add vault

2025-03-02 22:09:12 -06:00
parent 1dd674535d
commit 0ac0009854
11 changed files with 750 additions and 735 deletions
--- a/clusters/cl01tl/platform/vault/values.yaml
+++ b/clusters/cl01tl/platform/vault/values.yaml
@@ -0,0 +1,298 @@
+vault:
+  global:
+    enabled: true
+    tlsDisable: true
+    psp:
+      enable: false
+    serverTelemetry:
+      prometheusOperator: true
+  injector:
+    enabled: false
+  server:
+    enabled: true
+    image:
+      repository: hashicorp/vault
+      tag: 1.18.5
+    updateStrategyType: "RollingUpdate"
+    logLevel: debug
+    logFormat: standard
+    resources:
+      requests:
+        cpu: 50m
+        memory: 512Mi
+    ingress:
+      enabled: false
+    route:
+      enabled: false
+    authDelegator:
+      enabled: false
+    readinessProbe:
+      enabled: true
+      port: 8200
+    livenessProbe:
+      enabled: false
+    volumes:
+      - name: vault-nfs-storage-backup
+        persistentVolumeClaim:
+          claimName: vault-nfs-storage-backup
+    volumeMounts:
+      - mountPath: /opt/backups/
+        name: vault-nfs-storage-backup
+        readOnly: false
+    affinity: |
+      podAntiAffinity:
+        requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchLabels:
+                app.kubernetes.io/name: {{ template "vault.name" . }}
+                app.kubernetes.io/instance: "{{ .Release.Name }}"
+                component: server
+            topologyKey: kubernetes.io/hostname
+    networkPolicy:
+      enabled: false
+    service:
+      enabled: true
+      active:
+        enabled: true
+      standby:
+        enabled: false
+      type: ClusterIP
+      port: 8200
+      targetPort: 8200
+    dataStorage:
+      enabled: true
+      size: 1Gi
+      mountPath: "/vault/data"
+      accessMode: ReadWriteOnce
+    auditStorage:
+      enabled: false
+      size: 5Gi
+      mountPath: "/vault/audit"
+      accessMode: ReadWriteOnce
+    dev:
+      enabled: false
+    standalone:
+      enabled: false
+    ha:
+      enabled: true
+      replicas: 3
+      raft:
+        enabled: true
+        config: |
+          ui = true
+
+          listener "tcp" {
+            tls_disable = 1
+            address = "[::]:8200"
+            cluster_address = "[::]:8201"
+            telemetry {
+              unauthenticated_metrics_access = "true"
+            }
+          }
+
+          storage "raft" {
+            path = "/vault/data"
+            retry_join {
+              leader_api_addr = "http://vault-0.vault-internal:8200"
+            }
+            retry_join {
+              leader_api_addr = "http://vault-1.vault-internal:8200"
+            }
+            retry_join {
+              leader_api_addr = "http://vault-2.vault-internal:8200"
+            }
+          }
+
+          service_registration "kubernetes" {}
+
+          telemetry {
+            prometheus_retention_time = "30s"
+            disable_hostname = true
+          }
+
+      disruptionBudget:
+        enabled: true
+        maxUnavailable: null
+    serviceAccount:
+      create: true
+      serviceDiscovery:
+        enabled: true
+    hostNetwork: false
+  ui:
+    enabled: true
+    publishNotReadyAddresses: true
+    activeVaultPodOnly: false
+    serviceType: "ClusterIP"
+    serviceNodePort: null
+    externalPort: 8200
+    targetPort: 8200
+  csi:
+    enabled: false
+  serverTelemetry:
+    serviceMonitor:
+      enabled: true
+      interval: 30s
+      scrapeTimeout: 10s
+    prometheusRules:
+      enabled: true
+      rules:
+        - alert: vault-HighResponseTime
+          annotations:
+            message: The response time of Vault is over 500ms on average over the last 5 minutes.
+          expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500
+          for: 5m
+          labels:
+            severity: warning
+        - alert: vault-HighResponseTime
+          annotations:
+            message: The response time of Vault is over 1s on average over the last 5 minutes.
+          expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000
+          for: 5m
+          labels:
+            severity: critical
+# snapshot:
+#   global:
+#     fullnameOverride: vault-snapshot
+#   controllers:
+#     snapshot:
+#       type: cronjob
+#       cronjob:
+#         suspend: false
+#         concurrencyPolicy: Forbid
+#         timeZone: US/Central
+#         schedule: 0 4 * * *
+#         startingDeadlineSeconds: 90
+#         successfulJobsHistory: 3
+#         failedJobsHistory: 3
+#         backoffLimit: 3
+#         parallelism: 1
+#       initContainers:
+#         snapshot:
+#           image:
+#             repository: hashicorp/vault
+#             tag: 1.18.5
+#             pullPolicy: IfNotPresent
+#           command:
+#             - /bin/ash
+#           args:
+#             - -ec
+#             - |
+#               apk add --no-cache jq;
+#               export VAULT_TOKEN=$(vault write auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID -format=json | jq -r .auth.client_token);
+#               vault operator raft snapshot save /opt/backup/vault-snapshot-latest.snap;
+#               cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap;
+#               cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-s3.snap;
+#           envFrom:
+#             - secretRef:
+#                 name: vault-snapshot-agent-token
+#           env:
+#             - name: VAULT_ADDR
+#               value: http://vault-active.vault.svc.cluster.local:8200
+#           resources:
+#             requests:
+#               cpu: 10m
+#               memory: 64Mi
+#       containers:
+#         backup:
+#           image:
+#             repository: d3fk/s3cmd
+#             tag: latest@sha256:4bdc8e5817cbdd048e6dc487f42e3d96a6b58af69b4be6f256de5e2416da90e9
+#             pullPolicy: IfNotPresent
+#           command:
+#             - /bin/sh
+#           args:
+#             - -ec
+#             - |
+#               s3cmd put --no-check-md5 --no-check-certificate /opt/backup/vault-snapshot-s3.snap s3://vault-backups-bcc1e1433e0ce4be526561cb/cl01tl/cl01tl-vault-snapshots/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap;
+#               rm -f /opt/backup/vault-snapshot-s3.snap;
+#           envFrom:
+#             - secretRef:
+#                 name: vault-snapshot-s3
+#           resources:
+#             requests:
+#               cpu: 10m
+#               memory: 64Mi
+#   serviceAccount:
+#     create: true
+#   persistence:
+#     config:
+#       existingClaim: vault-nfs-storage-backup
+#       advancedMounts:
+#         snapshot:
+#           snapshot:
+#             - path: /opt/backup
+#               readOnly: false
+#           backup:
+#             - path: /opt/backup
+#               readOnly: false
+#     s3cmd-config:
+#       enabled: true
+#       type: secret
+#       name: vault-s3cmd-config
+#       advancedMounts:
+#         snapshot:
+#           backup:
+#             - path: /root/.s3cfg
+#               readOnly: true
+#               mountPropagation: None
+#               subPath: .s3cfg
+# unseal:
+#   global:
+#     fullnameOverride: vault-unseal
+#   controllers:
+#     unseal-1:
+#       type: deployment
+#       replicas: 1
+#       strategy: Recreate
+#       revisionHistoryLimit: 3
+#       containers:
+#         main:
+#           image:
+#             repository: ghcr.io/lrstanley/vault-unseal
+#             tag: 0.7.0
+#             pullPolicy: IfNotPresent
+#           envFrom:
+#             - secretRef:
+#                 name: vault-unseal-config-1
+#           resources:
+#             requests:
+#               cpu: 10m
+#               memory: 24Mi
+#     unseal-2:
+#       type: deployment
+#       replicas: 1
+#       strategy: Recreate
+#       revisionHistoryLimit: 3
+#       containers:
+#         main:
+#           image:
+#             repository: ghcr.io/lrstanley/vault-unseal
+#             tag: 0.7.0
+#             pullPolicy: IfNotPresent
+#           envFrom:
+#             - secretRef:
+#                 name: vault-unseal-config-2
+#           resources:
+#             requests:
+#               cpu: 10m
+#               memory: 24Mi
+#     unseal-3:
+#       type: deployment
+#       replicas: 1
+#       strategy: Recreate
+#       revisionHistoryLimit: 3
+#       containers:
+#         main:
+#           image:
+#             repository: ghcr.io/lrstanley/vault-unseal
+#             tag: 0.7.0
+#             pullPolicy: IfNotPresent
+#           envFrom:
+#             - secretRef:
+#                 name: vault-unseal-config-3
+#           resources:
+#             requests:
+#               cpu: 10m
+#               memory: 24Mi
+#   serviceAccount:
+#     create: true