vault ha as ingress
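---
# Helm values for the Vault chart: three-node Raft HA, TLS material issued
# by cert-manager, and external access through an nginx ingress.
# Indentation was lost in the pasted copy; nesting below follows the chart's
# values layout (everything except `global`, `injector` and `ui` sits under
# `server`).
global:
  enabled: true

injector:
  enabled: false

server:
  enabled: true
  # NOTE(review): the chart's documented log-level key is `server.logLevel`;
  # confirm that `logging` is actually honored, otherwise this is a no-op.
  # Debug logging is very verbose — drop back to `info` once the cluster is up.
  logging: debug

  dataStorage:
    enabled: true
    size: 1Gi

  extraEnvironmentVars:
    VAULT_ADDR: "https://127.0.0.1:8200"
    # Disables server-certificate verification for the in-pod vault CLI (the
    # poststart script, presumably). It is needed as written because the
    # cert's SANs are the ingress tls hosts below, which do not cover
    # 127.0.0.1. A verified alternative is VAULT_ADDR pointing at the pod's
    # own <release>-N.<release>-internal name plus
    # VAULT_CACERT=/vault/tls/tls.crt — confirm against the poststart script.
    VAULT_SKIP_VERIFY: "true"

  extraSecretEnvironmentVars:  ## only needed if you want to enable ldap auth
    # Bind password is read from a Secret rather than written here.
    - envName: VAULT_LDAP_BINDPASS
      secretName: vault-ldap-creds
      secretKey: bindpass

  volumes:
    - name: ldap-config  ## only needed if you want to enable ldap auth
      configMap:
        name: ldap-group-users-policies
    - name: poststart-script
      configMap:
        name: vault-poststart-script
    - name: tls-secret
      secret:
        secretName: vault-tls-secret  # Will be created by cert-manager

  volumeMounts:
    - name: ldap-config
      mountPath: /vault/user-config
    - name: poststart-script
      mountPath: /vault/scripts
    - name: tls-secret
      mountPath: /vault/tls

  # Ingress allows ingress services to be created to allow external access
  # from Kubernetes to access Vault pods.
  # If deployment is on OpenShift, the following block is ignored.
  # In order to expose the service, use the route section below
  ingress:
    enabled: true
    annotations:
      cert-manager.io/cluster-issuer: selfsigned  ## cert-manager must be preinstalled in the cluster. Also check and match the cluster issuer name
      kubernetes.io/tls-acme: "true"
      # Vault terminates TLS itself (tls_disable = 0 in the raft config
      # below), so nginx must speak HTTPS to the backend.
      nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    ingressClassName: "nginx"
    pathType: Prefix
    # When HA mode is enabled and K8s service registration is being used,
    # configure the ingress to point to the Vault active service.
    activeService: true
    hosts:
      - host: "vault-myorg.com"
        paths: []
    ## Extra paths to prepend to the host configuration. This is useful when working with annotation based services.
    extraPaths: []
    tls:
      - secretName: vault-tls-secret  # Cert-manager will populate this secret with the TLS certificate and key
        # Every name listed here becomes a SAN of the issued certificate. The
        # internal pod names are required so the nodes can verify each other
        # during retry_join (see leader_api_addr below).
        hosts:
          - "vault-myorg.com"  ## or whatever you want
          - "vault-ing-0.vault-ing-internal"  ## replace with your release name, it should be in this format {{ .Release.Name }}-0.{{ .Release.Name }}-internal
          - "vault-ing-1.vault-ing-internal"  ## replace with your release name, it should be in this format {{ .Release.Name }}-1.{{ .Release.Name }}-internal
          - "vault-ing-2.vault-ing-internal"  ## replace with your release name, it should be in this format {{ .Release.Name }}-2.{{ .Release.Name }}-internal

  # hostAliases is a list of aliases to be added to /etc/hosts. Specified as a YAML list.
  hostAliases:
    - ip: 127.0.0.1
      hostnames:
        - localhost

  ha:
    enabled: true
    replicas: 3
    raft:
      enabled: true
      # Rendered through the chart's template engine, so {{ .Release.Name }}
      # expands to the release name; the hostnames must match the ingress tls
      # hosts above.
      config: |
        ui = true
        cluster_name = "{{ .Release.Name }}"
        listener "tcp" {
          address = "[::]:8200"
          cluster_address = "[::]:8201"
          tls_cert_file = "/vault/tls/tls.crt"
          tls_key_file = "/vault/tls/tls.key"
          tls_disable = 0 # Enable TLS
        }
        storage "raft" {
          path = "/vault/data"
          # leader_ca_cert_file points at the leaf certificate itself; this
          # only verifies because the issuer is self-signed. With a CA-backed
          # issuer, point it at the ca.crt key of the same secret instead.
          retry_join {
            leader_api_addr = "https://{{ .Release.Name }}-0.{{ .Release.Name }}-internal:8200"
            leader_ca_cert_file = "/vault/tls/tls.crt"
          }
          retry_join {
            leader_api_addr = "https://{{ .Release.Name }}-1.{{ .Release.Name }}-internal:8200"
            leader_ca_cert_file = "/vault/tls/tls.crt"
          }
          retry_join {
            leader_api_addr = "https://{{ .Release.Name }}-2.{{ .Release.Name }}-internal:8200"
            leader_ca_cert_file = "/vault/tls/tls.crt"
          }
        }
        service_registration "kubernetes" {}

ui:
  enabled: true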