Refactor noble cluster configurations by removing deprecated Argo CD application management files and transitioning to a streamlined Ansible-driven installation approach. Update kustomization.yaml files to reflect the new structure, ensuring clarity on resource management. Introduce new namespaces and configurations for cert-manager, external-secrets, and logging components, enhancing the overall deployment process. Add detailed README.md documentation for each component to guide users through the setup and management of the noble lab environment.

2026-03-28 17:02:50 -04:00
parent 41841abc84
commit 90fd8fb8a6
59 changed files with 28 additions and 38 deletions
--- a/clusters/noble/bootstrap/vault/unseal-cronjob.yaml
+++ b/clusters/noble/bootstrap/vault/unseal-cronjob.yaml
@@ -0,0 +1,63 @@
+# Optional lab auto-unseal: applies after Vault is initialized and Secret `vault-unseal-key` exists.
+#
+# 1) vault operator init -key-shares=1 -key-threshold=1  (lab only — single key)
+# 2) kubectl -n vault create secret generic vault-unseal-key --from-literal=key='YOUR_UNSEAL_KEY'
+# 3) kubectl apply -f clusters/noble/apps/vault/unseal-cronjob.yaml
+#
+# OSS Vault has no Kubernetes/KMS seal; this CronJob runs vault operator unseal when the server is sealed.
+# Protect the Secret with RBAC; prefer cloud KMS auto-unseal for real environments.
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: vault-auto-unseal
+  namespace: vault
+spec:
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 1
+  failedJobsHistoryLimit: 3
+  schedule: "*/1 * * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          restartPolicy: OnFailure
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 100
+            runAsGroup: 1000
+            seccompProfile:
+              type: RuntimeDefault
+          containers:
+            - name: unseal
+              image: hashicorp/vault:1.21.2
+              imagePullPolicy: IfNotPresent
+              securityContext:
+                allowPrivilegeEscalation: false
+                capabilities:
+                  drop:
+                    - ALL
+              env:
+                - name: VAULT_ADDR
+                  value: http://vault.vault.svc:8200
+              command:
+                - /bin/sh
+                - -ec
+                - |
+                  test -f /secrets/key || exit 0
+                  status="$(vault status -format=json 2>/dev/null || true)"
+                  echo "$status" | grep -q '"initialized":true' || exit 0
+                  echo "$status" | grep -q '"sealed":false' && exit 0
+                  vault operator unseal "$(cat /secrets/key)"
+              volumeMounts:
+                - name: unseal
+                  mountPath: /secrets
+                  readOnly: true
+          volumes:
+            - name: unseal
+              secret:
+                secretName: vault-unseal-key
+                optional: true
+                items:
+                  - key: key
+                    path: key