update vault

2022-11-09 17:36:53 -06:00
parent cbe700552d
commit 1c5c8e1837


@@ -1,369 +1,369 @@
vault: #vault:
#
# Available parameters and their default values for the Vault chart. # # Available parameters and their default values for the Vault chart.
#
global: # global:
# enabled is the master enabled switch. Setting this to true or false # # enabled is the master enabled switch. Setting this to true or false
# will enable or disable all the components within this chart by default. # # will enable or disable all the components within this chart by default.
enabled: true # enabled: true
# Image pull secret to use for registry authentication. # # Image pull secret to use for registry authentication.
imagePullSecrets: [] # imagePullSecrets: []
# imagePullSecrets: # # imagePullSecrets:
# - name: image-pull-secret # # - name: image-pull-secret
# TLS for end-to-end encrypted transport # # TLS for end-to-end encrypted transport
tlsDisable: true # tlsDisable: true
#
injector: # injector:
# True if you want to enable vault agent injection. # # True if you want to enable vault agent injection.
enabled: true # enabled: true
#
# External vault server address for the injector to use. Setting this will # # External vault server address for the injector to use. Setting this will
# disable deployment of a vault server along with the injector. # # disable deployment of a vault server along with the injector.
externalVaultAddr: "" # externalVaultAddr: ""
#
# image sets the repo and tag of the vault-k8s image to use for the injector. # # image sets the repo and tag of the vault-k8s image to use for the injector.
image: # image:
repository: "hashicorp/vault-k8s" # repository: "hashicorp/vault-k8s"
tag: "0.2.0" # tag: "0.2.0"
pullPolicy: always # pullPolicy: always
#
# agentImage sets the repo and tag of the Vault image to use for the Vault Agent # # agentImage sets the repo and tag of the Vault image to use for the Vault Agent
# containers. This should be set to the official Vault image. Vault 1.3.1+ is # # containers. This should be set to the official Vault image. Vault 1.3.1+ is
# required. # # required.
agentImage: # agentImage:
repository: "vault" # repository: "vault"
tag: "1.3.2" # tag: "1.3.2"
#
# namespaceSelector is the selector for restricting the webhook to only # # namespaceSelector is the selector for restricting the webhook to only
# specific namespaces. This should be set to a multiline string. # # specific namespaces. This should be set to a multiline string.
# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector # # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
# for more details. # # for more details.
# Example: # # Example:
# namespaceSelector: | # # namespaceSelector: |
# matchLabels: # # matchLabels:
# sidecar-injector: enabled # # sidecar-injector: enabled
namespaceSelector: {} # namespaceSelector: {}
#
certs: # certs:
# secretName is the name of the secret that has the TLS certificate and # # secretName is the name of the secret that has the TLS certificate and
# private key to serve the injector webhook. If this is null, then the # # private key to serve the injector webhook. If this is null, then the
# injector will default to its automatic management mode that will assign # # injector will default to its automatic management mode that will assign
# a service account to the injector to generate its own certificates. # # a service account to the injector to generate its own certificates.
secretName: null # secretName: null
#
# caBundle is a base64-encoded PEM-encoded certificate bundle for the # # caBundle is a base64-encoded PEM-encoded certificate bundle for the
# CA that signed the TLS certificate that the webhook serves. This must # # CA that signed the TLS certificate that the webhook serves. This must
# be set if secretName is non-null. # # be set if secretName is non-null.
caBundle: "" # caBundle: ""
#
# certName and keyName are the names of the files within the secret for # # certName and keyName are the names of the files within the secret for
# the TLS cert and private key, respectively. These have reasonable # # the TLS cert and private key, respectively. These have reasonable
# defaults but can be customized if necessary. # # defaults but can be customized if necessary.
certName: tls.crt # certName: tls.crt
keyName: tls.key # keyName: tls.key
#
resources: {} # resources: {}
# resources: # # resources:
# requests: # # requests:
# memory: 256Mi # # memory: 256Mi
# cpu: 250m # # cpu: 250m
# limits: # # limits:
# memory: 256Mi # # memory: 256Mi
# cpu: 250m # # cpu: 250m
#
server: # server:
# Resource requests, limits, etc. for the server cluster placement. This # # Resource requests, limits, etc. for the server cluster placement. This
# should map directly to the value of the resources field for a PodSpec. # # should map directly to the value of the resources field for a PodSpec.
# By default no direct resource request is made. # # By default no direct resource request is made.
#
image: # image:
repository: "vault" # repository: "vault"
tag: "1.3.2" # tag: "1.3.2"
# Overrides the default Image Pull Policy # # Overrides the default Image Pull Policy
pullPolicy: IfNotPresent # pullPolicy: IfNotPresent
#
# Configure the Update Strategy Type for the StatefulSet # # Configure the Update Strategy Type for the StatefulSet
# See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies # # See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
updateStrategyType: "OnDelete" # updateStrategyType: "OnDelete"
#
resources: # resources:
# resources: # # resources:
# requests: # # requests:
# memory: 256Mi # # memory: 256Mi
# cpu: 250m # # cpu: 250m
# limits: # # limits:
# memory: 256Mi # # memory: 256Mi
# cpu: 250m # # cpu: 250m
#
# Ingress allows ingress services to be created to allow external access # # Ingress allows ingress services to be created to allow external access
# from Kubernetes to access Vault pods. # # from Kubernetes to access Vault pods.
ingress: # ingress:
enabled: false # enabled: false
labels: {} # labels: {}
# traffic: external # # traffic: external
annotations: {} # annotations: {}
# kubernetes.io/ingress.class: nginx # # kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true" # # kubernetes.io/tls-acme: "true"
hosts: # hosts:
- host: chart-example.local # - host: chart-example.local
paths: [] # paths: []
#
tls: [] # tls: []
# - secretName: chart-example-tls # # - secretName: chart-example-tls
# hosts: # # hosts:
# - chart-example.local # # - chart-example.local
#
#
# authDelegator enables a cluster role binding to be attached to the service # # authDelegator enables a cluster role binding to be attached to the service
# account. This cluster role binding can be used to setup Kubernetes auth # # account. This cluster role binding can be used to setup Kubernetes auth
# method. https://www.vaultproject.io/docs/auth/kubernetes.html # # method. https://www.vaultproject.io/docs/auth/kubernetes.html
authDelegator: # authDelegator:
enabled: true # enabled: true
#
# extraContainers is a list of sidecar containers. Specified as a raw YAML string. # # extraContainers is a list of sidecar containers. Specified as a raw YAML string.
extraContainers: null # extraContainers: null
#
# shareProcessNamespace enables process namespace sharing between Vault and the extraContainers # # shareProcessNamespace enables process namespace sharing between Vault and the extraContainers
# This is useful if Vault must be signaled, e.g. to send a SIGHUP for log rotation # # This is useful if Vault must be signaled, e.g. to send a SIGHUP for log rotation
shareProcessNamespace: false # shareProcessNamespace: false
#
# extraArgs is a string containing additional Vault server arguments. # # extraArgs is a string containing additional Vault server arguments.
extraArgs: "" # extraArgs: ""
#
# Used to define custom readinessProbe settings # # Used to define custom readinessProbe settings
readinessProbe: # readinessProbe:
enabled: true # enabled: true
# If you need to use a http path instead of the default exec # # If you need to use a http path instead of the default exec
# path: /v1/sys/health?standbyok=true # # path: /v1/sys/health?standbyok=true
# Used to enable a livenessProbe for the pods # # Used to enable a livenessProbe for the pods
livenessProbe: # livenessProbe:
enabled: false # enabled: false
path: "/v1/sys/health?standbyok=true" # path: "/v1/sys/health?standbyok=true"
initialDelaySeconds: 60 # initialDelaySeconds: 60
#
# Used to set the sleep time during the preStop step # # Used to set the sleep time during the preStop step
preStopSleepSeconds: 5 # preStopSleepSeconds: 5
#
# extraEnvironmentVars is a list of extra enviroment variables to set with the stateful set. These could be # # extraEnvironmentVars is a list of extra enviroment variables to set with the stateful set. These could be
# used to include variables required for auto-unseal. # # used to include variables required for auto-unseal.
extraEnvironmentVars: {} # extraEnvironmentVars: {}
# GOOGLE_REGION: global # # GOOGLE_REGION: global
# GOOGLE_PROJECT: myproject # # GOOGLE_PROJECT: myproject
# GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/myproject/myproject-creds.json # # GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/myproject/myproject-creds.json
#
# extraSecretEnvironmentVars is a list of extra enviroment variables to set with the stateful set. # # extraSecretEnvironmentVars is a list of extra enviroment variables to set with the stateful set.
# These variables take value from existing Secret objects. # # These variables take value from existing Secret objects.
extraSecretEnvironmentVars: [] # extraSecretEnvironmentVars: []
# - envName: AWS_SECRET_ACCESS_KEY # # - envName: AWS_SECRET_ACCESS_KEY
# secretName: vault # # secretName: vault
# secretKey: AWS_SECRET_ACCESS_KEY # # secretKey: AWS_SECRET_ACCESS_KEY
#
# extraVolumes is a list of extra volumes to mount. These will be exposed # # extraVolumes is a list of extra volumes to mount. These will be exposed
# to Vault in the path `/vault/userconfig/<name>/`. The value below is # # to Vault in the path `/vault/userconfig/<name>/`. The value below is
# an array of objects, examples are shown below. # # an array of objects, examples are shown below.
extraVolumes: [] # extraVolumes: []
# - type: secret (or "configMap") # # - type: secret (or "configMap")
# name: my-secret # # name: my-secret
# path: null # default is `/vault/userconfig` # # path: null # default is `/vault/userconfig`
#
# Affinity Settings # # Affinity Settings
# Commenting out or setting as empty the affinity variable, will allow # # Commenting out or setting as empty the affinity variable, will allow
# deployment to single node services such as Minikube # # deployment to single node services such as Minikube
affinity: | # affinity: |
podAntiAffinity: # podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution: # requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector: # - labelSelector:
matchLabels: # matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }} # app.kubernetes.io/name: {{ template "vault.name" . }}
app.kubernetes.io/instance: "{{ .Release.Name }}" # app.kubernetes.io/instance: "{{ .Release.Name }}"
component: server # component: server
topologyKey: kubernetes.io/hostname # topologyKey: kubernetes.io/hostname
#
# Toleration Settings for server pods # # Toleration Settings for server pods
# This should be a multi-line string matching the Toleration array # # This should be a multi-line string matching the Toleration array
# in a PodSpec. # # in a PodSpec.
tolerations: {} # tolerations: {}
#
# nodeSelector labels for server pod assignment, formatted as a muli-line string. # # nodeSelector labels for server pod assignment, formatted as a muli-line string.
# ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector # # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
# Example: # # Example:
# nodeSelector: | # # nodeSelector: |
# beta.kubernetes.io/arch: amd64 # # beta.kubernetes.io/arch: amd64
nodeSelector: {} # nodeSelector: {}
#
# Extra labels to attach to the server pods # # Extra labels to attach to the server pods
# This should be a multi-line string mapping directly to the a map of # # This should be a multi-line string mapping directly to the a map of
# the labels to apply to the server pods # # the labels to apply to the server pods
extraLabels: {} # extraLabels: {}
#
# Extra annotations to attach to the server pods # # Extra annotations to attach to the server pods
# This should be a multi-line string mapping directly to the a map of # # This should be a multi-line string mapping directly to the a map of
# the annotations to apply to the server pods # # the annotations to apply to the server pods
annotations: {} # annotations: {}
#
# Enables a headless service to be used by the Vault Statefulset # # Enables a headless service to be used by the Vault Statefulset
service: # service:
enabled: true # enabled: true
# clusterIP controls whether a Cluster IP address is attached to the # # clusterIP controls whether a Cluster IP address is attached to the
# Vault service within Kubernetes. By default the Vault service will # # Vault service within Kubernetes. By default the Vault service will
# be given a Cluster IP address, set to None to disable. When disabled # # be given a Cluster IP address, set to None to disable. When disabled
# Kubernetes will create a "headless" service. Headless services can be # # Kubernetes will create a "headless" service. Headless services can be
# used to communicate with pods directly through DNS instead of a round robin # # used to communicate with pods directly through DNS instead of a round robin
# load balancer. # # load balancer.
# clusterIP: None # # clusterIP: None
#
# Configures the service type for the main Vault service. Can be ClusterIP # # Configures the service type for the main Vault service. Can be ClusterIP
# or NodePort. # # or NodePort.
#type: ClusterIP # #type: ClusterIP
#
# If type is set to "NodePort", a specific nodePort value can be configured, # # If type is set to "NodePort", a specific nodePort value can be configured,
# will be random if left blank. # # will be random if left blank.
#nodePort: 30000 # #nodePort: 30000
#
# Port on which Vault server is listening # # Port on which Vault server is listening
port: 8200 # port: 8200
# Target port to which the service should be mapped to # # Target port to which the service should be mapped to
targetPort: 8200 # targetPort: 8200
# Extra annotations for the service definition # # Extra annotations for the service definition
annotations: {} # annotations: {}
#
# This configures the Vault Statefulset to create a PVC for data # # This configures the Vault Statefulset to create a PVC for data
# storage when using the file backend. # # storage when using the file backend.
# See https://www.vaultproject.io/docs/configuration/storage/index.html to know more # # See https://www.vaultproject.io/docs/configuration/storage/index.html to know more
dataStorage: # dataStorage:
enabled: true # enabled: true
# Size of the PVC created # # Size of the PVC created
size: 10Gi # size: 10Gi
# Name of the storage class to use. If null it will use the # # Name of the storage class to use. If null it will use the
# configured default Storage Class. # # configured default Storage Class.
storageClass: null # storageClass: null
# Access Mode of the storage device being used for the PVC # # Access Mode of the storage device being used for the PVC
accessMode: ReadWriteOnce # accessMode: ReadWriteOnce
#
# This configures the Vault Statefulset to create a PVC for audit # # This configures the Vault Statefulset to create a PVC for audit
# logs. Once Vault is deployed, initialized and unseal, Vault must # # logs. Once Vault is deployed, initialized and unseal, Vault must
# be configured to use this for audit logs. This will be mounted to # # be configured to use this for audit logs. This will be mounted to
# /vault/audit # # /vault/audit
# See https://www.vaultproject.io/docs/audit/index.html to know more # # See https://www.vaultproject.io/docs/audit/index.html to know more
auditStorage: # auditStorage:
enabled: false # enabled: false
# Size of the PVC created # # Size of the PVC created
size: 10Gi # size: 10Gi
# Name of the storage class to use. If null it will use the # # Name of the storage class to use. If null it will use the
# configured default Storage Class. # # configured default Storage Class.
storageClass: null # storageClass: null
# Access Mode of the storage device being used for the PVC # # Access Mode of the storage device being used for the PVC
accessMode: ReadWriteOnce # accessMode: ReadWriteOnce
#
# Run Vault in "dev" mode. This requires no further setup, no state management, # # Run Vault in "dev" mode. This requires no further setup, no state management,
# and no initialization. This is useful for experimenting with Vault without # # and no initialization. This is useful for experimenting with Vault without
# needing to unseal, store keys, et. al. All data is lost on restart - do not # # needing to unseal, store keys, et. al. All data is lost on restart - do not
# use dev mode for anything other than experimenting. # # use dev mode for anything other than experimenting.
# See https://www.vaultproject.io/docs/concepts/dev-server.html to know more # # See https://www.vaultproject.io/docs/concepts/dev-server.html to know more
dev: # dev:
enabled: false # enabled: false
#
# Run Vault in "standalone" mode. This is the default mode that will deploy if # # Run Vault in "standalone" mode. This is the default mode that will deploy if
# no arguments are given to helm. This requires a PVC for data storage to use # # no arguments are given to helm. This requires a PVC for data storage to use
# the "file" backend. This mode is not highly available and should not be scaled # # the "file" backend. This mode is not highly available and should not be scaled
# past a single replica. # # past a single replica.
standalone: # standalone:
enabled: "-" # enabled: "-"
#
# config is a raw string of default configuration when using a Stateful # # config is a raw string of default configuration when using a Stateful
# deployment. Default is to use a PersistentVolumeClaim mounted at /vault/data # # deployment. Default is to use a PersistentVolumeClaim mounted at /vault/data
# and store data there. This is only used when using a Replica count of 1, and # # and store data there. This is only used when using a Replica count of 1, and
# using a stateful set. This should be HCL. # # using a stateful set. This should be HCL.
config: | # config: |
ui = true # ui = true
#
listener "tcp" { # listener "tcp" {
tls_disable = 1 # tls_disable = 1
address = "[::]:8200" # address = "[::]:8200"
cluster_address = "[::]:8201" # cluster_address = "[::]:8201"
} # }
storage "file" { # storage "file" {
path = "/vault/data" # path = "/vault/data"
} # }
#
# Example configuration for using auto-unseal, using Google Cloud KMS. The # # Example configuration for using auto-unseal, using Google Cloud KMS. The
# GKMS keys must already exist, and the cluster must have a service account # # GKMS keys must already exist, and the cluster must have a service account
# that is authorized to access GCP KMS. # # that is authorized to access GCP KMS.
#seal "gcpckms" { # #seal "gcpckms" {
# project = "vault-helm-dev" # # project = "vault-helm-dev"
# region = "global" # # region = "global"
# key_ring = "vault-helm-unseal-kr" # # key_ring = "vault-helm-unseal-kr"
# crypto_key = "vault-helm-unseal-key" # # crypto_key = "vault-helm-unseal-key"
#} # #}
#
# Run Vault in "HA" mode. There are no storage requirements unless audit log # # Run Vault in "HA" mode. There are no storage requirements unless audit log
# persistence is required. In HA mode Vault will configure itself to use Consul # # persistence is required. In HA mode Vault will configure itself to use Consul
# for its storage backend. The default configuration provided will work the Consul # # for its storage backend. The default configuration provided will work the Consul
# Helm project by default. It is possible to manually configure Vault to use a # # Helm project by default. It is possible to manually configure Vault to use a
# different HA backend. # # different HA backend.
ha: # ha:
enabled: false # enabled: false
replicas: 3 # replicas: 3
#
# config is a raw string of default configuration when using a Stateful # # config is a raw string of default configuration when using a Stateful
# deployment. Default is to use a Consul for its HA storage backend. # # deployment. Default is to use a Consul for its HA storage backend.
# This should be HCL. # # This should be HCL.
config: | # config: |
ui = true # ui = true
#
listener "tcp" { # listener "tcp" {
tls_disable = 1 # tls_disable = 1
address = "[::]:8200" # address = "[::]:8200"
cluster_address = "[::]:8201" # cluster_address = "[::]:8201"
} # }
storage "consul" { # storage "consul" {
path = "vault" # path = "vault"
address = "HOST_IP:8500" # address = "HOST_IP:8500"
} # }
#
# Example configuration for using auto-unseal, using Google Cloud KMS. The # # Example configuration for using auto-unseal, using Google Cloud KMS. The
# GKMS keys must already exist, and the cluster must have a service account # # GKMS keys must already exist, and the cluster must have a service account
# that is authorized to access GCP KMS. # # that is authorized to access GCP KMS.
#seal "gcpckms" { # #seal "gcpckms" {
# project = "vault-helm-dev-246514" # # project = "vault-helm-dev-246514"
# region = "global" # # region = "global"
# key_ring = "vault-helm-unseal-kr" # # key_ring = "vault-helm-unseal-kr"
# crypto_key = "vault-helm-unseal-key" # # crypto_key = "vault-helm-unseal-key"
#} # #}
#
# A disruption budget limits the number of pods of a replicated application # # A disruption budget limits the number of pods of a replicated application
# that are down simultaneously from voluntary disruptions # # that are down simultaneously from voluntary disruptions
disruptionBudget: # disruptionBudget:
enabled: true # enabled: true
#
# maxUnavailable will default to (n/2)-1 where n is the number of # # maxUnavailable will default to (n/2)-1 where n is the number of
# replicas. If you'd like a custom value, you can specify an override here. # # replicas. If you'd like a custom value, you can specify an override here.
maxUnavailable: null # maxUnavailable: null
#
# Definition of the serviceAccount used to run Vault. # # Definition of the serviceAccount used to run Vault.
serviceAccount: # serviceAccount:
annotations: {} # annotations: {}
#
# Vault UI # # Vault UI
ui: # ui:
# True if you want to create a Service entry for the Vault UI. # # True if you want to create a Service entry for the Vault UI.
# # #
# serviceType can be used to control the type of service created. For # # serviceType can be used to control the type of service created. For
# example, setting this to "LoadBalancer" will create an external load # # example, setting this to "LoadBalancer" will create an external load
# balancer (for supported K8S installations) to access the UI. # # balancer (for supported K8S installations) to access the UI.
enabled: false # enabled: false
serviceType: "ClusterIP" # serviceType: "ClusterIP"
serviceNodePort: null # serviceNodePort: null
externalPort: 8200 # externalPort: 8200
#
# loadBalancerSourceRanges: # # loadBalancerSourceRanges:
# - 10.0.0.0/16 # # - 10.0.0.0/16
# - 1.78.23.3/32 # # - 1.78.23.3/32
#
# loadBalancerIP: # # loadBalancerIP:
#
# Extra annotations to attach to the ui service # # Extra annotations to attach to the ui service
# This should be a multi-line string mapping directly to the a map of # # This should be a multi-line string mapping directly to the a map of
# the annotations to apply to the ui service # # the annotations to apply to the ui service
annotations: {} # annotations: {}
#
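Review bot: Commenting out the entire `vault:` block (the whole hunk, from the `vault:` key through `ui.annotations`) leaves neither the file nor the commit message saying why the Vault values were disabled, and the subchart will now render with its upstream defaults instead of the values tuned here (`pullPolicy`, `updateStrategyType`, the listener and seal settings). If the intent is to stop deploying Vault, an explicit `vault:` with `enabled: false` says so in one line and keeps the values file loadable without a 369-line comment — assuming the umbrella chart's Chart.yaml gates the dependency on that key, which is not visible here. If the intent is a temporary switch-off, a one-line header such as `# Vault values disabled <DATE-PLACEHOLDER>: <REASON-PLACEHOLDER>; uncomment to restore` would give the next maintainer the context. Note that the commented-out copy still carries `tlsDisable: true` and `tls_disable = 1` in both `config` blocks, so restoring it by stripping the leading `#` would reinstate the plaintext listener and should be reviewed as a new change rather than a revert.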