
feat(vault): add test vault #4401

Merged
jazzlyn merged 2 commits into main from feature/add-test-vault on Jan 28, 2025

Conversation

jazzlyn
Collaborator

@jazzlyn jazzlyn commented Jan 28, 2025

No description provided.

@tyriis-automation
Contributor

tyriis-automation bot commented Jan 28, 2025

🦙 MegaLinter status: ✅ SUCCESS

| Descriptor | Linter | Files | Fixed | Errors | Elapsed time |
|---|---|---|---|---|---|
| ✅ EDITORCONFIG | editorconfig-checker | 4 | | 0 | 0.02s |
| ✅ REPOSITORY | gitleaks | yes | | no | 2.9s |
| ✅ YAML | prettier | 4 | | 0 | 0.42s |
| ✅ YAML | yamllint | 4 | | 0 | 0.39s |

See detailed report in MegaLinter reports
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff

MegaLinter is graciously provided by OX Security

@tyriis-automation
Contributor

--- kubernetes/talos-flux/apps Kustomization: flux-system/apps-sync Kustomization: flux-system/vault

+++ kubernetes/talos-flux/apps Kustomization: flux-system/apps-sync Kustomization: flux-system/vault

@@ -0,0 +1,30 @@

+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  labels:
+    kustomize.toolkit.fluxcd.io/name: apps-sync
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+    substitution.flux.home.arpa/enabled: 'true'
+  name: vault
+  namespace: flux-system
+spec:
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+  interval: 10m
+  path: ./kubernetes/talos-flux/apps/secops/vault/app
+  postBuild:
+    substituteFrom:
+    - kind: ConfigMap
+      name: cluster-settings
+    - kind: Secret
+      name: cluster-secrets
+  prune: false
+  sourceRef:
+    kind: GitRepository
+    name: home-ops
+  targetNamespace: secops
+  wait: true
+
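Review bot: `wait: true` at the end of this hunk will hold the `flux-system/vault` Kustomization in a not-ready state until someone initialises and unseals Vault by hand, because the rendered StatefulSet's readiness probe is `vault status`, which exits non-zero while the server is sealed, and no auto-unseal is configured (the `seal "gcpckms"` block in the HelmRelease values is commented out). Either accept that this Kustomization reports unready after every pod restart, or set `wait: false` here and let the HelmRelease carry its own health checks. Separately, `prune: false` means anything later removed from `./kubernetes/talos-flux/apps/secops/vault/app` keeps running in `secops`; for a test deployment `prune: true` is the safer default.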
--- kubernetes/talos-flux/apps/secops/vault/app Kustomization: flux-system/vault HelmRelease: secops/vault

+++ kubernetes/talos-flux/apps/secops/vault/app Kustomization: flux-system/vault HelmRelease: secops/vault

@@ -0,0 +1,118 @@

+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  labels:
+    kustomize.toolkit.fluxcd.io/name: vault
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: vault
+  namespace: secops
+spec:
+  chart:
+    spec:
+      chart: vault
+      sourceRef:
+        kind: HelmRepository
+        name: hashicorp-charts
+        namespace: flux-system
+      version: 0.29.1
+  driftDetection:
+    mode: enabled
+  install:
+    remediation:
+      retries: 3
+  interval: 15m
+  maxHistory: 5
+  uninstall:
+    keepHistory: false
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+  values:
+    global:
+      enabled: true
+    injector:
+      logFormat: json
+      metrics:
+        enabled: true
+      resources: {}
+    server:
+      auditStorage:
+        enabled: true
+        mountPath: /vault/audit
+        size: 1Gi
+        storageClass: ceph-block
+      dataStorage:
+        enabled: true
+        mountPath: /vault/data
+        size: 1Gi
+        storageClass: ceph-block
+      extraEnvironmentVars:
+        TZ: Europe/Vienna
+      extraLabels:
+        reloader.stakater.com/auto: 'true'
+      ha:
+        config: |
+          # api_addr = "http://127.0.0.1:8200"
+          # cluster_addr = "https://127.0.0.1:8201"
+          disable_mlock = true
+          ui = true
+          # seal "gcpckms" {
+          #   disabled    = "false"
+          #   project     = "techtales"
+          #   region      = "europe-west3"
+          #   key_ring    = "home-infra"
+          #   crypto_key  = "vault-unseal"
+          # }
+          listener "tcp" {
+            tls_disable = 1
+            address = "[::]:8200"
+            cluster_address = "[::]:8201"
+            telemetry {
+              unauthenticated_metrics_access = "true"
+            }
+          }
+          storage "file" {
+            path = "/vault/data"
+          }
+          # storage "raft" {
+          #   path = "/vault/data"
+          #   # retry_join {
+          #   #   leader_api_addr = "http://vault-0.vault-internal:8200"
+          #   # }
+          # }
+          service_registration "kubernetes" {}
+        enabled: true
+        replicas: 1
+      ingress:
+        annotations:
+          cert-manager.io/cluster-issuer: letsencrypt-staging
+          kubernetes.io/tls-acme: 'true'
+          nginx.ingress.kubernetes.io/force-ssl-redirect: 'true'
+          nginx.ingress.kubernetes.io/ssl-redirect: 'true'
+        enabled: true
+        hosts:
+        - host: test-vault.techtales.io
+          paths: []
+        ingressClassName: nginx
+        tls:
+        - hosts:
+          - test-vault.techtales.io
+          secretName: vault-tls
+      logFormat: json
+      logLevel: info
+      resources:
+        requests:
+          cpu: 250m
+          memory: 256Mi
+      updateStrategyType: OnDelete
+    ui:
+      activeVaultPodOnly: true
+      enabled: true
+      externalPort: 8200
+      publishNotReadyAddresses: true
+      serviceNodePort: null
+      serviceType: ClusterIP
+      targetPort: 8200
+
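Review bot: `tls_disable = 1` in the `listener "tcp"` block, together with `ingress.enabled: true`, means TLS terminates at the nginx ingress and every hop after it (ingress to `vault-active:8200`, injected agents to `http://vault.secops.svc:8200`) carries service-account JWTs and Vault tokens in clear text across the pod network. That may be an acceptable trade-off for a test instance, but the PR description is empty, so it should at least be stated there. The listener supports `tls_cert_file`/`tls_key_file`, which cert-manager could populate, and the ingress could then use `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"`. Note also that `server.dataStorage` is enabled in these values but `ha.enabled: true` with `storage "file"` is a combination the chart does not back with a data volume (see the rendered StatefulSet further down), so the storage choice here needs a second look.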

@tyriis-automation
Contributor

--- HelmRelease: secops/vault PodDisruptionBudget: secops/vault

+++ HelmRelease: secops/vault PodDisruptionBudget: secops/vault

@@ -0,0 +1,18 @@

+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: vault
+  namespace: secops
+  labels:
+    app.kubernetes.io/name: vault
+    app.kubernetes.io/instance: vault
+    app.kubernetes.io/managed-by: Helm
+spec:
+  maxUnavailable: 0
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: vault
+      app.kubernetes.io/instance: vault
+      component: server
+
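Review bot: `maxUnavailable: 0` on a StatefulSet with `replicas: 1` means the Vault pod can never be evicted voluntarily, so `kubectl drain` (and therefore Talos node upgrades) will block on this pod until the budget is removed or the pod is deleted by hand. For a single-node test instance either raise the budget to 1 or disable it via the chart's `server.ha.disruptionBudget` values, and revisit once the commented-out raft cluster is enabled.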
--- HelmRelease: secops/vault ServiceAccount: secops/vault-agent-injector

+++ HelmRelease: secops/vault ServiceAccount: secops/vault-agent-injector

@@ -0,0 +1,11 @@

+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-agent-injector
+  namespace: secops
+  labels:
+    app.kubernetes.io/name: vault-agent-injector
+    app.kubernetes.io/instance: vault
+    app.kubernetes.io/managed-by: Helm
+
--- HelmRelease: secops/vault ServiceAccount: secops/vault

+++ HelmRelease: secops/vault ServiceAccount: secops/vault

@@ -0,0 +1,11 @@

+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault
+  namespace: secops
+  labels:
+    app.kubernetes.io/name: vault
+    app.kubernetes.io/instance: vault
+    app.kubernetes.io/managed-by: Helm
+
--- HelmRelease: secops/vault ConfigMap: secops/vault-config

+++ HelmRelease: secops/vault ConfigMap: secops/vault-config

@@ -0,0 +1,44 @@

+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: vault-config
+  namespace: secops
+  labels:
+    app.kubernetes.io/name: vault
+    app.kubernetes.io/instance: vault
+    app.kubernetes.io/managed-by: Helm
+data:
+  extraconfig-from-values.hcl: |-
+    # api_addr = "http://127.0.0.1:8200"
+    # cluster_addr = "https://127.0.0.1:8201"
+    disable_mlock = true
+    ui = true
+    # seal "gcpckms" {
+    #   disabled    = "false"
+    #   project     = "techtales"
+    #   region      = "europe-west3"
+    #   key_ring    = "home-infra"
+    #   crypto_key  = "vault-unseal"
+    # }
+    listener "tcp" {
+      tls_disable = 1
+      address = "[::]:8200"
+      cluster_address = "[::]:8201"
+      telemetry {
+        unauthenticated_metrics_access = "true"
+      }
+    }
+    storage "file" {
+      path = "/vault/data"
+    }
+    # storage "raft" {
+    #   path = "/vault/data"
+    #   # retry_join {
+    #   #   leader_api_addr = "http://vault-0.vault-internal:8200"
+    #   # }
+    # }
+    service_registration "kubernetes" {}
+
+    disable_mlock = true
+
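Review bot: `disable_mlock = true` appears twice in `extraconfig-from-values.hcl` (inside the pasted `ha.config` and again as the trailing line); the duplicate is harmless, but the setting itself deserves a comment. With the `file` storage backend Vault's guidance is to keep mlock enabled so that unsealed key material and cached secrets cannot be paged to swap; disabling it is the documented choice only for the `raft` backend, which is commented out here. If the nodes run without swap this is moot, but then say so next to the setting.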
--- HelmRelease: secops/vault ClusterRole: secops/vault-agent-injector-clusterrole

+++ HelmRelease: secops/vault ClusterRole: secops/vault-agent-injector-clusterrole

@@ -0,0 +1,20 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: vault-agent-injector-clusterrole
+  labels:
+    app.kubernetes.io/name: vault-agent-injector
+    app.kubernetes.io/instance: vault
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - mutatingwebhookconfigurations
+  verbs:
+  - get
+  - list
+  - watch
+  - patch
+
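Review bot: the `patch` verb on `mutatingwebhookconfigurations` has no `resourceNames` restriction, so the `vault-agent-injector` service account can rewrite the `caBundle` or rules of every mutating webhook in the cluster, not only `vault-agent-injector-cfg`. The injector only needs to patch its own configuration (the name in `AGENT_INJECT_TLS_AUTO` on the Deployment); move `get` and `patch` into a rule with `resourceNames: [vault-agent-injector-cfg]` and keep `list`/`watch` in a separate rule, since those verbs cannot be scoped by name. This is chart-rendered output, so a kustomize patch on the ClusterRole is the practical way to tighten it.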
--- HelmRelease: secops/vault ClusterRoleBinding: secops/vault-agent-injector-binding

+++ HelmRelease: secops/vault ClusterRoleBinding: secops/vault-agent-injector-binding

@@ -0,0 +1,18 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: vault-agent-injector-binding
+  labels:
+    app.kubernetes.io/name: vault-agent-injector
+    app.kubernetes.io/instance: vault
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: vault-agent-injector-clusterrole
+subjects:
+- kind: ServiceAccount
+  name: vault-agent-injector
+  namespace: secops
+
--- HelmRelease: secops/vault ClusterRoleBinding: secops/vault-server-binding

+++ HelmRelease: secops/vault ClusterRoleBinding: secops/vault-server-binding

@@ -0,0 +1,18 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: vault-server-binding
+  labels:
+    app.kubernetes.io/name: vault
+    app.kubernetes.io/instance: vault
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+  name: vault
+  namespace: secops
+
--- HelmRelease: secops/vault Role: secops/vault-discovery-role

+++ HelmRelease: secops/vault Role: secops/vault-discovery-role

@@ -0,0 +1,22 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: secops
+  name: vault-discovery-role
+  labels:
+    app.kubernetes.io/name: vault
+    app.kubernetes.io/instance: vault
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - pods
+  verbs:
+  - get
+  - watch
+  - list
+  - update
+  - patch
+
--- HelmRelease: secops/vault RoleBinding: secops/vault-discovery-rolebinding

+++ HelmRelease: secops/vault RoleBinding: secops/vault-discovery-rolebinding

@@ -0,0 +1,19 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: vault-discovery-rolebinding
+  namespace: secops
+  labels:
+    app.kubernetes.io/name: vault
+    app.kubernetes.io/instance: vault
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: vault-discovery-role
+subjects:
+- kind: ServiceAccount
+  name: vault
+  namespace: secops
+
--- HelmRelease: secops/vault Service: secops/vault-agent-injector-svc

+++ HelmRelease: secops/vault Service: secops/vault-agent-injector-svc

@@ -0,0 +1,20 @@

+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: vault-agent-injector-svc
+  namespace: secops
+  labels:
+    app.kubernetes.io/name: vault-agent-injector
+    app.kubernetes.io/instance: vault
+    app.kubernetes.io/managed-by: Helm
+spec:
+  ports:
+  - name: https
+    port: 443
+    targetPort: 8080
+  selector:
+    app.kubernetes.io/name: vault-agent-injector
+    app.kubernetes.io/instance: vault
+    component: webhook
+
--- HelmRelease: secops/vault Service: secops/vault-active

+++ HelmRelease: secops/vault Service: secops/vault-active

@@ -0,0 +1,26 @@

+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: vault-active
+  namespace: secops
+  labels:
+    app.kubernetes.io/name: vault
+    app.kubernetes.io/instance: vault
+    app.kubernetes.io/managed-by: Helm
+    vault-active: 'true'
+spec:
+  publishNotReadyAddresses: true
+  ports:
+  - name: http
+    port: 8200
+    targetPort: 8200
+  - name: https-internal
+    port: 8201
+    targetPort: 8201
+  selector:
+    app.kubernetes.io/name: vault
+    app.kubernetes.io/instance: vault
+    component: server
+    vault-active: 'true'
+
--- HelmRelease: secops/vault Service: secops/vault-standby

+++ HelmRelease: secops/vault Service: secops/vault-standby

@@ -0,0 +1,25 @@

+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: vault-standby
+  namespace: secops
+  labels:
+    app.kubernetes.io/name: vault
+    app.kubernetes.io/instance: vault
+    app.kubernetes.io/managed-by: Helm
+spec:
+  publishNotReadyAddresses: true
+  ports:
+  - name: http
+    port: 8200
+    targetPort: 8200
+  - name: https-internal
+    port: 8201
+    targetPort: 8201
+  selector:
+    app.kubernetes.io/name: vault
+    app.kubernetes.io/instance: vault
+    component: server
+    vault-active: 'false'
+
--- HelmRelease: secops/vault Service: secops/vault-internal

+++ HelmRelease: secops/vault Service: secops/vault-internal

@@ -0,0 +1,26 @@

+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: vault-internal
+  namespace: secops
+  labels:
+    app.kubernetes.io/name: vault
+    app.kubernetes.io/instance: vault
+    app.kubernetes.io/managed-by: Helm
+    vault-internal: 'true'
+spec:
+  clusterIP: None
+  publishNotReadyAddresses: true
+  ports:
+  - name: http
+    port: 8200
+    targetPort: 8200
+  - name: https-internal
+    port: 8201
+    targetPort: 8201
+  selector:
+    app.kubernetes.io/name: vault
+    app.kubernetes.io/instance: vault
+    component: server
+
--- HelmRelease: secops/vault Service: secops/vault

+++ HelmRelease: secops/vault Service: secops/vault

@@ -0,0 +1,24 @@

+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: vault
+  namespace: secops
+  labels:
+    app.kubernetes.io/name: vault
+    app.kubernetes.io/instance: vault
+    app.kubernetes.io/managed-by: Helm
+spec:
+  publishNotReadyAddresses: true
+  ports:
+  - name: http
+    port: 8200
+    targetPort: 8200
+  - name: https-internal
+    port: 8201
+    targetPort: 8201
+  selector:
+    app.kubernetes.io/name: vault
+    app.kubernetes.io/instance: vault
+    component: server
+
--- HelmRelease: secops/vault Service: secops/vault-ui

+++ HelmRelease: secops/vault Service: secops/vault-ui

@@ -0,0 +1,23 @@

+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: vault-ui
+  namespace: secops
+  labels:
+    app.kubernetes.io/name: vault-ui
+    app.kubernetes.io/instance: vault
+    app.kubernetes.io/managed-by: Helm
+spec:
+  selector:
+    app.kubernetes.io/name: vault
+    app.kubernetes.io/instance: vault
+    component: server
+    vault-active: 'true'
+  publishNotReadyAddresses: true
+  ports:
+  - name: http
+    port: 8200
+    targetPort: 8200
+  type: ClusterIP
+
--- HelmRelease: secops/vault Deployment: secops/vault-agent-injector

+++ HelmRelease: secops/vault Deployment: secops/vault-agent-injector

@@ -0,0 +1,121 @@

+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: vault-agent-injector
+  namespace: secops
+  labels:
+    app.kubernetes.io/name: vault-agent-injector
+    app.kubernetes.io/instance: vault
+    app.kubernetes.io/managed-by: Helm
+    component: webhook
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: vault-agent-injector
+      app.kubernetes.io/instance: vault
+      component: webhook
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: vault-agent-injector
+        app.kubernetes.io/instance: vault
+        component: webhook
+    spec:
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchLabels:
+                app.kubernetes.io/name: vault-agent-injector
+                app.kubernetes.io/instance: vault
+                component: webhook
+            topologyKey: kubernetes.io/hostname
+      serviceAccountName: vault-agent-injector
+      securityContext:
+        runAsNonRoot: true
+        runAsGroup: 1000
+        runAsUser: 100
+        fsGroup: 1000
+      hostNetwork: false
+      containers:
+      - name: sidecar-injector
+        image: hashicorp/vault-k8s:1.5.0
+        imagePullPolicy: IfNotPresent
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+        env:
+        - name: AGENT_INJECT_LISTEN
+          value: :8080
+        - name: AGENT_INJECT_LOG_LEVEL
+          value: info
+        - name: AGENT_INJECT_VAULT_ADDR
+          value: http://vault.secops.svc:8200
+        - name: AGENT_INJECT_VAULT_AUTH_PATH
+          value: auth/kubernetes
+        - name: AGENT_INJECT_VAULT_IMAGE
+          value: hashicorp/vault:1.18.1
+        - name: AGENT_INJECT_TLS_AUTO
+          value: vault-agent-injector-cfg
+        - name: AGENT_INJECT_TLS_AUTO_HOSTS
+          value: vault-agent-injector-svc,vault-agent-injector-svc.secops,vault-agent-injector-svc.secops.svc
+        - name: AGENT_INJECT_LOG_FORMAT
+          value: json
+        - name: AGENT_INJECT_REVOKE_ON_SHUTDOWN
+          value: 'false'
+        - name: AGENT_INJECT_TELEMETRY_PATH
+          value: /metrics
+        - name: AGENT_INJECT_CPU_REQUEST
+          value: 250m
+        - name: AGENT_INJECT_CPU_LIMIT
+          value: 500m
+        - name: AGENT_INJECT_MEM_REQUEST
+          value: 64Mi
+        - name: AGENT_INJECT_MEM_LIMIT
+          value: 128Mi
+        - name: AGENT_INJECT_DEFAULT_TEMPLATE
+          value: map
+        - name: AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE
+          value: 'true'
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        args:
+        - agent-inject
+        - 2>&1
+        livenessProbe:
+          httpGet:
+            path: /health/ready
+            port: 8080
+            scheme: HTTPS
+          failureThreshold: 2
+          initialDelaySeconds: 5
+          periodSeconds: 2
+          successThreshold: 1
+          timeoutSeconds: 5
+        readinessProbe:
+          httpGet:
+            path: /health/ready
+            port: 8080
+            scheme: HTTPS
+          failureThreshold: 2
+          initialDelaySeconds: 5
+          periodSeconds: 2
+          successThreshold: 1
+          timeoutSeconds: 5
+        startupProbe:
+          httpGet:
+            path: /health/ready
+            port: 8080
+            scheme: HTTPS
+          failureThreshold: 12
+          initialDelaySeconds: 5
+          periodSeconds: 5
+          successThreshold: 1
+          timeoutSeconds: 5
+
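Review bot: `AGENT_INJECT_VAULT_AUTH_PATH` is `auth/kubernetes`, but nothing in this PR enables a Kubernetes auth method at that path or creates a role, so any pod annotated for injection will get a sidecar that cannot log in until that is done; worth a follow-up issue or a line in the PR description. `AGENT_INJECT_VAULT_ADDR` is also plain `http://vault.secops.svc:8200`, consistent with `tls_disable = 1`, which means each agent's service-account JWT and the tokens it receives cross the cluster network unencrypted; a NetworkPolicy limiting which namespaces can reach port 8200 would at least bound who can observe that traffic.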
--- HelmRelease: secops/vault StatefulSet: secops/vault

+++ HelmRelease: secops/vault StatefulSet: secops/vault

@@ -0,0 +1,158 @@

+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: vault
+  namespace: secops
+  labels:
+    app.kubernetes.io/name: vault
+    app.kubernetes.io/instance: vault
+    app.kubernetes.io/managed-by: Helm
+spec:
+  serviceName: vault-internal
+  podManagementPolicy: Parallel
+  replicas: 1
+  updateStrategy:
+    type: OnDelete
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: vault
+      app.kubernetes.io/instance: vault
+      component: server
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: vault
+        app.kubernetes.io/instance: vault
+        component: server
+        reloader.stakater.com/auto: 'true'
+      annotations: null
+    spec:
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchLabels:
+                app.kubernetes.io/name: vault
+                app.kubernetes.io/instance: vault
+                component: server
+            topologyKey: kubernetes.io/hostname
+      terminationGracePeriodSeconds: 10
+      serviceAccountName: vault
+      securityContext:
+        runAsNonRoot: true
+        runAsGroup: 1000
+        runAsUser: 100
+        fsGroup: 1000
+      hostNetwork: false
+      volumes:
+      - name: config
+        configMap:
+          name: vault-config
+      - name: home
+        emptyDir: {}
+      containers:
+      - name: vault
+        resources:
+          requests:
+            cpu: 250m
+            memory: 256Mi
+        image: hashicorp/vault:1.18.1
+        imagePullPolicy: IfNotPresent
+        command:
+        - /bin/sh
+        - -ec
+        args:
+        - "cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl;\n\
+          [ -n \"${HOST_IP}\" ] && sed -Ei \"s|HOST_IP|${HOST_IP?}|g\" /tmp/storageconfig.hcl;\n\
+          [ -n \"${POD_IP}\" ] && sed -Ei \"s|POD_IP|${POD_IP?}|g\" /tmp/storageconfig.hcl;\n\
+          [ -n \"${HOSTNAME}\" ] && sed -Ei \"s|HOSTNAME|${HOSTNAME?}|g\" /tmp/storageconfig.hcl;\n\
+          [ -n \"${API_ADDR}\" ] && sed -Ei \"s|API_ADDR|${API_ADDR?}|g\" /tmp/storageconfig.hcl;\n\
+          [ -n \"${TRANSIT_ADDR}\" ] && sed -Ei \"s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g\"\
+          \ /tmp/storageconfig.hcl;\n[ -n \"${RAFT_ADDR}\" ] && sed -Ei \"s|RAFT_ADDR|${RAFT_ADDR?}|g\"\
+          \ /tmp/storageconfig.hcl;\n/usr/local/bin/docker-entrypoint.sh vault server\
+          \ -config=/tmp/storageconfig.hcl \n"
+        securityContext:
+          allowPrivilegeEscalation: false
+        env:
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.hostIP
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: VAULT_K8S_POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: VAULT_K8S_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: VAULT_ADDR
+          value: http://127.0.0.1:8200
+        - name: VAULT_API_ADDR
+          value: http://$(POD_IP):8200
+        - name: SKIP_CHOWN
+          value: 'true'
+        - name: SKIP_SETCAP
+          value: 'true'
+        - name: HOSTNAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: VAULT_CLUSTER_ADDR
+          value: https://$(HOSTNAME).vault-internal:8201
+        - name: HOME
+          value: /home/vault
+        - name: VAULT_LOG_LEVEL
+          value: info
+        - name: VAULT_LOG_FORMAT
+          value: json
+        - name: TZ
+          value: Europe/Vienna
+        volumeMounts:
+        - name: audit
+          mountPath: /vault/audit
+        - name: config
+          mountPath: /vault/config
+        - name: home
+          mountPath: /home/vault
+        ports:
+        - containerPort: 8200
+          name: http
+        - containerPort: 8201
+          name: https-internal
+        - containerPort: 8202
+          name: http-rep
+        readinessProbe:
+          exec:
+            command:
+            - /bin/sh
+            - -ec
+            - vault status -tls-skip-verify
+          failureThreshold: 2
+          initialDelaySeconds: 5
+          periodSeconds: 5
+          successThreshold: 1
+          timeoutSeconds: 3
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /bin/sh
+              - -c
+              - sleep 5 && kill -SIGTERM $(pidof vault)
+  volumeClaimTemplates:
+  - metadata:
+      name: audit
+    spec:
+      accessModes:
+      - ReadWriteOnce
+      resources:
+        requests:
+          storage: 1Gi
+      storageClassName: ceph-block
+
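Review bot: the `storage "file" { path = "/vault/data" }` backend has no volume behind it: `volumeClaimTemplates` declares only `audit`, and the container's `volumeMounts` are `audit`, `config` and `home`, so `/vault/data` ends up on the container's writable layer and every initialisation (root token, unseal keys, all stored secrets) is lost when the pod is recreated, even though `server.dataStorage.enabled: true` is set in the HelmRelease values. The chart appears to render the data claim only for standalone mode or for `ha` with raft; either set `server.ha.enabled: false` for this single-replica test instance or uncomment the `storage "raft"` block and enable `server.ha.raft.enabled`. Note also that the readiness probe runs `vault status`, which exits non-zero while sealed, so without the commented-out auto-unseal the pod stays NotReady after each restart until it is unsealed by hand.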
--- HelmRelease: secops/vault Ingress: secops/vault

+++ HelmRelease: secops/vault Ingress: secops/vault

@@ -0,0 +1,33 @@

+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: vault
+  namespace: secops
+  labels:
+    app.kubernetes.io/name: vault
+    app.kubernetes.io/instance: vault
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-staging
+    kubernetes.io/tls-acme: 'true'
+    nginx.ingress.kubernetes.io/force-ssl-redirect: 'true'
+    nginx.ingress.kubernetes.io/ssl-redirect: 'true'
+spec:
+  tls:
+  - hosts:
+    - test-vault.techtales.io
+    secretName: vault-tls
+  ingressClassName: nginx
+  rules:
+  - host: test-vault.techtales.io
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: vault-active
+            port:
+              number: 8200
+
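Review bot: the single `path: /` rule forwards the whole Vault API root to `vault-active:8200`, and because the listener sets `unauthenticated_metrics_access = "true"`, `https://test-vault.techtales.io/v1/sys/metrics` is readable by anyone on the internet, alongside the always-unauthenticated `/v1/sys/health` and `/v1/sys/seal-status` (which disclose the Vault version and seal state). Either drop the telemetry flag and scrape metrics in-cluster, or restrict this ingress with `nginx.ingress.kubernetes.io/whitelist-source-range`. `cert-manager.io/cluster-issuer: letsencrypt-staging` also yields a certificate browsers and `vault login` will reject by default; fine for a test host, but it should be deliberate.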
--- HelmRelease: secops/vault MutatingWebhookConfiguration: secops/vault-agent-injector-cfg

+++ HelmRelease: secops/vault MutatingWebhookConfiguration: secops/vault-agent-injector-cfg

@@ -0,0 +1,41 @@

+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: vault-agent-injector-cfg
+  labels:
+    app.kubernetes.io/name: vault-agent-injector
+    app.kubernetes.io/instance: vault
+    app.kubernetes.io/managed-by: Helm
+webhooks:
+- name: vault.hashicorp.com
+  failurePolicy: Ignore
+  matchPolicy: Exact
+  sideEffects: None
+  timeoutSeconds: 30
+  admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: vault-agent-injector-svc
+      namespace: secops
+      path: /mutate
+    caBundle: ''
+  rules:
+  - operations:
+    - CREATE
+    apiGroups:
+    - ''
+    apiVersions:
+    - v1
+    resources:
+    - pods
+    scope: Namespaced
+  objectSelector:
+    matchExpressions:
+    - key: app.kubernetes.io/name
+      operator: NotIn
+      values:
+      - vault-agent-injector
+
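Review bot: `failurePolicy: Ignore` means that whenever the injector is unavailable (it runs with a single replica), pods annotated for injection are admitted without the agent sidecar and start without their secrets, silently. `Fail` is the safer policy for a webhook that delivers credentials, but before switching add a `namespaceSelector` that excludes `kube-system` and `secops`, because the `objectSelector` only excludes the injector pod itself and not the Vault server pods, so a down injector could otherwise block the Vault StatefulSet from being rescheduled and wedge itself. `caBundle: ''` is expected here, since the injector patches in its generated CA (`AGENT_INJECT_TLS_AUTO`).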

@jazzlyn jazzlyn merged commit f859ebf into main Jan 28, 2025
16 checks passed
@jazzlyn jazzlyn deleted the feature/add-test-vault branch January 28, 2025 18:44