chore: Update manifests after change

2026-05-22 18:46:32 +00:00
parent 7e378877af
commit d669a25654
43 changed files with 4 additions and 1175 deletions
@@ -153,7 +153,6 @@ data:
        sparkyfitness                   IN      CNAME   traefik-cl01tl
        tdarr                           IN      CNAME   traefik-cl01tl
        tubearchivist                   IN      CNAME   traefik-cl01tl
-        vault                           IN      CNAME   traefik-cl01tl
        whodb                           IN      CNAME   traefik-cl01tl
        yamtrack                        IN      CNAME   traefik-cl01tl
        yubal                           IN      CNAME   traefik-cl01tl
@@ -22,7 +22,7 @@ spec:
  template:
    metadata:
      annotations:
-        checksum/configMaps: 8aadfb0f8e3c44c960e3daba036be7e8b635c50df168eef754e6cdd0745e118c
+        checksum/configMaps: 9896e1f76ba730d198b720637dc5ad6903cb51fce3bd554ff8866bf252c11b03
      labels:
        app.kubernetes.io/controller: main
        app.kubernetes.io/instance: blocky
@@ -456,15 +456,6 @@ data:
      interval: 30s
      name: whodb
      url: https://whodb.alexlebens.net
-    - alerts:
-      - type: ntfy
-      conditions:
-      - '[STATUS] == 200'
-      - '[CERTIFICATE_EXPIRATION] > 240h'
-      group: core
-      interval: 30s
-      name: vault
-      url: https://vault.alexlebens.net
    - alerts:
      - type: ntfy
      conditions:
@@ -26,7 +26,7 @@ spec:
        app.kubernetes.io/name: gatus
        app.kubernetes.io/instance: gatus
      annotations:
-        checksum/config: d9ee58caa34a5c15e53b782c6fb620492f6f9054f598cc17e4d51ea91d98d2cc
+        checksum/config: 8e95a6f2ad7d4bb7edf60154d0e7c1ffe9cff0313e507d1a6870ca3af4b43499
    spec:
      serviceAccountName: default
      automountServiceAccountToken: false
@@ -46,7 +46,7 @@ spec:
              done
              echo "Gitea has been reached!"
        - name: dind
-          image: "docker.io/docker:29.5.2-dind@sha256:eb37f58646a901dc7727cf448cae36daaefaba79de33b5058dab79aa4c04aefb"
+          image: "docker.io/docker:29.5.2-dind@sha256:6b9cd914eb9c6b342c040a49a27a5eb3804453bae6ecc90f7ff96133595a95e8"
          restartPolicy: Always
          imagePullPolicy: IfNotPresent
          securityContext:
@@ -1,17 +0,0 @@
-apiVersion: grafana.integreatly.org/v1beta1
-kind: GrafanaDashboard
-metadata:
-  name: grafana-dashboard-vault
-  namespace: grafana-operator
-  labels:
-    app.kubernetes.io/name: grafana-dashboard-vault
-    app.kubernetes.io/instance: grafana-operator
-    app.kubernetes.io/part-of: grafana-operator
-spec:
-  instanceSelector:
-    matchLabels:
-      app: grafana-main
-  contentCacheDuration: 6h
-  folderUID: grafana-folder-platform
-  resyncPeriod: 6h
-  url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/platform/vault.json
@@ -534,18 +534,6 @@ data:
            href: https://whodb.alexlebens.net
            siteMonitor: http://whodb.whodb:80
            statusStyle: dot
-        - Secrets:
-            icon: sh-hashicorp-vault.webp
-            description: Vault
-            href: https://vault.alexlebens.net
-            siteMonitor: http://vault.vault:8200
-            statusStyle: dot
-            namespace: vault
-            app: vault
-            podSelector: >-
-                app.kubernetes.io/instance in (
-                    vault
-                )
        - Secrets:
            icon: sh-openbao.webp
            description: OpenBao
@@ -24,7 +24,7 @@ spec:
  template:
    metadata:
      annotations:
-        checksum/configMaps: 3961d0f5ae725dd1e304dac409388ca1912e656ddf41fdd298c1ee2fc404bbc3
+        checksum/configMaps: 52976622e46503ade5b5046760e6006d1b9d0ac30131509c883b9006283520d8
      labels:
        app.kubernetes.io/controller: main
        app.kubernetes.io/instance: homepage
@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: vault-backup-script
-  namespace: vault
-  labels:
-    app.kubernetes.io/name: vault-backup-script
-    app.kubernetes.io/instance: vault
-    app.kubernetes.io/part-of: vault
-data:
-  backup.sh: |
-    echo " ";
-    echo ">> Running S3 backup for Vault snapshot";
-    OUTPUT=$(s3cmd sync --no-check-certificate -v /opt/backup/* "${BUCKET}/cl01tl/cl01tl-vault-snapshots/" 2>&1)
@@ -1,44 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: vault-config
-  namespace: vault
-  labels:
-    helm.sh/chart: vault-0.32.0
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: vault
-    app.kubernetes.io/managed-by: Helm
-data:
-  extraconfig-from-values.hcl: |-
-    ui = true
-
-    listener "tcp" {
-      tls_disable = 1
-      address = "[::]:8200"
-      cluster_address = "[::]:8201"
-      telemetry {
-        unauthenticated_metrics_access = "true"
-      }
-    }
-
-    storage "raft" {
-      path = "/vault/data"
-      retry_join {
-        leader_api_addr = "http://vault-0.vault-internal:8200"
-      }
-      retry_join {
-        leader_api_addr = "http://vault-1.vault-internal:8200"
-      }
-      retry_join {
-        leader_api_addr = "http://vault-2.vault-internal:8200"
-      }
-    }
-
-    service_registration "kubernetes" {}
-
-    telemetry {
-      prometheus_retention_time = "30s"
-      disable_hostname = true
-    }
-
-    disable_mlock = true
@@ -1,35 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: vault-snapshot-script
-  namespace: vault
-  labels:
-    app.kubernetes.io/name: vault-snapshot-script
-    app.kubernetes.io/instance: vault
-    app.kubernetes.io/part-of: vault
-data:
-  snapshot.sh: |
-    DATE=$(date +"%Y%m%d-%H-%M")
-
-    echo " "
-    echo ">> Running Vault Snapshot Script ..."
-
-    echo " "
-    echo ">> Fetching Vault token ..."
-    export VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID)
-
-    if [ -z "$VAULT_TOKEN" ]; then
-        echo ">> ERROR: Failed to fetch Vault token! Exiting..."
-        exit 1
-    fi
-
-    echo " "
-    echo ">> Taking Vault snapshot ..."
-    vault operator raft snapshot save /opt/backup/vault-snapshot-$DATE.snap
-
-    echo " "
-    echo ">> Setting ownership of Vault snapshot ..."
-    chown 100:1000 /opt/backup/vault-snapshot-$DATE.snap
-
-    echo " "
-    echo ">> Completed Vault snapshot"
@@ -1,147 +0,0 @@
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: vault-snapshot
-  labels:
-    app.kubernetes.io/controller: snapshot
-    app.kubernetes.io/instance: vault
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/name: vault
-    helm.sh/chart: snapshot-5.0.1
-  namespace: vault
-spec:
-  suspend: false
-  concurrencyPolicy: Forbid
-  startingDeadlineSeconds: 30
-  timeZone: America/Chicago
-  schedule: "0 4 * * *"
-  successfulJobsHistoryLimit: 1
-  failedJobsHistoryLimit: 1
-  jobTemplate:
-    spec:
-      parallelism: 1
-      backoffLimit: 3
-      template:
-        metadata:
-          labels:
-            app.kubernetes.io/controller: snapshot
-            app.kubernetes.io/instance: vault
-            app.kubernetes.io/name: vault
-        spec:
-          enableServiceLinks: false
-          serviceAccountName: vault-snapshot
-          automountServiceAccountToken: true
-          hostIPC: false
-          hostNetwork: false
-          hostPID: false
-          dnsPolicy: ClusterFirst
-          restartPolicy: Never
-          initContainers:
-            - args:
-                - -ec
-                - /scripts/snapshot.sh
-              command:
-                - /bin/ash
-              env:
-                - name: VAULT_ADDR
-                  value: http://vault-active.vault.svc.cluster.local:8200
-              envFrom:
-                - secretRef:
-                    name: vault-snapshot-agent-role
-              image: hashicorp/vault:2.0.1@sha256:7553550027156b8f04e81f61a98c3f53a7bce57104f2a400e2012c851f66ac19
-              name: snapshot
-              volumeMounts:
-                - mountPath: /opt/backup
-                  name: backup
-                - mountPath: /scripts/snapshot.sh
-                  name: snapshot-script
-                  subPath: snapshot.sh
-          containers:
-            - args:
-                - -ec
-                - /scripts/backup.sh
-              command:
-                - /bin/sh
-              env:
-                - name: BUCKET
-                  valueFrom:
-                    secretKeyRef:
-                      key: BUCKET
-                      name: vault-backup-local-config
-                - name: TARGET
-                  value: Local
-              envFrom:
-                - secretRef:
-                    name: vault-ntfy-config
-              image: d3fk/s3cmd:latest@sha256:d66cc5677b30b31a7981f9fde0af064a9072e8b8a57d5e9b4cc02f44f02acbf2
-              name: s3-backup-local
-              volumeMounts:
-                - mountPath: /opt/backup
-                  name: backup
-                - mountPath: /root/.s3cfg
-                  mountPropagation: None
-                  name: backup-local-config
-                  readOnly: true
-                  subPath: .s3cfg
-                - mountPath: /scripts/backup.sh
-                  name: backup-script
-                  subPath: backup.sh
-            - args:
-                - -ec
-                - /scripts/backup.sh
-              command:
-                - /bin/sh
-              env:
-                - name: BUCKET
-                  valueFrom:
-                    secretKeyRef:
-                      key: BUCKET
-                      name: vault-backup-remote-config
-                - name: TARGET
-                  value: Remote
-              envFrom:
-                - secretRef:
-                    name: vault-ntfy-config
-              image: d3fk/s3cmd:latest@sha256:d66cc5677b30b31a7981f9fde0af064a9072e8b8a57d5e9b4cc02f44f02acbf2
-              name: s3-backup-remote
-              volumeMounts:
-                - mountPath: /opt/backup
-                  name: backup
-                - mountPath: /root/.s3cfg
-                  mountPropagation: None
-                  name: backup-remote-config
-                  readOnly: true
-                  subPath: .s3cfg
-                - mountPath: /scripts/backup.sh
-                  name: backup-script
-                  subPath: backup.sh
-          volumes:
-            - name: backup
-              persistentVolumeClaim:
-                claimName: vault-storage-backup
-            - csi:
-                driver: secrets-store.csi.k8s.io
-                readOnly: true
-                volumeAttributes:
-                  secretProviderClass: vault-backup-external-config
-              name: backup-external-config
-            - csi:
-                driver: secrets-store.csi.k8s.io
-                readOnly: true
-                volumeAttributes:
-                  secretProviderClass: vault-backup-local-config
-              name: backup-local-config
-            - csi:
-                driver: secrets-store.csi.k8s.io
-                readOnly: true
-                volumeAttributes:
-                  secretProviderClass: vault-backup-remote-config
-              name: backup-remote-config
-            - configMap:
-                defaultMode: 493
-                name: vault-backup-script
-              name: backup-script
-            - configMap:
-                defaultMode: 493
-                name: vault-snapshot-script
-              name: snapshot-script
@@ -1,47 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: vault-unseal-unseal-1
-  labels:
-    app.kubernetes.io/controller: unseal-1
-    app.kubernetes.io/instance: vault
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/name: vault
-    helm.sh/chart: unseal-5.0.1
-  namespace: vault
-spec:
-  revisionHistoryLimit: 3
-  replicas: 1
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app.kubernetes.io/controller: unseal-1
-      app.kubernetes.io/name: vault
-      app.kubernetes.io/instance: vault
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/controller: unseal-1
-        app.kubernetes.io/instance: vault
-        app.kubernetes.io/name: vault
-    spec:
-      enableServiceLinks: false
-      serviceAccountName: vault-unseal
-      automountServiceAccountToken: false
-      hostIPC: false
-      hostNetwork: false
-      hostPID: false
-      dnsPolicy: ClusterFirst
-      containers:
-        - envFrom:
-            - secretRef:
-                name: vault-unseal-config-1
-            - secretRef:
-                name: vault-ntfy-unseal-config
-          image: ghcr.io/lrstanley/vault-unseal:1.0.0@sha256:9b936fadc8dea2a473972806bffc218a4dd2fbc3b373566138a60e058cc544aa
-          name: main
-          resources:
-            requests:
-              cpu: 1m
-              memory: 10Mi
@@ -1,47 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: vault-unseal-unseal-2
-  labels:
-    app.kubernetes.io/controller: unseal-2
-    app.kubernetes.io/instance: vault
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/name: vault
-    helm.sh/chart: unseal-5.0.1
-  namespace: vault
-spec:
-  revisionHistoryLimit: 3
-  replicas: 1
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app.kubernetes.io/controller: unseal-2
-      app.kubernetes.io/name: vault
-      app.kubernetes.io/instance: vault
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/controller: unseal-2
-        app.kubernetes.io/instance: vault
-        app.kubernetes.io/name: vault
-    spec:
-      enableServiceLinks: false
-      serviceAccountName: vault-unseal
-      automountServiceAccountToken: false
-      hostIPC: false
-      hostNetwork: false
-      hostPID: false
-      dnsPolicy: ClusterFirst
-      containers:
-        - envFrom:
-            - secretRef:
-                name: vault-unseal-config-2
-            - secretRef:
-                name: vault-ntfy-unseal-config
-          image: ghcr.io/lrstanley/vault-unseal:1.0.0@sha256:9b936fadc8dea2a473972806bffc218a4dd2fbc3b373566138a60e058cc544aa
-          name: main
-          resources:
-            requests:
-              cpu: 1m
-              memory: 10Mi
@@ -1,47 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: vault-unseal-unseal-3
-  labels:
-    app.kubernetes.io/controller: unseal-3
-    app.kubernetes.io/instance: vault
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/name: vault
-    helm.sh/chart: unseal-5.0.1
-  namespace: vault
-spec:
-  revisionHistoryLimit: 3
-  replicas: 1
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app.kubernetes.io/controller: unseal-3
-      app.kubernetes.io/name: vault
-      app.kubernetes.io/instance: vault
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/controller: unseal-3
-        app.kubernetes.io/instance: vault
-        app.kubernetes.io/name: vault
-    spec:
-      enableServiceLinks: false
-      serviceAccountName: vault-unseal
-      automountServiceAccountToken: false
-      hostIPC: false
-      hostNetwork: false
-      hostPID: false
-      dnsPolicy: ClusterFirst
-      containers:
-        - envFrom:
-            - secretRef:
-                name: vault-unseal-config-3
-            - secretRef:
-                name: vault-ntfy-unseal-config
-          image: ghcr.io/lrstanley/vault-unseal:1.0.0@sha256:9b936fadc8dea2a473972806bffc218a4dd2fbc3b373566138a60e058cc544aa
-          name: main
-          resources:
-            requests:
-              cpu: 1m
-              memory: 10Mi
@@ -1,18 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: vault-backup-local-config
-  namespace: vault
-  labels:
-    app.kubernetes.io/name: vault-backup-local-config
-    app.kubernetes.io/instance: vault
-    app.kubernetes.io/part-of: vault
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  data:
-    - secretKey: BUCKET
-      remoteRef:
-        key: /garage/home-infra/vault-backups
-        property: BUCKET_PATH
@@ -1,18 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: vault-backup-remote-config
-  namespace: vault
-  labels:
-    app.kubernetes.io/name: vault-backup-remote-config
-    app.kubernetes.io/instance: vault
-    app.kubernetes.io/part-of: vault
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  data:
-    - secretKey: BUCKET
-      remoteRef:
-        key: /garage/home-infra/vault-backups
-        property: BUCKET_PATH
@@ -1,26 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: vault-ntfy-config
-  namespace: vault
-  labels:
-    app.kubernetes.io/name: vault-ntfy-config
-    app.kubernetes.io/instance: vault
-    app.kubernetes.io/part-of: vault
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  data:
-    - secretKey: NTFY_TOKEN
-      remoteRef:
-        key: /cl01tl/ntfy/users/cl01tl
-        property: token
-    - secretKey: NTFY_ENDPOINT
-      remoteRef:
-        key: /cl01tl/ntfy/config
-        property: internal-endpoint
-    - secretKey: NTFY_TOPIC
-      remoteRef:
-        key: /cl01tl/ntfy/topics
-        property: vault
@@ -1,28 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: vault-ntfy-unseal-config
-  namespace: vault
-  labels:
-    app.kubernetes.io/name: vault-ntfy-unseal-config
-    app.kubernetes.io/instance: vault
-    app.kubernetes.io/part-of: vault
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        NOTIFY_QUEUE_URLS: "{{ .endpoint }}/{{ .topic }}/?priority=4&tags=vault,unseal&title=Vault+Unsealed"
-  data:
-    - secretKey: endpoint
-      remoteRef:
-        key: /cl01tl/ntfy/users/cl01tl
-        property: internal-endpoint-credential
-    - secretKey: topic
-      remoteRef:
-        key: /cl01tl/ntfy/topics
-        property: vault
@@ -1,22 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: vault-snapshot-agent-role
-  namespace: vault
-  labels:
-    app.kubernetes.io/name: vault-snapshot-agent-role
-    app.kubernetes.io/instance: vault
-    app.kubernetes.io/part-of: vault
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  data:
-    - secretKey: VAULT_APPROLE_ROLE_ID
-      remoteRef:
-        key: /cl01tl/vault/role/snapshot
-        property: role-id
-    - secretKey: VAULT_APPROLE_SECRET_ID
-      remoteRef:
-        key: /cl01tl/vault/role/snapshot
-        property: secret-id
@@ -1,18 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: vault-token
-  namespace: vault
-  labels:
-    app.kubernetes.io/name: vault-token
-    app.kubernetes.io/instance: vault
-    app.kubernetes.io/part-of: vault
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  data:
-    - secretKey: token
-      remoteRef:
-        key: /cl01tl/vault/token
-        property: root
@@ -1,26 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: vault-unseal-config-1
-  namespace: vault
-  labels:
-    app.kubernetes.io/name: vault-unseal-config-1
-    app.kubernetes.io/instance: vault
-    app.kubernetes.io/part-of: vault
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  data:
-    - secretKey: ENVIRONMENT
-      remoteRef:
-        key: /cl01tl/vault/unseal
-        property: environment
-    - secretKey: NODES
-      remoteRef:
-        key: /cl01tl/vault/unseal
-        property: nodes
-    - secretKey: TOKENS
-      remoteRef:
-        key: /cl01tl/vault/unseal
-        property: tokens-1
@@ -1,26 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: vault-unseal-config-2
-  namespace: vault
-  labels:
-    app.kubernetes.io/name: vault-unseal-config-2
-    app.kubernetes.io/instance: vault
-    app.kubernetes.io/part-of: vault
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  data:
-    - secretKey: ENVIRONMENT
-      remoteRef:
-        key: /cl01tl/vault/unseal
-        property: environment
-    - secretKey: NODES
-      remoteRef:
-        key: /cl01tl/vault/unseal
-        property: nodes
-    - secretKey: TOKENS
-      remoteRef:
-        key: /cl01tl/vault/unseal
-        property: tokens-2
@@ -1,26 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: vault-unseal-config-3
-  namespace: vault
-  labels:
-    app.kubernetes.io/name: vault-unseal-config-3
-    app.kubernetes.io/instance: vault
-    app.kubernetes.io/part-of: vault
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  data:
-    - secretKey: ENVIRONMENT
-      remoteRef:
-        key: /cl01tl/vault/unseal
-        property: environment
-    - secretKey: NODES
-      remoteRef:
-        key: /cl01tl/vault/unseal
-        property: nodes
-    - secretKey: TOKENS
-      remoteRef:
-        key: /cl01tl/vault/unseal
-        property: tokens-3
@@ -1,27 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: vault
-  namespace: vault
-  labels:
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: vault
-    app.kubernetes.io/part-of: vault
-spec:
-  parentRefs:
-    - group: gateway.networking.k8s.io
-      kind: Gateway
-      name: traefik-gateway
-      namespace: traefik
-  hostnames:
-    - vault.alexlebens.net
-  rules:
-    - matches:
-        - path:
-            type: PathPrefix
-            value: /
-      backendRefs:
-        - group: ''
-          kind: Service
-          name: vault-active
-          port: 8200
@@ -1,29 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: vault-tailscale
-  namespace: vault
-  labels:
-    app.kubernetes.io/name: vault-tailscale
-    app.kubernetes.io/instance: vault
-    app.kubernetes.io/part-of: vault
-    tailscale.com/proxy-class: no-metrics
-  annotations:
-    tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
-spec:
-  ingressClassName: tailscale
-  tls:
-    - hosts:
-        - vault-cl01tl
-      secretName: vault-cl01tl
-  rules:
-    - host: vault-cl01tl
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: vault-active
-                port:
-                  number: 8200
@@ -1,17 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: vault-storage-backup
-  namespace: vault
-  labels:
-    app.kubernetes.io/name: vault-storage-backup
-    app.kubernetes.io/instance: vault
-    app.kubernetes.io/part-of: vault
-spec:
-  volumeMode: Filesystem
-  storageClassName: ceph-filesystem
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 1Gi
@@ -1,44 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  name: vault-server-test
-  namespace: vault
-  annotations:
-    "helm.sh/hook": test
-spec:
-  containers:
-    - name: vault-server-test
-      image: hashicorp/vault:2.0.1@sha256:7553550027156b8f04e81f61a98c3f53a7bce57104f2a400e2012c851f66ac19
-      imagePullPolicy: IfNotPresent
-      env:
-        - name: VAULT_ADDR
-          value: http://vault.vault.svc:8200
-      command:
-        - /bin/sh
-        - -c
-        - |
-          echo "Checking for sealed info in 'vault status' output"
-          ATTEMPTS=10
-          n=0
-          until [ "$n" -ge $ATTEMPTS ]
-          do
-            echo "Attempt" $n...
-            vault status -format yaml | grep -E '^sealed: (true|false)' && break
-            n=$((n+1))
-            sleep 5
-          done
-          if [ $n -ge $ATTEMPTS ]; then
-            echo "timed out looking for sealed info in 'vault status' output"
-            exit 1
-          fi
-
-          exit 0
-      volumeMounts:
-        - mountPath: /opt/backups/
-          name: vault-storage-backup
-          readOnly: false
-  volumes:
-    - name: vault-storage-backup
-      persistentVolumeClaim:
-        claimName: vault-storage-backup
-  restartPolicy: Never
@@ -1,17 +0,0 @@
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
-  name: vault
-  namespace: vault
-  labels:
-    helm.sh/chart: vault-0.32.0
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: vault
-    app.kubernetes.io/managed-by: Helm
-spec:
-  maxUnavailable: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: vault
-      app.kubernetes.io/instance: vault
-      component: server
@@ -1,28 +0,0 @@
-apiVersion: monitoring.coreos.com/v1
-kind: PrometheusRule
-metadata:
-  name: vault
-  labels:
-    helm.sh/chart: vault-0.32.0
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: vault
-    app.kubernetes.io/managed-by: Helm
-    release: prometheus
-spec:
-  groups:
-    - name: vault
-      rules:
-        - alert: vault-HighResponseTime
-          annotations:
-            message: The response time of Vault is over 500ms on average over the last 5 minutes.
-          expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500
-          for: 5m
-          labels:
-            severity: warning
-        - alert: vault-HighResponseTime
-          annotations:
-            message: The response time of Vault is over 1s on average over the last 5 minutes.
-          expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000
-          for: 5m
-          labels:
-            severity: critical
@@ -1,14 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  namespace: vault
-  name: vault-discovery-role
-  labels:
-    helm.sh/chart: vault-0.32.0
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: vault
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - apiGroups: [""]
-    resources: ["pods"]
-    verbs: ["get", "watch", "list", "update", "patch"]
@@ -1,18 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: vault-discovery-rolebinding
-  namespace: vault
-  labels:
-    helm.sh/chart: vault-0.32.0
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: vault
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: vault-discovery-role
-subjects:
-  - kind: ServiceAccount
-    name: vault
-    namespace: vault
@@ -1,19 +0,0 @@
-apiVersion: secrets-store.csi.x-k8s.io/v1
-kind: SecretProviderClass
-metadata:
-  name: vault-backup-local-config
-  namespace: vault
-  labels:
-    app.kubernetes.io/name: vault-backup-local-config
-    app.kubernetes.io/instance: vault
-    app.kubernetes.io/part-of: vault
-spec:
-  provider: openbao
-  parameters:
-    baoAddress: "http://openbao-internal.openbao:8200"
-    roleName: vault
-    objects: |
-      - objectName: .s3cfg
-        fileName: .s3cfg
-        secretPath: secret/data/garage/home-infra/vault-backups
-        secretKey: s3cfg-local
@@ -1,19 +0,0 @@
-apiVersion: secrets-store.csi.x-k8s.io/v1
-kind: SecretProviderClass
-metadata:
-  name: vault-backup-remote-config
-  namespace: vault
-  labels:
-    app.kubernetes.io/name: vault-backup-remote-config
-    app.kubernetes.io/instance: vault
-    app.kubernetes.io/part-of: vault
-spec:
-  provider: openbao
-  parameters:
-    baoAddress: "http://openbao-internal.openbao:8200"
-    roleName: vault
-    objects: |
-      - objectName: .s3cfg
-        fileName: .s3cfg
-        secretPath: secret/data/garage/home-infra/vault-backups
-        secretKey: s3cfg-remote
@@ -1,26 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: vault-active
-  namespace: vault
-  labels:
-    helm.sh/chart: vault-0.32.0
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: vault
-    app.kubernetes.io/managed-by: Helm
-    vault-active: "true"
-  annotations:
-spec:
-  publishNotReadyAddresses: true
-  ports:
-    - name: http
-      port: 8200
-      targetPort: 8200
-    - name: https-internal
-      port: 8201
-      targetPort: 8201
-  selector:
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: vault
-    component: server
-    vault-active: "true"
@@ -1,26 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: vault-internal
-  namespace: vault
-  labels:
-    helm.sh/chart: vault-0.32.0
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: vault
-    app.kubernetes.io/managed-by: Helm
-    vault-internal: "true"
-  annotations:
-spec:
-  clusterIP: None
-  publishNotReadyAddresses: true
-  ports:
-    - name: "http"
-      port: 8200
-      targetPort: 8200
-    - name: https-internal
-      port: 8201
-      targetPort: 8201
-  selector:
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: vault
-    component: server
@@ -1,25 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: vault-standby
-  namespace: vault
-  labels:
-    helm.sh/chart: vault-0.32.0
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: vault
-    app.kubernetes.io/managed-by: Helm
-  annotations:
-spec:
-  publishNotReadyAddresses: true
-  ports:
-    - name: http
-      port: 8200
-      targetPort: 8200
-    - name: https-internal
-      port: 8201
-      targetPort: 8201
-  selector:
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: vault
-    component: server
-    vault-active: "false"
@@ -1,24 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: vault
-  namespace: vault
-  labels:
-    helm.sh/chart: vault-0.32.0
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: vault
-    app.kubernetes.io/managed-by: Helm
-  annotations:
-spec:
-  publishNotReadyAddresses: true
-  ports:
-    - name: http
-      port: 8200
-      targetPort: 8200
-    - name: https-internal
-      port: 8201
-      targetPort: 8201
-  selector:
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: vault
-    component: server
@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: vault-snapshot
-  labels:
-    app.kubernetes.io/instance: vault
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/name: vault
-    helm.sh/chart: snapshot-5.0.1
-  namespace: vault
@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: vault-unseal
-  labels:
-    app.kubernetes.io/instance: vault
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/name: vault
-    helm.sh/chart: unseal-5.0.1
-  namespace: vault
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: vault
-  namespace: vault
-  labels:
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: vault
-    app.kubernetes.io/part-of: vault
@@ -1,30 +0,0 @@
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: vault
-  labels:
-    helm.sh/chart: vault-0.32.0
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: vault
-    app.kubernetes.io/managed-by: Helm
-    release: prometheus
-spec:
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: vault
-      app.kubernetes.io/instance: vault
-      vault-active: "true"
-  endpoints:
-    - port: http
-      interval: 30s
-      scrapeTimeout: 10s
-      scheme: http
-      path: /v1/sys/metrics
-      params:
-        format:
-          - prometheus
-      tlsConfig:
-        insecureSkipVerify: true
-  namespaceSelector:
-    matchNames:
-      - vault
@@ -1,151 +0,0 @@
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: vault
-  namespace: vault
-  labels:
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: vault
-    app.kubernetes.io/managed-by: Helm
-spec:
-  serviceName: vault-internal
-  podManagementPolicy: Parallel
-  replicas: 3
-  updateStrategy:
-    type: RollingUpdate
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: vault
-      app.kubernetes.io/instance: vault
-      component: server
-  template:
-    metadata:
-      labels:
-        helm.sh/chart: vault-0.32.0
-        app.kubernetes.io/name: vault
-        app.kubernetes.io/instance: vault
-        component: server
-      annotations:
-    spec:
-      affinity:
-        podAntiAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-            - labelSelector:
-                matchLabels:
-                  app.kubernetes.io/name: vault
-                  app.kubernetes.io/instance: "vault"
-                  component: server
-              topologyKey: kubernetes.io/hostname
-      terminationGracePeriodSeconds: 10
-      serviceAccountName: vault
-      securityContext:
-        runAsNonRoot: true
-        runAsGroup: 1000
-        runAsUser: 100
-        fsGroup: 1000
-      hostNetwork: false
-      volumes:
-        - name: config
-          configMap:
-            name: vault-config
-        - name: vault-storage-backup
-          persistentVolumeClaim:
-            claimName: vault-storage-backup
-        - name: home
-          emptyDir: {}
-      containers:
-        - name: vault
-          resources:
-            requests:
-              cpu: 50m
-              memory: 512Mi
-          image: hashicorp/vault:2.0.1@sha256:7553550027156b8f04e81f61a98c3f53a7bce57104f2a400e2012c851f66ac19
-          imagePullPolicy: IfNotPresent
-          command:
-            - "/bin/sh"
-            - "-ec"
-          args:
-            - "cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl;\n[ -n \"${HOST_IP}\" ] && sed -Ei \"s|HOST_IP|${HOST_IP?}|g\" /tmp/storageconfig.hcl;\n[ -n \"${POD_IP}\" ] && sed -Ei \"s|POD_IP|${POD_IP?}|g\" /tmp/storageconfig.hcl;\n[ -n \"${HOSTNAME}\" ] && sed -Ei \"s|HOSTNAME|${HOSTNAME?}|g\" /tmp/storageconfig.hcl;\n[ -n \"${API_ADDR}\" ] && sed -Ei \"s|API_ADDR|${API_ADDR?}|g\" /tmp/storageconfig.hcl;\n[ -n \"${TRANSIT_ADDR}\" ] && sed -Ei \"s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g\" /tmp/storageconfig.hcl;\n[ -n \"${RAFT_ADDR}\" ] && sed -Ei \"s|RAFT_ADDR|${RAFT_ADDR?}|g\" /tmp/storageconfig.hcl;\n/usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl \n"
-          securityContext:
-            allowPrivilegeEscalation: false
-          env:
-            - name: HOST_IP
-              valueFrom:
-                fieldRef:
-                  fieldPath: status.hostIP
-            - name: POD_IP
-              valueFrom:
-                fieldRef:
-                  fieldPath: status.podIP
-            - name: VAULT_K8S_POD_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.name
-            - name: VAULT_K8S_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-            - name: VAULT_ADDR
-              value: "http://127.0.0.1:8200"
-            - name: VAULT_API_ADDR
-              value: "http://$(POD_IP):8200"
-            - name: SKIP_CHOWN
-              value: "true"
-            - name: SKIP_SETCAP
-              value: "true"
-            - name: HOSTNAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.name
-            - name: VAULT_CLUSTER_ADDR
-              value: "https://$(HOSTNAME).vault-internal:8201"
-            - name: HOME
-              value: "/home/vault"
-            - name: VAULT_LOG_LEVEL
-              value: "debug"
-            - name: VAULT_LOG_FORMAT
-              value: "standard"
-          volumeMounts:
-            - name: data
-              mountPath: /vault/data
-            - name: config
-              mountPath: /vault/config
-            - mountPath: /opt/backups/
-              name: vault-storage-backup
-              readOnly: false
-            - name: home
-              mountPath: /home/vault
-          ports:
-            - containerPort: 8200
-              name: http
-            - containerPort: 8201
-              name: https-internal
-            - containerPort: 8202
-              name: http-rep
-          readinessProbe:
-            exec:
-              command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"]
-            failureThreshold: 2
-            initialDelaySeconds: 5
-            periodSeconds: 5
-            successThreshold: 1
-            timeoutSeconds: 3
-          lifecycle:
-            preStop:
-              exec:
-                command:
-                  - "/bin/sh"
-                  - "-c"
-                  - "sleep 5 && kill -SIGTERM $(pidof vault)"
-  volumeClaimTemplates:
-    - apiVersion: v1
-      kind: PersistentVolumeClaim
-      metadata:
-        name: data
-      spec:
-        accessModes:
-          - ReadWriteOnce
-        resources:
-          requests:
-            storage: 1Gi
-        storageClassName: ceph-block