vault: global: enabled: true tlsDisable: true psp: enable: false serverTelemetry: prometheusOperator: true injector: enabled: false server: enabled: true image: repository: hashicorp/vault tag: 1.20.0 updateStrategyType: "RollingUpdate" logLevel: debug logFormat: standard resources: requests: cpu: 50m memory: 512Mi ingress: enabled: false route: enabled: false authDelegator: enabled: false readinessProbe: enabled: true port: 8200 livenessProbe: enabled: false volumes: - name: vault-nfs-storage-backup persistentVolumeClaim: claimName: vault-nfs-storage-backup volumeMounts: - mountPath: /opt/backups/ name: vault-nfs-storage-backup readOnly: false affinity: | podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchLabels: app.kubernetes.io/name: {{ template "vault.name" . }} app.kubernetes.io/instance: "{{ .Release.Name }}" component: server topologyKey: kubernetes.io/hostname networkPolicy: enabled: false service: enabled: true active: enabled: true standby: enabled: false type: ClusterIP port: 8200 targetPort: 8200 dataStorage: enabled: true size: 1Gi mountPath: "/vault/data" accessMode: ReadWriteOnce auditStorage: enabled: false size: 5Gi mountPath: "/vault/audit" accessMode: ReadWriteOnce dev: enabled: false standalone: enabled: false ha: enabled: true replicas: 3 raft: enabled: true config: | ui = true listener "tcp" { tls_disable = 1 address = "[::]:8200" cluster_address = "[::]:8201" telemetry { unauthenticated_metrics_access = "true" } } storage "raft" { path = "/vault/data" retry_join { leader_api_addr = "http://vault-0.vault-internal:8200" } retry_join { leader_api_addr = "http://vault-1.vault-internal:8200" } retry_join { leader_api_addr = "http://vault-2.vault-internal:8200" } } service_registration "kubernetes" {} telemetry { prometheus_retention_time = "30s" disable_hostname = true } disruptionBudget: enabled: true maxUnavailable: null serviceAccount: create: true serviceDiscovery: enabled: true hostNetwork: false ui: enabled: true publishNotReadyAddresses: true activeVaultPodOnly: false serviceType: "ClusterIP" serviceNodePort: null externalPort: 8200 targetPort: 8200 csi: enabled: false serverTelemetry: serviceMonitor: enabled: true interval: 30s scrapeTimeout: 10s prometheusRules: enabled: true rules: - alert: vault-HighResponseTime annotations: message: The response time of Vault is over 500ms on average over the last 5 minutes. expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500 for: 5m labels: severity: warning - alert: vault-HighResponseTime annotations: message: The response time of Vault is over 1s on average over the last 5 minutes. expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000 for: 5m labels: severity: critical snapshot: global: fullnameOverride: vault-snapshot controllers: snapshot: type: cronjob cronjob: suspend: false concurrencyPolicy: Forbid timeZone: US/Central schedule: 0 4 * * * startingDeadlineSeconds: 90 successfulJobsHistory: 3 failedJobsHistory: 3 backoffLimit: 3 parallelism: 1 initContainers: snapshot: image: repository: hashicorp/vault tag: 1.20.0 pullPolicy: IfNotPresent command: - /bin/ash args: - -ec - | apk add --no-cache jq; echo ">> Running Vault snapshot" export VAULT_TOKEN=$(vault write auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID -format=json | jq -r .auth.client_token); vault operator raft snapshot save /opt/backup/vault-snapshot-latest.snap; cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap; cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-s3.snap; echo ">> Completed Vault snapshot" envFrom: - secretRef: name: vault-snapshot-agent-token env: - name: VAULT_ADDR value: http://vault-active.vault.svc.cluster.local:8200 resources: requests: cpu: 10m memory: 64Mi containers: s3-backup: image: repository: d3fk/s3cmd tag: latest@sha256:dacbd4baa0c66df934e96a9325b9e34563c2ab8e4dd0fe9fd1bd9793d53fb606 pullPolicy: IfNotPresent command: - /bin/sh args: - -ec - | echo ">> Running S3 backup for Vault snapshot" s3cmd put --no-check-md5 --no-check-certificate -v /opt/backup/vault-snapshot-s3.snap ${BUCKET}/cl01tl/cl01tl-vault-snapshots/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap; rm -f /opt/backup/vault-snapshot-s3.snap; echo ">> Completed S3 backup for Vault snapshot" env: - name: BUCKET valueFrom: secretKeyRef: name: vault-s3cmd-config key: BUCKET resources: requests: cpu: 100m memory: 128Mi s3-prune: image: repository: d3fk/s3cmd tag: latest@sha256:dacbd4baa0c66df934e96a9325b9e34563c2ab8e4dd0fe9fd1bd9793d53fb606 pullPolicy: IfNotPresent command: - /bin/sh args: - -ec - | export MONTH_AGO=$(date -d @$(( $(date +%s) - 2592000 )) +%Y-%m-%d\ %H:%M:%S); export TIME_RANGE="$MONTH_AGO" echo ">> Running S3 prune for Vault snapshot repository" echo ">> Backups prior to '$TIME_RANGE' will be removed" echo ">> File list:" s3cmd ls -v ${BUCKET}/cl01tl/cl01tl-vault-snapshots/ echo ">> Deleting ..." s3cmd ls -v ${BUCKET}/cl01tl/cl01tl-vault-snapshots/ | awk -v month_ago="$MONTH_AGO" '$1 < month_ago {print $4}' | while read file; do s3cmd del -v "$file"; done; echo ">> Completed S3 prune for Vault snapshot repository" env: - name: BUCKET valueFrom: secretKeyRef: name: vault-s3cmd-config key: BUCKET resources: requests: cpu: 100m memory: 128Mi persistence: config: existingClaim: vault-nfs-storage-backup advancedMounts: snapshot: snapshot: - path: /opt/backup readOnly: false s3-backup: - path: /opt/backup readOnly: false s3cmd-config: enabled: true type: secret name: vault-s3cmd-config advancedMounts: snapshot: s3-backup: - path: /root/.s3cfg readOnly: true mountPropagation: None subPath: .s3cfg s3-prune: - path: /root/.s3cfg readOnly: true mountPropagation: None subPath: .s3cfg unseal: global: fullnameOverride: vault-unseal controllers: unseal-1: type: deployment replicas: 1 strategy: Recreate revisionHistoryLimit: 3 containers: main: image: repository: ghcr.io/lrstanley/vault-unseal tag: 0.7.2 pullPolicy: IfNotPresent envFrom: - secretRef: name: vault-unseal-config-1 resources: requests: cpu: 10m memory: 24Mi unseal-2: type: deployment replicas: 1 strategy: Recreate revisionHistoryLimit: 3 containers: main: image: repository: ghcr.io/lrstanley/vault-unseal tag: 0.7.2 pullPolicy: IfNotPresent envFrom: - secretRef: name: vault-unseal-config-2 resources: requests: cpu: 10m memory: 24Mi unseal-3: type: deployment replicas: 1 strategy: Recreate revisionHistoryLimit: 3 containers: main: image: repository: ghcr.io/lrstanley/vault-unseal tag: 0.7.2 pullPolicy: IfNotPresent envFrom: - secretRef: name: vault-unseal-config-3 resources: requests: cpu: 10m memory: 24Mi