Refactor noble cluster configurations by removing deprecated Argo CD application management files and transitioning to a streamlined Ansible-driven installation approach. Update kustomization.yaml files to reflect the new structure, ensuring clarity on resource management. Introduce new namespaces and configurations for cert-manager, external-secrets, and logging components, enhancing the overall deployment process. Add detailed README.md documentation for each component to guide users through the setup and management of the noble lab environment.

2026-03-28 17:02:50 -04:00
parent 41841abc84
commit 90fd8fb8a6
59 changed files with 28 additions and 38 deletions
--- a/clusters/noble/bootstrap/vault/values.yaml
+++ b/clusters/noble/bootstrap/vault/values.yaml
@@ -0,0 +1,62 @@
+# HashiCorp Vault — noble (standalone, file storage on Longhorn; TLS disabled on listener for in-cluster HTTP).
+#
+# helm repo add hashicorp https://helm.releases.hashicorp.com
+# helm repo update
+# kubectl apply -f clusters/noble/apps/vault/namespace.yaml
+# helm upgrade --install vault hashicorp/vault -n vault \
+#   --version 0.32.0 -f clusters/noble/apps/vault/values.yaml --wait --timeout 15m
+#
+# Post-install: initialize, store unseal key in Secret, apply optional unseal CronJob — see README.md
+#
+global:
+  tlsDisable: true
+
+injector:
+  enabled: true
+
+server:
+  enabled: true
+  dataStorage:
+    enabled: true
+    size: 10Gi
+    storageClass: longhorn
+    accessMode: ReadWriteOnce
+  ha:
+    enabled: false
+  standalone:
+    enabled: true
+    config: |
+      ui = true
+
+      listener "tcp" {
+        tls_disable = 1
+        address = "[::]:8200"
+        cluster_address = "[::]:8201"
+      }
+
+      storage "file" {
+        path = "/vault/data"
+      }
+
+  # Allow pod Ready before init/unseal so Helm --wait succeeds (see Vault /v1/sys/health docs).
+  readinessProbe:
+    enabled: true
+    path: "/v1/sys/health?uninitcode=204&sealedcode=204&standbyok=true"
+    port: 8200
+
+  # LAN: TLS terminates at Traefik + cert-manager; listener stays HTTP (global.tlsDisable).
+  ingress:
+    enabled: true
+    ingressClassName: traefik
+    annotations:
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+    hosts:
+      - host: vault.apps.noble.lab.pcenicni.dev
+        paths: []
+    tls:
+      - secretName: vault-apps-noble-tls
+        hosts:
+          - vault.apps.noble.lab.pcenicni.dev
+
+ui:
+  enabled: true