update

2025-01-15 06:15:44 -06:00
parent f5ceac3ec1
commit b6fa1079b6
1 changed files with 84 additions and 13 deletions
--- a/infra/vault/values.yaml
+++ b/infra/vault/values.yaml
@@ -1,25 +1,96 @@
 vault:
-  server:
-    image:
-      repository: "hashicorp/vault"
-      pullPolicy: Always
+  global:
+    enabled: true
+    tlsDisable: false
+    resources:
+      requests:
+        memory: 256Mi
+        cpu: 250m
+      limits:
+        memory: 256Mi
+        cpu: 250m
  
-    affinity: ""
+  server:
+    # These Resource Limits are in line with node requirements in the
+    # Vault Reference Architecture for a Small Cluster
+    #resources:
+    #  requests:
+    #    memory: 8Gi
+    #    cpu: 2000m
+    #  limits:
+    #    memory: 16Gi
+    #    cpu: 2000m
+  
+    # For HA configuration and because we need to manually init the vault,
+    # we need to define custom readiness/liveness Probe settings
+    readinessProbe:
+      enabled: true
+      path: "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204"
+    livenessProbe:
+      enabled: true
+      path: "/v1/sys/health?standbyok=true"
+      initialDelaySeconds: 60
+  
+    # extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be
+    # used to include variables required for auto-unseal.
+    extraEnvironmentVars:
+      VAULT_CACERT: /vault/userconfig/tls-ca/ca.crt
+  
+    # extraVolumes is a list of extra volumes to mount. These will be exposed
+    # to Vault in the path `/vault/userconfig/<name>/`.
+    extraVolumes:
+      - type: secret
+        name: tls-server
+      - type: secret
+        name: tls-ca
+      - type: secret
+        name: kms-creds
+  
+    # This configures the Vault Statefulset to create a PVC for audit logs.
+    # See https://www.vaultproject.io/docs/audit/index.html to know more
+    auditStorage:
+      enabled: true
+  
+    standalone:
+      enabled: false
+  
+    # Run Vault in "HA" mode.
    ha:
      enabled: true
      replicas: 3
      raft:
        enabled: true
        setNodeId: true
-        config: |
-          cluster_name = "vault-integrated-storage"
-          storage "raft" {
-              path    = "/vault/data/"
-          }
  
+        config: |
+          ui = true
+          cluster_name = "vault-integrated-storage"
          listener "tcp" {
            address = "[::]:8200"
            cluster_address = "[::]:8201"
-              tls_disable = "true"
+            tls_cert_file = "/vault/userconfig/tls-server/tls.crt"
+            tls_key_file = "/vault/userconfig/tls-server/tls.key"
          }
-          service_registration "kubernetes" {}
+  
+          storage "raft" {
+            path = "/vault/data"
+            retry_join {
+              leader_api_addr = "https://vault-0.vault-internal:8200"
+              leader_ca_cert_file = "/vault/userconfig/tls-ca/ca.crt"
+              leader_client_cert_file = "/vault/userconfig/tls-server/tls.crt"
+              leader_client_key_file = "/vault/userconfig/tls-server/tls.key"
+            }
+            retry_join {
+              leader_api_addr = "https://vault-1.vault-internal:8200"
+              leader_ca_cert_file = "/vault/userconfig/tls-ca/ca.crt"
+              leader_client_cert_file = "/vault/userconfig/tls-server/tls.crt"
+              leader_client_key_file = "/vault/userconfig/tls-server/tls.key"
+            }
+          } 
+  
+  # Vault UI
+  ui:
+    enabled: true
+    serviceType: "LoadBalancer"
+    serviceNodePort: null
+    externalPort: 8200