From ee47197f3b10f648abb0ff88a214c8ce4c70440c Mon Sep 17 00:00:00 2001
From: Viktor Barzin <vbarzin@gmail.com>
Date: Sun, 10 May 2026 20:01:06 +0000
Subject: [PATCH] vault: enroll audit-vault-0 in pvc-autoresizer (10Gi limit)

audit-vault-0 fills steadily with raft audit logs; without autoresizer
annotations it hits the 2Gi ceiling and Vault stalls on writes
(PVAutoExpanding alert was firing at 81% used). The Vault Helm chart
copies server.auditStorage.annotations onto the PVC at create time.

Live PVC already has the annotations applied via kubectl annotate;
this just keeps TF in sync.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 stacks/vault/main.tf | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/stacks/vault/main.tf b/stacks/vault/main.tf
index e09e1532..83114e7d 100644
--- a/stacks/vault/main.tf
+++ b/stacks/vault/main.tf
@@ -63,6 +63,14 @@ resource "helm_release" "vault" {
         enabled      = true
         size         = "2Gi"
         storageClass = "proxmox-lvm-encrypted" # Migrated 2026-04-25 from nfs-proxmox
+        # Vault audit logs grow unbounded per request; let pvc-autoresizer
+        # expand the volume up to 10Gi rather than ride a stuck-Pending
+        # vault-0 the moment the PVC fills.
+        annotations = {
+          "resize.topolvm.io/threshold"     = "10%"
+          "resize.topolvm.io/increase"      = "100%"
+          "resize.topolvm.io/storage_limit" = "10Gi"
+        }
       }
 
       standalone = { enabled = false }