Vault private ingress

vault/helm/vault/Chart.lock

@@ -3,4 +3,4 @@ dependencies:
   repository: https://helm.releases.hashicorp.com
   version: 0.19.0
 digest: sha256:4a17178a3797d0264a0234d95ab0797ca60c746e180eb0737e0794698a088604
-generated: "2022-04-21T11:05:44.601066434+01:00"
+generated: "2022-11-15T17:09:32.126513+02:00"

vault/helm/vault/runbooks/scaling-manual.xml

@@ -0,0 +1,105 @@
+<root gap='medium'>
+    <box pad='small' gap='medium' direction='row' align='center'>
+        <button label='Scale' action='scale' primary='true' headline='true' />
+        <box direction='row' align='center' gap='small'>
+            <box gap='small' align='center'>
+                <timeseries datasource="vault-web-cpu" label="Vault Web CPU Usage" />
+                <text size='small'>You should set a requests to
+                    roughly correspond to 80% regular utilization</text>
+                <text size='small'>Normally a CPU limit is not required</text>
+            </box>
+            <box gap='small' align='center'>
+                <timeseries datasource="vault-web-memory" label="Vault Web Memory Usage" />
+                <text size='small'>You should set a requests to
+                    roughly correspond to 80% regular utilization</text>
+                <text size='small'>A memory limit should be set to avoid resource starvation</text>
+            </box>
+        </box>
+        <box gap='xsmall'>
+            <box gap='xsmall'>
+                <input placeholder="250m" label='Vault Web CPU Request' name='vault-web-cpu'>
+                    <valueFrom
+                            datasource="vault"
+                            doc="kubernetes.raw"
+                            path="spec.template.spec.containers[0].resources.requests.cpu" />
+                </input>
+                <input placeholder="1Gi" label='Vault Web Memory Request' name='vault-web-memory'>
+                    <valueFrom
+                            datasource="vault"
+                            doc="kubernetes.raw"
+                            path="spec.template.spec.containers[0].resources.requests.memory" />
+                </input>
+            </box>
+            <box gap='xsmall'>
+                <input placeholder="250m" label='Vault Web CPU Limit' name='vault-web-cpu-limit'>
+                    <valueFrom
+                            datasource="vault"
+                            doc="kubernetes.raw"
+                            path="spec.template.spec.containers[0].resources.limits.cpu" />
+                </input>
+                <input placeholder="1Gi" label='Vault Web Memory Limit' name='vault-web-memory-limit'>
+                    <valueFrom
+                            datasource="vault"
+                            doc="kubernetes.raw"
+                            path="spec.template.spec.containers[0].resources.limits.memory" />
+                </input>
+            </box>
+        </box>
+    </box>
+    <box pad='small' gap='medium' direction='row' align='center'>
+        <box direction='row' align='center' gap='small'>
+            <box gap='small' align='center'>
+                <timeseries datasource="vault-injector-cpu" label="Vault Injector CPU Usage" />
+                <text size='small'>You should set a requests to
+                    roughly correspond to 80% regular utilization</text>
+                <text size='small'>Normally a CPU limit is not required</text>
+            </box>
+            <box gap='small' align='center'>
+                <timeseries datasource="vault-injector-memory" label="Vault Injector Memory Usage" />
+                <text size='small'>You should set a requests to
+                    roughly correspond to 80% regular utilization</text>
+                <text size='small'>A memory limit should be set to avoid resource starvation</text>
+            </box>
+        </box>
+        <box gap='xsmall'>
+            <box gap='xsmall'>
+                <input placeholder="250m" label='Vault Injector  CPU Request' name='vault-injector-cpu'>
+                    <valueFrom
+                            datasource="vault-injector"
+                            doc="kubernetes.raw"
+                            path="spec.template.spec.containers[0].resources.requests.cpu" />
+                </input>
+                <input placeholder="1Gi" label='Vault Injector Memory Request' name='vault-injector-memory'>
+                    <valueFrom
+                            datasource="vault-injector"
+                            doc="kubernetes.raw"
+                            path="spec.template.spec.containers[0].resources.requests.memory" />
+                </input>
+            </box>
+            <box gap='xsmall'>
+                <input placeholder="250m" label='Vault Injector CPU Limit' name='vault-injector-cpu-limit'>
+                    <valueFrom
+                            datasource="vault-injector"
+                            doc="kubernetes.raw"
+                            path="spec.template.spec.containers[0].resources.limits.cpu" />
+                </input>
+                <input placeholder="1Gi" label='Vault Injector Memory Limit' name='vault-injector-memory-limit'>
+                    <valueFrom
+                            datasource="vault-injector"
+                            doc="kubernetes.raw"
+                            path="spec.template.spec.containers[0].resources.limits.memory" />
+                </input>
+                <input placeholder="1" label='Vault Injector Replicas' name='vault-injector-replicas'>
+                    <valueFrom
+                            datasource="vault-injector"
+                            doc="kubernetes.raw"
+                            path="spec.replicas" />
+                </input>
+            </box>
+        </box>
+    </box>
+    <box width='100%' gap='small'>
+        <text size='small'>Be sure to scale your Vault components within the capacity of your nodes.</text>
+        <text size='small'>By default this is a maximum of 8 CPU and 32 Gi memory.</text>
+    </box>
+</root>

vault/helm/vault/templates/runbooks.yaml

@@ -0,0 +1,119 @@
+apiVersion: platform.plural.sh/v1alpha1
+kind: Runbook
+metadata:
+  name: scaling-manual
+  labels:
+    platform.plural.sh/pinned: 'true'
+{{ include "vault-plural.labels" . | indent 4 }}
+spec:
+  name: Vault Scaling
+  description: overview of how to optimally scale your Vault cluster
+  display: |-
+{{ .Files.Get "runbooks/scaling-manual.xml" | indent 4 }}
+  datasources:
+  - name: vault-web-cpu
+    type: prometheus
+    prometheus:
+      format: cpu
+      legend: $pod
+      query: sum(rate(container_cpu_usage_seconds_total{namespace="{{ .Release.Namespace }}",pod=~"vault-[0-9]"}[5m])) by (pod)
+  - name: vault-web-memory
+    type: prometheus
+    prometheus:
+      format: memory
+      legend: $pod
+      query: sum(container_memory_working_set_bytes{namespace="{{ .Release.Namespace }}",pod=~"vault-[0-9]"}) by (pod)
+  - name: vault-injector-cpu
+    type: prometheus
+    prometheus:
+      format: cpu
+      legend: $pod
+      query: sum(rate(container_cpu_usage_seconds_total{namespace="{{ .Release.Namespace }}",pod=~"vault-agent-injector.+"}[5m])) by (pod)
+  - name: vault-injector-memory
+    type: prometheus
+    prometheus:
+      format: memory
+      legend: $pod
+      query: sum(container_memory_working_set_bytes{namespace="{{ .Release.Namespace }}",pod=~"vault-agent-injector.+"}) by (pod)
+  - name: vault
+    type: kubernetes
+    kubernetes:
+      resource: statefulset
+      name: vault
+  - name: vault-injector
+    type: kubernetes
+    kubernetes:
+      resource: deployment
+      name: vault-agent-injector
+  - name: nodes
+    type: nodes
+  actions:
+  - name: scale
+    action: config
+    redirectTo: '/'
+    configuration:
+      updates:
+        - path:
+            - chatwoot
+            - chatwoot
+            - web
+            - resources
+            - requests
+            - cpu
+          valueFrom: chatwoot-web-cpu
+        - path:
+            - chatwoot
+            - chatwoot
+            - web
+            - resources
+            - requests
+            - memory
+          valueFrom: chatwoot-web-memory
+        - path:
+            - chatwoot
+            - chatwoot
+            - web
+            - resources
+            - limits
+            - cpu
+          valueFrom: chatwoot-web-cpu-limit
+        - path:
+            - chatwoot
+            - chatwoot
+            - web
+            - resources
+            - limits
+            - memory
+          valueFrom: chatwoot-web-memory-limit
+        - path:
+            - chatwoot
+            - chatwoot
+            - worker
+            - resources
+            - requests
+            - cpu
+          valueFrom: chatwoot-worker-cpu
+        - path:
+            - chatwoot
+            - chatwoot
+            - worker
+            - resources
+            - requests
+            - memory
+          valueFrom: chatwoot-worker-memory
+        - path:
+            - chatwoot
+            - chatwoot
+            - worker
+            - resources
+            - limits
+            - cpu
+          valueFrom: chatwoot-worker-cpu-limit
+        - path:
+            - chatwoot
+            - chatwoot
+            - worker
+            - resources
+            - limits
+            - memory
+          valueFrom: chatwoot-worker-memory-limit

vault/helm/vault/values.yaml

@@ -2,11 +2,12 @@ vault:
   injector:
     resources:
       requests:
-        memory: 256Mi
-        cpu: 250m
+        memory: 32Mi
+        cpu: 0.1m
       limits:
-        memory: 256Mi
-
+        cpu: 0.2m
+        memory: 48Mi
+
   server:
     image:
       repository: "davidspek/vault"
@@ -18,10 +19,11 @@ vault:
     # Reference Architecture for a Small Cluster
     resources:
       requests:
-        memory: 1Gi
-        cpu: 500m
+        memory: 64Mi
+        cpu: 0.1m
       limits:
-        memory: 16Gi
+        cpu: 0.2m
+        memory: 96Mi
 
     volumes:
     - name: policies
@@ -52,7 +54,16 @@ vault:
 
     standalone:
       enabled: false
-
+
+    ingress:
+      enabled: true
+      internalClassName: nginx
+      annotations:
+        kubernetes.io/tls-acme: "true"
+        cert-manager.io/cluster-issuer: letsencrypt-prod
+        nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+        nginx.ingress.kubernetes.io/use-regex: "true"
+
     # Run Vault in HA mode.
     ha:
       enabled: true
@@ -105,6 +116,7 @@ vault:
     serviceType: ClusterIP
     serviceNodePort: null
     externalPort: 8200
+
 
     # For Added Security, edit the below
     #loadBalancerSourceRanges:
@@ -116,4 +128,4 @@ envSecret: {}
 oidc:
   enabled: false
   redirectHostname: ""
-  adminEmail: ""
+  adminEmail: ""

vault/helm/vault/values.yaml.tpl

@@ -37,13 +37,9 @@ vault:
     {{- end }}
 
     ingress:
-      enabled: true
-      annotations:
-        kubernetes.io/tls-acme: "true"
-        cert-manager.io/cluster-issuer: letsencrypt-prod
-        nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
-        nginx.ingress.kubernetes.io/use-regex: "true"
-      ingressClassName: {{ dedupe . "vault.vault.server.ingress.ingressClassName" "nginx" }}
+      {{- if .Values.exposePrivate }}
+      ingressClassName: internal-nginx
+      {{- end }}
       hosts:
       - host: {{ .Values.hostname }}
         paths: []

vault/plural/recipes/vault-aws.yaml

@@ -18,6 +18,10 @@ sections:
   - name: hostname
     documentation: FQDN to use for your Vault installation
     type: DOMAIN
+  - name: exposePrivate
+    documentation: Should vault only be exposed on the internal network?
+    type: BOOL
+    default: true
   items:
   - type: TERRAFORM
     name: aws