DeveloperDurp/homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

update vault

Browse Source
This commit is contained in:
DeveloperDurp
2022-11-09 18:18:42 -06:00
parent 48bf5bd258
commit 9ab8d0e088
1 changed files with 16 additions and 209 deletions
Download Patch File Download Diff File Expand all files Collapse all files

225
vault/values.yaml
View File

@@ -1,149 +1,59 @@
vault:
# Available parameters and their default values for the Vault chart.
global:
# enabled is the master enabled switch. Setting this to true or false
# will enable or disable all the components within this chart by default.
enabled: true
# Image pull secret to use for registry authentication.
# Alternatively, the value may be specified as an array of strings.
imagePullSecrets: []
# imagePullSecrets:
# - name: image-pull-secret
# TLS for end-to-end encrypted transport
tlsDisable: true
# External vault server address for the injector and CSI provider to use.
# Setting this will disable deployment of a vault server.
externalVaultAddr: ""
# If deploying to OpenShift
openshift: false
# Create PodSecurityPolicy for pods
psp:
enable: false
# Annotation for PodSecurityPolicy.
# This is a multi-line templated string map, and can also be set as YAML.
annotations: |
seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default
apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
serverTelemetry:
# Enable integration with the Prometheus Operator
# See the top level serverTelemetry section below before enabling this feature.
prometheusOperator: false
injector:
# True if you want to enable vault agent injection.
# @default: global.enabled
enabled: "-"
replicas: 1
# Configures the port the injector should listen on
port: 8080
# If multiple replicas are specified, by default a leader will be determined
# so that only one injector attempts to create TLS certificates.
leaderElector:
enabled: true
# If true, will enable a node exporter metrics endpoint at /metrics.
metrics:
enabled: false
# Deprecated: Please use global.externalVaultAddr instead.
externalVaultAddr: ""
# image sets the repo and tag of the vault-k8s image to use for the injector.
image:
repository: "hashicorp/vault-k8s"
tag: "1.0.1"
pullPolicy: IfNotPresent
pullPolicy: Always
# agentImage sets the repo and tag of the Vault image to use for the Vault Agent
# containers. This should be set to the official Vault image. Vault 1.3.1+ is
# required.
agentImage:
repository: "hashicorp/vault"
tag: "1.12.0"
# The default values for the injected Vault Agent containers.
agentDefaults:
# For more information on configuring resources, see the K8s documentation:
# https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
cpuRequest: "250m"
memLimit: "128Mi"
memRequest: "64Mi"
# Default template type for secrets when no custom template is specified.
# Possible values include: "json" and "map".
template: "map"
# Default values within Agent's template_config stanza.
templateConfig:
exitOnRetryFailure: true
staticSecretRenderInterval: ""
# Mount Path of the Vault Kubernetes Auth Method.
authPath: "auth/kubernetes"
# Configures the log verbosity of the injector.
# Supported log levels include: trace, debug, info, warn, error
logLevel: "info"
# Configures the log format of the injector. Supported log formats: "standard", "json".
logFormat: "standard"
# Configures all Vault Agent sidecars to revoke their token when shutting down
revokeOnShutdown: false
webhook:
# Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the
# API Version of the WebHook.
# To block pod creation while the webhook is unavailable, set the policy to `Fail` below.
# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy
#
failurePolicy: Ignore
# matchPolicy specifies the approach to accepting changes based on the rules of
# the MutatingWebhookConfiguration.
# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy
# for more details.
#
matchPolicy: Exact
# timeoutSeconds is the amount of seconds before the webhook request will be ignored
# or fails.
# If it is ignored or fails depends on the failurePolicy
# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#timeouts
# for more details.
#
timeoutSeconds: 30
# namespaceSelector is the selector for restricting the webhook to only
# specific namespaces.
# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
# for more details.
# Example:
# namespaceSelector:
# matchLabels:
# sidecar-injector: enabled
namespaceSelector: {}
# objectSelector is the selector for restricting the webhook to only
# specific labels.
# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector
# for more details.
# Example:
# objectSelector:
# matchLabels:
# vault-sidecar-injector: enabled
objectSelector: |
matchExpressions:
- key: app.kubernetes.io/name
@@ -151,95 +61,33 @@ vault:
values:
- {{ template "vault.name" . }}-agent-injector
# Extra annotations to attach to the webhook
annotations: {}
# Deprecated: please use 'webhook.failurePolicy' instead
# Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the
# API Version of the WebHook.
# To block pod creation while webhook is unavailable, set the policy to `Fail` below.
# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy
#
failurePolicy: Ignore
# Deprecated: please use 'webhook.namespaceSelector' instead
# namespaceSelector is the selector for restricting the webhook to only
# specific namespaces.
# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
# for more details.
# Example:
# namespaceSelector:
# matchLabels:
# sidecar-injector: enabled
namespaceSelector: {}
# Deprecated: please use 'webhook.objectSelector' instead
# objectSelector is the selector for restricting the webhook to only
# specific labels.
# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector
# for more details.
# Example:
# objectSelector:
# matchLabels:
# vault-sidecar-injector: enabled
objectSelector: {}
# Deprecated: please use 'webhook.annotations' instead
# Extra annotations to attach to the webhook
webhookAnnotations: {}
certs:
# secretName is the name of the secret that has the TLS certificate and
# private key to serve the injector webhook. If this is null, then the
# injector will default to its automatic management mode that will assign
# a service account to the injector to generate its own certificates.
secretName: null
# caBundle is a base64-encoded PEM-encoded certificate bundle for the CA
# that signed the TLS certificate that the webhook serves. This must be set
# if secretName is non-null unless an external service like cert-manager is
# keeping the caBundle updated.
caBundle: ""
# certName and keyName are the names of the files within the secret for
# the TLS cert and private key, respectively. These have reasonable
# defaults but can be customized if necessary.
certName: tls.crt
keyName: tls.key
# Security context for the pod template and the injector container
# The default pod securityContext is:
# runAsNonRoot: true
# runAsGroup: {{ .Values.injector.gid | default 1000 }}
# runAsUser: {{ .Values.injector.uid | default 100 }}
# fsGroup: {{ .Values.injector.gid | default 1000 }}
# and for container is
# allowPrivilegeEscalation: false
# capabilities:
# drop:
# - ALL
securityContext:
pod: {}
container: {}
resources: {}
# resources:
# requests:
# memory: 256Mi
# cpu: 250m
# limits:
# memory: 256Mi
# cpu: 250m
resources:
requests:
memory: 256Mi
cpu: 250m
limits:
memory: 256Mi
# extraEnvironmentVars is a list of extra environment variables to set in the
# injector deployment.
extraEnvironmentVars: {}
# KUBERNETES_SERVICE_HOST: kubernetes.default.svc
# Affinity Settings for injector pods
# This can either be a multi-line string or YAML matching the PodSpec's affinity field.
# Commenting out or setting as empty the affinity variable, will allow
# deployment of multiple replicas to single node services such as Minikube.
affinity: |
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
@@ -250,58 +98,27 @@ vault:
component: webhook
topologyKey: kubernetes.io/hostname
# Topology settings for injector pods
# ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
# This should be either a multi-line string or YAML matching the topologySpreadConstraints array
# in a PodSpec.
topologySpreadConstraints: []
# Toleration Settings for injector pods
# This should be either a multi-line string or YAML matching the Toleration array
# in a PodSpec.
tolerations: []
# nodeSelector labels for server pod assignment, formatted as a multi-line string or YAML map.
# ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
# Example:
# nodeSelector:
# beta.kubernetes.io/arch: amd64
nodeSelector: {}
# Priority class for injector pods
priorityClassName: ""
# Extra annotations to attach to the injector pods
# This can either be YAML or a YAML-formatted multi-line templated string map
# of the annotations to apply to the injector pods
annotations: {}
# Extra labels to attach to the agent-injector
# This should be a YAML map of the labels to apply to the injector
extraLabels: {}
# Should the injector pods run on the host network (useful when using
# an alternate CNI in EKS)
hostNetwork: false
# Injector service specific config
service:
# Extra annotations to attach to the injector service
annotations: {}
# Injector serviceAccount specific config
serviceAccount:
# Extra annotations to attach to the injector serviceAccount
annotations: {}
# A disruption budget limits the number of pods of a replicated application
# that are down simultaneously from voluntary disruptions
podDisruptionBudget: {}
# podDisruptionBudget:
# maxUnavailable: 1
# strategy for updating the deployment. This can be a multi-line string or a
# YAML map.
strategy: {}
# strategy: |
# rollingUpdate:
@@ -334,7 +151,7 @@ vault:
repository: "hashicorp/vault"
tag: "1.12.0"
# Overrides the default Image Pull Policy
pullPolicy: IfNotPresent
pullPolicy: Always
# Configure the Update Strategy Type for the StatefulSet
# See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
@@ -362,20 +179,12 @@ vault:
# If deployment is on OpenShift, the following block is ignored.
# In order to expose the service, use the route section below
ingress:
enabled: false
enabled: true
labels: {}
# traffic: external
annotations: {}
# |
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
# or
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
# Optionally use ingressClassName instead of deprecated annotation.
# See: https://kubernetes.io/docs/concepts/services-networking/ingress/#deprecated-annotation
ingressClassName: ""
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
ingressClassName: "nginx"
# As of Kubernetes 1.19, all Ingress Paths must have a pathType configured. The default value below should be sufficient in most cases.
# See: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types for other possible values.
@@ -395,13 +204,11 @@ vault:
# name: ssl-redirect
# port:
# number: use-annotation
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
tls:
- hosts:
- bitwarden.durp.info
secretName: bitwarden-tls
# OpenShift only - create a route to expose the service
# By default the created route will be of type passthrough
route:
enabled: false