Update CLUSTER-BUILD.md to reflect the current state of the Talos cluster, detailing progress through Phase D (observability) and advancements in Phase E (secrets). Include updates on Sealed Secrets, External Secrets Operator, and Vault configurations, along with deployment instructions and next steps for Kubernetes auth and ClusterSecretStore integration. Mark relevant tasks as completed and outline remaining objectives for future phases.

2026-03-28 01:17:22 -04:00
parent d2b52f3518
commit a5e624f542
12 changed files with 454 additions and 5 deletions
--- a/clusters/noble/apps/vault/unseal-cronjob.yaml
+++ b/clusters/noble/apps/vault/unseal-cronjob.yaml
@@ -0,0 +1,63 @@
+# Optional lab auto-unseal: applies after Vault is initialized and Secret `vault-unseal-key` exists.
+#
+# 1) vault operator init -key-shares=1 -key-threshold=1  (lab only — single key)
+# 2) kubectl -n vault create secret generic vault-unseal-key --from-literal=key='YOUR_UNSEAL_KEY'
+# 3) kubectl apply -f clusters/noble/apps/vault/unseal-cronjob.yaml
+#
+# OSS Vault has no Kubernetes/KMS seal; this CronJob runs vault operator unseal when the server is sealed.
+# Protect the Secret with RBAC; prefer cloud KMS auto-unseal for real environments.
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: vault-auto-unseal
+  namespace: vault
+spec:
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 1
+  failedJobsHistoryLimit: 3
+  schedule: "*/1 * * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          restartPolicy: OnFailure
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 100
+            runAsGroup: 1000
+            seccompProfile:
+              type: RuntimeDefault
+          containers:
+            - name: unseal
+              image: hashicorp/vault:1.21.2
+              imagePullPolicy: IfNotPresent
+              securityContext:
+                allowPrivilegeEscalation: false
+                capabilities:
+                  drop:
+                    - ALL
+              env:
+                - name: VAULT_ADDR
+                  value: http://vault.vault.svc:8200
+              command:
+                - /bin/sh
+                - -ec
+                - |
+                  test -f /secrets/key || exit 0
+                  status="$(vault status -format=json 2>/dev/null || true)"
+                  echo "$status" | grep -q '"initialized":true' || exit 0
+                  echo "$status" | grep -q '"sealed":false' && exit 0
+                  vault operator unseal "$(cat /secrets/key)"
+              volumeMounts:
+                - name: unseal
+                  mountPath: /secrets
+                  readOnly: true
+          volumes:
+            - name: unseal
+              secret:
+                secretName: vault-unseal-key
+                optional: true
+                items:
+                  - key: key
+                    path: key