secretumvault/k8s/05-etcd.yaml

---
# etcd StatefulSet for SecretumVault storage
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: vault-etcd
  namespace: secretumvault
  labels:
    app: vault-etcd
spec:
  serviceName: vault-etcd
  replicas: 3
  selector:
    matchLabels:
      app: vault-etcd
  template:
    metadata:
      labels:
        app: vault-etcd
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "2379"
    spec:
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchExpressions:
              - key: app
                operator: In
                values:
                - vault-etcd
            topologyKey: kubernetes.io/hostname

      containers:
      - name: etcd
        image: quay.io/coreos/etcd:v3.5.9
        imagePullPolicy: IfNotPresent

        ports:
        - name: client
          containerPort: 2379
          protocol: TCP
        - name: peer
          containerPort: 2380
          protocol: TCP

        env:
        - name: ETCD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: ETCD_INITIAL_CLUSTER_STATE
          value: "new"
        - name: ETCD_INITIAL_CLUSTER_TOKEN
          value: "etcd-cluster-vault"
        - name: ETCD_INITIAL_CLUSTER
          value: "vault-etcd-0=http://vault-etcd-0.vault-etcd:2380,vault-etcd-1=http://vault-etcd-1.vault-etcd:2380,vault-etcd-2=http://vault-etcd-2.vault-etcd:2380"
        - name: ETCD_LISTEN_CLIENT_URLS
          value: "http://0.0.0.0:2379"
        - name: ETCD_ADVERTISE_CLIENT_URLS
          value: "http://$(ETCD_NAME).vault-etcd:2379"
        - name: ETCD_LISTEN_PEER_URLS
          value: "http://0.0.0.0:2380"
        - name: ETCD_INITIAL_ADVERTISE_PEER_URLS
          value: "http://$(ETCD_NAME).vault-etcd:2380"
        - name: ETCD_AUTO_COMPACTION_RETENTION
          value: "24h"
        - name: ETCD_AUTO_COMPACTION_MODE
          value: "revision"

        volumeMounts:
        - name: data
          mountPath: /etcd-data

        livenessProbe:
          exec:
            command:
            - /bin/sh
            - -c
            - ETCDCTL_API=3 etcdctl --endpoints=http://localhost:2379 endpoint health
          initialDelaySeconds: 30
          periodSeconds: 10
          timeoutSeconds: 5
          failureThreshold: 3

        readinessProbe:
          exec:
            command:
            - /bin/sh
            - -c
            - ETCDCTL_API=3 etcdctl --endpoints=http://localhost:2379 endpoint health
          initialDelaySeconds: 10
          periodSeconds: 5
          timeoutSeconds: 3
          failureThreshold: 3

        resources:
          requests:
            memory: "256Mi"
            cpu: "100m"
          limits:
            memory: "512Mi"
            cpu: "250m"

        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL

      terminationGracePeriodSeconds: 30

  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes: [ "ReadWriteOnce" ]
      resources:
        requests:
          storage: 10Gi

---
# etcd Service (headless for peer discovery)
apiVersion: v1
kind: Service
metadata:
  name: vault-etcd
  namespace: secretumvault
  labels:
    app: vault-etcd
spec:
  clusterIP: None
  selector:
    app: vault-etcd
  ports:
  - name: client
    port: 2379
    targetPort: client
  - name: peer
    port: 2380
    targetPort: peer

---
# etcd Client Service (for connecting vault)
apiVersion: v1
kind: Service
metadata:
  name: vault-etcd-client
  namespace: secretumvault
  labels:
    app: vault-etcd
spec:
  type: ClusterIP
  selector:
    app: vault-etcd
  ports:
  - name: client
    port: 2379
    targetPort: client
    protocol: TCP
chore: source code, docs and tools 2025-12-22 21:34:01 +00:00			`---`
			`# etcd StatefulSet for SecretumVault storage`
			`apiVersion: apps/v1`
			`kind: StatefulSet`
			`metadata:`
			`name: vault-etcd`
			`namespace: secretumvault`
			`labels:`
			`app: vault-etcd`
			`spec:`
			`serviceName: vault-etcd`
			`replicas: 3`
			`selector:`
			`matchLabels:`
			`app: vault-etcd`
			`template:`
			`metadata:`
			`labels:`
			`app: vault-etcd`
			`annotations:`
			`prometheus.io/scrape: "true"`
			`prometheus.io/port: "2379"`
			`spec:`
			`affinity:`
			`podAntiAffinity:`
			`requiredDuringSchedulingIgnoredDuringExecution:`
			`- labelSelector:`
			`matchExpressions:`
			`- key: app`
			`operator: In`
			`values:`
			`- vault-etcd`
			`topologyKey: kubernetes.io/hostname`

			`containers:`
			`- name: etcd`
			`image: quay.io/coreos/etcd:v3.5.9`
			`imagePullPolicy: IfNotPresent`

			`ports:`
			`- name: client`
			`containerPort: 2379`
			`protocol: TCP`
			`- name: peer`
			`containerPort: 2380`
			`protocol: TCP`

			`env:`
			`- name: ETCD_NAME`
			`valueFrom:`
			`fieldRef:`
			`fieldPath: metadata.name`
			`- name: ETCD_INITIAL_CLUSTER_STATE`
			`value: "new"`
			`- name: ETCD_INITIAL_CLUSTER_TOKEN`
			`value: "etcd-cluster-vault"`
			`- name: ETCD_INITIAL_CLUSTER`
			`value: "vault-etcd-0=http://vault-etcd-0.vault-etcd:2380,vault-etcd-1=http://vault-etcd-1.vault-etcd:2380,vault-etcd-2=http://vault-etcd-2.vault-etcd:2380"`
			`- name: ETCD_LISTEN_CLIENT_URLS`
			`value: "http://0.0.0.0:2379"`
			`- name: ETCD_ADVERTISE_CLIENT_URLS`
			`value: "http://$(ETCD_NAME).vault-etcd:2379"`
			`- name: ETCD_LISTEN_PEER_URLS`
			`value: "http://0.0.0.0:2380"`
			`- name: ETCD_INITIAL_ADVERTISE_PEER_URLS`
			`value: "http://$(ETCD_NAME).vault-etcd:2380"`
			`- name: ETCD_AUTO_COMPACTION_RETENTION`
			`value: "24h"`
			`- name: ETCD_AUTO_COMPACTION_MODE`
			`value: "revision"`

			`volumeMounts:`
			`- name: data`
			`mountPath: /etcd-data`

			`livenessProbe:`
			`exec:`
			`command:`
			`- /bin/sh`
			`- -c`
			`- ETCDCTL_API=3 etcdctl --endpoints=http://localhost:2379 endpoint health`
			`initialDelaySeconds: 30`
			`periodSeconds: 10`
			`timeoutSeconds: 5`
			`failureThreshold: 3`

			`readinessProbe:`
			`exec:`
			`command:`
			`- /bin/sh`
			`- -c`
			`- ETCDCTL_API=3 etcdctl --endpoints=http://localhost:2379 endpoint health`
			`initialDelaySeconds: 10`
			`periodSeconds: 5`
			`timeoutSeconds: 3`
			`failureThreshold: 3`

			`resources:`
			`requests:`
			`memory: "256Mi"`
			`cpu: "100m"`
			`limits:`
			`memory: "512Mi"`
			`cpu: "250m"`

			`securityContext:`
			`allowPrivilegeEscalation: false`
			`capabilities:`
			`drop:`
			`- ALL`

			`terminationGracePeriodSeconds: 30`

			`volumeClaimTemplates:`
			`- metadata:`
			`name: data`
			`spec:`
			`accessModes: [ "ReadWriteOnce" ]`
			`resources:`
			`requests:`
			`storage: 10Gi`

			`---`
			`# etcd Service (headless for peer discovery)`
			`apiVersion: v1`
			`kind: Service`
			`metadata:`
			`name: vault-etcd`
			`namespace: secretumvault`
			`labels:`
			`app: vault-etcd`
			`spec:`
			`clusterIP: None`
			`selector:`
			`app: vault-etcd`
			`ports:`
			`- name: client`
			`port: 2379`
			`targetPort: client`
			`- name: peer`
			`port: 2380`
			`targetPort: peer`

			`---`
			`# etcd Client Service (for connecting vault)`
			`apiVersion: v1`
			`kind: Service`
			`metadata:`
			`name: vault-etcd-client`
			`namespace: secretumvault`
			`labels:`
			`app: vault-etcd`
			`spec:`
			`type: ClusterIP`
			`selector:`
			`app: vault-etcd`
			`ports:`
			`- name: client`
			`port: 2379`
			`targetPort: client`
			`protocol: TCP`