restore operations

2025-03-02 22:50:23 -06:00
parent 6802f95c05
commit 673d7860fb
2 changed files with 530 additions and 530 deletions


@@ -1,390 +1,390 @@
# apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret
# metadata:
# name: vault-snapshot-agent-token
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: vault-snapshot-agent-token
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: snapshot
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# secretStoreRef:
# kind: ClusterSecretStore
# name: vault
# data:
# - secretKey: VAULT_APPROLE_ROLE_ID
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/snapshot
# metadataPolicy: None
# property: VAULT_APPROLE_ROLE_ID
# - secretKey: VAULT_APPROLE_SECRET_ID
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/snapshot
# metadataPolicy: None
# property: VAULT_APPROLE_SECRET_ID
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vault-snapshot-agent-token
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-snapshot-agent-token
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: snapshot
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: VAULT_APPROLE_ROLE_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/snapshot
metadataPolicy: None
property: VAULT_APPROLE_ROLE_ID
- secretKey: VAULT_APPROLE_SECRET_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/snapshot
metadataPolicy: None
property: VAULT_APPROLE_SECRET_ID
# ---
# apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret
# metadata:
# name: vault-snapshot-s3
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: vault-snapshot-s3
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: snapshot
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# secretStoreRef:
# kind: ClusterSecretStore
# name: vault
# data:
# - secretKey: AWS_ACCESS_KEY_ID
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /digital-ocean/home-infra/vault-backup
# metadataPolicy: None
# property: AWS_ACCESS_KEY_ID
# - secretKey: AWS_SECRET_ACCESS_KEY
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /digital-ocean/home-infra/vault-backup
# metadataPolicy: None
# property: AWS_SECRET_ACCESS_KEY
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vault-snapshot-s3
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-snapshot-s3
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: snapshot
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/vault-backup
metadataPolicy: None
property: AWS_ACCESS_KEY_ID
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/vault-backup
metadataPolicy: None
property: AWS_SECRET_ACCESS_KEY
# ---
# apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret
# metadata:
# name: vault-s3cmd-config
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: vault-snapshot-s3
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: snapshot
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# secretStoreRef:
# kind: ClusterSecretStore
# name: vault
# data:
# - secretKey: .s3cfg
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/snapshot
# metadataPolicy: None
# property: s3cfg
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vault-s3cmd-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-snapshot-s3
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: snapshot
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: .s3cfg
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/snapshot
metadataPolicy: None
property: s3cfg
# ---
# apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret
# metadata:
# name: vault-unseal-config-1
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: vault-unseal-key-1
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: unseal
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# secretStoreRef:
# kind: ClusterSecretStore
# name: vault
# data:
# - secretKey: ENVIRONMENT
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None
# property: ENVIRONMENT
# - secretKey: CHECK_INTERVAL
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None
# property: CHECK_INTERVAL
# - secretKey: MAX_CHECK_INTERVAL
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None
# property: MAX_CHECK_INTERVAL
# - secretKey: NODES
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None
# property: NODES
# - secretKey: TLS_SKIP_VERIFY
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None
# property: TLS_SKIP_VERIFY
# - secretKey: TOKENS
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None
# property: TOKENS
# - secretKey: EMAIL_ENABLED
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None
# property: EMAIL_ENABLED
# - secretKey: NOTIFY_MAX_ELAPSED
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None
# property: NOTIFY_MAX_ELAPSED
# - secretKey: NOTIFY_QUEUE_DELAY
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None
# property: NOTIFY_QUEUE_DELAY
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vault-unseal-config-1
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-unseal-key-1
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: unseal
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ENVIRONMENT
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-1
metadataPolicy: None
property: ENVIRONMENT
- secretKey: CHECK_INTERVAL
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-1
metadataPolicy: None
property: CHECK_INTERVAL
- secretKey: MAX_CHECK_INTERVAL
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-1
metadataPolicy: None
property: MAX_CHECK_INTERVAL
- secretKey: NODES
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-1
metadataPolicy: None
property: NODES
- secretKey: TLS_SKIP_VERIFY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-1
metadataPolicy: None
property: TLS_SKIP_VERIFY
- secretKey: TOKENS
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-1
metadataPolicy: None
property: TOKENS
- secretKey: EMAIL_ENABLED
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-1
metadataPolicy: None
property: EMAIL_ENABLED
- secretKey: NOTIFY_MAX_ELAPSED
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-1
metadataPolicy: None
property: NOTIFY_MAX_ELAPSED
- secretKey: NOTIFY_QUEUE_DELAY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-1
metadataPolicy: None
property: NOTIFY_QUEUE_DELAY
# ---
# apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret
# metadata:
# name: vault-unseal-config-2
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: vault-unseal-key-2
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: unseal
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# secretStoreRef:
# kind: ClusterSecretStore
# name: vault
# data:
# - secretKey: ENVIRONMENT
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None
# property: ENVIRONMENT
# - secretKey: CHECK_INTERVAL
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None
# property: CHECK_INTERVAL
# - secretKey: MAX_CHECK_INTERVAL
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None
# property: MAX_CHECK_INTERVAL
# - secretKey: NODES
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None
# property: NODES
# - secretKey: TLS_SKIP_VERIFY
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None
# property: TLS_SKIP_VERIFY
# - secretKey: TOKENS
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None
# property: TOKENS
# - secretKey: EMAIL_ENABLED
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None
# property: EMAIL_ENABLED
# - secretKey: NOTIFY_MAX_ELAPSED
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None
# property: NOTIFY_MAX_ELAPSED
# - secretKey: NOTIFY_QUEUE_DELAY
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None
# property: NOTIFY_QUEUE_DELAY
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vault-unseal-config-2
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-unseal-key-2
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: unseal
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ENVIRONMENT
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-2
metadataPolicy: None
property: ENVIRONMENT
- secretKey: CHECK_INTERVAL
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-2
metadataPolicy: None
property: CHECK_INTERVAL
- secretKey: MAX_CHECK_INTERVAL
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-2
metadataPolicy: None
property: MAX_CHECK_INTERVAL
- secretKey: NODES
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-2
metadataPolicy: None
property: NODES
- secretKey: TLS_SKIP_VERIFY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-2
metadataPolicy: None
property: TLS_SKIP_VERIFY
- secretKey: TOKENS
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-2
metadataPolicy: None
property: TOKENS
- secretKey: EMAIL_ENABLED
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-2
metadataPolicy: None
property: EMAIL_ENABLED
- secretKey: NOTIFY_MAX_ELAPSED
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-2
metadataPolicy: None
property: NOTIFY_MAX_ELAPSED
- secretKey: NOTIFY_QUEUE_DELAY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-2
metadataPolicy: None
property: NOTIFY_QUEUE_DELAY
# ---
# apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret
# metadata:
# name: vault-unseal-config-3
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: vault-unseal-config-3
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: unseal
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# secretStoreRef:
# kind: ClusterSecretStore
# name: vault
# data:
# - secretKey: ENVIRONMENT
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None
# property: ENVIRONMENT
# - secretKey: CHECK_INTERVAL
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None
# property: CHECK_INTERVAL
# - secretKey: MAX_CHECK_INTERVAL
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None
# property: MAX_CHECK_INTERVAL
# - secretKey: NODES
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None
# property: NODES
# - secretKey: TLS_SKIP_VERIFY
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None
# property: TLS_SKIP_VERIFY
# - secretKey: TOKENS
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None
# property: TOKENS
# - secretKey: EMAIL_ENABLED
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None
# property: EMAIL_ENABLED
# - secretKey: NOTIFY_MAX_ELAPSED
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None
# property: NOTIFY_MAX_ELAPSED
# - secretKey: NOTIFY_QUEUE_DELAY
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None
# property: NOTIFY_QUEUE_DELAY
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vault-unseal-config-3
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-unseal-config-3
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: unseal
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ENVIRONMENT
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-3
metadataPolicy: None
property: ENVIRONMENT
- secretKey: CHECK_INTERVAL
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-3
metadataPolicy: None
property: CHECK_INTERVAL
- secretKey: MAX_CHECK_INTERVAL
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-3
metadataPolicy: None
property: MAX_CHECK_INTERVAL
- secretKey: NODES
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-3
metadataPolicy: None
property: NODES
- secretKey: TLS_SKIP_VERIFY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-3
metadataPolicy: None
property: TLS_SKIP_VERIFY
- secretKey: TOKENS
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-3
metadataPolicy: None
property: TOKENS
- secretKey: EMAIL_ENABLED
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-3
metadataPolicy: None
property: EMAIL_ENABLED
- secretKey: NOTIFY_MAX_ELAPSED
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-3
metadataPolicy: None
property: NOTIFY_MAX_ELAPSED
- secretKey: NOTIFY_QUEUE_DELAY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-3
metadataPolicy: None
property: NOTIFY_QUEUE_DELAY
# ---
# apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret
# metadata:
# name: vault-token
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: vault-token
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: token
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# secretStoreRef:
# kind: ClusterSecretStore
# name: vault
# data:
# - secretKey: token
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/token
# metadataPolicy: None
# property: token
# - secretKey: unseal_key_1
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/token
# metadataPolicy: None
# property: unseal_key_1
# - secretKey: unseal_key_2
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/token
# metadataPolicy: None
# property: unseal_key_2
# - secretKey: unseal_key_3
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/token
# metadataPolicy: None
# property: unseal_key_3
# - secretKey: unseal_key_4
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/token
# metadataPolicy: None
# property: unseal_key_4
# - secretKey: unseal_key_5
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/token
# metadataPolicy: None
# property: unseal_key_5
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vault-token
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-token
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: token
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: token
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/token
metadataPolicy: None
property: token
- secretKey: unseal_key_1
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/token
metadataPolicy: None
property: unseal_key_1
- secretKey: unseal_key_2
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/token
metadataPolicy: None
property: unseal_key_2
- secretKey: unseal_key_3
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/token
metadataPolicy: None
property: unseal_key_3
- secretKey: unseal_key_4
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/token
metadataPolicy: None
property: unseal_key_4
- secretKey: unseal_key_5
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/token
metadataPolicy: None
property: unseal_key_5
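Review bot: The `vault-token` ExternalSecret closing this hunk syncs the root `token` together with `unseal_key_1` through `unseal_key_5` into one Kubernetes Secret in the release namespace, so any principal with `get secrets` there holds the complete Shamir set plus a root token, which undoes the per-unsealer split that `vault-unseal-config-1/2/3` (each with its own `TOKENS`) was evidently built for. Nothing visible in the values hunk references `vault-token` (the unsealer deployments only mount `vault-unseal-config-N`), so I would not restore it as-is: revoke the root token after init and keep the key shares out of the cluster, or if some workload genuinely needs it, add a comment above the resource naming that consumer and why all five shares are required. Note also that the backing store is the `vault` ClusterSecretStore, i.e. Vault's own unseal material is fetched from Vault; on a fresh cluster where the target Secret does not yet exist and Vault is sealed, the unsealers cannot bootstrap, which deserves a comment such as `# bootstrap: ESO cannot read these paths from a sealed Vault; seed the Secret out-of-band on first install`. `TLS_SKIP_VERIFY` is synced as an opaque value so its setting is not visible here; if it is true, the unsealers submit their key shares over an unverified TLS connection, so please confirm it is false in the backing store.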


@@ -150,149 +150,149 @@ vault:
for: 5m
labels:
severity: critical
# snapshot:
# global:
# fullnameOverride: vault-snapshot
# controllers:
# snapshot:
# type: cronjob
# cronjob:
# suspend: false
# concurrencyPolicy: Forbid
# timeZone: US/Central
# schedule: 0 4 * * *
# startingDeadlineSeconds: 90
# successfulJobsHistory: 3
# failedJobsHistory: 3
# backoffLimit: 3
# parallelism: 1
# initContainers:
# snapshot:
# image:
# repository: hashicorp/vault
# tag: 1.18.5
# pullPolicy: IfNotPresent
# command:
# - /bin/ash
# args:
# - -ec
# - |
# apk add --no-cache jq;
# export VAULT_TOKEN=$(vault write auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID -format=json | jq -r .auth.client_token);
# vault operator raft snapshot save /opt/backup/vault-snapshot-latest.snap;
# cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap;
# cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-s3.snap;
# envFrom:
# - secretRef:
# name: vault-snapshot-agent-token
# env:
# - name: VAULT_ADDR
# value: http://vault-active.vault.svc.cluster.local:8200
# resources:
# requests:
# cpu: 10m
# memory: 64Mi
# containers:
# backup:
# image:
# repository: d3fk/s3cmd
# tag: latest@sha256:4bdc8e5817cbdd048e6dc487f42e3d96a6b58af69b4be6f256de5e2416da90e9
# pullPolicy: IfNotPresent
# command:
# - /bin/sh
# args:
# - -ec
# - |
# s3cmd put --no-check-md5 --no-check-certificate /opt/backup/vault-snapshot-s3.snap s3://vault-backups-bcc1e1433e0ce4be526561cb/cl01tl/cl01tl-vault-snapshots/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap;
# rm -f /opt/backup/vault-snapshot-s3.snap;
# envFrom:
# - secretRef:
# name: vault-snapshot-s3
# resources:
# requests:
# cpu: 10m
# memory: 64Mi
# serviceAccount:
# create: true
# persistence:
# config:
# existingClaim: vault-nfs-storage-backup
# advancedMounts:
# snapshot:
# snapshot:
# - path: /opt/backup
# readOnly: false
# backup:
# - path: /opt/backup
# readOnly: false
# s3cmd-config:
# enabled: true
# type: secret
# name: vault-s3cmd-config
# advancedMounts:
# snapshot:
# backup:
# - path: /root/.s3cfg
# readOnly: true
# mountPropagation: None
# subPath: .s3cfg
# unseal:
# global:
# fullnameOverride: vault-unseal
# controllers:
# unseal-1:
# type: deployment
# replicas: 1
# strategy: Recreate
# revisionHistoryLimit: 3
# containers:
# main:
# image:
# repository: ghcr.io/lrstanley/vault-unseal
# tag: 0.7.0
# pullPolicy: IfNotPresent
# envFrom:
# - secretRef:
# name: vault-unseal-config-1
# resources:
# requests:
# cpu: 10m
# memory: 24Mi
# unseal-2:
# type: deployment
# replicas: 1
# strategy: Recreate
# revisionHistoryLimit: 3
# containers:
# main:
# image:
# repository: ghcr.io/lrstanley/vault-unseal
# tag: 0.7.0
# pullPolicy: IfNotPresent
# envFrom:
# - secretRef:
# name: vault-unseal-config-2
# resources:
# requests:
# cpu: 10m
# memory: 24Mi
# unseal-3:
# type: deployment
# replicas: 1
# strategy: Recreate
# revisionHistoryLimit: 3
# containers:
# main:
# image:
# repository: ghcr.io/lrstanley/vault-unseal
# tag: 0.7.0
# pullPolicy: IfNotPresent
# envFrom:
# - secretRef:
# name: vault-unseal-config-3
# resources:
# requests:
# cpu: 10m
# memory: 24Mi
# serviceAccount:
# create: true
snapshot:
global:
fullnameOverride: vault-snapshot
controllers:
snapshot:
type: cronjob
cronjob:
suspend: false
concurrencyPolicy: Forbid
timeZone: US/Central
schedule: 0 4 * * *
startingDeadlineSeconds: 90
successfulJobsHistory: 3
failedJobsHistory: 3
backoffLimit: 3
parallelism: 1
initContainers:
snapshot:
image:
repository: hashicorp/vault
tag: 1.18.5
pullPolicy: IfNotPresent
command:
- /bin/ash
args:
- -ec
- |
apk add --no-cache jq;
export VAULT_TOKEN=$(vault write auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID -format=json | jq -r .auth.client_token);
vault operator raft snapshot save /opt/backup/vault-snapshot-latest.snap;
cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap;
cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-s3.snap;
envFrom:
- secretRef:
name: vault-snapshot-agent-token
env:
- name: VAULT_ADDR
value: http://vault-active.vault.svc.cluster.local:8200
resources:
requests:
cpu: 10m
memory: 64Mi
containers:
backup:
image:
repository: d3fk/s3cmd
tag: latest@sha256:4bdc8e5817cbdd048e6dc487f42e3d96a6b58af69b4be6f256de5e2416da90e9
pullPolicy: IfNotPresent
command:
- /bin/sh
args:
- -ec
- |
s3cmd put --no-check-md5 --no-check-certificate /opt/backup/vault-snapshot-s3.snap s3://vault-backups-bcc1e1433e0ce4be526561cb/cl01tl/cl01tl-vault-snapshots/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap;
rm -f /opt/backup/vault-snapshot-s3.snap;
envFrom:
- secretRef:
name: vault-snapshot-s3
resources:
requests:
cpu: 10m
memory: 64Mi
serviceAccount:
create: true
persistence:
config:
existingClaim: vault-nfs-storage-backup
advancedMounts:
snapshot:
snapshot:
- path: /opt/backup
readOnly: false
backup:
- path: /opt/backup
readOnly: false
s3cmd-config:
enabled: true
type: secret
name: vault-s3cmd-config
advancedMounts:
snapshot:
backup:
- path: /root/.s3cfg
readOnly: true
mountPropagation: None
subPath: .s3cfg
unseal:
global:
fullnameOverride: vault-unseal
controllers:
unseal-1:
type: deployment
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
containers:
main:
image:
repository: ghcr.io/lrstanley/vault-unseal
tag: 0.7.0
pullPolicy: IfNotPresent
envFrom:
- secretRef:
name: vault-unseal-config-1
resources:
requests:
cpu: 10m
memory: 24Mi
unseal-2:
type: deployment
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
containers:
main:
image:
repository: ghcr.io/lrstanley/vault-unseal
tag: 0.7.0
pullPolicy: IfNotPresent
envFrom:
- secretRef:
name: vault-unseal-config-2
resources:
requests:
cpu: 10m
memory: 24Mi
unseal-3:
type: deployment
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
containers:
main:
image:
repository: ghcr.io/lrstanley/vault-unseal
tag: 0.7.0
pullPolicy: IfNotPresent
envFrom:
- secretRef:
name: vault-unseal-config-3
resources:
requests:
cpu: 10m
memory: 24Mi
serviceAccount:
create: true
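Review bot: `s3cmd put --no-check-md5 --no-check-certificate` in the `backup` container disables TLS certificate verification toward the object store, so the `vault-snapshot-s3` credentials and the raft snapshot itself are exposed to anyone on the path, and `--no-check-md5` additionally drops the upload integrity check; use `s3cmd put /opt/backup/vault-snapshot-s3.snap s3://…` and, if the endpoint uses a private CA, mount it and set `ca_certs_file` in the `.s3cfg` Secret instead. The same concern applies to the init container's `VAULT_ADDR: http://vault-active.vault.svc.cluster.local:8200`: the AppRole `secret_id` and the returned client token travel in cleartext in-cluster, so point it at the https listener with `VAULT_CACERT` set. In that script, `export VAULT_TOKEN=$(vault write … | jq -r .auth.client_token)` returns the exit status of `export`, not of the login, so under `-ec` a failed login silently continues with `VAULT_TOKEN=null` and the snapshot step fails with a misleading permission error; assign first (`VAULT_TOKEN=$(…)`), then `export VAULT_TOKEN`, or add `[ -n "$VAULT_TOKEN" ] && [ "$VAULT_TOKEN" != null ]`. `apk add --no-cache jq` at run time also makes every nightly backup depend on package mirrors being reachable and unmodified; a pinned image with `jq` baked in (or `vault read -field=client_token` style output that needs no jq) removes that dependency. The hunk starts at line 150 of values.yaml under the `vault:` key, so the enclosing structure and the snapshot stanza's indentation relative to it are not visible here.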