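# Available parameters and their default values for the Vault chart.

global:
  # enabled is the master enabled switch. Setting this to true or false
  # will enable or disable all the components within this chart by default.
  enabled: true

  # Image pull secret to use for registry authentication.
  # Alternatively, the value may be specified as an array of strings.
  imagePullSecrets: []
  # imagePullSecrets:
  #   - name: image-pull-secret

  # TLS for end-to-end encrypted transport.
  # The default of true disables TLS. It matches the `tls_disable = 1` listener
  # in server.standalone.config below, which is a raw string and has to be
  # changed separately. Set this to false and provide certificates for any
  # deployment that is more than a trial.
  tlsDisable: true

  # If deploying to OpenShift
  openshift: false

  # Create PodSecurityPolicy for pods
  psp:
    enable: false
    # Annotation for PodSecurityPolicy.
    # This is a multi-line templated string map, and can also be set as YAML.
    annotations: |
      seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default
      apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
      seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
      apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
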
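injector:
  # True if you want to enable vault agent injection.
  enabled: true

  replicas: 1

  # Configures the port the injector should listen on
  port: 8080

  # If multiple replicas are specified, by default a leader will be determined
  # so that only one injector attempts to create TLS certificates.
  leaderElector:
    enabled: true

  # If true, will enable a node exporter metrics endpoint at /metrics.
  metrics:
    enabled: false

  # External vault server address for the injector to use. Setting this will
  # disable deployment of a vault server along with the injector.
  externalVaultAddr: ""

  # image sets the repo and tag of the vault-k8s image to use for the injector.
  image:
    repository: "hashicorp/vault-k8s"
    tag: "0.14.1"
    pullPolicy: IfNotPresent

  # agentImage sets the repo and tag of the Vault image to use for the Vault Agent
  # containers. This should be set to the official Vault image. Vault 1.3.1+ is
  # required.
  agentImage:
    repository: "hashicorp/vault"
    tag: "1.9.0"

  # The default values for the injected Vault Agent containers.
  agentDefaults:
    # For more information on configuring resources, see the K8s documentation:
    # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
    cpuLimit: "500m"
    cpuRequest: "250m"
    memLimit: "128Mi"
    memRequest: "64Mi"

    # Default template type for secrets when no custom template is specified.
    # Possible values include: "json" and "map".
    template: "map"

    # Default values within Agent's template_config stanza.
    templateConfig:
      exitOnRetryFailure: true
      staticSecretRenderInterval: ""

  # Mount Path of the Vault Kubernetes Auth Method.
  authPath: "auth/kubernetes"

  # Configures the log verbosity of the injector.
  # Supported log levels include: trace, debug, info, warn, error
  logLevel: "info"

  # Configures the log format of the injector. Supported log formats: "standard", "json".
  logFormat: "standard"

  # Configures all Vault Agent sidecars to revoke their token when shutting down.
  # With false, a sidecar's token is left to expire on its own TTL after the pod stops.
  revokeOnShutdown: false

  # namespaceSelector is the selector for restricting the webhook to only
  # specific namespaces.
  # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
  # for more details.
  # Example:
  # namespaceSelector:
  #   matchLabels:
  #     sidecar-injector: enabled
  namespaceSelector: {}

  # objectSelector is the selector for restricting the webhook to only
  # specific labels.
  # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector
  # for more details.
  # Example:
  # objectSelector:
  #   matchLabels:
  #     vault-sidecar-injector: enabled
  objectSelector: {}

  # Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the
  # API Version of the WebHook.
  # To block pod creation while webhook is unavailable, set the policy to `Fail` below.
  # `Ignore` fails open: pods created while the webhook cannot be reached are
  # admitted without the agent sidecar, so workloads that rely on injected
  # secrets may start without them.
  # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy
  #
  failurePolicy: Ignore

  # Extra annotations to attach to the webhook
  webhookAnnotations: {}

  certs:
    # secretName is the name of the secret that has the TLS certificate and
    # private key to serve the injector webhook. If this is null, then the
    # injector will default to its automatic management mode that will assign
    # a service account to the injector to generate its own certificates.
    secretName: null

    # caBundle is a base64-encoded PEM-encoded certificate bundle for the CA
    # that signed the TLS certificate that the webhook serves. This must be set
    # if secretName is non-null, unless an external service like cert-manager is
    # keeping the caBundle updated.
    caBundle: ""

    # certName and keyName are the names of the files within the secret for
    # the TLS cert and private key, respectively. These have reasonable
    # defaults but can be customized if necessary.
    certName: tls.crt
    keyName: tls.key

  resources: {}
  # resources:
  #   requests:
  #     memory: 256Mi
  #     cpu: 250m
  #   limits:
  #     memory: 256Mi
  #     cpu: 250m

  # extraEnvironmentVars is a map of extra environment variables to set in the
  # injector deployment.
  extraEnvironmentVars: {}
    # KUBERNETES_SERVICE_HOST: kubernetes.default.svc

  # Affinity Settings for injector pods
  # This can either be multi-line string or YAML matching the PodSpec's affinity field.
  # Commenting out or setting as empty the affinity variable, will allow
  # deployment of multiple replicas to single node services such as Minikube.
  affinity: |
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchLabels:
              app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
              app.kubernetes.io/instance: "{{ .Release.Name }}"
              component: webhook
          topologyKey: kubernetes.io/hostname

  # Toleration Settings for injector pods
  # This should be either a multi-line string or YAML matching the Toleration array
  # in a PodSpec.
  tolerations: []

  # nodeSelector labels for injector pod assignment, formatted as a multi-line string or YAML map.
  # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
  # Example:
  # nodeSelector:
  #   beta.kubernetes.io/arch: amd64
  nodeSelector: {}

  # Priority class for injector pods
  priorityClassName: ""

  # Extra annotations to attach to the injector pods
  # This can either be YAML or a YAML-formatted multi-line templated string map
  # of the annotations to apply to the injector pods
  annotations: {}

  # Extra labels to attach to the agent-injector
  # This should be a YAML map of the labels to apply to the injector
  extraLabels: {}

  # Should the injector pods run on the host network (useful when using
  # an alternate CNI in EKS)
  hostNetwork: false

  # Injector service specific config
  service:
    # Extra annotations to attach to the injector service
    annotations: {}
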
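server:
  # If not set to true, Vault server will not be installed. See vault.mode in _helpers.tpl for implementation details
  enabled: true

  # [Enterprise Only] This value refers to a Kubernetes secret that you have
  # created that contains your enterprise license. If you are not using an
  # enterprise image or if you plan to introduce the license key via another
  # route, then leave secretName blank ("") or set it to null.
  # Requires Vault Enterprise 1.8 or later.
  enterpriseLicense:
    # The name of the Kubernetes secret that holds the enterprise license. The
    # secret must be in the same namespace that Vault is installed into.
    secretName: ""
    # The key within the Kubernetes secret that holds the enterprise license.
    secretKey: "license"

  # image sets the repo and tag of the Vault image used by the server pods.
  image:
    repository: "hashicorp/vault"
    tag: "1.9.0"
    # Overrides the default Image Pull Policy
    pullPolicy: IfNotPresent

  # Configure the Update Strategy Type for the StatefulSet
  # See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
  # With OnDelete, pods are only replaced when they are deleted, so a changed
  # image or config does not roll the StatefulSet by itself.
  updateStrategyType: "OnDelete"

  # Configure the logging verbosity for the Vault server.
  # Supported log levels include: trace, debug, info, warn, error
  logLevel: ""

  # Configure the logging format for the Vault server.
  # Supported log formats include: standard, json
  logFormat: ""

  # Resource requests, limits, etc. for the server cluster placement. This
  # should map directly to the value of the resources field for a PodSpec.
  # By default no direct resource request is made.
  resources: {}
  # resources:
  #   requests:
  #     memory: 256Mi
  #     cpu: 250m
  #   limits:
  #     memory: 256Mi
  #     cpu: 250m

  # Ingress allows ingress services to be created to allow external access
  # from Kubernetes to access Vault pods.
  # If deployment is on OpenShift, the following block is ignored.
  # In order to expose the service, use the route section below
  ingress:
    enabled: false
    labels: {}
      # traffic: external
    annotations: {}
      # Either a multi-line string:
      # |
      #   kubernetes.io/ingress.class: nginx
      #   kubernetes.io/tls-acme: "true"
      # or a YAML map:
      # kubernetes.io/ingress.class: nginx
      # kubernetes.io/tls-acme: "true"

    # Optionally use ingressClassName instead of deprecated annotation.
    # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#deprecated-annotation
    ingressClassName: ""

    # As of Kubernetes 1.19, all Ingress Paths must have a pathType configured. The default value below should be sufficient in most cases.
    # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types for other possible values.
    pathType: Prefix

    # When HA mode is enabled and K8s service registration is being used,
    # configure the ingress to point to the Vault active service.
    activeService: true
    hosts:
      - host: chart-example.local
        paths: []
    ## Extra paths to prepend to the host configuration. This is useful when working with annotation based services.
    extraPaths: []
    # - path: /*
    #   backend:
    #     service:
    #       name: ssl-redirect
    #       port:
    #         number: use-annotation
    # Without a tls entry the ingress typically serves plain HTTP; add one
    # unless TLS is terminated elsewhere in front of it.
    tls: []
    #  - secretName: chart-example-tls
    #    hosts:
    #      - chart-example.local

  # OpenShift only - create a route to expose the service
  # The created route will be of type passthrough
  route:
    enabled: false

    # When HA mode is enabled and K8s service registration is being used,
    # configure the route to point to the Vault active service.
    activeService: true

    labels: {}
    annotations: {}
    host: chart-example.local

  # authDelegator enables a cluster role binding to be attached to the service
  # account. This cluster role binding can be used to setup Kubernetes auth
  # method. https://www.vaultproject.io/docs/auth/kubernetes.html
  # Set to false if the Kubernetes auth method is not used or the binding is
  # managed outside the chart.
  authDelegator:
    enabled: true

  # extraInitContainers is a list of init containers. Specified as a YAML list.
  # This is useful if you need to run a script to provision TLS certificates or
  # write out configuration files in a dynamic way.
  extraInitContainers: null
    # # This example installs a plugin pulled from github into the /usr/local/libexec/vault/oauthapp folder,
    # # which is defined in the volumes value. If you adapt it, pin the release
    # # and verify the downloaded archive before installing it as a plugin.
    # - name: oauthapp
    #   image: "alpine"
    #   command: [sh, -c]
    #   args:
    #     - cd /tmp &&
    #       wget https://github.com/puppetlabs/vault-plugin-secrets-oauthapp/releases/download/v1.2.0/vault-plugin-secrets-oauthapp-v1.2.0-linux-amd64.tar.xz -O oauthapp.xz &&
    #       tar -xf oauthapp.xz &&
    #       mv vault-plugin-secrets-oauthapp-v1.2.0-linux-amd64 /usr/local/libexec/vault/oauthapp &&
    #       chmod +x /usr/local/libexec/vault/oauthapp
    #   volumeMounts:
    #     - name: plugins
    #       mountPath: /usr/local/libexec/vault

  # extraContainers is a list of sidecar containers. Specified as a YAML list.
  extraContainers: null

  # shareProcessNamespace enables process namespace sharing between Vault and the extraContainers
  # This is useful if Vault must be signaled, e.g. to send a SIGHUP for log rotation.
  # Sidecars in the shared namespace can see and signal the Vault process, so
  # only enable this for trusted extraContainers.
  shareProcessNamespace: false

  # extraArgs is a string containing additional Vault server arguments.
  extraArgs: ""

  # Used to define custom readinessProbe settings
  readinessProbe:
    enabled: true
    # If you need to use a http path instead of the default exec
    # path: /v1/sys/health?standbyok=true

    # When a probe fails, Kubernetes will try failureThreshold times before giving up
    failureThreshold: 2
    # Number of seconds after the container has started before probe initiates
    initialDelaySeconds: 5
    # How often (in seconds) to perform the probe
    periodSeconds: 5
    # Minimum consecutive successes for the probe to be considered successful after having failed
    successThreshold: 1
    # Number of seconds after which the probe times out.
    timeoutSeconds: 3
  # Used to enable a livenessProbe for the pods
  livenessProbe:
    enabled: false
    path: "/v1/sys/health?standbyok=true"
    # When a probe fails, Kubernetes will try failureThreshold times before giving up
    failureThreshold: 2
    # Number of seconds after the container has started before probe initiates
    initialDelaySeconds: 60
    # How often (in seconds) to perform the probe
    periodSeconds: 5
    # Minimum consecutive successes for the probe to be considered successful after having failed
    successThreshold: 1
    # Number of seconds after which the probe times out.
    timeoutSeconds: 3

  # Used to set the sleep time during the preStop step
  preStopSleepSeconds: 5

  # Used to define commands to run after the pod is ready.
  # This can be used to automate processes such as initialization
  # or bootstrapping auth methods.
  postStart: []
  # - /bin/sh
  # - -c
  # - /vault/userconfig/myscript/run.sh

  # extraEnvironmentVars is a map of extra environment variables to set with the stateful set. These could be
  # used to include variables required for auto-unseal.
  # Keep credentials out of this map and use extraSecretEnvironmentVars (below) instead.
  extraEnvironmentVars: {}
    # GOOGLE_REGION: global
    # GOOGLE_PROJECT: myproject
    # GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/myproject/myproject-creds.json

  # extraSecretEnvironmentVars is a list of extra environment variables to set with the stateful set.
  # These variables take value from existing Secret objects.
  extraSecretEnvironmentVars: []
    # - envName: AWS_SECRET_ACCESS_KEY
    #   secretName: vault
    #   secretKey: AWS_SECRET_ACCESS_KEY

  # Deprecated: please use 'volumes' instead.
  # extraVolumes is a list of extra volumes to mount. These will be exposed
  # to Vault in the path `/vault/userconfig/<name>/`. The value below is
  # an array of objects, examples are shown below.
  extraVolumes: []
    # - type: secret (or "configMap")
    #   name: my-secret
    #   path: null # default is `/vault/userconfig`

  # volumes is a list of volumes made available to all containers. These are rendered
  # via toYaml rather than pre-processed like the extraVolumes value.
  # The purpose is to make it easy to share volumes between containers.
  volumes: null
  #   - name: plugins
  #     emptyDir: {}

  # volumeMounts is a list of volumeMounts for the main server container. These are rendered
  # via toYaml rather than pre-processed like the extraVolumes value.
  # The purpose is to make it easy to share volumes between containers.
  volumeMounts: null
  #   - mountPath: /usr/local/libexec/vault
  #     name: plugins
  #     readOnly: true

  # Affinity Settings
  # Commenting out or setting as empty the affinity variable, will allow
  # deployment to single node services such as Minikube
  # This should be either a multi-line string or YAML matching the PodSpec's affinity field.
  affinity: |
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchLabels:
              app.kubernetes.io/name: {{ template "vault.name" . }}
              app.kubernetes.io/instance: "{{ .Release.Name }}"
              component: server
          topologyKey: kubernetes.io/hostname

  # Toleration Settings for server pods
  # This should be either a multi-line string or YAML matching the Toleration array
  # in a PodSpec.
  tolerations: []

  # nodeSelector labels for server pod assignment, formatted as a multi-line string or YAML map.
  # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
  # Example:
  # nodeSelector:
  #   beta.kubernetes.io/arch: amd64
  nodeSelector: {}

  # Enables network policy for server pods. With enabled: false no
  # NetworkPolicy is created for them.
  networkPolicy:
    enabled: false
    egress: []
    # egress:
    # - to:
    #   - ipBlock:
    #       cidr: 10.0.0.0/24
    #   ports:
    #   - protocol: TCP
    #     port: 443

  # Priority class for server pods
  priorityClassName: ""

  # Extra labels to attach to the server pods
  # This should be a YAML map of the labels to apply to the server pods
  extraLabels: {}

  # Extra annotations to attach to the server pods
  # This can either be YAML or a YAML-formatted multi-line templated string map
  # of the annotations to apply to the server pods
  annotations: {}

  # Enables a headless service to be used by the Vault Statefulset
  service:
    enabled: true
    # clusterIP controls whether a Cluster IP address is attached to the
    # Vault service within Kubernetes. By default the Vault service will
    # be given a Cluster IP address, set to None to disable. When disabled
    # Kubernetes will create a "headless" service. Headless services can be
    # used to communicate with pods directly through DNS instead of a round robin
    # load balancer.
    # clusterIP: None

    # Configures the service type for the main Vault service. Can be ClusterIP
    # or NodePort.
    #type: ClusterIP

    # The externalTrafficPolicy can be set to either Cluster or Local
    # and is only valid for LoadBalancer and NodePort service types.
    # The default value is Cluster.
    # ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-traffic-policy
    externalTrafficPolicy: Cluster

    # If type is set to "NodePort", a specific nodePort value can be configured,
    # will be random if left blank.
    #nodePort: 30000

    # Port on which Vault server is listening
    port: 8200
    # Target port to which the service should be mapped to
    targetPort: 8200
    # Extra annotations for the service definition. This can either be YAML or a
    # YAML-formatted multi-line templated string map of the annotations to apply
    # to the service.
    annotations: {}

  # This configures the Vault Statefulset to create a PVC for data
  # storage when using the file or raft backend storage engines.
  # See https://www.vaultproject.io/docs/configuration/storage/index.html to know more
  dataStorage:
    enabled: true
    # Size of the PVC created
    size: 10Gi
    # Location where the PVC will be mounted.
    mountPath: "/vault/data"
    # Name of the storage class to use. If null it will use the
    # configured default Storage Class.
    storageClass: null
    # Access Mode of the storage device being used for the PVC
    accessMode: ReadWriteOnce
    # Annotations to apply to the PVC
    annotations: {}

  # This configures the Vault Statefulset to create a PVC for audit
  # logs. Once Vault is deployed, initialized and unsealed, Vault must
  # be configured to use this for audit logs. This will be mounted to
  # /vault/audit
  # See https://www.vaultproject.io/docs/audit/index.html to know more
  # With enabled: false no audit volume is provisioned; enabling an audit
  # device in Vault is a separate step either way.
  auditStorage:
    enabled: false
    # Size of the PVC created
    size: 10Gi
    # Location where the PVC will be mounted.
    mountPath: "/vault/audit"
    # Name of the storage class to use. If null it will use the
    # configured default Storage Class.
    storageClass: null
    # Access Mode of the storage device being used for the PVC
    accessMode: ReadWriteOnce
    # Annotations to apply to the PVC
    annotations: {}

  # Run Vault in "dev" mode. This requires no further setup, no state management,
  # and no initialization. This is useful for experimenting with Vault without
  # needing to unseal, store keys, et al. All data is lost on restart - do not
  # use dev mode for anything other than experimenting.
  # See https://www.vaultproject.io/docs/concepts/dev-server.html to know more
  dev:
    enabled: false

    # Set VAULT_DEV_ROOT_TOKEN_ID value. This is a fixed, well-known root token
    # and only applies to dev mode, which is for experimenting only.
    devRootToken: "root"

  # Run Vault in "standalone" mode. This is the default mode that will deploy if
  # no arguments are given to helm. This requires a PVC for data storage to use
  # the "file" backend. This mode is not highly available and should not be scaled
  # past a single replica.
  standalone:
    enabled: "-"

    # config is a raw string of default configuration when using a Stateful
    # deployment. Default is to use a PersistentVolumeClaim mounted at /vault/data
    # and store data there. This is only used when using a Replica count of 1, and
    # using a stateful set. This should be HCL.

    # Note: Configuration files are stored in ConfigMaps so sensitive data
    # such as passwords should be either mounted through extraSecretEnvironmentVars
    # or through a Kube secret. For more information see:
    # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
    config: |
      ui = true

      listener "tcp" {
        tls_disable = 1
        address = "[::]:8200"
        cluster_address = "[::]:8201"
      }
      storage "file" {
        path = "/vault/data"
      }

      # Example configuration for using auto-unseal, using Google Cloud KMS. The
      # GKMS keys must already exist, and the cluster must have a service account
      # that is authorized to access GCP KMS.
      #seal "gcpckms" {
      #   project     = "vault-helm-dev"
      #   region      = "global"
      #   key_ring    = "vault-helm-unseal-kr"
      #   crypto_key  = "vault-helm-unseal-key"
      #}
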
2019-08-22 15:05:31 +00:00
|
|
|
# Run Vault in "HA" mode. There are no storage requirements unless audit log
# persistence is required. In HA mode Vault will configure itself to use Consul
# for its storage backend. The default configuration provided will work with the
# Consul Helm project by default. It is possible to manually configure Vault to
# use a different HA backend.
ha:
  enabled: false
  replicas: 3

  # Set the api_addr configuration for Vault HA
  # See https://www.vaultproject.io/docs/configuration#api_addr
  # If set to null, this will be set to the Pod IP Address
  apiAddr: null

  # Enables Vault's integrated Raft storage. Unlike the typical HA modes where
  # Vault's persistence is external (such as Consul), enabling Raft mode will create
  # persistent volumes for Vault to store data according to the configuration under server.dataStorage.
  # The Vault cluster will coordinate leader elections and failovers internally.
  raft:
    # Enables Raft integrated storage
    enabled: false
    # Set the Node Raft ID to the name of the pod
    setNodeId: false

    # Note: Configuration files are stored in ConfigMaps so sensitive data
    # such as passwords should be either mounted through extraSecretEnvironmentVars
    # or through a Kube secret. For more information see:
    # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
    #
    # Security note: tls_disable = 1 serves the API on 8200 over plaintext HTTP.
    # Outside a lab, set tls_disable = 0 with tls_cert_file / tls_key_file and
    # keep global.tlsDisable consistent with the listener.
    config: |
      ui = true

      listener "tcp" {
        tls_disable = 1
        address = "[::]:8200"
        cluster_address = "[::]:8201"
      }

      storage "raft" {
        path = "/vault/data"
      }

      service_registration "kubernetes" {}

  # config is a raw string of default configuration when using a Stateful
  # deployment. Default is to use a Consul for its HA storage backend.
  # This should be HCL.
  #
  # Note: Configuration files are stored in ConfigMaps so sensitive data
  # such as passwords should be either mounted through extraSecretEnvironmentVars
  # or through a Kube secret. For more information see:
  # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
  #
  # HOST_IP in the consul address is a placeholder that is presumably replaced
  # with the node IP when the pod starts -- confirm in the server statefulset
  # template. The Consul connection itself is plain HTTP on 8500 unless the
  # consul stanza is given a scheme/tls settings.
  #
  # Security note: as in the other modes, tls_disable = 1 serves the API in
  # plaintext; set tls_disable = 0 with tls_cert_file / tls_key_file and keep
  # global.tlsDisable consistent for production.
  config: |
    ui = true

    listener "tcp" {
      tls_disable = 1
      address = "[::]:8200"
      cluster_address = "[::]:8201"
    }
    storage "consul" {
      path = "vault"
      address = "HOST_IP:8500"
    }

    service_registration "kubernetes" {}

    # Example configuration for using auto-unseal, using Google Cloud KMS. The
    # GKMS keys must already exist, and the cluster must have a service account
    # that is authorized to access GCP KMS.
    #seal "gcpckms" {
    # project = "vault-helm-dev-246514"
    # region = "global"
    # key_ring = "vault-helm-unseal-kr"
    # crypto_key = "vault-helm-unseal-key"
    #}

  # A disruption budget limits the number of pods of a replicated application
  # that are down simultaneously from voluntary disruptions
  disruptionBudget:
    enabled: true

    # maxUnavailable will default to (n/2)-1 where n is the number of
    # replicas. If you'd like a custom value, you can specify an override here.
    maxUnavailable: null
# Definition of the serviceAccount used to run Vault.
# These options are also used when using an external Vault server to validate
# Kubernetes tokens.
serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""
  # Extra annotations for the serviceAccount definition. This can either be
  # YAML or a YAML-formatted multi-line templated string map of the
  # annotations to apply to the serviceAccount.
  # This account is a trust boundary: whatever RBAC it is granted, the Vault
  # pods can exercise, so review any extra bindings attached to it.
  annotations: {}
# Settings for the statefulSet used to run Vault.
statefulSet:
  # Extra annotations for the statefulSet. This can either be YAML or a
  # YAML-formatted multi-line templated string map of the annotations to apply
  # to the statefulSet.
  annotations: {}
# Vault UI
ui:
  # True if you want to create a Service entry for the Vault UI.
  #
  # serviceType can be used to control the type of service created. For
  # example, setting this to "LoadBalancer" will create an external load
  # balancer (for supported K8S installations) to access the UI.
  #
  # Note that the Service targets port 8200, the same port the tcp listener
  # in the server configs binds, so it exposes the full Vault HTTP API and not
  # only the UI assets.
  enabled: false
  # Publish pod addresses in the Service endpoints even before the pods report
  # ready (Kubernetes Service spec.publishNotReadyAddresses).
  publishNotReadyAddresses: true
  # The service should only contain selectors for active Vault pod
  activeVaultPodOnly: false
  serviceType: "ClusterIP"
  serviceNodePort: null
  externalPort: 8200
  targetPort: 8200

  # The externalTrafficPolicy can be set to either Cluster or Local
  # and is only valid for LoadBalancer and NodePort service types.
  # The default value is Cluster.
  # ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-traffic-policy
  externalTrafficPolicy: Cluster

  # Restricts which client CIDRs a LoadBalancer service accepts; enforced by
  # the cloud provider, not by Vault. Worth setting whenever serviceType is
  # LoadBalancer, and especially while the listener still has tls_disable = 1.
  #loadBalancerSourceRanges:
  #   - 10.0.0.0/16
  #   - 1.78.23.3/32

  # loadBalancerIP:

  # Extra annotations to attach to the ui service
  # This can either be YAML or a YAML-formatted multi-line templated string map
  # of the annotations to apply to the ui service
  annotations: {}
# secrets-store-csi-driver-provider-vault
csi:
  # True if you want to install a secrets-store-csi-driver-provider-vault daemonset.
  #
  # Requires installing the secrets-store-csi-driver separately, see:
  # https://github.com/kubernetes-sigs/secrets-store-csi-driver#install-the-secrets-store-csi-driver
  #
  # With the driver and provider installed, you can mount Vault secrets into volumes
  # similar to the Vault Agent injector, and you can also sync those secrets into
  # Kubernetes secrets.
  #
  # Syncing into Kubernetes Secrets widens the exposure of those values to
  # anything with RBAC read access on Secrets in the namespace; prefer volume
  # mounts unless a sync is genuinely needed.
  enabled: false

  image:
    repository: "hashicorp/vault-csi-provider"
    tag: "0.3.0"
    pullPolicy: IfNotPresent

  # volumes is a list of volumes made available to all containers. These are rendered
  # via toYaml rather than pre-processed like the extraVolumes value.
  # The purpose is to make it easy to share volumes between containers.
  volumes: null
  # - name: tls
  #   secret:
  #     secretName: vault-tls

  # volumeMounts is a list of volumeMounts for the main server container. These are rendered
  # via toYaml rather than pre-processed like the extraVolumes value.
  # The purpose is to make it easy to share volumes between containers.
  volumeMounts: null
  # - name: tls
  #   mountPath: "/vault/tls"
  #   readOnly: true

  resources: {}
  # resources:
  #   requests:
  #     cpu: 50m
  #     memory: 128Mi
  #   limits:
  #     cpu: 50m
  #     memory: 128Mi

  # Settings for the daemonSet used to run the provider.
  daemonSet:
    updateStrategy:
      type: RollingUpdate
      # Empty string leaves the DaemonSet default in place.
      maxUnavailable: ""
    # Extra annotations for the daemonSet. This can either be YAML or a
    # YAML-formatted multi-line templated string map of the annotations to apply
    # to the daemonSet.
    annotations: {}
    # Provider host path (must match the CSI provider's path)
    # Both paths below are mounted from the node, so the provider pods need
    # hostPath access; any pod security policy (global.psp) or admission
    # policy in the cluster must permit it for this daemonset.
    providersDir: "/etc/kubernetes/secrets-store-csi-providers"
    # Kubelet host path
    kubeletRootDir: "/var/lib/kubelet"

  pod:
    # Extra annotations for the provider pods. This can either be YAML or a
    # YAML-formatted multi-line templated string map of the annotations to apply
    # to the pod.
    annotations: {}

    # Toleration Settings for provider pods
    # This should be either a multi-line string or YAML matching the Toleration array
    # in a PodSpec.
    tolerations: []

  serviceAccount:
    # Extra annotations for the serviceAccount definition. This can either be
    # YAML or a YAML-formatted multi-line templated string map of the
    # annotations to apply to the serviceAccount.
    annotations: {}

  # Used to configure readinessProbe for the pods.
  readinessProbe:
    # When a probe fails, Kubernetes will try failureThreshold times before giving up
    failureThreshold: 2
    # Number of seconds after the container has started before probe initiates
    initialDelaySeconds: 5
    # How often (in seconds) to perform the probe
    periodSeconds: 5
    # Minimum consecutive successes for the probe to be considered successful after having failed
    successThreshold: 1
    # Number of seconds after which the probe times out.
    timeoutSeconds: 3
  # Used to configure livenessProbe for the pods.
  livenessProbe:
    # When a probe fails, Kubernetes will try failureThreshold times before giving up
    failureThreshold: 2
    # Number of seconds after the container has started before probe initiates
    initialDelaySeconds: 5
    # How often (in seconds) to perform the probe
    periodSeconds: 5
    # Minimum consecutive successes for the probe to be considered successful after having failed
    successThreshold: 1
    # Number of seconds after which the probe times out.
    timeoutSeconds: 3

  # Enables debug logging.
  # Debug output is more verbose about secret requests; keep it off outside
  # troubleshooting and review what ends up in pod logs when it is on.
  debug: false

  # Pass arbitrary additional arguments to vault-csi-provider.
  extraArgs: []