alexlebens/infrastructure
1
0
Fork 0
Code Issues 1 Pull Requests 7 Actions 1 Activity

add vault

Browse Source
This commit is contained in:
Alex Lebens
2025-03-02 22:09:12 -06:00
parent 1dd674535d
commit 0ac0009854
11 changed files with 750 additions and 735 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
clusters/cl01tl/platform/external-secrets/Chart.yaml Normal file
View File

@@ -0,0 +1,18 @@
apiVersion: v2
name: external-secrets
version: 1.0.0
description: External Secrets
keywords:
- external-secrets
- secrets
- vault
home: https://wiki.alexlebens.dev/doc/external-secrets-E68EWwvR0a
sources:
- https://github.com/external-secrets/external-secrets
- https://github.com/external-secrets/external-secrets/tree/main/deploy/charts/external-secrets
dependencies:
- name: external-secrets
version: 0.14.3
repository: https://charts.external-secrets.io
icon: https://avatars.githubusercontent.com/u/68335991?s=48&v=4
appVersion: 0.14.1

21
clusters/cl01tl/platform/external-secrets/templates/cluster-secret-store.yaml Normal file
View File

@@ -0,0 +1,21 @@
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: vault
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: auth
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
provider:
vault:
server: http://vault-internal.vault:8200
path: secret
auth:
tokenSecretRef:
namespace: vault
name: vault-token
key: token

29
clusters/cl01tl/platform/vault/Chart.yaml Normal file
View File

@@ -0,0 +1,29 @@
apiVersion: v2
name: vault
version: 1.0.0
description: Vault
keywords:
- vault
- secrets
home: https://wiki.alexlebens.dev/doc/vault-TJ1ocQp9WB
sources:
- https://github.com/hashicorp/vault
- https://github.com/lrstanley/vault-unseal
- https://hub.docker.com/r/hashicorp/vault
- https://github.com/hashicorp/vault-helm
maintainers:
- name: alexlebens
dependencies:
- name: vault
version: 0.29.1
repository: https://helm.releases.hashicorp.com
- name: app-template
alias: snapshot
repository: https://bjw-s.github.io/helm-charts/
version: 3.7.1
- name: app-template
alias: unseal
repository: https://bjw-s.github.io/helm-charts/
version: 3.7.1
icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/vault.png
appVersion: 1.18.4

390
clusters/cl01tl/platform/vault/templates/external-secret.yaml Normal file
View File

@@ -0,0 +1,390 @@
# apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret
# metadata:
# name: vault-snapshot-agent-token
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: vault-snapshot-agent-token
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: snapshot
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# secretStoreRef:
# kind: ClusterSecretStore
# name: vault
# data:
# - secretKey: VAULT_APPROLE_ROLE_ID
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/snapshot
# metadataPolicy: None
# property: VAULT_APPROLE_ROLE_ID
# - secretKey: VAULT_APPROLE_SECRET_ID
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/snapshot
# metadataPolicy: None
# property: VAULT_APPROLE_SECRET_ID
# ---
# apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret
# metadata:
# name: vault-snapshot-s3
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: vault-snapshot-s3
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: snapshot
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# secretStoreRef:
# kind: ClusterSecretStore
# name: vault
# data:
# - secretKey: AWS_ACCESS_KEY_ID
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /digital-ocean/home-infra/vault-backup
# metadataPolicy: None
# property: AWS_ACCESS_KEY_ID
# - secretKey: AWS_SECRET_ACCESS_KEY
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /digital-ocean/home-infra/vault-backup
# metadataPolicy: None
# property: AWS_SECRET_ACCESS_KEY
# ---
# apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret
# metadata:
# name: vault-s3cmd-config
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: vault-snapshot-s3
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: snapshot
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# secretStoreRef:
# kind: ClusterSecretStore
# name: vault
# data:
# - secretKey: .s3cfg
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/snapshot
# metadataPolicy: None
# property: s3cfg
# ---
# apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret
# metadata:
# name: vault-unseal-config-1
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: vault-unseal-key-1
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: unseal
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# secretStoreRef:
# kind: ClusterSecretStore
# name: vault
# data:
# - secretKey: ENVIRONMENT
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None
# property: ENVIRONMENT
# - secretKey: CHECK_INTERVAL
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None
# property: CHECK_INTERVAL
# - secretKey: MAX_CHECK_INTERVAL
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None
# property: MAX_CHECK_INTERVAL
# - secretKey: NODES
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None
# property: NODES
# - secretKey: TLS_SKIP_VERIFY
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None
# property: TLS_SKIP_VERIFY
# - secretKey: TOKENS
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None
# property: TOKENS
# - secretKey: EMAIL_ENABLED
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None
# property: EMAIL_ENABLED
# - secretKey: NOTIFY_MAX_ELAPSED
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None
# property: NOTIFY_MAX_ELAPSED
# - secretKey: NOTIFY_QUEUE_DELAY
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None
# property: NOTIFY_QUEUE_DELAY
# ---
# apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret
# metadata:
# name: vault-unseal-config-2
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: vault-unseal-key-2
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: unseal
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# secretStoreRef:
# kind: ClusterSecretStore
# name: vault
# data:
# - secretKey: ENVIRONMENT
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None
# property: ENVIRONMENT
# - secretKey: CHECK_INTERVAL
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None
# property: CHECK_INTERVAL
# - secretKey: MAX_CHECK_INTERVAL
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None
# property: MAX_CHECK_INTERVAL
# - secretKey: NODES
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None
# property: NODES
# - secretKey: TLS_SKIP_VERIFY
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None
# property: TLS_SKIP_VERIFY
# - secretKey: TOKENS
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None
# property: TOKENS
# - secretKey: EMAIL_ENABLED
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None
# property: EMAIL_ENABLED
# - secretKey: NOTIFY_MAX_ELAPSED
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None
# property: NOTIFY_MAX_ELAPSED
# - secretKey: NOTIFY_QUEUE_DELAY
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None
# property: NOTIFY_QUEUE_DELAY
# ---
# apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret
# metadata:
# name: vault-unseal-config-3
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: vault-unseal-config-3
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: unseal
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# secretStoreRef:
# kind: ClusterSecretStore
# name: vault
# data:
# - secretKey: ENVIRONMENT
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None
# property: ENVIRONMENT
# - secretKey: CHECK_INTERVAL
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None
# property: CHECK_INTERVAL
# - secretKey: MAX_CHECK_INTERVAL
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None
# property: MAX_CHECK_INTERVAL
# - secretKey: NODES
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None
# property: NODES
# - secretKey: TLS_SKIP_VERIFY
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None
# property: TLS_SKIP_VERIFY
# - secretKey: TOKENS
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None
# property: TOKENS
# - secretKey: EMAIL_ENABLED
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None
# property: EMAIL_ENABLED
# - secretKey: NOTIFY_MAX_ELAPSED
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None
# property: NOTIFY_MAX_ELAPSED
# - secretKey: NOTIFY_QUEUE_DELAY
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None
# property: NOTIFY_QUEUE_DELAY
# ---
# apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret
# metadata:
# name: vault-token
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: vault-token
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: token
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# secretStoreRef:
# kind: ClusterSecretStore
# name: vault
# data:
# - secretKey: token
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/token
# metadataPolicy: None
# property: token
# - secretKey: unseal_key_1
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/token
# metadataPolicy: None
# property: unseal_key_1
# - secretKey: unseal_key_2
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/token
# metadataPolicy: None
# property: unseal_key_2
# - secretKey: unseal_key_3
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/token
# metadataPolicy: None
# property: unseal_key_3
# - secretKey: unseal_key_4
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/token
# metadataPolicy: None
# property: unseal_key_4
# - secretKey: unseal_key_5
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/token
# metadataPolicy: None
# property: unseal_key_5

30
clusters/cl01tl/platform/vault/templates/http-route.yaml Normal file
View File

@@ -0,0 +1,30 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: http-route-vault
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: http-route-vault
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- vault.alexlebens.net
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- group: ''
kind: Service
name: vault-active
port: 8200
weight: 100

32
clusters/cl01tl/platform/vault/templates/ingress.yaml Normal file
View File

@@ -0,0 +1,32 @@
# apiVersion: networking.k8s.io/v1
# kind: Ingress
# metadata:
# name: vault-tailscale
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: vault-tailscale
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: web
# app.kubernetes.io/part-of: {{ .Release.Name }}
# labels:
# tailscale.com/proxy-class: no-metrics
# annotations:
# tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
# spec:
# ingressClassName: tailscale
# tls:
# - hosts:
# - vault-cl01tl
# secretName: vault-cl01tl
# rules:
# - host: vault-cl01tl
# http:
# paths:
# - path: /
# pathType: Prefix
# backend:
# service:
# name: vault-active
# port:
# number: 8200

19
clusters/cl01tl/platform/vault/templates/persistent-volume-claim.yaml Normal file
View File

@@ -0,0 +1,19 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: vault-nfs-storage-backup
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-nfs-storage-backup
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeMode: Filesystem
storageClassName: nfs-client
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi

298
clusters/cl01tl/platform/vault/values.yaml Normal file
View File

@@ -0,0 +1,298 @@
vault:
global:
enabled: true
tlsDisable: true
psp:
enable: false
serverTelemetry:
prometheusOperator: true
injector:
enabled: false
server:
enabled: true
image:
repository: hashicorp/vault
tag: 1.18.5
updateStrategyType: "RollingUpdate"
logLevel: debug
logFormat: standard
resources:
requests:
cpu: 50m
memory: 512Mi
ingress:
enabled: false
route:
enabled: false
authDelegator:
enabled: false
readinessProbe:
enabled: true
port: 8200
livenessProbe:
enabled: false
volumes:
- name: vault-nfs-storage-backup
persistentVolumeClaim:
claimName: vault-nfs-storage-backup
volumeMounts:
- mountPath: /opt/backups/
name: vault-nfs-storage-backup
readOnly: false
affinity: |
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}
app.kubernetes.io/instance: "{{ .Release.Name }}"
component: server
topologyKey: kubernetes.io/hostname
networkPolicy:
enabled: false
service:
enabled: true
active:
enabled: true
standby:
enabled: false
type: ClusterIP
port: 8200
targetPort: 8200
dataStorage:
enabled: true
size: 1Gi
mountPath: "/vault/data"
accessMode: ReadWriteOnce
auditStorage:
enabled: false
size: 5Gi
mountPath: "/vault/audit"
accessMode: ReadWriteOnce
dev:
enabled: false
standalone:
enabled: false
ha:
enabled: true
replicas: 3
raft:
enabled: true
config: |
ui = true
listener "tcp" {
tls_disable = 1
address = "[::]:8200"
cluster_address = "[::]:8201"
telemetry {
unauthenticated_metrics_access = "true"
}
}
storage "raft" {
path = "/vault/data"
retry_join {
leader_api_addr = "http://vault-0.vault-internal:8200"
}
retry_join {
leader_api_addr = "http://vault-1.vault-internal:8200"
}
retry_join {
leader_api_addr = "http://vault-2.vault-internal:8200"
}
}
service_registration "kubernetes" {}
telemetry {
prometheus_retention_time = "30s"
disable_hostname = true
}
disruptionBudget:
enabled: true
maxUnavailable: null
serviceAccount:
create: true
serviceDiscovery:
enabled: true
hostNetwork: false
ui:
enabled: true
publishNotReadyAddresses: true
activeVaultPodOnly: false
serviceType: "ClusterIP"
serviceNodePort: null
externalPort: 8200
targetPort: 8200
csi:
enabled: false
serverTelemetry:
serviceMonitor:
enabled: true
interval: 30s
scrapeTimeout: 10s
prometheusRules:
enabled: true
rules:
- alert: vault-HighResponseTime
annotations:
message: The response time of Vault is over 500ms on average over the last 5 minutes.
expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500
for: 5m
labels:
severity: warning
- alert: vault-HighResponseTime
annotations:
message: The response time of Vault is over 1s on average over the last 5 minutes.
expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000
for: 5m
labels:
severity: critical
# snapshot:
# global:
# fullnameOverride: vault-snapshot
# controllers:
# snapshot:
# type: cronjob
# cronjob:
# suspend: false
# concurrencyPolicy: Forbid
# timeZone: US/Central
# schedule: 0 4 * * *
# startingDeadlineSeconds: 90
# successfulJobsHistory: 3
# failedJobsHistory: 3
# backoffLimit: 3
# parallelism: 1
# initContainers:
# snapshot:
# image:
# repository: hashicorp/vault
# tag: 1.18.5
# pullPolicy: IfNotPresent
# command:
# - /bin/ash
# args:
# - -ec
# - |
# apk add --no-cache jq;
# export VAULT_TOKEN=$(vault write auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID -format=json | jq -r .auth.client_token);
# vault operator raft snapshot save /opt/backup/vault-snapshot-latest.snap;
# cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap;
# cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-s3.snap;
# envFrom:
# - secretRef:
# name: vault-snapshot-agent-token
# env:
# - name: VAULT_ADDR
# value: http://vault-active.vault.svc.cluster.local:8200
# resources:
# requests:
# cpu: 10m
# memory: 64Mi
# containers:
# backup:
# image:
# repository: d3fk/s3cmd
# tag: latest@sha256:4bdc8e5817cbdd048e6dc487f42e3d96a6b58af69b4be6f256de5e2416da90e9
# pullPolicy: IfNotPresent
# command:
# - /bin/sh
# args:
# - -ec
# - |
# s3cmd put --no-check-md5 --no-check-certificate /opt/backup/vault-snapshot-s3.snap s3://vault-backups-bcc1e1433e0ce4be526561cb/cl01tl/cl01tl-vault-snapshots/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap;
# rm -f /opt/backup/vault-snapshot-s3.snap;
# envFrom:
# - secretRef:
# name: vault-snapshot-s3
# resources:
# requests:
# cpu: 10m
# memory: 64Mi
# serviceAccount:
# create: true
# persistence:
# config:
# existingClaim: vault-nfs-storage-backup
# advancedMounts:
# snapshot:
# snapshot:
# - path: /opt/backup
# readOnly: false
# backup:
# - path: /opt/backup
# readOnly: false
# s3cmd-config:
# enabled: true
# type: secret
# name: vault-s3cmd-config
# advancedMounts:
# snapshot:
# backup:
# - path: /root/.s3cfg
# readOnly: true
# mountPropagation: None
# subPath: .s3cfg
# unseal:
# global:
# fullnameOverride: vault-unseal
# controllers:
# unseal-1:
# type: deployment
# replicas: 1
# strategy: Recreate
# revisionHistoryLimit: 3
# containers:
# main:
# image:
# repository: ghcr.io/lrstanley/vault-unseal
# tag: 0.7.0
# pullPolicy: IfNotPresent
# envFrom:
# - secretRef:
# name: vault-unseal-config-1
# resources:
# requests:
# cpu: 10m
# memory: 24Mi
# unseal-2:
# type: deployment
# replicas: 1
# strategy: Recreate
# revisionHistoryLimit: 3
# containers:
# main:
# image:
# repository: ghcr.io/lrstanley/vault-unseal
# tag: 0.7.0
# pullPolicy: IfNotPresent
# envFrom:
# - secretRef:
# name: vault-unseal-config-2
# resources:
# requests:
# cpu: 10m
# memory: 24Mi
# unseal-3:
# type: deployment
# replicas: 1
# strategy: Recreate
# revisionHistoryLimit: 3
# containers:
# main:
# image:
# repository: ghcr.io/lrstanley/vault-unseal
# tag: 0.7.0
# pullPolicy: IfNotPresent
# envFrom:
# - secretRef:
# name: vault-unseal-config-3
# resources:
# requests:
# cpu: 10m
# memory: 24Mi
# serviceAccount:
# create: true