139 lines
4.1 KiB
YAML
139 lines
4.1 KiB
YAML
vault:
|
|
global:
|
|
enabled: true
|
|
tlsDisable: true
|
|
resources:
|
|
requests:
|
|
memory: 256Mi
|
|
cpu: 250m
|
|
limits:
|
|
memory: 256Mi
|
|
cpu: 250m
|
|
|
|
server:
|
|
image:
|
|
repository: "hashicorp/vault"
|
|
# These Resource Limits are in line with node requirements in the
|
|
# Vault Reference Architecture for a Small Cluster
|
|
#resources:
|
|
# requests:
|
|
# memory: 8Gi
|
|
# cpu: 2000m
|
|
# limits:
|
|
# memory: 16Gi
|
|
# cpu: 2000m
|
|
|
|
# For HA configuration and because we need to manually init the vault,
|
|
# we need to define custom readiness/liveness Probe settings
|
|
readinessProbe:
|
|
enabled: true
|
|
path: "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204"
|
|
livenessProbe:
|
|
enabled: true
|
|
path: "/v1/sys/health?standbyok=true"
|
|
initialDelaySeconds: 60
|
|
|
|
# extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be
|
|
# used to include variables required for auto-unseal.
|
|
extraEnvironmentVars:
|
|
VAULT_CACERT: /vault/userconfig/vault-server-tls/vault.ca
|
|
|
|
extraSecretEnvironmentVars:
|
|
- envName: VAULT_TOKEN
|
|
secretName: autounseal
|
|
secretKey: VAULT_TOKEN
|
|
|
|
volumes:
|
|
- name: userconfig-vault-server-tls
|
|
secret:
|
|
defaultMode: 420
|
|
secretName: vault-server-tls
|
|
|
|
volumeMounts:
|
|
- mountPath: /vault/userconfig/vault-server-tls
|
|
name: userconfig-vault-server-tls
|
|
readOnly: true
|
|
|
|
# This configures the Vault Statefulset to create a PVC for audit logs.
|
|
# See https://www.vaultproject.io/docs/audit/index.html to know more
|
|
auditStorage:
|
|
enabled: true
|
|
|
|
standalone:
|
|
enabled: false
|
|
|
|
config: |
|
|
disable_mlock = true
|
|
ui = true
|
|
listener "tcp" {
|
|
address = "[::]:8200"
|
|
cluster_address = "[::]:8201"
|
|
}
|
|
|
|
seal "transit" {
|
|
address = "http://192.168.20.253:8201"
|
|
disable_renewal = "false"
|
|
key_name = "autounseal"
|
|
mount_path = "transit/"
|
|
tls_skip_verify = "true"
|
|
}
|
|
|
|
storage "raft" {
|
|
path = "/vault/data"
|
|
}
|
|
|
|
# Run Vault in "HA" mode.
|
|
ha:
|
|
enabled: true
|
|
replicas: 3
|
|
raft:
|
|
enabled: true
|
|
setNodeId: true
|
|
|
|
config: |
|
|
ui = true
|
|
cluster_name = "vault-integrated-storage"
|
|
listener "tcp" {
|
|
address = "[::]:8200"
|
|
cluster_address = "[::]:8201"
|
|
tls_cert_file = "/vault/userconfig/vault-server-tls/vault.crt"
|
|
tls_key_file = "/vault/userconfig/vault-server-tls/vault.key"
|
|
}
|
|
|
|
seal "transit" {
|
|
address = "http://192.168.20.253:8201"
|
|
disable_renewal = "false"
|
|
key_name = "autounseal"
|
|
mount_path = "transit/"
|
|
tls_skip_verify = "true"
|
|
}
|
|
|
|
storage "raft" {
|
|
path = "/vault/data"
|
|
retry_join {
|
|
leader_api_addr = "http://vault-0.vault-internal:8200"
|
|
leader_ca_cert_file = "/vault/userconfig/vault-server-tls/vault.ca"
|
|
leader_client_cert_file = "/vault/userconfig/vault-server-tls/vault.crt"
|
|
leader_client_key_file = "/vault/userconfig/vault-server-tls/vault.key"
|
|
}
|
|
retry_join {
|
|
leader_api_addr = "http://vault-1.vault-internal:8200"
|
|
leader_ca_cert_file = "/vault/userconfig/vault-server-tls/vault.ca"
|
|
leader_client_cert_file = "/vault/userconfig/vault-server-tls/vault.crt"
|
|
leader_client_key_file = "/vault/userconfig/vault-server-tls/vault.key"
|
|
}
|
|
retry_join {
|
|
leader_api_addr = "http://vault-2.vault-internal:8200"
|
|
leader_ca_cert_file = "/vault/userconfig/vault-server-tls/vault.ca"
|
|
leader_client_cert_file = "/vault/userconfig/vault-server-tls/vault.crt"
|
|
leader_client_key_file = "/vault/userconfig/vault-server-tls/vault.key"
|
|
}
|
|
}
|
|
|
|
# Vault UI
|
|
ui:
|
|
enabled: true
|
|
serviceType: "LoadBalancer"
|
|
serviceNodePort: null
|
|
externalPort: 8200
|