diff --git a/clusters/yc-infra-prod/infrastructure/kustomization.yaml b/clusters/yc-infra-prod/infrastructure/kustomization.yaml index b741fc9..2b0b943 100644 --- a/clusters/yc-infra-prod/infrastructure/kustomization.yaml +++ b/clusters/yc-infra-prod/infrastructure/kustomization.yaml @@ -1,8 +1,16 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: + - ../../../infrastructure/vault-unseal - ../../../infrastructure/vault patches: + - path: ./patches/vault-unseal.yaml + target: + group: helm.toolkit.fluxcd.io + version: v2 + kind: HelmRelease + name: vault-unseal + namespace: vault-unseal - path: ./patches/vault.yaml target: group: helm.toolkit.fluxcd.io diff --git a/clusters/yc-infra-prod/infrastructure/patches/vault-unseal.yaml b/clusters/yc-infra-prod/infrastructure/patches/vault-unseal.yaml new file mode 100644 index 0000000..494586f --- /dev/null +++ b/clusters/yc-infra-prod/infrastructure/patches/vault-unseal.yaml @@ -0,0 +1,22 @@ +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: vault-unseal + namespace: vault-unseal +spec: + interval: 5m + timeout: 15m + values: + global: + namespace: vault-unseal + autounseal: + enabled: false + backup: + enabled: false + injector: + enabled: false + server: + ha: + replicas: 3 + dataStorage: + size: 10Gi diff --git a/clusters/yc-infra-prod/infrastructure/patches/vault.yaml b/clusters/yc-infra-prod/infrastructure/patches/vault.yaml index 77a8daa..c804b3e 100644 --- a/clusters/yc-infra-prod/infrastructure/patches/vault.yaml +++ b/clusters/yc-infra-prod/infrastructure/patches/vault.yaml 
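Review bot: In the new `patches/vault-unseal.yaml`, `backup.enabled: false` and `autounseal.enabled: false` are set on the instance that will hold the transit key `vault-infra-prod` wrapping the production Vault's unseal key (see the `patches/vault.yaml` change in this commit), yet nothing records how that key is protected or recovered. If `backup` in the vault-contour chart means snapshot backups of this instance, as the name suggests, losing its storage makes the production Vault permanently unsealable, so either enable it or add a comment above `backup:` such as `# holds transit key vault-infra-prod for the prod Vault; recovery path for this data is <DOCUMENT HERE>`. Likewise, with `server.ha.replicas: 3` and `autounseal` off, each replica of this unseal Vault presumably needs an operator to unseal it after a restart before the dependent Vault can come up; if that is the intended trade-off, note it next to `autounseal:` so the on-call path is visible from the manifest.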
@@ -4,14 +4,18 @@ metadata: name: vault namespace: vault spec: + dependsOn: + - name: vault-unseal + namespace: vault-unseal interval: 5m timeout: 15m values: global: namespace: vault autounseal: + enabled: true transit: - address: "https://vault-unseal.infra.sarex.io" + address: "http://vault-unseal-vault-contour.vault-unseal.svc:8200" keyName: "vault-infra-prod" mountPath: "transit/" tlsSkipVerify: false diff --git a/infrastructure/vault-unseal/base/helmrelease.yaml b/infrastructure/vault-unseal/base/helmrelease.yaml new file mode 100644 index 0000000..0c4243c --- /dev/null +++ b/infrastructure/vault-unseal/base/helmrelease.yaml @@ -0,0 +1,22 @@ +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: vault-unseal + namespace: vault-unseal +spec: + interval: 10m + chart: + spec: + chart: vault-contour + version: "0.2.1" + sourceRef: + kind: HelmRepository + name: yc-oci-charts + namespace: flux-system + interval: 10m + install: + remediation: + retries: 3 + upgrade: + remediation: + retries: 3 diff --git a/infrastructure/vault-unseal/base/kustomization.yaml b/infrastructure/vault-unseal/base/kustomization.yaml new file mode 100644 index 0000000..ef35ed5 --- /dev/null +++ b/infrastructure/vault-unseal/base/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: vault-unseal +resources: + - helmrelease.yaml + - namespace.yaml diff --git a/infrastructure/vault-unseal/base/namespace.yaml b/infrastructure/vault-unseal/base/namespace.yaml new file mode 100644 index 0000000..1ed2ce1 --- /dev/null +++ b/infrastructure/vault-unseal/base/namespace.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: vault-unseal + labels: + istio-injection: enabled diff --git a/infrastructure/vault-unseal/kustomization.yaml b/infrastructure/vault-unseal/kustomization.yaml new file mode 100644 index 0000000..85dcd9d --- /dev/null +++ b/infrastructure/vault-unseal/kustomization.yaml 
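Review bot: The transit `address` in `patches/vault.yaml` moves from an `https://` hostname to `http://vault-unseal-vault-contour.vault-unseal.svc:8200`, which sends the auto-unseal requests (carrying the Vault token and the wrapped key material) in plaintext inside the cluster, and the retained `tlsSkipVerify: false` becomes inert for an `http://` URL. If the intent is that Istio provides mTLS (the new `vault-unseal` namespace is labelled `istio-injection: enabled` in this commit), that only holds if the `vault` namespace is also injected and a `STRICT` PeerAuthentication applies to both, none of which is visible here; otherwise keep an `https://` endpoint with the internal CA configured. Whichever is intended, record it next to the address, e.g. `# plaintext in-cluster; protected by Istio mTLS between vault and vault-unseal — keep PeerAuthentication STRICT`. Note also that the added `dependsOn` only waits for the `vault-unseal` HelmRelease to become Ready, not for that Vault to be initialised and unsealed, so the first-boot ordering still needs an operational step worth documenting here.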
@@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - base diff --git a/infrastructure/vault/base/helmrelease.yaml b/infrastructure/vault/base/helmrelease.yaml index 3bdf75c..06d41b7 100644 --- a/infrastructure/vault/base/helmrelease.yaml +++ b/infrastructure/vault/base/helmrelease.yaml @@ -8,7 +8,7 @@ spec: chart: spec: chart: vault-contour - version: "0.2.0" + version: "0.2.1" sourceRef: kind: HelmRepository name: yc-oci-charts