update vault

vault/values.yaml

@@ -1,149 +1,59 @@
 vault:
-   # Available parameters and their default values for the Vault chart.
 
   global:
-    # enabled is the master enabled switch. Setting this to true or false
-    # will enable or disable all the components within this chart by default.
     enabled: true
-
-    # Image pull secret to use for registry authentication.
-    # Alternatively, the value may be specified as an array of strings.
     imagePullSecrets: []
-    # imagePullSecrets:
-    #   - name: image-pull-secret
-
-    # TLS for end-to-end encrypted transport
     tlsDisable: true
-
-    # External vault server address for the injector and CSI provider to use.
-    # Setting this will disable deployment of a vault server.
     externalVaultAddr: ""
-
-    # If deploying to OpenShift
     openshift: false
 
-    # Create PodSecurityPolicy for pods
-    psp:
-      enable: false
-      # Annotation for PodSecurityPolicy.
-      # This is a multi-line templated string map, and can also be set as YAML.
-      annotations: |
-        seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default
-        apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
-        seccomp.security.alpha.kubernetes.io/defaultProfileName:  runtime/default
-        apparmor.security.beta.kubernetes.io/defaultProfileName:  runtime/default
-
     serverTelemetry:
-      # Enable integration with the Prometheus Operator
-      # See the top level serverTelemetry section below before enabling this feature.
       prometheusOperator: false
 
   injector:
-    # True if you want to enable vault agent injection.
-    # @default: global.enabled
     enabled: "-"
-
     replicas: 1
-
-    # Configures the port the injector should listen on
     port: 8080
 
-    # If multiple replicas are specified, by default a leader will be determined
-    # so that only one injector attempts to create TLS certificates.
     leaderElector:
       enabled: true
 
-    # If true, will enable a node exporter metrics endpoint at /metrics.
     metrics:
       enabled: false
 
-    # Deprecated: Please use global.externalVaultAddr instead.
     externalVaultAddr: ""
 
-    # image sets the repo and tag of the vault-k8s image to use for the injector.
     image:
       repository: "hashicorp/vault-k8s"
-      tag: "1.0.1"
+      pullPolicy: Always
-      pullPolicy: IfNotPresent
 
-    # agentImage sets the repo and tag of the Vault image to use for the Vault Agent
-    # containers.  This should be set to the official Vault image.  Vault 1.3.1+ is
-    # required.
     agentImage:
       repository: "hashicorp/vault"
-      tag: "1.12.0"
 
-    # The default values for the injected Vault Agent containers.
     agentDefaults:
-      # For more information on configuring resources, see the K8s documentation:
-      # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
       cpuRequest: "250m"
       memLimit: "128Mi"
       memRequest: "64Mi"
 
-      # Default template type for secrets when no custom template is specified.
-      # Possible values include: "json" and "map".
       template: "map"
 
-      # Default values within Agent's template_config stanza.
       templateConfig:
         exitOnRetryFailure: true
         staticSecretRenderInterval: ""
 
-    # Mount Path of the Vault Kubernetes Auth Method.
     authPath: "auth/kubernetes"
 
-    # Configures the log verbosity of the injector.
-    # Supported log levels include: trace, debug, info, warn, error
     logLevel: "info"
 
-    # Configures the log format of the injector. Supported log formats: "standard", "json".
     logFormat: "standard"
 
-    # Configures all Vault Agent sidecars to revoke their token when shutting down
     revokeOnShutdown: false
 
     webhook:
-      # Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the
-      # API Version of the WebHook.
-      # To block pod creation while the webhook is unavailable, set the policy to `Fail` below.
-      # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy
-      #
       failurePolicy: Ignore
-
-      # matchPolicy specifies the approach to accepting changes based on the rules of
-      # the MutatingWebhookConfiguration.
-      # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy
-      # for more details.
-      #
       matchPolicy: Exact
-
-      # timeoutSeconds is the amount of seconds before the webhook request will be ignored
-      # or fails.
-      # If it is ignored or fails depends on the failurePolicy
-      # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#timeouts
-      # for more details.
-      #
       timeoutSeconds: 30
-
-      # namespaceSelector is the selector for restricting the webhook to only
-      # specific namespaces.
-      # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
-      # for more details.
-      # Example:
-      # namespaceSelector:
-      #    matchLabels:
-      #      sidecar-injector: enabled
       namespaceSelector: {}
-
-      # objectSelector is the selector for restricting the webhook to only
-      # specific labels.
-      # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector
-      # for more details.
-      # Example:
-      # objectSelector:
-      #    matchLabels:
-      #      vault-sidecar-injector: enabled
       objectSelector: |
         matchExpressions:
         - key: app.kubernetes.io/name
@@ -151,95 +61,33 @@ vault:
           values:
           - {{ template "vault.name" . }}-agent-injector
 
-      # Extra annotations to attach to the webhook
       annotations: {}
 
-    # Deprecated: please use 'webhook.failurePolicy' instead
-    # Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the
-    # API Version of the WebHook.
-    # To block pod creation while webhook is unavailable, set the policy to `Fail` below.
-    # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy
-    #
     failurePolicy: Ignore
 
-    # Deprecated: please use 'webhook.namespaceSelector' instead
-    # namespaceSelector is the selector for restricting the webhook to only
-    # specific namespaces.
-    # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
-    # for more details.
-    # Example:
-    # namespaceSelector:
-    #    matchLabels:
-    #      sidecar-injector: enabled
     namespaceSelector: {}
 
-    # Deprecated: please use 'webhook.objectSelector' instead
-    # objectSelector is the selector for restricting the webhook to only
-    # specific labels.
-    # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector
-    # for more details.
-    # Example:
-    # objectSelector:
-    #    matchLabels:
-    #      vault-sidecar-injector: enabled
     objectSelector: {}
-
-    # Deprecated: please use 'webhook.annotations' instead
-    # Extra annotations to attach to the webhook
     webhookAnnotations: {}
 
     certs:
-      # secretName is the name of the secret that has the TLS certificate and
-      # private key to serve the injector webhook. If this is null, then the
-      # injector will default to its automatic management mode that will assign
-      # a service account to the injector to generate its own certificates.
       secretName: null
-
-      # caBundle is a base64-encoded PEM-encoded certificate bundle for the CA
-      # that signed the TLS certificate that the webhook serves. This must be set
-      # if secretName is non-null unless an external service like cert-manager is
-      # keeping the caBundle updated.
       caBundle: ""
-
-      # certName and keyName are the names of the files within the secret for
-      # the TLS cert and private key, respectively. These have reasonable
-      # defaults but can be customized if necessary.
       certName: tls.crt
       keyName: tls.key
 
-    # Security context for the pod template and the injector container
-    # The default pod securityContext is:
-    #   runAsNonRoot: true
-    #   runAsGroup: {{ .Values.injector.gid | default 1000 }}
-    #   runAsUser: {{ .Values.injector.uid | default 100 }}
-    #   fsGroup: {{ .Values.injector.gid | default 1000 }}
-    # and for container is
-    #    allowPrivilegeEscalation: false
-    #    capabilities:
-    #      drop:
-    #        - ALL
     securityContext:
       pod: {}
       container: {}
 
-    resources: {}
+    resources: 
-    # resources:
+       requests:
-    #   requests:
+         memory: 256Mi
-    #     memory: 256Mi
+         cpu: 250m
-    #     cpu: 250m
+       limits:
-    #   limits:
+         memory: 256Mi
-    #     memory: 256Mi
-    #     cpu: 250m
 
-    # extraEnvironmentVars is a list of extra environment variables to set in the
-    # injector deployment.
     extraEnvironmentVars: {}
-      # KUBERNETES_SERVICE_HOST: kubernetes.default.svc
-
-    # Affinity Settings for injector pods
-    # This can either be a multi-line string or YAML matching the PodSpec's affinity field.
-    # Commenting out or setting as empty the affinity variable, will allow
-    # deployment of multiple replicas to single node services such as Minikube.
     affinity: |
       podAntiAffinity:
         requiredDuringSchedulingIgnoredDuringExecution:
@@ -250,58 +98,27 @@ vault:
                 component: webhook
             topologyKey: kubernetes.io/hostname
 
-    # Topology settings for injector pods
-    # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
-    # This should be either a multi-line string or YAML matching the topologySpreadConstraints array
-    # in a PodSpec.
     topologySpreadConstraints: []
 
-    # Toleration Settings for injector pods
-    # This should be either a multi-line string or YAML matching the Toleration array
-    # in a PodSpec.
     tolerations: []
 
-    # nodeSelector labels for server pod assignment, formatted as a multi-line string or YAML map.
-    # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
-    # Example:
-    # nodeSelector:
-    #   beta.kubernetes.io/arch: amd64
     nodeSelector: {}
 
-    # Priority class for injector pods
     priorityClassName: ""
 
-    # Extra annotations to attach to the injector pods
-    # This can either be YAML or a YAML-formatted multi-line templated string map
-    # of the annotations to apply to the injector pods
     annotations: {}
 
-    # Extra labels to attach to the agent-injector
-    # This should be a YAML map of the labels to apply to the injector
     extraLabels: {}
 
-    # Should the injector pods run on the host network (useful when using
-    # an alternate CNI in EKS)
     hostNetwork: false
 
-    # Injector service specific config
     service:
-      # Extra annotations to attach to the injector service
       annotations: {}
 
-    # Injector serviceAccount specific config
     serviceAccount:
-      # Extra annotations to attach to the injector serviceAccount
       annotations: {}
 
-    # A disruption budget limits the number of pods of a replicated application
-    # that are down simultaneously from voluntary disruptions
     podDisruptionBudget: {}
-    # podDisruptionBudget:
-    #   maxUnavailable: 1
-
-    # strategy for updating the deployment. This can be a multi-line string or a
-    # YAML map.
     strategy: {}
     # strategy: |
     #   rollingUpdate:
@@ -334,7 +151,7 @@ vault:
       repository: "hashicorp/vault"
       tag: "1.12.0"
       # Overrides the default Image Pull Policy
-      pullPolicy: IfNotPresent
+      pullPolicy: Always
 
     # Configure the Update Strategy Type for the StatefulSet
     # See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
@@ -362,20 +179,12 @@ vault:
     # If deployment is on OpenShift, the following block is ignored.
     # In order to expose the service, use the route section below
     ingress:
-      enabled: false
+      enabled: true
       labels: {}
         # traffic: external
-      annotations: {}
+      annotations: 
-        # |
+        cert-manager.io/cluster-issuer: letsencrypt-production 
-        # kubernetes.io/ingress.class: nginx
+      ingressClassName: "nginx"
-        # kubernetes.io/tls-acme: "true"
-        #   or
-        # kubernetes.io/ingress.class: nginx
-        # kubernetes.io/tls-acme: "true"
-
-      # Optionally use ingressClassName instead of deprecated annotation.
-      # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#deprecated-annotation
-      ingressClassName: ""
 
       # As of Kubernetes 1.19, all Ingress Paths must have a pathType configured. The default value below should be sufficient in most cases.
       # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types for other possible values.
@@ -395,13 +204,11 @@ vault:
       #       name: ssl-redirect
       #       port:
       #         number: use-annotation
-      tls: []
+      tls: 
-      #  - secretName: chart-example-tls
+        - hosts: 
-      #    hosts:
+          - bitwarden.durp.info
-      #      - chart-example.local
+          secretName: bitwarden-tls
 
-    # OpenShift only - create a route to expose the service
-    # By default the created route will be of type passthrough
     route:
       enabled: false