add vault
This commit is contained in:
parent
91032819a6
commit
7c6a2a4202
6 changed files with 189 additions and 33 deletions
|
@ -7,3 +7,4 @@ resources:
|
|||
- ./namespace.yaml
|
||||
# Flux-Kustomizations
|
||||
- ./external-secrets/ks.yaml
|
||||
- ./vault/ks.yaml
|
||||
|
|
119
kubernetes/apps/security/vault/app/helmrelease.yaml
Normal file
119
kubernetes/apps/security/vault/app/helmrelease.yaml
Normal file
|
@ -0,0 +1,119 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta2.json
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: vault
|
||||
spec:
|
||||
interval: 30m
|
||||
chart:
|
||||
spec:
|
||||
chart: vault
|
||||
version: 0.28.1
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: hashicorp
|
||||
namespace: flux-system
|
||||
install:
|
||||
remediation:
|
||||
retries: 3
|
||||
upgrade:
|
||||
cleanupOnFail: true
|
||||
remediation:
|
||||
retries: 3
|
||||
strategy: rollback
|
||||
values:
|
||||
server:
|
||||
image:
|
||||
repository: "hashicorp/vault"
|
||||
tag: "1.17.2"
|
||||
logLevel: "info"
|
||||
logFormat: "json"
|
||||
ingress:
|
||||
enabled: true
|
||||
ingressClassName: internal-nginx
|
||||
hosts:
|
||||
- host: &host "{{ .Release.Name }}.jahanson.tech"
|
||||
paths:
|
||||
- path: /
|
||||
service:
|
||||
identifier: app
|
||||
port: http
|
||||
tls:
|
||||
- hosts:
|
||||
- *host
|
||||
service:
|
||||
type: "ClusterIP"
|
||||
port: &internalPort 8200
|
||||
targetPort: &port 80
|
||||
# off until it's online for the first time
|
||||
readinessProbe:
|
||||
enabled: true
|
||||
# If you need to use a http path instead of the default exec
|
||||
# path: /v1/sys/health?standbyok=true
|
||||
# Port number on which readinessProbe will be checked.
|
||||
port: *port
|
||||
# These are defaults but explicitly set here for clarity.
|
||||
dataStorage:
|
||||
size: 10Gi
|
||||
mountPath: /vault/data
|
||||
storageClass: ceph-block
|
||||
auditStorage:
|
||||
enabled: true
|
||||
size: 10Gi
|
||||
mountPath: /vault/audit
|
||||
storageClass: ceph-block
|
||||
# We want high availability. If standalone is true it sets the storage backend to file
|
||||
# and the max replicas can only be 1.
|
||||
standalone:
|
||||
enabled: false
|
||||
ha:
|
||||
enabled: true
|
||||
# maxUnavailable will default to (n/2)-1 where n is the number of replicas
|
||||
# so if you have 6 replicas, maxUnavailable will be 2 unless you set it specifically.
|
||||
replicas: 6
|
||||
clusterAddr: "http://vault.security.svc.cluster.local:8201"
|
||||
config: ""
|
||||
raft:
|
||||
enabled: true
|
||||
config: |
|
||||
ui = true
|
||||
|
||||
listener "tcp" {
|
||||
tls_disable = 1
|
||||
address = "[::]:8200"
|
||||
cluster_address = "[::]:8201"
|
||||
# For prometheus!
|
||||
telemetry {
|
||||
unauthenticated_metrics_access = "true"
|
||||
}
|
||||
}
|
||||
|
||||
storage "raft" {
|
||||
path = "/vault/data"
|
||||
}
|
||||
|
||||
service_registration "kubernetes" {}
|
||||
statefulSet:
|
||||
securityContext:
|
||||
pod:
|
||||
runAsUser: 568
|
||||
runAsGroup: 568
|
||||
runAsNonRoot: true
|
||||
fsGroup: 568
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
supplementalGroups: [10000]
|
||||
container:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
ui:
|
||||
enabled: true
|
||||
publishNotReadyAddresses: true
|
||||
# The service should only contain selectors for active Vault pod
|
||||
activeVaultPodOnly: true
|
||||
serviceType: "LoadBalancer"
|
||||
externalPort: *internalPort
|
||||
targetPort: *port
|
7
kubernetes/apps/security/vault/app/kustomization.yaml
Normal file
7
kubernetes/apps/security/vault/app/kustomization.yaml
Normal file
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
namespace: security
|
||||
resources:
|
||||
- ./helmrelease.yaml
|
17
kubernetes/apps/security/vault/ks.yaml
Normal file
17
kubernetes/apps/security/vault/ks.yaml
Normal file
|
@ -0,0 +1,17 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
|
||||
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||
kind: Kustomization
|
||||
metadata:
|
||||
name: vault
|
||||
namespace: flux-system
|
||||
spec:
|
||||
interval: 10m
|
||||
path: "./kubernetes/apps/security/vault/app"
|
||||
prune: true
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
name: theshire
|
||||
wait: false
|
||||
dependsOn:
|
||||
- name: rook-ceph-cluster
|
11
kubernetes/flux/repositories/helm/hashicorp.yaml
Normal file
11
kubernetes/flux/repositories/helm/hashicorp.yaml
Normal file
|
@ -0,0 +1,11 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
|
||||
apiVersion: source.toolkit.fluxcd.io/v1
|
||||
kind: HelmRepository
|
||||
metadata:
|
||||
name: hashicorp
|
||||
namespace: flux-system
|
||||
spec:
|
||||
interval: 30m
|
||||
timeout: 3m
|
||||
url: https://helm.releases.hashicorp.com
|
|
@ -3,36 +3,37 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- angelnu.yaml
|
||||
- authentik.yaml
|
||||
- backube.yaml
|
||||
- bjw-s.yaml
|
||||
- cilium.yaml
|
||||
- coredns.yaml
|
||||
- crowdsec.yaml
|
||||
- crunchydata.yaml
|
||||
- democratic-csi.yaml
|
||||
- descheduler.yaml
|
||||
- dragonflydb.yaml
|
||||
- elastic.yaml
|
||||
- emqx.yaml
|
||||
- external-secrets.yaml
|
||||
- fairwinds.yaml
|
||||
- grafana.yaml
|
||||
- hetzner.yaml
|
||||
- ingress-nginx.yaml
|
||||
- intel.yaml
|
||||
- jetstack.yaml
|
||||
- kubernetes-sigs-external-dns.yaml
|
||||
- kubernetes-sigs-metrics-server.yaml
|
||||
- kubernetes-sigs-nfd.yaml
|
||||
- kyverno.yaml
|
||||
- nvidia.yaml
|
||||
- openebs.yaml
|
||||
- piraeus.yaml
|
||||
- postfinance.yaml
|
||||
- prometheus-community.yaml
|
||||
- rook-ceph.yaml
|
||||
- spegel-org.yaml
|
||||
- stakater.yaml
|
||||
- stevehipwell.yaml
|
||||
- angelnu.yaml
|
||||
- authentik.yaml
|
||||
- backube.yaml
|
||||
- bjw-s.yaml
|
||||
- cilium.yaml
|
||||
- coredns.yaml
|
||||
- crowdsec.yaml
|
||||
- crunchydata.yaml
|
||||
- democratic-csi.yaml
|
||||
- descheduler.yaml
|
||||
- dragonflydb.yaml
|
||||
- elastic.yaml
|
||||
- emqx.yaml
|
||||
- external-secrets.yaml
|
||||
- fairwinds.yaml
|
||||
- grafana.yaml
|
||||
- hashicorp.yaml
|
||||
- hetzner.yaml
|
||||
- ingress-nginx.yaml
|
||||
- intel.yaml
|
||||
- jetstack.yaml
|
||||
- kubernetes-sigs-external-dns.yaml
|
||||
- kubernetes-sigs-metrics-server.yaml
|
||||
- kubernetes-sigs-nfd.yaml
|
||||
- kyverno.yaml
|
||||
- nvidia.yaml
|
||||
- openebs.yaml
|
||||
- piraeus.yaml
|
||||
- postfinance.yaml
|
||||
- prometheus-community.yaml
|
||||
- rook-ceph.yaml
|
||||
- spegel-org.yaml
|
||||
- stakater.yaml
|
||||
- stevehipwell.yaml
|
||||
|
|
Loading…
Reference in a new issue