vault: global: enabled: true tlsDisable: false resources: requests: memory: 256Mi cpu: 250m limits: memory: 256Mi cpu: 250m server: image: repository: "hashicorp/vault" # These Resource Limits are in line with node requirements in the # Vault Reference Architecture for a Small Cluster #resources: # requests: # memory: 8Gi # cpu: 2000m # limits: # memory: 16Gi # cpu: 2000m # For HA configuration and because we need to manually init the vault, # we need to define custom readiness/liveness Probe settings readinessProbe: enabled: true path: "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204" livenessProbe: enabled: true path: "/v1/sys/health?standbyok=true" initialDelaySeconds: 60 # extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be # used to include variables required for auto-unseal. extraEnvironmentVars: VAULT_CACERT: /vault/userconfig/vault-server-tls/vault.ca extraSecretEnvironmentVars: - envName: VAULT_TOKEN secretName: autounseal secretKey: VAULT_TOKEN volumes: - name: userconfig-vault-server-tls secret: defaultMode: 420 secretName: vault-server-tls volumeMounts: - mountPath: /vault/userconfig/vault-server-tls name: userconfig-vault-server-tls readOnly: true # This configures the Vault Statefulset to create a PVC for audit logs. # See https://www.vaultproject.io/docs/audit/index.html to know more auditStorage: enabled: true standalone: enabled: false config: | disable_mlock = true ui = true listener "tcp" { address = "[::]:8200" cluster_address = "[::]:8201" tls_cert_file = "/vault/userconfig/vault-server-tls/vault.crt" tls_key_file = "/vault/userconfig/vault-server-tls/vault.key" } seal "transit" { address = "https://root-vault.internal.durp.info" disable_renewal = "false" key_name = "autounseal" mount_path = "transit/" tls_skip_verify = "true" } storage "raft" { path = "/vault/data" } # Run Vault in "HA" mode. ha: enabled: true replicas: 3 raft: enabled: true setNodeId: true config: | ui = true cluster_name = "vault-integrated-storage" listener "tcp" { address = "[::]:8200" cluster_address = "[::]:8201" tls_cert_file = "/vault/userconfig/vault-server-tls/vault.crt" tls_key_file = "/vault/userconfig/vault-server-tls/vault.key" } seal "transit" { address = "https://root-vault.internal.durp.info" disable_renewal = "false" key_name = "autounseal" mount_path = "transit/" tls_skip_verify = "true" } storage "raft" { path = "/vault/data" retry_join { leader_api_addr = "https://vault-0.vault-internal:8200" leader_ca_cert_file = "/vault/userconfig/vault-server-tls/vault.ca" leader_client_cert_file = "/vault/userconfig/vault-server-tls/vault.crt" leader_client_key_file = "/vault/userconfig/vault-server-tls/vault.key" } retry_join { leader_api_addr = "https://vault-1.vault-internal:8200" leader_ca_cert_file = "/vault/userconfig/vault-server-tls/vault.ca" leader_client_cert_file = "/vault/userconfig/vault-server-tls/vault.crt" leader_client_key_file = "/vault/userconfig/vault-server-tls/vault.key" } retry_join { leader_api_addr = "https://vault-2.vault-internal:8200" leader_ca_cert_file = "/vault/userconfig/vault-server-tls/vault.ca" leader_client_cert_file = "/vault/userconfig/vault-server-tls/vault.crt" leader_client_key_file = "/vault/userconfig/vault-server-tls/vault.key" } } # Vault UI ui: enabled: false serviceType: "LoadBalancer" serviceNodePort: null externalPort: 8200