add vault

2025-02-17 13:09:28 -06:00
parent 0df95e32fa
commit ebb507d0ff
7 changed files with 4 additions and 4 deletions
--- a/clusters/cl01tl/platform/vault/values.yaml
+++ b/clusters/cl01tl/platform/vault/values.yaml
@@ -0,0 +1,300 @@
+vault:
+  global:
+    enabled: true
+    tlsDisable: true
+    psp:
+      enable: false
+    serverTelemetry:
+      prometheusOperator: true
+  injector:
+    enabled: false
+  server:
+    enabled: true
+    image:
+      repository: hashicorp/vault
+      tag: 1.18.4
+    updateStrategyType: "RollingUpdate"
+    logLevel: debug
+    logFormat: standard
+    resources:
+      requests:
+        cpu: 50m
+        memory: 512Mi
+    ingress:
+      enabled: true
+      annotations:
+        tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
+      ingressClassName: tailscale
+      pathType: Prefix
+      activeService: true
+      hosts:
+        - host: vault-cl01tl
+          paths:
+            - /
+      tls:
+        - secretName: vault-cl01tl
+          hosts:
+            - vault-cl01tl
+    route:
+      enabled: false
+    authDelegator:
+      enabled: false
+    readinessProbe:
+      enabled: true
+      port: 8200
+    livenessProbe:
+      enabled: false
+    volumes:
+      - name: vault-nfs-storage-backup
+        persistentVolumeClaim:
+          claimName: vault-nfs-storage-backup
+    volumeMounts:
+      - mountPath: /opt/backups/
+        name: vault-nfs-storage-backup
+        readOnly: false
+    affinity: |
+      podAntiAffinity:
+        requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchLabels:
+                app.kubernetes.io/name: {{ template "vault.name" . }}
+                app.kubernetes.io/instance: "{{ .Release.Name }}"
+                component: server
+            topologyKey: kubernetes.io/hostname
+    networkPolicy:
+      enabled: false
+    service:
+      enabled: true
+      active:
+        enabled: true
+      standby:
+        enabled: false
+      type: ClusterIP
+      port: 8200
+      targetPort: 8200
+    dataStorage:
+      enabled: true
+      size: 1Gi
+      mountPath: "/vault/data"
+      accessMode: ReadWriteOnce
+    auditStorage:
+      enabled: false
+      size: 5Gi
+      mountPath: "/vault/audit"
+      accessMode: ReadWriteOnce
+    dev:
+      enabled: false
+    standalone:
+      enabled: false
+    ha:
+      enabled: true
+      replicas: 3
+      raft:
+        enabled: true
+        config: |
+          ui = true
+
+          listener "tcp" {
+            tls_disable = 1
+            address = "[::]:8200"
+            cluster_address = "[::]:8201"
+            telemetry {
+              unauthenticated_metrics_access = "true"
+            }
+          }
+
+          storage "raft" {
+            path = "/vault/data"
+            retry_join {
+              leader_api_addr = "http://vault-0.vault-internal:8200"
+            }
+            retry_join {
+              leader_api_addr = "http://vault-1.vault-internal:8200"
+            }
+            retry_join {
+              leader_api_addr = "http://vault-2.vault-internal:8200"
+            }
+          }
+
+          service_registration "kubernetes" {}
+
+          telemetry {
+            prometheus_retention_time = "30s"
+            disable_hostname = true
+          }
+
+      disruptionBudget:
+        enabled: true
+        maxUnavailable: null
+    serviceAccount:
+      create: true
+      serviceDiscovery:
+        enabled: true
+    hostNetwork: false
+  ui:
+    enabled: true
+    publishNotReadyAddresses: true
+    activeVaultPodOnly: false
+    serviceType: "ClusterIP"
+    serviceNodePort: null
+    externalPort: 8200
+    targetPort: 8200
+  csi:
+    enabled: false
+  serverTelemetry:
+    serviceMonitor:
+      enabled: true
+      interval: 30s
+      scrapeTimeout: 10s
+    prometheusRules:
+      enabled: true
+      rules:
+        - alert: vault-HighResponseTime
+          annotations:
+            message: The response time of Vault is over 500ms on average over the last 5 minutes.
+          expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500
+          for: 5m
+          labels:
+            severity: warning
+        - alert: vault-HighResponseTime
+          annotations:
+            message: The response time of Vault is over 1s on average over the last 5 minutes.
+          expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000
+          for: 5m
+          labels:
+            severity: critical
+snapshot:
+  global:
+    fullnameOverride: vault-snapshot
+  controllers:
+    snapshot:
+      type: cronjob
+      cronjob:
+        suspend: false
+        concurrencyPolicy: Forbid
+        timeZone: US/Central
+        schedule: 0 4 * * *
+        startingDeadlineSeconds: 90
+        successfulJobsHistory: 3
+        failedJobsHistory: 3
+        backoffLimit: 3
+        parallelism: 1
+      containers:
+        snapshot:
+          image:
+            repository: hashicorp/vault
+            tag: 1.18.4
+            pullPolicy: IfNotPresent
+          command:
+            - /bin/ash
+          args:
+            - -ec
+            - |
+              apk add --no-cache jq;
+              export VAULT_TOKEN=$(vault write auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID -format=json | jq -r .auth.client_token);
+              vault operator raft snapshot save /opt/backup/vault-snapshot-latest.snap;
+              cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap;
+              cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-s3.snap;
+          envFrom:
+            - secretRef:
+                name: vault-snapshot-agent-token
+          env:
+            - name: VAULT_ADDR
+              value: http://vault-active.vault.svc.cluster.local:8200
+          resources:
+            requests:
+              cpu: 10m
+              memory: 64Mi
+        backup:
+          image:
+            repository: amazon/aws-cli
+            tag: 2.24.0
+            pullPolicy: IfNotPresent
+          command:
+            - /bin/sh
+          args:
+            - -ec
+            - |
+              until [ -f /opt/backup/vault-snapshot-s3.snap ]; do sleep 5; done;
+              aws s3 cp /opt/backup/vault-snapshot-s3.snap s3://cl01tl-vault-snapshots/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap;
+              rm /opt/backup/vault-snapshot-s3.snap;
+          envFrom:
+            - secretRef:
+                name: vault-snapshot-s3
+          resources:
+            requests:
+              cpu: 10m
+              memory: 64Mi
+  serviceAccount:
+    create: true
+  persistence:
+    config:
+      existingClaim: vault-nfs-storage-backup
+      advancedMounts:
+        snapshot:
+          snapshot:
+            - path: /opt/backup
+              readOnly: false
+          backup:
+            - path: /opt/backup
+              readOnly: false
+unseal:
+  global:
+    fullnameOverride: vault-unseal
+  controllers:
+    unseal-1:
+      type: deployment
+      replicas: 1
+      strategy: Recreate
+      revisionHistoryLimit: 3
+      containers:
+        main:
+          image:
+            repository: ghcr.io/lrstanley/vault-unseal
+            tag: 0.7.0
+            pullPolicy: IfNotPresent
+          envFrom:
+            - secretRef:
+                name: vault-unseal-config-1
+          resources:
+            requests:
+              cpu: 10m
+              memory: 24Mi
+    unseal-2:
+      type: deployment
+      replicas: 1
+      strategy: Recreate
+      revisionHistoryLimit: 3
+      containers:
+        main:
+          image:
+            repository: ghcr.io/lrstanley/vault-unseal
+            tag: 0.7.0
+            pullPolicy: IfNotPresent
+          envFrom:
+            - secretRef:
+                name: vault-unseal-config-2
+          resources:
+            requests:
+              cpu: 10m
+              memory: 24Mi
+    unseal-3:
+      type: deployment
+      replicas: 1
+      strategy: Recreate
+      revisionHistoryLimit: 3
+      containers:
+        main:
+          image:
+            repository: ghcr.io/lrstanley/vault-unseal
+            tag: 0.7.0
+            pullPolicy: IfNotPresent
+          envFrom:
+            - secretRef:
+                name: vault-unseal-config-3
+          resources:
+            requests:
+              cpu: 10m
+              memory: 24Mi
+  serviceAccount:
+    create: true