Add transit Vault for autounseal

2026-06-08 11:35:56 +03:00 · 2026-06-08 11:35:56 +03:00 · 7722998805
commit 7722998805
parent 10b6ef51c3
8 changed files with 74 additions and 2 deletions
--- a/clusters/yc-infra-prod/infrastructure/kustomization.yaml
+++ b/clusters/yc-infra-prod/infrastructure/kustomization.yaml
@ -1,8 +1,16 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - ../../../infrastructure/vault-unseal
  - ../../../infrastructure/vault
 patches:
+  - path: ./patches/vault-unseal.yaml
+    target:
+      group: helm.toolkit.fluxcd.io
+      version: v2
+      kind: HelmRelease
+      name: vault-unseal
+      namespace: vault-unseal
  - path: ./patches/vault.yaml
    target:
      group: helm.toolkit.fluxcd.io
--- a/clusters/yc-infra-prod/infrastructure/patches/vault-unseal.yaml
+++ b/clusters/yc-infra-prod/infrastructure/patches/vault-unseal.yaml
@ -0,0 +1,22 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: vault-unseal
+  namespace: vault-unseal
+spec:
+  interval: 5m
+  timeout: 15m
+  values:
+    global:
+      namespace: vault-unseal
+    autounseal:
+      enabled: false
+    backup:
+      enabled: false
+    injector:
+      enabled: false
+    server:
+      ha:
+        replicas: 3
+      dataStorage:
+        size: 10Gi
--- a/clusters/yc-infra-prod/infrastructure/patches/vault.yaml
+++ b/clusters/yc-infra-prod/infrastructure/patches/vault.yaml
@ -4,14 +4,18 @@ metadata:
  name: vault
  namespace: vault
 spec:
+  dependsOn:
+    - name: vault-unseal
+      namespace: vault-unseal
  interval: 5m
  timeout: 15m
  values:
    global:
      namespace: vault
    autounseal:
+      enabled: true
      transit:
-        address: "https://vault-unseal.infra.sarex.io"
+        address: "http://vault-unseal-vault-contour.vault-unseal.svc:8200"
        keyName: "vault-infra-prod"
        mountPath: "transit/"
        tlsSkipVerify: false
--- a/infrastructure/vault-unseal/base/helmrelease.yaml
+++ b/infrastructure/vault-unseal/base/helmrelease.yaml
@ -0,0 +1,22 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: vault-unseal
+  namespace: vault-unseal
+spec:
+  interval: 10m
+  chart:
+    spec:
+      chart: vault-contour
+      version: "0.2.1"
+      sourceRef:
+        kind: HelmRepository
+        name: yc-oci-charts
+        namespace: flux-system
+      interval: 10m
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
--- a/infrastructure/vault-unseal/base/kustomization.yaml
+++ b/infrastructure/vault-unseal/base/kustomization.yaml
@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: vault-unseal
+resources:
+  - helmrelease.yaml
+  - namespace.yaml
--- a/infrastructure/vault-unseal/base/namespace.yaml
+++ b/infrastructure/vault-unseal/base/namespace.yaml
@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: vault-unseal
+  labels:
+    istio-injection: enabled
--- a/infrastructure/vault-unseal/kustomization.yaml
+++ b/infrastructure/vault-unseal/kustomization.yaml
@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - base
--- a/infrastructure/vault/base/helmrelease.yaml
+++ b/infrastructure/vault/base/helmrelease.yaml
@ -8,7 +8,7 @@ spec:
  chart:
    spec:
      chart: vault-contour
-      version: "0.2.0"
+      version: "0.2.1"
      sourceRef:
        kind: HelmRepository
        name: yc-oci-charts