alexlebens/infrastructure
1
0
Fork 0
Code Issues 1 Pull Requests 3 Actions 1 Activity
Files
5ca176e682b4c1f24cf697c6d989ef5bebec064d
infrastructure/clusters/cl01tl/manifests/vault/vault.yaml

1223 lines
33 KiB
YAML
Raw Blame History

---
# Source: vault/charts/vault/templates/server-disruptionbudget.yaml
# PodDisruptionBudget to prevent degrading the server cluster through
# voluntary cluster changes.
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: vault
namespace: vault
labels:
helm.sh/chart: vault-0.31.0
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
app.kubernetes.io/managed-by: Helm
spec:
maxUnavailable: 1
selector:
matchLabels:
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
component: server
---
# Source: vault/charts/vault/templates/server-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault
namespace: vault
labels:
helm.sh/chart: vault-0.31.0
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
app.kubernetes.io/managed-by: Helm
---
# Source: vault/charts/vault/templates/server-config-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: vault-config
namespace: vault
labels:
helm.sh/chart: vault-0.31.0
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
app.kubernetes.io/managed-by: Helm
data:
extraconfig-from-values.hcl: |-
ui = true
listener "tcp" {
tls_disable = 1
address = "[::]:8200"
cluster_address = "[::]:8201"
telemetry {
unauthenticated_metrics_access = "true"
}
}
storage "raft" {
path = "/vault/data"
retry_join {
leader_api_addr = "http://vault-0.vault-internal:8200"
}
retry_join {
leader_api_addr = "http://vault-1.vault-internal:8200"
}
retry_join {
leader_api_addr = "http://vault-2.vault-internal:8200"
}
}
service_registration "kubernetes" {}
telemetry {
prometheus_retention_time = "30s"
disable_hostname = true
}
disable_mlock = true
---
# Source: vault/templates/persistent-volume-claim.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: vault-nfs-storage-backup
namespace: vault
labels:
app.kubernetes.io/name: vault-nfs-storage-backup
app.kubernetes.io/instance: vault
app.kubernetes.io/part-of: vault
spec:
volumeMode: Filesystem
storageClassName: nfs-client
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
---
# Source: vault/charts/vault/templates/server-discovery-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: vault
name: vault-discovery-role
labels:
helm.sh/chart: vault-0.31.0
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
app.kubernetes.io/managed-by: Helm
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list", "update", "patch"]
---
# Source: vault/charts/vault/templates/server-discovery-rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: vault-discovery-rolebinding
namespace: vault
labels:
helm.sh/chart: vault-0.31.0
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
app.kubernetes.io/managed-by: Helm
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: vault-discovery-role
subjects:
- kind: ServiceAccount
name: vault
namespace: vault
---
# Source: vault/charts/vault/templates/server-ha-active-service.yaml
# Service for active Vault pod
apiVersion: v1
kind: Service
metadata:
name: vault-active
namespace: vault
labels:
helm.sh/chart: vault-0.31.0
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
app.kubernetes.io/managed-by: Helm
vault-active: "true"
annotations:
spec:
type: ClusterIP
publishNotReadyAddresses: true
ports:
- name: http
port: 8200
targetPort: 8200
- name: https-internal
port: 8201
targetPort: 8201
selector:
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
component: server
vault-active: "true"
---
# Source: vault/charts/vault/templates/server-headless-service.yaml
# Service for Vault cluster
apiVersion: v1
kind: Service
metadata:
name: vault-internal
namespace: vault
labels:
helm.sh/chart: vault-0.31.0
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
app.kubernetes.io/managed-by: Helm
vault-internal: "true"
annotations:
spec:
clusterIP: None
publishNotReadyAddresses: true
ports:
- name: "http"
port: 8200
targetPort: 8200
- name: https-internal
port: 8201
targetPort: 8201
selector:
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
component: server
---
# Source: vault/charts/vault/templates/server-service.yaml
# Service for Vault cluster
apiVersion: v1
kind: Service
metadata:
name: vault
namespace: vault
labels:
helm.sh/chart: vault-0.31.0
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
app.kubernetes.io/managed-by: Helm
annotations:
spec:
type: ClusterIP
# We want the servers to become available even if they're not ready
# since this DNS is also used for join operations.
publishNotReadyAddresses: true
ports:
- name: http
port: 8200
targetPort: 8200
- name: https-internal
port: 8201
targetPort: 8201
selector:
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
component: server
---
# Source: vault/charts/vault/templates/ui-service.yaml
apiVersion: v1
kind: Service
metadata:
name: vault-ui
namespace: vault
labels:
helm.sh/chart: vault-0.31.0
app.kubernetes.io/name: vault-ui
app.kubernetes.io/instance: vault
app.kubernetes.io/managed-by: Helm
spec:
selector:
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
component: server
publishNotReadyAddresses: true
ports:
- name: http
port: 8200
targetPort: 8200
type: ClusterIP
---
# Source: vault/charts/unseal/templates/common.yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: vault-unseal-unseal-1
labels:
app.kubernetes.io/controller: unseal-1
app.kubernetes.io/instance: vault
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: vault
helm.sh/chart: unseal-4.4.0
namespace: vault
spec:
revisionHistoryLimit: 3
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app.kubernetes.io/controller: unseal-1
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
template:
metadata:
labels:
app.kubernetes.io/controller: unseal-1
app.kubernetes.io/instance: vault
app.kubernetes.io/name: vault
spec:
enableServiceLinks: false
serviceAccountName: default
automountServiceAccountToken: true
hostIPC: false
hostNetwork: false
hostPID: false
dnsPolicy: ClusterFirst
containers:
- envFrom:
- secretRef:
name: vault-unseal-config-1
image: ghcr.io/lrstanley/vault-unseal:0.7.2
imagePullPolicy: IfNotPresent
name: main
resources:
requests:
cpu: 10m
memory: 24Mi
---
# Source: vault/charts/unseal/templates/common.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: vault-unseal-unseal-2
labels:
app.kubernetes.io/controller: unseal-2
app.kubernetes.io/instance: vault
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: vault
helm.sh/chart: unseal-4.4.0
namespace: vault
spec:
revisionHistoryLimit: 3
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app.kubernetes.io/controller: unseal-2
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
template:
metadata:
labels:
app.kubernetes.io/controller: unseal-2
app.kubernetes.io/instance: vault
app.kubernetes.io/name: vault
spec:
enableServiceLinks: false
serviceAccountName: default
automountServiceAccountToken: true
hostIPC: false
hostNetwork: false
hostPID: false
dnsPolicy: ClusterFirst
containers:
- envFrom:
- secretRef:
name: vault-unseal-config-2
image: ghcr.io/lrstanley/vault-unseal:0.7.2
imagePullPolicy: IfNotPresent
name: main
resources:
requests:
cpu: 10m
memory: 24Mi
---
# Source: vault/charts/unseal/templates/common.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: vault-unseal-unseal-3
labels:
app.kubernetes.io/controller: unseal-3
app.kubernetes.io/instance: vault
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: vault
helm.sh/chart: unseal-4.4.0
namespace: vault
spec:
revisionHistoryLimit: 3
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app.kubernetes.io/controller: unseal-3
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
template:
metadata:
labels:
app.kubernetes.io/controller: unseal-3
app.kubernetes.io/instance: vault
app.kubernetes.io/name: vault
spec:
enableServiceLinks: false
serviceAccountName: default
automountServiceAccountToken: true
hostIPC: false
hostNetwork: false
hostPID: false
dnsPolicy: ClusterFirst
containers:
- envFrom:
- secretRef:
name: vault-unseal-config-3
image: ghcr.io/lrstanley/vault-unseal:0.7.2
imagePullPolicy: IfNotPresent
name: main
resources:
requests:
cpu: 10m
memory: 24Mi
---
# Source: vault/charts/vault/templates/server-statefulset.yaml
# StatefulSet to run the actual vault server cluster.
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: vault
namespace: vault
labels:
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
app.kubernetes.io/managed-by: Helm
spec:
serviceName: vault-internal
podManagementPolicy: Parallel
replicas: 3
updateStrategy:
type: RollingUpdate
selector:
matchLabels:
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
component: server
template:
metadata:
labels:
helm.sh/chart: vault-0.31.0
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
component: server
annotations:
spec:
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app.kubernetes.io/name: vault
app.kubernetes.io/instance: "vault"
component: server
topologyKey: kubernetes.io/hostname
terminationGracePeriodSeconds: 10
serviceAccountName: vault
securityContext:
runAsNonRoot: true
runAsGroup: 1000
runAsUser: 100
fsGroup: 1000
hostNetwork: false
volumes:
- name: config
configMap:
name: vault-config
- name: vault-nfs-storage-backup
persistentVolumeClaim:
claimName: vault-nfs-storage-backup
- name: home
emptyDir: {}
containers:
- name: vault
resources:
requests:
cpu: 50m
memory: 512Mi
image: hashicorp/vault:1.21.1
imagePullPolicy: IfNotPresent
command:
- "/bin/sh"
- "-ec"
args:
- |
cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl;
[ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl;
[ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl;
[ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl;
[ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl;
[ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl;
[ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl;
/usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl
securityContext:
allowPrivilegeEscalation: false
env:
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: VAULT_K8S_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: VAULT_K8S_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: VAULT_ADDR
value: "http://127.0.0.1:8200"
- name: VAULT_API_ADDR
value: "http://$(POD_IP):8200"
- name: SKIP_CHOWN
value: "true"
- name: SKIP_SETCAP
value: "true"
- name: HOSTNAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: VAULT_CLUSTER_ADDR
value: "https://$(HOSTNAME).vault-internal:8201"
- name: HOME
value: "/home/vault"
- name: VAULT_LOG_LEVEL
value: "debug"
- name: VAULT_LOG_FORMAT
value: "standard"
volumeMounts:
- name: data
mountPath: /vault/data
- name: config
mountPath: /vault/config
- mountPath: /opt/backups/
name: vault-nfs-storage-backup
readOnly: false
- name: home
mountPath: /home/vault
ports:
- containerPort: 8200
name: http
- containerPort: 8201
name: https-internal
- containerPort: 8202
name: http-rep
readinessProbe:
# Check status; unsealed vault servers return 0
# The exit code reflects the seal status:
# 0 - unsealed
# 1 - error
# 2 - sealed
exec:
command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"]
failureThreshold: 2
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 3
lifecycle:
# Vault container doesn't receive SIGTERM from Kubernetes
# and after the grace period ends, Kube sends SIGKILL. This
# causes issues with graceful shutdowns such as deregistering itself
# from Consul (zombie services).
preStop:
exec:
command:
- "/bin/sh"
- "-c"
# Adding a sleep here to give the pod eviction a
# chance to propagate, so requests will not be made
# to this pod while it's terminating
- "sleep 5 && kill -SIGTERM $(pidof vault)"
volumeClaimTemplates:
- metadata:
name: data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
---
# Source: vault/charts/snapshot/templates/common.yaml
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: vault-snapshot
labels:
app.kubernetes.io/controller: snapshot
app.kubernetes.io/instance: vault
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: vault
helm.sh/chart: snapshot-4.4.0
namespace: vault
spec:
suspend: false
concurrencyPolicy: Forbid
startingDeadlineSeconds: 90
timeZone: US/Central
schedule: "0 4 * * *"
successfulJobsHistoryLimit: 3
failedJobsHistoryLimit: 3
jobTemplate:
spec:
parallelism: 1
backoffLimit: 3
template:
metadata:
labels:
app.kubernetes.io/controller: snapshot
app.kubernetes.io/instance: vault
app.kubernetes.io/name: vault
spec:
enableServiceLinks: false
serviceAccountName: default
automountServiceAccountToken: true
hostIPC: false
hostNetwork: false
hostPID: false
dnsPolicy: ClusterFirst
restartPolicy: Never
initContainers:
- args:
- -ec
- |
apk add --no-cache jq;
echo ">> Running Vault snapshot"
export VAULT_TOKEN=$(vault write auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID -format=json | jq -r .auth.client_token);
vault operator raft snapshot save /opt/backup/vault-snapshot-latest.snap;
cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap;
cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-s3.snap;
echo ">> Completed Vault snapshot"
command:
- /bin/ash
env:
- name: VAULT_ADDR
value: http://vault-active.vault.svc.cluster.local:8200
envFrom:
- secretRef:
name: vault-snapshot-agent-token
image: hashicorp/vault:1.21.1
imagePullPolicy: IfNotPresent
name: snapshot
resources:
requests:
cpu: 10m
memory: 64Mi
volumeMounts:
- mountPath: /opt/backup
name: config
containers:
- args:
- -ec
- |
echo ">> Running S3 backup for Vault snapshot"
s3cmd put --no-check-md5 --no-check-certificate -v /opt/backup/vault-snapshot-s3.snap ${BUCKET}/cl01tl/cl01tl-vault-snapshots/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap;
rm -f /opt/backup/vault-snapshot-s3.snap;
echo ">> Completed S3 backup for Vault snapshot"
command:
- /bin/sh
env:
- name: BUCKET
valueFrom:
secretKeyRef:
key: BUCKET
name: vault-s3cmd-config
image: d3fk/s3cmd:latest@sha256:7bdbd33bb3d044884598898b9e9b383385759fbd6ebf52888700bd9b0e0fab91
imagePullPolicy: IfNotPresent
name: s3-backup
resources:
requests:
cpu: 100m
memory: 128Mi
volumeMounts:
- mountPath: /opt/backup
name: config
- mountPath: /root/.s3cfg
mountPropagation: None
name: s3cmd-config
readOnly: true
subPath: .s3cfg
volumes:
- name: config
persistentVolumeClaim:
claimName: vault-nfs-storage-backup
- name: s3cmd-config
secret:
secretName: vault-s3cmd-config
---
# Source: vault/templates/ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: vault-tailscale
namespace: vault
labels:
app.kubernetes.io/name: vault-tailscale
app.kubernetes.io/instance: vault
app.kubernetes.io/part-of: vault
tailscale.com/proxy-class: no-metrics
annotations:
tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
spec:
ingressClassName: tailscale
tls:
- hosts:
- vault-cl01tl
secretName: vault-cl01tl
rules:
- host: vault-cl01tl
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: vault-active
port:
number: 8200
---
# Source: vault/templates/external-secret.yaml
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: vault-snapshot-agent-token
namespace: vault
labels:
app.kubernetes.io/name: vault-snapshot-agent-token
app.kubernetes.io/instance: vault
app.kubernetes.io/part-of: vault
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: VAULT_APPROLE_ROLE_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/snapshot
metadataPolicy: None
property: VAULT_APPROLE_ROLE_ID
- secretKey: VAULT_APPROLE_SECRET_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/snapshot
metadataPolicy: None
property: VAULT_APPROLE_SECRET_ID
---
# Source: vault/templates/external-secret.yaml
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: vault-s3cmd-config
namespace: vault
labels:
app.kubernetes.io/name: vault-s3cmd-config
app.kubernetes.io/instance: vault
app.kubernetes.io/part-of: vault
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: .s3cfg
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/vault-backup
metadataPolicy: None
property: s3cfg
- secretKey: BUCKET
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/vault-backup
metadataPolicy: None
property: BUCKET
---
# Source: vault/templates/external-secret.yaml
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: vault-unseal-config-1
namespace: vault
labels:
app.kubernetes.io/name: vault-unseal-config-1
app.kubernetes.io/instance: vault
app.kubernetes.io/part-of: vault
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ENVIRONMENT
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-1
metadataPolicy: None
property: ENVIRONMENT
- secretKey: CHECK_INTERVAL
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-1
metadataPolicy: None
property: CHECK_INTERVAL
- secretKey: MAX_CHECK_INTERVAL
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-1
metadataPolicy: None
property: MAX_CHECK_INTERVAL
- secretKey: NODES
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-1
metadataPolicy: None
property: NODES
- secretKey: TLS_SKIP_VERIFY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-1
metadataPolicy: None
property: TLS_SKIP_VERIFY
- secretKey: TOKENS
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-1
metadataPolicy: None
property: TOKENS
- secretKey: EMAIL_ENABLED
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-1
metadataPolicy: None
property: EMAIL_ENABLED
- secretKey: NOTIFY_MAX_ELAPSED
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-1
metadataPolicy: None
property: NOTIFY_MAX_ELAPSED
- secretKey: NOTIFY_QUEUE_DELAY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-1
metadataPolicy: None
property: NOTIFY_QUEUE_DELAY
---
# Source: vault/templates/external-secret.yaml
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: vault-unseal-config-2
namespace: vault
labels:
app.kubernetes.io/name: vault-unseal-config-2
app.kubernetes.io/instance: vault
app.kubernetes.io/part-of: vault
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ENVIRONMENT
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-2
metadataPolicy: None
property: ENVIRONMENT
- secretKey: CHECK_INTERVAL
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-2
metadataPolicy: None
property: CHECK_INTERVAL
- secretKey: MAX_CHECK_INTERVAL
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-2
metadataPolicy: None
property: MAX_CHECK_INTERVAL
- secretKey: NODES
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-2
metadataPolicy: None
property: NODES
- secretKey: TLS_SKIP_VERIFY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-2
metadataPolicy: None
property: TLS_SKIP_VERIFY
- secretKey: TOKENS
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-2
metadataPolicy: None
property: TOKENS
- secretKey: EMAIL_ENABLED
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-2
metadataPolicy: None
property: EMAIL_ENABLED
- secretKey: NOTIFY_MAX_ELAPSED
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-2
metadataPolicy: None
property: NOTIFY_MAX_ELAPSED
- secretKey: NOTIFY_QUEUE_DELAY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-2
metadataPolicy: None
property: NOTIFY_QUEUE_DELAY
---
# Source: vault/templates/external-secret.yaml
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: vault-unseal-config-3
namespace: vault
labels:
app.kubernetes.io/name: vault-unseal-config-3
app.kubernetes.io/instance: vault
app.kubernetes.io/part-of: vault
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ENVIRONMENT
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-3
metadataPolicy: None
property: ENVIRONMENT
- secretKey: CHECK_INTERVAL
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-3
metadataPolicy: None
property: CHECK_INTERVAL
- secretKey: MAX_CHECK_INTERVAL
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-3
metadataPolicy: None
property: MAX_CHECK_INTERVAL
- secretKey: NODES
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-3
metadataPolicy: None
property: NODES
- secretKey: TLS_SKIP_VERIFY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-3
metadataPolicy: None
property: TLS_SKIP_VERIFY
- secretKey: TOKENS
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-3
metadataPolicy: None
property: TOKENS
- secretKey: EMAIL_ENABLED
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-3
metadataPolicy: None
property: EMAIL_ENABLED
- secretKey: NOTIFY_MAX_ELAPSED
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-3
metadataPolicy: None
property: NOTIFY_MAX_ELAPSED
- secretKey: NOTIFY_QUEUE_DELAY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-3
metadataPolicy: None
property: NOTIFY_QUEUE_DELAY
---
# Source: vault/templates/external-secret.yaml
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: vault-token
namespace: vault
labels:
app.kubernetes.io/name: vault-token
app.kubernetes.io/instance: vault
app.kubernetes.io/part-of: vault
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: token
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/token
metadataPolicy: None
property: token
- secretKey: unseal_key_1
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/token
metadataPolicy: None
property: unseal_key_1
- secretKey: unseal_key_2
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/token
metadataPolicy: None
property: unseal_key_2
- secretKey: unseal_key_3
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/token
metadataPolicy: None
property: unseal_key_3
- secretKey: unseal_key_4
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/token
metadataPolicy: None
property: unseal_key_4
- secretKey: unseal_key_5
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/token
metadataPolicy: None
property: unseal_key_5
---
# Source: vault/templates/http-route.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: http-route-vault
namespace: vault
labels:
app.kubernetes.io/name: http-route-vault
app.kubernetes.io/instance: vault
app.kubernetes.io/part-of: vault
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- vault.alexlebens.net
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- group: ''
kind: Service
name: vault-active
port: 8200
weight: 100
---
# Source: vault/charts/vault/templates/prometheus-prometheusrules.yaml
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: vault
labels:
helm.sh/chart: vault-0.31.0
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
app.kubernetes.io/managed-by: Helm
release: prometheus
spec:
groups:
- name: vault
rules:
- alert: vault-HighResponseTime
annotations:
message: The response time of Vault is over 500ms on average over the last 5 minutes.
expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500
for: 5m
labels:
severity: warning
- alert: vault-HighResponseTime
annotations:
message: The response time of Vault is over 1s on average over the last 5 minutes.
expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000
for: 5m
labels:
severity: critical
---
# Source: vault/charts/vault/templates/prometheus-servicemonitor.yaml
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: vault
labels:
helm.sh/chart: vault-0.31.0
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
app.kubernetes.io/managed-by: Helm
release: prometheus
spec:
selector:
matchLabels:
app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault
vault-active: "true"
endpoints:
- port: http
interval: 30s
scrapeTimeout: 10s
scheme: http
path: /v1/sys/metrics
params:
format:
- prometheus
tlsConfig:
insecureSkipVerify: true
namespaceSelector:
matchNames:
- vault
---
# Source: vault/charts/vault/templates/tests/server-test.yaml
apiVersion: v1
kind: Pod
metadata:
name: vault-server-test
namespace: vault
annotations:
"helm.sh/hook": test
spec:
containers:
- name: vault-server-test
image: hashicorp/vault:1.21.1
imagePullPolicy: IfNotPresent
env:
- name: VAULT_ADDR
value: http://vault.vault.svc:8200
command:
- /bin/sh
- -c
- |
echo "Checking for sealed info in 'vault status' output"
ATTEMPTS=10
n=0
until [ "$n" -ge $ATTEMPTS ]
do
echo "Attempt" $n...
vault status -format yaml | grep -E '^sealed: (true|false)' && break
n=$((n+1))
sleep 5
done
if [ $n -ge $ATTEMPTS ]; then
echo "timed out looking for sealed info in 'vault status' output"
exit 1
fi
exit 0
volumeMounts:
- mountPath: /opt/backups/
name: vault-nfs-storage-backup
readOnly: false
volumes:
- name: vault-nfs-storage-backup
persistentVolumeClaim:
claimName: vault-nfs-storage-backup
restartPolicy: Never
Reference in New Issue View Git Blame Copy Permalink