diff --git a/vault/values.yaml b/vault/values.yaml
index b0eca95..5e42ce1 100644
--- a/vault/values.yaml
+++ b/vault/values.yaml
@@ -1,149 +1,59 @@ vault: - # Available parameters and their default values for the Vault chart. global: - # enabled is the master enabled switch. Setting this to true or false - # will enable or disable all the components within this chart by default. enabled: true - - # Image pull secret to use for registry authentication. - # Alternatively, the value may be specified as an array of strings. imagePullSecrets: [] - # imagePullSecrets: - # - name: image-pull-secret - - # TLS for end-to-end encrypted transport tlsDisable: true - - # External vault server address for the injector and CSI provider to use. - # Setting this will disable deployment of a vault server. externalVaultAddr: "" - - # If deploying to OpenShift openshift: false - # Create PodSecurityPolicy for pods - psp: - enable: false - # Annotation for PodSecurityPolicy. - # This is a multi-line templated string map, and can also be set as YAML. - annotations: | - seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default - apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default - seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default - apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default - serverTelemetry: - # Enable integration with the Prometheus Operator - # See the top level serverTelemetry section below before enabling this feature. prometheusOperator: false injector: - # True if you want to enable vault agent injection. - # @default: global.enabled enabled: "-" - replicas: 1 - - # Configures the port the injector should listen on port: 8080 - # If multiple replicas are specified, by default a leader will be determined - # so that only one injector attempts to create TLS certificates. leaderElector: enabled: true - # If true, will enable a node exporter metrics endpoint at /metrics. metrics: enabled: false - # Deprecated: Please use global.externalVaultAddr instead. 
externalVaultAddr: "" - # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "1.0.1" - pullPolicy: IfNotPresent + pullPolicy: Always - # agentImage sets the repo and tag of the Vault image to use for the Vault Agent - # containers. This should be set to the official Vault image. Vault 1.3.1+ is - # required. agentImage: repository: "hashicorp/vault" - tag: "1.12.0" - # The default values for the injected Vault Agent containers. agentDefaults: - # For more information on configuring resources, see the K8s documentation: - # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ cpuRequest: "250m" memLimit: "128Mi" memRequest: "64Mi" - # Default template type for secrets when no custom template is specified. - # Possible values include: "json" and "map". template: "map" - # Default values within Agent's template_config stanza. templateConfig: exitOnRetryFailure: true staticSecretRenderInterval: "" - # Mount Path of the Vault Kubernetes Auth Method. authPath: "auth/kubernetes" - # Configures the log verbosity of the injector. - # Supported log levels include: trace, debug, info, warn, error logLevel: "info" - # Configures the log format of the injector. Supported log formats: "standard", "json". logFormat: "standard" - # Configures all Vault Agent sidecars to revoke their token when shutting down revokeOnShutdown: false webhook: - # Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the - # API Version of the WebHook. - # To block pod creation while the webhook is unavailable, set the policy to `Fail` below. - # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy - # failurePolicy: Ignore - - # matchPolicy specifies the approach to accepting changes based on the rules of - # the MutatingWebhookConfiguration. 
- # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy - # for more details. - # matchPolicy: Exact - - # timeoutSeconds is the amount of seconds before the webhook request will be ignored - # or fails. - # If it is ignored or fails depends on the failurePolicy - # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#timeouts - # for more details. - # timeoutSeconds: 30 - - # namespaceSelector is the selector for restricting the webhook to only - # specific namespaces. - # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector - # for more details. - # Example: - # namespaceSelector: - # matchLabels: - # sidecar-injector: enabled namespaceSelector: {} - - # objectSelector is the selector for restricting the webhook to only - # specific labels. - # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector - # for more details. - # Example: - # objectSelector: - # matchLabels: - # vault-sidecar-injector: enabled objectSelector: | matchExpressions: - key: app.kubernetes.io/name 
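Review bot: The injector image loses its version pin in this hunk — `tag: "1.0.1"` and the agent image's `tag: "1.12.0"` are deleted while `pullPolicy: Always` is added — so the deployment now tracks whatever tag the vault subchart's own defaults presumably supply and re-pulls it on every pod start. A mutable tag combined with `Always` means an upstream re-tag changes the running injector with no change in this repository; keep an explicit `tag` here (a digest-pinned reference is stronger still) or leave `pullPolicy: IfNotPresent`. The server image hunk later in the file makes the same `IfNotPresent` → `Always` switch but keeps its `tag: "1.12.0"`, which is the safer combination. `replicas: 1` is also dropped here, presumably to rely on the subchart default; a one-line comment would make that intent explicit.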
@@ -151,95 +61,33 @@ vault: values: - {{ template "vault.name" . }}-agent-injector - # Extra annotations to attach to the webhook annotations: {} - # Deprecated: please use 'webhook.failurePolicy' instead - # Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the - # API Version of the WebHook. - # To block pod creation while webhook is unavailable, set the policy to `Fail` below. - # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy - # failurePolicy: Ignore - # Deprecated: please use 'webhook.namespaceSelector' instead - # namespaceSelector is the selector for restricting the webhook to only - # specific namespaces. - # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector - # for more details. - # Example: - # namespaceSelector: - # matchLabels: - # sidecar-injector: enabled namespaceSelector: {} - # Deprecated: please use 'webhook.objectSelector' instead - # objectSelector is the selector for restricting the webhook to only - # specific labels. - # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector - # for more details. - # Example: - # objectSelector: - # matchLabels: - # vault-sidecar-injector: enabled objectSelector: {} - - # Deprecated: please use 'webhook.annotations' instead - # Extra annotations to attach to the webhook webhookAnnotations: {} certs: - # secretName is the name of the secret that has the TLS certificate and - # private key to serve the injector webhook. If this is null, then the - # injector will default to its automatic management mode that will assign - # a service account to the injector to generate its own certificates. secretName: null - - # caBundle is a base64-encoded PEM-encoded certificate bundle for the CA - # that signed the TLS certificate that the webhook serves. 
This must be set - # if secretName is non-null unless an external service like cert-manager is - # keeping the caBundle updated. caBundle: "" - - # certName and keyName are the names of the files within the secret for - # the TLS cert and private key, respectively. These have reasonable - # defaults but can be customized if necessary. certName: tls.crt keyName: tls.key - # Security context for the pod template and the injector container - # The default pod securityContext is: - # runAsNonRoot: true - # runAsGroup: {{ .Values.injector.gid | default 1000 }} - # runAsUser: {{ .Values.injector.uid | default 100 }} - # fsGroup: {{ .Values.injector.gid | default 1000 }} - # and for container is - # allowPrivilegeEscalation: false - # capabilities: - # drop: - # - ALL securityContext: pod: {} container: {} - resources: {} - # resources: - # requests: - # memory: 256Mi - # cpu: 250m - # limits: - # memory: 256Mi - # cpu: 250m + resources: + requests: + memory: 256Mi + cpu: 250m + limits: + memory: 256Mi - # extraEnvironmentVars is a list of extra environment variables to set in the - # injector deployment. extraEnvironmentVars: {} - # KUBERNETES_SERVICE_HOST: kubernetes.default.svc - - # Affinity Settings for injector pods - # This can either be a multi-line string or YAML matching the PodSpec's affinity field. - # Commenting out or setting as empty the affinity variable, will allow - # deployment of multiple replicas to single node services such as Minikube. affinity: | podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: 
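Review bot: The new `resources.limits` stanza sets only `memory: 256Mi`; the example this hunk deletes also carried `cpu: 250m` under limits, so it is unclear whether the missing CPU ceiling is deliberate. If it is, a comment such as `# no CPU limit on purpose: avoid throttling the webhook` keeps the next reader from "fixing" it; if not, add `cpu: 250m` beneath `memory: 256Mi` under `limits`. This hunk also removes the explanation that `caBundle` must be set whenever `secretName` is non-null while both keys stay; a one-line `# caBundle is required when secretName is set (unless cert-manager maintains it)` next to `caBundle: ""` would preserve that constraint.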
@@ -250,58 +98,27 @@ vault: component: webhook topologyKey: kubernetes.io/hostname - # Topology settings for injector pods - # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ - # This should be either a multi-line string or YAML matching the topologySpreadConstraints array - # in a PodSpec. topologySpreadConstraints: [] - # Toleration Settings for injector pods - # This should be either a multi-line string or YAML matching the Toleration array - # in a PodSpec. tolerations: [] - # nodeSelector labels for server pod assignment, formatted as a multi-line string or YAML map. - # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - # Example: - # nodeSelector: - # beta.kubernetes.io/arch: amd64 nodeSelector: {} - # Priority class for injector pods priorityClassName: "" - # Extra annotations to attach to the injector pods - # This can either be YAML or a YAML-formatted multi-line templated string map - # of the annotations to apply to the injector pods annotations: {} - # Extra labels to attach to the agent-injector - # This should be a YAML map of the labels to apply to the injector extraLabels: {} - # Should the injector pods run on the host network (useful when using - # an alternate CNI in EKS) hostNetwork: false - # Injector service specific config service: - # Extra annotations to attach to the injector service annotations: {} - # Injector serviceAccount specific config serviceAccount: - # Extra annotations to attach to the injector serviceAccount annotations: {} - # A disruption budget limits the number of pods of a replicated application - # that are down simultaneously from voluntary disruptions podDisruptionBudget: {} - # podDisruptionBudget: - # maxUnavailable: 1 - - # strategy for updating the deployment. This can be a multi-line string or a - # YAML map. strategy: {} # strategy: | # rollingUpdate: 
@@ -334,7 +151,7 @@ vault: repository: "hashicorp/vault" tag: "1.12.0" # Overrides the default Image Pull Policy - pullPolicy: IfNotPresent + pullPolicy: Always # Configure the Update Strategy Type for the StatefulSet # See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
@@ -362,20 +179,12 @@ vault: # If deployment is on OpenShift, the following block is ignored. # In order to expose the service, use the route section below ingress: - enabled: false + enabled: true labels: {} # traffic: external - annotations: {} - # | - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - # or - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - - # Optionally use ingressClassName instead of deprecated annotation. - # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#deprecated-annotation - ingressClassName: "" + annotations: + cert-manager.io/cluster-issuer: letsencrypt-production + ingressClassName: "nginx" # As of Kubernetes 1.19, all Ingress Paths must have a pathType configured. The default value below should be sufficient in most cases. # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types for other possible values.
@@ -395,13 +204,11 @@ vault: # name: ssl-redirect # port: # number: use-annotation - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local + tls: + - hosts: + - bitwarden.durp.info + secretName: bitwarden-tls - # OpenShift only - create a route to expose the service - # By default the created route will be of type passthrough route: enabled: false
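Review bot: Switching the ingress to `enabled: true` with `cert-manager.io/cluster-issuer: letsencrypt-production` and `ingressClassName: "nginx"` publishes the Vault API and UI outside the cluster, while `global.tlsDisable: true` earlier in this file is left unchanged; if that flag governs the server listener as in the upstream chart, TLS terminates at the ingress controller and the hop from controller to the Vault service is plaintext inside the cluster. Either set `tlsDisable: false` and give the listener its own certificate, or record the accepted in-cluster plaintext hop with a comment beside `enabled: true` so the exposure is a documented decision rather than an accident of defaults. The `ssl-redirect` lines just above the `tls:` block remain commented examples; confirm the controller's HTTPS redirect is in effect for the published host.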
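Review bot: The new `tls` entry names `bitwarden.durp.info` and `bitwarden-tls` in a Vault values file, which reads like a copy from another service's ingress. The TLS host must match the host in the Ingress `hosts` rule (outside this hunk) for the controller to serve the cert-manager certificate under that name, and the secret should be release-specific, e.g. `secretName: vault-tls`, so cert-manager does not overwrite or share a Bitwarden certificate secret in the same namespace. If Vault really is meant to sit behind the Bitwarden hostname, a comment on the `hosts` line saying so would settle the question for the next reader.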