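# services/vault/statefulset.yaml
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: vault
  namespace: vault
  labels:
    app: vault
spec:
  serviceName: vault-internal
  replicas: 1
  selector:
    matchLabels:
      app: vault
  template:
    metadata:
      labels:
        app: vault
    spec:
      securityContext:
        # The data PVC is group-owned by gid 1000 so the non-root container
        # (runAsGroup 1000 below) can write to /vault/data.
        fsGroup: 1000
        # Confine the process to the runtime's default syscall allow-list
        # (required by the "restricted" Pod Security Standard).
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: vault
          image: hashicorp/vault:1.17.6
          imagePullPolicy: IfNotPresent
          args: ["server", "-config=/vault/config/local.hcl"]
          ports:
            - name: api
              containerPort: 8200
            - name: cluster
              containerPort: 8201
          env:
            - name: VAULT_API_ADDR
              value: "https://secret.bstein.dev"
            - name: VAULT_CLUSTER_ADDR
              value: "https://vault-0.vault-internal:8201"
            # Deprecated alias of VAULT_API_ADDR; kept for compatibility.
            - name: VAULT_REDIRECT_ADDR
              value: "https://secret.bstein.dev"
            - name: VAULT_LOG_LEVEL
              value: "info"
          # `vault status` exits 2 while sealed, so a sealed pod is deliberately
          # NotReady and gets no Service traffic until it is unsealed.
          # -tls-skip-verify: the probe targets the loopback listener, whose
          # certificate is not expected to carry 127.0.0.1 as a SAN.
          readinessProbe:
            exec:
              command: ["vault", "status", "-tls-skip-verify"]
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 6
          # Liveness must NOT reuse `vault status`: its non-zero exit while
          # sealed or uninitialized would make kubelet restart-loop a pod that
          # only needs `vault operator init` / `vault operator unseal`.
          # sys/health is asked to report those states as 204 so only an
          # unresponsive process is restarted. HTTPS matches the CLI probe
          # default of https://127.0.0.1:8200; kubelet does not verify the
          # certificate on HTTPS probes.
          livenessProbe:
            httpGet:
              path: /v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204
              port: api
              scheme: HTTPS
            initialDelaySeconds: 60
            periodSeconds: 20
            timeoutSeconds: 5
            failureThreshold: 6
          securityContext:
            runAsNonRoot: true
            runAsUser: 1000
            runAsGroup: 1000
            allowPrivilegeEscalation: false
            capabilities:
              # IPC_LOCK lets Vault mlock() memory holding key material so it
              # is never swapped to disk; everything else is dropped.
              add: ["IPC_LOCK"]
              drop: ["ALL"]
          volumeMounts:
            - name: config
              mountPath: /vault/config
            - name: data
              mountPath: /vault/data
            # Server certificate and key; read-only so a compromised process
            # cannot swap the listener's identity.
            - name: tls
              mountPath: /vault/userconfig/tls
              readOnly: true
      volumes:
        - name: config
          configMap:
            name: vault-config
        - name: tls
          secret:
            secretName: vault-server-tls
            # Fail the pod rather than start an unauthenticated listener.
            optional: false
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 10Gi
        storageClassName: astreae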