add vault

Joseph Hanson 2024-09-10 20:00:42 -05:00
parent 91032819a6
commit 7c6a2a4202
Signed by: jahanson
SSH key fingerprint: SHA256:vy6dKBECV522aPAwklFM3ReKAVB086rT3oWwiuiFG7o
6 changed files with 189 additions and 33 deletions


@ -7,3 +7,4 @@ resources:
- ./namespace.yaml - ./namespace.yaml
# Flux-Kustomizations # Flux-Kustomizations
- ./external-secrets/ks.yaml - ./external-secrets/ks.yaml
- ./vault/ks.yaml


@ -0,0 +1,119 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: vault
spec:
interval: 30m
chart:
spec:
chart: vault
version: 0.28.1
sourceRef:
kind: HelmRepository
name: hashicorp
namespace: flux-system
install:
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
retries: 3
strategy: rollback
values:
server:
image:
repository: "hashicorp/vault"
tag: "1.17.2"
logLevel: "info"
logFormat: "json"
ingress:
enabled: true
ingressClassName: internal-nginx
hosts:
- host: &host "{{ .Release.Name }}.jahanson.tech"
paths:
- path: /
service:
identifier: app
port: http
tls:
- hosts:
- *host
service:
type: "ClusterIP"
port: &internalPort 8200
targetPort: &port 80
# off until it's online for the first time
readinessProbe:
enabled: true
# If you need to use a http path instead of the default exec
# path: /v1/sys/health?standbyok=true
# Port number on which readinessProbe will be checked.
port: *port
# These are defaults but explicitly set here for clarity.
dataStorage:
size: 10Gi
mountPath: /vault/data
storageClass: ceph-block
auditStorage:
enabled: true
size: 10Gi
mountPath: /vault/audit
storageClass: ceph-block
# We want high availability. If standalone is true it sets the storage backend to file
# and the max replicas can only be 1.
standalone:
enabled: false
ha:
enabled: true
# maxUnavailable will default to (n/2)-1 where n is the number of replicas
# so if you have 6 replicas, maxUnavailable will be 2 unless you set it specifically.
replicas: 6
clusterAddr: "http://vault.security.svc.cluster.local:8201"
config: ""
raft:
enabled: true
config: |
ui = true
listener "tcp" {
tls_disable = 1
address = "[::]:8200"
cluster_address = "[::]:8201"
# For prometheus!
telemetry {
unauthenticated_metrics_access = "true"
}
}
storage "raft" {
path = "/vault/data"
}
service_registration "kubernetes" {}
statefulSet:
securityContext:
pod:
runAsUser: 568
runAsGroup: 568
runAsNonRoot: true
fsGroup: 568
fsGroupChangePolicy: OnRootMismatch
supplementalGroups: [10000]
container:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- "ALL"
ui:
enabled: true
publishNotReadyAddresses: true
# The service should only contain selectors for active Vault pod
activeVaultPodOnly: true
serviceType: "LoadBalancer"
externalPort: *internalPort
targetPort: *port
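Review bot: The `targetPort: &port 80` line under `service` does not match the listener this same file configures (`address = "[::]:8200"` in the raft config block), so the Service, the `ui.targetPort: *port` entry and the readiness probe `port: *port` all point at pod port 80 where Vault is not listening; unless something outside this file moves the listener, change it to `targetPort: &port 8200` (8200 is already what `port`/`externalPort` use via `*internalPort`). Separately, `tls_disable = 1` keeps the API listener in cleartext, which is tolerable behind the TLS-terminating ingress above, but `ui.serviceType: "LoadBalancer"` publishes that cleartext listener outside the cluster; prefer `serviceType: "ClusterIP"` and reach the UI through the ingress, or enable listener TLS before exposing it. `unauthenticated_metrics_access = "true"` makes the metrics endpoint readable without a token on that same listener, so it should stay cluster-internal as well. The ingress `paths` entries use a `service: identifier: app` mapping, which looks like bjw-s app-template syntax rather than this chart's list of path strings; worth checking the rendered Ingress before relying on it.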


@ -0,0 +1,7 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: security
resources:
- ./helmrelease.yaml


@ -0,0 +1,17 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: vault
namespace: flux-system
spec:
interval: 10m
path: "./kubernetes/apps/security/vault/app"
prune: true
sourceRef:
kind: GitRepository
name: theshire
wait: false
dependsOn:
- name: rook-ceph-cluster


@ -0,0 +1,11 @@
---
# yaml-language-server: $schema=https://ks.hsn.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: hashicorp
namespace: flux-system
spec:
interval: 30m
timeout: 3m
url: https://helm.releases.hashicorp.com


@ -3,36 +3,37 @@
apiVersion: kustomize.config.k8s.io/v1beta1 apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- angelnu.yaml - angelnu.yaml
- authentik.yaml - authentik.yaml
- backube.yaml - backube.yaml
- bjw-s.yaml - bjw-s.yaml
- cilium.yaml - cilium.yaml
- coredns.yaml - coredns.yaml
- crowdsec.yaml - crowdsec.yaml
- crunchydata.yaml - crunchydata.yaml
- democratic-csi.yaml - democratic-csi.yaml
- descheduler.yaml - descheduler.yaml
- dragonflydb.yaml - dragonflydb.yaml
- elastic.yaml - elastic.yaml
- emqx.yaml - emqx.yaml
- external-secrets.yaml - external-secrets.yaml
- fairwinds.yaml - fairwinds.yaml
- grafana.yaml - grafana.yaml
- hetzner.yaml - hashicorp.yaml
- ingress-nginx.yaml - hetzner.yaml
- intel.yaml - ingress-nginx.yaml
- jetstack.yaml - intel.yaml
- kubernetes-sigs-external-dns.yaml - jetstack.yaml
- kubernetes-sigs-metrics-server.yaml - kubernetes-sigs-external-dns.yaml
- kubernetes-sigs-nfd.yaml - kubernetes-sigs-metrics-server.yaml
- kyverno.yaml - kubernetes-sigs-nfd.yaml
- nvidia.yaml - kyverno.yaml
- openebs.yaml - nvidia.yaml
- piraeus.yaml - openebs.yaml
- postfinance.yaml - piraeus.yaml
- prometheus-community.yaml - postfinance.yaml
- rook-ceph.yaml - prometheus-community.yaml
- spegel-org.yaml - rook-ceph.yaml
- stakater.yaml - spegel-org.yaml
- stevehipwell.yaml - stakater.yaml
- stevehipwell.yaml