author | 2024-05-27 00:03:45 +0100 | |
---|---|---|
committer | 2024-05-27 18:15:44 +0100 | |
commit | a044ef952a9286a5eaba15446b86246a873ea0ff (patch) | |
tree | 65d09f4304786ee5a14baa39e821dacfe47f6a72 /kubernetes | |
parent | Add pydis.wtf cert to vault namespace (diff) |
Add Helm instructions for Vault
Diffstat (limited to 'kubernetes')
-rw-r--r-- | kubernetes/namespaces/vault/README.md | 29 | ||||
-rw-r--r-- | kubernetes/namespaces/vault/ingress.yaml | 25 |
2 files changed, 54 insertions, 0 deletions
diff --git a/kubernetes/namespaces/vault/README.md b/kubernetes/namespaces/vault/README.md
new file mode 100644
index 0000000..5965862
--- /dev/null
+++ b/kubernetes/namespaces/vault/README.md
@@ -0,0 +1,29 @@
+# Vault
+
+We deploy an instance of [HashiCorp
+Vault](https://developer.hashicorp.com/vault) to store various types of secret
+data used on the cluster.
+
+We use it to issue X509 certificates for mutual TLS setups.
+
+As well as this, the Helm chart used allows for secret injection based on the
+annotations present in pods deployed to the cluster. See more
+[here](https://developer.hashicorp.com/vault/docs/platform/k8s/injector)
+
+# Setup
+
+1. Add the Helm repository for HashiCorp:
+
+``` sh
+$ helm repo add hashicorp https://helm.releases.hashicorp.com
+"hashicorp" has been added to your repositories
+```
+
+2. Install Vault to the `vault` namespace using the following command:
+
+``` sh
+$ helm install --create-namespace vault hashicorp/vault --namespace vault
+...
+```
+
+3. Voila, Vault is deployed in the `vault` namespace.
diff --git a/kubernetes/namespaces/vault/ingress.yaml b/kubernetes/namespaces/vault/ingress.yaml
new file mode 100644
index 0000000..7e42525
--- /dev/null
+++ b/kubernetes/namespaces/vault/ingress.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+    nginx.ingress.kubernetes.io/auth-tls-secret: "kube-system/mtls-client-crt-bundle"
+    nginx.ingress.kubernetes.io/auth-tls-error-page: "https://www.youtube.com/watch?v=dQw4w9WgXcQ"
+  name: vault
+  namespace: vault
+spec:
+  tls:
+  - hosts:
+    - "*.pydis.wtf"
+    secretName: pydis.wtf-tls
+  rules:
+  - host: vault.pydis.wtf
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: vault
+            port:
+              number: 8200 |
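Review bot: The Ingress relies on the ingress-nginx `auth-tls-*` annotations for client-certificate verification but sets no `spec.ingressClassName`, so if the cluster's default IngressClass is not the ingress-nginx controller those annotations are silently ignored and vault.pydis.wtf is served with no mTLS gate at all; add `ingressClassName: nginx` under `spec:` (substituting whatever class name the cluster's ingress-nginx controller registers) so the verification is bound to the controller that enforces it. Separately, with no `nginx.ingress.kubernetes.io/backend-protocol` annotation the controller will speak plain HTTP to the `vault` service on 8200, which is only correct if the Vault listener is left without TLS; a comment on the backend such as `# TLS terminates at the ingress; the in-cluster hop to the Vault listener is plaintext by design` would make that assumption explicit. The Helm values for the Vault release are not part of this commit, so whether the listener is HTTP or HTTPS cannot be confirmed from here.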