vault:
  global:
    enabled: true
    tlsDisable: true
    resources:
      requests:
        memory: 256Mi
        cpu: 250m
      limits:
        memory: 256Mi
        cpu: 250m
  
  server:
    image:
      repository: "hashicorp/vault"
    # These Resource Limits are in line with node requirements in the
    # Vault Reference Architecture for a Small Cluster
    #resources:
    #  requests:
    #    memory: 8Gi
    #    cpu: 2000m
    #  limits:
    #    memory: 16Gi
    #    cpu: 2000m
  
    # For HA configuration and because we need to manually init the vault,
    # we need to define custom readiness/liveness Probe settings
    readinessProbe:
      enabled: true
      path: "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204"
    livenessProbe:
      enabled: true
      path: "/v1/sys/health?standbyok=true"
      initialDelaySeconds: 60
  
    # extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be
    # used to include variables required for auto-unseal.
    #extraEnvironmentVars:
      #VAULT_CACERT: /vault/userconfig/vault-server-tls/vault.ca

    extraSecretEnvironmentVars: 
      - envName: VAULT_TOKEN
        secretName: autounseal
        secretKey: VAULT_TOKEN
  
    #volumes:
    #  - name: userconfig-vault-server-tls
    #    secret:
    #      defaultMode: 420
    #      secretName: vault-server-tls 

    #volumeMounts:
    #  - mountPath: /vault/userconfig/vault-server-tls
    #    name: userconfig-vault-server-tls
    #    readOnly: true
  
    # This configures the Vault Statefulset to create a PVC for audit logs.
    # See https://www.vaultproject.io/docs/audit/index.html to know more
    auditStorage:
      enabled: true
  
    standalone:
      enabled: false

      config: |
        disable_mlock = true
        ui = true
        listener "tcp" {
          address = "[::]:8200"
          cluster_address = "[::]:8201"
        }

        seal "transit" {
          address = "http://192.168.20.253:8201"
          disable_renewal = "false"
          key_name = "autounseal"
          mount_path = "transit/"
          tls_skip_verify = "true"
        }

        storage "raft" {
            path = "/vault/data"
        }
  
    # Run Vault in "HA" mode.
    ha:
      enabled: true
      replicas: 3
      raft:
        enabled: true
        setNodeId: true
  
        config: |
          ui = true
          cluster_name = "vault-integrated-storage"
          listener "tcp" {
            address = "[::]:8200"
            cluster_address = "[::]:8201"
          }

          seal "transit" {
            address = "https://192.168.20.253:8201"
            disable_renewal = "false"
            key_name = "autounseal"
            mount_path = "transit/"
            tls_skip_verify = "true"
          }
  
          storage "raft" {
            path = "/vault/data"
            retry_join {
              leader_api_addr = "http://vault-0.vault-internal:8200"
              tls_skip_verify = "true"
            }
            retry_join {
              leader_api_addr = "http://vault-1.vault-internal:8200"
            }
            retry_join {
              leader_api_addr = "http://vault-2.vault-internal:8200"
            }
          } 
  
  # Vault UI
  ui:
    enabled: true
    serviceType: "LoadBalancer"
    serviceNodePort: null
    externalPort: 8200