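global:
  # enabled is the master enabled switch. Setting this to true or false
  # will enable or disable all the components within this chart by default.
  enabled: true
  # TLS for end-to-end encrypted transport. Keep this false in production.
  # It must agree with `tls_disable` in server.ha.config below, otherwise the
  # scheme the chart uses for VAULT_ADDR and the listener's scheme disagree.
  tlsDisable: false

injector:
  # True if you want to enable vault agent injection.
  enabled: true

  replicas: 1

  # If true, will enable a node exporter metrics endpoint at /metrics.
  metrics:
    enabled: false

  # Mount Path of the Vault Kubernetes Auth Method.
  authPath: "auth/kubernetes"

  certs:
    # secretName is the name of the secret that has the TLS certificate and
    # private key to serve the injector webhook. If this is null, then the
    # injector will default to its automatic management mode that will assign
    # a service account to the injector to generate its own certificates.
    secretName: null

    # caBundle is a base64-encoded PEM-encoded certificate bundle for the
    # CA that signed the TLS certificate that the webhook serves. This must
    # be set if secretName is non-null.
    caBundle: ""

    # certName and keyName are the names of the files within the secret for
    # the TLS cert and private key, respectively. These have reasonable
    # defaults but can be customized if necessary.
    certName: tls.crt
    keyName: tls.key

  # With failurePolicy Fail the API server rejects pod creation while the
  # injector webhook is unreachable instead of silently admitting pods
  # without their injected secrets. Keep it at Fail for workloads that
  # depend on the injected secrets.
  webhook:
    failurePolicy: Fail

  # Presumably the older top-level form of webhook.failurePolicy read by
  # earlier chart releases; kept so that both forms agree. Confirm against
  # the chart version in use and drop it if the chart no longer reads it.
  failurePolicy: Fail

server:
  # Resource requests, limits, etc. for the server cluster placement. This
  # should map directly to the value of the resources field for a PodSpec.
  # By default no direct resource request is made (this file sets no
  # `resources:` key).

  # Enables a headless service to be used by the Vault Statefulset
  service:
    enabled: true
    # Port on which Vault server is listening
    port: 8200
    # Target port to which the service should be mapped to
    targetPort: 8200

  # This configures the Vault Statefulset to create a PVC for audit
  # logs. Once Vault is deployed, initialized and unsealed, Vault must
  # be configured to use this for audit logs. This will be mounted to
  # /vault/audit
  # See https://www.vaultproject.io/docs/audit/index.html to know more
  # NOTE(review): while this is disabled there is no persistent audit
  # trail. Enable it (or ship audit logs elsewhere) before production use.
  auditStorage:
    enabled: false

  # Run Vault in "HA" mode. There are no storage requirements unless audit log
  # persistence is required. The upstream chart's default HA configuration
  # uses Consul (and works with the Consul Helm project out of the box); the
  # `config` below overrides that default, so an HA-capable storage backend
  # has to be supplied here or through another values file.
  ha:
    enabled: true
    replicas: 3

    # Set the api_addr configuration for Vault HA
    # See https://www.vaultproject.io/docs/configuration#api_addr
    # If set to null, this will be set to the Pod IP Address
    apiAddr: null

    # config is a raw string of default configuration when using a Stateful
    # deployment. This should be HCL.
    # Note: Configuration files are stored in ConfigMaps so sensitive data
    # such as passwords should be either mounted through extraSecretEnvironmentVars
    # or through a Kube secret. For more information see:
    # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
    config: |
      ui = true

      listener "tcp" {
        address = "[::]:8200"
        cluster_address = "[::]:8201"
        # NOTE: this value must match the Helm value global.tlsDisable.
        tls_disable = false
        # The certificate and key are expected at these paths inside the
        # server pod. The volume that provides them is not defined in this
        # file (server.volumes / server.volumeMounts) -- confirm it is mounted.
        tls_cert_file = "/etc/certs/vault.crt"
        tls_key_file = "/etc/certs/vault.key"
      }

      # NOTE(review): no storage stanza is active in this config. Vault does
      # not start without a storage backend, so one must be supplied here or
      # by another values file -- confirm before deploying.
      #
      # Example: PostgreSQL as the HA storage backend. Do not put the database
      # password in this ConfigMap -- supply the connection URL through the
      # VAULT_PG_CONNECTION_URL environment variable from a Kubernetes Secret
      # (extraSecretEnvironmentVars), and require TLS to the database
      # (sslmode=verify-full). With sslmode=disable the credentials and all
      # storage traffic travel in clear text.
      # storage "postgresql" {
      #   connection_url = "postgres://username:password@:5432/vault?sslmode=verify-full"
      #   ha_enabled = true
      # }

      service_registration "kubernetes" {}

      # Example configuration for auto-unseal using AWS KMS. The cluster must
      # have a service account that is authorized to use the KMS key through
      # an IAM role (see server.serviceAccount.annotations below). Limit that
      # role's key policy to the Encrypt/Decrypt/DescribeKey actions on the
      # one unseal key.
      # seal "awskms" {
      #   region = "us-east-1"
      #   kms_key_id = ""
      #   # By default the seal uses the public KMS endpoint. To keep unseal
      #   # traffic inside the VPC, point `endpoint` at a VPC interface
      #   # endpoint you created (replace the placeholder with its DNS name).
      #   endpoint = "https://.kms.us-east-1.vpce.amazonaws.com"
      # }

  # Definition of the serviceAccount used to run Vault.
  # These options are also used when using an external Vault server to validate
  # Kubernetes tokens.
  serviceAccount:
    create: true
    name: "vault"
    # For AWS KMS auto-unseal via IRSA, replace `{}` with a mapping that sets
    # eks.amazonaws.com/role-arn to the ARN of the IAM role that holds the
    # KMS permissions. The annotation is commented out rather than left with
    # an empty value: a bare `key:` parses as null, which is not a usable
    # annotation value and leaves the pod without an IAM role.
    annotations: {}
    # eks.amazonaws.com/role-arn: "arn:aws:iam::<account-id>:role/<vault-unseal-role>"

# Vault UI
ui:
  enabled: true
  publishNotReadyAddresses: true
  serviceType: ClusterIP
  activeVaultPodOnly: true
  externalPort: 8200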