vault: enroll audit-vault-0 in pvc-autoresizer (10Gi limit)

audit-vault-0 fills steadily with raft audit logs; without autoresizer annotations it hits the 2Gi ceiling and Vault stalls on writes (PVAutoExpanding alert was firing at 81% used). The Vault Helm chart copies server.auditStorage.annotations onto the PVC at create time. Live PVC already has the annotations applied via kubectl annotate; this just keeps TF in sync. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-10 20:01:06 +00:00 · 2026-05-10 20:01:06 +00:00 · ee47197f3b
commit ee47197f3b
parent 0fdadcc3dd
1 changed files with 8 additions and 0 deletions
--- a/stacks/vault/main.tf
+++ b/stacks/vault/main.tf
@ -63,6 +63,14 @@ resource "helm_release" "vault" {
        enabled      = true
        size         = "2Gi"
        storageClass = "proxmox-lvm-encrypted" # Migrated 2026-04-25 from nfs-proxmox
+        # Vault audit logs grow unbounded per request; let pvc-autoresizer
+        # expand the volume up to 10Gi rather than ride a stuck-Pending
+        # vault-0 the moment the PVC fills.
+        annotations = {
+          "resize.topolvm.io/threshold"     = "10%"
+          "resize.topolvm.io/increase"      = "100%"
+          "resize.topolvm.io/storage_limit" = "10Gi"
+        }
      }

      standalone = { enabled = false }