alexlebens/infrastructure
1
0
Fork 0
Code Issues 1 Pull Requests 7 Actions Packages Projects Releases Wiki Activity
Files
b6b52c3e2a3e95caa3fb18370cd89cd38b4ce7dd
infrastructure/clusters/cl01tl/platform/vault/values.yaml
Alex Lebens 5ec03b72cf
All checks were successful
lint-test-helm / helm-lint (push) Successful in 8s
Details
renovate / renovate (push) Successful in 46s
Details
fix secret name
2025-07-09 17:50:35 -05:00

340 lines
9.5 KiB
YAML
Raw Blame History

vault:
global:
enabled: true
tlsDisable: true
psp:
enable: false
serverTelemetry:
prometheusOperator: true
injector:
enabled: false
server:
enabled: true
image:
repository: hashicorp/vault
tag: 1.20.0
updateStrategyType: "RollingUpdate"
logLevel: debug
logFormat: standard
resources:
requests:
cpu: 50m
memory: 512Mi
ingress:
enabled: false
route:
enabled: false
authDelegator:
enabled: false
readinessProbe:
enabled: true
port: 8200
livenessProbe:
enabled: false
volumes:
- name: vault-nfs-storage-backup
persistentVolumeClaim:
claimName: vault-nfs-storage-backup
volumeMounts:
- mountPath: /opt/backups/
name: vault-nfs-storage-backup
readOnly: false
affinity: |
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}
app.kubernetes.io/instance: "{{ .Release.Name }}"
component: server
topologyKey: kubernetes.io/hostname
networkPolicy:
enabled: false
service:
enabled: true
active:
enabled: true
standby:
enabled: false
type: ClusterIP
port: 8200
targetPort: 8200
dataStorage:
enabled: true
size: 1Gi
mountPath: "/vault/data"
accessMode: ReadWriteOnce
auditStorage:
enabled: false
size: 5Gi
mountPath: "/vault/audit"
accessMode: ReadWriteOnce
dev:
enabled: false
standalone:
enabled: false
ha:
enabled: true
replicas: 3
raft:
enabled: true
config: |
ui = true
listener "tcp" {
tls_disable = 1
address = "[::]:8200"
cluster_address = "[::]:8201"
telemetry {
unauthenticated_metrics_access = "true"
}
}
storage "raft" {
path = "/vault/data"
retry_join {
leader_api_addr = "http://vault-0.vault-internal:8200"
}
retry_join {
leader_api_addr = "http://vault-1.vault-internal:8200"
}
retry_join {
leader_api_addr = "http://vault-2.vault-internal:8200"
}
}
service_registration "kubernetes" {}
telemetry {
prometheus_retention_time = "30s"
disable_hostname = true
}
disruptionBudget:
enabled: true
maxUnavailable: null
serviceAccount:
create: true
serviceDiscovery:
enabled: true
hostNetwork: false
ui:
enabled: true
publishNotReadyAddresses: true
activeVaultPodOnly: false
serviceType: "ClusterIP"
serviceNodePort: null
externalPort: 8200
targetPort: 8200
csi:
enabled: false
serverTelemetry:
serviceMonitor:
enabled: true
interval: 30s
scrapeTimeout: 10s
prometheusRules:
enabled: true
rules:
- alert: vault-HighResponseTime
annotations:
message: The response time of Vault is over 500ms on average over the last 5 minutes.
expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500
for: 5m
labels:
severity: warning
- alert: vault-HighResponseTime
annotations:
message: The response time of Vault is over 1s on average over the last 5 minutes.
expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000
for: 5m
labels:
severity: critical
snapshot:
global:
fullnameOverride: vault-snapshot
controllers:
snapshot:
type: cronjob
cronjob:
suspend: false
concurrencyPolicy: Forbid
timeZone: US/Central
schedule: 0 4 * * *
startingDeadlineSeconds: 90
successfulJobsHistory: 3
failedJobsHistory: 3
backoffLimit: 3
parallelism: 1
initContainers:
snapshot:
image:
repository: hashicorp/vault
tag: 1.20.0
pullPolicy: IfNotPresent
command:
- /bin/ash
args:
- -ec
- |
apk add --no-cache jq;
echo ">> Running Vault snapshot"
export VAULT_TOKEN=$(vault write auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID -format=json | jq -r .auth.client_token);
vault operator raft snapshot save /opt/backup/vault-snapshot-latest.snap;
cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap;
cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-s3.snap;
echo ">> Completed Vault snapshot"
envFrom:
- secretRef:
name: vault-snapshot-agent-token
env:
- name: VAULT_ADDR
value: http://vault-active.vault.svc.cluster.local:8200
resources:
requests:
cpu: 10m
memory: 64Mi
containers:
s3-backup:
image:
repository: d3fk/s3cmd
tag: latest@sha256:dacbd4baa0c66df934e96a9325b9e34563c2ab8e4dd0fe9fd1bd9793d53fb606
pullPolicy: IfNotPresent
command:
- /bin/sh
args:
- -ec
- |
echo ">> Running S3 backup for Vault snapshot"
s3cmd put --no-check-md5 --no-check-certificate -v /opt/backup/vault-snapshot-s3.snap ${BUCKET}/cl01tl/cl01tl-vault-snapshots/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap;
rm -f /opt/backup/vault-snapshot-s3.snap;
echo ">> Completed S3 backup for Vault snapshot"
env:
- name: BUCKET
valueFrom:
secretKeyRef:
name: vault-s3cmd-config
key: BUCKET
resources:
requests:
cpu: 100m
memory: 128Mi
s3-prune:
image:
repository: d3fk/s3cmd
tag: latest@sha256:dacbd4baa0c66df934e96a9325b9e34563c2ab8e4dd0fe9fd1bd9793d53fb606
pullPolicy: IfNotPresent
command:
- /bin/sh
args:
- -ec
- |
export MONTH_AGO=$(date -d @$(( $(date +%s) - 2592000 )) +%Y-%m-%d\ %H:%M:%S);
export TIME_RANGE="$MONTH_AGO"
echo ">> Running S3 prune for Vault snapshot repository"
echo ">> Backups prior to '$TIME_RANGE' will be removed"
echo ">> File list:"
s3cmd ls -v ${BUCKET}/cl01tl/cl01tl-vault-snapshots/
echo ">> Deleting ..."
s3cmd ls -v ${BUCKET}/cl01tl/cl01tl-vault-snapshots/ |
awk -v month_ago="$MONTH_AGO" '$1 < month_ago {print $4}' |
while read file;
do s3cmd del -v "$file";
done;
echo ">> Completed S3 prune for Vault snapshot repository"
env:
- name: BUCKET
valueFrom:
secretKeyRef:
name: vault-s3cmd-config
key: BUCKET
resources:
requests:
cpu: 100m
memory: 128Mi
persistence:
config:
existingClaim: vault-nfs-storage-backup
advancedMounts:
snapshot:
snapshot:
- path: /opt/backup
readOnly: false
s3-backup:
- path: /opt/backup
readOnly: false
s3cmd-config:
enabled: true
type: secret
name: vault-s3cmd-config
advancedMounts:
snapshot:
s3-backup:
- path: /root/.s3cfg
readOnly: true
mountPropagation: None
subPath: .s3cfg
s3-prune:
- path: /root/.s3cfg
readOnly: true
mountPropagation: None
subPath: .s3cfg
unseal:
global:
fullnameOverride: vault-unseal
controllers:
unseal-1:
type: deployment
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
containers:
main:
image:
repository: ghcr.io/lrstanley/vault-unseal
tag: 0.7.2
pullPolicy: IfNotPresent
envFrom:
- secretRef:
name: vault-unseal-config-1
resources:
requests:
cpu: 10m
memory: 24Mi
unseal-2:
type: deployment
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
containers:
main:
image:
repository: ghcr.io/lrstanley/vault-unseal
tag: 0.7.2
pullPolicy: IfNotPresent
envFrom:
- secretRef:
name: vault-unseal-config-2
resources:
requests:
cpu: 10m
memory: 24Mi
unseal-3:
type: deployment
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
containers:
main:
image:
repository: ghcr.io/lrstanley/vault-unseal
tag: 0.7.2
pullPolicy: IfNotPresent
envFrom:
- secretRef:
name: vault-unseal-config-3
resources:
requests:
cpu: 10m
memory: 24Mi
Reference in New Issue View Git Blame Copy Permalink