tls
+ optional: false
+ volumeClaimTemplates:
+ - metadata:
+ name: data
+ spec:
+ accessModes: ["ReadWriteOnce"]
+ resources:
+ requests:
+ storage: 10Gi
+ storageClassName: astreae
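Review bot: The `livenessProbe` runs `vault status -tls-skip-verify`, which exits non-zero whenever Vault is sealed, and nothing in local.hcl (no `seal` stanza) unseals the node automatically after a restart. Each restart therefore leaves an operator 60s plus six failed checks before kubelet kills the container again, and because readiness also fails while sealed the Ingress route cannot be used to unseal it, so a pod can loop indefinitely; the Helm chart this replaces ships with the liveness probe disabled for this reason, if I remember correctly. Relying on readiness alone, or switching liveness to an `httpGet` on `/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204` with `scheme: HTTPS`, keeps a sealed pod alive while still catching a hung process; the rewritten probe is below, with the rest of the container spec unchanged.
```yaml
        livenessProbe:
          httpGet:
            path: /v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204
            port: api
            scheme: HTTPS
          initialDelaySeconds: 60
          periodSeconds: 20
          timeoutSeconds: 5
          failureThreshold: 6
        # … unchanged: securityContext, volumeMounts …
```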