vault: drop helm, add raw statefulset

This commit is contained in:
Brad Stein 2025-12-19 19:30:09 -03:00
parent 6405cd823d
commit 7533cec0ee
6 changed files with 154 additions and 72 deletions


@ -0,0 +1,24 @@
# services/vault/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: vault-config
namespace: vault
data:
local.hcl: |
ui = true
cluster_name = "vault-k8s"
listener "tcp" {
address = "0.0.0.0:8200"
cluster_address = "0.0.0.0:8201"
tls_cert_file = "/vault/userconfig/tls/tls.crt"
tls_key_file = "/vault/userconfig/tls/tls.key"
}
storage "raft" {
path = "/vault/data"
}
api_addr = "https://secret.bstein.dev"
cluster_addr = "https://vault-0.vault-internal:8201"
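Review bot: `cluster_addr` is pinned to `https://vault-0.vault-internal:8201`, and the StatefulSet repeats the same literal in its `VAULT_CLUSTER_ADDR` env, so this config is only correct for `replicas: 1`; raising the replica count for raft HA would make every pod advertise pod 0's address and the raft join would fail until the value is derived per pod. A comment on the `cluster_addr` line recording that constraint would save the next maintainer a confusing debugging session: `# single-node raft: cluster_addr is pinned to pod 0; scaling out needs per-pod values`. The `tcp` listener sets no `tls_min_version`, so Vault's default floor applies — fine unless a stricter policy is intended, in which case it belongs here next to the cert paths.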


@ -1,68 +0,0 @@
# services/vault/helmrelease.yaml
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: vault
namespace: vault
spec:
interval: 30m
chart:
spec:
chart: vault
version: 0.x.x
sourceRef:
kind: HelmRepository
name: hashicorp
namespace: flux-system
install:
remediation: { retries: 3 }
upgrade:
remediation: { retries: 3 }
values:
injector:
enabled: true
resources:
requests: { cpu: "50m", memory: "64Mi" }
csi:
enabled: false
server:
ha:
enabled: true
replicas: 1
raft:
enabled: true
extraEnvironmentVars:
VAULT_API_ADDR: "https://secret.bstein.dev"
VAULT_REDIRECT_ADDR: "https://secret.bstein.dev"
dataStorage:
enabled: true
size: 10Gi
storageClass: astreae
resources:
requests: { cpu: "100m", memory: "256Mi" }
service:
type: ClusterIP
extraVolumes:
- type: secret
name: vault-server-tls
path: /vault/userconfig/tls
extraVolumeMounts:
- name: vault-server-tls
mountPath: /vault/userconfig/tls
readOnly: true
config: |
ui = true
cluster_name = "vault-k8s"
listener "tcp" {
address = "0.0.0.0:8200"
cluster_address = "0.0.0.0:8201"
tls_cert_file = "/vault/userconfig/tls/tls.crt"
tls_key_file = "/vault/userconfig/tls/tls.key"
}
storage "raft" {
path = "/vault/data"
}
api_addr = "https://secret.bstein.dev"
cluster_addr = "https://vault-0.vault-internal:8201"
ui:
enabled: true


@ -1,4 +1,4 @@
# services/vault/helmrelease.yaml # services/vault/ingress.yaml
apiVersion: networking.k8s.io/v1 apiVersion: networking.k8s.io/v1
kind: Ingress kind: Ingress
metadata: metadata:
@ -22,6 +22,6 @@ spec:
pathType: Prefix pathType: Prefix
backend: backend:
service: service:
name: vault-ui name: vault
port: port:
number: 8200 number: 8200
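Review bot: The backend now targets Service `vault` on port 8200, which is Vault's TLS listener (the new ConfigMap sets `tls_cert_file`/`tls_key_file` on the `tcp` listener), so the ingress controller has to speak HTTPS to the upstream; the annotations that would configure that are outside this hunk, and the `serverstransport.yaml` kept in the kustomization suggests a Traefik ServersTransport does it — worth confirming the transport is still wired to this Ingress after the backend rename. The old `vault-ui` backend was presumably the chart-managed UI Service and disappears with the HelmRelease, so pointing at the raw `vault` Service is the right move. The file-header comment fix on the first line (`helmrelease.yaml` → `ingress.yaml`) is welcome; the rest of the Ingress spec, including any annotations, lies outside the hunk.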


@ -4,7 +4,9 @@ kind: Kustomization
namespace: vault namespace: vault
resources: resources:
- namespace.yaml - namespace.yaml
- helmrelease.yaml - configmap.yaml
- certificate.yaml - statefulset.yaml
- service.yaml
- ingress.yaml - ingress.yaml
- certificate.yaml
- serverstransport.yaml - serverstransport.yaml


@ -0,0 +1,37 @@
# services/vault/service.yaml
---
apiVersion: v1
kind: Service
metadata:
name: vault
namespace: vault
spec:
ports:
- name: api
port: 8200
targetPort: 8200
- name: cluster
port: 8201
targetPort: 8201
selector:
app: vault
---
apiVersion: v1
kind: Service
metadata:
name: vault-internal
namespace: vault
labels:
app: vault
spec:
clusterIP: None
ports:
- name: api
port: 8200
targetPort: 8200
- name: cluster
port: 8201
targetPort: 8201
selector:
app: vault
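Review bot: Neither Service sets `publishNotReadyAddresses: true`, while the StatefulSet's readiness probe runs `vault status`, which exits non-zero whenever Vault is sealed; a sealed pod is therefore NotReady, the `vault` Service has no endpoints, and the UI/API behind the Ingress is unreachable precisely when an operator needs it to unseal after every restart. Add `publishNotReadyAddresses: true` under `spec:` of both Services — the headless `vault-internal` needs it too, so the `vault-0.vault-internal` name used as `cluster_addr` resolves before the pod reports ready. The `vault` Service also lacks the `labels: app: vault` that `vault-internal` carries; minor, but keeping the two consistent helps label-based tooling.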


@ -0,0 +1,87 @@
# services/vault/statefulset.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: vault
namespace: vault
labels:
app: vault
spec:
serviceName: vault-internal
replicas: 1
selector:
matchLabels:
app: vault
template:
metadata:
labels:
app: vault
spec:
securityContext:
fsGroup: 1000
containers:
- name: vault
image: hashicorp/vault:1.17.6
imagePullPolicy: IfNotPresent
args: ["server", "-config=/vault/config/local.hcl"]
ports:
- name: api
containerPort: 8200
- name: cluster
containerPort: 8201
env:
- name: VAULT_API_ADDR
value: "https://secret.bstein.dev"
- name: VAULT_CLUSTER_ADDR
value: "https://vault-0.vault-internal:8201"
- name: VAULT_REDIRECT_ADDR
value: "https://secret.bstein.dev"
- name: VAULT_LOG_LEVEL
value: "info"
readinessProbe:
exec:
command: ["vault", "status", "-tls-skip-verify"]
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 6
livenessProbe:
exec:
command: ["vault", "status", "-tls-skip-verify"]
initialDelaySeconds: 60
periodSeconds: 20
timeoutSeconds: 5
failureThreshold: 6
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
allowPrivilegeEscalation: false
capabilities:
add: ["IPC_LOCK"]
drop: ["ALL"]
volumeMounts:
- name: config
mountPath: /vault/config
- name: data
mountPath: /vault/data
- name: tls
mountPath: /vault/userconfig/tls
readOnly: true
volumes:
- name: config
configMap:
name: vault-config
- name: tls
secret:
secretName: vault-server-tls
optional: false
volumeClaimTemplates:
- metadata:
name: data
spec:
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 10Gi
storageClassName: astreae
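Review bot: The `vault` container declares no `resources` block, which silently drops the `requests: { cpu: "100m", memory: "256Mi" }` the removed Helm values carried and leaves the pod BestEffort — first to be evicted under node pressure, for a single-replica raft node that is the entire secrets backend. The container securityContext is otherwise tight (non-root, `drop: ["ALL"]`, only `IPC_LOCK` added for mlock) but sets no `seccompProfile`, so `seccompProfile: { type: RuntimeDefault }` would complete it. I cannot confirm from here that uid 1000 matches the image's own `vault` user (the Helm chart defaulted to a different uid); `fsGroup: 1000` makes the PVC group-writable so it likely works, but check ownership of `/vault/data` on first boot. Suggested additions below.
```yaml
      containers:
        - name: vault
          image: hashicorp/vault:1.17.6
          # … unchanged: imagePullPolicy, args, ports, env, probes …
          resources:
            requests:
              cpu: "100m"
              memory: "256Mi"
          securityContext:
            runAsNonRoot: true
            # … unchanged: runAsUser, runAsGroup, allowPrivilegeEscalation, capabilities …
            seccompProfile:
              type: RuntimeDefault
          # … unchanged: volumeMounts …
```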