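---
# Available parameters and their default values for the Vault chart.

global:
  # enabled is the master enabled switch. Setting this to true or false
  # will enable or disable all the components within this chart by default.
  enabled: true

  # Image is the name (and tag) of the Vault Docker image. Keep the tag
  # pinned so that an image upgrade is a deliberate change to this file.
  image: "vault:1.2.0"

server:
  # Resource requests, limits, etc. for the server cluster placement. This
  # should map directly to the value of the resources field for a PodSpec.
  # By default no direct resource request is made (empty mapping).
  resources: {}
  # Example:
  # resources:
  #   requests:
  #     memory: 256Mi
  #     cpu: 250m
  #   limits:
  #     memory: 256Mi
  #     cpu: 250m

  # extraEnvironmentVars is a map of extra environment variables to set on
  # the stateful set. These could be used to include variables required for
  # auto-unseal. Point credential variables at files mounted through
  # extraVolumes (under /vault/userconfig/<name>/) rather than placing the
  # secret material itself in this values file.
  extraEnvironmentVars: {}
  # Example:
  # extraEnvironmentVars:
  #   GOOGLE_REGION: global
  #   GOOGLE_PROJECT: myproject
  #   GOOGLE_CREDENTIALS: /vault/userconfig/myproject/myproject-creds.json

  # extraVolumes is a list of extra volumes to mount. These will be exposed
  # to Vault in the path `/vault/userconfig/<name>/`. The value below is
  # an array of objects; an example is shown below.
  extraVolumes: []
  # Example:
  # extraVolumes:
  #   - type: secret  # or "configMap"
  #     name: my-secret
  #     load: false  # if true, the mount is also passed to Vault with `-config`

  # Affinity Settings
  # Commenting out this variable, or setting it to empty, allows
  # deployment to single-node clusters such as Minikube. The default
  # anti-affinity below keeps server pods on distinct nodes
  # (topologyKey kubernetes.io/hostname). The value is a raw string that
  # is rendered as a template, hence the {{ ... }} expressions.
  affinity: |
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchLabels:
              app: {{ template "vault.name" . }}
              release: "{{ .Release.Name }}"
              component: server
          topologyKey: kubernetes.io/hostname

  # Enables a headless service to be used by the Vault Statefulset
  service:
    enabled: true

  # This configures the Vault Statefulset to create a PVC for data
  # storage when using the file backend (see the storage "file" stanza in
  # standalone.config below).
  dataStorage:
    enabled: true
    # Size of the PVC created
    size: 10Gi
    # Name of the storage class to use. If null it will use the
    # configured default Storage Class.
    storageClass: null
    # Access Mode of the storage device being used for the PVC
    accessMode: ReadWriteOnce

  # This configures the Vault Statefulset to create a PVC for audit
  # logs. Once Vault is deployed, initialized and unsealed, Vault must
  # be configured to use this for audit logs. This will be mounted to
  # /vault/audit. Enabling this only provisions the storage; an audit
  # device still has to be enabled in Vault for anything to be written.
  # See https://www.vaultproject.io/docs/audit/index.html to know more
  auditStorage:
    enabled: false
    # Size of the PVC created
    size: 10Gi
    # Name of the storage class to use. If null it will use the
    # configured default Storage Class.
    storageClass: null
    # Access Mode of the storage device being used for the PVC
    accessMode: ReadWriteOnce

  # Run Vault in "dev" mode. This requires no further setup, no state management,
  # and no initialization. This is useful for experimenting with Vault without
  # needing to unseal, store keys, et al. All data is lost on restart - do not
  # use dev mode for anything other than experimenting, and do not expose a
  # dev-mode server beyond a throwaway test cluster.
  # See https://www.vaultproject.io/docs/concepts/dev-server.html to know more
  dev:
    enabled: false

  # Run Vault in "standalone" mode. This is the default mode that will deploy if
  # no arguments are given to helm. This requires a PVC for data storage to use
  # the "file" backend. This mode is not highly available and should not be scaled
  # past a single replica.
  standalone:
    # NOTE(review): "-" is a sentinel interpreted by the chart templates
    # (presumably "decide from the other modes"); confirm there before changing.
    enabled: "-"

    # config is a raw string of default configuration when using a Stateful
    # deployment. Default is to use a PersistentVolumeClaim mounted at /vault/data
    # and store data there. This is only used when using a Replica count of 1, and
    # using a stateful set. This should be HCL.
    #
    # Security note: tls_disable = 1 makes the listener plaintext, which is
    # acceptable only for evaluation. Before exposing the API, set
    # tls_disable = 0 and configure the listener with a certificate and key
    # (for example mounted through extraVolumes), and switch api_addr to https.
    # POD_IP is presumably substituted with the pod address at startup —
    # confirm against the statefulset template.
    config: |
      ui = true
      api_addr = "http://POD_IP:8200"
      listener "tcp" {
        tls_disable = 1
        address = "0.0.0.0:8200"
      }
      storage "file" {
        path = "/vault/data"
      }

      # Example configuration for using auto-unseal, using Google Cloud KMS. The
      # GKMS keys must already exist, and the cluster must have a service account
      # that is authorized to access GCP KMS.
      # seal "gcpckms" {
      #   project = "vault-helm-dev"
      #   region = "global"
      #   key_ring = "vault-helm-unseal-kr"
      #   crypto_key = "vault-helm-unseal-key"
      # }

  # Run Vault in "HA" mode. There are no storage requirements unless audit log
  # persistence is required. In HA mode Vault will configure itself to use Consul
  # for its storage backend. The default configuration provided will work with
  # the Consul Helm project by default. It is possible to manually configure
  # Vault to use a different HA backend.
  ha:
    enabled: false
    replicas: 3

    # config is a raw string of default configuration when using a Stateful
    # deployment. Default is to use Consul for its HA storage backend.
    # This should be HCL.
    #
    # Security note: as in standalone.config, tls_disable = 1 leaves the
    # listener plaintext; set tls_disable = 0 and configure a certificate and
    # key before exposing the API. The Consul address is also plain HTTP.
    # POD_IP and HOST_IP are presumably substituted at startup — confirm
    # against the statefulset template.
    config: |
      ui = true
      api_addr = "http://POD_IP:8200"
      listener "tcp" {
        tls_disable = 1
        address = "0.0.0.0:8200"
      }
      storage "consul" {
        path = "vault"
        address = "HOST_IP:8500"
      }

      # Example configuration for using auto-unseal, using Google Cloud KMS. The
      # GKMS keys must already exist, and the cluster must have a service account
      # that is authorized to access GCP KMS.
      # seal "gcpckms" {
      #   project = "vault-helm-dev-246514"
      #   region = "global"
      #   key_ring = "vault-helm-unseal-kr"
      #   crypto_key = "vault-helm-unseal-key"
      # }

    # A disruption budget limits the number of pods of a replicated application
    # that are down simultaneously from voluntary disruptions
    disruptionBudget:
      enabled: true

      # maxUnavailable will default to (n/2)-1 where n is the number of
      # replicas. If you'd like a custom value, you can specify an override here.
      maxUnavailable: null

# Vault UI
ui:
  # True if you want to create a Service entry for the Vault UI.
  #
  # serviceType can be used to control the type of service created. For
  # example, setting this to "LoadBalancer" will create an external load
  # balancer (for supported K8S installations) to access the UI. That
  # exposes the UI outside the cluster; keep "ClusterIP" unless an ingress
  # or network policy restricts who can reach it.
  enabled: false
  serviceType: "ClusterIP"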