vault: global: enabled: true tlsDisable: true psp: enable: false serverTelemetry: prometheusOperator: true injector: enabled: false server: enabled: true image: repository: hashicorp/vault tag: 1.18.4 updateStrategyType: "RollingUpdate" logLevel: debug logFormat: standard resources: requests: cpu: 50m memory: 512Mi ingress: enabled: true annotations: traefik.ingress.kubernetes.io/router.entrypoints: websecure traefik.ingress.kubernetes.io/router.tls: "true" cert-manager.io/cluster-issuer: letsencrypt-issuer ingressClassName: traefik pathType: Prefix activeService: true hosts: - host: vault.alexlebens.net paths: - / tls: - secretName: vault-tls-secret hosts: - vault.alexlebens.net route: enabled: false authDelegator: enabled: false readinessProbe: enabled: true port: 8200 livenessProbe: enabled: false volumes: - name: vault-nfs-storage-backup persistentVolumeClaim: claimName: vault-nfs-storage-backup volumeMounts: - mountPath: /opt/backups/ name: vault-nfs-storage-backup readOnly: false affinity: | podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchLabels: app.kubernetes.io/name: {{ template "vault.name" . }} app.kubernetes.io/instance: "{{ .Release.Name }}" component: server topologyKey: kubernetes.io/hostname networkPolicy: enabled: false service: enabled: true active: enabled: true standby: enabled: false type: ClusterIP port: 8200 targetPort: 8200 dataStorage: enabled: true size: 1Gi mountPath: "/vault/data" accessMode: ReadWriteOnce auditStorage: enabled: false size: 5Gi mountPath: "/vault/audit" accessMode: ReadWriteOnce dev: enabled: false standalone: enabled: false ha: enabled: true replicas: 3 raft: enabled: true config: | ui = true listener "tcp" { tls_disable = 1 address = "[::]:8200" cluster_address = "[::]:8201" telemetry { unauthenticated_metrics_access = "true" } } storage "raft" { path = "/vault/data" retry_join { leader_api_addr = "http://vault-0.vault-internal:8200" } retry_join { leader_api_addr = "http://vault-1.vault-internal:8200" } retry_join { leader_api_addr = "http://vault-2.vault-internal:8200" } } service_registration "kubernetes" {} telemetry { prometheus_retention_time = "30s" disable_hostname = true } disruptionBudget: enabled: true maxUnavailable: null serviceAccount: create: true serviceDiscovery: enabled: true hostNetwork: false ui: enabled: true publishNotReadyAddresses: true activeVaultPodOnly: false serviceType: "ClusterIP" serviceNodePort: null externalPort: 8200 targetPort: 8200 csi: enabled: false serverTelemetry: serviceMonitor: enabled: true interval: 30s scrapeTimeout: 10s prometheusRules: enabled: true rules: - alert: vault-HighResponseTime annotations: message: The response time of Vault is over 500ms on average over the last 5 minutes. expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500 for: 5m labels: severity: warning - alert: vault-HighResponseTime annotations: message: The response time of Vault is over 1s on average over the last 5 minutes. expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000 for: 5m labels: severity: critical snapshot: global: fullnameOverride: vault-snapshot controllers: snapshot: type: cronjob cronjob: suspend: false concurrencyPolicy: Forbid timeZone: US/Central schedule: 0 4 * * * startingDeadlineSeconds: 90 successfulJobsHistory: 3 failedJobsHistory: 3 backoffLimit: 3 parallelism: 1 initContainers: snapshot: image: repository: hashicorp/vault tag: 1.18.4 pullPolicy: IfNotPresent command: - /bin/ash args: - -ec - | apk add --no-cache jq; export VAULT_TOKEN=$(vault write auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID -format=json | jq -r .auth.client_token); vault operator raft snapshot save /opt/backup/vault-snapshot-latest.snap; cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap; cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-s3.snap; envFrom: - secretRef: name: vault-snapshot-agent-token env: - name: VAULT_ADDR value: http://vault-active.vault.svc.cluster.local:8200 resources: requests: cpu: 10m memory: 64Mi containers: backup: image: repository: d3fk/s3cmd tag: latest@sha256:4bdc8e5817cbdd048e6dc487f42e3d96a6b58af69b4be6f256de5e2416da90e9 pullPolicy: IfNotPresent command: - /bin/sh args: - -ec - | s3cmd put --no-check-md5 --no-check-certificate /opt/backup/vault-snapshot-s3.snap s3://vault-backups-bcc1e1433e0ce4be526561cb/cl01tl/cl01tl-vault-snapshots/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap; rm -f /opt/backup/vault-snapshot-s3.snap; envFrom: - secretRef: name: vault-snapshot-s3 resources: requests: cpu: 10m memory: 64Mi serviceAccount: create: true persistence: config: existingClaim: vault-nfs-storage-backup advancedMounts: snapshot: snapshot: - path: /opt/backup readOnly: false backup: - path: /opt/backup readOnly: false s3cmd-config: enabled: true type: secret name: vault-s3cmd-config advancedMounts: snapshot: backup: - path: /root/.s3cfg readOnly: true mountPropagation: None subPath: .s3cfg unseal: global: fullnameOverride: vault-unseal controllers: unseal-1: type: deployment replicas: 1 strategy: Recreate revisionHistoryLimit: 3 containers: main: image: repository: ghcr.io/lrstanley/vault-unseal tag: 0.7.0 pullPolicy: IfNotPresent envFrom: - secretRef: name: vault-unseal-config-1 resources: requests: cpu: 10m memory: 24Mi unseal-2: type: deployment replicas: 1 strategy: Recreate revisionHistoryLimit: 3 containers: main: image: repository: ghcr.io/lrstanley/vault-unseal tag: 0.7.0 pullPolicy: IfNotPresent envFrom: - secretRef: name: vault-unseal-config-2 resources: requests: cpu: 10m memory: 24Mi unseal-3: type: deployment replicas: 1 strategy: Recreate revisionHistoryLimit: 3 containers: main: image: repository: ghcr.io/lrstanley/vault-unseal tag: 0.7.0 pullPolicy: IfNotPresent envFrom: - secretRef: name: vault-unseal-config-3 resources: requests: cpu: 10m memory: 24Mi serviceAccount: create: true