Pin Vault to Europa and move to nfs

peter-mein-mollie · peter-mein-mollie · commit f2d63715e684 · 2022-11-09T15:16:00.000+01:00
diff --git a/platform/vault/files/generate-secrets/config.yaml b/platform/vault/files/generate-secrets/config.yaml
@@ -18,3 +18,21 @@
     - key: password
       length: 32
       special: true
+
+- path: pihole/admin
+  data:
+    - key: password
+      length: 32
+      special: true
+
+- path: mariadb/admin
+  data:
+    - key: password
+      length: 32
+      special: true
+
+- path: postgres/admin
+  data:
+    - key: password
+      length: 32
+      special: true
diff --git a/platform/vault/templates/cr.yaml b/platform/vault/templates/cr.yaml
@@ -40,8 +40,8 @@ spec:
 
   # Support for pod nodeSelector rules to control which nodes can be chosen to run
   # the given pods
-  # nodeSelector:
-  #   "node-role.kubernetes.io/your_role": "true"
+  nodeSelector:
+     "kubernetes.io/hostname": "europa"
 
   # Support for node tolerations that work together with node taints to control
   # the pods that can like on a node
@@ -260,7 +260,7 @@ kind: PersistentVolumeClaim
 metadata:
   name: vault-file
 spec:
-  storageClassName: longhorn
+  storageClassName: nfs
   accessModes:
     - ReadWriteOnce
   resources:
diff --git a/platform/vault/values.yaml b/platform/vault/values.yaml
@@ -0,0 +1,99 @@
+vault-operator:
+    # Default values for vault-operator.
+  # This is a YAML-formatted file.
+  # Declare variables to be passed into your templates.
+
+  replicaCount: 1
+
+  image:
+    bankVaultsRepository: ghcr.io/banzaicloud/bank-vaults
+    repository: ghcr.io/banzaicloud/vault-operator
+    # tag: ""
+    pullPolicy: IfNotPresent
+    imagePullSecrets: []  # global.imagePullSecrets is also supported
+
+  service:
+    name: ""
+    type: ClusterIP
+    externalPort: 80
+    internalPort: 8080
+    annotations: {}
+
+  nameOverride: ""
+  fullnameOverride: ""
+
+  crdAnnotations: {}
+
+  # The namespace where the operator watches for vault CRD objects, if not defined
+  # all namespaces are watched
+  watchNamespace: ""
+  syncPeriod: "1m"
+
+  labels: {}
+    #  team: banzai
+
+  podLabels: {}
+    #  team: banzai
+
+  podAnnotations: {}
+    #  team: banzai
+
+  resources:
+    limits:
+      cpu: 100m
+      memory: 256Mi
+    requests:
+      cpu: 100m
+      memory: 128Mi
+
+  affinity: {}
+
+  # # if tolerations are used inside cluster, define tolerations as well
+  tolerations: []
+  #   - effect: NoSchedule
+  #     key: node_role
+  #     operator: Equal
+  #     value: custom_worker
+
+  # # If needed, define nodeSelector for vault operator
+  nodeSelector:
+    "kubernetes.io/hostname": "europa"
+
+  podSecurityContext: {}
+
+  securityContext: {}
+
+  ## Assign a PriorityClassName to pods if set
+  priorityClassName: ""
+
+  terminationGracePeriodSeconds: 10
+
+  livenessProbe:
+    initialDelaySeconds: 60
+    periodSeconds: 10
+    successThreshold: 1
+    timeoutSeconds: 1
+  readinessProbe:
+    periodSeconds: 10
+    successThreshold: 1
+    timeoutSeconds: 1
+
+  psp:
+    enabled: false
+    vaultSA: "vault"
+
+  serviceAccount:
+    # Specifies whether a service account should be created
+    create: true
+    # Annotations to add to the service account
+    annotations: {}
+    # The name of the service account to use.
+    # If not set and create is true, a name is generated using the fullname template
+    name: ""
+  monitoring:
+    # Create a Vault Operator ServiceMonitor object
+    serviceMonitor:
+      enabled: false
+      additionalLabels: {}
+      metricRelabelings: []
+      relabelings: []
