feat: set data storage for raft and intial raft setup

services/cert-manager/deploy-dev.sh

@@ -5,6 +5,7 @@ helm repo update
 
 kubectl apply -f $(dirname $0)/00-namespace.yaml
 
-helm upgrade --install -f $(dirname $0)/values.yaml cert-manager jetstack/cert-manager --namespace cert-manager
+helm upgrade --install -f $(dirname $0)/values.yaml cert-manager jetstack/cert-manager --version v1.14.7 --namespace cert-manager
+
+kubectl apply -f $(dirname $0)/01-cluster-issuer-dev.yaml
 
-kubectl apply -f $(dirname $0)/01-cluster-issuer-dev.yaml

services/vault/vault-operator-prod-values.yaml

@@ -1,6 +1,6 @@
 defaultVaultConnection:
   enabled: true
-  address: "http://vault.vault.svc.cluster.local:8200"
+  address: "https://vault.vault.svc.cluster.local:8200"
   skipTLSVerify: false
 controller:
   manager:

services/vault/vault-prod-values.yaml

@@ -1,34 +1,46 @@
 #https://developer.hashicorp.com/vault/docs/platform/k8s/helm/configuration
-# global:
-#   tlsDisable: true
 server:
   dev:
     enabled: false
   logLevel: debug
 ui:
   enabled: true
-  serviceType: "LoadBalancer"
-  externalPort: 8200
+  serviceType: "ClusterIP"
+  externalPort: 80
 
-ha:
+dataStorage:
   enabled: true
-  raft:
-    enabled: true
-    config: |
-      storage "raft" {
-        path    = "./vault/raft_storage"
-      }
-
-      listener "tcp" {
-        address     = "127.0.0.1:8200"
-      }
-
-      api_addr = "http://127.0.0.1:8200"
-      cluster_addr = "https://127.0.0.1:8201"
+  size: 2Gi
+  storageClass: longhorn-locality-retain
+  mountPath: "opt/vault/raft"
+  accessMode: ReadWriteOnce
 
-dataStorage:
+ha:
   enabled: true
-  storageClass: "longhorn-locality-retain"
+  config: |
+    disable_mlock = true # avoids out of memory errors by blocking swapping of its virtual pages
+    
+    listener "tcp" {
+      address = "0.0.0.0:8200"
+      tls_cert_file      = "/opt/vault/tls/vault-cert.pem"
+      tls_key_file       = "/opt/vault/tls/vault-key.pem"
+      tls_client_ca_file = "/opt/vault/tls/vault-ca.pem" # certificate of the CA root
+    }
+
+    storage "raft" {
+      path    = "/opt/vault/raft"
 
+      #retry_join {
+      #  leader_tls_servername   = "vault"
+      #  leader_api_addr         = "https://0.0.0.0:8200"
+      #  leader_ca_cert_file     = "/opt/vault/tls/vault-ca.pem"
+      #  leader_client_cert_file = "/opt/vault/tls/vault-cert.pem"
+      #   leader_client_key_file  = "/opt/vault/tls/vault-key.pem"
+      #}
+    }
+  raft:
+    enabled: true
+    replicas: 3
+
 injector:
   enabled: "false"