Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
142 lines (126 sloc) 3.59 KB
apiVersion: "vault.banzaicloud.com/v1alpha1"
kind: "Vault"
metadata:
name: "vault"
spec:
size: 1
image: vault:1.1.0
bankVaultsImage: banzaicloud/bank-vaults:latest
# Specify the ServiceAccount where the Vault Pod and the Bank-Vaults configurer/unsealer is running
serviceAccount: vault
# Specify the Service's type where the Vault Service is exposed
serviceType: ClusterIP
# Use local disk to store Vault file data, see config section.
volumes:
- name: vault-file
persistentVolumeClaim:
claimName: vault-file
volumeMounts:
- name: vault-file
mountPath: /vault/file
fluentdEnabled: true
fluentdImage: banzaicloud/fluentd-s3:latest
fluentdConfig: |
<source>
@type tail
format json
keep_time_key true
time_format %iso8601
path /vault/logs/vault.log
pos_file /vault/logs/vault.log.pos
tag s3.vault.audit
</source>
<match s3.*.*>
@type s3
aws_key_id "#{ENV['AWS_ACCESS_KEY_ID']}"
aws_sec_key "#{ENV['AWS_SECRET_ACCESS_KEY']}"
s3_bucket bank-vaults
s3_region eu-west-1
path logs/
time_slice_format %Y%m%d%H
time_slice_wait 10m
utc
</match>
# Pass secret to bank-vaults environment variables.
# kubectl create secret generic aws-access-key \
# --from-literal=aws-access-key-id=$AWS_ACCESS_KEY_ID \
# --from-literal=aws-secret-access-key=$AWS_SECRET_ACCESS_KEY
envsConfig:
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: aws-access-key
key: aws-access-key-id
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: aws-access-key
key: aws-secret-access-key
# Describe where you would like to store the Vault unseal keys and root token.
unsealConfig:
kubernetes:
secretNamespace: default
# A YAML representation of a final vault config file.
# See https://www.vaultproject.io/docs/configuration/ for more information.
config:
storage:
file:
path: "/vault/file"
listener:
tcp:
address: "0.0.0.0:8200"
# Uncommenting the following line and deleting tls_cert_file and tls_key_file disables TLS
# tls_disable: true
tls_cert_file: /vault/tls/server.crt
tls_key_file: /vault/tls/server.key
telemetry:
statsd_address: localhost:9125
ui: true
# See: https://github.com/banzaicloud/bank-vaults#example-external-vault-configuration for more details.
externalConfig:
policies:
- name: allow_secrets
rules: path "secret/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
auth:
- type: kubernetes
roles:
# Allow every pod in the default namespace to use the secret kv store
- name: default
bound_service_account_names: default
bound_service_account_namespaces: default
policies: allow_secrets
ttl: 1h
audit:
- type: file
description: "File based audit logging device"
options:
file_path: /vault/logs/vault.log
mode: "0640"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: vault-file
spec:
# https://kubernetes.io/docs/concepts/storage/persistent-volumes/#class-1
# storageClassName: ""
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
# ---
# apiVersion: v1
# kind: PersistentVolume
# metadata:
# name: vault-file
# spec:
# capacity:
# storage: 1Gi
# accessModes:
# - ReadWriteOnce
# persistentVolumeReclaimPolicy: Delete
# hostPath:
# path: /vault/file
You can’t perform that action at this time.