# Argo CD Application that installs the HashiCorp Vault Helm chart into the
# "vault" namespace of the in-cluster API server. Vault runs in HA mode with
# three replicas on integrated (Raft) storage, with TLS enabled on the listener
# and an nginx Ingress in front of it.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: cherry-vault
  namespace: argocd
spec:
  project: infrastructure
  syncPolicy:
    # Fully automated sync: prune deletes live resources that are no longer in
    # the rendered chart, selfHeal reverts manual changes made in the cluster.
    # Write access to this Application (or its source) therefore amounts to
    # control over the Vault deployment.
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      # Argo CD creates the destination namespace if it does not exist yet.
      - CreateNamespace=true
  destination:
    server: https://kubernetes.default.svc
    namespace: vault
  source:
    chart: vault
    repoURL: https://helm.releases.hashicorp.com
    # Chart is pinned to an exact version rather than a range.
    targetRevision: 0.25.0
    helm:
      releaseName: vault
      valuesObject:
        global:
          enabled: true
          # TLS stays enabled, so the chart addresses Vault over https.
          tlsDisable: false
        injector:
          # The Vault Agent sidecar injector is not deployed.
          enabled: false
        server:
          ingress:
            enabled: true
            ingressClassName: nginx
            annotations:
              # Public certificate for the Ingress host is issued by cert-manager.
              cert-manager.io/cluster-issuer: letsencrypt-prod
              # NOTE(review): with this snippet nginx does not verify Vault's
              # certificate on the ingress -> pod hop; together with
              # backend-protocol HTTPS the hop is encrypted but the backend is
              # not authenticated. Snippet annotations also only take effect when
              # the controller allows them (allow-snippet-annotations), which lets
              # Ingress authors inject raw nginx config. ingress-nginx offers
              # proxy-ssl-verify / proxy-ssl-secret / proxy-ssl-name annotations
              # for verifying the backend against a CA; consider those instead.
              nginx.ingress.kubernetes.io/server-snippet: |
                proxy_ssl_verify off;
              nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
            pathType: Prefix
            tls:
              - secretName: vault-ingress-tls
                hosts:
                  - vault.mareshq.com
            # NOTE(review): the whole Vault API and UI ("/" prefix) are published
            # on this host and no source-range restriction is set in this file;
            # confirm the exposure is intended.
            hosts:
              - host: vault.mareshq.com
                paths:
                  - /
          extraEnvironmentVars:
            # CA bundle the vault CLI inside the pod uses to verify the listener.
            VAULT_CACERT: /vault/userconfig/server-ca/ca.crt
          # Secrets mounted into the server pods. They are not created by this
          # manifest and must already exist in the "vault" namespace; the
          # /vault/userconfig/<name>/... paths in the config below refer to them.
          extraVolumes:
            - type: secret
              name: server-tls
            - type: secret
              name: server-ca
          resources:
            requests:
              memory: 512Mi
              cpu: 400m
            limits:
              memory: 1Gi
              cpu: 400m
          readinessProbe:
            enabled: true
            # sealedcode/uninitcode remap the sealed and uninitialized states to
            # 204, and standbyok makes standbys answer like the active node, so
            # all of these count as ready.
            # Presumably so pods can become Ready before they are unsealed.
            path: "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204"
          livenessProbe:
            enabled: true
            # NOTE(review): unlike the readiness path, this one does not remap the
            # sealed/uninitialized status codes, so a sealed pod answers with
            # Vault's default non-2xx code and fails liveness. With no seal stanza
            # in the config below (no auto-unseal), confirm that restarting sealed
            # pods is the intended behaviour.
            path: "/v1/sys/health?standbyok=true"
            initialDelaySeconds: 60
          # Persistent volume for audit logs. This only provides the storage; an
          # audit device still has to be enabled inside Vault, which nothing in
          # this file does.
          auditStorage:
            enabled: true
            size: 5Gi
          dataStorage:
            enabled: true
            size: 5Gi
          standalone:
            enabled: false
          ha:
            enabled: true
            replicas: 3
            disruptionBudget:
              enabled: true
            raft:
              enabled: true
              setNodeId: true
              # Vault server configuration (HCL), passed to the pods as a string.
              # - listener: TLS on 8200 (API) and 8201 (cluster). tls_client_ca_file
              #   is set, but tls_require_and_verify_client_cert is not, so client
              #   certificates are not mandatory for API callers.
              # - storage "raft": each retry_join names one peer by its headless
              #   service hostname and presents the server-tls key pair as the
              #   client certificate. No leader_tls_servername is given, so the
              #   peers' certificates presumably need vault-N.vault-internal as a
              #   SAN; verify against the issued certificate.
              # - No seal stanza is present, so unsealing is not automated here.
              # - NOTE(review): disable_mlock is not set; Vault's guidance for
              #   integrated storage is to set it explicitly. Confirm.
              config: |
                ui = true

                listener "tcp" {
                  address = "[::]:8200"
                  cluster_address = "[::]:8201"
                  tls_cert_file = "/vault/userconfig/server-tls/tls.crt"
                  tls_key_file = "/vault/userconfig/server-tls/tls.key"
                  tls_client_ca_file = "/vault/userconfig/server-ca/tls-combined.pem"
                }

                storage "raft" {
                  path = "/vault/data"

                  retry_join {
                    leader_api_addr = "https://vault-0.vault-internal:8200"
                    leader_ca_cert_file = "/vault/userconfig/server-ca/ca.crt"
                    leader_client_cert_file = "/vault/userconfig/server-tls/tls.crt"
                    leader_client_key_file = "/vault/userconfig/server-tls/tls.key"
                  }

                  retry_join {
                    leader_api_addr = "https://vault-1.vault-internal:8200"
                    leader_ca_cert_file = "/vault/userconfig/server-ca/ca.crt"
                    leader_client_cert_file = "/vault/userconfig/server-tls/tls.crt"
                    leader_client_key_file = "/vault/userconfig/server-tls/tls.key"
                  }

                  retry_join {
                    leader_api_addr = "https://vault-2.vault-internal:8200"
                    leader_ca_cert_file = "/vault/userconfig/server-ca/ca.crt"
                    leader_client_cert_file = "/vault/userconfig/server-tls/tls.crt"
                    leader_client_key_file = "/vault/userconfig/server-tls/tls.key"
                  }
                }

                service_registration "kubernetes" {}