»Highly Available Vault Cluster with Consul

The below values.yaml can be used to set up a five server Vault cluster using Consul as a highly available storage backend, Google Cloud KMS for Auto Unseal.

server:
  extraEnvironmentVars:
    GOOGLE_REGION: global
    GOOGLE_PROJECT: myproject
    GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/my-gcp-iam/myproject-creds.json

  extraVolumes:
    - type: secret
      name: my-gcp-iam

  affinity: |
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchLabels:
              app: {{ template "vault.name" . }}
              release: "{{ .Release.Name }}"
              component: server
          topologyKey: kubernetes.io/hostname

  service:
    enabled: true

  ha:
    enabled: true
    replicas: 5

    config: |
      ui = true

      listener "tcp" {
        tls_disable = 1
        address = "[::]:8200"
        cluster_address = "[::]:8201"
      }

      storage "consul" {
        path = "vault"
        address = "HOST_IP:8500"
      }

      seal "gcpckms" {
         project     = "myproject"
         region      = "global"
         key_ring    = "vault-unseal-kr"
         crypto_key  = "vault-unseal-key"
      }

      service_registration "kubernetes" {}
server:  extraEnvironmentVars:    GOOGLE_REGION: global    GOOGLE_PROJECT: myproject    GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/my-gcp-iam/myproject-creds.json
  extraVolumes:    - type: secret      name: my-gcp-iam
  affinity: |    podAntiAffinity:      requiredDuringSchedulingIgnoredDuringExecution:        - labelSelector:            matchLabels:              app: {{ template "vault.name" . }}              release: "{{ .Release.Name }}"              component: server          topologyKey: kubernetes.io/hostname
  service:    enabled: true
  ha:    enabled: true    replicas: 5
    config: |      ui = true
      listener "tcp" {        tls_disable = 1        address = "[::]:8200"        cluster_address = "[::]:8201"      }
      storage "consul" {        path = "vault"        address = "HOST_IP:8500"      }
      seal "gcpckms" {         project     = "myproject"         region      = "global"         key_ring    = "vault-unseal-kr"         crypto_key  = "vault-unseal-key"      }
      service_registration "kubernetes" {}