rickardgranberg / terraform-provider-vaultoperator

Terraform Provider for Vault Operator operations
Mozilla Public License 2.0

FEAT: support vault operator raft join #16

Open ElfoLiNk opened 1 year ago

ElfoLiNk commented 1 year ago

After `operator init`, it would be good to also support `vault operator raft join`, so the remaining replicas can be added to the raft cluster from Terraform instead of by hand, e.g.:

# Join the second pod to the raft cluster by pointing it at the first node's API address.
# NOTE(review): this uses a plaintext http:// leader URL. With a TLS-enabled
# listener the URL must be https:// and the join needs -leader-ca-cert (plus
# -leader-client-cert / -leader-client-key where the leader requires a client cert).
kubectl -n vault exec -ti vault-1 -- vault operator raft join http://vault-0.vault-internal:8200
venkatamutyala commented 1 year ago

I was able to get my Vault pods to join the raft cluster automatically once the first node was initialized, without running `vault operator raft join` by hand.

See if this helps. I am using HashiCorp's vault-helm chart v0.23.0; the `retry_join` / `auto_join` stanza in the values below is what performs the join.


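        # Vault Helm Chart Value Overrides (hashicorp/vault-helm v0.23.0).
        # Raft peers discover each other through `retry_join.auto_join` below, so no
        # manual `vault operator raft join` is needed after `operator init`.
        # NOTE: this values file is itself templated ({{ .Values.captain_domain }}),
        # so it is rendered by an outer tool before Helm sees it.
        global:
          enabled: true
          # Keep TLS on: the listener, retry_join and ingress below all assume it.
          tlsDisable: false
        ui:
          enabled: true

        server:
          image:
            # Quoted so the version-looking tag is always read as a string.
            tag: "1.12.3"
          ingress:
            # Route to every server pod; standbys forward requests to the active node.
            activeService: false
            annotations:
              # `kubernetes.io/ingress.class` is a deprecated annotation; prefer the
              # chart's `ingressClassName` value if this chart version supports it.
              kubernetes.io/ingress.class: internal-ingress-nginx
              # Vault terminates TLS itself, so nginx must re-encrypt to the pods.
              nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
            enabled: true
            hosts:
              - host: vault.{{ .Values.captain_domain }}

          # Point the in-pod `vault` CLI at the same cert material the server uses.
          extraEnvironmentVars:
            VAULT_CACERT: /vault/userconfig/vault-tls/ca.crt
            VAULT_TLSCERT: /vault/userconfig/vault-tls/tls.crt
            VAULT_TLSKEY: /vault/userconfig/vault-tls/tls.key
          # extraVolumes is a list of extra volumes to mount. These will be exposed
          # to Vault in the path `/vault/userconfig/<name>/`.
          # The `vault-tls` Secret must contain ca.crt, tls.crt and tls.key, and
          # tls.crt must carry a SAN matching `leader_tls_servername` below.
          extraVolumes:
            - type: secret
              name: vault-tls
          standalone:
            enabled: false
          # Run Vault in "HA" mode.
          ha:
            enabled: true
            replicas: 3
            raft:
              enabled: true
              setNodeId: true
              config: |
                ui = true
                listener "tcp" {
                  address = "0.0.0.0:8200"
                  cluster_address = "0.0.0.0:8201"
                  tls_cert_file = "/vault/userconfig/vault-tls/tls.crt"
                  tls_key_file  = "/vault/userconfig/vault-tls/tls.key"
                  # Trust anchor for client certs only. tls_require_and_verify_client_cert
                  # is not set here, so clients are not required to present one (no mTLS).
                  tls_client_ca_file = "/vault/userconfig/vault-tls/ca.crt"
                  # Raise to "tls13" once every client (CLI, ingress, scrapers) supports it.
                  tls_min_version = "tls12"
                  telemetry {
                    # Serves /v1/sys/metrics without a token on this listener, which is
                    # the same listener the ingress fronts. Keep only if the scraper
                    # cannot hold a Vault token, and make sure the ingress does not
                    # expose the metrics path outside the cluster.
                    unauthenticated_metrics_access = true
                  }
                }
                storage "raft" {
                  path = "/vault/data"
                  retry_join {
                    # Peer discovery via the Kubernetes API; presumably needs pod
                    # list/get permission for the server ServiceAccount - verify RBAC.
                    auto_join = "provider=k8s label_selector=\"component=server,app.kubernetes.io/name=vault\" namespace=\"vault\" "
                    # Hostname verified against the leader's cert; must be a SAN on tls.crt.
                    leader_tls_servername = "vault-active.vault.svc.cluster.local"
                    leader_client_cert_file = "/vault/userconfig/vault-tls/tls.crt"
                    leader_client_key_file = "/vault/userconfig/vault-tls/tls.key"
                    leader_ca_cert_file = "/vault/userconfig/vault-tls/ca.crt"
                  }
                  autopilot {
                    cleanup_dead_servers = "true"
                    last_contact_threshold = "200ms"
                    last_contact_failure_threshold = "10m"
                    max_trailing_logs = 250000
                    # Must equal the expected voter count, i.e. `replicas` above.
                    # Autopilot never prunes below this number, so a value of 5 on a
                    # 3-node cluster would make cleanup_dead_servers a no-op.
                    min_quorum = 3
                    server_stabilization_time = "10s"
                  }
                }

                telemetry {
                  disable_hostname = true
                  prometheus_retention_time = "30s"
                  enable_hostname_label = true
                }
                service_registration "kubernetes" {}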