
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# Available parameters and their default values for the Vault chart.
# These global values affect multiple components of the chart.
global:
  # The global enabled/disabled configuration. If this is true, most components
  # will be installed by default. If this is false, no components will be
  # installed by default and manually opting-in is required, such as by setting
  # `server.enabled` to true.
  enabled: true
  # References secrets to be used when pulling images from private registries.
  # See [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/)
  # for more details. May be specified as an array of name map entries or just
  # as an array of names:
  #
  # ```yaml
  # imagePullSecrets:
  #   - name: image-pull-secret
  # # or
  # imagePullSecrets:
  #   - image-pull-secret
  # ```
  imagePullSecrets: []
  # When set to `true`, changes URLs from `https` to `http` (such as the
  # `VAULT_ADDR=http://127.0.0.1:8200` environment variable set on the
  # Vault pods).
  #
  # NOTE(review): with the default of `true` the chart's own components
  # (injector, CSI provider, in-pod helpers) address the server over plaintext
  # HTTP. For anything other than a throwaway test cluster set this to `false`
  # and provide a TLS listener in the server configuration, otherwise tokens
  # and secrets cross the cluster network unencrypted.
  tlsDisable: true
  # External vault server address for the injector and CSI provider to use.
  # Setting this will disable deployment of a vault server. A service account
  # with token review permissions is automatically created if
  # `server.serviceAccount.create=true` is set for the external Vault server
  # to use.
  externalVaultAddr: ""
  # If `true`, enables configuration specific to OpenShift such as NetworkPolicy,
  # SecurityContext, and Route.
  openshift: false
  # Values that configure Pod Security Policy.
  #
  # NOTE(review): PodSecurityPolicy was removed from Kubernetes in 1.25, and the
  # seccomp/apparmor annotation keys below are the pre-GA `alpha`/`beta` forms.
  # On current clusters these values have no effect; use Pod Security Admission
  # (or an external admission controller) to enforce the same constraints.
  psp:
    # When set to `true`, enables Pod Security Policies for Vault and Vault Agent Injector.
    enable: false
    # This value defines additional annotations to add to the Pod Security
    # Policies. This can either be YAML or a YAML-formatted multi-line templated
    # string.
    #
    # ```yaml
    # annotations:
    #   seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default
    #   apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
    #   seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
    #   apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
    # # or
    # annotations: |
    #   seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default
    #   apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
    #   seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
    #   apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
    # ```
    annotations: |
      seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default
      apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
      seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
      apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
  # Values that configure metrics and telemetry.
  serverTelemetry:
    # When set to `true`, enables integration with the Prometheus Operator. Be
    # sure to configure the top-level [`serverTelemetry`](https://developer.hashicorp.com/vault/docs/platform/k8s/helm/configuration#servertelemetry-1)
    # section for more details and required configuration values.
    prometheusOperator: false
# Values that configure running a Vault Agent Injector Admission Webhook
# Controller within Kubernetes.
injector:
  # When set to `true`, the Vault Agent Injector Admission Webhook controller
  # will be created. When set to `"-"`, defaults to the value of `global.enabled`.
  # @type: boolean or string
  enabled: "-"
  # Deprecated: Please use [global.externalVaultAddr](https://developer.hashicorp.com/vault/docs/platform/k8s/helm/configuration#externalvaultaddr)
  # instead.
  externalVaultAddr: ""
  # The number of pods to deploy to create a highly available cluster of Vault
  # Agent Injectors. Requires Vault K8s 0.7.0 to have more than 1 replica.
  replicas: 1
  # Values that configure the Vault Agent Injector leader election for HA
  # deployments.
  leaderElector:
    # When set to `true`, enables leader election for Vault Agent Injector. This
    # is required when using auto-tls and more than 1 replica.
    enabled: true
  # Values that configure the Vault Agent Injector Docker image.
  image:
    # The name of the Docker image for Vault Agent Injector.
    repository: "hashicorp/vault-k8s"
    # The tag of the Docker image for the Vault Agent Injector. **This should
    # be pinned to a specific version when running in production.** Otherwise,
    # other changes to the chart may inadvertently upgrade your admission controller.
    tag: "1.2.1"
    # The pull policy for container images. The default pull policy is `IfNotPresent`
    # which causes the Kubelet to skip pulling an image if it already exists.
    pullPolicy: IfNotPresent
  # Values that configure the Vault Agent sidecar image.
  agentImage:
    # The name of the Docker image for the Vault Agent sidecar. This should be
    # set to the official Vault Docker image.
    repository: "hashicorp/vault"
    # The tag of the Vault Docker image to use for the Vault Agent Sidecar.
    # **Vault 1.3.1+ is required by the admission controller**.
    tag: "1.13.1"
  # Values that configure the injected Vault Agent containers default values.
  # For more information on configuring resources, see the Kubernetes documentation:
  # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
  agentDefaults:
    # The default CPU limit for injected Vault Agent containers.
    cpuLimit: "500m"
    # The default CPU request for injected Vault Agent containers.
    cpuRequest: "250m"
    # The default memory limit for injected Vault Agent containers.
    memLimit: "128Mi"
    # The default memory request for injected Vault Agent containers.
    memRequest: "64Mi"
    # The default template type for rendered secrets if no custom templates are
    # defined. Possible values include `map` and `json`.
    template: "map"
    # Default values within Agent's [`template_config` stanza](https://developer.hashicorp.com/vault/docs/agent/template).
    templateConfig:
      # Controls whether Vault Agent exits after it has exhausted its number of
      # template retry attempts due to failures.
      exitOnRetryFailure: true
      # Configures how often Vault Agent Template should render non-leased secrets
      # such as KV v2. See the [Vault Agent Templates documentation](/docs/agent/template#non-renewable-secrets)
      # for more details.
      staticSecretRenderInterval: ""
  # Values that configure the Vault Agent Injector metric exporter.
  metrics:
    # When set to `true`, the Vault Agent Injector exports Prometheus metrics at
    # the `/metrics` path.
    enabled: false
  # Mount path of the Vault Kubernetes Auth Method.
  authPath: "auth/kubernetes"
  # Configures the log verbosity of the injector. Supported log levels: trace,
  # debug, error, warn, info.
  logLevel: "info"
  # Configures the log format of the injector. Supported log formats: "standard",
  # "json".
  logFormat: "standard"
  # Configures all Vault Agent sidecars to revoke their token when shutting down.
  #
  # NOTE(review): while this is `false` a sidecar's token stays valid after the
  # pod is gone, until its TTL expires. Setting it to `true` shortens the window
  # in which a token leaked from a terminated pod is still usable.
  revokeOnShutdown: false
  # Security context for the pod template and the injector container.
  securityContext:
    # Defines the securityContext for the injector Pod, as YAML or a YAML-formatted
    # multi-line templated string. Default if not specified:
    #
    # ```yaml
    # runAsNonRoot: true
    # runAsGroup: {{ .Values.injector.gid | default 1000 }}
    # runAsUser: {{ .Values.injector.uid | default 100 }}
    # fsGroup: {{ .Values.injector.gid | default 1000 }}
    # ```
    # @type: dictionary
    # @default: {}
    pod: {}
    # Defines the securityContext for the injector container, as YAML or a
    # YAML-formatted multi-line templated string. Default if not specified:
    #
    # ```yaml
    # allowPrivilegeEscalation: false
    # capabilities:
    #   drop:
    #     - ALL
    # ```
    # @type: dictionary
    # @default: {}
    container: {}
  # The resource requests and limits (CPU, memory, etc.) for each container of
  # the injector. This should be a YAML dictionary of a Kubernetes
  # [ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#resourcerequirements-v1-core)
  # object. If this isn't specified, then the pods won't request any specific
  # amount of resources, which limits the ability for Kubernetes to make
  # efficient use of compute resources.
  #
  # **Setting this is highly recommended.**
  #
  # ```yaml
  # resources:
  #   requests:
  #     memory: '256Mi'
  #     cpu: '250m'
  #   limits:
  #     memory: '256Mi'
  #     cpu: '250m'
  # ```
  # @type: dictionary
  # @default: {}
  resources: {}
  # Values that control the Mutating Webhook Configuration.
  webhook:
    # Configures failurePolicy of the webhook. To block pod creation while the
    # webhook is unavailable, set the policy to `"Fail"`. See
    # [Failure Policy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy).
    #
    # NOTE(review): `Ignore` is fail-open. If the injector is down or times out
    # (see `timeoutSeconds`), pods are admitted without the sidecar and start
    # without their secrets, which can surface as silent misconfiguration rather
    # than a visible failure. Use `"Fail"` where injection is security-relevant,
    # and keep `replicas` > 1 so the webhook itself is not a single point of failure.
    failurePolicy: Ignore
    # Specifies the approach to accepting changes based on the rules of the
    # MutatingWebhookConfiguration. See
    # [Match Policy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy).
    matchPolicy: Exact
    # Specifies the number of seconds before the webhook request will be ignored
    # or fails. If it is ignored or fails depends on the `failurePolicy`. See
    # [timeouts](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#timeouts).
    timeoutSeconds: 30
    # The selector used by the admission webhook controller to limit what
    # namespaces where injection can happen. If unset, all non-system namespaces
    # are eligible for injection. See
    # [Matching requests: namespace selector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector).
    #
    # ```yaml
    # namespaceSelector:
    #   matchLabels:
    #     sidecar-injector: enabled
    # ```
    # @type: object
    # @default: {}
    namespaceSelector: {}
    # The selector used by the admission webhook controller to limit what objects
    # can be affected by mutation. See
    # [Matching requests: object selector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector).
    #
    # ```yaml
    # objectSelector:
    #   matchLabels:
    #     sidecar-injector: enabled
    # ```
    # @type: object
    # @default: {}
    objectSelector: |
      matchExpressions:
      - key: app.kubernetes.io/name
        operator: NotIn
        values:
        - {{ template "vault.name" . }}-agent-injector
    # Defines additional annotations to attach to the webhook. This can either be
    # YAML or a YAML-formatted multi-line templated string.
    # @type: string or object
    # @default: {}
    annotations: {}
  # Deprecated: please use
  # [`webhook.namespaceSelector`](https://developer.hashicorp.com/vault/docs/platform/k8s/helm/configuration#namespaceselector) instead.
  # @type: dictionary
  # @default: {}
  namespaceSelector: {}
  # Deprecated: please use
  # [`webhook.objectSelector`](https://developer.hashicorp.com/vault/docs/platform/k8s/helm/configuration#objectselector) instead.
  # @type: dictionary
  # @default: {}
  objectSelector: {}
  # This value defines additional labels for Vault Agent Injector pods.
  #
  # ```yaml
  # extraLabels:
  #   'sample/label1': 'foo'
  #   'sample/label2': 'bar'
  # ```
  # @type: dictionary
  # @default: {}
  extraLabels: {}
  # The certs section configures how the webhook TLS certs are configured. These
  # are the TLS certs for the Kube apiserver communicating to the webhook. By
  # default, the injector will generate and manage its own certs, but this
  # requires the ability for the injector to update its own
  # `MutatingWebhookConfiguration`. In a production environment, custom certs
  # should probably be used. Configure the values below to enable this.
  certs:
    # secretName is the name of the Kubernetes secret that has the TLS certificate
    # and private key to serve the injector webhook. If this is null, then the
    # injector will default to its automatic management mode.
    secretName: null
    # The PEM-encoded CA public certificate bundle for the TLS certificate served
    # by the injector. This must be specified as a string and can't come from a
    # secret because it must be statically configured on the Kubernetes
    # `MutatingAdmissionWebhook` resource. This only needs to be specified if
    # `secretName` is not null.
    caBundle: ""
    # The name of the certificate file within the `secretName` secret.
    certName: tls.crt
    # The name of the key file within the `secretName` secret.
    keyName: tls.key
  # Extra environment variables to set in the injector deployment.
  #
  # ```yaml
  # # Example setting injector TLS options in a deployment:
  # extraEnvironmentVars:
  #   AGENT_INJECT_TLS_MIN_VERSION: tls13
  #   AGENT_INJECT_TLS_CIPHER_SUITES: ...
  # ```
  # @type: dictionary
  # @default: {}
  extraEnvironmentVars: {}
  # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
  # for Vault Agent Injector pods. This can either be multi-line string or YAML
  # matching the PodSpec's affinity field. It defaults to allowing only a single
  # pod on each node, which minimizes risk of the cluster becoming unusable if
  # a node is lost. If you need to run more pods per node (for example, testing
  # on Minikube), set this value to `null`.
  #
  # ```yaml
  # # Recommended default server affinity:
  # affinity: |
  #   podAntiAffinity:
  #     requiredDuringSchedulingIgnoredDuringExecution:
  #       - labelSelector:
  #           matchLabels:
  #             app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
  #             app.kubernetes.io/instance: "{{ .Release.Name }}"
  #             component: webhook
  #         topologyKey: kubernetes.io/hostname
  # ```
  # @type: string or dictionary
  affinity: |
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchLabels:
              app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
              app.kubernetes.io/instance: "{{ .Release.Name }}"
              component: webhook
          topologyKey: kubernetes.io/hostname
  # [Topology settings](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/)
  # for injector pods. This can either be YAML or a YAML-formatted multi-line
  # templated string.
  topologySpreadConstraints: []
  # Toleration Settings for injector pods. This should be either a multi-line
  # string or YAML matching the Toleration array.
  tolerations: []
  # The nodeSelector labels for injector pod assignment, formatted as a multi-line
  # string or YAML map. See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
  #
  # ```yaml
  # nodeSelector:
  #   beta.kubernetes.io/arch: amd64
  # ```
  # @type: dictionary
  # @default: {}
  nodeSelector: {}
  # Priority class for injector pods.
  priorityClassName: ""
  # This value defines additional annotations for injector pods. This can either
  # be YAML or a YAML-formatted multi-line templated string.
  #
  # ```yaml
  # annotations:
  #   "sample/annotation1": "foo"
  #   "sample/annotation2": "bar"
  # # or
  # annotations: |
  #   "sample/annotation1": "foo"
  #   "sample/annotation2": "bar"
  # ```
  # @type: dictionary
  # @default: {}
  annotations: {}
  # Deprecated: please use [`webhook.failurePolicy`](https://developer.hashicorp.com/vault/docs/platform/k8s/helm/configuration#failurepolicy) instead.
  failurePolicy: Ignore
  # Deprecated: please use [`webhook.annotations`](https://developer.hashicorp.com/vault/docs/platform/k8s/helm/configuration#annotations-1) instead.
  # @type: dictionary
  # @default: {}
  webhookAnnotations: {}
  # The service section configures the Kubernetes service for the Vault Agent
  # Injector.
  service:
    # This value defines additional annotations to add to the Vault Agent Injector
    # service. This can either be YAML or a YAML-formatted multi-line templated string.
    #
    # ```yaml
    # annotations:
    #   "sample/annotation1": "foo"
    #   "sample/annotation2": "bar"
    # # or
    # annotations: |
    #   "sample/annotation1": "foo"
    #   "sample/annotation2": "bar"
    # ```
    # @type: dictionary
    # @default: {}
    annotations: {}
  # Injector serviceAccount specific config.
  serviceAccount:
    # Extra annotations to attach to the injector serviceAccount. This can either
    # be YAML or a YAML-formatted multi-line templated string.
    # @type: dictionary
    # @default: {}
    annotations: {}
  # When set to true, configures the Vault Agent Injector to run on the host
  # network. This is useful when alternative cluster networking is used.
  #
  # NOTE(review): on the host network the webhook listener (`port` below) is
  # bound on the node's own interfaces rather than inside the pod network
  # namespace; keep this `false` unless the CNI genuinely requires it.
  hostNetwork: false
  # Configures the port the Vault Agent Injector listens on.
  port: 8080
  # A disruption budget limits the number of pods of a replicated application
  # that are down simultaneously from voluntary disruptions.
  #
  # ```yaml
  # podDisruptionBudget:
  #   maxUnavailable: 1
  # ```
  # @type: dictionary
  # @default: {}
  podDisruptionBudget: {}
  # Strategy for updating the deployment. This can be a multi-line string or a
  # YAML map.
  #
  # ```yaml
  # strategy:
  #   rollingUpdate:
  #     maxSurge: 25%
  #     maxUnavailable: 25%
  #   type: RollingUpdate
  # # or
  # strategy: |
  #   rollingUpdate:
  #     maxSurge: 25%
  #     maxUnavailable: 25%
  #   type: RollingUpdate
  # ```
  # @type: dictionary
  # @default: {}
  strategy: {}
  # Values that configure the liveness probe for the injector.
  livenessProbe:
    # When set to a value, configures how many probe failures will be tolerated
    # by Kubernetes.
    failureThreshold: 2
    # Sets the initial delay of the liveness probe when the container starts.
    initialDelaySeconds: 5
    # When set to a value, configures how often (in seconds) to perform the probe.
    periodSeconds: 2
    # When set to a value, configures the minimum consecutive successes for the
    # probe to be considered successful after having failed.
    successThreshold: 1
    # When set to a value, configures the number of seconds after which the probe
    # times out.
    timeoutSeconds: 5
  # Values that configure the readiness probe for the injector.
  readinessProbe:
    # When set to a value, configures how many probe failures will be tolerated
    # by Kubernetes.
    failureThreshold: 2
    # Sets the initial delay of the readiness probe when the container starts.
    initialDelaySeconds: 5
    # When set to a value, configures how often (in seconds) to perform the probe.
    periodSeconds: 2
    # When set to a value, configures the minimum consecutive successes for the probe
    # to be considered successful after having failed.
    successThreshold: 1
    # When set to a value, configures the number of seconds after which the probe
    # times out.
    timeoutSeconds: 5
  # Values that configure the startup probe for the injector.
  startupProbe:
    # When set to a value, configures how many probe failures will be tolerated
    # by Kubernetes.
    failureThreshold: 12
    # Sets the initial delay of the startup probe when the container starts.
    initialDelaySeconds: 5
    # When set to a value, configures how often (in seconds) to perform the probe.
    periodSeconds: 5
    # When set to a value, configures the minimum consecutive successes for the probe
    # to be considered successful after having failed.
    successThreshold: 1
    # When set to a value, configures the number of seconds after which the probe
    # times out.
    timeoutSeconds: 5
server:
# If true, or "-" with global.enabled true, Vault server will be installed.
  # See vault.mode in _helpers.tpl for implementation details.
  enabled: "-"
  # [Enterprise Only] This value refers to a Kubernetes secret that you have
  # created that contains your enterprise license. If you are not using an
  # enterprise image or if you plan to introduce the license key via another
  # route, then leave secretName blank ("") or set it to null.
  # Requires Vault Enterprise 1.8 or later.
  enterpriseLicense:
    # The name of the Kubernetes secret that holds the enterprise license. The
    # secret must be in the same namespace that Vault is installed into.
    secretName: ""
    # The key within the Kubernetes secret that holds the enterprise license.
    secretKey: "license"
# Values that configure the Vault server container image.
  image:
    repository: "hashicorp/vault"
    # A specific release tag rather than `latest`; keep it pinned so that a
    # chart upgrade cannot silently move the server to a different version.
    tag: "1.13.1"
    # Overrides the default Image Pull Policy
    pullPolicy: IfNotPresent
  # Configure the Update Strategy Type for the StatefulSet
  # See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
  updateStrategyType: "OnDelete"
  # Configure the logging verbosity for the Vault server.
  # Supported log levels include: trace, debug, info, warn, error
  logLevel: ""
  # Configure the logging format for the Vault server.
  # Supported log formats include: standard, json
  logFormat: ""
  # Resource requests, limits, etc. for the server cluster placement. This
  # should map directly to the value of the resources field for a PodSpec.
  # By default no direct resource request is made.
  resources: {}
  # resources:
  #   requests:
  #     memory: 256Mi
  #     cpu: 250m
  #   limits:
  #     memory: 256Mi
  #     cpu: 250m
# Ingress allows ingress services to be created to allow external access
  # from Kubernetes to access Vault pods.
  # If deployment is on OpenShift, the following block is ignored.
  # In order to expose the service, use the route section below
  #
  # NOTE(review): when enabling this, also populate `tls` (or terminate TLS at
  # the ingress controller by other means); with the `tls: []` default the
  # Vault API is reachable from outside the cluster over plaintext HTTP, and
  # `chart-example.local` is a placeholder host that must be replaced.
  ingress:
    enabled: false
    labels: {}
      # traffic: external
    annotations: {}
      # |
      # kubernetes.io/ingress.class: nginx
      # kubernetes.io/tls-acme: "true"
      #   or
      # kubernetes.io/ingress.class: nginx
      # kubernetes.io/tls-acme: "true"
    # Optionally use ingressClassName instead of deprecated annotation.
    # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#deprecated-annotation
    ingressClassName: ""
    # As of Kubernetes 1.19, all Ingress Paths must have a pathType configured. The default value below should be sufficient in most cases.
    # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types for other possible values.
    pathType: Prefix
    # When HA mode is enabled and K8s service registration is being used,
    # configure the ingress to point to the Vault active service.
    activeService: true
    hosts:
      - host: chart-example.local
        paths: []
    ## Extra paths to prepend to the host configuration. This is useful when working with annotation based services.
    extraPaths: []
    # - path: /*
    #   backend:
    #     service:
    #       name: ssl-redirect
    #       port:
    #         number: use-annotation
    tls: []
    #  - secretName: chart-example-tls
    #    hosts:
    #      - chart-example.local
# OpenShift only - create a route to expose the service.
  # By default the created route will be of type passthrough, i.e. TLS is
  # terminated by Vault itself rather than by the router, so the server must
  # be serving TLS for the route to work. `chart-example.local` is a
  # placeholder host.
  route:
    enabled: false
    # When HA mode is enabled and K8s service registration is being used,
    # configure the route to point to the Vault active service.
    activeService: true
    labels: {}
    annotations: {}
    host: chart-example.local
    # tls will be passed directly to the route's TLS config, which
    # can be used to configure other termination methods that terminate
    # TLS at the router
    tls:
      termination: passthrough
# authDelegator enables a cluster role binding to be attached to the service account.
  # This cluster role binding can be used to setup Kubernetes auth
  # method. https://www.vaultproject.io/docs/auth/kubernetes.html
  #
  # NOTE(review): this is cluster-scoped RBAC granted to the server's service
  # account (token review for the Kubernetes auth method). It is on by default;
  # if the Kubernetes auth method is not used, set `enabled: false` so the
  # service account carries no more permission than it needs.
  authDelegator:
    enabled: true
# extraInitContainers is a list of init containers. Specified as a YAML list.
  # This is useful if you need to run a script to provision TLS certificates or
  # write out configuration files in a dynamic way.
  #
  # NOTE(review): the example below fetches a plugin binary over the network at
  # pod start and installs it without verifying a checksum or signature. Anything
  # installed this way runs inside the Vault process's plugin directory, so for
  # real deployments bake the plugin into an image (or verify the archive's
  # digest) instead of downloading it on every restart.
  extraInitContainers: null
    # # This example installs a plugin pulled from github into the /usr/local/libexec/vault/oauthapp folder,
    # # which is defined in the volumes value.
    # - name: oauthapp
    #   image: "alpine"
    #   command: [sh, -c]
    #   args:
    #     - cd /tmp &&
    #       wget https://github.com/puppetlabs/vault-plugin-secrets-oauthapp/releases/download/v1.2.0/vault-plugin-secrets-oauthapp-v1.2.0-linux-amd64.tar.xz -O oauthapp.xz &&
    #       tar -xf oauthapp.xz &&
    #       mv vault-plugin-secrets-oauthapp-v1.2.0-linux-amd64 /usr/local/libexec/vault/oauthapp &&
    #       chmod +x /usr/local/libexec/vault/oauthapp
    #   volumeMounts:
    #     - name: plugins
    #       mountPath: /usr/local/libexec/vault
  # extraContainers is a list of sidecar containers. Specified as a YAML list.
  extraContainers: null
  # shareProcessNamespace enables process namespace sharing between Vault and the extraContainers
  # This is useful if Vault must be signaled, e.g. to send a SIGHUP for a log rotation
  # NOTE(review): with a shared PID namespace every sidecar can see and signal
  # the Vault process (and read its /proc entries); only enable it when a
  # sidecar actually needs that.
  shareProcessNamespace: false
  # extraArgs is a string containing additional Vault server arguments.
  extraArgs: ""
  # extraPorts is a list of extra ports. Specified as a YAML list.
  # This is useful if you need to add additional ports to the statefulset in dynamic way.
  extraPorts: null
  # - containerPort: 8300
  #   name: http-monitoring
# Used to define custom readinessProbe settings.
  readinessProbe:
    enabled: true
    # If you need to use a http path instead of the default exec
    # path: /v1/sys/health?standbyok=true
    # Port number on which readinessProbe will be checked.
    port: 8200
    # When a probe fails, Kubernetes will try failureThreshold times before giving up
    failureThreshold: 2
    # Number of seconds after the container has started before probe initiates
    initialDelaySeconds: 5
    # How often (in seconds) to perform the probe
    periodSeconds: 5
    # Minimum consecutive successes for the probe to be considered successful after having failed
    successThreshold: 1
    # Number of seconds after which the probe times out.
    timeoutSeconds: 3
# Used to enable a livenessProbe for the pods.
  # Disabled by default: a liveness probe that fails while a node is sealed or
  # not yet initialized restarts a server that is otherwise healthy, so enable
  # it only once the probe `path` below reports the state you want restarted on.
  livenessProbe:
    enabled: false
    path: "/v1/sys/health?standbyok=true"
    # Port number on which livenessProbe will be checked.
    port: 8200
    # When a probe fails, Kubernetes will try failureThreshold times before giving up
    failureThreshold: 2
    # Number of seconds after the container has started before probe initiates
    initialDelaySeconds: 60
    # How often (in seconds) to perform the probe
    periodSeconds: 5
    # Minimum consecutive successes for the probe to be considered successful after having failed
    successThreshold: 1
    # Number of seconds after which the probe times out.
    timeoutSeconds: 3
# Optional duration in seconds the pod needs to terminate gracefully.
  # See: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
  terminationGracePeriodSeconds: 10
  # Used to set the sleep time during the preStop step
  preStopSleepSeconds: 5
  # Used to define commands to run after the pod is ready.
  # This can be used to automate processes such as initialization
  # or bootstrapping auth methods.
  postStart: []
  # - /bin/sh
  # - -c
  # - /vault/userconfig/myscript/run.sh
  # extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be
  # used to include variables required for auto-unseal.
  #
  # NOTE(review): values given here are rendered verbatim into the StatefulSet
  # manifest (and therefore into Helm release history). Put only non-secret
  # settings here; credentials belong in `extraSecretEnvironmentVars` below,
  # which reads them from Secret objects at runtime.
  extraEnvironmentVars: {}
  # GOOGLE_REGION: global
  # GOOGLE_PROJECT: myproject
  # GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/myproject/myproject-creds.json
  # extraSecretEnvironmentVars is a list of extra environment variables to set with the stateful set.
  # These variables take value from existing Secret objects.
  extraSecretEnvironmentVars: []
  # - envName: AWS_SECRET_ACCESS_KEY
  #   secretName: vault
  #   secretKey: AWS_SECRET_ACCESS_KEY
  # Deprecated: please use 'volumes' instead.
  # extraVolumes is a list of extra volumes to mount. These will be exposed
  # to Vault in the path `/vault/userconfig/<name>/`. The value below is
  # an array of objects, examples are shown below.
  extraVolumes: []
  # - type: secret (or "configMap")
  #   name: my-secret
  #   path: null # default is `/vault/userconfig`
  # volumes is a list of volumes made available to all containers. These are rendered
  # via toYaml rather than pre-processed like the extraVolumes value.
  # The purpose is to make it easy to share volumes between containers.
  volumes: null
  #   - name: plugins
  #     emptyDir: {}
  # volumeMounts is a list of volumeMounts for the main server container. These are rendered
  # via toYaml rather than pre-processed like the extraVolumes value.
  # The purpose is to make it easy to share volumes between containers.
  volumeMounts: null
  #   - mountPath: /usr/local/libexec/vault
  #     name: plugins
  #     readOnly: true
  # Affinity Settings
  # Commenting out or setting as empty the affinity variable, will allow
  # deployment to single node services such as Minikube
  # This should be either a multi-line string or YAML matching the PodSpec's affinity field.
  affinity: |
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchLabels:
              app.kubernetes.io/name: {{ template "vault.name" . }}
              app.kubernetes.io/instance: "{{ .Release.Name }}"
              component: server
          topologyKey: kubernetes.io/hostname
  # Topology settings for server pods
  # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
  # This should be either a multi-line string or YAML matching the topologySpreadConstraints array
  # in a PodSpec.
  topologySpreadConstraints: []
  # Toleration Settings for server pods
  # This should be either a multi-line string or YAML matching the Toleration array
  # in a PodSpec.
  tolerations: []
  # nodeSelector labels for server pod assignment, formatted as a multi-line string or YAML map.
  # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
  # Example:
  # nodeSelector:
  #   beta.kubernetes.io/arch: amd64
  nodeSelector: {}
# Enables network policy for server pods.
  # Off by default: without it any pod in the cluster that can route to the
  # server pods can reach the API and cluster ports. `egress` is an empty list,
  # so enabling the policy restricts egress as well and must be populated with
  # whatever the server needs to reach (storage, KMS for auto-unseal, peers).
  networkPolicy:
    enabled: false
    egress: []
    # egress:
    # - to:
    #   - ipBlock:
    #       cidr: 10.0.0.0/24
    #   ports:
    #   - protocol: TCP
    #     port: 443
# Priority class for server pods.
  priorityClassName: ""
  # Extra labels to attach to the server pods
  # This should be a YAML map of the labels to apply to the server pods
  extraLabels: {}
  # Extra annotations to attach to the server pods
  # This can either be YAML or a YAML-formatted multi-line templated string map
  # of the annotations to apply to the server pods
  annotations: {}
# Enables a headless service to be used by the Vault Statefulset.
  service:
    enabled: true
    # Enable or disable the vault-active service, which selects Vault pods that
    # have labelled themselves as the cluster leader with `vault-active: "true"`
    active:
      enabled: true
    # Enable or disable the vault-standby service, which selects Vault pods that
    # have labelled themselves as a cluster follower with `vault-active: "false"`
    standby:
      enabled: true
    # If enabled, the service selectors will include `app.kubernetes.io/instance: {{ .Release.Name }}`
    # When disabled, services may select Vault pods not deployed from the chart.
    # Does not affect the headless vault-internal service with `ClusterIP: None`
    # NOTE(review): keep this enabled; with it off, any pod in the namespace
    # carrying the chart's other labels could be selected by the Vault service
    # and receive client traffic.
    instanceSelector:
      enabled: true
    # clusterIP controls whether a Cluster IP address is attached to the
    # Vault service within Kubernetes. By default, the Vault service will
    # be given a Cluster IP address, set to None to disable. When disabled
    # Kubernetes will create a "headless" service. Headless services can be
    # used to communicate with pods directly through DNS instead of a round-robin
    # load balancer.
    # clusterIP: None
    # Configures the service type for the main Vault service. Can be ClusterIP
    # or NodePort.
    # type: ClusterIP
    # Do not wait for pods to be ready
    publishNotReadyAddresses: true
    # The externalTrafficPolicy can be set to either Cluster or Local
    # and is only valid for LoadBalancer and NodePort service types.
    # The default value is Cluster.
    # ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-traffic-policy
    externalTrafficPolicy: Cluster
    # If type is set to "NodePort", a specific nodePort value can be configured,
    # will be random if left blank.
    # nodePort: 30000
    # When HA mode is enabled
    # If type is set to "NodePort", a specific nodePort value can be configured,
    # will be random if left blank.
    # activeNodePort: 30001
    # When HA mode is enabled
    # If type is set to "NodePort", a specific nodePort value can be configured,
    # will be random if left blank.
    # standbyNodePort: 30002
    # Port on which Vault server is listening
    port: 8200
    # Target port to which the service should be mapped to
    targetPort: 8200
    # Extra annotations for the service definition. This can either be YAML or a
    # YAML-formatted multi-line templated string map of the annotations to apply
    # to the service.
    annotations: {}
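# This configures the Vault Statefulset to create a PVC for data
# storage when using the file or raft backend storage engines.
# See https://www.vaultproject.io/docs/configuration/storage/index.html for more information.
dataStorage:
  enabled: true
  # Size of the PVC created
  size: 10Gi
  # Location where the PVC will be mounted.
  mountPath: "/vault/data"
  # Name of the storage class to use. If null, the cluster's configured
  # default Storage Class is used.
  storageClass: null
  # Access Mode of the storage device being used for the PVC
  accessMode: ReadWriteOnce
  # Annotations to apply to the PVC
  annotations: {}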
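# This configures the Vault Statefulset to create a PVC for audit
# logs. Once Vault is deployed, initialized, and unsealed, Vault must
# be configured to use this for audit logs. This will be mounted to
# /vault/audit. Note that with `enabled: false` no audit volume exists, so
# audit logs are not persisted until this is turned on and an audit device
# is enabled in Vault.
# See https://www.vaultproject.io/docs/audit/index.html for more information.
auditStorage:
  enabled: false
  # Size of the PVC created
  size: 10Gi
  # Location where the PVC will be mounted.
  mountPath: "/vault/audit"
  # Name of the storage class to use. If null, the cluster's configured
  # default Storage Class is used.
  storageClass: null
  # Access Mode of the storage device being used for the PVC
  accessMode: ReadWriteOnce
  # Annotations to apply to the PVC
  annotations: {}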
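# Run Vault in "dev" mode. This requires no further setup, no state management,
# and no initialization. This is useful for experimenting with Vault without
# needing to unseal, store keys, et al. All data is lost on restart - do not
# use dev mode for anything other than experimenting.
# See https://www.vaultproject.io/docs/concepts/dev-server.html for more information.
dev:
  enabled: false
  # Set the VAULT_DEV_ROOT_TOKEN_ID value. This fixed, file-visible value is
  # the root token of the dev server, so any client that can reach a dev-mode
  # pod effectively has root access; it is only meaningful for local experiments.
  devRootToken: "root"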
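# Run Vault in "standalone" mode. This is the default mode that will deploy if
# no arguments are given to helm. This requires a PVC for data storage to use
# the "file" backend. This mode is not highly available and should not be scaled
# past a single replica.
standalone:
  # "-" appears to mean "use the chart default" (standalone unless another mode
  # is enabled), judging from the comment above; confirm against the templates.
  enabled: "-"
  # config is a raw string of default configuration when using a Stateful
  # deployment. Default is to use a PersistentVolumeClaim mounted at /vault/data
  # and store data there. This is only used when using a Replica count of 1, and
  # using a stateful set. This should be HCL.
  # Note: Configuration files are stored in ConfigMaps so sensitive data
  # such as passwords should be either mounted through extraSecretEnvironmentVars
  # or through a Kube secret. For more information see:
  # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
  # Note: the default listener below sets `tls_disable = 1`, so the API
  # listener on 8200 accepts plaintext; supply a listener with TLS configured
  # for anything beyond local experimentation.
  config: |
    ui = true
    listener "tcp" {
      tls_disable = 1
      address = "[::]:8200"
      cluster_address = "[::]:8201"
      # Enable unauthenticated metrics access (necessary for Prometheus Operator)
      #telemetry {
      #  unauthenticated_metrics_access = "true"
      #}
    }
    storage "file" {
      path = "/vault/data"
    }
    # Example configuration for using auto-unseal, using Google Cloud KMS. The
    # GKMS keys must already exist, and the cluster must have a service account
    # that is authorized to access GCP KMS.
    #seal "gcpckms" {
    #  project = "vault-helm-dev"
    #  region = "global"
    #  key_ring = "vault-helm-unseal-kr"
    #  crypto_key = "vault-helm-unseal-key"
    #}
    # Example configuration for enabling Prometheus metrics in your config.
    #telemetry {
    #  prometheus_retention_time = "30s"
    #  disable_hostname = true
    #}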
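# Run Vault in "HA" mode. There are no storage requirements unless the audit log
# persistence is required. In HA mode Vault will configure itself to use Consul
# for its storage backend. The default configuration provided will work with the
# Consul Helm project by default. It is possible to manually configure Vault to
# use a different HA backend.
ha:
  enabled: false
  replicas: 3
  # Set the api_addr configuration for Vault HA
  # See https://www.vaultproject.io/docs/configuration#api_addr
  # If set to null, this will be set to the Pod IP Address
  apiAddr: null
  # Set the cluster_addr configuration for Vault HA
  # See https://www.vaultproject.io/docs/configuration#cluster_addr
  # If set to null, this will be set to https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201
  clusterAddr: null
  # Enables Vault's integrated Raft storage. Unlike the typical HA modes where
  # Vault's persistence is external (such as Consul), enabling Raft mode will create
  # persistent volumes for Vault to store data according to the configuration under server.dataStorage.
  # The Vault cluster will coordinate leader elections and failovers internally.
  raft:
    # Enables Raft integrated storage
    enabled: false
    # Set the Node Raft ID to the name of the pod
    setNodeId: false
    # Note: Configuration files are stored in ConfigMaps so sensitive data
    # such as passwords should be either mounted through extraSecretEnvironmentVars
    # or through a Kube secret. For more information see:
    # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
    # Note: the default listener below sets `tls_disable = 1`, so the API
    # listener on 8200 accepts plaintext; supply a TLS-enabled listener for
    # production use.
    config: |
      ui = true
      listener "tcp" {
        tls_disable = 1
        address = "[::]:8200"
        cluster_address = "[::]:8201"
        # Enable unauthenticated metrics access (necessary for Prometheus Operator)
        #telemetry {
        #  unauthenticated_metrics_access = "true"
        #}
      }
      storage "raft" {
        path = "/vault/data"
      }
      service_registration "kubernetes" {}
  # config is a raw string of default configuration when using a Stateful
  # deployment. Default is to use Consul for its HA storage backend.
  # This should be HCL.
  # Note: Configuration files are stored in ConfigMaps so sensitive data
  # such as passwords should be either mounted through extraSecretEnvironmentVars
  # or through a Kube secret. For more information see:
  # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
  # Note: the default listener below sets `tls_disable = 1`, so the API
  # listener on 8200 accepts plaintext; supply a TLS-enabled listener for
  # production use.
  config: |
    ui = true
    listener "tcp" {
      tls_disable = 1
      address = "[::]:8200"
      cluster_address = "[::]:8201"
    }
    storage "consul" {
      path = "vault"
      address = "HOST_IP:8500"
    }
    service_registration "kubernetes" {}
    # Example configuration for using auto-unseal, using Google Cloud KMS. The
    # GKMS keys must already exist, and the cluster must have a service account
    # that is authorized to access GCP KMS.
    #seal "gcpckms" {
    #  project = "vault-helm-dev-246514"
    #  region = "global"
    #  key_ring = "vault-helm-unseal-kr"
    #  crypto_key = "vault-helm-unseal-key"
    #}
    # Example configuration for enabling Prometheus metrics.
    # If you are using Prometheus Operator you can enable a ServiceMonitor resource below.
    # You may wish to enable unauthenticated metrics in the listener block above.
    #telemetry {
    #  prometheus_retention_time = "30s"
    #  disable_hostname = true
    #}
  # A disruption budget limits the number of pods of a replicated application
  # that are down simultaneously from voluntary disruptions
  disruptionBudget:
    enabled: true
    # maxUnavailable will default to (n/2)-1 where n is the number of
    # replicas. If you'd like a custom value, you can specify an override here.
    maxUnavailable: null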
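# Definition of the serviceAccount used to run Vault.
# These options are also used when using an external Vault server to validate
# Kubernetes tokens.
serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""
  # Extra annotations for the serviceAccount definition. This can either be
  # YAML or a YAML-formatted multi-line templated string map of the
  # annotations to apply to the serviceAccount.
  annotations: {}
  # Extra labels to attach to the serviceAccount
  # This should be a YAML map of the labels to apply to the serviceAccount
  extraLabels: {}
  # Enable or disable a service account role binding with the permissions required for
  # Vault's Kubernetes service_registration config option. Disable it when
  # service_registration is not used, so the Vault service account carries no
  # permissions it does not need.
  # See https://developer.hashicorp.com/vault/docs/configuration/service-registration/kubernetes
  serviceDiscovery:
    enabled: true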
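# Settings for the statefulSet used to run Vault.
statefulSet:
  # Extra annotations for the statefulSet. This can either be YAML or a
  # YAML-formatted multi-line templated string map of the annotations to apply
  # to the statefulSet.
  annotations: {}
  # Set the pod and container security contexts.
  # If not set, these will default to the following for *non*-OpenShift clusters:
  #   pod:
  #     runAsNonRoot: true
  #     runAsGroup: {{ .Values.server.gid | default 1000 }}
  #     runAsUser: {{ .Values.server.uid | default 100 }}
  #     fsGroup: {{ .Values.server.gid | default 1000 }}
  #   container:
  #     allowPrivilegeEscalation: false
  #
  # If not set, these will default to the following for OpenShift:
  #   pod: {}
  #   container: {}
  #
  # Overriding these replaces the defaults above rather than merging with
  # them, so keep runAsNonRoot / allowPrivilegeEscalation in any override
  # unless there is a reason to drop them.
  securityContext:
    pod: {}
    container: {}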
# Should the server pods run on the host network. When true, the Vault
# listener is bound in the node's network namespace instead of the pod's,
# which widens exposure of port 8200; leave this false unless node-level
# access is intended.
hostNetwork: false
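# Vault UI
ui:
  # True if you want to create a Service entry for the Vault UI.
  #
  # serviceType can be used to control the type of service created. For
  # example, setting this to "LoadBalancer" will create an external load
  # balancer (for supported K8S installations) to access the UI.
  enabled: false
  # Publish pod addresses in the service endpoints before the pods report ready.
  publishNotReadyAddresses: true
  # The service should only contain selectors for the active Vault pod
  activeVaultPodOnly: false
  serviceType: "ClusterIP"
  serviceNodePort: null
  externalPort: 8200
  targetPort: 8200
  # The externalTrafficPolicy can be set to either Cluster or Local
  # and is only valid for LoadBalancer and NodePort service types.
  # The default value is Cluster.
  # ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-traffic-policy
  externalTrafficPolicy: Cluster
  # For a LoadBalancer service, restricts which client CIDRs may reach the UI;
  # set this whenever the UI is exposed outside the cluster.
  # loadBalancerSourceRanges:
  #   - 10.0.0.0/16
  #   - 1.78.23.3/32
  # loadBalancerIP:
  # Extra annotations to attach to the ui service
  # This can either be YAML or a YAML-formatted multi-line templated string map
  # of the annotations to apply to the ui service
  annotations: {}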
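# secrets-store-csi-driver-provider-vault
csi:
  # True if you want to install a secrets-store-csi-driver-provider-vault daemonset.
  #
  # Requires installing the secrets-store-csi-driver separately, see:
  # https://github.com/kubernetes-sigs/secrets-store-csi-driver#install-the-secrets-store-csi-driver
  #
  # With the driver and provider installed, you can mount Vault secrets into volumes
  # similar to the Vault Agent injector, and you can also sync those secrets into
  # Kubernetes secrets.
  enabled: false
  image:
    repository: "hashicorp/vault-csi-provider"
    tag: "1.3.0"
    pullPolicy: IfNotPresent
  # volumes is a list of volumes made available to all containers. These are rendered
  # via toYaml rather than pre-processed like the extraVolumes value.
  # The purpose is to make it easy to share volumes between containers.
  volumes: null
  # - name: tls
  #   secret:
  #     secretName: vault-tls
  # volumeMounts is a list of volumeMounts for the main server container. These are rendered
  # via toYaml rather than pre-processed like the extraVolumes value.
  # The purpose is to make it easy to share volumes between containers.
  volumeMounts: null
  # - name: tls
  #   mountPath: "/vault/tls"
  #   readOnly: true
  resources: {}
  # resources:
  #   requests:
  #     cpu: 50m
  #     memory: 128Mi
  #   limits:
  #     cpu: 50m
  #     memory: 128Mi
  # Override the default secret name for the CSI Provider's HMAC key used for
  # generating secret versions.
  hmacSecretName: ""
  # Settings for the daemonSet used to run the provider.
  daemonSet:
    updateStrategy:
      type: RollingUpdate
      maxUnavailable: ""
    # Extra annotations for the daemonSet. This can either be YAML or a
    # YAML-formatted multi-line templated string map of the annotations to apply
    # to the daemonSet.
    annotations: {}
    # Provider host path (must match the CSI provider's path). This and
    # kubeletRootDir are host directories mounted into the provider on every
    # node where the daemonSet runs; keep them aligned with the driver's settings.
    providersDir: "/etc/kubernetes/secrets-store-csi-providers"
    # Kubelet host path
    kubeletRootDir: "/var/lib/kubelet"
    # Extra labels to attach to the vault-csi-provider daemonSet
    # This should be a YAML map of the labels to apply to the csi provider daemonSet
    extraLabels: {}
    # security context for the pod template and container in the csi provider daemonSet
    securityContext:
      pod: {}
      container: {}
  pod:
    # Extra annotations for the provider pods. This can either be YAML or a
    # YAML-formatted multi-line templated string map of the annotations to apply
    # to the pod.
    annotations: {}
    # Toleration Settings for provider pods
    # This should be either a multi-line string or YAML matching the Toleration array
    # in a PodSpec.
    tolerations: []
    # Extra labels to attach to the vault-csi-provider pod
    # This should be a YAML map of the labels to apply to the csi provider pod
    extraLabels: {}
  agent:
    enabled: true
    extraArgs: []
    image:
      repository: "hashicorp/vault"
      tag: "1.13.1"
      pullPolicy: IfNotPresent
    logFormat: standard
    logLevel: info
    resources: {}
    # resources:
    #   requests:
    #     memory: 256Mi
    #     cpu: 250m
    #   limits:
    #     memory: 256Mi
    #     cpu: 250m
  # Priority class for csi pods
  priorityClassName: ""
  serviceAccount:
    # Extra annotations for the serviceAccount definition. This can either be
    # YAML or a YAML-formatted multi-line templated string map of the
    # annotations to apply to the serviceAccount.
    annotations: {}
    # Extra labels to attach to the vault-csi-provider serviceAccount
    # This should be a YAML map of the labels to apply to the csi provider serviceAccount
    extraLabels: {}
  # Used to configure readinessProbe for the pods.
  readinessProbe:
    # When a probe fails, Kubernetes will try failureThreshold times before giving up
    failureThreshold: 2
    # Number of seconds after the container has started before the probe initiates
    initialDelaySeconds: 5
    # How often (in seconds) to perform the probe
    periodSeconds: 5
    # Minimum consecutive successes for the probe to be considered successful after having failed
    successThreshold: 1
    # Number of seconds after which the probe times out.
    timeoutSeconds: 3
  # Used to configure livenessProbe for the pods.
  livenessProbe:
    # When a probe fails, Kubernetes will try failureThreshold times before giving up
    failureThreshold: 2
    # Number of seconds after the container has started before the probe initiates
    initialDelaySeconds: 5
    # How often (in seconds) to perform the probe
    periodSeconds: 5
    # Minimum consecutive successes for the probe to be considered successful after having failed
    successThreshold: 1
    # Number of seconds after which the probe times out.
    timeoutSeconds: 3
  # Enables debug logging. Debug output is more verbose, so review what it
  # writes before turning it on where logs are collected centrally.
  debug: false
  # Pass arbitrary additional arguments to vault-csi-provider.
  # See https://www.vaultproject.io/docs/platform/k8s/csi/configurations#command-line-arguments
  # for the available command line flags.
  extraArgs: []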
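# Vault is able to collect and publish various runtime metrics.
# Enabling this feature requires adding a `telemetry{}` stanza to
# the Vault configuration. There are a few examples included in the `config` sections above.
#
# For more information see:
# https://www.vaultproject.io/docs/configuration/telemetry
# https://www.vaultproject.io/docs/internals/telemetry
serverTelemetry:
  # Enable support for the Prometheus Operator. Currently, this chart does not support
  # authenticating to Vault's metrics endpoint, so the following `telemetry{}` must be included
  # in the `listener "tcp"{}` stanza
  #   telemetry {
  #     unauthenticated_metrics_access = "true"
  #   }
  #
  # With that setting the metrics endpoint is readable by any client that can
  # reach the listener, so limit network access to the scrape path accordingly.
  #
  # See the `standalone.config` for a more complete example of this.
  #
  # In addition, a top level `telemetry{}` stanza must also be included in the Vault configuration:
  #
  # example:
  #   telemetry {
  #     prometheus_retention_time = "30s"
  #     disable_hostname = true
  #   }
  #
  # Configuration for monitoring the Vault server.
  serviceMonitor:
    # The Prometheus operator *must* be installed before enabling this feature;
    # if not, the chart will fail to install due to missing CustomResourceDefinitions
    # provided by the operator.
    #
    # Instructions on how to install the Helm chart can be found here:
    # https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack
    # More information can be found here:
    # https://github.com/prometheus-operator/prometheus-operator
    # https://github.com/prometheus-operator/kube-prometheus
    # Enable deployment of the Vault Server ServiceMonitor CustomResource.
    enabled: false
    # Selector labels to add to the ServiceMonitor.
    # When empty, defaults to:
    #   release: prometheus
    selectors: {}
    # Interval at which Prometheus scrapes metrics
    interval: 30s
    # Timeout for Prometheus scrapes
    scrapeTimeout: 10s
  prometheusRules:
    # The Prometheus operator *must* be installed before enabling this feature;
    # if not, the chart will fail to install due to missing CustomResourceDefinitions
    # provided by the operator.
    # Deploy the PrometheusRule custom resource for AlertManager based alerts.
    # Requires that AlertManager is properly deployed.
    enabled: false
    # Selector labels to add to the PrometheusRules.
    # When empty, defaults to:
    #   release: prometheus
    selectors: {}
    # Some example rules.
    rules: {}
    #  - alert: vault-HighResponseTime
    #    annotations:
    #      message: The response time of Vault is over 500ms on average over the last 5 minutes.
    #    expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500
    #    for: 5m
    #    labels:
    #      severity: warning
    #  - alert: vault-HighResponseTime
    #    annotations:
    #      message: The response time of Vault is over 1s on average over the last 5 minutes.
    #    expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000
    #    for: 5m
    #    labels:
    #      severity: critical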