Skip to content

Instantly share code, notes, and snippets.

@innovia
Last active June 16, 2020 19:19
Embed
What would you like to do?
Vault GKE Values
global:
tlsDisable: false
server:
# resources:
# requests:
# memory: 256Mi
# cpu: 250m
# limits:
# memory: 256Mi
# cpu: 250m
extraEnvironmentVars:
GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/vault-gcs/vault_gcs_key.json
extraVolumes:
- type: secret
name: vault-gcs
path: "/vault/userconfig"
- type: secret
name: vault-tls
path: "/etc/tls"
authDelegator:
enabled: true
ha:
enabled: true
# This should be HCL.
config: |
ui = true
listener "tcp" {
tls_disable = 0
tls_cert_file = "/etc/tls/vault-tls/vault.pem"
tls_key_file = "/etc/tls/vault-tls/vault-key.pem"
tls_client_ca_file = "/etc/tls/vault-tls/ca.pem"
tls_min_version = "tls12"
address = "[::]:8200"
cluster_address = "[::]:8201"
}
storage "gcs" {
bucket = "GCS_BUCKET_NAME"
ha_enabled = "true"
}
# Example configuration for using auto-unseal, using Google Cloud KMS. The
# GKMS keys must already exist, and the cluster must have a service account
# that is authorized to access GCP KMS.
seal "gcpckms" {
project = "GCP_PROJECT"
region = "global"
key_ring = "vault-helm-unseal-kr"
crypto_key = "vault-helm-unseal-key"
}
# Exposing VAULT UI to a GCP loadbalancer WITH IAP Backend config
# 1. create the backend config https://cloud.google.com/iap/docs/enabling-kubernetes-howto
# 2. create a Google Managed Certificate https://cloud.google.com/load-balancing/docs/ssl-certificates
# 3. create static global ip "gcloud compute addresses create vault-ui --global"
# and set the loadBalancerIP below
# 4. create a DNS entry for that IP - and update the host in the ingress section below
# 5. uncomment the section below
# 6. install
# -------------------------------------
# readinessProbe:
# enabled: true
# path: /v1/sys/health?standbyok=true
# ui:
# enabled: true
# serviceType: "NodePort"
# externalPort: 443
# loadBalancerIP: "LOAD_BALANCER_IP"
# service:
# clusterIP: {}
# type: NodePort
# annotations:
# cloud.google.com/app-protocols: '{"http":"HTTPS"}'
# beta.cloud.google.com/backend-config: '{"ports": {"http":"config-default"}}'
# ingress:
# enabled: true
# labels: {}
# # traffic: external
# annotations:
# # must be global static ip not regional!
# kubernetes.io/ingress.global-static-ip-name: "vault-ui"
# #the controller will only create rules for port 443 based on the TLS section.
# kubernetes.io/ingress.allow-http: "false"
# # represents the specific pre-shared SSL certificate for the Ingress controller to use.
# networking.gke.io/managed-certificates: "vault-ui-certificate"
# # kubernetes.io/tls-acme: "true"
# hosts:
# - host: vault.domain.com
# paths:
# - /*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment