devth/vault-statefulset.yaml

## vault-statefulset.yaml
---
apiVersion: apps/v1beta1
kind: StatefulSet
metadata:
  name: {{.Chart.Name}}
spec:
  serviceName: {{.Chart.Name}}-headless
  replicas: {{.Values.vault.replicas}}
  template:
    metadata:
      labels:
        app: {{.Chart.Name}}
        tier: {{.Values.tier}}
    spec:
      terminationGracePeriodSeconds: 10

      containers:
        - name: {{.Chart.Name}}
          # TODO why doesn't this work?
          securityContext:
            capabilities:
              add:
                - IPC_LOCK

          # readinessProbe ensure traffic is only sent to a pod which is
          # initialized and unsealed.
          # even if the pod receives traffic and is not active, it can forward
          # traffice to the active pod.
          # https://www.vaultproject.io/docs/concepts/ha.html
          # https://www.vaultproject.io/api/system/health.html
          readinessProbe:
            httpGet:
              path: /v1/sys/health?standbyok=true
              port: 8200
              scheme: HTTPS

          image: vault:0.7.0
          args: ["server", "-config", "/vault-config/vault.hcl"]
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            # Build up a VAULT_REDIRECT_ADDR from other previously-defined env
            # vars. NOTE: an alternative would be to dynamically build the
            # vault.hcl in an init container.
            - name: VAULT_REDIRECT_ADDR
              # try to use the simple dns
              value: "https://$(POD_NAME).{{.Chart.Name}}-headless:8200"
              # this is the full domain if simple doesn't work
              # value: "https://$(POD_NAME).{{.Chart.Name}}-headless.$(POD_NAMESPACE).svc.cluster.local:8200"
            - name: VAULT_CAPATH
              value: /ca-chain
            # TODO re-enable setcap when we figure out IPC_LOCK not working
            # issue
            - name: SKIP_SETCAP
              value: "true"
          volumeMounts:
            - name: vault-config
              mountPath: /vault-config
            - name: vault-tls
              mountPath: /vault-tls
            - name: ca-chain
              mountPath: /ca-chain
          ports:
            - containerPort: 8200
              name: vault-port
            - containerPort: 8201
              name: cluster-port

      volumes:
        - name: vault-config
          configMap:
            name: vault-config
        - name: vault-tls
          secret:
            secretName: vault-tls
        - name: ca-chain
          secret:
            secretName: ca-chain
	---
	apiVersion: apps/v1beta1
	kind: StatefulSet
	metadata:
	name: {{.Chart.Name}}
	spec:
	serviceName: {{.Chart.Name}}-headless
	replicas: {{.Values.vault.replicas}}
	template:
	metadata:
	labels:
	app: {{.Chart.Name}}
	tier: {{.Values.tier}}
	spec:
	terminationGracePeriodSeconds: 10

	containers:
	- name: {{.Chart.Name}}
	# TODO why doesn't this work?
	securityContext:
	capabilities:
	add:
	- IPC_LOCK

	# readinessProbe ensure traffic is only sent to a pod which is
	# initialized and unsealed.
	# even if the pod receives traffic and is not active, it can forward
	# traffice to the active pod.
	# https://www.vaultproject.io/docs/concepts/ha.html
	# https://www.vaultproject.io/api/system/health.html
	readinessProbe:
	httpGet:
	path: /v1/sys/health?standbyok=true
	port: 8200
	scheme: HTTPS

	image: vault:0.7.0
	args: ["server", "-config", "/vault-config/vault.hcl"]
	env:
	- name: POD_NAME
	valueFrom:
	fieldRef:
	fieldPath: metadata.name
	- name: POD_NAMESPACE
	valueFrom:
	fieldRef:
	fieldPath: metadata.namespace
	# Build up a VAULT_REDIRECT_ADDR from other previously-defined env
	# vars. NOTE: an alternative would be to dynamically build the
	# vault.hcl in an init container.
	- name: VAULT_REDIRECT_ADDR
	# try to use the simple dns
	value: "https://$(POD_NAME).{{.Chart.Name}}-headless:8200"
	# this is the full domain if simple doesn't work
	# value: "https://$(POD_NAME).{{.Chart.Name}}-headless.$(POD_NAMESPACE).svc.cluster.local:8200"
	- name: VAULT_CAPATH
	value: /ca-chain
	# TODO re-enable setcap when we figure out IPC_LOCK not working
	# issue
	- name: SKIP_SETCAP
	value: "true"
	volumeMounts:
	- name: vault-config
	mountPath: /vault-config
	- name: vault-tls
	mountPath: /vault-tls
	- name: ca-chain
	mountPath: /ca-chain
	ports:
	- containerPort: 8200
	name: vault-port
	- containerPort: 8201
	name: cluster-port

	volumes:
	- name: vault-config
	configMap:
	name: vault-config
	- name: vault-tls
	secret:
	secretName: vault-tls
	- name: ca-chain
	secret:
	secretName: ca-chain