From d3751ad150e1f32213ee2c83d914a66aae269376 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Tue, 19 Aug 2025 21:01:54 -0500
Subject: [PATCH] added cred req for vault
---
 .../sources/cert-manager/letsencrypt.yaml | 14 +++++++++++
 services/vault/certificate.yaml | 14 +++++++++++
 services/vault/helmrelease.yaml | 25 +++++++++++++++++++
 services/vault/ingressroutetcp.yaml | 15 +++++++++++
 4 files changed, 68 insertions(+)
 create mode 100644 infrastructure/sources/cert-manager/letsencrypt.yaml
 create mode 100644 services/vault/certificate.yaml
 create mode 100644 services/vault/ingressroutetcp.yaml
diff --git a/infrastructure/sources/cert-manager/letsencrypt.yaml b/infrastructure/sources/cert-manager/letsencrypt.yaml
new file mode 100644
index 0000000..73f1210
--- /dev/null
+++ b/infrastructure/sources/cert-manager/letsencrypt.yaml
@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt
+spec:
+ acme:
+ email: you@bstein.dev
+ server: https://acme-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ name: letsencrypt-account-key
+ solvers:
+ - http01:
+ ingress:
+ class: traefik
diff --git a/services/vault/certificate.yaml b/services/vault/certificate.yaml
new file mode 100644
index 0000000..983c7fe
--- /dev/null
+++ b/services/vault/certificate.yaml
@@ -0,0 +1,14 @@
+# services/vault/certificate.yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: vault-cert
+ namespace: vault
+spec:
+ secretName: vault-server-tls
+ issuerRef:
+ kind: ClusterIssuer
+ name: letsencrypt-prod
+ commonName: secret.bstein.dev
+ dnsNames:
+ - secret.bstein.dev
diff --git a/services/vault/helmrelease.yaml b/services/vault/helmrelease.yaml
index 951e85c..f1882f2 100644
--- a/services/vault/helmrelease.yaml
+++ b/services/vault/helmrelease.yaml
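Review bot: The ClusterIssuer is created as `name: letsencrypt`, but services/vault/certificate.yaml in this same patch references `issuerRef.name: letsencrypt-prod`, so cert-manager will report the issuer as not found and the `vault-server-tls` secret is never written — the Vault listener that mounts it (helmrelease.yaml) then has no certificate to start with. Use one name on both sides; since `server:` is the production ACME endpoint, `name: letsencrypt-prod` here, matching what certificate.yaml already expects, is the clearer choice. `email: you@bstein.dev` also reads like an unfilled template value — worth confirming it is the intended ACME account contact before the account key is registered. The same mismatch applies to the certificate.yaml hunk that follows; I have not repeated it there.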
@@ -30,6 +30,9 @@ spec:
 replicas: 1
 raft:
 enabled: true
+ extraEnvironmentVars:
+ VAULT_API_ADDR: "https://secret.bstein.dev"
+ VAULT_REDIRECT_ADDR: "https://secret.bstein.dev"
 dataStorage:
 enabled: true
 size: 10Gi
@@ -38,5 +41,27 @@ spec:
 requests: { cpu: "100m", memory: "256Mi" }
 service:
 type: ClusterIP
+ extraVolumes:
+ - type: secret
+ name: vault-server-tls
+ path: /vault/userconfig/tls
+ extraVolumeMounts:
+ - name: vault-server-tls
+ mountPath: /vault/userconfig/tls
+ readOnly: true
+ config: |
+ ui = true
+ cluster_name = "vault-k8s"
+ listener "tcp" {
+ address = "0.0.0.0:8200"
+ cluster_address = "0.0.0.0:8201"
+ tls_cert_file = "/vault/userconfig/tls/tls.crt"
+ tls_key_file = "/vault/userconfig/tls/tls.key"
+ }
+ storage "raft" {
+ path = "/vault/data"
+ }
+ api_addr = "https://secret.bstein.dev"
+ cluster_addr = "https://vault-0.vault-internal:8201"
 ui:
 enabled: true
diff --git a/services/vault/ingressroutetcp.yaml b/services/vault/ingressroutetcp.yaml
new file mode 100644
index 0000000..0da35b5
--- /dev/null
+++ b/services/vault/ingressroutetcp.yaml
@@ -0,0 +1,15 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRouteTCP
+metadata:
+ name: vault-tcp
+ namespace: vault
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: HostSNI(`secret.bstein.dev`)
+ services:
+ - name: vault-ui
+ port: 8200
+ tls:
+ passthrough: true
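Review bot: `VAULT_REDIRECT_ADDR` appears to be the legacy name for `VAULT_API_ADDR`, and the same URL is set a third time as `api_addr` in the `config` block of the next hunk, so one value now lives in three places that must be kept in sync by hand. I would drop the `VAULT_REDIRECT_ADDR:` line and annotate the survivor: `# api_addr is also declared in config below; the env var wins, keep them identical`, or remove the env vars entirely if the config value is meant to be authoritative. The enclosing values stanza (presumably `server.ha.raft`, given the `raft:`/`enabled: true` context) starts outside the hunk, and with whitespace collapsed in this rendering the nesting cannot be confirmed from here.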
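Review bot: The listener reads `tls_cert_file`/`tls_key_file` from the cert-manager-managed `vault-server-tls` secret, but nothing in this change reloads Vault when cert-manager renews it; as far as I know Vault only re-reads listener certificates on SIGHUP or restart, so after the first renewal the pod keeps serving the old certificate until it expires and clients start failing. Add a reload path (a renewal-triggered rollout or a sidecar that sends SIGHUP) or at least record the gap next to `config: |`: `# NOTE: Vault does not watch these files — a renewed vault-server-tls needs a SIGHUP/restart of the pod`. `cluster_addr = "https://vault-0.vault-internal:8201"` is also hard-wired to the first pod; it works with the `replicas: 1` in the previous hunk, but any additional raft member would advertise vault-0's address, where the chart's default derives it from the pod hostname (inferred from the chart, not visible here). The replaced config also no longer declares `service_registration "kubernetes" {}`, which I believe the chart's default raft config includes and its active/standby pod labelling relies on — worth checking before scaling beyond one replica. Finally, because indentation is lost in this view I cannot tell whether `config:` sits under `server.ha.raft` or `server`; as far as I recall only the former is rendered for a raft HA deployment, so the nesting should be verified against the rendered ConfigMap.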
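Review bot: The route sends all `secret.bstein.dev` SNI traffic to service `vault-ui`, which the Vault chart only renders while `ui.enabled: true` (a context line in the helmrelease.yaml hunk above); turning the UI off later would silently break API access through this route. Pointing `services[0].name` at the chart's `vault` service, or adding `# vault-ui is the chart's UI service and only exists while ui.enabled is true in helmrelease.yaml`, keeps that dependency visible. With `passthrough: true` Traefik forwards the TLS session without terminating it, so no HTTP-level control (forward-auth, header rules, HTTP rate limits) can ever apply on this route and Vault's own listener and auth are the only gate in front of the API — stating that in the file prevents someone attaching an HTTP middleware and assuming it took effect. Since the HTTP-01 solver in letsencrypt.yaml needs port 80 on the same host, this websecure-only route is fine, but it is worth confirming the `web` entrypoint is reachable for `secret.bstein.dev` or the Certificate will never be issued.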