# Headless Service (clusterIP "None") for the Vault StatefulSet: it gives each
# pod a stable DNS name rather than a load-balanced virtual IP, and is the
# Service named by the StatefulSet's `serviceName` in the next document.
apiVersion: v1
kind: Service
metadata:
  name: vault
spec:
  selector:
    app: vault
  clusterIP: "None"
  # 8200 is the TLS API listener; 8201 is the port published to peers via
  # VAULT_CLUSTER_ADDR. Both mirror the containerPorts on the vault container.
  ports:
    - name: http
      port: 8200
    - name: server
      port: 8201
---
# Two-replica Vault StatefulSet backed by GCS storage with HA enabled.
# An init container renders the HCL config; a `vault-init` sidecar reads the
# GCS bucket and KMS key id from the `vault` ConfigMap (defined elsewhere, not
# on this page); TLS material is mounted from the `vault` Secret.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  labels:
    app: vault
  name: vault
spec:
  # Must match the headless Service name in the previous document.
  serviceName: vault
  replicas: 2
  selector:
    matchLabels:
      app: vault
  template:
    metadata:
      labels:
        app: vault
    spec:
      # Hard anti-affinity on hostname: the two replicas need two distinct
      # nodes, otherwise the second pod stays Pending.
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - topologyKey: kubernetes.io/hostname
              labelSelector:
                matchExpressions:
                  - key: app
                    operator: In
                    values:
                      - vault
      initContainers:
        # Writes vault.hcl into the shared emptyDir before the server starts.
        # NOTE(review): `busybox` carries no tag, so the init image resolves to
        # a mutable `latest`; pin a tag or digest (e.g. busybox:<PINNED_TAG>,
        # placeholder) to keep the rendering step reproducible.
        - name: config
          image: busybox
          env:
            - name: GCS_BUCKET_NAME
              valueFrom:
                configMapKeyRef:
                  name: vault
                  key: gcs-bucket-name
          command:
            - /bin/sh
            - '-c'
          args:
            # Unquoted heredoc so ${GCS_BUCKET_NAME} is expanded by the shell.
            # The listener is TLS-only (cert/key from the vault-tls mount) and
            # refuses anything below TLS 1.2.
            - |
              cat > /etc/vault/config/vault.hcl <<EOF
              listener "tcp" {
                address = "0.0.0.0:8200"
                tls_cert_file = "/etc/vault/tls/vault.pem"
                tls_key_file = "/etc/vault/tls/vault-key.pem"
                tls_min_version = "tls12"
              }
              storage "gcs" {
                bucket = "${GCS_BUCKET_NAME}"
                ha_enabled = "true"
              }
              ui = true
              EOF
          volumeMounts:
            - name: vault-config
              mountPath: /etc/vault/config
      containers:
        # Sidecar that is handed the storage bucket and KMS key id; presumably
        # it initialises/unseals the server (behaviour is not visible here —
        # verify against the image's documentation).
        # NOTE(review): untagged image with imagePullPolicy Always means every
        # pod start pulls whatever `latest` currently is; pin a tag or digest.
        - name: vault-init
          image: gcr.io/hightowerlabs/vault-init
          imagePullPolicy: Always
          env:
            - name: CHECK_INTERVAL
              value: "10"
            - name: GCS_BUCKET_NAME
              valueFrom:
                configMapKeyRef:
                  name: vault
                  key: gcs-bucket-name
            - name: KMS_KEY_ID
              valueFrom:
                configMapKeyRef:
                  name: vault
                  key: kms-key-id
        - name: vault
          image: vault:1.7.1
          env:
            # POD_IP must be declared before VAULT_CLUSTER_ADDR: Kubernetes only
            # expands $(VAR) references to variables defined earlier in the list.
            - name: POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: VAULT_API_ADDR
              valueFrom:
                configMapKeyRef:
                  name: vault
                  key: api-addr
            - name: VAULT_CLUSTER_ADDR
              value: 'https://$(POD_IP):8201'
          args:
            - server
            - '-config=/etc/vault/config/vault.hcl'
          ports:
            - name: http
              containerPort: 8200
              protocol: TCP
            - name: server
              containerPort: 8201
              protocol: TCP
          # standbyok=true makes HA standby members report Ready as well.
          # HTTPS scheme is required because the listener above is TLS-only;
          # kubelet probes do not verify the serving certificate, so this
          # checks the listener is up, not that the cert is correct.
          readinessProbe:
            httpGet:
              path: '/v1/sys/health?standbyok=true'
              port: 8200
              scheme: HTTPS
            initialDelaySeconds: 5
            periodSeconds: 10
          # Requests only; no limits are set, so the container can grow
          # beyond 1Gi on a node with spare memory.
          resources:
            requests:
              cpu: 500m
              memory: 1Gi
          # IPC_LOCK is the only added capability — presumably so Vault can
          # mlock() its memory; no other privilege is granted here.
          securityContext:
            capabilities:
              add:
                - IPC_LOCK
          volumeMounts:
            - name: vault-config
              mountPath: /etc/vault/config
            - name: vault-tls
              mountPath: /etc/vault/tls
      volumes:
        # Rendered config lives only for the pod's lifetime.
        - name: vault-config
          emptyDir: {}
        # Serving cert/key (vault.pem, vault-key.pem) come from Secret `vault`.
        - name: vault-tls
          secret:
            secretName: vault