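---
# Rendered chart output for the `vault` release in namespace `vault`; every
# document carries a `# Source:` marker naming the template it came from.
# Reviewer notes are plain YAML comments; block scalars (HCL, shell) are
# reproduced verbatim.
#
# Source: vault/charts/vault/templates/server-disruptionbudget.yaml
# PodDisruptionBudget to prevent degrading the server cluster through
# voluntary cluster changes.
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: vault
  namespace: vault
  labels:
    helm.sh/chart: vault-0.31.0
    app.kubernetes.io/name: vault
    app.kubernetes.io/instance: vault
    app.kubernetes.io/managed-by: Helm
spec:
  # The StatefulSet below runs 3 replicas, so this keeps two servers (a raft
  # majority) up during node drains.
  maxUnavailable: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: vault
      app.kubernetes.io/instance: vault
      component: server
---
# Source: vault/charts/vault/templates/server-serviceaccount.yaml
# Identity used by the server pods; it is the subject of the discovery
# RoleBinding below.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault
  namespace: vault
  labels:
    helm.sh/chart: vault-0.31.0
    app.kubernetes.io/name: vault
    app.kubernetes.io/instance: vault
    app.kubernetes.io/managed-by: Helm
---
# Source: vault/charts/vault/templates/server-config-configmap.yaml
# Server configuration. The StatefulSet copies this file to /tmp and
# substitutes the HOST_IP/POD_IP/... placeholders before starting Vault.
apiVersion: v1
kind: ConfigMap
metadata:
  name: vault-config
  namespace: vault
  labels:
    helm.sh/chart: vault-0.31.0
    app.kubernetes.io/name: vault
    app.kubernetes.io/instance: vault
    app.kubernetes.io/managed-by: Helm
data:
  # The API listener is plaintext (tls_disable = 1): clients, the
  # Ingress/HTTPRoute backends, the snapshot job and the ServiceMonitor all
  # reach port 8200 over HTTP. The cluster port 8201 keeps Vault's own TLS
  # (VAULT_CLUSTER_ADDR on the StatefulSet is https). /v1/sys/metrics is
  # readable without a token because of unauthenticated_metrics_access.
  # retry_join names the three StatefulSet pods through the vault-internal
  # headless Service; keep it in step with spec.replicas.
  # service_registration "kubernetes" is what keeps the vault-active /
  # vault-internal pod labels current, hence the pods update/patch Role below.
  # disable_mlock = true (with SKIP_SETCAP) means Vault memory may be swapped
  # by the host; acceptable only if swap is disabled or encrypted on the nodes.
  extraconfig-from-values.hcl: |-
    ui = true
    listener "tcp" {
      tls_disable = 1
      address = "[::]:8200"
      cluster_address = "[::]:8201"
      telemetry {
        unauthenticated_metrics_access = "true"
      }
    }
    storage "raft" {
      path = "/vault/data"
      retry_join {
        leader_api_addr = "http://vault-0.vault-internal:8200"
      }
      retry_join {
        leader_api_addr = "http://vault-1.vault-internal:8200"
      }
      retry_join {
        leader_api_addr = "http://vault-2.vault-internal:8200"
      }
    }
    service_registration "kubernetes" {}
    telemetry {
      prometheus_retention_time = "30s"
      disable_hostname = true
    }
    disable_mlock = true
---
# Source: vault/templates/persistent-volume-claim.yaml
# Shared snapshot volume: written by the vault-snapshot CronJob (/opt/backup),
# mounted read-write by all three server pods (/opt/backups/) and by the test
# Pod. ReadWriteOnce is not enforced across nodes by NFS-backed classes, which
# is why this works despite the required pod anti-affinity; ReadWriteMany would
# state the real usage, but accessModes are immutable once the PVC exists.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: vault-nfs-storage-backup
  namespace: vault
  labels:
    app.kubernetes.io/name: vault-nfs-storage-backup
    app.kubernetes.io/instance: vault
    app.kubernetes.io/part-of: vault
spec:
  volumeMode: Filesystem
  storageClassName: nfs-client
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
---
# Source: vault/charts/vault/templates/server-discovery-role.yaml
# Namespace-scoped Role (not a ClusterRole): update/patch on pods lets Vault
# label its own pod for the active/standby Services.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: vault
  name: vault-discovery-role
  labels:
    helm.sh/chart: vault-0.31.0
    app.kubernetes.io/name: vault
    app.kubernetes.io/instance: vault
    app.kubernetes.io/managed-by: Helm
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "watch", "list", "update", "patch"]
---
# Source: vault/charts/vault/templates/server-discovery-rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: vault-discovery-rolebinding
  namespace: vault
  labels:
    helm.sh/chart: vault-0.31.0
    app.kubernetes.io/name: vault
    app.kubernetes.io/instance: vault
    app.kubernetes.io/managed-by: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: vault-discovery-role
subjects:
  - kind: ServiceAccount
    name: vault
    namespace: vault
---
# Source: vault/charts/vault/templates/server-ha-active-service.yaml
# Service for active Vault pod
# Selects on the vault-active pod label maintained by service_registration;
# this is the backend used by the Ingress, the HTTPRoute and the snapshot job.
apiVersion: v1
kind: Service
metadata:
  name: vault-active
  namespace: vault
  labels:
    helm.sh/chart: vault-0.31.0
    app.kubernetes.io/name: vault
    app.kubernetes.io/instance: vault
    app.kubernetes.io/managed-by: Helm
    vault-active: "true"
  annotations: {}
spec:
  type: ClusterIP
  publishNotReadyAddresses: true
  ports:
    - name: http
      port: 8200
      targetPort: 8200
    - name: https-internal
      port: 8201
      targetPort: 8201
  selector:
    app.kubernetes.io/name: vault
    app.kubernetes.io/instance: vault
    component: server
    vault-active: "true"
---
# Source: vault/charts/vault/templates/server-headless-service.yaml
# Service for Vault cluster
# Headless service providing the vault-N.vault-internal names used by
# retry_join and VAULT_CLUSTER_ADDR.
apiVersion: v1
kind: Service
metadata:
  name: vault-internal
  namespace: vault
  labels:
    helm.sh/chart: vault-0.31.0
    app.kubernetes.io/name: vault
    app.kubernetes.io/instance: vault
    app.kubernetes.io/managed-by: Helm
    vault-internal: "true"
  annotations: {}
spec:
  clusterIP: None
  publishNotReadyAddresses: true
  ports:
    - name: "http"
      port: 8200
      targetPort: 8200
    - name: https-internal
      port: 8201
      targetPort: 8201
  selector:
    app.kubernetes.io/name: vault
    app.kubernetes.io/instance: vault
    component: server
---
# Source: vault/charts/vault/templates/server-service.yaml
# Service for Vault cluster
apiVersion: v1
kind: Service
metadata:
  name: vault
  namespace: vault
  labels:
    helm.sh/chart: vault-0.31.0
    app.kubernetes.io/name: vault
    app.kubernetes.io/instance: vault
    app.kubernetes.io/managed-by: Helm
  annotations: {}
spec:
  type: ClusterIP
  # We want the servers to become available even if they're not ready
  # since this DNS is also used for join operations.
  publishNotReadyAddresses: true
  ports:
    - name: http
      port: 8200
      targetPort: 8200
    - name: https-internal
      port: 8201
      targetPort: 8201
  selector:
    app.kubernetes.io/name: vault
    app.kubernetes.io/instance: vault
    component: server
---
# Source: vault/charts/vault/templates/ui-service.yaml
apiVersion: v1
kind: Service
metadata:
  name: vault-ui
  namespace: vault
  labels:
    helm.sh/chart: vault-0.31.0
    app.kubernetes.io/name: vault-ui
    app.kubernetes.io/instance: vault
    app.kubernetes.io/managed-by: Helm
spec:
  selector:
    app.kubernetes.io/name: vault
    app.kubernetes.io/instance: vault
    component: server
  publishNotReadyAddresses: true
  ports:
    - name: http
      port: 8200
      targetPort: 8200
  type: ClusterIP
---
# Source: vault/charts/unseal/templates/common.yaml
# Three single-replica unseal controllers, each fed its own Secret
# (vault-unseal-config-N, which carries TOKENS). The same notes apply to
# unseal-2 and unseal-3 below.
# The pods run as the `default` ServiceAccount with its token auto-mounted;
# the container only needs to reach the Vault nodes listed in NODES, so
# automountServiceAccountToken should be false unless the image is known to
# call the Kubernetes API (not verified here). No securityContext is set on
# the pod or container.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vault-unseal-unseal-1
  labels:
    app.kubernetes.io/controller: unseal-1
    app.kubernetes.io/instance: vault
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: vault
    helm.sh/chart: unseal-4.4.0
  namespace: vault
spec:
  revisionHistoryLimit: 3
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/controller: unseal-1
      app.kubernetes.io/name: vault
      app.kubernetes.io/instance: vault
  template:
    metadata:
      labels:
        app.kubernetes.io/controller: unseal-1
        app.kubernetes.io/instance: vault
        app.kubernetes.io/name: vault
    spec:
      enableServiceLinks: false
      serviceAccountName: default
      automountServiceAccountToken: true
      hostIPC: false
      hostNetwork: false
      hostPID: false
      dnsPolicy: ClusterFirst
      containers:
        - envFrom:
            - secretRef:
                name: vault-unseal-config-1
          image: ghcr.io/lrstanley/vault-unseal:0.7.2
          imagePullPolicy: IfNotPresent
          name: main
          resources:
            requests:
              cpu: 10m
              memory: 24Mi
---
# Source: vault/charts/unseal/templates/common.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vault-unseal-unseal-2
  labels:
    app.kubernetes.io/controller: unseal-2
    app.kubernetes.io/instance: vault
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: vault
    helm.sh/chart: unseal-4.4.0
  namespace: vault
spec:
  revisionHistoryLimit: 3
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/controller: unseal-2
      app.kubernetes.io/name: vault
      app.kubernetes.io/instance: vault
  template:
    metadata:
      labels:
        app.kubernetes.io/controller: unseal-2
        app.kubernetes.io/instance: vault
        app.kubernetes.io/name: vault
    spec:
      enableServiceLinks: false
      serviceAccountName: default
      automountServiceAccountToken: true
      hostIPC: false
      hostNetwork: false
      hostPID: false
      dnsPolicy: ClusterFirst
      containers:
        - envFrom:
            - secretRef:
                name: vault-unseal-config-2
          image: ghcr.io/lrstanley/vault-unseal:0.7.2
          imagePullPolicy: IfNotPresent
          name: main
          resources:
            requests:
              cpu: 10m
              memory: 24Mi
---
# Source: vault/charts/unseal/templates/common.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vault-unseal-unseal-3
  labels:
    app.kubernetes.io/controller: unseal-3
    app.kubernetes.io/instance: vault
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: vault
    helm.sh/chart: unseal-4.4.0
  namespace: vault
spec:
  revisionHistoryLimit: 3
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/controller: unseal-3
      app.kubernetes.io/name: vault
      app.kubernetes.io/instance: vault
  template:
    metadata:
      labels:
        app.kubernetes.io/controller: unseal-3
        app.kubernetes.io/instance: vault
        app.kubernetes.io/name: vault
    spec:
      enableServiceLinks: false
      serviceAccountName: default
      automountServiceAccountToken: true
      hostIPC: false
      hostNetwork: false
      hostPID: false
      dnsPolicy: ClusterFirst
      containers:
        - envFrom:
            - secretRef:
                name: vault-unseal-config-3
          image: ghcr.io/lrstanley/vault-unseal:0.7.2
          imagePullPolicy: IfNotPresent
          name: main
          resources:
            requests:
              cpu: 10m
              memory: 24Mi
---
# Source: vault/charts/vault/templates/server-statefulset.yaml
# StatefulSet to run the actual vault server cluster.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: vault
  namespace: vault
  labels:
    app.kubernetes.io/name: vault
    app.kubernetes.io/instance: vault
    app.kubernetes.io/managed-by: Helm
spec:
  serviceName: vault-internal
  podManagementPolicy: Parallel
  replicas: 3
  updateStrategy:
    type: RollingUpdate
  selector:
    matchLabels:
      app.kubernetes.io/name: vault
      app.kubernetes.io/instance: vault
      component: server
  template:
    metadata:
      labels:
        helm.sh/chart: vault-0.31.0
        app.kubernetes.io/name: vault
        app.kubernetes.io/instance: vault
        component: server
      annotations: {}
    spec:
      # Hard anti-affinity: the three raft members land on three distinct nodes.
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  app.kubernetes.io/name: vault
                  app.kubernetes.io/instance: "vault"
                  component: server
              topologyKey: kubernetes.io/hostname
      terminationGracePeriodSeconds: 10
      serviceAccountName: vault
      securityContext:
        runAsNonRoot: true
        runAsGroup: 1000
        runAsUser: 100
        fsGroup: 1000
      hostNetwork: false
      volumes:
        - name: config
          configMap:
            name: vault-config
        - name: vault-nfs-storage-backup
          persistentVolumeClaim:
            claimName: vault-nfs-storage-backup
        - name: home
          emptyDir: {}
      containers:
        - name: vault
          resources:
            requests:
              cpu: 50m
              memory: 512Mi
          image: hashicorp/vault:1.21.1
          imagePullPolicy: IfNotPresent
          command:
            - "/bin/sh"
            - "-ec"
          # Copies the ConfigMap to a writable path and substitutes the
          # placeholder tokens from the environment before exec'ing the image
          # entrypoint. Each `[ -n ... ] &&` line is a no-op when the variable
          # is unset (API_ADDR, TRANSIT_ADDR, RAFT_ADDR are not set below).
          args:
            - |
              cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl;
              [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl;
              [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl;
              [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl;
              [ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl;
              [ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl;
              [ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl;
              /usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl
          # Only privilege escalation is blocked. With SKIP_SETCAP=true and
          # disable_mlock in the config the process should not need
          # CAP_IPC_LOCK, so `capabilities: {drop: [ALL]}` is a candidate
          # hardening step — confirm against the image before adding it.
          securityContext:
            allowPrivilegeEscalation: false
          env:
            - name: HOST_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.hostIP
            - name: POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: VAULT_K8S_POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: VAULT_K8S_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: VAULT_ADDR
              value: "http://127.0.0.1:8200"
            - name: VAULT_API_ADDR
              value: "http://$(POD_IP):8200"
            - name: SKIP_CHOWN
              value: "true"
            - name: SKIP_SETCAP
              value: "true"
            - name: HOSTNAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: VAULT_CLUSTER_ADDR
              value: "https://$(HOSTNAME).vault-internal:8201"
            - name: HOME
              value: "/home/vault"
            # debug is very verbose and can include request details in the
            # pod logs; prefer info outside active troubleshooting.
            - name: VAULT_LOG_LEVEL
              value: "debug"
            - name: VAULT_LOG_FORMAT
              value: "standard"
          volumeMounts:
            - name: data
              mountPath: /vault/data
            - name: config
              mountPath: /vault/config
            # Snapshots are produced by the CronJob, not by the servers; unless
            # restores are performed from inside a server pod this mount could
            # be readOnly: true.
            - mountPath: /opt/backups/
              name: vault-nfs-storage-backup
              readOnly: false
            - name: home
              mountPath: /home/vault
          ports:
            - containerPort: 8200
              name: http
            - containerPort: 8201
              name: https-internal
            # 8202 is declared here but no Service in this file exposes it.
            - containerPort: 8202
              name: http-rep
          readinessProbe:
            # Check status; unsealed vault servers return 0
            # The exit code reflects the seal status:
            #   0 - unsealed
            #   1 - error
            #   2 - sealed
            # A sealed pod therefore stays unready until an unseal controller
            # reaches it; the Services above use publishNotReadyAddresses so
            # join traffic still resolves.
            exec:
              command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"]
            failureThreshold: 2
            initialDelaySeconds: 5
            periodSeconds: 5
            successThreshold: 1
            timeoutSeconds: 3
          lifecycle:
            # Vault container doesn't receive SIGTERM from Kubernetes
            # and after the grace period ends, Kube sends SIGKILL.  This
            # causes issues with graceful shutdowns such as deregistering itself
            # from Consul (zombie services).
            preStop:
              exec:
                command:
                  - "/bin/sh"
                  - "-c"
                  # Adding a sleep here to give the pod eviction a
                  # chance to propagate, so requests will not be made
                  # to this pod while it's terminating
                  - "sleep 5 && kill -SIGTERM $(pidof vault)"
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 1Gi
---
# Source: vault/charts/snapshot/templates/common.yaml
# Nightly raft snapshot: the init container logs in with AppRole credentials
# and writes the snapshot to the shared NFS PVC; the main container uploads a
# copy with s3cmd.
# Notes: the AppRole role_id/secret_id and the resulting token are exposed
# through the init container's environment (envFrom vault-snapshot-agent-token).
# `apk add` fetches jq from the Alpine mirrors on every run, so the job needs
# outbound network access and installs an unpinned package at runtime — an
# image that already ships jq would remove that dependency. The upload runs
# with --no-check-certificate, so the bucket endpoint's TLS certificate is
# never verified; drop the flag if the endpoint presents a valid chain.
# Like the unseal Deployments, the pod auto-mounts the `default`
# ServiceAccount token although neither container appears to need the
# Kubernetes API.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: vault-snapshot
  labels:
    app.kubernetes.io/controller: snapshot
    app.kubernetes.io/instance: vault
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: vault
    helm.sh/chart: snapshot-4.4.0
  namespace: vault
spec:
  suspend: false
  concurrencyPolicy: Forbid
  startingDeadlineSeconds: 90
  timeZone: US/Central
  schedule: "0 4 * * *"
  successfulJobsHistoryLimit: 3
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      parallelism: 1
      backoffLimit: 3
      template:
        metadata:
          labels:
            app.kubernetes.io/controller: snapshot
            app.kubernetes.io/instance: vault
            app.kubernetes.io/name: vault
        spec:
          enableServiceLinks: false
          serviceAccountName: default
          automountServiceAccountToken: true
          hostIPC: false
          hostNetwork: false
          hostPID: false
          dnsPolicy: ClusterFirst
          restartPolicy: Never
          initContainers:
            - args:
                - -ec
                - |
                  apk add --no-cache jq;
                  echo ">> Running Vault snapshot"
                  export VAULT_TOKEN=$(vault write auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID -format=json | jq -r .auth.client_token);
                  vault operator raft snapshot save /opt/backup/vault-snapshot-latest.snap;
                  cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap;
                  cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-s3.snap;
                  echo ">> Completed Vault snapshot"
              command:
                - /bin/ash
              env:
                # Plain HTTP, matching tls_disable = 1 on the listener.
                - name: VAULT_ADDR
                  value: http://vault-active.vault.svc.cluster.local:8200
              envFrom:
                - secretRef:
                    name: vault-snapshot-agent-token
              image: hashicorp/vault:1.21.1
              imagePullPolicy: IfNotPresent
              name: snapshot
              resources:
                requests:
                  cpu: 10m
                  memory: 64Mi
              volumeMounts:
                - mountPath: /opt/backup
                  name: config
          containers:
            - args:
                - -ec
                - |
                  echo ">> Running S3 backup for Vault snapshot"
                  s3cmd put --no-check-md5 --no-check-certificate -v /opt/backup/vault-snapshot-s3.snap ${BUCKET}/cl01tl/cl01tl-vault-snapshots/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap;
                  rm -f /opt/backup/vault-snapshot-s3.snap;
                  echo ">> Completed S3 backup for Vault snapshot"
              command:
                - /bin/sh
              env:
                - name: BUCKET
                  valueFrom:
                    secretKeyRef:
                      key: BUCKET
                      name: vault-s3cmd-config
              # Pinned by digest; the `latest` tag is informational only.
              image: d3fk/s3cmd:latest@sha256:7bdbd33bb3d044884598898b9e9b383385759fbd6ebf52888700bd9b0e0fab91
              imagePullPolicy: IfNotPresent
              name: s3-backup
              resources:
                requests:
                  cpu: 100m
                  memory: 128Mi
              volumeMounts:
                - mountPath: /opt/backup
                  name: config
                - mountPath: /root/.s3cfg
                  mountPropagation: None
                  name: s3cmd-config
                  readOnly: true
                  subPath: .s3cfg
          volumes:
            - name: config
              persistentVolumeClaim:
                claimName: vault-nfs-storage-backup
            - name: s3cmd-config
              secret:
                secretName: vault-s3cmd-config
---
# Source: vault/templates/ingress.yaml
# Tailnet-facing entry point. TLS terminates at the Tailscale proxy; the hop
# to vault-active:8200 is plain HTTP (tls_disable = 1 in the ConfigMap).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: vault-tailscale
  namespace: vault
  labels:
    app.kubernetes.io/name: vault-tailscale
    app.kubernetes.io/instance: vault
    app.kubernetes.io/part-of: vault
    tailscale.com/proxy-class: no-metrics
  annotations:
    tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
spec:
  ingressClassName: tailscale
  tls:
    - hosts:
        - vault-cl01tl
      secretName: vault-cl01tl
  rules:
    - host: vault-cl01tl
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: vault-active
                port:
                  number: 8200
---
# Source: vault/templates/external-secret.yaml
# AppRole credentials consumed by the vault-snapshot init container.
# All ExternalSecrets in this file read from a ClusterSecretStore named
# `vault`; if that store is backed by this same Vault, the unseal and AppRole
# material can only be refreshed while Vault is already unsealed — confirm it
# points at a separate store.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: vault-snapshot-agent-token
  namespace: vault
  labels:
    app.kubernetes.io/name: vault-snapshot-agent-token
    app.kubernetes.io/instance: vault
    app.kubernetes.io/part-of: vault
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: VAULT_APPROLE_ROLE_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/vault/snapshot
        metadataPolicy: None
        property: VAULT_APPROLE_ROLE_ID
    - secretKey: VAULT_APPROLE_SECRET_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/vault/snapshot
        metadataPolicy: None
        property: VAULT_APPROLE_SECRET_ID
---
# Source: vault/templates/external-secret.yaml
# s3cmd configuration (credentials file) and bucket name for the upload step.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: vault-s3cmd-config
  namespace: vault
  labels:
    app.kubernetes.io/name: vault-s3cmd-config
    app.kubernetes.io/instance: vault
    app.kubernetes.io/part-of: vault
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: .s3cfg
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/vault-backup
        metadataPolicy: None
        property: s3cfg
    - secretKey: BUCKET
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/vault-backup
        metadataPolicy: None
        property: BUCKET
---
# Source: vault/templates/external-secret.yaml
# Environment for unseal controller 1 (config-2 and config-3 follow the same
# layout). TOKENS is unseal material and TLS_SKIP_VERIFY is only meaningful
# if NODES lists https addresses.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: vault-unseal-config-1
  namespace: vault
  labels:
    app.kubernetes.io/name: vault-unseal-config-1
    app.kubernetes.io/instance: vault
    app.kubernetes.io/part-of: vault
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: ENVIRONMENT
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/vault/unseal/config-1
        metadataPolicy: None
        property: ENVIRONMENT
    - secretKey: CHECK_INTERVAL
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/vault/unseal/config-1
        metadataPolicy: None
        property: CHECK_INTERVAL
    - secretKey: MAX_CHECK_INTERVAL
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/vault/unseal/config-1
        metadataPolicy: None
        property: MAX_CHECK_INTERVAL
    - secretKey: NODES
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/vault/unseal/config-1
        metadataPolicy: None
        property: NODES
    - secretKey: TLS_SKIP_VERIFY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/vault/unseal/config-1
        metadataPolicy: None
        property: TLS_SKIP_VERIFY
    - secretKey: TOKENS
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/vault/unseal/config-1
        metadataPolicy: None
        property: TOKENS
    - secretKey: EMAIL_ENABLED
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/vault/unseal/config-1
        metadataPolicy: None
        property: EMAIL_ENABLED
    - secretKey: NOTIFY_MAX_ELAPSED
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/vault/unseal/config-1
        metadataPolicy: None
        property: NOTIFY_MAX_ELAPSED
    - secretKey: NOTIFY_QUEUE_DELAY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/vault/unseal/config-1
        metadataPolicy: None
        property: NOTIFY_QUEUE_DELAY
---
# Source: vault/templates/external-secret.yaml
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: vault-unseal-config-2
  namespace: vault
  labels:
    app.kubernetes.io/name: vault-unseal-config-2
    app.kubernetes.io/instance: vault
    app.kubernetes.io/part-of: vault
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: ENVIRONMENT
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/vault/unseal/config-2
        metadataPolicy: None
        property: ENVIRONMENT
    - secretKey: CHECK_INTERVAL
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/vault/unseal/config-2
        metadataPolicy: None
        property: CHECK_INTERVAL
    - secretKey: MAX_CHECK_INTERVAL
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/vault/unseal/config-2
        metadataPolicy: None
        property: MAX_CHECK_INTERVAL
    - secretKey: NODES
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/vault/unseal/config-2
        metadataPolicy: None
        property: NODES
    - secretKey: TLS_SKIP_VERIFY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/vault/unseal/config-2
        metadataPolicy: None
        property: TLS_SKIP_VERIFY
    - secretKey: TOKENS
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/vault/unseal/config-2
        metadataPolicy: None
        property: TOKENS
    - secretKey: EMAIL_ENABLED
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/vault/unseal/config-2
        metadataPolicy: None
        property: EMAIL_ENABLED
    - secretKey: NOTIFY_MAX_ELAPSED
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/vault/unseal/config-2
        metadataPolicy: None
        property: NOTIFY_MAX_ELAPSED
    - secretKey: NOTIFY_QUEUE_DELAY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/vault/unseal/config-2
        metadataPolicy: None
        property: NOTIFY_QUEUE_DELAY
---
# Source: vault/templates/external-secret.yaml
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: vault-unseal-config-3
  namespace: vault
  labels:
    app.kubernetes.io/name: vault-unseal-config-3
    app.kubernetes.io/instance: vault
    app.kubernetes.io/part-of: vault
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: ENVIRONMENT
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/vault/unseal/config-3
        metadataPolicy: None
        property: ENVIRONMENT
    - secretKey: CHECK_INTERVAL
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/vault/unseal/config-3
        metadataPolicy: None
        property: CHECK_INTERVAL
    - secretKey: MAX_CHECK_INTERVAL
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/vault/unseal/config-3
        metadataPolicy: None
        property: MAX_CHECK_INTERVAL
    - secretKey: NODES
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/vault/unseal/config-3
        metadataPolicy: None
        property: NODES
    - secretKey: TLS_SKIP_VERIFY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/vault/unseal/config-3
        metadataPolicy: None
        property: TLS_SKIP_VERIFY
    - secretKey: TOKENS
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/vault/unseal/config-3
        metadataPolicy: None
        property: TOKENS
    - secretKey: EMAIL_ENABLED
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/vault/unseal/config-3
        metadataPolicy: None
        property: EMAIL_ENABLED
    - secretKey: NOTIFY_MAX_ELAPSED
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/vault/unseal/config-3
        metadataPolicy: None
        property: NOTIFY_MAX_ELAPSED
    - secretKey: NOTIFY_QUEUE_DELAY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/vault/unseal/config-3
        metadataPolicy: None
        property: NOTIFY_QUEUE_DELAY
---
# Source: vault/templates/external-secret.yaml
# Materialises the root token and all five unseal key shares into a single
# Kubernetes Secret in the `vault` namespace. Nothing in this file mounts it,
# and anyone able to read Secrets in the namespace obtains every share at
# once, so the key-sharing threshold gives no protection for this copy.
# Consider whether this Secret needs to exist in-cluster at all, and at
# minimum restrict `get`/`list` on Secrets in `vault` accordingly.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: vault-token
  namespace: vault
  labels:
    app.kubernetes.io/name: vault-token
    app.kubernetes.io/instance: vault
    app.kubernetes.io/part-of: vault
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: token
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/vault/token
        metadataPolicy: None
        property: token
    - secretKey: unseal_key_1
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/vault/token
        metadataPolicy: None
        property: unseal_key_1
    - secretKey: unseal_key_2
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/vault/token
        metadataPolicy: None
        property: unseal_key_2
    - secretKey: unseal_key_3
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/vault/token
        metadataPolicy: None
        property: unseal_key_3
    - secretKey: unseal_key_4
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/vault/token
        metadataPolicy: None
        property: unseal_key_4
    - secretKey: unseal_key_5
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/vault/token
        metadataPolicy: None
        property: unseal_key_5
---
# Source: vault/templates/http-route.yaml
# Second entry point via the traefik-gateway Gateway. If that gateway is
# reachable from outside the tailnet, the Vault API and UI are published on
# this hostname with only Vault's own authentication in front of them —
# confirm any allow-listing or extra auth at the gateway.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: http-route-vault
  namespace: vault
  labels:
    app.kubernetes.io/name: http-route-vault
    app.kubernetes.io/instance: vault
    app.kubernetes.io/part-of: vault
spec:
  parentRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: traefik-gateway
      namespace: traefik
  hostnames:
    - vault.alexlebens.net
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - group: ''
          kind: Service
          name: vault-active
          port: 8200
          weight: 100
---
# Source: vault/charts/vault/templates/prometheus-prometheusrules.yaml
# Latency alerts. The namespace label in the expressions is set to `vault`,
# the namespace the ServiceMonitor below scrapes; the chart's placeholder
# `mynamespace` never matched a real target, so the alerts could never fire.
# Both rules share the alert name and differ only in threshold and severity,
# which Prometheus accepts.
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: vault
  labels:
    helm.sh/chart: vault-0.31.0
    app.kubernetes.io/name: vault
    app.kubernetes.io/instance: vault
    app.kubernetes.io/managed-by: Helm
    release: prometheus
spec:
  groups:
    - name: vault
      rules:
        - alert: vault-HighResponseTime
          annotations:
            message: The response time of Vault is over 500ms on average over the last 5 minutes.
          expr: vault_core_handle_request{quantile="0.5", namespace="vault"} > 500
          for: 5m
          labels:
            severity: warning
        - alert: vault-HighResponseTime
          annotations:
            message: The response time of Vault is over 1s on average over the last 5 minutes.
          expr: vault_core_handle_request{quantile="0.5", namespace="vault"} > 1000
          for: 5m
          labels:
            severity: critical
---
# Source: vault/charts/vault/templates/prometheus-servicemonitor.yaml
# Scrapes the vault-active Service. scheme is http, so tlsConfig is inert;
# no bearer token is configured, which works only because the listener sets
# unauthenticated_metrics_access.
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: vault
  labels:
    helm.sh/chart: vault-0.31.0
    app.kubernetes.io/name: vault
    app.kubernetes.io/instance: vault
    app.kubernetes.io/managed-by: Helm
    release: prometheus
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: vault
      app.kubernetes.io/instance: vault
      vault-active: "true"
  endpoints:
    - port: http
      interval: 30s
      scrapeTimeout: 10s
      scheme: http
      path: /v1/sys/metrics
      params:
        format:
          - prometheus
      tlsConfig:
        insecureSkipVerify: true
  namespaceSelector:
    matchNames:
      - vault
---
# Source: vault/charts/vault/templates/tests/server-test.yaml
# `helm test` hook: polls `vault status` until a seal state is reported.
# The script never touches /opt/backups/, so the read-write mount of the
# backup PVC below is unnecessary for this Pod.
apiVersion: v1
kind: Pod
metadata:
  name: vault-server-test
  namespace: vault
  annotations:
    "helm.sh/hook": test
spec:
  containers:
    - name: vault-server-test
      image: hashicorp/vault:1.21.1
      imagePullPolicy: IfNotPresent
      env:
        - name: VAULT_ADDR
          value: http://vault.vault.svc:8200
      command:
        - /bin/sh
        - -c
        - |
          echo "Checking for sealed info in 'vault status' output"
          ATTEMPTS=10
          n=0
          until [ "$n" -ge $ATTEMPTS ]
          do
            echo "Attempt" $n...
            vault status -format yaml | grep -E '^sealed: (true|false)' && break
            n=$((n+1))
            sleep 5
          done
          if [ $n -ge $ATTEMPTS ]; then
            echo "timed out looking for sealed info in 'vault status' output"
            exit 1
          fi
          exit 0
      volumeMounts:
        - mountPath: /opt/backups/
          name: vault-nfs-storage-backup
          readOnly: false
  volumes:
    - name: vault-nfs-storage-backup
      persistentVolumeClaim:
        claimName: vault-nfs-storage-backup
  restartPolicy: Never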