Highly Available Vault Cluster with Consul
Important Note: This chart is not compatible with Helm 2. Please use Helm 3 with this chart.
The values.yaml below can be used to set up a five-server Vault cluster using
Consul as a highly available storage backend and Google Cloud KMS for Auto Unseal.
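# Helm values for a five-replica Vault cluster in HA mode, with Consul as the
# storage backend and Google Cloud KMS auto-unseal.
server:
  # Environment for the GCP client used by the "gcpckms" seal below.
  # GOOGLE_APPLICATION_CREDENTIALS points at a service-account key file that
  # is mounted from the "my-gcp-iam" Kubernetes secret (see extraVolumes).
  # That key is a long-lived credential: grant the service account only the
  # permissions the unseal key requires, and restrict who can read the secret.
  # Where the platform offers it (e.g. GKE Workload Identity), a keyless
  # identity avoids storing the file at all.
  extraEnvironmentVars:
    GOOGLE_REGION: global
    GOOGLE_PROJECT: myproject
    GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/my-gcp-iam/myproject-creds.json

  # Mounts the Kubernetes secret that holds the credentials file referenced
  # above; the secret must already exist in the release namespace.
  extraVolumes:
    - type: secret
      name: my-gcp-iam

  # Hard anti-affinity: no two Vault server pods share a node, so one node
  # failure takes out at most one replica. With replicas: 5 this needs at
  # least five schedulable nodes, otherwise the extra pods stay Pending.
  # The value is a template string, hence the block scalar.
  affinity: |
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchLabels:
              app: {{ template "vault.name" . }}
              release: "{{ .Release.Name }}"
              component: server
          topologyKey: kubernetes.io/hostname

  service:
    enabled: true

  ha:
    enabled: true
    replicas: 5

    # Vault server configuration (HCL). Lines starting with '#' inside this
    # block are HCL comments and are passed through to Vault.
    config: |
      ui = true

      # tls_disable = 1 makes the API listener on 8200 serve plaintext HTTP:
      # tokens and secret values cross the pod network unencrypted unless TLS
      # is terminated elsewhere. For production, provide tls_cert_file and
      # tls_key_file here and set global.tlsDisable to false in the chart.
      listener "tcp" {
        tls_disable = 1
        address = "[::]:8200"
        cluster_address = "[::]:8201"
      }

      # Port 8500 is Consul's plaintext HTTP API and no ACL token is set.
      # Vault encrypts what it stores, but anything that can reach this
      # endpoint can still delete or overwrite the data. Consider
      # scheme = "https" and an ACL token restricted to the "vault" path.
      storage "consul" {
        path = "vault"
        address = "HOST_IP:8500"
      }

      # Auto-unseal: access to this Cloud KMS key plus the storage backend is
      # enough to unseal Vault. Restrict IAM on the key ring and key to the
      # Vault service account and audit use of the key.
      seal "gcpckms" {
        project = "myproject"
        region = "global"
        key_ring = "vault-unseal-kr"
        crypto_key = "vault-unseal-key"
      }

      service_registration "kubernetes" {}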