From 4c2e87944c8de720861669f0d15acc9fca1ace41 Mon Sep 17 00:00:00 2001
From: DeveloperDurp
Date: Thu, 16 Jan 2025 05:33:47 -0600
Subject: [PATCH] update cert

---
 infra/vault/values.yaml | 40 ++++++++++++++++++++++------------------
 1 file changed, 22 insertions(+), 18 deletions(-)

diff --git a/infra/vault/values.yaml b/infra/vault/values.yaml
index 30247f6..aa14869 100644
--- a/infra/vault/values.yaml
+++ b/infra/vault/values.yaml
@@ -11,6 +11,8 @@ vault:
 cpu: 250m
 server:
+ image:
+ repository: "hashicorp/vault"
 # These Resource Limits are in line with node requirements in the
 # Vault Reference Architecture for a Small Cluster
 #resources:
@@ -34,17 +36,18 @@ vault:
 # extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be
 # used to include variables required for auto-unseal.
 extraEnvironmentVars:
- VAULT_CACERT: /vault/userconfig/tls-ca/ca.crt
+ VAULT_CACERT: /vault/userconfig/vault-server-tls/vault.ca
- # extraVolumes is a list of extra volumes to mount. These will be exposed
- # to Vault in the path `/vault/userconfig//`.
- extraVolumes:
- - type: secret
- name: tls-server
- - type: secret
- name: tls-ca
- - type: secret
- name: kms-creds
+ volumes:
+ - name: userconfig-vault-server-tls
+ secret:
+ defaultMode: 420
+ secretName: vault-server-tls
+
+ volumeMounts:
+ - mountPath: /vault/userconfig/vault-server-tls
+ name: userconfig-vault-server-tls
+ readOnly: true
 # This configures the Vault Statefulset to create a PVC for audit logs.
 # See https://www.vaultproject.io/docs/audit/index.html to know more
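Review bot: The new `image.repository: "hashicorp/vault"` in the first hunk is added without a `tag` (or digest), so the version actually deployed is whatever default the chart ships and will move silently on the next chart upgrade, unless a tag is pinned elsewhere in this file. Pin it next to the repository, e.g. `tag: "<the version you validated>"`, and prefer a digest reference if your tooling supports it. The `server:` mapping this sits in continues past the hunk.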
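Review bot: `defaultMode: 420` (0644) on the `vault-server-tls` secret volume makes `vault.key` readable by every uid inside the pod, which is wider than the single vault process that needs it; a tighter mode such as `defaultMode: 288  # 0440` is safer, provided the pod's fsGroup still lets the vault user read the file (not visible here, so confirm). The hunk also drops the `kms-creds` secret mount while the comment above `extraEnvironmentVars` still talks about auto-unseal; if a `seal` stanza elsewhere in the config relies on those credentials, unsealing will break, so either remount them or update that comment. Keeping `readOnly: true` on the mount is good.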
@@ -68,23 +71,24 @@ vault:
 listener "tcp" {
 address = "[::]:8200"
 cluster_address = "[::]:8201"
- tls_cert_file = "/vault/userconfig/tls-server/tls.crt"
- tls_key_file = "/vault/userconfig/tls-server/tls.key"
+ tls_cert_file = "/vault/userconfig/vault-server-tls/vault.crt"
+ tls_key_file = "/vault/userconfig/vault-server-tls/vault.key"
+ tls_client_ca_file = "/vault/userconfig/vault-server-tls/vault.ca"
 }
 storage "raft" {
 path = "/vault/data"
 retry_join {
 leader_api_addr = "https://vault-0.vault-internal:8200"
- leader_ca_cert_file = "/vault/userconfig/tls-ca/ca.crt"
- leader_client_cert_file = "/vault/userconfig/tls-server/tls.crt"
- leader_client_key_file = "/vault/userconfig/tls-server/tls.key"
+ leader_ca_cert_file = "/vault/userconfig/vault-server-tls/vault.ca"
+ leader_client_cert_file = "/vault/userconfig/vault-server-tls/vault.crt"
+ leader_client_key_file = "/vault/userconfig/vault-server-tls/vault.ca"
 }
 retry_join {
 leader_api_addr = "https://vault-1.vault-internal:8200"
- leader_ca_cert_file = "/vault/userconfig/tls-ca/ca.crt"
- leader_client_cert_file = "/vault/userconfig/tls-server/tls.crt"
- leader_client_key_file = "/vault/userconfig/tls-server/tls.key"
+ leader_ca_cert_file = "/vault/userconfig/vault-server-tls/vault.ca"
+ leader_client_cert_file = "/vault/userconfig/vault-server-tls/vault.crt"
+ leader_client_key_file = "/vault/userconfig/vault-server-tls/vault.ca"
 }
 }
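Review bot: Both `retry_join` blocks set `leader_client_key_file` to `vault.ca`, the CA certificate, instead of the private key that pairs with `leader_client_cert_file`, so the client key will not load or match the certificate and the raft join to `vault-0`/`vault-1` will fail; change both to `leader_client_key_file = "/vault/userconfig/vault-server-tls/vault.key"`. Separately, the new `tls_client_ca_file` on the listener only lets Vault verify client certificates that happen to be presented; if the intent is to require mTLS, add `tls_require_and_verify_client_cert = true` (and be aware that then every API client, not just raft peers, must present a cert signed by `vault.ca`), otherwise the line adds no enforcement. The `config` block scalar these stanzas live in begins before the hunk.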