tyriis · jazzlyn · Jan 28, 2025 · Jan 28, 2025 · Jan 28, 2025
diff --git a/kubernetes/talos-flux/apps/secops/kustomization.yaml b/kubernetes/talos-flux/apps/secops/kustomization.yaml
@@ -6,3 +6,4 @@ resources:
   - ./namespace.yaml
   - ./vault-auth.yaml
   - ./external-secrets/flux-sync.yaml
+  - ./vault/flux-sync.yaml
diff --git a/kubernetes/talos-flux/apps/secops/vault/app/helm-release.yaml b/kubernetes/talos-flux/apps/secops/vault/app/helm-release.yaml
@@ -0,0 +1,165 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: vault
+spec:
+  driftDetection:
+    mode: enabled
+  interval: 15m
+  chart:
+    spec:
+      chart: vault
+      version: 0.29.1
+      sourceRef:
+        kind: HelmRepository
+        name: hashicorp-charts
+        namespace: flux-system
+  maxHistory: 5
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+  uninstall:
+    keepHistory: false
+
+  # valuesFrom:
+  #   # Injected by init-job
+  #   - targetPath: server.extraEnvironmentVars.VAULT_TOKEN
+  #     kind: Secret
+  #     name: vault-tokens
+  #     optional: true
+  #     valuesKey: vault_root_token
+  # https://artifacthub.io/packages/helm/hashicorp/vault/?modal=values
+  values:
+    global:
+      enabled: true
+
+    injector:
+      metrics:
+        enabled: true
+      logFormat: "json"
+      resources: {} # TODO
+
+    server:
+      resources:
+        requests:
+          cpu: 250m
+          memory: 256Mi
+      updateStrategyType: "OnDelete"
+      logLevel: "info"
+      logFormat: "json"
+      extraLabels:
+        reloader.stakater.com/auto: "true"
+      ingress:
+        enabled: true
+        ingressClassName: nginx
+        annotations:
+          cert-manager.io/cluster-issuer: letsencrypt-staging
+          kubernetes.io/tls-acme: "true"
+          nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+          nginx.ingress.kubernetes.io/ssl-redirect: "true"
+        hosts:
+          - host: &host test-vault.techtales.io
+            paths: []
+        tls:
+          - hosts:
+              - *host
+            secretName: vault-tls
+      dataStorage:
+        enabled: true
+        size: 1Gi
+        mountPath: /vault/data
+        storageClass: ceph-block
+      auditStorage:
+        enabled: true
+        size: 1Gi
+        mountPath: /vault/audit
+        storageClass: ceph-block
+      extraEnvironmentVars:
+        # VAULT_TOKEN: ${SECRET_VAULT_TOKEN}
+        TZ: ${SETTING_TZ}
+      #   GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/kms-vault-unseal/serviceaccount.json
+      # extraVolumes:
+      #   - type: secret
+      #     name: kms-vault-unseal
+      #     path: /vault/userconfig
+      ha:
+        enabled: true
+        replicas: 1
+        config: |
+          # api_addr = "http://127.0.0.1:8200"
+          # cluster_addr = "https://127.0.0.1:8201"
+          disable_mlock = true
+          ui = true
+          # seal "gcpckms" {
+          #   disabled    = "false"
+          #   project     = "techtales"
+          #   region      = "europe-west3"
+          #   key_ring    = "home-infra"
+          #   crypto_key  = "vault-unseal"
+          # }
+          listener "tcp" {
+            tls_disable = 1
+            address = "[::]:8200"
+            cluster_address = "[::]:8201"
+            telemetry {
+              unauthenticated_metrics_access = "true"
+            }
+          }
+          storage "file" {
+            path = "/vault/data"
+          }
+          # storage "raft" {
+          #   path = "/vault/data"
+          #   # retry_join {
+          #   #   leader_api_addr = "http://vault-0.vault-internal:8200"
+          #   # }
+          # }
+          service_registration "kubernetes" {}
+
+    ui:
+      enabled: true
+      publishNotReadyAddresses: true
+      # The service should only contain selectors for active Vault pod
+      activeVaultPodOnly: true
+      serviceType: "ClusterIP"
+      serviceNodePort: null
+      externalPort: 8200
+      targetPort: 8200
+
+    # Vault is able to collect and publish various runtime metrics.
+    # Enabling this feature requires setting adding `telemetry{}` stanza to
+    # the Vault configuration. There are a few examples included in the `config` sections above.
+    #
+    # For more information see:
+    # https://www.vaultproject.io/docs/configuration/telemetry
+    # https://www.vaultproject.io/docs/internals/telemetry
+    # serverTelemetry:
+    #   # Enable integration with the Prometheus Operator
+    #   prometheusOperator: true
+    #   # Enable support for the Prometheus Operator. Currently, this chart does not support
+    #   serviceMonitor:
+    #     # Enable deployment of the Vault Server ServiceMonitor CustomResource.
+    #     enabled: true
+    #   prometheusRules:
+    #     enabled: true
+    #     rules:
+    #       - alert: vault-HighResponseTime
+    #         annotations:
+    #           message: The response time of Vault is over 500ms on average over the last 5 minutes.
+    #         expr: vault_core_handle_request{quantile="0.5", namespace="vault-system"} > 500
+    #         for: 5m
+    #         labels:
+    #           severity: warning
+    #       - alert: vault-HighResponseTime
+    #         annotations:
+    #           message: The response time of Vault is over 1s on average over the last 5 minutes.
+    #         expr: vault_core_handle_request{quantile="0.5", namespace="vault-system"} > 1000
+    #         for: 5m
+    #         labels:
+    #           severity: critical
diff --git a/kubernetes/talos-flux/apps/secops/vault/app/kustomization.yaml b/kubernetes/talos-flux/apps/secops/vault/app/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - helm-release.yaml
diff --git a/kubernetes/talos-flux/apps/secops/vault/flux-sync.yaml b/kubernetes/talos-flux/apps/secops/vault/flux-sync.yaml
@@ -0,0 +1,18 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: vault
+  namespace: flux-system
+  labels:
+    substitution.flux.home.arpa/enabled: "true"
+spec:
+  interval: 10m
+  path: ./kubernetes/talos-flux/apps/secops/vault/app
+  prune: false
+  sourceRef:
+    kind: GitRepository
+    name: home-ops
+  wait: true
+  targetNamespace: secops