add auto unseal, replicas 3

This commit is contained in:
Joseph Hanson 2024-09-11 00:16:07 -05:00
parent 6995f60582
commit 15b67972c4
Signed by: jahanson
SSH key fingerprint: SHA256:vy6dKBECV522aPAwklFM3ReKAVB086rT3oWwiuiFG7o
3 changed files with 41 additions and 5 deletions


@ -0,0 +1,27 @@
---
# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vault
namespace: security
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: vault-secret
creationPolicy: Owner
data:
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
key: vault
property: AWS_SECRET_ACCESS_KEY
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
key: vault
property: AWS_ACCESS_KEY_ID
- secretKey: VAULT_AWSKMS_SEAL_KEY_ID
remoteRef:
key: vault
property: VAULT_AWSKMS_SEAL_KEY_ID
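Review bot: The new ExternalSecret delivers static AWS access keys (AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY) into the Vault pod, but nothing here records what those keys are permitted to do, so a reader cannot tell whether the IAM policy is scoped to the unseal key or is a broad user credential. Vault's awskms seal needs only kms:Encrypt, kms:Decrypt and kms:DescribeKey on the single key named by VAULT_AWSKMS_SEAL_KEY_ID, and that expectation belongs above the `data:` list, e.g. `# Static AWS keys for the awskms seal; IAM policy should allow only kms:Encrypt, kms:Decrypt, kms:DescribeKey on the seal key`. All three entries read the same remote item (`key: vault`), so if the chart consumer tolerates it, `dataFrom` with an `extract` on that item would keep the three property names in one place. The rendering has dropped YAML indentation, so the nesting under `spec`/`target`/`data` cannot be checked from this page.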


@ -53,6 +53,16 @@ spec:
VAULT_ADDR: "http://127.0.0.1:8200" VAULT_ADDR: "http://127.0.0.1:8200"
VAULT_API_ADDR: "http://$(POD_IP):8200" VAULT_API_ADDR: "http://$(POD_IP):8200"
VAULT_CLUSTER_ADDR: "http://$(POD_IP):8201" VAULT_CLUSTER_ADDR: "http://$(POD_IP):8201"
extraSecretEnvironmentVars:
- envName: AWS_SECRET_ACCESS_KEY
secretName: vault-secret
secretKey: AWS_SECRET_ACCESS_KEY
- envName: AWS_ACCESS_KEY_ID
secretName: vault-secret
secretKey: AWS_ACCESS_KEY_ID
- envName: VAULT_AWSKMS_SEAL_KEY_ID
secretName: vault-secret
secretKey: VAULT_AWSKMS_SEAL_KEY_ID
# These are defaults but explicitly set here for clarity. # These are defaults but explicitly set here for clarity.
dataStorage: dataStorage:
size: 4Gi size: 4Gi
@ -71,7 +81,7 @@ spec:
enabled: true enabled: true
# maxUnavailable will default to (n/2)-1 where n is the number of replicas # maxUnavailable will default to (n/2)-1 where n is the number of replicas
# so if you have 6 replicas, maxUnavailable will be 2 unless you set it specifically. # so if you have 6 replicas, maxUnavailable will be 2 unless you set it specifically.
replicas: 6 replicas: 3
# clusterAddr: "https://vault-active.security.svc.cluster.local:8201" # clusterAddr: "https://vault-active.security.svc.cluster.local:8201"
config: "" config: ""
raft: raft:
@ -97,10 +107,8 @@ spec:
} }
} }
seal "kubernetes" { seal "awskms" {
secret_name = "vault-unseal-keys" region = "us-east-2"
secret_namespace = "security"
key_names = ["key1", "key2", "key3"]
} }
service_registration "kubernetes" {} service_registration "kubernetes" {}
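Review bot: Swapping the previous seal stanza for `seal "awskms"` in one step will leave an already-initialised raft cluster unable to unseal, because Vault only changes seal type through a migration in which the old stanza stays in the config with `disabled = "true"` next to the new one until `vault operator unseal -migrate` has completed on each node. If this cluster is being re-initialised from empty storage that does not apply, but neither the commit message nor the config says so, and a one-line comment above `seal "awskms" {` such as `# seal switched to awskms; key id comes from VAULT_AWSKMS_SEAL_KEY_ID (extraSecretEnvironmentVars)` would record both the intent and where the key id is sourced. The first hunk of this file injects the AWS credentials as plain environment variables via `extraSecretEnvironmentVars`, which is the documented chart mechanism, but it means the seal's credentials are visible to anything that can read the pod's environment, so the IAM scope of that user matters. The HCL block (`config: |`) that contains this stanza begins before the hunk, and the hunk header counts two more context lines than are shown here.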


@ -4,4 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
namespace: security namespace: security
resources: resources:
- ./externalsecret.yaml
- ./helmrelease.yaml - ./helmrelease.yaml