Add Vault Helm charts for otcinfra2 production deployment

- upstream/vault: Chart.yaml, VAULT_KUBECTL_COMMANDS.md, values-otcinfra2.yaml
- local/vault: NetworkPolicy (improved allowedConsumers design), unsealer RBAC,
  helpers template, values-otcinfra2.yaml
- All files identical to preprod except values files and networkpolicy template
  (improved: unified allowedConsumers, removed broad label selector,
  removed allowExternalIPs)

Author: LukasCuperDT

.gitignore

@@ -20,3 +20,4 @@ test_inventory
 doc/source/_svg
 data/backups
 .vscode/
+.pre-commit-config.yaml

kubernetes/helm_charts/local/vault/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: vault-additional-manifests
+description: A custom Helm chart with additional Vault manifests (NetworkPolicy, etc.)
+type: application
+version: 1.0.0
+appVersion: "1.0.0"

kubernetes/helm_charts/local/vault/templates/_helpers.tpl

@@ -0,0 +1,21 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "vault-additional.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "vault-additional.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "vault-additional.labels" -}}
+helm.sh/chart: {{ include "vault-additional.chart" . }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}

kubernetes/helm_charts/local/vault/templates/networkpolicy.yaml

@@ -0,0 +1,89 @@
+{{- if .Values.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: vault-network-policy
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "vault-additional.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    {{- with .Values.networkPolicy.podSelector }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    # Allow Vault-to-Vault communication (raft/cluster)
+    - from:
+        - podSelector:
+            {{- with .Values.networkPolicy.podSelector }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+      ports:
+        - port: {{ .Values.networkPolicy.vaultPort }}
+          protocol: TCP
+        - port: {{ .Values.networkPolicy.clusterPort }}
+          protocol: TCP
+    # Allow from explicitly listed namespaces (with optional pod selector)
+    {{- range .Values.networkPolicy.allowedConsumers }}
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ .namespace }}
+          {{- if .podSelector }}
+          podSelector:
+            matchLabels:
+              {{- toYaml .podSelector | nindent 14 }}
+          {{- end }}
+      ports:
+        - port: {{ $.Values.networkPolicy.vaultPort }}
+          protocol: TCP
+    {{- end }}
+    {{- if .Values.networkPolicy.allowIngress.enabled }}
+    # Allow ingress controller (for remote cluster vault-agent access via LB)
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ .Values.networkPolicy.allowIngress.namespace }}
+          podSelector:
+            matchLabels:
+              {{- toYaml .Values.networkPolicy.allowIngress.podSelector | nindent 14 }}
+      ports:
+        - port: {{ .Values.networkPolicy.vaultPort }}
+          protocol: TCP
+    {{- end }}
+  egress:
+    # Vault to Vault (raft replication)
+    - to:
+        - podSelector:
+            {{- with .Values.networkPolicy.podSelector }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+      ports:
+        - port: {{ .Values.networkPolicy.vaultPort }}
+          protocol: TCP
+        - port: {{ .Values.networkPolicy.clusterPort }}
+          protocol: TCP
+    # DNS resolution
+    - to:
+        - namespaceSelector: {}
+          podSelector:
+            matchLabels:
+              k8s-app: coredns
+      ports:
+        - port: 53
+          protocol: UDP
+        - port: 53
+          protocol: TCP
+    # Allow egress to Kubernetes API (for K8s auth)
+    - to:
+        - ipBlock:
+            cidr: 0.0.0.0/0
+      ports:
+        - port: 443
+          protocol: TCP
+        - port: 6443
+          protocol: TCP
+{{- end }}

kubernetes/helm_charts/local/vault/templates/unsealer-rbac.yaml

@@ -0,0 +1,31 @@
+{{- if .Values.unsealer.enabled }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-unsealer-role
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "vault-additional.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  resourceNames: ["{{ .Values.unsealer.secretName }}"]
+  verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .Release.Name }}-unsealer-rolebinding
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "vault-additional.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ .Release.Name }}-unsealer-role
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.unsealer.serviceAccountName }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}

kubernetes/helm_charts/local/vault/values-prod.yaml

@@ -0,0 +1,80 @@
+# Vault additional manifests configuration for otcinfra2 (production)
+# This chart provides supplementary resources not available in upstream Vault Helm chart
+#
+# NetworkPolicy: deny-all by default, only explicitly listed consumers can reach Vault.
+# Remote clusters (otcinfra1, otcci) access Vault via ingress-nginx.
+
+networkPolicy:
+  enabled: true
+
+  # Pod selector for Vault pods
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: vault
+
+  # Explicit list of namespaces/pods allowed to connect to Vault on port 8200.
+  # Each entry creates a separate ingress rule. All unlisted namespaces are denied.
+  allowedConsumers:
+    # ArgoCD repo-server — runs argocd-vault-plugin for secret injection
+    - namespace: argocd
+      podSelector:
+        app.kubernetes.io/name: argocd-repo-server
+
+    # Backstage — vault-agent sidecar (auth/kubernetes_otcinfra2)
+    - namespace: backstage
+
+    # Circle Partner Navigator — vault-agent sidecar (auth/kubernetes_otcinfra2)
+    - namespace: circle-partner-navigator
+
+    # Dependency Track — vault-agent sidecar for postgres secrets (auth/kubernetes_otcinfra2)
+    - namespace: dependencytrack
+
+    # Eyes on Docs — vault-agent sidecar (auth/kubernetes_otcinfra2)
+    - namespace: eyes-on-docs
+
+    # mCaptcha — vault-agent sidecar (auth/kubernetes_otcinfra2)
+    - namespace: mcaptcha
+
+    # Prometheus — scrape Vault /v1/sys/metrics
+    - namespace: monitoring
+      podSelector:
+        app.kubernetes.io/name: prometheus
+
+  # Ingress controller — required for remote clusters to reach Vault via LB
+  # Remote consumers:
+  #   otcinfra1: anubis, docsportal, swift-proxy, umami (auth/kubernetes_otcinfra1)
+  #   otcci:    zuul (auth/kubernetes_otcci)
+  allowIngress:
+    enabled: true
+    namespace: default
+    podSelector:
+      app.kubernetes.io/name: ingress-nginx
+
+  # Vault API port
+  vaultPort: 8200
+
+  # Vault cluster port (for raft replication)
+  clusterPort: 8201
+
+# Auto-unseal configuration
+# The unsealer sidecar watches for sealed state and auto-unseals using K8s secret
+#
+# Required secret format (vault-unseal-keys in vault namespace):
+# Create the secret with unseal keys from 'vault operator init':
+#
+#   kubectl -n vault create secret generic vault-unseal-keys \
+#     --from-literal=vault-root=<root-token> \
+#     --from-literal=vault-unseal-0=<key1> \
+#     --from-literal=vault-unseal-1=<key2> \
+#     --from-literal=vault-unseal-2=<key3> \
+#     --from-literal=vault-unseal-3=<key4> \
+#     --from-literal=vault-unseal-4=<key5>
+#
+# See: https://bank-vaults.dev/docs/unseal-keys/
+
+# Unsealer RBAC - grants access to the vault-unseal-keys secret
+unsealer:
+  enabled: true
+  secretName: vault-unseal-keys
+  # The upstream vault chart creates ServiceAccount named after the release
+  serviceAccountName: vault

kubernetes/helm_charts/upstream/vault/Chart.yaml

@@ -0,0 +1,8 @@
+apiVersion: v2
+name: vault
+description: HashiCorp Vault for OTC preprod environment
+version: 0.1.0
+dependencies:
+  - name: vault
+    version: "0.30.0"
+    repository: "https://helm.releases.hashicorp.com"