
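---
# Argo CD Application that installs HashiCorp Vault (official Helm chart) on
# the "cherry" cluster in HA/Raft mode. All chart values are given inline via
# spec.source.helm.valuesObject, so this file is the single place to review
# the Vault deployment's TLS, probe and storage settings.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: cherry-vault
  namespace: argocd
spec:
  project: infrastructure
  syncPolicy:
    automated:
      # prune + selfHeal: Argo removes resources dropped from this file and
      # reverts out-of-band edits, so manual changes in the cluster do not
      # survive the next sync.
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
  destination:
    server: https://kubernetes.default.svc
    namespace: vault
  source:
    chart: vault
    repoURL: https://helm.releases.hashicorp.com
    targetRevision: 0.25.0
    helm:
      releaseName: vault
      valuesObject:
        global:
          enabled: true
          # TLS stays enabled: the listener below serves HTTPS from the
          # server-tls secret and Raft peers join each other over HTTPS.
          tlsDisable: false
        injector:
          enabled: true
          # requests == limits gives the injector Guaranteed QoS.
          resources:
            requests:
              memory: 256Mi
              cpu: 250m
            limits:
              memory: 256Mi
              cpu: 250m
        server:
          ingress:
            enabled: true
            ingressClassName: nginx
            annotations:
              cert-manager.io/cluster-issuer: letsencrypt-prod
              # The controller re-encrypts to Vault (backend-protocol HTTPS),
              # but `proxy_ssl_verify off` means it does not check Vault's
              # serving certificate, so a substituted backend endpoint would
              # not be detected. ingress-nginx's proxy-ssl-verify also
              # defaults to off, so this snippet is presumably documenting
              # the status quo rather than changing it — confirm. The CA is
              # already available in the server-ca secret; referencing it
              # through the dedicated nginx.ingress.kubernetes.io/proxy-ssl-secret
              # and proxy-ssl-verify annotations would pin the backend and
              # drop the need for a server-snippet (snippet annotations
              # require allow-snippet-annotations to be enabled
              # controller-wide and let any Ingress author inject raw nginx
              # configuration).
              nginx.ingress.kubernetes.io/server-snippet: |
                proxy_ssl_verify off;
              nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
            pathType: Prefix
            tls:
              - secretName: vault-ingress-tls
                hosts:
                  - vault.mareshq.com
            hosts:
              - host: vault.mareshq.com
                paths:
                  - /
          # Lets the vault CLI inside the pod trust the internal TLS listener.
          extraEnvironmentVars:
            VAULT_CACERT: /vault/userconfig/server-ca/ca.crt
          # Secrets mounted under /vault/userconfig/<name>/. Neither is created
          # by this Application; both must already exist in the vault
          # namespace (presumably issued out of band — verify before syncing).
          # NOTE(review): the rendered listing had lost the "- " item markers
          # for these two entries; the chart expects a list (as a mapping the
          # repeated keys would silently collapse to the last value), so they
          # are restored here — confirm against the repository file.
          extraVolumes:
            - type: secret
              name: server-tls
            - type: secret
              name: server-ca
          resources:
            requests:
              memory: 512Mi
              cpu: 400m
            limits:
              memory: 1Gi
              cpu: 400m
          # Reports ready even when sealed or uninitialised (HTTP 204) so that
          # the replicas are routable and can find each other before unseal.
          readinessProbe:
            enabled: true
            path: "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204"
          # Liveness accepts standby nodes; the 60 s initial delay avoids
          # kubelet restarting pods while they are still starting up.
          livenessProbe:
            enabled: true
            path: "/v1/sys/health?standbyok=true"
            initialDelaySeconds: 60
          auditStorage:
            enabled: true
            size: 5Gi
          dataStorage:
            enabled: true
            size: 5Gi
          standalone:
            enabled: false
          # Three-node integrated-storage (Raft) cluster with a PDB; the
          # listener and retry_join stanzas below are passed verbatim to
          # Vault as HCL. Peer addresses rely on the chart's vault-internal
          # headless service and pod names vault-0..vault-2, which must match
          # `replicas` if that value changes.
          ha:
            enabled: true
            replicas: 3
            disruptionBudget:
              enabled: true
            raft:
              enabled: true
              setNodeId: true
              config: |
                ui = true
                listener "tcp" {
                  address = "[::]:8200"
                  cluster_address = "[::]:8201"
                  tls_cert_file = "/vault/userconfig/server-tls/tls.crt"
                  tls_key_file = "/vault/userconfig/server-tls/tls.key"
                  tls_client_ca_file = "/vault/userconfig/server-ca/tls-combined.pem"
                }
                storage "raft" {
                  path = "/vault/data"
                  retry_join {
                    leader_api_addr = "https://vault-0.vault-internal:8200"
                    leader_ca_cert_file = "/vault/userconfig/server-ca/ca.crt"
                    leader_client_cert_file = "/vault/userconfig/server-tls/tls.crt"
                    leader_client_key_file = "/vault/userconfig/server-tls/tls.key"
                  }
                  retry_join {
                    leader_api_addr = "https://vault-1.vault-internal:8200"
                    leader_ca_cert_file = "/vault/userconfig/server-ca/ca.crt"
                    leader_client_cert_file = "/vault/userconfig/server-tls/tls.crt"
                    leader_client_key_file = "/vault/userconfig/server-tls/tls.key"
                  }
                  retry_join {
                    leader_api_addr = "https://vault-2.vault-internal:8200"
                    leader_ca_cert_file = "/vault/userconfig/server-ca/ca.crt"
                    leader_client_cert_file = "/vault/userconfig/server-tls/tls.crt"
                    leader_client_key_file = "/vault/userconfig/server-tls/tls.key"
                  }
                }
                service_registration "kubernetes" {}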