Highly available Vault cluster with Consul
Important Note: This chart is not compatible with Helm 2. Please use Helm 3.6+ with this chart.
Compatibility information: As of Consul 1.14.0, Consul on Kubernetes uses Consul Dataplane by default instead of client agents. Vault does not currently support Consul Dataplane. Please follow the Consul 1.14.0 upgrade guide to ensure that your Consul on Kubernetes deployment continues to use client agents.
The values.yaml below can be used to set up a five-server Vault cluster using Consul as a highly available storage backend and Google Cloud KMS for Auto Unseal.
```yaml
server:
  # Credentials and project settings used by the gcpckms seal
  extraEnvironmentVars:
    GOOGLE_REGION: global
    GOOGLE_PROJECT: myproject
    GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/my-gcp-iam/myproject-creds.json

  # Kubernetes secret holding the GCP credentials file
  volumes:
    - name: userconfig-my-gcp-iam
      secret:
        defaultMode: 420
        secretName: my-gcp-iam

  volumeMounts:
    - mountPath: /vault/userconfig/my-gcp-iam
      name: userconfig-my-gcp-iam
      readOnly: true

  # Schedule at most one Vault server pod per node
  affinity: |
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchLabels:
              app: {{ template "vault.name" . }}
              release: "{{ .Release.Name }}"
              component: server
          topologyKey: kubernetes.io/hostname

  service:
    enabled: true

  ha:
    enabled: true
    replicas: 5

    config: |
      ui = true

      # TLS is disabled on this listener
      listener "tcp" {
        tls_disable = 1
        address = "[::]:8200"
        cluster_address = "[::]:8201"
      }

      storage "consul" {
        path = "vault"
        address = "HOST_IP:8500"
      }

      seal "gcpckms" {
        project = "myproject"
        region = "global"
        key_ring = "vault-unseal-kr"
        crypto_key = "vault-unseal-key"
      }

      service_registration "kubernetes" {}
```
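The following check is an added example, not part of the chart or of the original page: it parses the Vault HCL from the `config` value above and reports the listener running with `tls_disable`, the Consul storage connection left on its default `http` scheme, and a missing seal stanza. The function names and the embedded sample are constructed for illustration, and the parser assumes flat stanzas like the ones shown.

```python
import re

# Constructed sample: the Vault HCL carried in server.ha.config above.
SAMPLE_CONFIG = '''
ui = true
listener "tcp" {
  tls_disable = 1
  address = "[::]:8200"
  cluster_address = "[::]:8201"
}
storage "consul" {
  path = "vault"
  address = "HOST_IP:8500"
}
seal "gcpckms" {
  project = "myproject"
  region = "global"
  key_ring = "vault-unseal-kr"
  crypto_key = "vault-unseal-key"
}
service_registration "kubernetes" {}
'''

# Flat stanzas only: kind "label" { key = value ... } with no nested braces.
BLOCK = re.compile(r'^\s*(\w+)\s+"([^"]+)"\s*\{(.*?)\}', re.S | re.M)
ATTR = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]*?)"?\s*$', re.M)

def parse_stanzas(hcl):
    """Map (kind, label) -> {attribute: value} for each stanza."""
    return {(k, l): dict(ATTR.findall(b)) for k, l, b in BLOCK.findall(hcl)}

def audit(hcl):
    """Return findings for transport and seal settings in a Vault config."""
    stanzas, findings = parse_stanzas(hcl), []
    for (kind, label), attrs in stanzas.items():
        if kind == "listener" and attrs.get("tls_disable", "0").lower() in ("1", "true"):
            findings.append(f'listener "{label}" {attrs.get("address")}: TLS disabled')
        # Vault's Consul storage backend defaults to scheme "http".
        if (kind, label) == ("storage", "consul") and attrs.get("scheme", "http") != "https":
            findings.append(f'storage "consul" {attrs.get("address")}: plain HTTP to Consul')
    if not any(kind == "seal" for kind, _ in stanzas):
        findings.append("no seal stanza: auto unseal is not configured")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```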