add hashicorp vault helm [ci skip]

2025-11-30 15:55:47 +00:00 · 2025-11-30 15:55:47 +00:00 · 1e8e855b51
commit 1e8e855b51
parent c93b1ab901
3 changed files with 32 additions and 23 deletions
--- a/modules/kubernetes/main.tf
+++ b/modules/kubernetes/main.tf
@ -280,10 +280,10 @@ module "privatebin" {
  depends_on = [null_resource.core_services]
 }

-# module "vault" {
-#   source          = "./vault"
-#   tls_secret_name = var.tls_secret_name
-# }
+module "vault" {
+  source          = "./vault"
+  tls_secret_name = var.tls_secret_name
+}

 module "reloader" {
  source = "./reloader"
--- a/modules/kubernetes/vault/chart_values.tpl
+++ b/modules/kubernetes/vault/chart_values.tpl
@ -1,24 +1,23 @@
+global:
+  namespace: "vault"
+  image:
+    repository: "hashicorp/vault-k8s"
+    tag: "1.7.0"
+  agentImage:
+    repository: "hashicorp/vault"
+    tag: "1.20.4"
 injector:
  metrics:
    enabled: true
 server:
+  image:
+    repository: "hashicorp/vault"
+    tag: "1.20.4"
  enabled: true
  volumes:
    - name: data
      emptyDir: {}
  ingress:
-    enabled: true
-    annotations:
-      "kubernetes.io/ingress.class": "nginx"
-      "nginx.ingress.kubernetes.io/auth-tls-verify-client": "on"
-      "nginx.ingress.kubernetes.io/auth-tls-secret": "default/ca-secret"
-    hosts:
-      - host: "${host}"
-        paths:
-          - /
-    tls:
-      - secretName: ${tls_secret_name}
-        hosts:
-            - "${host}"
+    enabled: false
 ui:
  enabled: true
--- a/modules/kubernetes/vault/main.tf
+++ b/modules/kubernetes/vault/main.tf
@ -17,7 +17,7 @@ module "tls_secret" {

 resource "kubernetes_persistent_volume" "vault_data" {
  metadata {
-    name = "vauld-data-pv"
+    name = "vault-data-pv"
  }
  spec {
    capacity = {
@ -25,11 +25,9 @@ resource "kubernetes_persistent_volume" "vault_data" {
    }
    access_modes = ["ReadWriteOnce"]
    persistent_volume_source {
-      iscsi {
-        target_portal = "iscsi.viktorbarzin.lan:3260"
-        iqn           = "iqn.2020-12.lan.viktorbarzin:storage:vault"
-        lun           = 0
-        fs_type       = "ext4"
+      nfs {
+        server = "10.0.10.15"
+        path   = "/mnt/main/vault"
      }
    }
  }
@ -44,4 +42,16 @@ resource "helm_release" "prometheus" {
  chart      = "vault"

  values = [templatefile("${path.module}/chart_values.tpl", { host = var.host, tls_secret_name = var.tls_secret_name })]
+
+  depends_on = [kubernetes_persistent_volume.vault_data]
+}
+
+module "ingress" {
+  source          = "../ingress_factory"
+  namespace       = "vault"
+  name            = "vault"
+  service_name    = "vault-ui"
+  port            = 8200
+  tls_secret_name = var.tls_secret_name
+  protected       = true
 }