
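# services/vault/statefulset.yaml
#
# Single-node Vault server. Listener/storage settings come from the
# vault-config ConfigMap (local.hcl), TLS material from the vault-server-tls
# Secret, and persistent state lives on a 10Gi PVC mounted at /vault/data.
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: vault
  namespace: vault
  labels:
    app: vault
spec:
  # Headless Service that gives the pod its stable DNS name
  # (<pod>.vault-internal), used for VAULT_CLUSTER_ADDR below.
  serviceName: vault-internal
  # One replica: no HA. Scaling up needs a clustered storage backend in
  # local.hcl (not visible here); each ordinal gets its own RWO PVC.
  replicas: 1
  selector:
    matchLabels:
      app: vault
  template:
    metadata:
      labels:
        app: vault
    spec:
      securityContext:
        # PVC and Secret files are group-owned by 1000 so the non-root vault
        # process (uid/gid 1000 below) can read them.
        fsGroup: 1000
        # Skip the recursive chown of /vault/data when ownership already
        # matches; keeps restarts fast once the data volume grows.
        fsGroupChangePolicy: OnRootMismatch
        # Default kernel syscall filter, as required by the "restricted"
        # Pod Security Standard.
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: vault
          # Pinned to a release tag. For a stronger supply-chain guarantee
          # also pin the digest (hashicorp/vault:1.17.6@sha256:...): a tag
          # can be re-pushed, a digest cannot.
          image: hashicorp/vault:1.17.6
          imagePullPolicy: IfNotPresent
          args: ["server", "-config=/vault/config/local.hcl"]
          # NOTE(review): no resources are set, so the pod is BestEffort and
          # the first candidate for eviction under node pressure. Add
          # requests/limits once the working set is known.
          ports:
            - name: api
              containerPort: 8200
            - name: cluster
              containerPort: 8201
          env:
            # Pod name from the downward API so the cluster address follows
            # the pod's ordinal instead of hard-coding vault-0. Must be
            # declared before any $(POD_NAME) reference.
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            # Address clients are redirected to: the public ingress hostname.
            - name: VAULT_API_ADDR
              value: "https://secret.bstein.dev"
            # Server-to-server (cluster) address on the headless Service.
            - name: VAULT_CLUSTER_ADDR
              value: "https://$(POD_NAME).vault-internal:8201"
            # Older name for the api address; kept so the value stays in
            # step with VAULT_API_ADDR for anything still reading it.
            - name: VAULT_REDIRECT_ADDR
              value: "https://secret.bstein.dev"
            - name: VAULT_LOG_LEVEL
              value: "info"
          # Readiness: `vault status` exits 0 only when initialised and
          # unsealed (2 = sealed, 1 = error), so a sealed server is removed
          # from the Service until an operator unseals it. -tls-skip-verify is
          # needed because the CLI dials 127.0.0.1, which the server
          # certificate is unlikely to cover; the call never leaves the pod.
          readinessProbe:
            exec:
              command: ["vault", "status", "-tls-skip-verify"]
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 6
          # Liveness: must NOT reuse `vault status` -- it exits 2 while
          # sealed, which would restart a sealed but otherwise healthy server
          # every ~3 minutes (60s + 6 x 20s) and deny an operator the window
          # to unseal it. The health endpoint is asked to report sealed and
          # uninitialised as 204, so only a hung or dead process fails the
          # probe. kubelet does not verify the server certificate on HTTPS
          # probes, so no skip-verify flag is needed here.
          livenessProbe:
            httpGet:
              path: /v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204
              port: api
              scheme: HTTPS
            initialDelaySeconds: 60
            periodSeconds: 20
            timeoutSeconds: 5
            failureThreshold: 6
          securityContext:
            runAsNonRoot: true
            runAsUser: 1000
            runAsGroup: 1000
            allowPrivilegeEscalation: false
            capabilities:
              # IPC_LOCK lets Vault mlock() its memory so secrets are never
              # swapped to disk; every other capability is dropped. A
              # non-root process only gains it if the image's vault binary
              # carries the matching file capability -- presumably it does,
              # verify if mlock warnings appear in the log.
              add: ["IPC_LOCK"]
              drop: ["ALL"]
          volumeMounts:
            # Config is read-only for the process (ConfigMap volumes are
            # read-only anyway; stated explicitly for intent).
            - name: config
              mountPath: /vault/config
              readOnly: true
            - name: data
              mountPath: /vault/data
            - name: tls
              mountPath: /vault/userconfig/tls
              readOnly: true
      volumes:
        - name: config
          configMap:
            name: vault-config
        - name: tls
          secret:
            secretName: vault-server-tls
            # Fail the pod rather than start Vault without its TLS material.
            optional: false
            # 0440: key readable by owner and fsGroup only, not world-readable
            # (the Secret volume default is 0644). The API wants a decimal
            # int32 here; 288 == 0o440.
            defaultMode: 288
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 10Gi
        storageClassName: astreae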