»Highly Available Vault Cluster with Consul

Important Note: This chart is not compatible with Helm 2. Please use Helm 3.6+ with this chart.

Compatibility information: As of Consul 1.14.0, Consul on Kubernetes uses Consul Dataplane by default instead of client agents. Vault does not currently support Consul Dataplane. Please follow the Consul 1.14.0 upgrade guide to ensure that your Consul on Kubernetes deployment continues to use client agents.

The below values.yaml can be used to set up a five server Vault cluster using Consul as a highly available storage backend, Google Cloud KMS for Auto Unseal.

server:
  extraEnvironmentVars:
    GOOGLE_REGION: global
    GOOGLE_PROJECT: myproject
    GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/my-gcp-iam/myproject-creds.json

  volumes:
    - name: userconfig-my-gcp-iam
      secret:
        defaultMode: 420
        secretName: my-gcp-iam

  volumeMounts:
    - mountPath: /vault/userconfig/my-gcp-iam
      name: userconfig-my-gcp-iam
      readOnly: true

  affinity: |
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchLabels:
              app: {{ template "vault.name" . }}
              release: "{{ .Release.Name }}"
              component: server
          topologyKey: kubernetes.io/hostname

  service:
    enabled: true

  ha:
    enabled: true
    replicas: 5

    config: |
      ui = true

      listener "tcp" {
        tls_disable = 1
        address = "[::]:8200"
        cluster_address = "[::]:8201"
      }

      storage "consul" {
        path = "vault"
        address = "HOST_IP:8500"
      }

      seal "gcpckms" {
         project     = "myproject"
         region      = "global"
         key_ring    = "vault-unseal-kr"
         crypto_key  = "vault-unseal-key"
      }

      service_registration "kubernetes" {}