63 lines
1.6 KiB
YAML
63 lines
1.6 KiB
YAML
# HashiCorp Vault — noble (standalone, file storage on Longhorn; TLS disabled on listener for in-cluster HTTP).
|
|
#
|
|
# helm repo add hashicorp https://helm.releases.hashicorp.com
|
|
# helm repo update
|
|
# kubectl apply -f clusters/noble/apps/vault/namespace.yaml
|
|
# helm upgrade --install vault hashicorp/vault -n vault \
|
|
# --version 0.32.0 -f clusters/noble/apps/vault/values.yaml --wait --timeout 15m
|
|
#
|
|
# Post-install: initialize, store unseal key in Secret, apply optional unseal CronJob — see README.md
|
|
#
|
|
global:
|
|
tlsDisable: true
|
|
|
|
injector:
|
|
enabled: true
|
|
|
|
server:
|
|
enabled: true
|
|
dataStorage:
|
|
enabled: true
|
|
size: 10Gi
|
|
storageClass: longhorn
|
|
accessMode: ReadWriteOnce
|
|
ha:
|
|
enabled: false
|
|
standalone:
|
|
enabled: true
|
|
config: |
|
|
ui = true
|
|
|
|
listener "tcp" {
|
|
tls_disable = 1
|
|
address = "[::]:8200"
|
|
cluster_address = "[::]:8201"
|
|
}
|
|
|
|
storage "file" {
|
|
path = "/vault/data"
|
|
}
|
|
|
|
# Allow pod Ready before init/unseal so Helm --wait succeeds (see Vault /v1/sys/health docs).
|
|
readinessProbe:
|
|
enabled: true
|
|
path: "/v1/sys/health?uninitcode=204&sealedcode=204&standbyok=true"
|
|
port: 8200
|
|
|
|
# LAN: TLS terminates at Traefik + cert-manager; listener stays HTTP (global.tlsDisable).
|
|
ingress:
|
|
enabled: true
|
|
ingressClassName: traefik
|
|
annotations:
|
|
cert-manager.io/cluster-issuer: letsencrypt-prod
|
|
hosts:
|
|
- host: vault.apps.noble.lab.pcenicni.dev
|
|
paths: []
|
|
tls:
|
|
- secretName: vault-apps-noble-tls
|
|
hosts:
|
|
- vault.apps.noble.lab.pcenicni.dev
|
|
|
|
ui:
|
|
enabled: true
|