update cert

2025-01-16 05:33:47 -06:00
parent b6fa1079b6
commit 4c2e87944c


@@ -11,6 +11,8 @@ vault:
cpu: 250m cpu: 250m
server: server:
image:
repository: "hashicorp/vault"
# These Resource Limits are in line with node requirements in the # These Resource Limits are in line with node requirements in the
# Vault Reference Architecture for a Small Cluster # Vault Reference Architecture for a Small Cluster
#resources: #resources:
@@ -34,17 +36,18 @@ vault:
# extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be # extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be
# used to include variables required for auto-unseal. # used to include variables required for auto-unseal.
extraEnvironmentVars: extraEnvironmentVars:
VAULT_CACERT: /vault/userconfig/tls-ca/ca.crt VAULT_CACERT: /vault/userconfig/vault-server-tls/vault.ca
# extraVolumes is a list of extra volumes to mount. These will be exposed volumes:
# to Vault in the path `/vault/userconfig/<name>/`. - name: userconfig-vault-server-tls
extraVolumes: secret:
- type: secret defaultMode: 420
name: tls-server secretName: vault-server-tls
- type: secret
name: tls-ca volumeMounts:
- type: secret - mountPath: /vault/userconfig/vault-server-tls
name: kms-creds name: userconfig-vault-server-tls
readOnly: true
# This configures the Vault Statefulset to create a PVC for audit logs. # This configures the Vault Statefulset to create a PVC for audit logs.
# See https://www.vaultproject.io/docs/audit/index.html to know more # See https://www.vaultproject.io/docs/audit/index.html to know more
@@ -68,23 +71,24 @@ vault:
listener "tcp" { listener "tcp" {
address = "[::]:8200" address = "[::]:8200"
cluster_address = "[::]:8201" cluster_address = "[::]:8201"
tls_cert_file = "/vault/userconfig/tls-server/tls.crt" tls_cert_file = "/vault/userconfig/vault-server-tls/vault.crt"
tls_key_file = "/vault/userconfig/tls-server/tls.key" tls_key_file = "/vault/userconfig/vault-server-tls/vault.key"
tls_client_ca_file = "/vault/userconfig/vault-server-tls/vault.ca"
} }
storage "raft" { storage "raft" {
path = "/vault/data" path = "/vault/data"
retry_join { retry_join {
leader_api_addr = "https://vault-0.vault-internal:8200" leader_api_addr = "https://vault-0.vault-internal:8200"
leader_ca_cert_file = "/vault/userconfig/tls-ca/ca.crt" leader_ca_cert_file = "/vault/userconfig/vault-server-tls/vault.ca"
leader_client_cert_file = "/vault/userconfig/tls-server/tls.crt" leader_client_cert_file = "/vault/userconfig/vault-server-tls/vault.crt"
leader_client_key_file = "/vault/userconfig/tls-server/tls.key" leader_client_key_file = "/vault/userconfig/vault-server-tls/vault.ca"
} }
retry_join { retry_join {
leader_api_addr = "https://vault-1.vault-internal:8200" leader_api_addr = "https://vault-1.vault-internal:8200"
leader_ca_cert_file = "/vault/userconfig/tls-ca/ca.crt" leader_ca_cert_file = "/vault/userconfig/vault-server-tls/vault.ca"
leader_client_cert_file = "/vault/userconfig/tls-server/tls.crt" leader_client_cert_file = "/vault/userconfig/vault-server-tls/vault.crt"
leader_client_key_file = "/vault/userconfig/tls-server/tls.key" leader_client_key_file = "/vault/userconfig/vault-server-tls/vault.ca"
} }
} }
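Review bot: Both retry_join stanzas in this hunk set the client key to the CA file — `leader_client_key_file = "/vault/userconfig/vault-server-tls/vault.ca"` — while the listener's `tls_key_file` in the same hunk points at `vault.key`, and the old side used `tls.key` for these two settings. Vault cannot load a CA certificate as a private key, so the joining nodes will fail to present a client certificate to vault-0/vault-1 and raft auto-join will break. Both lines should read `leader_client_key_file = "/vault/userconfig/vault-server-tls/vault.key"`. Separately, the earlier hunk mounts this secret with `defaultMode: 420` (0644) even though it now carries the private key; a tighter mode (for example `defaultMode: 256`, 0400) is worth considering if the Vault process user can still read the file under the pod's fsGroup. The `vault:` values map this config lives in continues past the hunk, and the rendered page appears to have dropped blank lines, so the hunk's exact extent is uncertain.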