Remove vault-transit service entirely. Each vault node now auto-unseals at startup by reading the Shamir unseal key from a Docker secret managed by vault-bootstrap.sh. Eliminates the transit token expiry failure mode and removes the vault_transit node-pinning requirement.

Changes:
- docker-stack-vault.yml: remove vault-transit service, vault_transit_config, vault-transit-data-vl, transit_master_token / vault_transit_unseal_key secrets; add vault_unseal_key secret; rewrite vault entrypoint to background start + poll + auto-unseal loop
- vault-template-v1.json, vault-template-v2.json: remove seal.transit block
- vault-template-transit.json: deleted (vault-transit is gone)
- vault-bootstrap.sh: full rewrite — node-agnostic run_vault() helper (docker exec fallback to docker run over overlay network), 7-step Shamir flow with SKIP_DEPLOY support and early-exit when vault is already healthy
- deploy-prod.yml: replace BE-Forecast deploy with vault stack deploy + bootstrap (SKIP_DEPLOY=true) + cluster health check
28 lines
661 B
JSON
{
  "storage": {
    "raft": {
      "path": "/vault/file",
      "node_id": "HOSTNAME_PLACEHOLDER",
      "retry_join": [
        {
          "leader_api_addr": "https://vault.iklim.co:8200",
          "tls_skip_verify": true
        }
      ]
    }
  },
  "listener": {
    "tcp": {
      "address": "0.0.0.0:8200",
      "cluster_address": "0.0.0.0:8201",
      "tls_disable": 0,
      "tls_cert_file": "/vault/certs/STAR.iklim.co.full.crt",
      "tls_key_file": "/vault/certs/STAR.iklim.co_key.pem"
    }
  },
  "api_addr": "https://HOSTNAME_PLACEHOLDER:8200",
  "cluster_addr": "https://HOSTNAME_PLACEHOLDER:8201",
  "disable_mlock": true,
  "ui": true
}
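Review bot: `"tls_skip_verify": true` in the raft `retry_join` entry means a node joining via https://vault.iklim.co:8200 accepts whatever certificate the peer presents, so the join path is unauthenticated even though the listener itself enforces TLS with the STAR.iklim.co certificate. Since that certificate chain is already on every node, consider dropping `tls_skip_verify` and setting `leader_ca_cert_file` to the issuing CA (and `leader_tls_servername` if the hostname in `leader_api_addr` does not match the certificate), so that a node only joins a cluster whose leader can prove its identity. `disable_mlock: true` is the documented recommendation for integrated raft storage, so that setting is fine as is.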