370 lines
14 KiB
YAML
370 lines
14 KiB
YAML
#vault:
|
|
#
|
|
# # Available parameters and their default values for the Vault chart.
|
|
#
|
|
# global:
|
|
# # enabled is the master enabled switch. Setting this to true or false
|
|
# # will enable or disable all the components within this chart by default.
|
|
# enabled: true
|
|
# # Image pull secret to use for registry authentication.
|
|
# imagePullSecrets: []
|
|
# # imagePullSecrets:
|
|
# # - name: image-pull-secret
|
|
# # TLS for end-to-end encrypted transport
|
|
# tlsDisable: true
|
|
#
|
|
# injector:
|
|
# # True if you want to enable vault agent injection.
|
|
# enabled: true
|
|
#
|
|
# # External vault server address for the injector to use. Setting this will
|
|
# # disable deployment of a vault server along with the injector.
|
|
# externalVaultAddr: ""
|
|
#
|
|
# # image sets the repo and tag of the vault-k8s image to use for the injector.
|
|
# image:
|
|
# repository: "hashicorp/vault-k8s"
|
|
# tag: "0.2.0"
|
|
# pullPolicy: always
|
|
#
|
|
# # agentImage sets the repo and tag of the Vault image to use for the Vault Agent
|
|
# # containers. This should be set to the official Vault image. Vault 1.3.1+ is
|
|
# # required.
|
|
# agentImage:
|
|
# repository: "vault"
|
|
# tag: "1.3.2"
|
|
#
|
|
# # namespaceSelector is the selector for restricting the webhook to only
|
|
# # specific namespaces. This should be set to a multiline string.
|
|
# # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
|
|
# # for more details.
|
|
# # Example:
|
|
# # namespaceSelector: |
|
|
# # matchLabels:
|
|
# # sidecar-injector: enabled
|
|
# namespaceSelector: {}
|
|
#
|
|
# certs:
|
|
# # secretName is the name of the secret that has the TLS certificate and
|
|
# # private key to serve the injector webhook. If this is null, then the
|
|
# # injector will default to its automatic management mode that will assign
|
|
# # a service account to the injector to generate its own certificates.
|
|
# secretName: null
|
|
#
|
|
# # caBundle is a base64-encoded PEM-encoded certificate bundle for the
|
|
# # CA that signed the TLS certificate that the webhook serves. This must
|
|
# # be set if secretName is non-null.
|
|
# caBundle: ""
|
|
#
|
|
# # certName and keyName are the names of the files within the secret for
|
|
# # the TLS cert and private key, respectively. These have reasonable
|
|
# # defaults but can be customized if necessary.
|
|
# certName: tls.crt
|
|
# keyName: tls.key
|
|
#
|
|
# resources: {}
|
|
# # resources:
|
|
# # requests:
|
|
# # memory: 256Mi
|
|
# # cpu: 250m
|
|
# # limits:
|
|
# # memory: 256Mi
|
|
# # cpu: 250m
|
|
#
|
|
# server:
|
|
# # Resource requests, limits, etc. for the server cluster placement. This
|
|
# # should map directly to the value of the resources field for a PodSpec.
|
|
# # By default no direct resource request is made.
|
|
#
|
|
# image:
|
|
# repository: "vault"
|
|
# tag: "1.3.2"
|
|
# # Overrides the default Image Pull Policy
|
|
# pullPolicy: IfNotPresent
|
|
#
|
|
# # Configure the Update Strategy Type for the StatefulSet
|
|
# # See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
|
|
# updateStrategyType: "OnDelete"
|
|
#
|
|
# resources:
|
|
# # resources:
|
|
# # requests:
|
|
# # memory: 256Mi
|
|
# # cpu: 250m
|
|
# # limits:
|
|
# # memory: 256Mi
|
|
# # cpu: 250m
|
|
#
|
|
# # Ingress allows ingress services to be created to allow external access
|
|
# # from Kubernetes to access Vault pods.
|
|
# ingress:
|
|
# enabled: false
|
|
# labels: {}
|
|
# # traffic: external
|
|
# annotations: {}
|
|
# # kubernetes.io/ingress.class: nginx
|
|
# # kubernetes.io/tls-acme: "true"
|
|
# hosts:
|
|
# - host: chart-example.local
|
|
# paths: []
|
|
#
|
|
# tls: []
|
|
# # - secretName: chart-example-tls
|
|
# # hosts:
|
|
# # - chart-example.local
|
|
#
|
|
#
|
|
# # authDelegator enables a cluster role binding to be attached to the service
|
|
# # account. This cluster role binding can be used to setup Kubernetes auth
|
|
# # method. https://www.vaultproject.io/docs/auth/kubernetes.html
|
|
# authDelegator:
|
|
# enabled: true
|
|
#
|
|
# # extraContainers is a list of sidecar containers. Specified as a raw YAML string.
|
|
# extraContainers: null
|
|
#
|
|
# # shareProcessNamespace enables process namespace sharing between Vault and the extraContainers
|
|
# # This is useful if Vault must be signaled, e.g. to send a SIGHUP for log rotation
|
|
# shareProcessNamespace: false
|
|
#
|
|
# # extraArgs is a string containing additional Vault server arguments.
|
|
# extraArgs: ""
|
|
#
|
|
# # Used to define custom readinessProbe settings
|
|
# readinessProbe:
|
|
# enabled: true
|
|
# # If you need to use a http path instead of the default exec
|
|
# # path: /v1/sys/health?standbyok=true
|
|
# # Used to enable a livenessProbe for the pods
|
|
# livenessProbe:
|
|
# enabled: false
|
|
# path: "/v1/sys/health?standbyok=true"
|
|
# initialDelaySeconds: 60
|
|
#
|
|
# # Used to set the sleep time during the preStop step
|
|
# preStopSleepSeconds: 5
|
|
#
|
|
# # extraEnvironmentVars is a list of extra enviroment variables to set with the stateful set. These could be
|
|
# # used to include variables required for auto-unseal.
|
|
# extraEnvironmentVars: {}
|
|
# # GOOGLE_REGION: global
|
|
# # GOOGLE_PROJECT: myproject
|
|
# # GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/myproject/myproject-creds.json
|
|
#
|
|
# # extraSecretEnvironmentVars is a list of extra enviroment variables to set with the stateful set.
|
|
# # These variables take value from existing Secret objects.
|
|
# extraSecretEnvironmentVars: []
|
|
# # - envName: AWS_SECRET_ACCESS_KEY
|
|
# # secretName: vault
|
|
# # secretKey: AWS_SECRET_ACCESS_KEY
|
|
#
|
|
# # extraVolumes is a list of extra volumes to mount. These will be exposed
|
|
# # to Vault in the path `/vault/userconfig/<name>/`. The value below is
|
|
# # an array of objects, examples are shown below.
|
|
# extraVolumes: []
|
|
# # - type: secret (or "configMap")
|
|
# # name: my-secret
|
|
# # path: null # default is `/vault/userconfig`
|
|
#
|
|
# # Affinity Settings
|
|
# # Commenting out or setting as empty the affinity variable, will allow
|
|
# # deployment to single node services such as Minikube
|
|
# affinity: |
|
|
# podAntiAffinity:
|
|
# requiredDuringSchedulingIgnoredDuringExecution:
|
|
# - labelSelector:
|
|
# matchLabels:
|
|
# app.kubernetes.io/name: {{ template "vault.name" . }}
|
|
# app.kubernetes.io/instance: "{{ .Release.Name }}"
|
|
# component: server
|
|
# topologyKey: kubernetes.io/hostname
|
|
#
|
|
# # Toleration Settings for server pods
|
|
# # This should be a multi-line string matching the Toleration array
|
|
# # in a PodSpec.
|
|
# tolerations: {}
|
|
#
|
|
# # nodeSelector labels for server pod assignment, formatted as a muli-line string.
|
|
# # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
|
|
# # Example:
|
|
# # nodeSelector: |
|
|
# # beta.kubernetes.io/arch: amd64
|
|
# nodeSelector: {}
|
|
#
|
|
# # Extra labels to attach to the server pods
|
|
# # This should be a multi-line string mapping directly to the a map of
|
|
# # the labels to apply to the server pods
|
|
# extraLabels: {}
|
|
#
|
|
# # Extra annotations to attach to the server pods
|
|
# # This should be a multi-line string mapping directly to the a map of
|
|
# # the annotations to apply to the server pods
|
|
# annotations: {}
|
|
#
|
|
# # Enables a headless service to be used by the Vault Statefulset
|
|
# service:
|
|
# enabled: true
|
|
# # clusterIP controls whether a Cluster IP address is attached to the
|
|
# # Vault service within Kubernetes. By default the Vault service will
|
|
# # be given a Cluster IP address, set to None to disable. When disabled
|
|
# # Kubernetes will create a "headless" service. Headless services can be
|
|
# # used to communicate with pods directly through DNS instead of a round robin
|
|
# # load balancer.
|
|
# # clusterIP: None
|
|
#
|
|
# # Configures the service type for the main Vault service. Can be ClusterIP
|
|
# # or NodePort.
|
|
# #type: ClusterIP
|
|
#
|
|
# # If type is set to "NodePort", a specific nodePort value can be configured,
|
|
# # will be random if left blank.
|
|
# #nodePort: 30000
|
|
#
|
|
# # Port on which Vault server is listening
|
|
# port: 8200
|
|
# # Target port to which the service should be mapped to
|
|
# targetPort: 8200
|
|
# # Extra annotations for the service definition
|
|
# annotations: {}
|
|
#
|
|
# # This configures the Vault Statefulset to create a PVC for data
|
|
# # storage when using the file backend.
|
|
# # See https://www.vaultproject.io/docs/configuration/storage/index.html to know more
|
|
# dataStorage:
|
|
# enabled: true
|
|
# # Size of the PVC created
|
|
# size: 10Gi
|
|
# # Name of the storage class to use. If null it will use the
|
|
# # configured default Storage Class.
|
|
# storageClass: null
|
|
# # Access Mode of the storage device being used for the PVC
|
|
# accessMode: ReadWriteOnce
|
|
#
|
|
# # This configures the Vault Statefulset to create a PVC for audit
|
|
# # logs. Once Vault is deployed, initialized and unseal, Vault must
|
|
# # be configured to use this for audit logs. This will be mounted to
|
|
# # /vault/audit
|
|
# # See https://www.vaultproject.io/docs/audit/index.html to know more
|
|
# auditStorage:
|
|
# enabled: false
|
|
# # Size of the PVC created
|
|
# size: 10Gi
|
|
# # Name of the storage class to use. If null it will use the
|
|
# # configured default Storage Class.
|
|
# storageClass: null
|
|
# # Access Mode of the storage device being used for the PVC
|
|
# accessMode: ReadWriteOnce
|
|
#
|
|
# # Run Vault in "dev" mode. This requires no further setup, no state management,
|
|
# # and no initialization. This is useful for experimenting with Vault without
|
|
# # needing to unseal, store keys, et. al. All data is lost on restart - do not
|
|
# # use dev mode for anything other than experimenting.
|
|
# # See https://www.vaultproject.io/docs/concepts/dev-server.html to know more
|
|
# dev:
|
|
# enabled: false
|
|
#
|
|
# # Run Vault in "standalone" mode. This is the default mode that will deploy if
|
|
# # no arguments are given to helm. This requires a PVC for data storage to use
|
|
# # the "file" backend. This mode is not highly available and should not be scaled
|
|
# # past a single replica.
|
|
# standalone:
|
|
# enabled: "-"
|
|
#
|
|
# # config is a raw string of default configuration when using a Stateful
|
|
# # deployment. Default is to use a PersistentVolumeClaim mounted at /vault/data
|
|
# # and store data there. This is only used when using a Replica count of 1, and
|
|
# # using a stateful set. This should be HCL.
|
|
# config: |
|
|
# ui = true
|
|
#
|
|
# listener "tcp" {
|
|
# tls_disable = 1
|
|
# address = "[::]:8200"
|
|
# cluster_address = "[::]:8201"
|
|
# }
|
|
# storage "file" {
|
|
# path = "/vault/data"
|
|
# }
|
|
#
|
|
# # Example configuration for using auto-unseal, using Google Cloud KMS. The
|
|
# # GKMS keys must already exist, and the cluster must have a service account
|
|
# # that is authorized to access GCP KMS.
|
|
# #seal "gcpckms" {
|
|
# # project = "vault-helm-dev"
|
|
# # region = "global"
|
|
# # key_ring = "vault-helm-unseal-kr"
|
|
# # crypto_key = "vault-helm-unseal-key"
|
|
# #}
|
|
#
|
|
# # Run Vault in "HA" mode. There are no storage requirements unless audit log
|
|
# # persistence is required. In HA mode Vault will configure itself to use Consul
|
|
# # for its storage backend. The default configuration provided will work the Consul
|
|
# # Helm project by default. It is possible to manually configure Vault to use a
|
|
# # different HA backend.
|
|
# ha:
|
|
# enabled: false
|
|
# replicas: 3
|
|
#
|
|
# # config is a raw string of default configuration when using a Stateful
|
|
# # deployment. Default is to use a Consul for its HA storage backend.
|
|
# # This should be HCL.
|
|
# config: |
|
|
# ui = true
|
|
#
|
|
# listener "tcp" {
|
|
# tls_disable = 1
|
|
# address = "[::]:8200"
|
|
# cluster_address = "[::]:8201"
|
|
# }
|
|
# storage "consul" {
|
|
# path = "vault"
|
|
# address = "HOST_IP:8500"
|
|
# }
|
|
#
|
|
# # Example configuration for using auto-unseal, using Google Cloud KMS. The
|
|
# # GKMS keys must already exist, and the cluster must have a service account
|
|
# # that is authorized to access GCP KMS.
|
|
# #seal "gcpckms" {
|
|
# # project = "vault-helm-dev-246514"
|
|
# # region = "global"
|
|
# # key_ring = "vault-helm-unseal-kr"
|
|
# # crypto_key = "vault-helm-unseal-key"
|
|
# #}
|
|
#
|
|
# # A disruption budget limits the number of pods of a replicated application
|
|
# # that are down simultaneously from voluntary disruptions
|
|
# disruptionBudget:
|
|
# enabled: true
|
|
#
|
|
# # maxUnavailable will default to (n/2)-1 where n is the number of
|
|
# # replicas. If you'd like a custom value, you can specify an override here.
|
|
# maxUnavailable: null
|
|
#
|
|
# # Definition of the serviceAccount used to run Vault.
|
|
# serviceAccount:
|
|
# annotations: {}
|
|
#
|
|
# # Vault UI
|
|
# ui:
|
|
# # True if you want to create a Service entry for the Vault UI.
|
|
# #
|
|
# # serviceType can be used to control the type of service created. For
|
|
# # example, setting this to "LoadBalancer" will create an external load
|
|
# # balancer (for supported K8S installations) to access the UI.
|
|
# enabled: false
|
|
# serviceType: "ClusterIP"
|
|
# serviceNodePort: null
|
|
# externalPort: 8200
|
|
#
|
|
# # loadBalancerSourceRanges:
|
|
# # - 10.0.0.0/16
|
|
# # - 1.78.23.3/32
|
|
#
|
|
# # loadBalancerIP:
|
|
#
|
|
# # Extra annotations to attach to the ui service
|
|
# # This should be a multi-line string mapping directly to the a map of
|
|
# # the annotations to apply to the ui service
|
|
# annotations: {}
|
|
#
|