diff --git a/vault/justfile b/vault/justfile
index 7cc9f59..0475347 100644
--- a/vault/justfile
+++ b/vault/justfile
@@ -1,7 +1,7 @@
 set fallback := true
 export K8S_VAULT_NAMESPACE := env("K8S_VAULT_NAMESPACE", "vault")
-export VAULT_CHART_VERSION := env("VAULT_CHART_VERSION", "0.29.1")
+export VAULT_CHART_VERSION := env("VAULT_CHART_VERSION", "0.31.0")
 export VAULT_HOST := env("VAULT_HOST", "")
 export VAULT_ADDR := "https://" + VAULT_HOST
 export VAULT_DEBUG := env("VAULT_DEBUG", "false")
@@ -77,6 +77,10 @@ install: check-env
     set -eu
     just create-namespace
     just add-helm-repo
+
+    kubectl label namespace ${K8S_VAULT_NAMESPACE} \
+      pod-security.kubernetes.io/enforce=restricted --overwrite
+
     gomplate -f vault-values.gomplate.yaml -o vault-values.yaml
     helm upgrade --cleanup-on-fail --install vault hashicorp/vault \
       --version ${VAULT_CHART_VERSION} -n ${K8S_VAULT_NAMESPACE} --wait -f vault-values.yaml
diff --git a/vault/vault-values.gomplate.yaml b/vault/vault-values.gomplate.yaml
index 8de3118..d486878 100644
--- a/vault/vault-values.gomplate.yaml
+++ b/vault/vault-values.gomplate.yaml
@@ -1,4 +1,17 @@
 injector:
+  securityContext:
+    pod:
+      runAsNonRoot: true
+      runAsUser: 100
+      runAsGroup: 1000
+      fsGroup: 1000
+      seccompProfile:
+        type: RuntimeDefault
+    container:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+          - ALL
   resources:
     requests:
       cpu: 50m
@@ -8,24 +21,23 @@ injector:
       memory: 128Mi
 
 csi:
-  enabled: true
-  agent:
-    resources:
-      requests:
-        cpu: 50m
-        memory: 128Mi
-      limits:
-        cpu: 50m
-        memory: 128Mi
-  resources:
-    requests:
-      cpu: 50m
-      memory: 64Mi
-    limits:
-      cpu: 50m
-      memory: 128Mi
+  enabled: false
 
 server:
+  statefulSet:
+    securityContext:
+      pod:
+        runAsNonRoot: true
+        runAsUser: 100
+        runAsGroup: 1000
+        fsGroup: 1000
+        seccompProfile:
+          type: RuntimeDefault
+      container:
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop:
+            - ALL
   resources:
     requests:
       cpu: 50m
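Review bot: The added `kubectl label` sets only the `enforce` mode, so a pod that violates the restricted profile is rejected at admission with the event attached to the StatefulSet/ReplicaSet rather than the command output, and the following `helm upgrade --wait` simply times out with no pointer to the cause. Setting the warn and audit modes on the same command surfaces the violation directly: `kubectl label namespace ${K8S_VAULT_NAMESPACE} \` / `pod-security.kubernetes.io/enforce=restricted pod-security.kubernetes.io/warn=restricted \` / `pod-security.kubernetes.io/audit=restricted --overwrite`. Because the label is applied before the chart is installed, any later change to the templated values that drops the matching securityContext will hit this path, so a short comment such as `# restricted PSS is enforced before install; pods rejected here show up only as events` above the command would help the next operator. The `install` recipe may continue past the end of the hunk.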
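Review bot: The 13-line `securityContext` block added under `injector` is repeated verbatim under `server.statefulSet` in the next hunk, so the two copies can drift apart when one is tightened later. Since this file is a template that is rendered before helm reads it, a single YAML anchor on the first copy (`securityContext: &restrictedSC`) referenced from the second (`securityContext: *restrictedSC`) keeps one source of truth; helm's YAML parser accepts anchors, though this should be confirmed against the rendered `vault-values.yaml`. The numeric `runAsUser: 100` / `runAsGroup: 1000` values are presumably the uid/gid the injector image ships with; a one-line comment `# uid/gid of the vault user in the upstream images` next to them would record why these specific numbers were chosen.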
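Review bot: `capabilities.drop: [ALL]` on the server container also drops `IPC_LOCK`, which Vault needs for mlock unless its server config sets `disable_mlock = true`; that config is not in this hunk, so it should be confirmed before relying on this security context, otherwise the server pod fails at startup and the restricted profile prevents adding the capability back. A comment above `container:` such as `# restricted PSS: IPC_LOCK is dropped, server config must set disable_mlock = true` would record the dependency. `csi.enabled: false` removes the CSI provider outright rather than hardening it; presumably because the provider needs host-level access the restricted profile forbids, but the reason should be written down next to the key, e.g. `# CSI provider disabled: incompatible with the restricted pod-security profile`, since any SecretProviderClass consumers lose that path.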