apiVersion: "vault.banzaicloud.com/v1alpha1"
kind: "Vault"
metadata:
name: "vault"
labels:
app.kubernetes.io/name: vault
vault_cr: vault
spec:
size: 3
image: hashicorp/vault:1.14.1
# Common annotations for all created resources
annotations:
common/annotation: "true"
# Vault Pods , Services and TLS Secret annotations
vaultAnnotations:
type/instance: "vault"
# Vault Configurer Pods and Services annotations
vaultConfigurerAnnotations:
type/instance: "vaultconfigurer"
# Vault Pods , Services and TLS Secret labels
vaultLabels:
example.com/log-format: "json"
# Vault Configurer Pods and Services labels
vaultConfigurerLabels:
example.com/log-format: "string"
# Support for affinity Rules
# affinity:
# nodeAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# nodeSelectorTerms:
# - matchExpressions:
# - key : "node-role.kubernetes.io/your_role"
# operator: In
# values: ["true"]
# Support for pod nodeSelector rules to control which nodes can be chosen to run
# the given pods
# nodeSelector:
# "node-role.kubernetes.io/your_role": "true"
# Support for node tolerations that work together with node taints to control
# the pods that can like on a node
# tolerations:
# - effect: NoSchedule
# key: node-role.kubernetes.io/your_role
# operator: Equal
# value: "true"
# Specify the ServiceAccount where the Vault Pod and the Bank-Vaults configurer/unsealer is running
serviceAccount: vault
# Specify the Service's type where the Vault Service is exposed
# Please note that some Ingress controllers like https://github.com/kubernetes/ingress-gce
# forces you to expose your Service on a NodePort
serviceType: ClusterIP
# Request an Ingress controller with the default configuration
ingress:
# Specify Ingress object annotations here, if TLS is enabled (which is by default)
# the operator will add NGINX, Traefik and HAProxy Ingress compatible annotations
# to support TLS backends
annotations: {}
# Override the default Ingress specification here
# This follows the same format as the standard Kubernetes Ingress
# See: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#ingressspec-v1beta1-extensions
spec: {}
# In some cases, you have to set permissions for the raft directory.
# For example in the case of using a local kind cluster, uncomment the lines below.
# vaultInitContainers:
# - name: raft-permission
# image: busybox
# command:
# - /bin/sh
# - -c
# - |
# chown -R 100:1000 /vault/file
# volumeMounts:
# - name: vault-raft
# mountPath: /vault/file
# Use local disk to store Vault raft data, see config section.
volumeClaimTemplates:
- metadata:
name: vault-raft
spec:
# https://kubernetes.io/docs/concepts/storage/persistent-volumes/#class-1
# storageClassName: ""
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 1Gi
volumeMounts:
- name: vault-raft
mountPath: /vault/file
# Add Velero fsfreeze sidecar container and supporting hook annotations to Vault Pods:
# https://velero.io/docs/v1.2.0/hooks/
veleroEnabled: true
# Support for distributing the generated CA certificate Secret to other namespaces.
# Define a list of namespaces or use ["*"] for all namespaces.
caNamespaces:
- "vswh"
# Describe where you would like to store the Vault unseal keys and root token.
unsealConfig:
options:
# The preFlightChecks flag enables unseal and root token storage tests
# This is true by default
preFlightChecks: true
# The storeRootToken flag enables storing of root token in chosen storage
# This is true by default
storeRootToken: true
# The secretShares represents the total number of unseal key shares
# This is 5 by default
secretShares: 5
# The secretThreshold represents the minimum number of shares required to reconstruct the unseal key
# This is 3 by default
secretThreshold: 3
kubernetes:
secretNamespace: default
# A YAML representation of a final vault config file.
# See https://www.vaultproject.io/docs/configuration/ for more information.
config:
storage:
raft:
path: "/vault/file"
listener:
tcp:
address: "0.0.0.0:8200"
tls_cert_file: /vault/tls/server.crt
tls_key_file: /vault/tls/server.key
api_addr: https://vault.default:8200
cluster_addr: "https://${.Env.POD_NAME}:8201"
ui: true
statsdDisabled: true
serviceRegistrationEnabled: true
resources:
# A YAML representation of resource ResourceRequirements for vault container
# Detail can reference: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container
vault:
limits:
memory: "512Mi"
cpu: "200m"
requests:
memory: "256Mi"
cpu: "100m"
# See: https://banzaicloud.com/docs/bank-vaults/cli-tool/#example-external-vault-configuration
# The repository also contains a lot examples in the test/deploy and operator/deploy directories.
externalConfig:
policies:
- name: allow_secrets
rules: path "secret/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
auth:
- type: kubernetes
roles:
# Allow every pod in the default namespace to use the secret kv store
- name: default
bound_service_account_names: ["default", "vault-secrets-webhook"]
bound_service_account_namespaces: ["default", "vswh"]
policies: allow_secrets
ttl: 1h
secrets:
- path: secret
type: kv
description: General secrets.
options:
version: 2
# Allows writing some secrets to Vault (useful for development purposes).
# See https://www.vaultproject.io/docs/secrets/kv/index.html for more information.
startupSecrets:
- type: kv
path: secret/data/accounts/aws
data:
data:
AWS_ACCESS_KEY_ID: secretId
AWS_SECRET_ACCESS_KEY: s3cr3t
- type: kv
path: secret/data/dockerrepo
data:
data:
DOCKER_REPO_USER: dockerrepouser
DOCKER_REPO_PASSWORD: dockerrepopassword
- type: kv
path: secret/data/mysql
data:
data:
MYSQL_ROOT_PASSWORD: s3cr3t
vaultEnvsConfig:
- name: VAULT_LOG_LEVEL
value: debug