sarex/iac
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add transit Vault for autounseal

Browse Source
This commit is contained in:
Kochetkov S 2026-06-08 11:35:56 +03:00
parent 10b6ef51c3
commit 7722998805
8 changed files with 74 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
clusters/yc-infra-prod/infrastructure/kustomization.yaml
View File

@ -1,8 +1,16 @@
apiVersion: kustomize.config.k8s.io/v1beta1 apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- ../../../infrastructure/vault-unseal
- ../../../infrastructure/vault - ../../../infrastructure/vault
patches: patches:
- path: ./patches/vault-unseal.yaml
target:
group: helm.toolkit.fluxcd.io
version: v2
kind: HelmRelease
name: vault-unseal
namespace: vault-unseal
- path: ./patches/vault.yaml - path: ./patches/vault.yaml
target: target:
group: helm.toolkit.fluxcd.io group: helm.toolkit.fluxcd.io

22
clusters/yc-infra-prod/infrastructure/patches/vault-unseal.yaml Normal file
View File

@ -0,0 +1,22 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: vault-unseal
namespace: vault-unseal
spec:
interval: 5m
timeout: 15m
values:
global:
namespace: vault-unseal
autounseal:
enabled: false
backup:
enabled: false
injector:
enabled: false
server:
ha:
replicas: 3
dataStorage:
size: 10Gi

6
clusters/yc-infra-prod/infrastructure/patches/vault.yaml
View File

@ -4,14 +4,18 @@ metadata:
name: vault name: vault
namespace: vault namespace: vault
spec: spec:
dependsOn:
- name: vault-unseal
namespace: vault-unseal
interval: 5m interval: 5m
timeout: 15m timeout: 15m
values: values:
global: global:
namespace: vault namespace: vault
autounseal: autounseal:
enabled: true
transit: transit:
address: "https://vault-unseal.infra.sarex.io" address: "http://vault-unseal-vault-contour.vault-unseal.svc:8200"
keyName: "vault-infra-prod" keyName: "vault-infra-prod"
mountPath: "transit/" mountPath: "transit/"
tlsSkipVerify: false tlsSkipVerify: false

22
infrastructure/vault-unseal/base/helmrelease.yaml Normal file
View File

@ -0,0 +1,22 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: vault-unseal
namespace: vault-unseal
spec:
interval: 10m
chart:
spec:
chart: vault-contour
version: "0.2.1"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
namespace: flux-system
interval: 10m
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3

6
infrastructure/vault-unseal/base/kustomization.yaml Normal file
View File

@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: vault-unseal
resources:
- helmrelease.yaml
- namespace.yaml

6
infrastructure/vault-unseal/base/namespace.yaml Normal file
View File

@ -0,0 +1,6 @@
apiVersion: v1
kind: Namespace
metadata:
name: vault-unseal
labels:
istio-injection: enabled

4
infrastructure/vault-unseal/kustomization.yaml Normal file
View File

@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- base

2
infrastructure/vault/base/helmrelease.yaml
View File

@ -8,7 +8,7 @@ spec:
chart: chart:
spec: spec:
chart: vault-contour chart: vault-contour
version: "0.2.0" version: "0.2.1"
sourceRef: sourceRef:
kind: HelmRepository kind: HelmRepository
name: yc-oci-charts name: yc-oci-charts