vault: global: enabled: true tlsDisable: true psp: enable: false serverTelemetry: prometheusOperator: true injector: enabled: false server: enabled: true image: repository: hashicorp/vault tag: 1.18.5 updateStrategyType: "RollingUpdate" logLevel: debug logFormat: standard resources: requests: cpu: 50m memory: 512Mi ingress: enabled: false route: enabled: false authDelegator: enabled: false readinessProbe: enabled: true port: 8200 livenessProbe: enabled: false volumes: - name: vault-nfs-storage-backup persistentVolumeClaim: claimName: vault-nfs-storage-backup volumeMounts: - mountPath: /opt/backups/ name: vault-nfs-storage-backup readOnly: false affinity: | podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchLabels: app.kubernetes.io/name: {{ template "vault.name" . }} app.kubernetes.io/instance: "{{ .Release.Name }}" component: server topologyKey: kubernetes.io/hostname networkPolicy: enabled: false service: enabled: true active: enabled: true standby: enabled: false type: ClusterIP port: 8200 targetPort: 8200 dataStorage: enabled: true size: 1Gi mountPath: "/vault/data" accessMode: ReadWriteOnce auditStorage: enabled: false size: 5Gi mountPath: "/vault/audit" accessMode: ReadWriteOnce dev: enabled: false standalone: enabled: false ha: enabled: true replicas: 3 raft: enabled: true config: | ui = true listener "tcp" { tls_disable = 1 address = "[::]:8200" cluster_address = "[::]:8201" telemetry { unauthenticated_metrics_access = "true" } } storage "raft" { path = "/vault/data" retry_join { leader_api_addr = "http://vault-0.vault-internal:8200" } retry_join { leader_api_addr = "http://vault-1.vault-internal:8200" } retry_join { leader_api_addr = "http://vault-2.vault-internal:8200" } } service_registration "kubernetes" {} telemetry { prometheus_retention_time = "30s" disable_hostname = true } disruptionBudget: enabled: true maxUnavailable: null serviceAccount: create: true serviceDiscovery: enabled: true hostNetwork: false ui: enabled: true publishNotReadyAddresses: true activeVaultPodOnly: false serviceType: "ClusterIP" serviceNodePort: null externalPort: 8200 targetPort: 8200 csi: enabled: false serverTelemetry: serviceMonitor: enabled: true interval: 30s scrapeTimeout: 10s prometheusRules: enabled: true rules: - alert: vault-HighResponseTime annotations: message: The response time of Vault is over 500ms on average over the last 5 minutes. expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500 for: 5m labels: severity: warning - alert: vault-HighResponseTime annotations: message: The response time of Vault is over 1s on average over the last 5 minutes. expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000 for: 5m labels: severity: critical # snapshot: # global: # fullnameOverride: vault-snapshot # controllers: # snapshot: # type: cronjob # cronjob: # suspend: false # concurrencyPolicy: Forbid # timeZone: US/Central # schedule: 0 4 * * * # startingDeadlineSeconds: 90 # successfulJobsHistory: 3 # failedJobsHistory: 3 # backoffLimit: 3 # parallelism: 1 # initContainers: # snapshot: # image: # repository: hashicorp/vault # tag: 1.18.5 # pullPolicy: IfNotPresent # command: # - /bin/ash # args: # - -ec # - | # apk add --no-cache jq; # export VAULT_TOKEN=$(vault write auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID -format=json | jq -r .auth.client_token); # vault operator raft snapshot save /opt/backup/vault-snapshot-latest.snap; # cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap; # cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-s3.snap; # envFrom: # - secretRef: # name: vault-snapshot-agent-token # env: # - name: VAULT_ADDR # value: http://vault-active.vault.svc.cluster.local:8200 # resources: # requests: # cpu: 10m # memory: 64Mi # containers: # backup: # image: # repository: d3fk/s3cmd # tag: latest@sha256:4bdc8e5817cbdd048e6dc487f42e3d96a6b58af69b4be6f256de5e2416da90e9 # pullPolicy: IfNotPresent # command: # - /bin/sh # args: # - -ec # - | # s3cmd put --no-check-md5 --no-check-certificate /opt/backup/vault-snapshot-s3.snap s3://vault-backups-bcc1e1433e0ce4be526561cb/cl01tl/cl01tl-vault-snapshots/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap; # rm -f /opt/backup/vault-snapshot-s3.snap; # envFrom: # - secretRef: # name: vault-snapshot-s3 # resources: # requests: # cpu: 10m # memory: 64Mi # serviceAccount: # create: true # persistence: # config: # existingClaim: vault-nfs-storage-backup # advancedMounts: # snapshot: # snapshot: # - path: /opt/backup # readOnly: false # backup: # - path: /opt/backup # readOnly: false # s3cmd-config: # enabled: true # type: secret # name: vault-s3cmd-config # advancedMounts: # snapshot: # backup: # - path: /root/.s3cfg # readOnly: true # mountPropagation: None # subPath: .s3cfg # unseal: # global: # fullnameOverride: vault-unseal # controllers: # unseal-1: # type: deployment # replicas: 1 # strategy: Recreate # revisionHistoryLimit: 3 # containers: # main: # image: # repository: ghcr.io/lrstanley/vault-unseal # tag: 0.7.0 # pullPolicy: IfNotPresent # envFrom: # - secretRef: # name: vault-unseal-config-1 # resources: # requests: # cpu: 10m # memory: 24Mi # unseal-2: # type: deployment # replicas: 1 # strategy: Recreate # revisionHistoryLimit: 3 # containers: # main: # image: # repository: ghcr.io/lrstanley/vault-unseal # tag: 0.7.0 # pullPolicy: IfNotPresent # envFrom: # - secretRef: # name: vault-unseal-config-2 # resources: # requests: # cpu: 10m # memory: 24Mi # unseal-3: # type: deployment # replicas: 1 # strategy: Recreate # revisionHistoryLimit: 3 # containers: # main: # image: # repository: ghcr.io/lrstanley/vault-unseal # tag: 0.7.0 # pullPolicy: IfNotPresent # envFrom: # - secretRef: # name: vault-unseal-config-3 # resources: # requests: # cpu: 10m # memory: 24Mi # serviceAccount: # create: true