diff --git a/clusters/cl01tl/helm/blocky/values.yaml b/clusters/cl01tl/helm/blocky/values.yaml
index cbf61edf7..8f7082a28 100644
--- a/clusters/cl01tl/helm/blocky/values.yaml
+++ b/clusters/cl01tl/helm/blocky/values.yaml
@@ -164,7 +164,6 @@ blocky:
 sparkyfitness IN CNAME traefik-cl01tl
 tdarr IN CNAME traefik-cl01tl
 tubearchivist IN CNAME traefik-cl01tl
- vault IN CNAME traefik-cl01tl
 whodb IN CNAME traefik-cl01tl
 yamtrack IN CNAME traefik-cl01tl
 yubal IN CNAME traefik-cl01tl
diff --git a/clusters/cl01tl/helm/gatus/values.yaml b/clusters/cl01tl/helm/gatus/values.yaml
index 72437d00f..6ba324033 100644
--- a/clusters/cl01tl/helm/gatus/values.yaml
+++ b/clusters/cl01tl/helm/gatus/values.yaml
@@ -258,9 +258,6 @@ gatus:
 - name: whodb
 url: https://whodb.alexlebens.net
 <<: *defaults
- - name: vault
- url: https://vault.alexlebens.net
- <<: *defaults
 - name: openbao
 url: https://bao.alexlebens.net
 <<: *defaults
diff --git a/clusters/cl01tl/helm/grafana-operator/templates/grafana-dashboard.yaml b/clusters/cl01tl/helm/grafana-operator/templates/grafana-dashboard.yaml
index 2dd2a5a1e..78931483a 100644
--- a/clusters/cl01tl/helm/grafana-operator/templates/grafana-dashboard.yaml
+++ b/clusters/cl01tl/helm/grafana-operator/templates/grafana-dashboard.yaml
@@ -591,24 +591,6 @@ spec: resyncPeriod: 6h url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/platform/rclone.json ---- -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaDashboard -metadata: - name: grafana-dashboard-vault - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: grafana-dashboard-vault - {{- include "custom.labels" . | nindent 4 }} -spec: - instanceSelector: - matchLabels: - app: grafana-main - contentCacheDuration: 6h - folderUID: grafana-folder-platform - resyncPeriod: 6h - url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/platform/vault.json - --- apiVersion: grafana.integreatly.org/v1beta1 kind: GrafanaDashboard
diff --git a/clusters/cl01tl/helm/homepage/values.yaml b/clusters/cl01tl/helm/homepage/values.yaml
index 9d5c69b36..05f653127 100644
--- a/clusters/cl01tl/helm/homepage/values.yaml
+++ b/clusters/cl01tl/helm/homepage/values.yaml
@@ -601,18 +601,6 @@ homepage:
 href: https://whodb.alexlebens.net
 siteMonitor: http://whodb.whodb:80
 statusStyle: dot
- - Secrets:
- icon: sh-hashicorp-vault.webp
- description: Vault
- href: https://vault.alexlebens.net
- siteMonitor: http://vault.vault:8200
- statusStyle: dot
- namespace: vault
- app: vault
- podSelector: >-
- app.kubernetes.io/instance in (
- vault
- )
 - Secrets:
 icon: sh-openbao.webp
 description: OpenBao
diff --git a/clusters/cl01tl/helm/vault/Chart.lock b/clusters/cl01tl/helm/vault/Chart.lock
deleted file mode 100644
index b7c9bfc55..000000000
--- a/clusters/cl01tl/helm/vault/Chart.lock
+++ /dev/null
@@ -1,12 +0,0 @@
-dependencies:
-- name: vault
- repository: https://helm.releases.hashicorp.com
- version: 0.32.0
-- name: app-template
- repository: https://bjw-s-labs.github.io/helm-charts/
- version: 5.0.1
-- name: app-template
- repository: https://bjw-s-labs.github.io/helm-charts/
- version: 5.0.1
-digest: sha256:c555a9afad1b13f96d7a94c98182312fae388ab55b26cf177b15a0a4192e879f
-generated: "2026-05-15T00:42:01.447358515Z"
diff --git a/clusters/cl01tl/helm/vault/Chart.yaml b/clusters/cl01tl/helm/vault/Chart.yaml
deleted file mode 100644
index a05fbdd64..000000000
--- a/clusters/cl01tl/helm/vault/Chart.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-apiVersion: v2
-name: vault
-version: 1.0.0
-description: Vault
-keywords:
- - vault
- - secrets
-home: https://docs.alexlebens.dev/applications/vault/
-sources:
- - https://github.com/hashicorp/vault
- - https://github.com/Angatar/s3cmd
- - https://github.com/lrstanley/vault-unseal
- - https://hub.docker.com/r/hashicorp/vault
- - https://hub.docker.com/r/d3fk/s3cmd/
- - https://github.com/lrstanley/vault-unseal/pkgs/container/vault-unseal
- - https://github.com/hashicorp/vault-helm
- - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
-maintainers:
- - name: alexlebens
-dependencies:
- - name: vault
- version: 0.32.0
- repository: https://helm.releases.hashicorp.com
- - name: app-template
- alias: snapshot
- repository: https://bjw-s-labs.github.io/helm-charts/
- version: 5.0.1
- - name: app-template
- alias: unseal
- repository: https://bjw-s-labs.github.io/helm-charts/
- version: 5.0.1
-icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/hashicorp-vault.png
-# renovate: datasource=github-releases depName=hashicorp/vault
-appVersion: 2.0.1
diff --git a/clusters/cl01tl/helm/vault/templates/_helpers.tpl b/clusters/cl01tl/helm/vault/templates/_helpers.tpl
deleted file mode 100644
index 9505d8172..000000000
--- a/clusters/cl01tl/helm/vault/templates/_helpers.tpl
+++ /dev/null
@@ -1,21 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-ServiceAccount names
-*/}}
-{{- define "custom.serviceAccountName" -}}
-vault
-{{- end -}}
diff --git a/clusters/cl01tl/helm/vault/templates/config-map.yaml b/clusters/cl01tl/helm/vault/templates/config-map.yaml
deleted file mode 100644
index d2ca27929..000000000
--- a/clusters/cl01tl/helm/vault/templates/config-map.yaml
+++ /dev/null
@@ -1,49 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: vault-snapshot-script
- namespace: {{ .Release.Namespace }}
- labels:
- app.kubernetes.io/name: vault-snapshot-script
- {{- include "custom.labels" . | nindent 4 }}
-data:
- snapshot.sh: |
- DATE=$(date +"%Y%m%d-%H-%M")
-
- echo " "
- echo ">> Running Vault Snapshot Script ..."
-
- echo " "
- echo ">> Fetching Vault token ..."
- export VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID)
-
- if [ -z "$VAULT_TOKEN" ]; then
- echo ">> ERROR: Failed to fetch Vault token! Exiting..."
- exit 1
- fi
-
- echo " "
- echo ">> Taking Vault snapshot ..."
- vault operator raft snapshot save /opt/backup/vault-snapshot-$DATE.snap
-
- echo " "
- echo ">> Setting ownership of Vault snapshot ..."
- chown 100:1000 /opt/backup/vault-snapshot-$DATE.snap
-
- echo " "
- echo ">> Completed Vault snapshot"
-
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: vault-backup-script
- namespace: {{ .Release.Namespace }}
- labels:
- app.kubernetes.io/name: vault-backup-script
- {{- include "custom.labels" . | nindent 4 }}
-data:
- backup.sh: |
- echo " ";
- echo ">> Running S3 backup for Vault snapshot";
- OUTPUT=$(s3cmd sync --no-check-certificate -v /opt/backup/* "${BUCKET}/cl01tl/cl01tl-vault-snapshots/" 2>&1)
diff --git a/clusters/cl01tl/helm/vault/templates/external-secret.yaml b/clusters/cl01tl/helm/vault/templates/external-secret.yaml
deleted file mode 100644
index 197c31f01..000000000
--- a/clusters/cl01tl/helm/vault/templates/external-secret.yaml
+++ /dev/null
@@ -1,215 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: vault-token - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: vault-token - {{- include "custom.labels" . | nindent 4 }} -spec: - secretStoreRef: - kind: ClusterSecretStore - name: openbao - data: - - secretKey: token - remoteRef: - key: /cl01tl/vault/token - property: root - ---- -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: vault-snapshot-agent-role - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: vault-snapshot-agent-role - {{- include "custom.labels" . | nindent 4 }} -spec: - secretStoreRef: - kind: ClusterSecretStore - name: openbao - data: - - secretKey: VAULT_APPROLE_ROLE_ID - remoteRef: - key: /cl01tl/vault/role/snapshot - property: role-id - - secretKey: VAULT_APPROLE_SECRET_ID - remoteRef: - key: /cl01tl/vault/role/snapshot - property: secret-id - ---- -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: vault-backup-local-config - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: vault-backup-local-config - {{- include "custom.labels" . | nindent 4 }} -spec: - secretStoreRef: - kind: ClusterSecretStore - name: openbao - data: - - secretKey: BUCKET - remoteRef: - key: /garage/home-infra/vault-backups - property: BUCKET_PATH - ---- -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: vault-backup-remote-config - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: vault-backup-remote-config - {{- include "custom.labels" . 
| nindent 4 }} -spec: - secretStoreRef: - kind: ClusterSecretStore - name: openbao - data: - - secretKey: BUCKET - remoteRef: - key: /garage/home-infra/vault-backups - property: BUCKET_PATH - ---- -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: vault-unseal-config-1 - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: vault-unseal-config-1 - {{- include "custom.labels" . | nindent 4 }} -spec: - secretStoreRef: - kind: ClusterSecretStore - name: openbao - data: - - secretKey: ENVIRONMENT - remoteRef: - key: /cl01tl/vault/unseal - property: environment - - secretKey: NODES - remoteRef: - key: /cl01tl/vault/unseal - property: nodes - - secretKey: TOKENS - remoteRef: - key: /cl01tl/vault/unseal - property: tokens-1 - ---- -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: vault-unseal-config-2 - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: vault-unseal-config-2 - {{- include "custom.labels" . | nindent 4 }} -spec: - secretStoreRef: - kind: ClusterSecretStore - name: openbao - data: - - secretKey: ENVIRONMENT - remoteRef: - key: /cl01tl/vault/unseal - property: environment - - secretKey: NODES - remoteRef: - key: /cl01tl/vault/unseal - property: nodes - - secretKey: TOKENS - remoteRef: - key: /cl01tl/vault/unseal - property: tokens-2 - ---- -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: vault-unseal-config-3 - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: vault-unseal-config-3 - {{- include "custom.labels" . 
| nindent 4 }} -spec: - secretStoreRef: - kind: ClusterSecretStore - name: openbao - data: - - secretKey: ENVIRONMENT - remoteRef: - key: /cl01tl/vault/unseal - property: environment - - secretKey: NODES - remoteRef: - key: /cl01tl/vault/unseal - property: nodes - - secretKey: TOKENS - remoteRef: - key: /cl01tl/vault/unseal - property: tokens-3 - ---- -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: vault-ntfy-config - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: vault-ntfy-config - {{- include "custom.labels" . | nindent 4 }} -spec: - secretStoreRef: - kind: ClusterSecretStore - name: openbao - data: - - secretKey: NTFY_TOKEN - remoteRef: - key: /cl01tl/ntfy/users/cl01tl - property: token - - secretKey: NTFY_ENDPOINT - remoteRef: - key: /cl01tl/ntfy/config - property: internal-endpoint - - secretKey: NTFY_TOPIC - remoteRef: - key: /cl01tl/ntfy/topics - property: vault - ---- -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: vault-ntfy-unseal-config - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: vault-ntfy-unseal-config - {{- include "custom.labels" . | nindent 4 }} -spec: - secretStoreRef: - kind: ClusterSecretStore - name: openbao - target: - template: - mergePolicy: Merge - engineVersion: v2 - data: - NOTIFY_QUEUE_URLS: "{{ `{{ .endpoint }}` }}/{{ `{{ .topic }}` }}/?priority=4&tags=vault,unseal&title=Vault+Unsealed" - data: - - secretKey: endpoint - remoteRef: - key: /cl01tl/ntfy/users/cl01tl - property: internal-endpoint-credential - - secretKey: topic - remoteRef: - key: /cl01tl/ntfy/topics - property: vault diff --git a/clusters/cl01tl/helm/vault/templates/http-route.yaml b/clusters/cl01tl/helm/vault/templates/http-route.yaml deleted file mode 100644 index f849fc6ae..000000000 --- a/clusters/cl01tl/helm/vault/templates/http-route.yaml +++ /dev/null 
@@ -1,26 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
- name: vault
- namespace: {{ .Release.Namespace }}
- labels:
- app.kubernetes.io/name: vault
- {{- include "custom.labels" . | nindent 4 }}
-spec:
- parentRefs:
- - group: gateway.networking.k8s.io
- kind: Gateway
- name: traefik-gateway
- namespace: traefik
- hostnames:
- - vault.alexlebens.net
- rules:
- - matches:
- - path:
- type: PathPrefix
- value: /
- backendRefs:
- - group: ''
- kind: Service
- name: vault-active
- port: 8200
diff --git a/clusters/cl01tl/helm/vault/templates/ingress.yaml b/clusters/cl01tl/helm/vault/templates/ingress.yaml
deleted file mode 100644
index 213450d0d..000000000
--- a/clusters/cl01tl/helm/vault/templates/ingress.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: vault-tailscale
- namespace: {{ .Release.Namespace }}
- labels:
- app.kubernetes.io/name: vault-tailscale
- {{- include "custom.labels" . | nindent 4 }}
- tailscale.com/proxy-class: no-metrics
- annotations:
- tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
-spec:
- ingressClassName: tailscale
- tls:
- - hosts:
- - vault-cl01tl
- secretName: vault-cl01tl
- rules:
- - host: vault-cl01tl
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: vault-active
- port:
- number: 8200
diff --git a/clusters/cl01tl/helm/vault/templates/persistent-volume-claim.yaml b/clusters/cl01tl/helm/vault/templates/persistent-volume-claim.yaml
deleted file mode 100644
index 50c9e48e8..000000000
--- a/clusters/cl01tl/helm/vault/templates/persistent-volume-claim.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
- name: vault-storage-backup
- namespace: {{ .Release.Namespace }}
- labels:
- app.kubernetes.io/name: vault-storage-backup
- {{- include "custom.labels" . | nindent 4 }}
-spec:
- volumeMode: Filesystem
- storageClassName: ceph-filesystem
- accessModes:
- - ReadWriteMany
- resources:
- requests:
- storage: 1Gi
diff --git a/clusters/cl01tl/helm/vault/templates/secret-provider-class.yaml b/clusters/cl01tl/helm/vault/templates/secret-provider-class.yaml
deleted file mode 100644
index f0844281a..000000000
--- a/clusters/cl01tl/helm/vault/templates/secret-provider-class.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-apiVersion: secrets-store.csi.x-k8s.io/v1
-kind: SecretProviderClass
-metadata:
- name: vault-backup-local-config
- namespace: {{ .Release.Namespace }}
- labels:
- app.kubernetes.io/name: vault-backup-local-config
- {{- include "custom.labels" . | nindent 4 }}
-spec:
- provider: openbao
- parameters:
- baoAddress: "http://openbao-internal.openbao:8200"
- roleName: vault
- objects: |
- - objectName: .s3cfg
- fileName: .s3cfg
- secretPath: secret/data/garage/home-infra/vault-backups
- secretKey: s3cfg-local
-
----
-apiVersion: secrets-store.csi.x-k8s.io/v1
-kind: SecretProviderClass
-metadata:
- name: vault-backup-remote-config
- namespace: {{ .Release.Namespace }}
- labels:
- app.kubernetes.io/name: vault-backup-remote-config
- {{- include "custom.labels" . | nindent 4 }}
-spec:
- provider: openbao
- parameters:
- baoAddress: "http://openbao-internal.openbao:8200"
- roleName: vault
- objects: |
- - objectName: .s3cfg
- fileName: .s3cfg
- secretPath: secret/data/garage/home-infra/vault-backups
- secretKey: s3cfg-remote
diff --git a/clusters/cl01tl/helm/vault/templates/service-account.yaml b/clusters/cl01tl/helm/vault/templates/service-account.yaml
deleted file mode 100644
index 5db759b3e..000000000
--- a/clusters/cl01tl/helm/vault/templates/service-account.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "custom.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- app.kubernetes.io/name: {{ include "custom.serviceAccountName" . }}
- {{- include "custom.labels" . | nindent 4 }}
diff --git a/clusters/cl01tl/helm/vault/values.yaml b/clusters/cl01tl/helm/vault/values.yaml
deleted file mode 100644
index 0931c74f9..000000000
--- a/clusters/cl01tl/helm/vault/values.yaml
+++ /dev/null
@@ -1,314 +0,0 @@ -vault: - global: - serverTelemetry: - prometheusOperator: true - injector: - enabled: false - server: - enabled: true - image: - repository: hashicorp/vault - tag: 2.0.1@sha256:7553550027156b8f04e81f61a98c3f53a7bce57104f2a400e2012c851f66ac19 - updateStrategyType: RollingUpdate - logLevel: debug - logFormat: standard - resources: - requests: - cpu: 50m - memory: 512Mi - authDelegator: - enabled: false - livenessProbe: - enabled: false - volumes: - - name: vault-storage-backup - persistentVolumeClaim: - claimName: vault-storage-backup - volumeMounts: - - mountPath: /opt/backups/ - name: vault-storage-backup - readOnly: false - dataStorage: - size: 1Gi - storageClass: ceph-block - auditStorage: - enabled: false - size: 5Gi - storageClass: ceph-block - standalone: - enabled: false - ha: - enabled: true - raft: - enabled: true - config: | - ui = true - - listener "tcp" { - tls_disable = 1 - address = "[::]:8200" - cluster_address = "[::]:8201" - telemetry { - unauthenticated_metrics_access = "true" - } - } - - storage "raft" { - path = "/vault/data" - retry_join { - leader_api_addr = "http://vault-0.vault-internal:8200" - } - retry_join { - leader_api_addr = "http://vault-1.vault-internal:8200" - } - retry_join { - leader_api_addr = "http://vault-2.vault-internal:8200" - } - } - - service_registration "kubernetes" {} - - telemetry { - prometheus_retention_time = "30s" - disable_hostname = true - } - disruptionBudget: - enabled: true - maxUnavailable: 1 - serverTelemetry: - serviceMonitor: - enabled: true - prometheusRules: - enabled: true - rules: - - alert: vault-HighResponseTime - annotations: - message: The response time of Vault is over 500ms on average over the last 5 minutes. - expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500 - for: 5m - labels: - severity: warning - - alert: vault-HighResponseTime - annotations: - message: The response time of Vault is over 1s on average over the last 5 minutes. 
- expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000 - for: 5m - labels: - severity: critical -snapshot: - global: - fullnameOverride: vault-snapshot - controllers: - snapshot: - type: cronjob - pod: - automountServiceAccountToken: true - cronjob: - suspend: false - timeZone: America/Chicago - schedule: 0 4 * * * - backoffLimit: 3 - parallelism: 1 - initContainers: - snapshot: - image: - repository: hashicorp/vault - tag: 2.0.1@sha256:7553550027156b8f04e81f61a98c3f53a7bce57104f2a400e2012c851f66ac19 - command: - - /bin/ash - args: - - -ec - - /scripts/snapshot.sh - envFrom: - - secretRef: - name: vault-snapshot-agent-role - env: - - name: VAULT_ADDR - value: http://vault-active.vault.svc.cluster.local:8200 - containers: - s3-backup-local: - image: - repository: d3fk/s3cmd - tag: latest@sha256:d66cc5677b30b31a7981f9fde0af064a9072e8b8a57d5e9b4cc02f44f02acbf2 - command: - - /bin/sh - args: - - -ec - - /scripts/backup.sh - envFrom: - - secretRef: - name: vault-ntfy-config - env: - - name: BUCKET - valueFrom: - secretKeyRef: - name: vault-backup-local-config - key: BUCKET - - name: TARGET - value: Local - s3-backup-remote: - image: - repository: d3fk/s3cmd - tag: latest@sha256:d66cc5677b30b31a7981f9fde0af064a9072e8b8a57d5e9b4cc02f44f02acbf2 - command: - - /bin/sh - args: - - -ec - - /scripts/backup.sh - envFrom: - - secretRef: - name: vault-ntfy-config - env: - - name: BUCKET - valueFrom: - secretKeyRef: - name: vault-backup-remote-config - key: BUCKET - - name: TARGET - value: Remote - persistence: - snapshot-script: - enabled: true - type: configMap - name: vault-snapshot-script - defaultMode: 0755 - advancedMounts: - snapshot: - snapshot: - - path: /scripts/snapshot.sh - subPath: snapshot.sh - backup-script: - enabled: true - type: configMap - name: vault-backup-script - defaultMode: 0755 - advancedMounts: - snapshot: - s3-backup-local: - - path: /scripts/backup.sh - subPath: backup.sh - s3-backup-remote: - - path: /scripts/backup.sh - 
subPath: backup.sh - s3-backup-external: - - path: /scripts/backup.sh - subPath: backup.sh - backup-local-config: - type: custom - volumeSpec: - csi: - driver: secrets-store.csi.k8s.io - readOnly: true - volumeAttributes: - secretProviderClass: vault-backup-local-config - advancedMounts: - snapshot: - s3-backup-local: - - path: /root/.s3cfg - readOnly: true - mountPropagation: None - subPath: .s3cfg - backup-remote-config: - type: custom - volumeSpec: - csi: - driver: secrets-store.csi.k8s.io - readOnly: true - volumeAttributes: - secretProviderClass: vault-backup-remote-config - advancedMounts: - snapshot: - s3-backup-remote: - - path: /root/.s3cfg - readOnly: true - mountPropagation: None - subPath: .s3cfg - backup-external-config: - type: custom - volumeSpec: - csi: - driver: secrets-store.csi.k8s.io - readOnly: true - volumeAttributes: - secretProviderClass: vault-backup-external-config - advancedMounts: - snapshot: - s3-backup-external: - - path: /root/.s3cfg - readOnly: true - mountPropagation: None - subPath: .s3cfg - backup: - existingClaim: vault-storage-backup - advancedMounts: - snapshot: - snapshot: - - path: /opt/backup - readOnly: false - s3-backup-local: - - path: /opt/backup - readOnly: false - s3-backup-remote: - - path: /opt/backup - readOnly: false - s3-backup-external: - - path: /opt/backup - readOnly: false -unseal: - global: - fullnameOverride: vault-unseal - controllers: - unseal-1: - type: deployment - replicas: 1 - strategy: Recreate - containers: - main: - image: - repository: ghcr.io/lrstanley/vault-unseal - tag: 1.0.0@sha256:9b936fadc8dea2a473972806bffc218a4dd2fbc3b373566138a60e058cc544aa - envFrom: - - secretRef: - name: vault-unseal-config-1 - - secretRef: - name: vault-ntfy-unseal-config - resources: - requests: - cpu: 1m - memory: 10Mi - unseal-2: - type: deployment - replicas: 1 - strategy: Recreate - containers: - main: - image: - repository: ghcr.io/lrstanley/vault-unseal - tag: 
1.0.0@sha256:9b936fadc8dea2a473972806bffc218a4dd2fbc3b373566138a60e058cc544aa - envFrom: - - secretRef: - name: vault-unseal-config-2 - - secretRef: - name: vault-ntfy-unseal-config - resources: - requests: - cpu: 1m - memory: 10Mi - unseal-3: - type: deployment - replicas: 1 - strategy: Recreate - containers: - main: - image: - repository: ghcr.io/lrstanley/vault-unseal - tag: 1.0.0@sha256:9b936fadc8dea2a473972806bffc218a4dd2fbc3b373566138a60e058cc544aa - envFrom: - - secretRef: - name: vault-unseal-config-3 - - secretRef: - name: vault-ntfy-unseal-config - resources: - requests: - cpu: 1m - memory: 10Mi
diff --git a/hosts/ps08rp/blocky/config.yml b/hosts/ps08rp/blocky/config.yml
index 9e749919c..8922f4245 100644
--- a/hosts/ps08rp/blocky/config.yml
+++ b/hosts/ps08rp/blocky/config.yml
@@ -142,7 +142,6 @@ customDNS:
 sparkyfitness IN CNAME traefik-cl01tl
 tdarr IN CNAME traefik-cl01tl
 tubearchivist IN CNAME traefik-cl01tl
- vault IN CNAME traefik-cl01tl
 whodb IN CNAME traefik-cl01tl
 yamtrack IN CNAME traefik-cl01tl
 yubal IN CNAME traefik-cl01tl
diff --git a/hosts/ps09rp/blocky/config.yml b/hosts/ps09rp/blocky/config.yml
index 71ea5bbce..9f9f7fd13 100644
--- a/hosts/ps09rp/blocky/config.yml
+++ b/hosts/ps09rp/blocky/config.yml
@@ -163,7 +163,6 @@ customDNS:
 sparkyfitness IN CNAME traefik-cl01tl
 tdarr IN CNAME traefik-cl01tl
 tubearchivist IN CNAME traefik-cl01tl
- vault IN CNAME traefik-cl01tl
 whodb IN CNAME traefik-cl01tl
 yamtrack IN CNAME traefik-cl01tl
 yubal IN CNAME traefik-cl01tl