vaultaris /docs

Kubernetes

Deploy Vaultaris on Kubernetes using the official Helm chart or plain manifests.

Prerequisites

  • Kubernetes ≥ 1.26
  • Helm ≥ 3.12 (for Helm chart method)
  • A PostgreSQL instance accessible from the cluster
  • A Redis instance accessible from the cluster (recommended)

Helm chart

Add the Vaultaris Helm repository:

helm repo add vaultaris https://rustlanges.github.io/vaultaris
helm repo update

Install with minimal configuration:

helm install vaultaris vaultaris/vaultaris \
  --namespace vaultaris \
  --create-namespace \
  --set config.databaseUrl="postgres://vaultaris:pass@postgres.default.svc:5432/vaultaris" \
  --set config.jwtSecret="$(openssl rand -hex 32)" \
  --set config.encryptionKey="$(openssl rand -hex 16)" \
  --set config.externalUrl="https://auth.example.com"

Values reference

# values.yaml
replicaCount: 2

image:
  repository: ghcr.io/rustlanges/vaultaris
  tag: "0.8.0"
  pullPolicy: IfNotPresent

config:
  databaseUrl: ""           # required
  jwtSecret: ""             # required
  encryptionKey: ""         # required
  externalUrl: ""           # required
  redisUrl: ""              # optional, enables distributed rate limiting
  emailEnabled: false
  smtpHost: ""
  smtpUsername: ""
  smtpPassword: ""
  geoipDatabasePath: ""     # mount a .mmdb file and set this path

service:
  type: ClusterIP
  port: 8080

ingress:
  enabled: true
  className: nginx
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  hosts:
    - host: auth.example.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: vaultaris-tls
      hosts:
        - auth.example.com

resources:
  requests:
    cpu: 100m
    memory: 128Mi
  limits:
    cpu: 500m
    memory: 512Mi

autoscaling:
  enabled: false
  minReplicas: 2
  maxReplicas: 10
  targetCPUUtilizationPercentage: 70

postgresql:
  enabled: true   # installs Bitnami PostgreSQL subchart
  auth:
    database: vaultaris
    username: vaultaris
    password: ""  # auto-generated if empty

redis:
  enabled: true   # installs Bitnami Redis subchart

Plain Kubernetes manifests

Secret

apiVersion: v1
kind: Secret
metadata:
  name: vaultaris-secrets
  namespace: vaultaris
stringData:
  DATABASE_URL: "postgres://vaultaris:pass@postgres:5432/vaultaris"
  JWT_SECRET: "your-secret-here"
  ENCRYPTION_KEY: "your-key-here"
  SMTP_PASSWORD: "your-smtp-pass"

Deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: vaultaris
  namespace: vaultaris
spec:
  replicas: 2
  selector:
    matchLabels:
      app: vaultaris
  template:
    metadata:
      labels:
        app: vaultaris
    spec:
      containers:
        - name: vaultaris
          image: ghcr.io/rustlanges/vaultaris:0.8.0
          ports:
            - containerPort: 8080
          envFrom:
            - secretRef:
                name: vaultaris-secrets
          env:
            - name: EXTERNAL_URL
              value: "https://auth.example.com"
            - name: REDIS_URL
              value: "redis://redis:6379"
            - name: EMAIL_ENABLED
              value: "true"
            - name: SMTP_HOST
              value: "smtp.sendgrid.net"
            - name: SMTP_USERNAME
              value: "apikey"
          livenessProbe:
            httpGet:
              path: /health
              port: 8080
            initialDelaySeconds: 10
            periodSeconds: 15
          readinessProbe:
            httpGet:
              path: /health
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 10
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 512Mi

Service & Ingress

apiVersion: v1
kind: Service
metadata:
  name: vaultaris
  namespace: vaultaris
spec:
  selector:
    app: vaultaris
  ports:
    - port: 8080
      targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: vaultaris
  namespace: vaultaris
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: nginx
  tls:
    - hosts: [auth.example.com]
      secretName: vaultaris-tls
  rules:
    - host: auth.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: vaultaris
                port:
                  number: 8080

HorizontalPodAutoscaler

apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: vaultaris
  namespace: vaultaris
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: vaultaris
  minReplicas: 2
  maxReplicas: 10
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70

GeoIP database

Mount the MaxMind database as a ConfigMap or volume:

# In the Deployment container spec:
volumeMounts:
  - name: geoip
    mountPath: /data
    readOnly: true
env:
  - name: GEOIP_DATABASE_PATH
    value: /data/GeoLite2-Country.mmdb
volumes:
  - name: geoip
    persistentVolumeClaim:
      claimName: geoip-pvc

Update the database weekly using a CronJob that runs geoipupdate and writes to the shared volume.