FEAT(postgresql): configure vault

- to use externalsecret for postgresq... - Add ExternalSecret to pull vault config from Vault itself - Add RBAC for vault token reviewer (kubernetes auth) - Update helm-values to mount secret as config - Connection string is now stored in Vault, not in git
2025-12-31 02:10:03 +09:00
parent db24350909
commit 207351a932
4 changed files with 67 additions and 20 deletions
--- a/vault/external-secret.yaml
+++ b/vault/external-secret.yaml
@@ -0,0 +1,18 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: vault-config
+  namespace: vault
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: vault-backend
+    kind: ClusterSecretStore
+  target:
+    name: vault-config-secret
+    creationPolicy: Owner
+  data:
+    - secretKey: extraconfig-from-values.hcl
+      remoteRef:
+        key: secret/data/vault/config
+        property: extraconfig-from-values.hcl
--- a/vault/helm-values.yaml
+++ b/vault/helm-values.yaml
@@ -12,27 +12,34 @@ server:
  dev:
    enabled: false

-  # Standalone mode with file storage
+  # Standalone 비활성화 (HA 사용)
  standalone:
+    enabled: false
+
+  # HA 설정 - PostgreSQL storage (config from External Secret)
+  ha:
    enabled: true
-    config: |
-      ui = true
+    replicas: 3
+    raft:
+      enabled: false

-      listener "tcp" {
-        tls_disable = 1
-        address = "[::]:8200"
-        cluster_address = "[::]:8201"
-      }
+  # PVC 비활성화 (PostgreSQL 사용)
+  dataStorage:
+    enabled: false

-      storage "file" {
-        path = "/vault/data"
-      }
+  # Config from External Secret
+  volumes:
+    - name: vault-config-secret
+      secret:
+        secretName: vault-config-secret

-      # Prometheus metrics
-      telemetry {
-        prometheus_retention_time = "30s"
-        disable_hostname = true
-      }
+  volumeMounts:
+    - name: vault-config-secret
+      mountPath: /vault/userconfig
+      readOnly: true
+
+  # Extra args to use config from secret
+  extraArgs: "-config=/vault/userconfig/extraconfig-from-values.hcl"

  # 리소스 제한
  resources:
@@ -57,10 +64,6 @@ server:
        hosts:
          - vault0213.kro.kr

-  # HA 비활성화 (단일 인스턴스)
-  ha:
-    enabled: false
-
  # 서비스 타입
  service:
    enabled: true
--- a/vault/kustomization.yaml
+++ b/vault/kustomization.yaml
@@ -2,3 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - cluster-secret-store.yaml
+- external-secret.yaml
+- rbac.yaml
--- a/vault/rbac.yaml
+++ b/vault/rbac.yaml
@@ -0,0 +1,24 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system:auth-delegator
+rules:
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["subjectaccessreviews"]
+    verbs: ["create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: vault-token-reviewer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+  - kind: ServiceAccount
+    name: vault
+    namespace: vault