From 5d29e8b6571c473619597414668e88ec7a5c2eda Mon Sep 17 00:00:00 2001
From: Vojtech Mares
Date: Sun, 1 Oct 2023 15:22:05 +0200
Subject: [PATCH] refactor(cherry/vault): drop internal tls
---
 clusters/cherry/apps/vault.yaml | 58 +++------------------------------
 1 file changed, 5 insertions(+), 53 deletions(-)
diff --git a/clusters/cherry/apps/vault.yaml b/clusters/cherry/apps/vault.yaml
index d497f7d..9561e9b 100644
--- a/clusters/cherry/apps/vault.yaml
+++ b/clusters/cherry/apps/vault.yaml
@@ -3,6 +3,8 @@ kind: Application
 metadata:
 name: cherry-vault
 namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
 spec:
 project: infrastructure
 syncPolicy:
@@ -23,7 +25,7 @@ spec:
 valuesObject:
 global:
 enabled: true
- tlsDisable: false
+ tlsDisable: true
 injector:
 enabled: false
@@ -34,9 +36,6 @@ spec:
 ingressClassName: nginx
 annotations:
 cert-manager.io/cluster-issuer: letsencrypt-prod
- nginx.ingress.kubernetes.io/server-snippet: |
- proxy_ssl_verify off;
- nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
 pathType: Prefix
 tls:
 - secretName: vault-ingress-tls
@@ -47,15 +46,6 @@ spec:
 paths:
 - /
- extraEnvironmentVars:
- VAULT_CACERT: /vault/userconfig/server-ca/ca.crt
-
- extraVolumes:
- - type: secret
- name: server-tls
- - type: secret
- name: server-ca
-
 resources:
 requests:
 memory: 512Mi
@@ -74,11 +64,11 @@ spec:
 auditStorage:
 enabled: true
- size: 5Gi
+ size: 1Gi
 dataStorage:
 enabled: true
- size: 5Gi
+ size: 1Gi
 standalone:
 enabled: false
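Review bot: The `finalizers` entry added in the `@@ -3,6 +3,8 @@` hunk is unrelated to dropping internal TLS and changes deletion behaviour: with `resources-finalizer.argocd.argoproj.io` set, deleting the `cherry-vault` Application cascades to the resources it manages. For a secrets store that is worth stating at the point of use, e.g. a comment above the list such as `# cascade delete: removing this Application also removes the Vault workloads it manages`. Whether the raft data PVCs survive such a delete depends on how they are created and is not visible in this diff, so that should be confirmed before relying on it.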
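Review bot: Setting `tlsDisable: true` in the `@@ -23,7 +25,7 @@` hunk makes the Vault API listener plaintext inside the cluster: TLS now ends at the nginx ingress, so tokens and secret payloads cross the pod network unencrypted between the ingress controller, in-cluster clients and the Vault pods. Nothing on the new side of this diff restricts who can reach port 8200, so the change should come with a compensating control. That could be a NetworkPolicy admitting only the ingress controller and known clients (the chart exposes `server.networkPolicy.enabled`, to be checked against the pinned chart version), or transport encryption from the CNI or a mesh. A comment should also record the decision, e.g. `# TLS terminates at ingress; pod-to-pod traffic to Vault is plaintext by design`. The same trade-off runs through the `@@ -34,9 +36,6 @@`, `@@ -47,15 +46,6 @@` and `@@ -92,41 +82,3 @@` hunks; the last one also removes the `retry_join` stanzas along with the custom `config`, so confirm raft peers still join each other under whatever config the chart renders by default.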
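Review bot: Shrinking `auditStorage.size` and `dataStorage.size` from 5Gi to 1Gi in the `@@ -74,11 +64,11 @@` hunk will likely not apply cleanly to an existing install. Kubernetes does not allow a PersistentVolumeClaim to be reduced, and a StatefulSet's volume claim templates cannot be edited in place, so the sync either fails or the running claims stay at 5Gi while Git says 1Gi. If the cluster is being rebuilt and 1Gi is intended, note that a full audit volume is an availability problem for Vault, which stops serving requests it cannot audit-log once no enabled audit device is writable. I would keep `size: 5Gi` for `auditStorage`, or add a comment stating the recreate procedure and the sizing assumption, together with rotation and a disk-usage alert.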
@@ -92,41 +82,3 @@ spec:
 raft:
 enabled: true
 setNodeId: true
-
- config: |
- ui = true
-
- listener "tcp" {
- address = "[::]:8200"
- cluster_address = "[::]:8201"
- tls_cert_file = "/vault/userconfig/server-tls/tls.crt"
- tls_key_file = "/vault/userconfig/server-tls/tls.key"
- tls_client_ca_file = "/vault/userconfig/server-ca/tls-combined.pem"
- }
-
- storage "raft" {
- path = "/vault/data"
-
- retry_join {
- leader_api_addr = "https://vault-0.vault-internal:8200"
- leader_ca_cert_file = "/vault/userconfig/server-ca/ca.crt"
- leader_client_cert_file = "/vault/userconfig/server-tls/tls.crt"
- leader_client_key_file = "/vault/userconfig/server-tls/tls.key"
- }
-
- retry_join {
- leader_api_addr = "https://vault-1.vault-internal:8200"
- leader_ca_cert_file = "/vault/userconfig/server-ca/ca.crt"
- leader_client_cert_file = "/vault/userconfig/server-tls/tls.crt"
- leader_client_key_file = "/vault/userconfig/server-tls/tls.key"
- }
-
- retry_join {
- leader_api_addr = "https://vault-2.vault-internal:8200"
- leader_ca_cert_file = "/vault/userconfig/server-ca/ca.crt"
- leader_client_cert_file = "/vault/userconfig/server-tls/tls.crt"
- leader_client_key_file = "/vault/userconfig/server-tls/tls.key"
- }
- }
-
- service_registration "kubernetes" {}