diff --git a/clusters/cl01tl/manifests/blocky/ConfigMap-blocky.yaml b/clusters/cl01tl/manifests/blocky/ConfigMap-blocky.yaml index 35a216a2a..e9e14643a 100644 --- a/clusters/cl01tl/manifests/blocky/ConfigMap-blocky.yaml +++ b/clusters/cl01tl/manifests/blocky/ConfigMap-blocky.yaml @@ -153,7 +153,6 @@ data: sparkyfitness IN CNAME traefik-cl01tl tdarr IN CNAME traefik-cl01tl tubearchivist IN CNAME traefik-cl01tl - vault IN CNAME traefik-cl01tl whodb IN CNAME traefik-cl01tl yamtrack IN CNAME traefik-cl01tl yubal IN CNAME traefik-cl01tl diff --git a/clusters/cl01tl/manifests/blocky/Deployment-blocky.yaml b/clusters/cl01tl/manifests/blocky/Deployment-blocky.yaml index cc8f8bfb6..da3942392 100644 --- a/clusters/cl01tl/manifests/blocky/Deployment-blocky.yaml +++ b/clusters/cl01tl/manifests/blocky/Deployment-blocky.yaml @@ -22,7 +22,7 @@ spec: template: metadata: annotations: - checksum/configMaps: 8aadfb0f8e3c44c960e3daba036be7e8b635c50df168eef754e6cdd0745e118c + checksum/configMaps: 9896e1f76ba730d198b720637dc5ad6903cb51fce3bd554ff8866bf252c11b03 labels: app.kubernetes.io/controller: main app.kubernetes.io/instance: blocky diff --git a/clusters/cl01tl/manifests/gatus/ConfigMap-gatus.yaml b/clusters/cl01tl/manifests/gatus/ConfigMap-gatus.yaml index 047065e8e..36e8bf253 100644 --- a/clusters/cl01tl/manifests/gatus/ConfigMap-gatus.yaml +++ b/clusters/cl01tl/manifests/gatus/ConfigMap-gatus.yaml @@ -456,15 +456,6 @@ data: interval: 30s name: whodb url: https://whodb.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: vault - url: https://vault.alexlebens.net - alerts: - type: ntfy conditions: diff --git a/clusters/cl01tl/manifests/gatus/Deployment-gatus.yaml b/clusters/cl01tl/manifests/gatus/Deployment-gatus.yaml index ac513a4fe..9ab5a8da7 100644 --- a/clusters/cl01tl/manifests/gatus/Deployment-gatus.yaml +++ b/clusters/cl01tl/manifests/gatus/Deployment-gatus.yaml 
@@ -26,7 +26,7 @@ spec: app.kubernetes.io/name: gatus app.kubernetes.io/instance: gatus annotations: - checksum/config: d9ee58caa34a5c15e53b782c6fb620492f6f9054f598cc17e4d51ea91d98d2cc + checksum/config: 8e95a6f2ad7d4bb7edf60154d0e7c1ffe9cff0313e507d1a6870ca3af4b43499 spec: serviceAccountName: default automountServiceAccountToken: false diff --git a/clusters/cl01tl/manifests/gitea/StatefulSet-gitea-runner.yaml b/clusters/cl01tl/manifests/gitea/StatefulSet-gitea-runner.yaml index e858b6139..d98b5ae18 100644 --- a/clusters/cl01tl/manifests/gitea/StatefulSet-gitea-runner.yaml +++ b/clusters/cl01tl/manifests/gitea/StatefulSet-gitea-runner.yaml @@ -46,7 +46,7 @@ spec: done echo "Gitea has been reached!" - name: dind - image: "docker.io/docker:29.5.2-dind@sha256:eb37f58646a901dc7727cf448cae36daaefaba79de33b5058dab79aa4c04aefb" + image: "docker.io/docker:29.5.2-dind@sha256:6b9cd914eb9c6b342c040a49a27a5eb3804453bae6ecc90f7ff96133595a95e8" restartPolicy: Always imagePullPolicy: IfNotPresent securityContext: diff --git a/clusters/cl01tl/manifests/grafana-operator/GrafanaDashboard-grafana-dashboard-vault.yaml b/clusters/cl01tl/manifests/grafana-operator/GrafanaDashboard-grafana-dashboard-vault.yaml deleted file mode 100644 index f0ca5060e..000000000 --- a/clusters/cl01tl/manifests/grafana-operator/GrafanaDashboard-grafana-dashboard-vault.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaDashboard -metadata: - name: grafana-dashboard-vault - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-dashboard-vault - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - instanceSelector: - matchLabels: - app: grafana-main - contentCacheDuration: 6h - folderUID: grafana-folder-platform - resyncPeriod: 6h - url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/platform/vault.json 
diff --git a/clusters/cl01tl/manifests/homepage/ConfigMap-homepage.yaml b/clusters/cl01tl/manifests/homepage/ConfigMap-homepage.yaml index cdb756d41..5d7c8dc26 100644 --- a/clusters/cl01tl/manifests/homepage/ConfigMap-homepage.yaml +++ b/clusters/cl01tl/manifests/homepage/ConfigMap-homepage.yaml @@ -534,18 +534,6 @@ data: href: https://whodb.alexlebens.net siteMonitor: http://whodb.whodb:80 statusStyle: dot - - Secrets: - icon: sh-hashicorp-vault.webp - description: Vault - href: https://vault.alexlebens.net - siteMonitor: http://vault.vault:8200 - statusStyle: dot - namespace: vault - app: vault - podSelector: >- - app.kubernetes.io/instance in ( - vault - ) - Secrets: icon: sh-openbao.webp description: OpenBao diff --git a/clusters/cl01tl/manifests/homepage/Deployment-homepage.yaml b/clusters/cl01tl/manifests/homepage/Deployment-homepage.yaml index 4891fae44..7c691f2ce 100644 --- a/clusters/cl01tl/manifests/homepage/Deployment-homepage.yaml +++ b/clusters/cl01tl/manifests/homepage/Deployment-homepage.yaml @@ -24,7 +24,7 @@ spec: template: metadata: annotations: - checksum/configMaps: 3961d0f5ae725dd1e304dac409388ca1912e656ddf41fdd298c1ee2fc404bbc3 + checksum/configMaps: 52976622e46503ade5b5046760e6006d1b9d0ac30131509c883b9006283520d8 labels: app.kubernetes.io/controller: main app.kubernetes.io/instance: homepage diff --git a/clusters/cl01tl/manifests/vault/ConfigMap-vault-backup-script.yaml b/clusters/cl01tl/manifests/vault/ConfigMap-vault-backup-script.yaml deleted file mode 100644 index a374cb5af..000000000 --- a/clusters/cl01tl/manifests/vault/ConfigMap-vault-backup-script.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: vault-backup-script - namespace: vault - labels: - app.kubernetes.io/name: vault-backup-script - app.kubernetes.io/instance: vault - app.kubernetes.io/part-of: vault -data: - backup.sh: | - echo " "; - echo ">> Running S3 backup for Vault snapshot"; - OUTPUT=$(s3cmd sync --no-check-certificate -v /opt/backup/* "${BUCKET}/cl01tl/cl01tl-vault-snapshots/" 2>&1) diff --git a/clusters/cl01tl/manifests/vault/ConfigMap-vault-config.yaml b/clusters/cl01tl/manifests/vault/ConfigMap-vault-config.yaml deleted file mode 100644 index a78ecd123..000000000 --- a/clusters/cl01tl/manifests/vault/ConfigMap-vault-config.yaml +++ /dev/null @@ -1,44 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: vault-config - namespace: vault - labels: - helm.sh/chart: vault-0.32.0 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - app.kubernetes.io/managed-by: Helm -data: - extraconfig-from-values.hcl: |- - ui = true - - listener "tcp" { - tls_disable = 1 - address = "[::]:8200" - cluster_address = "[::]:8201" - telemetry { - unauthenticated_metrics_access = "true" - } - } - - storage "raft" { - path = "/vault/data" - retry_join { - leader_api_addr = "http://vault-0.vault-internal:8200" - } - retry_join { - leader_api_addr = "http://vault-1.vault-internal:8200" - } - retry_join { - leader_api_addr = "http://vault-2.vault-internal:8200" - } - } - - service_registration "kubernetes" {} - - telemetry { - prometheus_retention_time = "30s" - disable_hostname = true - } - - disable_mlock = true diff --git a/clusters/cl01tl/manifests/vault/ConfigMap-vault-snapshot-script.yaml b/clusters/cl01tl/manifests/vault/ConfigMap-vault-snapshot-script.yaml deleted file mode 100644 index 0188c47e1..000000000 --- a/clusters/cl01tl/manifests/vault/ConfigMap-vault-snapshot-script.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: vault-snapshot-script - namespace: vault - labels: - app.kubernetes.io/name: vault-snapshot-script - app.kubernetes.io/instance: vault - app.kubernetes.io/part-of: vault -data: - snapshot.sh: | - DATE=$(date +"%Y%m%d-%H-%M") - - echo " " - echo ">> Running Vault Snapshot Script ..." - - echo " " - echo ">> Fetching Vault token ..." - export VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID) - - if [ -z "$VAULT_TOKEN" ]; then - echo ">> ERROR: Failed to fetch Vault token! Exiting..." - exit 1 - fi - - echo " " - echo ">> Taking Vault snapshot ..." - vault operator raft snapshot save /opt/backup/vault-snapshot-$DATE.snap - - echo " " - echo ">> Setting ownership of Vault snapshot ..." - chown 100:1000 /opt/backup/vault-snapshot-$DATE.snap - - echo " " - echo ">> Completed Vault snapshot" diff --git a/clusters/cl01tl/manifests/vault/CronJob-vault-snapshot.yaml b/clusters/cl01tl/manifests/vault/CronJob-vault-snapshot.yaml deleted file mode 100644 index 16d63c77b..000000000 --- a/clusters/cl01tl/manifests/vault/CronJob-vault-snapshot.yaml +++ /dev/null 
@@ -1,147 +0,0 @@ -apiVersion: batch/v1 -kind: CronJob -metadata: - name: vault-snapshot - labels: - app.kubernetes.io/controller: snapshot - app.kubernetes.io/instance: vault - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: vault - helm.sh/chart: snapshot-5.0.1 - namespace: vault -spec: - suspend: false - concurrencyPolicy: Forbid - startingDeadlineSeconds: 30 - timeZone: America/Chicago - schedule: "0 4 * * *" - successfulJobsHistoryLimit: 1 - failedJobsHistoryLimit: 1 - jobTemplate: - spec: - parallelism: 1 - backoffLimit: 3 - template: - metadata: - labels: - app.kubernetes.io/controller: snapshot - app.kubernetes.io/instance: vault - app.kubernetes.io/name: vault - spec: - enableServiceLinks: false - serviceAccountName: vault-snapshot - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - restartPolicy: Never - initContainers: - - args: - - -ec - - /scripts/snapshot.sh - command: - - /bin/ash - env: - - name: VAULT_ADDR - value: http://vault-active.vault.svc.cluster.local:8200 - envFrom: - - secretRef: - name: vault-snapshot-agent-role - image: hashicorp/vault:2.0.1@sha256:7553550027156b8f04e81f61a98c3f53a7bce57104f2a400e2012c851f66ac19 - name: snapshot - volumeMounts: - - mountPath: /opt/backup - name: backup - - mountPath: /scripts/snapshot.sh - name: snapshot-script - subPath: snapshot.sh - containers: - - args: - - -ec - - /scripts/backup.sh - command: - - /bin/sh - env: - - name: BUCKET - valueFrom: - secretKeyRef: - key: BUCKET - name: vault-backup-local-config - - name: TARGET - value: Local - envFrom: - - secretRef: - name: vault-ntfy-config - image: d3fk/s3cmd:latest@sha256:d66cc5677b30b31a7981f9fde0af064a9072e8b8a57d5e9b4cc02f44f02acbf2 - name: s3-backup-local - volumeMounts: - - mountPath: /opt/backup - name: backup - - mountPath: /root/.s3cfg - mountPropagation: None - name: backup-local-config - readOnly: true - subPath: .s3cfg - - mountPath: /scripts/backup.sh - name: 
backup-script - subPath: backup.sh - - args: - - -ec - - /scripts/backup.sh - command: - - /bin/sh - env: - - name: BUCKET - valueFrom: - secretKeyRef: - key: BUCKET - name: vault-backup-remote-config - - name: TARGET - value: Remote - envFrom: - - secretRef: - name: vault-ntfy-config - image: d3fk/s3cmd:latest@sha256:d66cc5677b30b31a7981f9fde0af064a9072e8b8a57d5e9b4cc02f44f02acbf2 - name: s3-backup-remote - volumeMounts: - - mountPath: /opt/backup - name: backup - - mountPath: /root/.s3cfg - mountPropagation: None - name: backup-remote-config - readOnly: true - subPath: .s3cfg - - mountPath: /scripts/backup.sh - name: backup-script - subPath: backup.sh - volumes: - - name: backup - persistentVolumeClaim: - claimName: vault-storage-backup - - csi: - driver: secrets-store.csi.k8s.io - readOnly: true - volumeAttributes: - secretProviderClass: vault-backup-external-config - name: backup-external-config - - csi: - driver: secrets-store.csi.k8s.io - readOnly: true - volumeAttributes: - secretProviderClass: vault-backup-local-config - name: backup-local-config - - csi: - driver: secrets-store.csi.k8s.io - readOnly: true - volumeAttributes: - secretProviderClass: vault-backup-remote-config - name: backup-remote-config - - configMap: - defaultMode: 493 - name: vault-backup-script - name: backup-script - - configMap: - defaultMode: 493 - name: vault-snapshot-script - name: snapshot-script diff --git a/clusters/cl01tl/manifests/vault/Deployment-vault-unseal-unseal-1.yaml b/clusters/cl01tl/manifests/vault/Deployment-vault-unseal-unseal-1.yaml deleted file mode 100644 index aa2731bb1..000000000 --- a/clusters/cl01tl/manifests/vault/Deployment-vault-unseal-unseal-1.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: vault-unseal-unseal-1 - labels: - app.kubernetes.io/controller: unseal-1 - app.kubernetes.io/instance: vault - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: vault - helm.sh/chart: unseal-5.0.1 - namespace: vault -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: unseal-1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - template: - metadata: - labels: - app.kubernetes.io/controller: unseal-1 - app.kubernetes.io/instance: vault - app.kubernetes.io/name: vault - spec: - enableServiceLinks: false - serviceAccountName: vault-unseal - automountServiceAccountToken: false - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - envFrom: - - secretRef: - name: vault-unseal-config-1 - - secretRef: - name: vault-ntfy-unseal-config - image: ghcr.io/lrstanley/vault-unseal:1.0.0@sha256:9b936fadc8dea2a473972806bffc218a4dd2fbc3b373566138a60e058cc544aa - name: main - resources: - requests: - cpu: 1m - memory: 10Mi diff --git a/clusters/cl01tl/manifests/vault/Deployment-vault-unseal-unseal-2.yaml b/clusters/cl01tl/manifests/vault/Deployment-vault-unseal-unseal-2.yaml deleted file mode 100644 index 6155164fd..000000000 --- a/clusters/cl01tl/manifests/vault/Deployment-vault-unseal-unseal-2.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: vault-unseal-unseal-2 - labels: - app.kubernetes.io/controller: unseal-2 - app.kubernetes.io/instance: vault - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: vault - helm.sh/chart: unseal-5.0.1 - namespace: vault -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: unseal-2 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - template: - metadata: - labels: - app.kubernetes.io/controller: unseal-2 - app.kubernetes.io/instance: vault - app.kubernetes.io/name: vault - spec: - enableServiceLinks: false - serviceAccountName: vault-unseal - automountServiceAccountToken: false - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - envFrom: - - secretRef: - name: vault-unseal-config-2 - - secretRef: - name: vault-ntfy-unseal-config - image: ghcr.io/lrstanley/vault-unseal:1.0.0@sha256:9b936fadc8dea2a473972806bffc218a4dd2fbc3b373566138a60e058cc544aa - name: main - resources: - requests: - cpu: 1m - memory: 10Mi diff --git a/clusters/cl01tl/manifests/vault/Deployment-vault-unseal-unseal-3.yaml b/clusters/cl01tl/manifests/vault/Deployment-vault-unseal-unseal-3.yaml deleted file mode 100644 index 3c258189c..000000000 --- a/clusters/cl01tl/manifests/vault/Deployment-vault-unseal-unseal-3.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: vault-unseal-unseal-3 - labels: - app.kubernetes.io/controller: unseal-3 - app.kubernetes.io/instance: vault - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: vault - helm.sh/chart: unseal-5.0.1 - namespace: vault -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: unseal-3 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - template: - metadata: - labels: - app.kubernetes.io/controller: unseal-3 - app.kubernetes.io/instance: vault - app.kubernetes.io/name: vault - spec: - enableServiceLinks: false - serviceAccountName: vault-unseal - automountServiceAccountToken: false - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - envFrom: - - secretRef: - name: vault-unseal-config-3 - - secretRef: - name: vault-ntfy-unseal-config - image: ghcr.io/lrstanley/vault-unseal:1.0.0@sha256:9b936fadc8dea2a473972806bffc218a4dd2fbc3b373566138a60e058cc544aa - name: main - resources: - requests: - cpu: 1m - memory: 10Mi diff --git a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-backup-local-config.yaml b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-backup-local-config.yaml deleted file mode 100644 index 89161e130..000000000 --- a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-backup-local-config.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: vault-backup-local-config - namespace: vault - labels: - app.kubernetes.io/name: vault-backup-local-config - app.kubernetes.io/instance: vault - app.kubernetes.io/part-of: vault -spec: - secretStoreRef: - kind: ClusterSecretStore - name: openbao - data: - - secretKey: BUCKET - remoteRef: - key: /garage/home-infra/vault-backups - property: BUCKET_PATH 
diff --git a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-backup-remote-config.yaml b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-backup-remote-config.yaml deleted file mode 100644 index e18f8b5c6..000000000 --- a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-backup-remote-config.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: vault-backup-remote-config - namespace: vault - labels: - app.kubernetes.io/name: vault-backup-remote-config - app.kubernetes.io/instance: vault - app.kubernetes.io/part-of: vault -spec: - secretStoreRef: - kind: ClusterSecretStore - name: openbao - data: - - secretKey: BUCKET - remoteRef: - key: /garage/home-infra/vault-backups - property: BUCKET_PATH diff --git a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-ntfy-config.yaml b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-ntfy-config.yaml deleted file mode 100644 index 875e72495..000000000 --- a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-ntfy-config.yaml +++ /dev/null @@ -1,26 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: vault-ntfy-config - namespace: vault - labels: - app.kubernetes.io/name: vault-ntfy-config - app.kubernetes.io/instance: vault - app.kubernetes.io/part-of: vault -spec: - secretStoreRef: - kind: ClusterSecretStore - name: openbao - data: - - secretKey: NTFY_TOKEN - remoteRef: - key: /cl01tl/ntfy/users/cl01tl - property: token - - secretKey: NTFY_ENDPOINT - remoteRef: - key: /cl01tl/ntfy/config - property: internal-endpoint - - secretKey: NTFY_TOPIC - remoteRef: - key: /cl01tl/ntfy/topics - property: vault diff --git a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-ntfy-unseal-config.yaml b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-ntfy-unseal-config.yaml deleted file mode 100644 index fa33f1b62..000000000 --- a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-ntfy-unseal-config.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: vault-ntfy-unseal-config - namespace: vault - labels: - app.kubernetes.io/name: vault-ntfy-unseal-config - app.kubernetes.io/instance: vault - app.kubernetes.io/part-of: vault -spec: - secretStoreRef: - kind: ClusterSecretStore - name: openbao - target: - template: - mergePolicy: Merge - engineVersion: v2 - data: - NOTIFY_QUEUE_URLS: "{{ .endpoint }}/{{ .topic }}/?priority=4&tags=vault,unseal&title=Vault+Unsealed" - data: - - secretKey: endpoint - remoteRef: - key: /cl01tl/ntfy/users/cl01tl - property: internal-endpoint-credential - - secretKey: topic - remoteRef: - key: /cl01tl/ntfy/topics - property: vault diff --git a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-snapshot-agent-role.yaml b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-snapshot-agent-role.yaml deleted file mode 100644 index 73a81d8d4..000000000 --- a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-snapshot-agent-role.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: vault-snapshot-agent-role - namespace: vault - labels: - app.kubernetes.io/name: vault-snapshot-agent-role - app.kubernetes.io/instance: vault - app.kubernetes.io/part-of: vault -spec: - secretStoreRef: - kind: ClusterSecretStore - name: openbao - data: - - secretKey: VAULT_APPROLE_ROLE_ID - remoteRef: - key: /cl01tl/vault/role/snapshot - property: role-id - - secretKey: VAULT_APPROLE_SECRET_ID - remoteRef: - key: /cl01tl/vault/role/snapshot - property: secret-id diff --git a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-token.yaml b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-token.yaml deleted file mode 100644 index 4e095e5e2..000000000 --- a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-token.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: vault-token - namespace: vault - labels: - app.kubernetes.io/name: vault-token - app.kubernetes.io/instance: vault - app.kubernetes.io/part-of: vault -spec: - secretStoreRef: - kind: ClusterSecretStore - name: openbao - data: - - secretKey: token - remoteRef: - key: /cl01tl/vault/token - property: root diff --git a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-unseal-config-1.yaml b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-unseal-config-1.yaml deleted file mode 100644 index 2cc9bbcd2..000000000 --- a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-unseal-config-1.yaml +++ /dev/null @@ -1,26 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: vault-unseal-config-1 - namespace: vault - labels: - app.kubernetes.io/name: vault-unseal-config-1 - app.kubernetes.io/instance: vault - app.kubernetes.io/part-of: vault -spec: - secretStoreRef: - kind: ClusterSecretStore - name: openbao - data: - - secretKey: ENVIRONMENT - remoteRef: - key: /cl01tl/vault/unseal - property: environment - - secretKey: NODES - remoteRef: - key: /cl01tl/vault/unseal - property: nodes - - secretKey: TOKENS - remoteRef: - key: /cl01tl/vault/unseal - property: tokens-1 diff --git a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-unseal-config-2.yaml b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-unseal-config-2.yaml deleted file mode 100644 index 173425663..000000000 --- a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-unseal-config-2.yaml +++ /dev/null 
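Review bot: Deleting these ExternalSecrets removes the Kubernetes copies but not the material they pulled from the `openbao` ClusterSecretStore — the root token at `/cl01tl/vault/token` (property `root`), the unseal tokens at `/cl01tl/vault/unseal` consumed by the three `vault-unseal` Deployments (the `vault-unseal-config-2` and `-3` hunks on the following line read the same path), and the snapshot AppRole `role-id`/`secret-id` at `/cl01tl/vault/role/snapshot`. Once Vault no longer runs in the cluster those entries are stale but still sensitive, because the unseal tokens are what a restore of the raft snapshots the backup script synced to `${BUCKET}/cl01tl/cl01tl-vault-snapshots/` would need. The decommission should therefore also delete or revoke those KV entries and state explicitly whether the S3 snapshots and the contents of the `vault-storage-backup` PVC (removed further down) are kept for rollback or wiped; if a snapshot is retained, the unseal tokens must be retained with it under the same access control. None of that is visible in the diff, so it may have been done out of band — a line in the commit message would make it auditable.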
@@ -1,26 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: vault-unseal-config-2 - namespace: vault - labels: - app.kubernetes.io/name: vault-unseal-config-2 - app.kubernetes.io/instance: vault - app.kubernetes.io/part-of: vault -spec: - secretStoreRef: - kind: ClusterSecretStore - name: openbao - data: - - secretKey: ENVIRONMENT - remoteRef: - key: /cl01tl/vault/unseal - property: environment - - secretKey: NODES - remoteRef: - key: /cl01tl/vault/unseal - property: nodes - - secretKey: TOKENS - remoteRef: - key: /cl01tl/vault/unseal - property: tokens-2 diff --git a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-unseal-config-3.yaml b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-unseal-config-3.yaml deleted file mode 100644 index b5f29558b..000000000 --- a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-unseal-config-3.yaml +++ /dev/null @@ -1,26 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: vault-unseal-config-3 - namespace: vault - labels: - app.kubernetes.io/name: vault-unseal-config-3 - app.kubernetes.io/instance: vault - app.kubernetes.io/part-of: vault -spec: - secretStoreRef: - kind: ClusterSecretStore - name: openbao - data: - - secretKey: ENVIRONMENT - remoteRef: - key: /cl01tl/vault/unseal - property: environment - - secretKey: NODES - remoteRef: - key: /cl01tl/vault/unseal - property: nodes - - secretKey: TOKENS - remoteRef: - key: /cl01tl/vault/unseal - property: tokens-3 diff --git a/clusters/cl01tl/manifests/vault/HTTPRoute-vault.yaml b/clusters/cl01tl/manifests/vault/HTTPRoute-vault.yaml deleted file mode 100644 index c67d79b66..000000000 --- a/clusters/cl01tl/manifests/vault/HTTPRoute-vault.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: vault - namespace: vault - labels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - app.kubernetes.io/part-of: vault -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - vault.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: vault-active - port: 8200 diff --git a/clusters/cl01tl/manifests/vault/Ingress-vault-tailscale.yaml b/clusters/cl01tl/manifests/vault/Ingress-vault-tailscale.yaml deleted file mode 100644 index e067e3f7d..000000000 --- a/clusters/cl01tl/manifests/vault/Ingress-vault-tailscale.yaml +++ /dev/null @@ -1,29 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: vault-tailscale - namespace: vault - labels: - app.kubernetes.io/name: vault-tailscale - app.kubernetes.io/instance: vault - app.kubernetes.io/part-of: vault - tailscale.com/proxy-class: no-metrics - annotations: - tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true" -spec: - ingressClassName: tailscale - tls: - - hosts: - - vault-cl01tl - secretName: vault-cl01tl - rules: - - host: vault-cl01tl - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: vault-active - port: - number: 8200 diff --git a/clusters/cl01tl/manifests/vault/PersistentVolumeClaim-vault-storage-backup.yaml b/clusters/cl01tl/manifests/vault/PersistentVolumeClaim-vault-storage-backup.yaml deleted file mode 100644 index 21ff4c017..000000000 --- a/clusters/cl01tl/manifests/vault/PersistentVolumeClaim-vault-storage-backup.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: vault-storage-backup - namespace: vault - labels: - app.kubernetes.io/name: vault-storage-backup - app.kubernetes.io/instance: vault - app.kubernetes.io/part-of: vault -spec: - volumeMode: Filesystem - storageClassName: ceph-filesystem - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi diff --git a/clusters/cl01tl/manifests/vault/Pod-vault-server-test.yaml b/clusters/cl01tl/manifests/vault/Pod-vault-server-test.yaml deleted file mode 100644 index 350a50a47..000000000 --- a/clusters/cl01tl/manifests/vault/Pod-vault-server-test.yaml +++ /dev/null @@ -1,44 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: vault-server-test - namespace: vault - annotations: - "helm.sh/hook": test -spec: - containers: - - name: vault-server-test - image: hashicorp/vault:2.0.1@sha256:7553550027156b8f04e81f61a98c3f53a7bce57104f2a400e2012c851f66ac19 - imagePullPolicy: IfNotPresent - env: - - name: VAULT_ADDR - value: http://vault.vault.svc:8200 - command: - - /bin/sh - - -c - - | - echo "Checking for sealed info in 'vault status' output" - ATTEMPTS=10 - n=0 - until [ "$n" -ge $ATTEMPTS ] - do - echo "Attempt" $n... - vault status -format yaml | grep -E '^sealed: (true|false)' && break - n=$((n+1)) - sleep 5 - done - if [ $n -ge $ATTEMPTS ]; then - echo "timed out looking for sealed info in 'vault status' output" - exit 1 - fi - - exit 0 - volumeMounts: - - mountPath: /opt/backups/ - name: vault-storage-backup - readOnly: false - volumes: - - name: vault-storage-backup - persistentVolumeClaim: - claimName: vault-storage-backup - restartPolicy: Never diff --git a/clusters/cl01tl/manifests/vault/PodDisruptionBudget-vault.yaml b/clusters/cl01tl/manifests/vault/PodDisruptionBudget-vault.yaml deleted file mode 100644 index 98df31a89..000000000 --- a/clusters/cl01tl/manifests/vault/PodDisruptionBudget-vault.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: vault - namespace: vault - labels: - helm.sh/chart: vault-0.32.0 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - app.kubernetes.io/managed-by: Helm -spec: - maxUnavailable: 1 - selector: - matchLabels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - component: server diff --git a/clusters/cl01tl/manifests/vault/PrometheusRule-vault.yaml b/clusters/cl01tl/manifests/vault/PrometheusRule-vault.yaml deleted file mode 100644 index 25ff1a39a..000000000 --- a/clusters/cl01tl/manifests/vault/PrometheusRule-vault.yaml +++ /dev/null @@ -1,28 +0,0 @@ -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: vault - labels: - helm.sh/chart: vault-0.32.0 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - app.kubernetes.io/managed-by: Helm - release: prometheus -spec: - groups: - - name: vault - rules: - - alert: vault-HighResponseTime - annotations: - message: The response time of Vault is over 500ms on average over the last 5 minutes. - expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500 - for: 5m - labels: - severity: warning - - alert: vault-HighResponseTime - annotations: - message: The response time of Vault is over 1s on average over the last 5 minutes. - expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000 - for: 5m - labels: - severity: critical diff --git a/clusters/cl01tl/manifests/vault/Role-vault-discovery-role.yaml b/clusters/cl01tl/manifests/vault/Role-vault-discovery-role.yaml deleted file mode 100644 index b6016e562..000000000 --- a/clusters/cl01tl/manifests/vault/Role-vault-discovery-role.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - namespace: vault - name: vault-discovery-role - labels: - helm.sh/chart: vault-0.32.0 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: [""] - resources: ["pods"] - verbs: ["get", "watch", "list", "update", "patch"] diff --git a/clusters/cl01tl/manifests/vault/RoleBinding-vault-discovery-rolebinding.yaml b/clusters/cl01tl/manifests/vault/RoleBinding-vault-discovery-rolebinding.yaml deleted file mode 100644 index abe1c3cee..000000000 --- a/clusters/cl01tl/manifests/vault/RoleBinding-vault-discovery-rolebinding.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: vault-discovery-rolebinding - namespace: vault - labels: - helm.sh/chart: vault-0.32.0 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: vault-discovery-role -subjects: - - kind: ServiceAccount - name: vault - namespace: vault diff --git a/clusters/cl01tl/manifests/vault/SecretProviderClass-vault-backup-local-config.yaml b/clusters/cl01tl/manifests/vault/SecretProviderClass-vault-backup-local-config.yaml deleted file mode 100644 index e9556ac83..000000000 --- a/clusters/cl01tl/manifests/vault/SecretProviderClass-vault-backup-local-config.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -apiVersion: secrets-store.csi.x-k8s.io/v1 -kind: SecretProviderClass -metadata: - name: vault-backup-local-config - namespace: vault - labels: - app.kubernetes.io/name: vault-backup-local-config - app.kubernetes.io/instance: vault - app.kubernetes.io/part-of: vault -spec: - provider: openbao - parameters: - baoAddress: "http://openbao-internal.openbao:8200" - roleName: vault - objects: | - - objectName: .s3cfg - fileName: .s3cfg - secretPath: secret/data/garage/home-infra/vault-backups - secretKey: s3cfg-local diff --git a/clusters/cl01tl/manifests/vault/SecretProviderClass-vault-backup-remote-config.yaml b/clusters/cl01tl/manifests/vault/SecretProviderClass-vault-backup-remote-config.yaml deleted file mode 100644 index 56c0a6a54..000000000 --- a/clusters/cl01tl/manifests/vault/SecretProviderClass-vault-backup-remote-config.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: secrets-store.csi.x-k8s.io/v1 -kind: SecretProviderClass -metadata: - name: vault-backup-remote-config - namespace: vault - labels: - app.kubernetes.io/name: vault-backup-remote-config - app.kubernetes.io/instance: vault - app.kubernetes.io/part-of: vault -spec: - provider: openbao - parameters: - baoAddress: "http://openbao-internal.openbao:8200" - roleName: vault - objects: | - - objectName: .s3cfg - fileName: .s3cfg - secretPath: secret/data/garage/home-infra/vault-backups - secretKey: s3cfg-remote diff --git a/clusters/cl01tl/manifests/vault/Service-vault-active.yaml b/clusters/cl01tl/manifests/vault/Service-vault-active.yaml deleted file mode 100644 index eca12f7cb..000000000 --- a/clusters/cl01tl/manifests/vault/Service-vault-active.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: vault-active - namespace: vault - labels: - helm.sh/chart: vault-0.32.0 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - app.kubernetes.io/managed-by: Helm - vault-active: "true" - annotations: -spec: - publishNotReadyAddresses: true - ports: - - name: http - port: 8200 - targetPort: 8200 - - name: https-internal - port: 8201 - targetPort: 8201 - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - component: server - vault-active: "true" diff --git a/clusters/cl01tl/manifests/vault/Service-vault-internal.yaml b/clusters/cl01tl/manifests/vault/Service-vault-internal.yaml deleted file mode 100644 index 6db02caec..000000000 --- a/clusters/cl01tl/manifests/vault/Service-vault-internal.yaml +++ /dev/null @@ -1,26 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: vault-internal - namespace: vault - labels: - helm.sh/chart: vault-0.32.0 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - app.kubernetes.io/managed-by: Helm - vault-internal: "true" - annotations: -spec: - clusterIP: None - publishNotReadyAddresses: true - ports: - - name: "http" - port: 8200 - targetPort: 8200 - - name: https-internal - port: 8201 - targetPort: 8201 - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - component: server diff --git a/clusters/cl01tl/manifests/vault/Service-vault-standby.yaml b/clusters/cl01tl/manifests/vault/Service-vault-standby.yaml deleted file mode 100644 index ba770a818..000000000 --- a/clusters/cl01tl/manifests/vault/Service-vault-standby.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: vault-standby - namespace: vault - labels: - helm.sh/chart: vault-0.32.0 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - app.kubernetes.io/managed-by: Helm - annotations: -spec: - publishNotReadyAddresses: true - ports: - - name: http - port: 8200 - targetPort: 8200 - - name: https-internal - port: 8201 - targetPort: 8201 - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - component: server - vault-active: "false" diff --git a/clusters/cl01tl/manifests/vault/Service-vault.yaml b/clusters/cl01tl/manifests/vault/Service-vault.yaml deleted file mode 100644 index 6d138f331..000000000 --- a/clusters/cl01tl/manifests/vault/Service-vault.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: vault - namespace: vault - labels: - helm.sh/chart: vault-0.32.0 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - app.kubernetes.io/managed-by: Helm - annotations: -spec: - publishNotReadyAddresses: true - ports: - - name: http - port: 8200 - targetPort: 8200 - - name: https-internal - port: 8201 - targetPort: 8201 - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - component: server diff --git a/clusters/cl01tl/manifests/vault/ServiceAccount-vault-snapshot.yaml b/clusters/cl01tl/manifests/vault/ServiceAccount-vault-snapshot.yaml deleted file mode 100644 index 00c35d408..000000000 --- a/clusters/cl01tl/manifests/vault/ServiceAccount-vault-snapshot.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vault-snapshot - labels: - app.kubernetes.io/instance: vault - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: vault - helm.sh/chart: snapshot-5.0.1 - namespace: vault 
diff --git a/clusters/cl01tl/manifests/vault/ServiceAccount-vault-unseal.yaml b/clusters/cl01tl/manifests/vault/ServiceAccount-vault-unseal.yaml deleted file mode 100644 index 6428ebf27..000000000 --- a/clusters/cl01tl/manifests/vault/ServiceAccount-vault-unseal.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vault-unseal - labels: - app.kubernetes.io/instance: vault - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: vault - helm.sh/chart: unseal-5.0.1 - namespace: vault diff --git a/clusters/cl01tl/manifests/vault/ServiceAccount-vault.yaml b/clusters/cl01tl/manifests/vault/ServiceAccount-vault.yaml deleted file mode 100644 index 4fde6cdc6..000000000 --- a/clusters/cl01tl/manifests/vault/ServiceAccount-vault.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vault - namespace: vault - labels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - app.kubernetes.io/part-of: vault diff --git a/clusters/cl01tl/manifests/vault/ServiceMonitor-vault.yaml b/clusters/cl01tl/manifests/vault/ServiceMonitor-vault.yaml deleted file mode 100644 index f42c2af0f..000000000 --- a/clusters/cl01tl/manifests/vault/ServiceMonitor-vault.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: vault - labels: - helm.sh/chart: vault-0.32.0 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - app.kubernetes.io/managed-by: Helm - release: prometheus -spec: - selector: - matchLabels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - vault-active: "true" - endpoints: - - port: http - interval: 30s - scrapeTimeout: 10s - scheme: http - path: /v1/sys/metrics - params: - format: - - prometheus - tlsConfig: - insecureSkipVerify: true - namespaceSelector: - matchNames: - - vault 
diff --git a/clusters/cl01tl/manifests/vault/StatefulSet-vault.yaml b/clusters/cl01tl/manifests/vault/StatefulSet-vault.yaml deleted file mode 100644 index 3a9e18f8c..000000000 --- a/clusters/cl01tl/manifests/vault/StatefulSet-vault.yaml +++ /dev/null 
@@ -1,151 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: vault - namespace: vault - labels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - app.kubernetes.io/managed-by: Helm -spec: - serviceName: vault-internal - podManagementPolicy: Parallel - replicas: 3 - updateStrategy: - type: RollingUpdate - selector: - matchLabels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - component: server - template: - metadata: - labels: - helm.sh/chart: vault-0.32.0 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - component: server - annotations: - spec: - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: "vault" - component: server - topologyKey: kubernetes.io/hostname - terminationGracePeriodSeconds: 10 - serviceAccountName: vault - securityContext: - runAsNonRoot: true - runAsGroup: 1000 - runAsUser: 100 - fsGroup: 1000 - hostNetwork: false - volumes: - - name: config - configMap: - name: vault-config - - name: vault-storage-backup - persistentVolumeClaim: - claimName: vault-storage-backup - - name: home - emptyDir: {} - containers: - - name: vault - resources: - requests: - cpu: 50m - memory: 512Mi - image: hashicorp/vault:2.0.1@sha256:7553550027156b8f04e81f61a98c3f53a7bce57104f2a400e2012c851f66ac19 - imagePullPolicy: IfNotPresent - command: - - "/bin/sh" - - "-ec" - args: - - "cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl;\n[ -n \"${HOST_IP}\" ] && sed -Ei \"s|HOST_IP|${HOST_IP?}|g\" /tmp/storageconfig.hcl;\n[ -n \"${POD_IP}\" ] && sed -Ei \"s|POD_IP|${POD_IP?}|g\" /tmp/storageconfig.hcl;\n[ -n \"${HOSTNAME}\" ] && sed -Ei \"s|HOSTNAME|${HOSTNAME?}|g\" /tmp/storageconfig.hcl;\n[ -n \"${API_ADDR}\" ] && sed -Ei \"s|API_ADDR|${API_ADDR?}|g\" /tmp/storageconfig.hcl;\n[ -n \"${TRANSIT_ADDR}\" ] && sed -Ei \"s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g\" 
/tmp/storageconfig.hcl;\n[ -n \"${RAFT_ADDR}\" ] && sed -Ei \"s|RAFT_ADDR|${RAFT_ADDR?}|g\" /tmp/storageconfig.hcl;\n/usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl \n" - securityContext: - allowPrivilegeEscalation: false - env: - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: VAULT_K8S_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: VAULT_K8S_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: VAULT_ADDR - value: "http://127.0.0.1:8200" - - name: VAULT_API_ADDR - value: "http://$(POD_IP):8200" - - name: SKIP_CHOWN - value: "true" - - name: SKIP_SETCAP - value: "true" - - name: HOSTNAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: VAULT_CLUSTER_ADDR - value: "https://$(HOSTNAME).vault-internal:8201" - - name: HOME - value: "/home/vault" - - name: VAULT_LOG_LEVEL - value: "debug" - - name: VAULT_LOG_FORMAT - value: "standard" - volumeMounts: - - name: data - mountPath: /vault/data - - name: config - mountPath: /vault/config - - mountPath: /opt/backups/ - name: vault-storage-backup - readOnly: false - - name: home - mountPath: /home/vault - ports: - - containerPort: 8200 - name: http - - containerPort: 8201 - name: https-internal - - containerPort: 8202 - name: http-rep - readinessProbe: - exec: - command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"] - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 3 - lifecycle: - preStop: - exec: - command: - - "/bin/sh" - - "-c" - - "sleep 5 && kill -SIGTERM $(pidof vault)" - volumeClaimTemplates: - - apiVersion: v1 - kind: PersistentVolumeClaim - metadata: - name: data - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - storageClassName: ceph-block