From eefa81744c5d1f3a4602a4cd51af8fd93cd6a933 Mon Sep 17 00:00:00 2001
From: Vojtech Mares
Date: Sun, 1 Oct 2023 14:11:02 +0200
Subject: [PATCH] refactor(cherry/vault): use cert-manager issued CA and certificates to provide in-cluster TLS with trusted CA
---
 clusters/cherry/apps/vault.yaml | 57 ++++++++++++++++++++++++++++++---
 1 file changed, 53 insertions(+), 4 deletions(-)
diff --git a/clusters/cherry/apps/vault.yaml b/clusters/cherry/apps/vault.yaml
index c7fcce6..f7ff146 100644
--- a/clusters/cherry/apps/vault.yaml
+++ b/clusters/cherry/apps/vault.yaml
@@ -23,7 +23,7 @@ spec:
 valuesObject:
 global:
 enabled: true
- tlsDisable: true
+ tlsDisable: false
 injector:
 enabled: true
@@ -41,9 +41,12 @@ spec:
 ingressClassName: nginx
 annotations:
 cert-manager.io/cluster-issuer: letsencrypt-prod
+ nginx.ingress.kubernetes.io/server-snippet: |
+ proxy_ssl_verify off;
+ nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
 pathType: Prefix
 tls:
- - secretName: vault-tls
+ - secretName: vault-ingress-tls
 hosts:
 - vault.mareshq.com
 hosts:
@@ -51,6 +54,15 @@ spec:
 paths:
 - /
+ extraEnvironmentVars:
+ VAULT_CACERT: /vault/userconfig/server-ca/ca.crt
+
+ extraVolumes:
+ – type: secret
+ name: server-tls
+ – type: secret
+ name: server-ca
+
 resources:
 requests:
 memory: 512Mi
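Review bot: The `server-snippet` with `proxy_ssl_verify off;` in the ingress annotations makes the ingress-controller-to-Vault hop encrypted but unauthenticated — the controller will accept any certificate the backend presents, which undercuts the "trusted CA" goal stated in the commit title. Since the CA is cert-manager-issued and available as a Secret, the controller can verify the backend against it with the dedicated annotations instead of a snippet: `nginx.ingress.kubernetes.io/proxy-ssl-secret: "<namespace>/<ca-secret>"`, `nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"` and `nginx.ingress.kubernetes.io/proxy-ssl-name: "<vault-service-hostname>"` (placeholders to be filled from the cluster). Note also that `server-snippet` is only honoured when the controller's `allow-snippet-annotations` setting is enabled, which recent ingress-nginx releases disable by default, so the snippet may be silently ignored on upgrade; the dedicated annotations avoid that dependency.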
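Review bot: The two `extraVolumes` entries in the third hunk appear to begin with an en dash (`–`) rather than a hyphen, so YAML will not parse them as sequence items — the value becomes either a parse error or a mapping with odd keys, and neither `server-tls` nor `server-ca` is mounted under `/vault/userconfig/`, leaving `VAULT_CACERT` pointing at a file that does not exist and the TLS listener without its key pair. Both lines should read `- type: secret`. Separately, if `server-ca` is the cert-manager CA issuer's own Secret (which also carries `tls.key`), mounting the whole Secret places the CA private key inside every Vault pod; a Secret or ConfigMap holding only the public `ca.crt` is the safer thing to mount, since that is the only key this configuration reads.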
@@ -81,9 +93,46 @@ spec:
 ha:
 enabled: true
 replicas: 3
+ disruptionBudget:
+ enabled: true
+
 raft:
 enabled: true
 setNodeId: true
- disruptionBudget:
- enabled: true
+ config: |
+ ui = true
+
+ listener "tcp" {
+ address = "[::]:8200"
+ cluster_address = "[::]:8201"
+ tls_cert_file = "/vault/userconfig/server-tls/tls.crt"
+ tls_key_file = "/vault/userconfig/server-tls/tls.key"
+ tls_client_ca_file = "/vault/userconfig/server-ca/tls-combined.pem"
+ }
+
+ storage "raft" {
+ path = "/vault/data"
+ retry_join {
+ leader_api_addr = "https://vault-0.vault-internal:8200"
+ leader_ca_cert_file = "/vault/userconfig/server-ca/ca.crt"
+ leader_client_cert_file = "/vault/userconfig/server-tls/tls.crt"
+ leader_client_key_file = "/vault/userconfig/server-tls/tls.key"
+ }
+
+ retry_join {
+ leader_api_addr = "https://vault-1.vault-internal:8200"
+ leader_ca_cert_file = "/vault/userconfig/server-ca/ca.crt"
+ leader_client_cert_file = "/vault/userconfig/server-tls/tls.crt"
+ leader_client_key_file = "/vault/userconfig/server-tls/tls.key"
+ }
+
+ retry_join {
+ leader_api_addr = "https://vault-2.vault-internal:8200"
+ leader_ca_cert_file = "/vault/userconfig/server-ca/ca.crt"
+ leader_client_cert_file = "/vault/userconfig/server-tls/tls.crt"
+ leader_client_key_file = "/vault/userconfig/server-tls/tls.key"
+ }
+ }
+
+ service_registration "kubernetes" {}