add vault
This commit is contained in:
parent
91032819a6
commit
7c6a2a4202
6 changed files with 189 additions and 33 deletions
|
@ -7,3 +7,4 @@ resources:
|
||||||
- ./namespace.yaml
|
- ./namespace.yaml
|
||||||
# Flux-Kustomizations
|
# Flux-Kustomizations
|
||||||
- ./external-secrets/ks.yaml
|
- ./external-secrets/ks.yaml
|
||||||
|
- ./vault/ks.yaml
|
||||||
|
|
119
kubernetes/apps/security/vault/app/helmrelease.yaml
Normal file
119
kubernetes/apps/security/vault/app/helmrelease.yaml
Normal file
|
@ -0,0 +1,119 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta2.json
|
||||||
|
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||||
|
kind: HelmRelease
|
||||||
|
metadata:
|
||||||
|
name: vault
|
||||||
|
spec:
|
||||||
|
interval: 30m
|
||||||
|
chart:
|
||||||
|
spec:
|
||||||
|
chart: vault
|
||||||
|
version: 0.28.1
|
||||||
|
sourceRef:
|
||||||
|
kind: HelmRepository
|
||||||
|
name: hashicorp
|
||||||
|
namespace: flux-system
|
||||||
|
install:
|
||||||
|
remediation:
|
||||||
|
retries: 3
|
||||||
|
upgrade:
|
||||||
|
cleanupOnFail: true
|
||||||
|
remediation:
|
||||||
|
retries: 3
|
||||||
|
strategy: rollback
|
||||||
|
values:
|
||||||
|
server:
|
||||||
|
image:
|
||||||
|
repository: "hashicorp/vault"
|
||||||
|
tag: "1.17.2"
|
||||||
|
logLevel: "info"
|
||||||
|
logFormat: "json"
|
||||||
|
ingress:
|
||||||
|
enabled: true
|
||||||
|
ingressClassName: internal-nginx
|
||||||
|
hosts:
|
||||||
|
- host: &host "{{ .Release.Name }}.jahanson.tech"
|
||||||
|
paths:
|
||||||
|
- path: /
|
||||||
|
service:
|
||||||
|
identifier: app
|
||||||
|
port: http
|
||||||
|
tls:
|
||||||
|
- hosts:
|
||||||
|
- *host
|
||||||
|
service:
|
||||||
|
type: "ClusterIP"
|
||||||
|
port: &internalPort 8200
|
||||||
|
targetPort: &port 80
|
||||||
|
# off until it's online for the first time
|
||||||
|
readinessProbe:
|
||||||
|
enabled: true
|
||||||
|
# If you need to use a http path instead of the default exec
|
||||||
|
# path: /v1/sys/health?standbyok=true
|
||||||
|
# Port number on which readinessProbe will be checked.
|
||||||
|
port: *port
|
||||||
|
# These are defaults but explicitly set here for clarity.
|
||||||
|
dataStorage:
|
||||||
|
size: 10Gi
|
||||||
|
mountPath: /vault/data
|
||||||
|
storageClass: ceph-block
|
||||||
|
auditStorage:
|
||||||
|
enabled: true
|
||||||
|
size: 10Gi
|
||||||
|
mountPath: /vault/audit
|
||||||
|
storageClass: ceph-block
|
||||||
|
# We want high availability. If standalone is true it sets the storage backend to file
|
||||||
|
# and the max replicas can only be 1.
|
||||||
|
standalone:
|
||||||
|
enabled: false
|
||||||
|
ha:
|
||||||
|
enabled: true
|
||||||
|
# maxUnavailable will default to (n/2)-1 where n is the number of replicas
|
||||||
|
# so if you have 6 replicas, maxUnavailable will be 2 unless you set it specifically.
|
||||||
|
replicas: 6
|
||||||
|
clusterAddr: "http://vault.security.svc.cluster.local:8201"
|
||||||
|
config: ""
|
||||||
|
raft:
|
||||||
|
enabled: true
|
||||||
|
config: |
|
||||||
|
ui = true
|
||||||
|
|
||||||
|
listener "tcp" {
|
||||||
|
tls_disable = 1
|
||||||
|
address = "[::]:8200"
|
||||||
|
cluster_address = "[::]:8201"
|
||||||
|
# For prometheus!
|
||||||
|
telemetry {
|
||||||
|
unauthenticated_metrics_access = "true"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
storage "raft" {
|
||||||
|
path = "/vault/data"
|
||||||
|
}
|
||||||
|
|
||||||
|
service_registration "kubernetes" {}
|
||||||
|
statefulSet:
|
||||||
|
securityContext:
|
||||||
|
pod:
|
||||||
|
runAsUser: 568
|
||||||
|
runAsGroup: 568
|
||||||
|
runAsNonRoot: true
|
||||||
|
fsGroup: 568
|
||||||
|
fsGroupChangePolicy: OnRootMismatch
|
||||||
|
supplementalGroups: [10000]
|
||||||
|
container:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- "ALL"
|
||||||
|
ui:
|
||||||
|
enabled: true
|
||||||
|
publishNotReadyAddresses: true
|
||||||
|
# The service should only contain selectors for active Vault pod
|
||||||
|
activeVaultPodOnly: true
|
||||||
|
serviceType: "LoadBalancer"
|
||||||
|
externalPort: *internalPort
|
||||||
|
targetPort: *port
|
7
kubernetes/apps/security/vault/app/kustomization.yaml
Normal file
7
kubernetes/apps/security/vault/app/kustomization.yaml
Normal file
|
@ -0,0 +1,7 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
namespace: security
|
||||||
|
resources:
|
||||||
|
- ./helmrelease.yaml
|
17
kubernetes/apps/security/vault/ks.yaml
Normal file
17
kubernetes/apps/security/vault/ks.yaml
Normal file
|
@ -0,0 +1,17 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
|
||||||
|
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||||
|
kind: Kustomization
|
||||||
|
metadata:
|
||||||
|
name: vault
|
||||||
|
namespace: flux-system
|
||||||
|
spec:
|
||||||
|
interval: 10m
|
||||||
|
path: "./kubernetes/apps/security/vault/app"
|
||||||
|
prune: true
|
||||||
|
sourceRef:
|
||||||
|
kind: GitRepository
|
||||||
|
name: theshire
|
||||||
|
wait: false
|
||||||
|
dependsOn:
|
||||||
|
- name: rook-ceph-cluster
|
11
kubernetes/flux/repositories/helm/hashicorp.yaml
Normal file
11
kubernetes/flux/repositories/helm/hashicorp.yaml
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://ks.hsn.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
|
||||||
|
apiVersion: source.toolkit.fluxcd.io/v1
|
||||||
|
kind: HelmRepository
|
||||||
|
metadata:
|
||||||
|
name: hashicorp
|
||||||
|
namespace: flux-system
|
||||||
|
spec:
|
||||||
|
interval: 30m
|
||||||
|
timeout: 3m
|
||||||
|
url: https://helm.releases.hashicorp.com
|
|
@ -3,36 +3,37 @@
|
||||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
kind: Kustomization
|
kind: Kustomization
|
||||||
resources:
|
resources:
|
||||||
- angelnu.yaml
|
- angelnu.yaml
|
||||||
- authentik.yaml
|
- authentik.yaml
|
||||||
- backube.yaml
|
- backube.yaml
|
||||||
- bjw-s.yaml
|
- bjw-s.yaml
|
||||||
- cilium.yaml
|
- cilium.yaml
|
||||||
- coredns.yaml
|
- coredns.yaml
|
||||||
- crowdsec.yaml
|
- crowdsec.yaml
|
||||||
- crunchydata.yaml
|
- crunchydata.yaml
|
||||||
- democratic-csi.yaml
|
- democratic-csi.yaml
|
||||||
- descheduler.yaml
|
- descheduler.yaml
|
||||||
- dragonflydb.yaml
|
- dragonflydb.yaml
|
||||||
- elastic.yaml
|
- elastic.yaml
|
||||||
- emqx.yaml
|
- emqx.yaml
|
||||||
- external-secrets.yaml
|
- external-secrets.yaml
|
||||||
- fairwinds.yaml
|
- fairwinds.yaml
|
||||||
- grafana.yaml
|
- grafana.yaml
|
||||||
- hetzner.yaml
|
- hashicorp.yaml
|
||||||
- ingress-nginx.yaml
|
- hetzner.yaml
|
||||||
- intel.yaml
|
- ingress-nginx.yaml
|
||||||
- jetstack.yaml
|
- intel.yaml
|
||||||
- kubernetes-sigs-external-dns.yaml
|
- jetstack.yaml
|
||||||
- kubernetes-sigs-metrics-server.yaml
|
- kubernetes-sigs-external-dns.yaml
|
||||||
- kubernetes-sigs-nfd.yaml
|
- kubernetes-sigs-metrics-server.yaml
|
||||||
- kyverno.yaml
|
- kubernetes-sigs-nfd.yaml
|
||||||
- nvidia.yaml
|
- kyverno.yaml
|
||||||
- openebs.yaml
|
- nvidia.yaml
|
||||||
- piraeus.yaml
|
- openebs.yaml
|
||||||
- postfinance.yaml
|
- piraeus.yaml
|
||||||
- prometheus-community.yaml
|
- postfinance.yaml
|
||||||
- rook-ceph.yaml
|
- prometheus-community.yaml
|
||||||
- spegel-org.yaml
|
- rook-ceph.yaml
|
||||||
- stakater.yaml
|
- spegel-org.yaml
|
||||||
- stevehipwell.yaml
|
- stakater.yaml
|
||||||
|
- stevehipwell.yaml
|
||||||
|
|
Loading…
Reference in a new issue