devth · March 29, 2017 16:14 · Mar 29, 2017
diff --git a/vault-statefulset.yaml b/vault-statefulset.yaml
@@ -0,0 +1,84 @@
+---
+apiVersion: apps/v1beta1
+kind: StatefulSet
+metadata:
+  name: {{.Chart.Name}}
+spec:
+  serviceName: {{.Chart.Name}}-headless
+  replicas: {{.Values.vault.replicas}}
+  template:
+    metadata:
+      labels:
+        app: {{.Chart.Name}}
+        tier: {{.Values.tier}}
+    spec:
+      terminationGracePeriodSeconds: 10
+
+      containers:
+        - name: {{.Chart.Name}}
+          # TODO why doesn't this work?
+          securityContext:
+            capabilities:
+              add:
+                - IPC_LOCK
+
+          # readinessProbe ensure traffic is only sent to a pod which is
+          # initialized and unsealed.
+          # even if the pod receives traffic and is not active, it can forward
+          # traffice to the active pod. 
+          # https://www.vaultproject.io/docs/concepts/ha.html
+          # https://www.vaultproject.io/api/system/health.html
+          readinessProbe:
+            httpGet:
+              path: /v1/sys/health?standbyok=true
+              port: 8200
+              scheme: HTTPS
+
+          image: vault:0.7.0
+          args: ["server", "-config", "/vault-config/vault.hcl"]
+          env:
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            # Build up a VAULT_REDIRECT_ADDR from other previously-defined env
+            # vars. NOTE: an alternative would be to dynamically build the
+            # vault.hcl in an init container.
+            - name: VAULT_REDIRECT_ADDR
+              # try to use the simple dns
+              value: "https://$(POD_NAME).{{.Chart.Name}}-headless:8200"
+              # this is the full domain if simple doesn't work
+              # value: "https://$(POD_NAME).{{.Chart.Name}}-headless.$(POD_NAMESPACE).svc.cluster.local:8200"
+            - name: VAULT_CAPATH
+              value: /ca-chain
+            # TODO re-enable setcap when we figure out IPC_LOCK not working
+            # issue
+            - name: SKIP_SETCAP
+              value: "true"
+          volumeMounts:
+            - name: vault-config
+              mountPath: /vault-config
+            - name: vault-tls
+              mountPath: /vault-tls
+            - name: ca-chain
+              mountPath: /ca-chain
+          ports:
+            - containerPort: 8200
+              name: vault-port
+            - containerPort: 8201
+              name: cluster-port
+
+      volumes:
+        - name: vault-config
+          configMap:
+            name: vault-config
+        - name: vault-tls
+          secret:
+            secretName: vault-tls
+        - name: ca-chain
+          secret:
+            secretName: ca-chain