developer-guy/cr.yaml

## cr.yaml
apiVersion: "vault.banzaicloud.com/v1alpha1"
kind: "Vault"
metadata:
  name: "vault"
spec:
  size: 1
  image: vault:1.6.2
  # specify a custom bank-vaults image with bankVaultsImage:
  # bankVaultsImage: ghcr.io/banzaicloud/bank-vaults:latest

  # Common annotations for all created resources
  annotations:
    common/annotation: "true"

  # Vault Pods , Services and TLS Secret annotations
  vaultAnnotations:
    type/instance: "vault"

  # Vault Configurer Pods and Services annotations
  vaultConfigurerAnnotations:
    type/instance: "vaultconfigurer"

  # Vault Pods , Services and TLS Secret labels
  vaultLabels:
    example.com/log-format: "json"

  # Vault Configurer Pods and Services labels
  vaultConfigurerLabels:
    example.com/log-format: "string"

  # Support for affinity Rules, same as in PodSpec
  # affinity:
  #   nodeAffinity:
  #     requiredDuringSchedulingIgnoredDuringExecution:
  #       nodeSelectorTerms:
  #       - matchExpressions:
  #         - key : "node-role.kubernetes.io/your_role"
  #           operator: In
  #           values: ["true"]

  # Support for pod nodeSelector rules to control which nodes can be chosen to run
  # the given pods
  # nodeSelector:
  #   "node-role.kubernetes.io/your_role": "true"

  # Support for node tolerations that work together with node taints to control
  # the pods that can like on a node
  # tolerations:
  # - effect: NoSchedule
  #   key: node-role.kubernetes.io/your_role
  #   operator: Equal
  #   value: "true"

  # Specify the ServiceAccount where the Vault Pod and the Bank-Vaults configurer/unsealer is running
  serviceAccount: vault

  # Specify the Service's type where the Vault Service is exposed
  # Please note that some Ingress controllers like https://github.com/kubernetes/ingress-gce
  # forces you to expose your Service on a NodePort
  serviceType: ClusterIP

  # Specify existing secret contains TLS certificate (accepted secret type: kubernetes.io/tls)
  # If it is set, generating certificate will be disabled
  # existingTlsSecretName: selfsigned-cert-tls

  # Specify threshold for renewing certificates. Valid time units are "ns", "us", "ms", "s", "m", "h".
  # tlsExpiryThreshold: 168h

  # Request an Ingress controller with the default configuration
  ingress:
    # Specify Ingress object annotations here, if TLS is enabled (which is by default)
    # the operator will add NGINX, Traefik and HAProxy Ingress compatible annotations
    # to support TLS backends
    annotations: {}
    # Override the default Ingress specification here
    # This follows the same format as the standard Kubernetes Ingress
    # See: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#ingressspec-v1beta1-extensions
    spec: {}

  # Use local disk to store Vault file data, see config section.
  volumes:
    - name: vault-file
      persistentVolumeClaim:
        claimName: vault-file

  volumeMounts:
    - name: vault-file
      mountPath: /vault/file

  # Support for distributing the generated CA certificate Secret to other namespaces.
  # Define a list of namespaces or use ["*"] for all namespaces.
  caNamespaces:
    - "vswh"

  # Describe where you would like to store the Vault unseal keys and root token.
  unsealConfig:
    options:
      # The preFlightChecks flag enables unseal and root token storage tests
      # This is true by default
      preFlightChecks: true
    kubernetes:
      secretNamespace: default

  # A YAML representation of a final vault config file.
  # See https://www.vaultproject.io/docs/configuration/ for more information.
  config:
    storage:
      file:
        path: "${ .Env.VAULT_STORAGE_FILE }" # An example how Vault config environment interpolation can be used
    listener:
      tcp:
        address: "0.0.0.0:8200"
        # Uncommenting the following line and deleting tls_cert_file and tls_key_file disables TLS
        # tls_disable: true
        tls_cert_file: /vault/tls/server.crt
        tls_key_file: /vault/tls/server.key
    telemetry:
      statsd_address: localhost:9125
    ui: true

  # See: https://banzaicloud.com/docs/bank-vaults/cli-tool/#example-external-vault-configuration
  # The repository also contains a lot examples in the deploy/ and operator/deploy directories.
  externalConfig:
    policies:
      - name: allow_secrets
        rules: path "secret/*" {
          capabilities = ["create", "read", "update", "delete", "list"]
          }
      - name: allow_pki
        rules: path "pki/*" {
          capabilities = ["create", "read", "update", "delete", "list"]
          }
    auth:
      - type: kubernetes
        roles:
          # Allow every pod in the default namespace to use the secret kv store
          - name: default
            bound_service_account_names: ["default", "vault-secrets-webhook", "vault"]
            bound_service_account_namespaces: ["default", "vswh"]
            policies: ["allow_secrets", "allow_pki"]
            ttl: 1h

    secrets:
      - path: secret
        type: kv
        description: General secrets.
        options:
          version: 2

      - type: pki
        description: Vault PKI Backend
        config:
          default_lease_ttl: 168h
          max_lease_ttl: 720h
        configuration:
          config:
          - name: urls
            issuing_certificates: https://vault.default:8200/v1/pki/ca
            crl_distribution_points: https://vault.default:8200/v1/pki/crl
          root/generate:
          - name: internal
            common_name: vault.default
          roles:
          - name: default
            allowed_domains: localhost,pod,svc,default
            allow_subdomains: true
            generate_lease: true
            ttl: 1m

    # Allows writing some secrets to Vault (useful for development purposes).
    # See https://www.vaultproject.io/docs/secrets/kv/index.html for more information.
    startupSecrets:
      - type: kv
        path: secret/data/accounts/aws
        data:
          data:
            AWS_ACCESS_KEY_ID: secretId
            AWS_SECRET_ACCESS_KEY: s3cr3t
      - type: kv
        path: secret/data/dockerrepo
        data:
          data:
            DOCKER_REPO_USER: dockerrepouser
            DOCKER_REPO_PASSWORD: dockerrepopassword
      - type: kv
        path: secret/data/mysql
        data:
          data:
            MYSQL_ROOT_PASSWORD: s3cr3t
            MYSQL_PASSWORD: 3xtr3ms3cr3t

  vaultEnvsConfig:
    - name: VAULT_LOG_LEVEL
      value: debug
    - name: VAULT_STORAGE_FILE
      value: "/vault/file"

  # If you are using a custom certificate and are setting the hostname in a custom way
  # sidecarEnvsConfig:
  #   - name: VAULT_ADDR
  #     value: https://vault.local:8200

  # # https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  # vaultPodSpec:
  #   hostAliases:
  #   - ip: "127.0.0.1"
  #     hostnames:
  #     - "vault.local"

  # It is possible to override the Vault container directly:
  # vaultContainerSpec:
  #   lifecycle:
  #     postStart:
  #       exec:
  #         command:
  #              - setcap cap_ipc_lock=+ep /vault/plugins/orchestrate

  # Marks presence of Istio, which influences things like port namings
  istioEnabled: false

---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: vault-file
spec:
  # https://kubernetes.io/docs/concepts/storage/persistent-volumes/#class-1
  # storageClassName: ""
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi

# ---
# apiVersion: v1
# kind: PersistentVolume
# metadata:
#   name: vault-file
# spec:
#   capacity:
#     storage: 1Gi
#   accessModes:
#   - ReadWriteOnce
#   persistentVolumeReclaimPolicy: Recycle
#   hostPath:
#     path: /vault/file
	apiVersion: "vault.banzaicloud.com/v1alpha1"
	kind: "Vault"
	metadata:
	name: "vault"
	spec:
	size: 1
	image: vault:1.6.2
	# specify a custom bank-vaults image with bankVaultsImage:
	# bankVaultsImage: ghcr.io/banzaicloud/bank-vaults:latest

	# Common annotations for all created resources
	annotations:
	common/annotation: "true"

	# Vault Pods , Services and TLS Secret annotations
	vaultAnnotations:
	type/instance: "vault"

	# Vault Configurer Pods and Services annotations
	vaultConfigurerAnnotations:
	type/instance: "vaultconfigurer"

	# Vault Pods , Services and TLS Secret labels
	vaultLabels:
	example.com/log-format: "json"

	# Vault Configurer Pods and Services labels
	vaultConfigurerLabels:
	example.com/log-format: "string"

	# Support for affinity Rules, same as in PodSpec
	# affinity:
	# nodeAffinity:
	# requiredDuringSchedulingIgnoredDuringExecution:
	# nodeSelectorTerms:
	# - matchExpressions:
	# - key : "node-role.kubernetes.io/your_role"
	# operator: In
	# values: ["true"]

	# Support for pod nodeSelector rules to control which nodes can be chosen to run
	# the given pods
	# nodeSelector:
	# "node-role.kubernetes.io/your_role": "true"

	# Support for node tolerations that work together with node taints to control
	# the pods that can like on a node
	# tolerations:
	# - effect: NoSchedule
	# key: node-role.kubernetes.io/your_role
	# operator: Equal
	# value: "true"

	# Specify the ServiceAccount where the Vault Pod and the Bank-Vaults configurer/unsealer is running
	serviceAccount: vault

	# Specify the Service's type where the Vault Service is exposed
	# Please note that some Ingress controllers like https://github.com/kubernetes/ingress-gce
	# forces you to expose your Service on a NodePort
	serviceType: ClusterIP

	# Specify existing secret contains TLS certificate (accepted secret type: kubernetes.io/tls)
	# If it is set, generating certificate will be disabled
	# existingTlsSecretName: selfsigned-cert-tls

	# Specify threshold for renewing certificates. Valid time units are "ns", "us", "ms", "s", "m", "h".
	# tlsExpiryThreshold: 168h

	# Request an Ingress controller with the default configuration
	ingress:
	# Specify Ingress object annotations here, if TLS is enabled (which is by default)
	# the operator will add NGINX, Traefik and HAProxy Ingress compatible annotations
	# to support TLS backends
	annotations: {}
	# Override the default Ingress specification here
	# This follows the same format as the standard Kubernetes Ingress
	# See: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#ingressspec-v1beta1-extensions
	spec: {}

	# Use local disk to store Vault file data, see config section.
	volumes:
	- name: vault-file
	persistentVolumeClaim:
	claimName: vault-file

	volumeMounts:
	- name: vault-file
	mountPath: /vault/file

	# Support for distributing the generated CA certificate Secret to other namespaces.
	# Define a list of namespaces or use ["*"] for all namespaces.
	caNamespaces:
	- "vswh"

	# Describe where you would like to store the Vault unseal keys and root token.
	unsealConfig:
	options:
	# The preFlightChecks flag enables unseal and root token storage tests
	# This is true by default
	preFlightChecks: true
	kubernetes:
	secretNamespace: default

	# A YAML representation of a final vault config file.
	# See https://www.vaultproject.io/docs/configuration/ for more information.
	config:
	storage:
	file:
	path: "${ .Env.VAULT_STORAGE_FILE }" # An example how Vault config environment interpolation can be used
	listener:
	tcp:
	address: "0.0.0.0:8200"
	# Uncommenting the following line and deleting tls_cert_file and tls_key_file disables TLS
	# tls_disable: true
	tls_cert_file: /vault/tls/server.crt
	tls_key_file: /vault/tls/server.key
	telemetry:
	statsd_address: localhost:9125
	ui: true

	# See: https://banzaicloud.com/docs/bank-vaults/cli-tool/#example-external-vault-configuration
	# The repository also contains a lot examples in the deploy/ and operator/deploy directories.
	externalConfig:
	policies:
	- name: allow_secrets
	rules: path "secret/*" {
	capabilities = ["create", "read", "update", "delete", "list"]
	}
	- name: allow_pki
	rules: path "pki/*" {
	capabilities = ["create", "read", "update", "delete", "list"]
	}
	auth:
	- type: kubernetes
	roles:
	# Allow every pod in the default namespace to use the secret kv store
	- name: default
	bound_service_account_names: ["default", "vault-secrets-webhook", "vault"]
	bound_service_account_namespaces: ["default", "vswh"]
	policies: ["allow_secrets", "allow_pki"]
	ttl: 1h

	secrets:
	- path: secret
	type: kv
	description: General secrets.
	options:
	version: 2

	- type: pki
	description: Vault PKI Backend
	config:
	default_lease_ttl: 168h
	max_lease_ttl: 720h
	configuration:
	config:
	- name: urls
	issuing_certificates: https://vault.default:8200/v1/pki/ca
	crl_distribution_points: https://vault.default:8200/v1/pki/crl
	root/generate:
	- name: internal
	common_name: vault.default
	roles:
	- name: default
	allowed_domains: localhost,pod,svc,default
	allow_subdomains: true
	generate_lease: true
	ttl: 1m

	# Allows writing some secrets to Vault (useful for development purposes).
	# See https://www.vaultproject.io/docs/secrets/kv/index.html for more information.
	startupSecrets:
	- type: kv
	path: secret/data/accounts/aws
	data:
	data:
	AWS_ACCESS_KEY_ID: secretId
	AWS_SECRET_ACCESS_KEY: s3cr3t
	- type: kv
	path: secret/data/dockerrepo
	data:
	data:
	DOCKER_REPO_USER: dockerrepouser
	DOCKER_REPO_PASSWORD: dockerrepopassword
	- type: kv
	path: secret/data/mysql
	data:
	data:
	MYSQL_ROOT_PASSWORD: s3cr3t
	MYSQL_PASSWORD: 3xtr3ms3cr3t

	vaultEnvsConfig:
	- name: VAULT_LOG_LEVEL
	value: debug
	- name: VAULT_STORAGE_FILE
	value: "/vault/file"

	# If you are using a custom certificate and are setting the hostname in a custom way
	# sidecarEnvsConfig:
	# - name: VAULT_ADDR
	# value: https://vault.local:8200

	# # https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
	# vaultPodSpec:
	# hostAliases:
	# - ip: "127.0.0.1"
	# hostnames:
	# - "vault.local"

	# It is possible to override the Vault container directly:
	# vaultContainerSpec:
	# lifecycle:
	# postStart:
	# exec:
	# command:
	# - setcap cap_ipc_lock=+ep /vault/plugins/orchestrate

	# Marks presence of Istio, which influences things like port namings
	istioEnabled: false

	---
	apiVersion: v1
	kind: PersistentVolumeClaim
	metadata:
	name: vault-file
	spec:
	# https://kubernetes.io/docs/concepts/storage/persistent-volumes/#class-1
	# storageClassName: ""
	accessModes:
	- ReadWriteOnce
	resources:
	requests:
	storage: 1Gi

	# ---
	# apiVersion: v1
	# kind: PersistentVolume
	# metadata:
	# name: vault-file
	# spec:
	# capacity:
	# storage: 1Gi
	# accessModes:
	# - ReadWriteOnce
	# persistentVolumeReclaimPolicy: Recycle
	# hostPath:
	# path: /vault/file