diff --git a/vault/values.yaml b/vault/values.yaml index 6c54faf..7afee77 100644 --- a/vault/values.yaml +++ b/vault/values.yaml 
@@ -1,369 +1,369 @@ -vault: - - # Available parameters and their default values for the Vault chart. - - global: - # enabled is the master enabled switch. Setting this to true or false - # will enable or disable all the components within this chart by default. - enabled: true - # Image pull secret to use for registry authentication. - imagePullSecrets: [] - # imagePullSecrets: - # - name: image-pull-secret - # TLS for end-to-end encrypted transport - tlsDisable: true - - injector: - # True if you want to enable vault agent injection. - enabled: true - - # External vault server address for the injector to use. Setting this will - # disable deployment of a vault server along with the injector. - externalVaultAddr: "" - - # image sets the repo and tag of the vault-k8s image to use for the injector. - image: - repository: "hashicorp/vault-k8s" - tag: "0.2.0" - pullPolicy: always - - # agentImage sets the repo and tag of the Vault image to use for the Vault Agent - # containers. This should be set to the official Vault image. Vault 1.3.1+ is - # required. - agentImage: - repository: "vault" - tag: "1.3.2" - - # namespaceSelector is the selector for restricting the webhook to only - # specific namespaces. This should be set to a multiline string. - # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector - # for more details. - # Example: - # namespaceSelector: | - # matchLabels: - # sidecar-injector: enabled - namespaceSelector: {} - - certs: - # secretName is the name of the secret that has the TLS certificate and - # private key to serve the injector webhook. If this is null, then the - # injector will default to its automatic management mode that will assign - # a service account to the injector to generate its own certificates. - secretName: null - - # caBundle is a base64-encoded PEM-encoded certificate bundle for the - # CA that signed the TLS certificate that the webhook serves. 
This must - # be set if secretName is non-null. - caBundle: "" - - # certName and keyName are the names of the files within the secret for - # the TLS cert and private key, respectively. These have reasonable - # defaults but can be customized if necessary. - certName: tls.crt - keyName: tls.key - - resources: {} - # resources: - # requests: - # memory: 256Mi - # cpu: 250m - # limits: - # memory: 256Mi - # cpu: 250m - - server: - # Resource requests, limits, etc. for the server cluster placement. This - # should map directly to the value of the resources field for a PodSpec. - # By default no direct resource request is made. - - image: - repository: "vault" - tag: "1.3.2" - # Overrides the default Image Pull Policy - pullPolicy: IfNotPresent - - # Configure the Update Strategy Type for the StatefulSet - # See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies - updateStrategyType: "OnDelete" - - resources: - # resources: - # requests: - # memory: 256Mi - # cpu: 250m - # limits: - # memory: 256Mi - # cpu: 250m - - # Ingress allows ingress services to be created to allow external access - # from Kubernetes to access Vault pods. - ingress: - enabled: false - labels: {} - # traffic: external - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - hosts: - - host: chart-example.local - paths: [] - - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - - - # authDelegator enables a cluster role binding to be attached to the service - # account. This cluster role binding can be used to setup Kubernetes auth - # method. https://www.vaultproject.io/docs/auth/kubernetes.html - authDelegator: - enabled: true - - # extraContainers is a list of sidecar containers. Specified as a raw YAML string. - extraContainers: null - - # shareProcessNamespace enables process namespace sharing between Vault and the extraContainers - # This is useful if Vault must be signaled, e.g. 
to send a SIGHUP for log rotation - shareProcessNamespace: false - - # extraArgs is a string containing additional Vault server arguments. - extraArgs: "" - - # Used to define custom readinessProbe settings - readinessProbe: - enabled: true - # If you need to use a http path instead of the default exec - # path: /v1/sys/health?standbyok=true - # Used to enable a livenessProbe for the pods - livenessProbe: - enabled: false - path: "/v1/sys/health?standbyok=true" - initialDelaySeconds: 60 - - # Used to set the sleep time during the preStop step - preStopSleepSeconds: 5 - - # extraEnvironmentVars is a list of extra enviroment variables to set with the stateful set. These could be - # used to include variables required for auto-unseal. - extraEnvironmentVars: {} - # GOOGLE_REGION: global - # GOOGLE_PROJECT: myproject - # GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/myproject/myproject-creds.json - - # extraSecretEnvironmentVars is a list of extra enviroment variables to set with the stateful set. - # These variables take value from existing Secret objects. - extraSecretEnvironmentVars: [] - # - envName: AWS_SECRET_ACCESS_KEY - # secretName: vault - # secretKey: AWS_SECRET_ACCESS_KEY - - # extraVolumes is a list of extra volumes to mount. These will be exposed - # to Vault in the path `/vault/userconfig//`. The value below is - # an array of objects, examples are shown below. - extraVolumes: [] - # - type: secret (or "configMap") - # name: my-secret - # path: null # default is `/vault/userconfig` - - # Affinity Settings - # Commenting out or setting as empty the affinity variable, will allow - # deployment to single node services such as Minikube - affinity: | - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app.kubernetes.io/name: {{ template "vault.name" . 
}} - app.kubernetes.io/instance: "{{ .Release.Name }}" - component: server - topologyKey: kubernetes.io/hostname - - # Toleration Settings for server pods - # This should be a multi-line string matching the Toleration array - # in a PodSpec. - tolerations: {} - - # nodeSelector labels for server pod assignment, formatted as a muli-line string. - # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - # Example: - # nodeSelector: | - # beta.kubernetes.io/arch: amd64 - nodeSelector: {} - - # Extra labels to attach to the server pods - # This should be a multi-line string mapping directly to the a map of - # the labels to apply to the server pods - extraLabels: {} - - # Extra annotations to attach to the server pods - # This should be a multi-line string mapping directly to the a map of - # the annotations to apply to the server pods - annotations: {} - - # Enables a headless service to be used by the Vault Statefulset - service: - enabled: true - # clusterIP controls whether a Cluster IP address is attached to the - # Vault service within Kubernetes. By default the Vault service will - # be given a Cluster IP address, set to None to disable. When disabled - # Kubernetes will create a "headless" service. Headless services can be - # used to communicate with pods directly through DNS instead of a round robin - # load balancer. - # clusterIP: None - - # Configures the service type for the main Vault service. Can be ClusterIP - # or NodePort. - #type: ClusterIP - - # If type is set to "NodePort", a specific nodePort value can be configured, - # will be random if left blank. - #nodePort: 30000 - - # Port on which Vault server is listening - port: 8200 - # Target port to which the service should be mapped to - targetPort: 8200 - # Extra annotations for the service definition - annotations: {} - - # This configures the Vault Statefulset to create a PVC for data - # storage when using the file backend. 
- # See https://www.vaultproject.io/docs/configuration/storage/index.html to know more - dataStorage: - enabled: true - # Size of the PVC created - size: 10Gi - # Name of the storage class to use. If null it will use the - # configured default Storage Class. - storageClass: null - # Access Mode of the storage device being used for the PVC - accessMode: ReadWriteOnce - - # This configures the Vault Statefulset to create a PVC for audit - # logs. Once Vault is deployed, initialized and unseal, Vault must - # be configured to use this for audit logs. This will be mounted to - # /vault/audit - # See https://www.vaultproject.io/docs/audit/index.html to know more - auditStorage: - enabled: false - # Size of the PVC created - size: 10Gi - # Name of the storage class to use. If null it will use the - # configured default Storage Class. - storageClass: null - # Access Mode of the storage device being used for the PVC - accessMode: ReadWriteOnce - - # Run Vault in "dev" mode. This requires no further setup, no state management, - # and no initialization. This is useful for experimenting with Vault without - # needing to unseal, store keys, et. al. All data is lost on restart - do not - # use dev mode for anything other than experimenting. - # See https://www.vaultproject.io/docs/concepts/dev-server.html to know more - dev: - enabled: false - - # Run Vault in "standalone" mode. This is the default mode that will deploy if - # no arguments are given to helm. This requires a PVC for data storage to use - # the "file" backend. This mode is not highly available and should not be scaled - # past a single replica. - standalone: - enabled: "-" - - # config is a raw string of default configuration when using a Stateful - # deployment. Default is to use a PersistentVolumeClaim mounted at /vault/data - # and store data there. This is only used when using a Replica count of 1, and - # using a stateful set. This should be HCL. 
- config: | - ui = true - - listener "tcp" { - tls_disable = 1 - address = "[::]:8200" - cluster_address = "[::]:8201" - } - storage "file" { - path = "/vault/data" - } - - # Example configuration for using auto-unseal, using Google Cloud KMS. The - # GKMS keys must already exist, and the cluster must have a service account - # that is authorized to access GCP KMS. - #seal "gcpckms" { - # project = "vault-helm-dev" - # region = "global" - # key_ring = "vault-helm-unseal-kr" - # crypto_key = "vault-helm-unseal-key" - #} - - # Run Vault in "HA" mode. There are no storage requirements unless audit log - # persistence is required. In HA mode Vault will configure itself to use Consul - # for its storage backend. The default configuration provided will work the Consul - # Helm project by default. It is possible to manually configure Vault to use a - # different HA backend. - ha: - enabled: false - replicas: 3 - - # config is a raw string of default configuration when using a Stateful - # deployment. Default is to use a Consul for its HA storage backend. - # This should be HCL. - config: | - ui = true - - listener "tcp" { - tls_disable = 1 - address = "[::]:8200" - cluster_address = "[::]:8201" - } - storage "consul" { - path = "vault" - address = "HOST_IP:8500" - } - - # Example configuration for using auto-unseal, using Google Cloud KMS. The - # GKMS keys must already exist, and the cluster must have a service account - # that is authorized to access GCP KMS. - #seal "gcpckms" { - # project = "vault-helm-dev-246514" - # region = "global" - # key_ring = "vault-helm-unseal-kr" - # crypto_key = "vault-helm-unseal-key" - #} - - # A disruption budget limits the number of pods of a replicated application - # that are down simultaneously from voluntary disruptions - disruptionBudget: - enabled: true - - # maxUnavailable will default to (n/2)-1 where n is the number of - # replicas. If you'd like a custom value, you can specify an override here. 
- maxUnavailable: null - - # Definition of the serviceAccount used to run Vault. - serviceAccount: - annotations: {} - - # Vault UI - ui: - # True if you want to create a Service entry for the Vault UI. - # - # serviceType can be used to control the type of service created. For - # example, setting this to "LoadBalancer" will create an external load - # balancer (for supported K8S installations) to access the UI. - enabled: false - serviceType: "ClusterIP" - serviceNodePort: null - externalPort: 8200 - - # loadBalancerSourceRanges: - # - 10.0.0.0/16 - # - 1.78.23.3/32 - - # loadBalancerIP: - - # Extra annotations to attach to the ui service - # This should be a multi-line string mapping directly to the a map of - # the annotations to apply to the ui service - annotations: {} - \ No newline at end of file +#vault: +# +# # Available parameters and their default values for the Vault chart. +# +# global: +# # enabled is the master enabled switch. Setting this to true or false +# # will enable or disable all the components within this chart by default. +# enabled: true +# # Image pull secret to use for registry authentication. +# imagePullSecrets: [] +# # imagePullSecrets: +# # - name: image-pull-secret +# # TLS for end-to-end encrypted transport +# tlsDisable: true +# +# injector: +# # True if you want to enable vault agent injection. +# enabled: true +# +# # External vault server address for the injector to use. Setting this will +# # disable deployment of a vault server along with the injector. +# externalVaultAddr: "" +# +# # image sets the repo and tag of the vault-k8s image to use for the injector. +# image: +# repository: "hashicorp/vault-k8s" +# tag: "0.2.0" +# pullPolicy: always +# +# # agentImage sets the repo and tag of the Vault image to use for the Vault Agent +# # containers. This should be set to the official Vault image. Vault 1.3.1+ is +# # required. 
+# agentImage: +# repository: "vault" +# tag: "1.3.2" +# +# # namespaceSelector is the selector for restricting the webhook to only +# # specific namespaces. This should be set to a multiline string. +# # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector +# # for more details. +# # Example: +# # namespaceSelector: | +# # matchLabels: +# # sidecar-injector: enabled +# namespaceSelector: {} +# +# certs: +# # secretName is the name of the secret that has the TLS certificate and +# # private key to serve the injector webhook. If this is null, then the +# # injector will default to its automatic management mode that will assign +# # a service account to the injector to generate its own certificates. +# secretName: null +# +# # caBundle is a base64-encoded PEM-encoded certificate bundle for the +# # CA that signed the TLS certificate that the webhook serves. This must +# # be set if secretName is non-null. +# caBundle: "" +# +# # certName and keyName are the names of the files within the secret for +# # the TLS cert and private key, respectively. These have reasonable +# # defaults but can be customized if necessary. +# certName: tls.crt +# keyName: tls.key +# +# resources: {} +# # resources: +# # requests: +# # memory: 256Mi +# # cpu: 250m +# # limits: +# # memory: 256Mi +# # cpu: 250m +# +# server: +# # Resource requests, limits, etc. for the server cluster placement. This +# # should map directly to the value of the resources field for a PodSpec. +# # By default no direct resource request is made. 
+# +# image: +# repository: "vault" +# tag: "1.3.2" +# # Overrides the default Image Pull Policy +# pullPolicy: IfNotPresent +# +# # Configure the Update Strategy Type for the StatefulSet +# # See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies +# updateStrategyType: "OnDelete" +# +# resources: +# # resources: +# # requests: +# # memory: 256Mi +# # cpu: 250m +# # limits: +# # memory: 256Mi +# # cpu: 250m +# +# # Ingress allows ingress services to be created to allow external access +# # from Kubernetes to access Vault pods. +# ingress: +# enabled: false +# labels: {} +# # traffic: external +# annotations: {} +# # kubernetes.io/ingress.class: nginx +# # kubernetes.io/tls-acme: "true" +# hosts: +# - host: chart-example.local +# paths: [] +# +# tls: [] +# # - secretName: chart-example-tls +# # hosts: +# # - chart-example.local +# +# +# # authDelegator enables a cluster role binding to be attached to the service +# # account. This cluster role binding can be used to setup Kubernetes auth +# # method. https://www.vaultproject.io/docs/auth/kubernetes.html +# authDelegator: +# enabled: true +# +# # extraContainers is a list of sidecar containers. Specified as a raw YAML string. +# extraContainers: null +# +# # shareProcessNamespace enables process namespace sharing between Vault and the extraContainers +# # This is useful if Vault must be signaled, e.g. to send a SIGHUP for log rotation +# shareProcessNamespace: false +# +# # extraArgs is a string containing additional Vault server arguments. 
+# extraArgs: "" +# +# # Used to define custom readinessProbe settings +# readinessProbe: +# enabled: true +# # If you need to use a http path instead of the default exec +# # path: /v1/sys/health?standbyok=true +# # Used to enable a livenessProbe for the pods +# livenessProbe: +# enabled: false +# path: "/v1/sys/health?standbyok=true" +# initialDelaySeconds: 60 +# +# # Used to set the sleep time during the preStop step +# preStopSleepSeconds: 5 +# +# # extraEnvironmentVars is a list of extra enviroment variables to set with the stateful set. These could be +# # used to include variables required for auto-unseal. +# extraEnvironmentVars: {} +# # GOOGLE_REGION: global +# # GOOGLE_PROJECT: myproject +# # GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/myproject/myproject-creds.json +# +# # extraSecretEnvironmentVars is a list of extra enviroment variables to set with the stateful set. +# # These variables take value from existing Secret objects. +# extraSecretEnvironmentVars: [] +# # - envName: AWS_SECRET_ACCESS_KEY +# # secretName: vault +# # secretKey: AWS_SECRET_ACCESS_KEY +# +# # extraVolumes is a list of extra volumes to mount. These will be exposed +# # to Vault in the path `/vault/userconfig//`. The value below is +# # an array of objects, examples are shown below. +# extraVolumes: [] +# # - type: secret (or "configMap") +# # name: my-secret +# # path: null # default is `/vault/userconfig` +# +# # Affinity Settings +# # Commenting out or setting as empty the affinity variable, will allow +# # deployment to single node services such as Minikube +# affinity: | +# podAntiAffinity: +# requiredDuringSchedulingIgnoredDuringExecution: +# - labelSelector: +# matchLabels: +# app.kubernetes.io/name: {{ template "vault.name" . 
}} +# app.kubernetes.io/instance: "{{ .Release.Name }}" +# component: server +# topologyKey: kubernetes.io/hostname +# +# # Toleration Settings for server pods +# # This should be a multi-line string matching the Toleration array +# # in a PodSpec. +# tolerations: {} +# +# # nodeSelector labels for server pod assignment, formatted as a muli-line string. +# # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector +# # Example: +# # nodeSelector: | +# # beta.kubernetes.io/arch: amd64 +# nodeSelector: {} +# +# # Extra labels to attach to the server pods +# # This should be a multi-line string mapping directly to the a map of +# # the labels to apply to the server pods +# extraLabels: {} +# +# # Extra annotations to attach to the server pods +# # This should be a multi-line string mapping directly to the a map of +# # the annotations to apply to the server pods +# annotations: {} +# +# # Enables a headless service to be used by the Vault Statefulset +# service: +# enabled: true +# # clusterIP controls whether a Cluster IP address is attached to the +# # Vault service within Kubernetes. By default the Vault service will +# # be given a Cluster IP address, set to None to disable. When disabled +# # Kubernetes will create a "headless" service. Headless services can be +# # used to communicate with pods directly through DNS instead of a round robin +# # load balancer. +# # clusterIP: None +# +# # Configures the service type for the main Vault service. Can be ClusterIP +# # or NodePort. +# #type: ClusterIP +# +# # If type is set to "NodePort", a specific nodePort value can be configured, +# # will be random if left blank. 
+# #nodePort: 30000 +# +# # Port on which Vault server is listening +# port: 8200 +# # Target port to which the service should be mapped to +# targetPort: 8200 +# # Extra annotations for the service definition +# annotations: {} +# +# # This configures the Vault Statefulset to create a PVC for data +# # storage when using the file backend. +# # See https://www.vaultproject.io/docs/configuration/storage/index.html to know more +# dataStorage: +# enabled: true +# # Size of the PVC created +# size: 10Gi +# # Name of the storage class to use. If null it will use the +# # configured default Storage Class. +# storageClass: null +# # Access Mode of the storage device being used for the PVC +# accessMode: ReadWriteOnce +# +# # This configures the Vault Statefulset to create a PVC for audit +# # logs. Once Vault is deployed, initialized and unseal, Vault must +# # be configured to use this for audit logs. This will be mounted to +# # /vault/audit +# # See https://www.vaultproject.io/docs/audit/index.html to know more +# auditStorage: +# enabled: false +# # Size of the PVC created +# size: 10Gi +# # Name of the storage class to use. If null it will use the +# # configured default Storage Class. +# storageClass: null +# # Access Mode of the storage device being used for the PVC +# accessMode: ReadWriteOnce +# +# # Run Vault in "dev" mode. This requires no further setup, no state management, +# # and no initialization. This is useful for experimenting with Vault without +# # needing to unseal, store keys, et. al. All data is lost on restart - do not +# # use dev mode for anything other than experimenting. +# # See https://www.vaultproject.io/docs/concepts/dev-server.html to know more +# dev: +# enabled: false +# +# # Run Vault in "standalone" mode. This is the default mode that will deploy if +# # no arguments are given to helm. This requires a PVC for data storage to use +# # the "file" backend. 
This mode is not highly available and should not be scaled +# # past a single replica. +# standalone: +# enabled: "-" +# +# # config is a raw string of default configuration when using a Stateful +# # deployment. Default is to use a PersistentVolumeClaim mounted at /vault/data +# # and store data there. This is only used when using a Replica count of 1, and +# # using a stateful set. This should be HCL. +# config: | +# ui = true +# +# listener "tcp" { +# tls_disable = 1 +# address = "[::]:8200" +# cluster_address = "[::]:8201" +# } +# storage "file" { +# path = "/vault/data" +# } +# +# # Example configuration for using auto-unseal, using Google Cloud KMS. The +# # GKMS keys must already exist, and the cluster must have a service account +# # that is authorized to access GCP KMS. +# #seal "gcpckms" { +# # project = "vault-helm-dev" +# # region = "global" +# # key_ring = "vault-helm-unseal-kr" +# # crypto_key = "vault-helm-unseal-key" +# #} +# +# # Run Vault in "HA" mode. There are no storage requirements unless audit log +# # persistence is required. In HA mode Vault will configure itself to use Consul +# # for its storage backend. The default configuration provided will work the Consul +# # Helm project by default. It is possible to manually configure Vault to use a +# # different HA backend. +# ha: +# enabled: false +# replicas: 3 +# +# # config is a raw string of default configuration when using a Stateful +# # deployment. Default is to use a Consul for its HA storage backend. +# # This should be HCL. +# config: | +# ui = true +# +# listener "tcp" { +# tls_disable = 1 +# address = "[::]:8200" +# cluster_address = "[::]:8201" +# } +# storage "consul" { +# path = "vault" +# address = "HOST_IP:8500" +# } +# +# # Example configuration for using auto-unseal, using Google Cloud KMS. The +# # GKMS keys must already exist, and the cluster must have a service account +# # that is authorized to access GCP KMS. 
+# #seal "gcpckms" { +# # project = "vault-helm-dev-246514" +# # region = "global" +# # key_ring = "vault-helm-unseal-kr" +# # crypto_key = "vault-helm-unseal-key" +# #} +# +# # A disruption budget limits the number of pods of a replicated application +# # that are down simultaneously from voluntary disruptions +# disruptionBudget: +# enabled: true +# +# # maxUnavailable will default to (n/2)-1 where n is the number of +# # replicas. If you'd like a custom value, you can specify an override here. +# maxUnavailable: null +# +# # Definition of the serviceAccount used to run Vault. +# serviceAccount: +# annotations: {} +# +# # Vault UI +# ui: +# # True if you want to create a Service entry for the Vault UI. +# # +# # serviceType can be used to control the type of service created. For +# # example, setting this to "LoadBalancer" will create an external load +# # balancer (for supported K8S installations) to access the UI. +# enabled: false +# serviceType: "ClusterIP" +# serviceNodePort: null +# externalPort: 8200 +# +# # loadBalancerSourceRanges: +# # - 10.0.0.0/16 +# # - 1.78.23.3/32 +# +# # loadBalancerIP: +# +# # Extra annotations to attach to the ui service +# # This should be a multi-line string mapping directly to the a map of +# # the annotations to apply to the ui service +# annotations: {} +#
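Review bot: Commenting out the whole `vault:` block leaves this values file with no overrides at all, so Helm falls back to the Vault chart's own defaults rather than disabling anything; if the intent is to stop deploying Vault (the top-level `vault:` key suggests this is a subchart of an umbrella chart, which I cannot confirm from here), declare that explicitly with `vault:` / `  enabled: false` (or `global.enabled: false`) so the deployment state is stated rather than implied by an empty file. If the block is being kept as a template for later re-enabling, it still carries `tlsDisable: true` and `tls_disable = 1` in both the standalone and HA `listener "tcp"` stanzas, so uncommenting it as-is would bring Vault back with plaintext client (8200) and cluster (8201) traffic. I would add `# TODO: enable TLS (tlsDisable: false, tls_disable = 0) before re-enabling` next to those lines, and the HA `storage "consul"` stanza would similarly need `scheme`/`token` settings reviewed before use. The diff's collapsed line breaks and indentation cannot be recovered reliably from this view, so I have not attempted to restore them.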