
@todd-dsm
Last active April 25, 2023 07:05
vault ui definition; exposes the ui on 443 AND requires TLS for private COMMS; this is still raw
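# Vault Helm Chart Value Overrides
#
# Re-indented with two spaces: the pasted copy had all indentation stripped,
# so the nested keys and the HCL block scalar under ha.raft.config no longer
# parsed as intended. The nesting below follows the chart's global / server /
# ui layout — confirm against the chart's values.yaml before applying.
---
global:
  enabled: true
  # TLS stays on end-to-end: Vault terminates TLS on its own listener (see the
  # listener stanza below) and the probes and LB annotations are set to HTTPS
  # to match.
  tlsDisable: false

#injector:
#  enabled: true
#  # Use the Enterprise Image
#  image:
#    repository: "hashicorp/vault-enterprise"
#    tag: "1.5.0_ent"
#
#  resources:
#    requests:
#      memory: 256Mi
#      cpu: 250m
#    limits:
#      memory: 256Mi
#      cpu: 250m

server:
  # Use the Enterprise Image
  # image:
  #   repository: "hashicorp/vault-enterprise"
  #   tag: "1.5.0_ent"

  # These Resource Limits are in line with node requirements in the
  # Vault Reference Architecture for a Small Cluster
  # resources:
  #   requests:
  #     memory: 8Gi
  #     cpu: 2000m
  #   limits:
  #     memory: 16Gi
  #     cpu: 2000m

  # For HA configuration and because we need to manually init the vault,
  # we need to define custom readiness/liveness Probe settings.
  # NOTE(review): the httpGet sub-map is reproduced from the original paste;
  # I am not certain the chart's readinessProbe/livenessProbe values accept
  # it — check the probe spec in the rendered StatefulSet.
  readinessProbe:
    httpGet:
      enabled: true
      port: 8200
      scheme: HTTPS
      # The query string asks /sys/health to answer 204 for standby, sealed
      # and uninitialized, so a pod that still needs a manual init/unseal is
      # reported ready and can be reached through the Service.
      path: "/v1/sys/health?standbycode=204&sealedcode=204&uninitcode=204"
  livenessProbe:
    httpGet:
      enabled: true
      port: 8200
      scheme: HTTPS
      path: "/v1/sys/health?standbyok=true"
    initialDelaySeconds: 60

  # extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be
  # used to include variables required for auto-unseal.
  extraEnvironmentVars:
    # CA bundle the vault CLI inside the pod uses to verify the HTTPS listener.
    VAULT_CACERT: /vault/userconfig/tls-ca/tls.crt

  # extraVolumes is a list of extra volumes to mount. These will be exposed
  # to Vault in the path '/vault/userconfig/<name>/'.
  extraVolumes:
    - type: secret
      name: tls-server
    - type: secret
      name: tls-ca
    # - type: secret
    #   name: kms-creds

  # This configures the Vault StatefulSet to create a PVC for audit logs.
  # See https://www.vaultproject.io/docs/audit/index.html to know more
  auditStorage:
    enabled: true

  standalone:
    enabled: false

  # Run Vault in "HA" mode.
  ha:
    enabled: true
    replicas: 3
    raft:
      enabled: true
      setNodeId: true
      config: |
        ui = true
        # NOTE(review): api_addr / cluster_addr are the addresses this node
        # advertises to clients and peers for redirects and cluster traffic;
        # 0.0.0.0 is not routable from another pod. The chart normally
        # derives these from the pod IP and hostname via environment — confirm
        # whether these two lines override that, and drop them if so.
        api_addr = "https://0.0.0.0:8200/"
        cluster_addr = "https://0.0.0.0:8201/"
        listener "tcp" {
          address = "[::]:8200"
          cluster_address = "[::]:8201"
          tls_cert_file = "/vault/userconfig/tls-server/tls.crt"
          tls_key_file = "/vault/userconfig/tls-server/tls.key"
          tls_ca_cert_file = "/vault/userconfig/tls-ca/tls.crt"
          telemetry {
            # Metrics are served without a token to anything that can reach
            # this listener (including through the LoadBalancer below).
            # Restrict at the network layer, or set this to false if nothing
            # scrapes them.
            unauthenticated_metrics_access = true
          }
        }
        storage "raft" {
          path = "/vault/data"
          # Each peer verifies the leader against the shared CA and presents
          # the server cert/key as its client identity when joining.
          retry_join {
            leader_api_addr = "https://vault-0.vault-internal:8200"
            leader_ca_cert_file = "/vault/userconfig/tls-ca/tls.crt"
            leader_client_cert_file = "/vault/userconfig/tls-server/tls.crt"
            leader_client_key_file = "/vault/userconfig/tls-server/tls.key"
          }
          retry_join {
            leader_api_addr = "https://vault-1.vault-internal:8200"
            leader_ca_cert_file = "/vault/userconfig/tls-ca/tls.crt"
            leader_client_cert_file = "/vault/userconfig/tls-server/tls.crt"
            leader_client_key_file = "/vault/userconfig/tls-server/tls.key"
          }
          retry_join {
            leader_api_addr = "https://vault-2.vault-internal:8200"
            leader_ca_cert_file = "/vault/userconfig/tls-ca/tls.crt"
            leader_client_cert_file = "/vault/userconfig/tls-server/tls.crt"
            leader_client_key_file = "/vault/userconfig/tls-server/tls.key"
          }
        }
        service_registration "kubernetes" {}
        # Example configuration for using auto-unseal, using AWS KMS.
        # The key id is an example value. The pod must be granted access to
        # the real key (node role, IRSA, or the commented-out kms-creds
        # volume above) — nothing in this file grants it.
        seal "awskms" {
          region = "us-east-1"
          kms_key_id = "631234ee-6f5b-0101-912b-d75fa1234376"
          endpoint = ""
        }

# Vault UI
ui:
  enabled: true
  # On AWS a LoadBalancer Service is internet-facing unless annotated as
  # internal; this exposes the UI and the API (same listener) on port 443.
  # The annotations below terminate TLS on the ELB with an ACM cert and
  # re-encrypt to the HTTPS listener on the pods.
  serviceType: "LoadBalancer"
  serviceNodePort: null
  externalPort: '443'
  annotations:
    external-dns.alpha.kubernetes.io/hostname: vault.domain.tld.
    external-dns.alpha.kubernetes.io/ttl: '60'
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: https
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: '443'
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: 'arn:aws:acm:us-east-1:010101010101:certificate/15123481-1234-4e2e-ace0-672012348b44'
    # Pins the client-facing listener to the TLS 1.2 policy. This does not
    # make the ELB verify the pods' certificate on the backend hop — confirm
    # whether backend authentication is wanted between ELB and Vault.
    service.beta.kubernetes.io/aws-load-balancer-security-policy: ELBSecurityPolicy-TLS-1-2-2017-01
    # additional-resource-tags (below) causes the LB to not be created
    #service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: Name='vault',AppGroup='project-name',Environment='prod',Product='HashiCorp Vault',service='vault-ui'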
@todd-dsm

todd-dsm commented Oct 16, 2020

Additional annotations

    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: https
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: 8200
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: {{.Values.aws_elb_cert}}
    service.beta.kubernetes.io/aws-load-balancer-security-policy: ELBSecurityPolicy-TLS-1-2-2017-01 (LB > Listeners > Cipher)
    service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: Name={{.Values.name}},appgroup={{.Values.name}},Application={{.Values.name}},Environment={{.Values.environment}},environment={{.Values.environment}},Productname={{.Values.name}},productname={{.Values.name}},service={{.Values.name}}

The aws-load-balancer-security-policy still isn't working yet.
