FEAT(postgresql): configure vault
- to use externalsecret for postgresq... - Add ExternalSecret to pull vault config from Vault itself - Add RBAC for vault token reviewer (kubernetes auth) - Update helm-values to mount secret as config - Connection string is now stored in Vault, not in git
18
vault/external-secret.yaml
Normal file
@@ -0,0 +1,18 @@
|
|||||||
|
apiVersion: external-secrets.io/v1
|
||||||
|
kind: ExternalSecret
|
||||||
|
metadata:
|
||||||
|
name: vault-config
|
||||||
|
namespace: vault
|
||||||
|
spec:
|
||||||
|
refreshInterval: 1h
|
||||||
|
secretStoreRef:
|
||||||
|
name: vault-backend
|
||||||
|
kind: ClusterSecretStore
|
||||||
|
target:
|
||||||
|
name: vault-config-secret
|
||||||
|
creationPolicy: Owner
|
||||||
|
data:
|
||||||
|
- secretKey: extraconfig-from-values.hcl
|
||||||
|
remoteRef:
|
||||||
|
key: secret/data/vault/config
|
||||||
|
property: extraconfig-from-values.hcl
|
||||||
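Review bot: `remoteRef.key: secret/data/vault/config` makes Vault's own storage configuration depend on reading that same Vault — the PostgreSQL connection string Vault needs to start is stored in the Vault it configures. This works only while the `vault-config-secret` Secret already exists (`creationPolicy: Owner` keeps it between refreshes); on a fresh cluster, or after the Secret is deleted, ESO cannot sync because Vault is down and Vault cannot come up because the Secret is missing, so the bootstrap path belongs next to this manifest, e.g. `# NOTE: circular bootstrap dependency — vault-config-secret must be seeded by hand before the first Vault start`. The synced value also lands as an ordinary base64 Secret in the `vault` namespace, so anyone with `get secrets` there reads the connection string; keep that verb tightly bound in the namespace RBAC. The `vault-backend` ClusterSecretStore's auth method is not in this diff, so I cannot confirm it does not itself require a configured Vault.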
@@ -12,27 +12,34 @@ server:
|
|||||||
dev:
|
dev:
|
||||||
enabled: false
|
enabled: false
|
||||||
|
|
||||||
# Standalone mode with file storage
|
# Standalone 비활성화 (HA 사용)
|
||||||
standalone:
|
standalone:
|
||||||
|
enabled: false
|
||||||
|
|
||||||
|
# HA 설정 - PostgreSQL storage (config from External Secret)
|
||||||
|
ha:
|
||||||
enabled: true
|
enabled: true
|
||||||
config: |
|
replicas: 3
|
||||||
ui = true
|
raft:
|
||||||
|
enabled: false
|
||||||
|
|
||||||
listener "tcp" {
|
# PVC 비활성화 (PostgreSQL 사용)
|
||||||
tls_disable = 1
|
dataStorage:
|
||||||
address = "[::]:8200"
|
enabled: false
|
||||||
cluster_address = "[::]:8201"
|
|
||||||
}
|
|
||||||
|
|
||||||
storage "file" {
|
# Config from External Secret
|
||||||
path = "/vault/data"
|
volumes:
|
||||||
}
|
- name: vault-config-secret
|
||||||
|
secret:
|
||||||
|
secretName: vault-config-secret
|
||||||
|
|
||||||
# Prometheus metrics
|
volumeMounts:
|
||||||
telemetry {
|
- name: vault-config-secret
|
||||||
prometheus_retention_time = "30s"
|
mountPath: /vault/userconfig
|
||||||
disable_hostname = true
|
readOnly: true
|
||||||
}
|
|
||||||
|
# Extra args to use config from secret
|
||||||
|
extraArgs: "-config=/vault/userconfig/extraconfig-from-values.hcl"
|
||||||
|
|
||||||
# 리소스 제한
|
# 리소스 제한
|
||||||
resources:
|
resources:
|
||||||
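Review bot: The listener stanza that previously carried `tls_disable = 1` is gone from git and the entire server config now comes from the opaque `extraconfig-from-values.hcl` referenced on the `extraArgs` line, so whether the tcp listener is now TLS-enabled cannot be reviewed here; and because `ha.config` is no longer set, the chart's default `ha.config` (in upstream vault-helm a plaintext listener plus a Consul storage stanza) is presumably still rendered and passed as the first `-config`, where a second listener on `[::]:8200` from the Secret would collide rather than override. The usual pattern is to keep the non-secret parts (`ui`, `listener`, `telemetry`, the `storage "postgresql"` stanza with `ha_enabled = "true"`, which three replicas without raft need) in `ha.config` in git and inject only the credential: the PostgreSQL backend reads `VAULT_PG_CONNECTION_URL` from the environment, so `extraSecretEnvironmentVars` can carry just that value, with the ExternalSecret reduced to that one key. The enclosing `server:` mapping starts before this hunk, so I cannot see whether `ha.config` or `extraSecretEnvironmentVars` is set elsewhere in the file — verify against the rendered StatefulSet.
```yaml
# … unchanged: dev / standalone / ha.replicas / ha.raft / dataStorage …
extraSecretEnvironmentVars:
  - envName: VAULT_PG_CONNECTION_URL
    secretName: vault-config-secret
    secretKey: connection_url   # ExternalSecret must then sync this key, not the whole .hcl
ha:
  enabled: true
  config: |
    ui = true
    listener "tcp" {
      address         = "[::]:8200"
      cluster_address = "[::]:8201"
      # TODO(review): TLS settings — keep them reviewable in git, not in the Secret
    }
    storage "postgresql" {
      ha_enabled = "true"   # required for multi-replica HA on this backend
      # connection_url comes from VAULT_PG_CONNECTION_URL
    }
# … unchanged: resources …
```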
@@ -57,10 +64,6 @@ server:
|
|||||||
hosts:
|
hosts:
|
||||||
- vault0213.kro.kr
|
- vault0213.kro.kr
|
||||||
|
|
||||||
# HA 비활성화 (단일 인스턴스)
|
|
||||||
ha:
|
|
||||||
enabled: false
|
|
||||||
|
|
||||||
# 서비스 타입
|
# 서비스 타입
|
||||||
service:
|
service:
|
||||||
enabled: true
|
enabled: true
|
||||||
|
|||||||
@@ -2,3 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
|
|||||||
kind: Kustomization
|
kind: Kustomization
|
||||||
resources:
|
resources:
|
||||||
- cluster-secret-store.yaml
|
- cluster-secret-store.yaml
|
||||||
|
- external-secret.yaml
|
||||||
|
- rbac.yaml
|
||||||
|
|||||||
24
vault/rbac.yaml
Normal file
@@ -0,0 +1,24 @@
|
|||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: system:auth-delegator
|
||||||
|
rules:
|
||||||
|
- apiGroups: ["authentication.k8s.io"]
|
||||||
|
resources: ["tokenreviews"]
|
||||||
|
verbs: ["create"]
|
||||||
|
- apiGroups: ["authorization.k8s.io"]
|
||||||
|
resources: ["subjectaccessreviews"]
|
||||||
|
verbs: ["create"]
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: vault-token-reviewer
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: system:auth-delegator
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: vault
|
||||||
|
namespace: vault
|
||||||
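Review bot: The ClusterRole at the top of this file is named `system:auth-delegator`, which is the name of a Kubernetes built-in ClusterRole that the control plane auto-reconciles; applying your own object under that name will conflict with the existing one on `kubectl apply`, or be reverted by the reconciler on the next API-server restart, and the `system:` prefix is reserved for built-ins. The built-in role already grants exactly `create` on `tokenreviews` and `subjectaccessreviews`, so drop the ClusterRole document and keep only the ClusterRoleBinding, which binds to the pre-existing role by name. The binding's subject is the `vault` ServiceAccount in the `vault` namespace; that matches the Helm chart's default ServiceAccount only if the release is named `vault`, so confirm against the rendered StatefulSet, and consider a `# binds to the built-in ClusterRole; do not redefine it` comment above `roleRef`.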