feat: initial raft setup and pvc for raft data

services/vault/03-volume-claims.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: vault-raft-data-pvc
+  namespace: vault
+spec:
+  storageClassName: longhorn-locality-retain
+  resources:
+    requests:
+      storage: 10Gi
+  accessModes:
+    - ReadOnlyMany # Raft will serve as integrated storage and so its purpose is to be made avilable to more than one node

services/vault/vault-operator-prod-values.yaml

@@ -1,7 +1,7 @@
 defaultVaultConnection:
   enabled: true
   address: "http://vault.vault.svc.cluster.local:8200"
-  skipTLSVerify: false
+  skipTLSVerify: true
 controller:
   manager:
     clientCache:

services/vault/vault-prod-values.yaml

@@ -1,34 +1,48 @@
 #https://developer.hashicorp.com/vault/docs/platform/k8s/helm/configuration
-# global:
-#   tlsDisable: true
 server:
   dev:
     enabled: false
   logLevel: debug
 ui:
   enabled: true
-  serviceType: "LoadBalancer"
-  externalPort: 8200
+  serviceType: "ClusterIP"
+  externalPort: 80
 
-ha:
-  enabled: true
-  raft:
-    enabled: true
-    config: |
-      storage "raft" {
-        path    = "./vault/raft_storage"
-      }
-
-      listener "tcp" {
-        address     = "127.0.0.1:8200"
-      }
+volumes:
+  - name: vault-data
+    persistentVolumeClaim:
+      claimName: vault-raft-data-pvc
 
-      api_addr = "http://127.0.0.1:8200"
-      cluster_addr = "https://127.0.0.1:8201"
+volumeMounts:
+  - mountPath: /opt/vault/raft
+    name: vault-data
 
-dataStorage:
+ha:
   enabled: true
-  storageClass: "longhorn-locality-retain"
+  config: |
+    disable_mlock = true # avoids out of memory errors by blocking swapping of its virtual pages
+    
+    listener "tcp" {
+      address = "0.0.0.0:8200"
+      tls_cert_file      = "/opt/vault/tls/vault-cert.pem"
+      tls_key_file       = "/opt/vault/tls/vault-key.pem"
+      tls_client_ca_file = "/opt/vault/tls/vault-ca.pem" # certificate of the CA root
+    }
+
+    storage "raft" {
+      path    = "/opt/vault/raft"
 
+      #retry_join {
+      #  leader_tls_servername   = "vault"
+      #  leader_api_addr         = "https://0.0.0.0:8200"
+      #  leader_ca_cert_file     = "/opt/vault/tls/vault-ca.pem"
+      #  leader_client_cert_file = "/opt/vault/tls/vault-cert.pem"
+      #   leader_client_key_file  = "/opt/vault/tls/vault-key.pem"
+      #}
+    }
+  raft:
+    enabled: true
+    replicas: 3
+
 injector:
   enabled: "false"