added cred req for vault

2025-08-19 21:01:54 -05:00 · 2025-08-19 21:01:54 -05:00 · d3751ad150
commit d3751ad150
parent 4b372126dd
4 changed files with 68 additions and 0 deletions
--- a/infrastructure/sources/cert-manager/letsencrypt.yaml
+++ b/infrastructure/sources/cert-manager/letsencrypt.yaml
@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt
+spec:
+  acme:
+    email: you@bstein.dev
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: letsencrypt-account-key
+    solvers:
+    - http01:
+        ingress:
+          class: traefik
--- a/services/vault/certificate.yaml
+++ b/services/vault/certificate.yaml
@ -0,0 +1,14 @@
+# services/vault/certificate.yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: vault-cert
+  namespace: vault
+spec:
+  secretName: vault-server-tls
+  issuerRef:
+    kind: ClusterIssuer
+    name: letsencrypt-prod
+  commonName: secret.bstein.dev
+  dnsNames:
+  - secret.bstein.dev
--- a/services/vault/helmrelease.yaml
+++ b/services/vault/helmrelease.yaml
@ -30,6 +30,9 @@ spec:
        replicas: 1
        raft:
          enabled: true
+      extraEnvironmentVars:
+        VAULT_API_ADDR: "https://secret.bstein.dev"
+        VAULT_REDIRECT_ADDR: "https://secret.bstein.dev"
      dataStorage:
        enabled: true
        size: 10Gi
@ -38,5 +41,27 @@ spec:
        requests: { cpu: "100m", memory: "256Mi" }
      service:
        type: ClusterIP
+      extraVolumes:
+        - type: secret
+          name: vault-server-tls
+          path: /vault/userconfig/tls
+      extraVolumeMounts:
+        - name: vault-server-tls
+          mountPath: /vault/userconfig/tls
+          readOnly: true
+      config: |
+        ui = true
+        cluster_name = "vault-k8s"
+        listener "tcp" {
+          address         = "0.0.0.0:8200"
+          cluster_address = "0.0.0.0:8201"
+          tls_cert_file   = "/vault/userconfig/tls/tls.crt"
+          tls_key_file    = "/vault/userconfig/tls/tls.key"
+        }
+        storage "raft" {
+          path = "/vault/data"
+        }
+        api_addr      = "https://secret.bstein.dev"
+        cluster_addr  = "https://vault-0.vault-internal:8201"
    ui:
      enabled: true
--- a/services/vault/ingressroutetcp.yaml
+++ b/services/vault/ingressroutetcp.yaml
@ -0,0 +1,15 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRouteTCP
+metadata:
+  name: vault-tcp
+  namespace: vault
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: HostSNI(`secret.bstein.dev`)
+      services:
+        - name: vault-ui
+          port: 8200
+  tls:
+    passthrough: true