diff --git a/kubernetes/talos-flux/apps/secops/kustomization.yaml b/kubernetes/talos-flux/apps/secops/kustomization.yaml index 302c831d2..e7c92663f 100644 --- a/kubernetes/talos-flux/apps/secops/kustomization.yaml +++ b/kubernetes/talos-flux/apps/secops/kustomization.yaml @@ -6,3 +6,4 @@ resources: - ./namespace.yaml - ./vault-auth.yaml - ./external-secrets/flux-sync.yaml + - ./vault/flux-sync.yaml diff --git a/kubernetes/talos-flux/apps/secops/vault/app/helm-release.yaml b/kubernetes/talos-flux/apps/secops/vault/app/helm-release.yaml new file mode 100644 index 000000000..6ef585328 --- /dev/null +++ b/kubernetes/talos-flux/apps/secops/vault/app/helm-release.yaml @@ -0,0 +1,165 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: vault +spec: + driftDetection: + mode: enabled + interval: 15m + chart: + spec: + chart: vault + version: 0.29.1 + sourceRef: + kind: HelmRepository + name: hashicorp-charts + namespace: flux-system + maxHistory: 5 + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + uninstall: + keepHistory: false + + # valuesFrom: + # # Injected by init-job + # - targetPath: server.extraEnvironmentVars.VAULT_TOKEN + # kind: Secret + # name: vault-tokens + # optional: true + # valuesKey: vault_root_token + # https://artifacthub.io/packages/helm/hashicorp/vault/?modal=values + values: + global: + enabled: true + + injector: + metrics: + enabled: true + logFormat: "json" + resources: {} # TODO + + server: + resources: + requests: + cpu: 250m + memory: 256Mi + updateStrategyType: "OnDelete" + logLevel: "info" + logFormat: "json" + extraLabels: + reloader.stakater.com/auto: "true" + ingress: + enabled: true + ingressClassName: nginx + annotations: + cert-manager.io/cluster-issuer: letsencrypt-staging + kubernetes.io/tls-acme: "true" + nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + nginx.ingress.kubernetes.io/ssl-redirect: "true" + hosts: + - host: &host test-vault.techtales.io + paths: [] + tls: + - hosts: + - *host + secretName: vault-tls + dataStorage: + enabled: true + size: 1Gi + mountPath: /vault/data + storageClass: ceph-block + auditStorage: + enabled: true + size: 1Gi + mountPath: /vault/audit + storageClass: ceph-block + extraEnvironmentVars: + # VAULT_TOKEN: ${SECRET_VAULT_TOKEN} + TZ: ${SETTING_TZ} + # GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/kms-vault-unseal/serviceaccount.json + # extraVolumes: + # - type: secret + # name: kms-vault-unseal + # path: /vault/userconfig + ha: + enabled: true + replicas: 1 + config: | + # api_addr = "http://127.0.0.1:8200" + # cluster_addr = "https://127.0.0.1:8201" + disable_mlock = true + ui = true + # seal "gcpckms" { + # disabled = "false" + # project = "techtales" + # region = "europe-west3" + # key_ring = "home-infra" + # crypto_key = "vault-unseal" + # } + listener "tcp" { + tls_disable = 1 + address = "[::]:8200" + cluster_address = "[::]:8201" + telemetry { + unauthenticated_metrics_access = "true" + } + } + storage "file" { + path = "/vault/data" + } + # storage "raft" { + # path = "/vault/data" + # # retry_join { + # # leader_api_addr = "http://vault-0.vault-internal:8200" + # # } + # } + service_registration "kubernetes" {} + + ui: + enabled: true + publishNotReadyAddresses: true + # The service should only contain selectors for active Vault pod + activeVaultPodOnly: true + serviceType: "ClusterIP" + serviceNodePort: null + externalPort: 8200 + targetPort: 8200 + + # Vault is able to collect and publish various runtime metrics. + # Enabling this feature requires setting adding `telemetry{}` stanza to + # the Vault configuration. There are a few examples included in the `config` sections above. + # + # For more information see: + # https://www.vaultproject.io/docs/configuration/telemetry + # https://www.vaultproject.io/docs/internals/telemetry + # serverTelemetry: + # # Enable integration with the Prometheus Operator + # prometheusOperator: true + # # Enable support for the Prometheus Operator. Currently, this chart does not support + # serviceMonitor: + # # Enable deployment of the Vault Server ServiceMonitor CustomResource. + # enabled: true + # prometheusRules: + # enabled: true + # rules: + # - alert: vault-HighResponseTime + # annotations: + # message: The response time of Vault is over 500ms on average over the last 5 minutes. + # expr: vault_core_handle_request{quantile="0.5", namespace="vault-system"} > 500 + # for: 5m + # labels: + # severity: warning + # - alert: vault-HighResponseTime + # annotations: + # message: The response time of Vault is over 1s on average over the last 5 minutes. + # expr: vault_core_handle_request{quantile="0.5", namespace="vault-system"} > 1000 + # for: 5m + # labels: + # severity: critical diff --git a/kubernetes/talos-flux/apps/secops/vault/app/kustomization.yaml b/kubernetes/talos-flux/apps/secops/vault/app/kustomization.yaml new file mode 100644 index 000000000..51567a423 --- /dev/null +++ b/kubernetes/talos-flux/apps/secops/vault/app/kustomization.yaml @@ -0,0 +1,6 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - helm-release.yaml diff --git a/kubernetes/talos-flux/apps/secops/vault/flux-sync.yaml b/kubernetes/talos-flux/apps/secops/vault/flux-sync.yaml new file mode 100644 index 000000000..2f0002714 --- /dev/null +++ b/kubernetes/talos-flux/apps/secops/vault/flux-sync.yaml @@ -0,0 +1,18 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: vault + namespace: flux-system + labels: + substitution.flux.home.arpa/enabled: "true" +spec: + interval: 10m + path: ./kubernetes/talos-flux/apps/secops/vault/app + prune: false + sourceRef: + kind: GitRepository + name: home-ops + wait: true + targetNamespace: secops