
feat: migrate Vault cluster to flux in staging

Khue Doan 04d10022 d2f9c479

+148
+8
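--- a/platform/staging/app-template.yaml
+++ b/platform/staging/app-template.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: app-template
+  namespace: flux-system
+spec:
+  type: oci
+  url: oci://docker.io/khuedoan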
+140
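--- a/platform/staging/vault.yaml
+++ b/platform/staging/vault.yaml
@@ -47,3 +47,143 @@
   values:
     env:
       VAULT_ADDR: http://vault-cluster.vault.svc.cluster.local:8200
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: vault
+  namespace: flux-system
+spec:
+  interval: 30m
+  releaseName: vault
+  targetNamespace: vault
+  install:
+    createNamespace: true
+  chart:
+    spec:
+      chart: app-template
+      version: 4.6.0
+      sourceRef:
+        kind: HelmRepository
+        name: app-template
+  values:
+    persistence:
+      data:
+        accessMode: ReadWriteOnce
+        size: 2Gi
+    rawResources:
+      cluster:
+        apiVersion: vault.banzaicloud.com/v1alpha1
+        kind: Vault
+        spec:
+          spec:
+            config:
+              listener:
+                tcp:
+                  address: 0.0.0.0:8200
+                  tls_disable: true
+              storage:
+                file:
+                  path: /vault/data
+              ui: true
+            externalConfig:
+              auth:
+                - roles:
+                    - bound_service_account_names:
+                        - '*'
+                      bound_service_account_namespaces:
+                        - '*'
+                      name: default
+                      policies:
+                        - allow_secrets
+                      ttl: 1h
+                  type: kubernetes
+              policies:
+                - name: allow_secrets
+                  rules: |
+                    # TODO optimize this
+                    path "secret/*" {
+                      capabilities = ["create", "read", "update", "delete", "list"]
+                    }
+              secrets:
+                - options:
+                    version: 2
+                  path: secret
+                  type: kv
+            image: docker.io/hashicorp/vault:1.20.2
+            ingress:
+              annotations:
+                cert-manager.io/cluster-issuer: letsencrypt-prod
+              spec:
+                ingressClassName: nginx
+                rules:
+                  - host: vault.cloudlab.khuedoan.com
+                    http:
+                      paths:
+                        - backend:
+                            service:
+                              name: vault-cluster
+                              port:
+                                number: 8200
+                          path: /
+                          pathType: Prefix
+                tls:
+                  - hosts:
+                      - vault.cloudlab.khuedoan.com
+                    secretName: vault-tls-certificate
+            serviceAccount: vault
+            size: 1
+            unsealConfig:
+              kubernetes:
+                secretNamespace: '{{ .Release.Namespace }}'
+            volumeMounts:
+              - mountPath: /vault/data
+                name: vault-data
+            volumes:
+              - name: vault-data
+                persistentVolumeClaim:
+                  claimName: vault-data
+    rbac:
+      bindings:
+        cluster:
+          forceRename: vault
+          roleRef:
+            apiGroup: rbac.authorization.k8s.io
+            kind: ClusterRole
+            name: system:auth-delegator
+          subjects:
+            - kind: ServiceAccount
+              name: vault
+              namespace: '{{ .Release.Namespace }}'
+          type: ClusterRoleBinding
+        namespace:
+          forceRename: vault
+          roleRef:
+            apiGroup: rbac.authorization.k8s.io
+            kind: Role
+            name: vault
+          subjects:
+            - kind: ServiceAccount
+              name: vault
+              namespace: '{{ .Release.Namespace }}'
+          type: RoleBinding
+      roles:
+        vault:
+          rules:
+            - apiGroups:
+                - ""
+              resources:
+                - secrets
+              verbs:
+                - '*'
+            - apiGroups:
+                - ""
+              resources:
+                - pods
+              verbs:
+                - get
+                - update
+                - patch
+          type: Role
+    serviceAccount:
+      vault: {}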
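Review bot: The Kubernetes auth role `default` in the new Vault CR (new lines 91–100) binds `bound_service_account_names: - '*'` and `bound_service_account_namespaces: - '*'` to the `allow_secrets` policy, so any service account token from any namespace in the cluster can obtain a 1h Vault token with create/read/update/delete/list on the whole `secret/*` tree; the `# TODO optimize this` at line 104 covers the policy path but not this binding. Replace the two wildcards with the consumers that actually need secrets, e.g. `bound_service_account_names: [<consumer-sa>]` and `bound_service_account_namespaces: [<consumer-namespace>]` (placeholders), and split `allow_secrets` per consumer path when the TODO is picked up. Separately, `tls_disable: true` on the listener means the hop from the nginx ingress to `vault-cluster:8200` and all in-cluster traffic to the `VAULT_ADDR` shown in the context lines is plaintext, which is worth a one-line comment if it is a deliberate staging-only choice. The context lines `values:`/`env:` belong to an earlier HelmRelease whose start is outside the hunk.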