

feat: reinstall Vault with Bank-Vaults operator

Change-Id: I38542e88ad19e670ca7fb4b78b01d49194d1ff3c

Khue Doan 1c12478b bc4b9447

+183
+183
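--- a/infra/.modules/bootstrap/vault.tf
+++ b/infra/.modules/bootstrap/vault.tf
@@ -0,0 +1,183 @@
+resource "kubectl_manifest" "vault_operator" {
+server_side_apply = true
+yaml_body = yamlencode({
+apiVersion = "argoproj.io/v1alpha1"
+kind = "Application"
+metadata = {
+name = "vault-operator"
+namespace = helm_release.argocd.namespace
+finalizers = ["resources-finalizer.argocd.argoproj.io"]
+labels = local.common_labels
+}
+spec = {
+project = "default"
+destination = {
+name = "in-cluster"
+namespace = "vault"
+}
+syncPolicy = local.sync_policy
+source = {
+repoURL = "ghcr.io"
+chart = "bank-vaults/helm-charts/vault-operator"
+targetRevision = "1.23.0"
+}
+}
+})
+}
+
+resource "kubectl_manifest" "vault" {
+server_side_apply = true
+yaml_body = yamlencode({
+apiVersion = "argoproj.io/v1alpha1"
+kind = "Application"
+metadata = {
+name = "vault"
+namespace = helm_release.argocd.namespace
+finalizers = ["resources-finalizer.argocd.argoproj.io"]
+labels = local.common_labels
+}
+spec = {
+project = "default"
+destination = {
+name = "in-cluster"
+namespace = "vault"
+}
+syncPolicy = local.sync_policy
+source = {
+repoURL = "https://bjw-s-labs.github.io/helm-charts"
+chart = "app-template"
+targetRevision = "3.7.3"
+helm = {
+valuesObject = {
+rawResources = {
+cluster = {
+apiVersion = "vault.banzaicloud.com/v1alpha1"
+kind = "Vault"
+spec = {
+spec = {
+size = 1
+image = "docker.io/hashicorp/vault:1.20.2"
+serviceAccount = "vault"
+config = {
+storage = {
+file = {
+path = "/vault/data"
+}
+}
+listener = {
+tcp = {
+address = "0.0.0.0:8200"
+tls_disable = true
+}
+}
+ui = true
+}
+unsealConfig = {
+kubernetes = {
+secretNamespace = "{{ .Release.Namespace }}"
+}
+}
+volumes = [{
+name = "vault-data"
+persistentVolumeClaim : {
+claimName : "vault-data"
+}
+}]
+volumeMounts : [{
+name = "vault-data"
+mountPath = "/vault/data"
+}]
+ingress = {
+annotations = {
+"cert-manager.io/cluster-issuer" = "letsencrypt-prod"
+}
+spec = {
+ingressClassName = "nginx"
+rules = [{
+host = "vault.${var.cluster_domain}"
+http = {
+paths = [{
+backend = {
+service = {
+name = "vault-cluster"
+port = {
+"number" = 8200
+}
+}
+}
+path = "/"
+pathType = "Prefix"
+}]
+}
+}]
+tls = [{
+hosts = ["vault.${var.cluster_domain}"]
+secretName = "vault-tls-certificate"
+}]
+}
+}
+}
+}
+}
+}
+serviceAccount = {
+create = true
+}
+rbac = {
+roles = {
+vault = {
+type = "Role"
+rules = [{
+apiGroups = [""]
+resources = ["secrets"]
+verbs = ["*"]
+}, {
+apiGroups = [""]
+resources = ["pods"]
+verbs = ["get", "update", "patch"]
+}]
+}
+}
+bindings = {
+namespace = {
+forceRename = "vault"
+type = "RoleBinding"
+roleRef = {
+apiGroup = "rbac.authorization.k8s.io"
+kind = "Role"
+name = "vault"
+}
+subjects = [{
+kind = "ServiceAccount"
+namespace = "{{ .Release.Namespace }}"
+name = "vault"
+}]
+}
+cluster = {
+forceRename = "vault"
+type = "ClusterRoleBinding"
+roleRef = {
+apiGroup = "rbac.authorization.k8s.io"
+kind = "ClusterRole"
+name = "system:auth-delegator"
+}
+subjects = [{
+kind = "ServiceAccount"
+namespace = "{{ .Release.Namespace }}"
+name = "vault"
+}]
+}
+}
+}
+persistence = {
+data = {
+accessMode = "ReadWriteOnce"
+size = "2Gi"
+}
+}
+}
+}
+}
+}
+})
+}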
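Review bot: The tcp listener at hunk lines 69–70 binds `address = "0.0.0.0:8200"` with `tls_disable = true`, so the hop from the nginx ingress (and from any other pod that can reach the vault-cluster service) to Vault is plaintext; the cert-manager certificate at lines 92 and 113–116 only covers the edge. If that is the intended design, record it next to the listener with `# TLS terminates at the nginx ingress; in-cluster traffic to :8200 is plaintext` so it is not read as an oversight, otherwise keep TLS enabled on the listener and let the ingress re-encrypt to the backend. The Role at lines 130–133 grants `verbs = ["*"]` on every secret in the namespace — the same namespace where `unsealConfig.kubernetes` at line 76 presumably stores the unseal material — which is wider than the get/create/update a writer of those secrets appears to need, so the verb list is worth narrowing to what the operator documents as required. Lines 82–86 also mix `:` and `=` as object-key separators in one literal (`persistentVolumeClaim : {`, `claimName : "vault-data"`, `volumeMounts : [{`); both parse, but `=` throughout matches the rest of the file.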