2025-01-15 06:15:44 -06:00
parent f5ceac3ec1
commit b6fa1079b6


@@ -1,25 +1,96 @@
vault: vault:
server: global:
image: enabled: true
repository: "hashicorp/vault" tlsDisable: false
pullPolicy: Always resources:
requests:
memory: 256Mi
cpu: 250m
limits:
memory: 256Mi
cpu: 250m
affinity: "" server:
# These Resource Limits are in line with node requirements in the
# Vault Reference Architecture for a Small Cluster
#resources:
# requests:
# memory: 8Gi
# cpu: 2000m
# limits:
# memory: 16Gi
# cpu: 2000m
# For HA configuration and because we need to manually init the vault,
# we need to define custom readiness/liveness Probe settings
readinessProbe:
enabled: true
path: "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204"
livenessProbe:
enabled: true
path: "/v1/sys/health?standbyok=true"
initialDelaySeconds: 60
# extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be
# used to include variables required for auto-unseal.
extraEnvironmentVars:
VAULT_CACERT: /vault/userconfig/tls-ca/ca.crt
# extraVolumes is a list of extra volumes to mount. These will be exposed
# to Vault in the path `/vault/userconfig/<name>/`.
extraVolumes:
- type: secret
name: tls-server
- type: secret
name: tls-ca
- type: secret
name: kms-creds
# This configures the Vault Statefulset to create a PVC for audit logs.
# See https://www.vaultproject.io/docs/audit/index.html to know more
auditStorage:
enabled: true
standalone:
enabled: false
# Run Vault in "HA" mode.
ha: ha:
enabled: true enabled: true
replicas: 3 replicas: 3
raft: raft:
enabled: true enabled: true
setNodeId: true setNodeId: true
config: | config: |
ui = true
cluster_name = "vault-integrated-storage" cluster_name = "vault-integrated-storage"
storage "raft" { listener "tcp" {
path = "/vault/data/" address = "[::]:8200"
cluster_address = "[::]:8201"
tls_cert_file = "/vault/userconfig/tls-server/tls.crt"
tls_key_file = "/vault/userconfig/tls-server/tls.key"
} }
listener "tcp" { storage "raft" {
address = "[::]:8200" path = "/vault/data"
cluster_address = "[::]:8201" retry_join {
tls_disable = "true" leader_api_addr = "https://vault-0.vault-internal:8200"
leader_ca_cert_file = "/vault/userconfig/tls-ca/ca.crt"
leader_client_cert_file = "/vault/userconfig/tls-server/tls.crt"
leader_client_key_file = "/vault/userconfig/tls-server/tls.key"
}
retry_join {
leader_api_addr = "https://vault-1.vault-internal:8200"
leader_ca_cert_file = "/vault/userconfig/tls-ca/ca.crt"
leader_client_cert_file = "/vault/userconfig/tls-server/tls.crt"
leader_client_key_file = "/vault/userconfig/tls-server/tls.key"
}
} }
service_registration "kubernetes" {}
# Vault UI
ui:
enabled: true
serviceType: "LoadBalancer"
serviceNodePort: null
externalPort: 8200