get a vault server up

hashicorp/vault/server/server-clusterrolebinding.yaml

@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: vault-example-server-binding
+  labels:
+    app.kubernetes.io/name: vault-example
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+  name: vault-example
+  namespace: vault-example

hashicorp/vault/server/server-config-configmap.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: vault-example-config
+  labels:
+    app.kubernetes.io/name: vault-example
+data:
+  extraconfig-from-values.hcl: |-
+    disable_mlock = true
+    ui = true
+    listener "tcp" {
+      tls_disable = 1
+      address = "[::]:8200"
+      cluster_address = "[::]:8201"
+    }
+    storage "file" {
+      path = "/vault/data"
+    }

hashicorp/vault/server/server-disruptionbudget.yaml

@@ -0,0 +1,22 @@
+# {{ template "vault.mode" . }}
+# {{- if and (and (eq (.Values.global.enabled | toString) "true") (eq .mode "ha")) (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}}
+# # PodDisruptionBudget to prevent degrading the server cluster through
+# # voluntary cluster changes.
+# apiVersion: policy/v1beta1
+# kind: PodDisruptionBudget
+# metadata:
+#   name: {{ template "vault.fullname" . }}
+#   namespace: {{ .Release.Namespace }}
+#   labels:
+#     helm.sh/chart: {{ include "vault.chart" . }}
+#     app.kubernetes.io/name: {{ include "vault.name" . }}
+#     app.kubernetes.io/instance: {{ .Release.Name }}
+#     app.kubernetes.io/managed-by: {{ .Release.Service }}
+# spec:
+#   maxUnavailable: {{ template "vault.pdb.maxUnavailable" . }}
+#   selector:
+#     matchLabels:
+#       app.kubernetes.io/name: {{ include "vault.name" . }}
+#       app.kubernetes.io/instance: {{ .Release.Name }}
+#       component: server
+# {{- end -}}

hashicorp/vault/server/server-ingress.yaml

@@ -0,0 +1,44 @@
+# {{- if .Values.server.ingress.enabled -}}
+# {{- $serviceName := include "vault.fullname" . -}}
+# {{- $servicePort := .Values.server.service.port -}}
+# apiVersion: extensions/v1beta1
+# kind: Ingress
+# metadata:
+#   name: {{ template "vault.fullname" . }}
+#   namespace: {{ .Release.Namespace }}
+#   labels:
+#     helm.sh/chart: {{ include "vault.chart" . }}
+#     app.kubernetes.io/name: {{ include "vault.name" . }}
+#     app.kubernetes.io/instance: {{ .Release.Name }}
+#     app.kubernetes.io/managed-by: {{ .Release.Service }}
+#     {{- with .Values.server.ingress.labels }}
+#       {{- toYaml . | nindent 4 }}
+#     {{- end }}
+#   {{- with .Values.server.ingress.annotations }}
+#   annotations:
+#     {{- toYaml . | nindent 4 }}
+#   {{- end }}
+# spec:
+# {{- if .Values.server.ingress.tls }}
+#   tls:
+#   {{- range .Values.server.ingress.tls }}
+#     - hosts:
+#       {{- range .hosts }}
+#         - {{ . | quote }}
+#       {{- end }}
+#       secretName: {{ .secretName }}
+#   {{- end }}
+# {{- end }}
+#   rules:
+#   {{- range .Values.server.ingress.hosts }}
+#     - host: {{ .host | quote }}
+#       http:
+#         paths:
+#         {{- range .paths }}
+#           - path: {{ . }}
+#             backend:
+#               serviceName: {{ $serviceName }}
+#               servicePort: {{ $servicePort }}
+#         {{- end }}
+#   {{- end }}
+# {{- end }}

hashicorp/vault/server/server-pv.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: vault
+  labels:
+    type: local
+spec:
+  storageClassName: manual
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteOnce
+  hostPath:
+    path: "/mnt/data"

hashicorp/vault/server/server-pvc.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: vault-claim
+spec:
+  storageClassName: manual
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi

hashicorp/vault/server/server-service.yaml

@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: vault-example
+  labels:
+    app.kubernetes.io/name: vault-example
+  annotations:
+    # This must be set in addition to publishNotReadyAddresses due
+    # to an open issue where it may not work:
+    # https://github.com/kubernetes/kubernetes/issues/58662
+    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+spec:
+  # We want the servers to become available even if they're not ready
+  # since this DNS is also used for join operations.
+  publishNotReadyAddresses: true
+  ports:
+    - name: http
+      port: 80
+      targetPort: 80
+    - name: internal
+      port: 8201
+      targetPort: 8201
+  selector:
+    app.kubernetes.io/name: vault-example
+    component: server

hashicorp/vault/server/server-serviceaccount.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-example
+  labels:
+    app.kubernetes.io/name: vault-example

hashicorp/vault/server/server-statefulset.yaml

@@ -0,0 +1,133 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: vault-example
+  labels:
+    app.kubernetes.io/name: vault-example
+spec:
+  serviceName: vault-example
+  podManagementPolicy: Parallel
+  replicas: 1
+  updateStrategy:
+    type: "OnDelete"
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: vault-example
+      component: server
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: vault-example
+        component: server
+    spec:
+      affinity:  
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - labelSelector:
+                matchLabels:
+                  app.kubernetes.io/name: vault-example
+                  component: server
+              topologyKey: kubernetes.io/hostname
+      terminationGracePeriodSeconds: 10
+      serviceAccountName: vault-example      
+      shareProcessNamespace: true
+      securityContext:
+        fsGroup: 1000
+      volumes:
+        - name: config
+          configMap:
+            name: vault-example-config
+        - name: data
+          persistentVolumeClaim:
+            claimName: vault-claim
+      initContainers:
+        - name: setupperms
+          image: alpine:latest
+          command: ['sh', '-c', 'echo The app is running! && chown 100 /vault/data && ls -l /vault/']
+          volumeMounts:
+          - name: data
+            mountPath: /vault/data
+      containers:
+        - name: vault
+          securityContext:
+            runAsNonRoot: true
+            runAsGroup: 1000
+            runAsUser: 100
+            capabilities:
+              add: ["IPC_LOCK"]
+          image: vault:1.3.1
+          imagePullPolicy: IfNotPresent
+          command:
+          - "/bin/sh"
+          - "-ec"
+          args:
+          - |
+            sed -E "s/HOST_IP/${HOST_IP?}/g" /vault/config/extraconfig-from-values.hcl > /tmp/storageconfig.hcl;
+            sed -Ei "s/POD_IP/${POD_IP?}/g" /tmp/storageconfig.hcl;
+            /usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl
+          env:
+            - name: HOST_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.hostIP
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
+            - name: VAULT_ADDR
+              value: "http://127.0.0.1:8200"
+            - name: VAULT_API_ADDR
+              value: "http://$(POD_IP):8200"
+            - name: SKIP_CHOWN
+              value: "true"
+            - name: SKIP_SETCAP
+              value: "true"
+          volumeMounts:
+          - name: config
+            mountPath: /vault/config
+          - name: data
+            mountPath: /vault/data
+          ports:
+            - containerPort: 8200
+              name: http
+            - containerPort: 8201
+              name: internal
+            - containerPort: 8202
+              name: replication
+          readinessProbe:
+            # Check status; unsealed vault servers return 0
+            # The exit code reflects the seal status:
+            #   0 - unsealed
+            #   1 - error
+            #   2 - sealed
+            exec:
+              command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"]
+            failureThreshold: 2
+            initialDelaySeconds: 5
+            periodSeconds: 3
+            successThreshold: 1
+            timeoutSeconds: 5
+          livenessProbe:
+            httpGet:
+              path: "/v1/sys/health?standbyok=true"
+              port: 8200
+              scheme: HTTP
+            initialDelaySeconds: 60
+            periodSeconds: 3
+            successThreshold: 1
+            timeoutSeconds: 5
+          lifecycle:
+            # Vault container doesn't receive SIGTERM from Kubernetes
+            # and after the grace period ends, Kube sends SIGKILL.  This
+            # causes issues with graceful shutdowns such as deregistering itself
+            # from Consul (zombie services).
+            preStop:
+              exec:
+                command: [
+                  "/bin/sh", "-c",
+                  # Adding a sleep here to give the pod eviction a
+                  # chance to propagate, so requests will not be made
+                  # to this pod while it's terminating
+                  "sleep 5 && kill -SIGTERM $(pidof vault)",
+                ]
+      

hashicorp/vault/server/server-storageclass.yaml

@@ -0,0 +1,6 @@
+# kind: StorageClass
+# apiVersion: storage.k8s.io/v1
+# metadata:
+#   name: local-storage
+# provisioner: kubernetes.io/no-provisioner
+# volumeBindingMode: WaitForFirstConsumer

hashicorp/vault/server/ui-service.yaml

@@ -0,0 +1,20 @@
+# Headless service for Vault server DNS entries. This service should only
+# point to Vault servers. For access to an agent, one should assume that
+# the agent is installed locally on the node and the NODE_IP should be used.
+# If the node can't run a Vault agent, then this service can be used to
+# communicate directly to a server agent.
+apiVersion: v1
+kind: Service
+metadata:
+  name: vault-example-ui
+  labels:
+    app.kubernetes.io/name: vault-example-ui
+spec:
+  selector:
+    app.kubernetes.io/name: vault-example
+    component: server
+  publishNotReadyAddresses: true
+  ports:
+    - name: http
+      port: 8080
+      targetPort: 8200