init

clusters/cl01tl/platform/vault/templates/cron-job.yaml

@@ -0,0 +1,64 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: vault-snapshot-cronjob
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: vault-snapshot-cronjob
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: storage
+    app.kubernetes.io/part-of: {{ .Release.Name }}  
+spec:
+  schedule: "@every 24h"
+  successfulJobsHistoryLimit: 3
+  failedJobsHistoryLimit: 3  
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          restartPolicy: OnFailure        
+          containers:
+            - name: snapshot
+              image: hashicorp/vault:1.16.2
+              imagePullPolicy: IfNotPresent
+              command:
+                - /bin/ash
+              args:
+                - -ec
+                - |
+                  apk add --no-cache jq;
+                  export VAULT_TOKEN=$(vault write auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID -format=json | jq -r .auth.client_token);
+                  vault operator raft snapshot save /opt/backup/vault-snapshot-latest.snap;
+                  cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap;
+                  cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-s3.snap;
+              envFrom:
+                - secretRef:
+                    name: vault-snapshot-agent-token
+              env:
+                - name: VAULT_ADDR
+                  value: http://vault-active.vault.svc.cluster.local:8200
+              volumeMounts:
+                - mountPath: /opt/backup
+                  name: backup
+            - name: upload
+              image: amazon/aws-cli:2.15.42
+              imagePullPolicy: IfNotPresent
+              command:
+                - /bin/sh
+              args:
+                - -ec
+                - |
+                  until [ -f /opt/backup/vault-snapshot-s3.snap ]; do sleep 5; done;
+                  aws s3 cp /opt/backup/vault-snapshot-s3.snap s3://cl01tl-vault-snapshots/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap;
+                  rm /opt/backup/vault-snapshot-s3.snap;
+              envFrom:
+                - secretRef:
+                    name: vault-snapshot-s3
+              volumeMounts:
+                - mountPath: /opt/backup
+                  name: backup
+          volumes:
+            - name: backup
+              persistentVolumeClaim:
+                claimName: vault-nfs-storage-backup                  

clusters/cl01tl/platform/vault/templates/ingress.yaml

@@ -0,0 +1,26 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: tailscale-cl01tl-vault-ui
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: tailscale-cl01tl-vault-ui
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: tailscale
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  ingressClassName: tailscale
+  tls:
+    - hosts:
+        - vault-cl01tl
+  rules:
+    - http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: vault-ui
+                port:
+                  name: http

clusters/cl01tl/platform/vault/templates/persistent-volume-claim.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: vault-nfs-storage-backup
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: vault-nfs-storage-backup
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: storage
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  volumeMode: Filesystem
+  storageClassName: nfs-client
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi