Initial code commit + initial automation stuff + etc...

2025-12-18 22:23:37 -06:00 · 2025-12-18 22:23:37 -06:00 · f40cbdf6dd
commit f40cbdf6dd
parent 6f24ea7563
12 changed files with 462 additions and 1 deletions
--- a/templates/vault-creds-persistant-volume-claim.yaml
+++ b/templates/vault-creds-persistant-volume-claim.yaml
@ -0,0 +1,15 @@
+{{- if .Values.vault.create.enabled -}}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ .Release.Name }}-vault-creds
+  labels:
+    app: {{ .Release.Name }}-vault
+spec:
+  storageClassName: vault-role-vars-rook-cephfs
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 512Mi
+{{- end -}}
--- a/templates/vault-hashicorp-secret.yaml
+++ b/templates/vault-hashicorp-secret.yaml
@ -0,0 +1,24 @@
+{{- if and (.Values.vault.enabled) (eq .Values.vault.type "hashicorp") -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-vault-secret
+type: opaque
+data:
+  {{- if .Values.vault.create.enabled }}
+  # Because we create the Hashicorp Vault instance as part of the Helm chart, 
+  # we can use the name of the created resource (utilizing k8s built-in container connections) 
+  # to connect to the Vault instance without having to hard-code the Vault name.
+  vault-name: {{ printf "%s-vault" .Release.Name | b64enc }}
+  # Because we create the Hashicorp Vault instance as part of the Helm chart,
+  # We know the port that the Vault instance is running on.
+  vault-port: {{ printf "%d" 80 | b64enc }}
+  {{- else }}
+  # Because the Vault wasn't created as part of the Helm chart,
+  # we need the deployer to specify the name of the Vault instance to connect to.
+  vault-name: {{ .Values.vault.vaultName | b64enc }}
+  # Because the Vault wasn't created as part of the Helm chart,
+  # we need the deployer to specify the port that the Vault instance is running on.
+  vault-port: {{ .Values.vault.vaultPort | b64enc }}
+  {{- end }}
+{{- end -}}
--- a/templates/vault-ingress.yaml
+++ b/templates/vault-ingress.yaml
@ -0,0 +1,21 @@
+{{- if .Values.vault.create.ingress.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ .Release.Name }}-vault-ingress
+  labels:
+    app: {{ .Release.Name }}-vault
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: {{ .Values.vault.create.ingress.host }}
+      http:
+        paths:
+        - path: /
+          pathType: Prefix
+          backend:
+            service:
+              name: {{ .Release.Name }}-vault
+              port:
+                number: 80
+{{- end -}}
--- a/templates/vault-keyvault-secret.yaml
+++ b/templates/vault-keyvault-secret.yaml
@ -0,0 +1,12 @@
+{{- if and (.Values.vault.enabled) (eq .Values.vault.type "azure") -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-vault-secret
+type: opaque
+data:
+  client-id: {{ .Values.vault.clientId | b64enc }}
+  client-secret: {{ .Values.vault.clientSecret | b64enc}}
+  name: {{ .Values.vault.vaultName | b64enc }}
+  tenant-id: {{ .Values.vault.tenantId | b64enc }}
+{{- end -}}
--- a/templates/vault-role-vars-persistant-volume-claim.yaml
+++ b/templates/vault-role-vars-persistant-volume-claim.yaml
@ -0,0 +1,15 @@
+{{- if .Values.vault.create.enabled -}}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ .Release.Name }}-vault-role-vars
+  labels:
+    app: {{ .Release.Name }}-vault
+spec:
+  storageClassName: vault-role-vars-rook-cephfs
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 512Mi
+{{- end -}}
--- a/templates/vault-service.yaml
+++ b/templates/vault-service.yaml
@ -0,0 +1,22 @@
+{{- if .Values.vault.create.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Release.Name }}-vault
+  labels:
+    app: {{ .Release.Name }}-vault
+spec:
+  selector:
+    app: {{ .Release.Name }}-vault
+  ports:
+    {{- if .Values.vault.create.snapshotServer.enabled }}
+    - name: custom-snapshot-server
+      protocol: TCP
+      port: {{ .Values.vault.create.snapshotServer.externalPort }}
+      targetPort: {{ .Values.vault.create.snapshotServer.internalPort }}
+    {{- end }}
+    - name: http
+      protocol: TCP
+      port: 80
+      targetPort: 8200
+{{- end -}}
--- a/templates/vault-snapshot-server-configmap.yaml
+++ b/templates/vault-snapshot-server-configmap.yaml
@ -0,0 +1,8 @@
+{{- if .Values.vault.create.snapshotServer.enabled -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}-vault-snapshot-config
+data:
+  port: {{ .Values.vault.create.snapshotServer.externalPort | quote }}
+{{- end -}}
--- a/templates/vault-statefulset.yaml
+++ b/templates/vault-statefulset.yaml
@ -0,0 +1,78 @@
+{{- if and (.Values.vault.create.enabled) (eq .Values.vault.type "hashicorp") -}}
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: {{ .Release.Name }}-vault
+  labels:
+    app: {{ .Release.Name }}-vault
+spec:
+  serviceName: {{ .Release.Name }}-vault
+  replicas: 1
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}-vault
+  template:
+    metadata:
+      labels:
+        app: {{ .Release.Name }}-vault
+    spec:
+      # Because the Vault process runs with a non-root user inside the container,
+      # we need to set the fsGroup to ensure that the mounted volumes have the correct permissions
+      securityContext:
+        fsGroup: 1000
+      containers:
+      - name: {{ .Release.Name }}-vault
+        image: {{ .Values.vault.create.image.repository }}:{{ .Values.vault.create.image.tag }}
+        ports:
+        - containerPort: 8200
+        - containerPort: 8201
+        {{- if .Values.vault.create.snapshotServer.enabled }}
+        - containerPort: {{ .Values.vault.create.snapshotServer.internalPort }}
+        {{- end }}
+        env:
+        - name: VAULT_ADDR
+          value: http://0.0.0.0:8200
+        - name: ROLE_ID_SECRET_NAME
+          value: USER_PASSWORD_DEFAULT_VAULT_ROLE_ID
+        - name: SECRET_ID_SECRET_NAME
+          value: USER_PASSWORD_DEFAULT_VAULT_SECRET_ID
+        {{- if .Values.vault.create.snapshotServer.enabled }}
+        - name: SNAPSHOT_SERVER_PORT
+          value: {{ .Values.vault.create.snapshotServer.internalPort | quote }}
+        {{- end }}
+        volumeMounts:
+        - name: vault-data
+          mountPath: /vault/data
+        - name: vault-log
+          mountPath: /vault/logs
+        - name: vault-creds
+          mountPath: /vault/creds
+        - name: vault-role-vars
+          mountPath: /role_vars
+        capAdd:
+        - IPC_LOCK
+      volumes:
+      - name: vault-log
+        emptyDir: {}
+      - name: vault-creds
+        {{- if .Values.vault.create.snapshotServer.enabled }}
+        persistentVolumeClaim:
+          claimName: {{ .Release.Name }}-vault-creds
+        {{- else }}
+        emptyDir: {}
+        {{- end }}
+      - name: vault-role-vars
+        persistentVolumeClaim:
+          claimName: {{ .Release.Name }}-vault-role-vars
+  # To have data consistency across pod restarts, we use a volume claim template
+  # We do this instead of a static PVC because we require less control and it's easier to manage
+  volumeClaimTemplates:
+  - metadata:
+      name: vault-data
+    spec:
+      storageClassName: rook-ceph-block
+      accessModes: [ "ReadWriteOnce" ]
+      resources:
+        requests:
+          storage: 2Gi
+{{- end -}}