From c8f945034e73be3f258187645515b588402329e3 Mon Sep 17 00:00:00 2001 From: Mayne0213 Date: Sat, 27 Dec 2025 23:52:40 +0900 Subject: [PATCH] REFACTOR(postgresql): change vault from dev - to production mode with P... - Disabled dev mode - Added standalone mode with PostgreSQL storage backend - Connected to postgresql-cnpg cluster (vault database) - Added environment variable for PostgreSQL password from secret - Increased resource limits (cpu: 100m, memory: 256Mi) --- vault/helm-values/vault.yaml | 45 +++++++++++++++++++++++++------- vault/kustomization.yaml | 1 + vault/vault-postgres-secret.yaml | 21 +++++++++++++++ 3 files changed, 58 insertions(+), 9 deletions(-) create mode 100644 vault/vault-postgres-secret.yaml diff --git a/vault/helm-values/vault.yaml b/vault/helm-values/vault.yaml index 28cce1b..fa8ad94 100644 --- a/vault/helm-values/vault.yaml +++ b/vault/helm-values/vault.yaml @@ -7,20 +7,47 @@ global: server: enabled: true - - # Dev 모드 (시작하기 쉽게, 나중에 production 모드로 변경 가능) + + # Production 모드 - PostgreSQL backend 사용 dev: + enabled: false + + # Standalone mode with PostgreSQL backend + standalone: enabled: true - devRootToken: "root" # 초기 root 토큰 (나중에 변경 권장) - + config: | + ui = true + + listener "tcp" { + tls_disable = 1 + address = "[::]:8200" + cluster_address = "[::]:8201" + } + + storage "postgresql" { + connection_url = "postgres://vault:${VAULT_POSTGRES_PASSWORD}@postgresql-cnpg-rw.postgresql-cnpg.svc.cluster.local:5432/vault?sslmode=disable" + } + + # Optional: Enable Prometheus metrics + telemetry { + prometheus_retention_time = "30s" + disable_hostname = true + } + + # Environment variables from secrets + extraSecretEnvironmentVars: + - envName: VAULT_POSTGRES_PASSWORD + secretName: vault-postgres-password + secretKey: password + # 리소스 제한 resources: requests: - cpu: 50m - memory: 128Mi + cpu: 100m + memory: 256Mi limits: memory: 512Mi - + # Ingress 설정 ingress: enabled: true 
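Review bot: The new `storage "postgresql"` stanza sets `sslmode=disable`, so the vault role's password and every Vault storage read and write cross the cluster network in cleartext between the Vault pod and `postgresql-cnpg-rw`; change the query string to `?sslmode=verify-full&sslrootcert=<mounted CNPG CA>` (CNPG-managed clusters serve TLS with a cluster-generated CA that can be mounted from the cluster's CA secret) or, as a floor, `?sslmode=require`. The listener has the same gap: `tls_disable = 1` means the ingress terminates TLS with `vault-tls`, but the ingress-to-pod hop and every in-cluster client speak plaintext on 8200, which is only defensible if a mesh or network policy encrypts that path, and that assumption should be written above the listener block. `${VAULT_POSTGRES_PASSWORD}` inside the HCL relies on Vault expanding environment variables in `connection_url`, which I do not believe the server does for this field; the documented route is the `VAULT_PG_CONNECTION_URL` environment variable, which overrides `connection_url` entirely, so verify that the rendered config resolves before relying on this. The PostgreSQL backend also expects the `vault_kv_store` table (and `vault_ha_locks` if HA is ever enabled) to exist already, and nothing in this commit creates that schema, so unless the CNPG bootstrap runs that DDL the server will fail on first start. Leaving dev mode means the server now boots sealed with no `root` token, so the init/unseal procedure, or an auto-unseal `seal` stanza, should be documented next to this config.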
@@ -33,11 +60,11 @@ server:
 - secretName: vault-tls
 hosts:
 - vault0213.kro.kr
-
+
 # 고가용성 비활성화 (단일 인스턴스)
 ha:
 enabled: false
-
+
 # 서비스 타입
 service:
 enabled: true
diff --git a/vault/kustomization.yaml b/vault/kustomization.yaml
index 0ceedfe..cefc105 100644
--- a/vault/kustomization.yaml
+++ b/vault/kustomization.yaml
@@ -9,4 +9,5 @@ resources:
 # External Secrets integration
 # ServiceAccount is managed by external-secrets Helm chart
 - cluster-secret-store.yaml
+ - vault-postgres-secret.yaml
 # vault-config-job.yaml은 삭제됨 (민감한 정보 포함으로 인해 .md 파일로 대체)
\ No newline at end of file
diff --git a/vault/vault-postgres-secret.yaml b/vault/vault-postgres-secret.yaml
new file mode 100644
index 0000000..10f0824
--- /dev/null
+++ b/vault/vault-postgres-secret.yaml
@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: vault-postgres-password
+ namespace: vault
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-backend
+ target:
+ name: vault-postgres-password
+ creationPolicy: Owner
+ template:
+ data:
+ password: "{{ .password }}"
+ data:
+ - secretKey: password
+ remoteRef:
+ key: databases/postgresql-cnpg
+ property: VAULT_PASSWORD
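Review bot: `secretStoreRef` points the new ExternalSecret at the ClusterSecretStore `vault-backend`, which from its name and the `cluster-secret-store.yaml` it is registered beside looks like it is backed by this same Vault; if so, the Vault pod's storage password can only be fetched from a Vault that cannot start without that password, a circular bootstrap that will surface the first time the pod and the synced Secret are both gone. Confirm the store's provider, and if it is Vault, source `password` from something independent of it, for example a Secret CNPG itself manages for the database role, before relying on this path for recovery. `refreshInterval: 1h` also only re-syncs the Kubernetes Secret; Vault reads `VAULT_POSTGRES_PASSWORD` once at startup, so a rotated value in the store takes effect only after the pod restarts, which is worth stating in a comment above `refreshInterval`.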