# Available parameters and their default values for the Vault chart.
# (Reformatted from a single collapsed line; values are unchanged, only
# comments were corrected or added.)

global:
  # enabled is the master enabled switch. Setting this to true or false
  # will enable or disable all the components within this chart by default.
  enabled: true
  # Image pull secret to use for registry authentication.
  imagePullSecrets: []
  # imagePullSecrets:
  #   - name: image-pull-secret
  # TLS for end-to-end encrypted transport. This must agree with the
  # `tls_disable` setting inside server.ha.raft.config below (it does: false / 0).
  tlsDisable: false
  # Beta Feature: If deploying to OpenShift
  openshift: false

injector:
  # True if you want to enable vault agent injection.
  enabled: true

  # External vault server address for the injector to use. Setting this will
  # disable deployment of a vault server along with the injector.
  externalVaultAddr: ""

  # image sets the repo and tag of the vault-k8s image to use for the injector.
  image:
    repository: "hashicorp/vault-k8s"
    tag: "0.4.0"
    pullPolicy: IfNotPresent

  # agentImage sets the repo and tag of the Vault image to use for the Vault Agent
  # containers. This should be set to the official Vault image. Vault 1.3.1+ is
  # required.
  agentImage:
    repository: "vault"
    tag: "1.4.2"

  # Mount Path of the Vault Kubernetes Auth Method.
  authPath: "auth/kubernetes"

  # Configures the log verbosity of the injector. Supported log levels: Trace, Debug, Error, Warn, Info
  # NOTE(review): "trace" is the most verbose level and is unusual outside of
  # troubleshooting; consider "info" for a long-running deployment — confirm intent.
  logLevel: "trace"

  # Configures the log format of the injector. Supported log formats: "standard", "json".
  logFormat: "standard"

  # Configures all Vault Agent sidecars to revoke their token when shutting down
  revokeOnShutdown: false

  # namespaceSelector is the selector for restricting the webhook to only
  # specific namespaces.
  # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
  # for more details.
  # Example:
  # namespaceSelector:
  #   matchLabels:
  #     sidecar-injector: enabled
  namespaceSelector: {}

  certs:
    # secretName is the name of the secret that has the TLS certificate and
    # private key to serve the injector webhook. If this is null, then the
    # injector will default to its automatic management mode that will assign
    # a service account to the injector to generate its own certificates.
    secretName: null
    #secretName: vault-tls

    # caBundle is a base64-encoded PEM-encoded certificate bundle for the
    # CA that signed the TLS certificate that the webhook serves. This must
    # be set if secretName is non-null.
    caBundle: ""

    # certName and keyName are the names of the files within the secret for
    # the TLS cert and private key, respectively. These have reasonable
    # defaults but can be customized if necessary.
    #certName: tls.crt
    #keyName: tls.key

  resources: {}
  # resources:
  #   requests:
  #     memory: 256Mi
  #     cpu: 250m
  #   limits:
  #     memory: 256Mi
  #     cpu: 250m

  # extraEnvironmentVars is a map of extra environment variables to set in the
  # injector deployment.
  extraEnvironmentVars: {}
  #extraEnvironmentVars:
  #  VAULT_CACERT: /vault/userconfig/vault-tls/ca.crt
  #  KUBERNETES_SERVICE_HOST: kubernetes.default.svc

  # Affinity Settings for injector pods
  # This should be a multi-line string matching the affinity section of a
  # PodSpec.
  affinity: null

  # Toleration Settings for injector pods
  # This should be a multi-line string matching the Toleration array
  # in a PodSpec.
  tolerations: null

  # nodeSelector labels for injector pod assignment, formatted as a multi-line string.
  # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
  # Example:
  # nodeSelector: |
  #   beta.kubernetes.io/arch: amd64
  nodeSelector: null

  # Priority class for injector pods
  priorityClassName: ""

server:
  # Image used for the Vault server containers.
  image:
    repository: "vault"
    tag: "1.4.2"
    # Overrides the default Image Pull Policy
    pullPolicy: IfNotPresent

  # Configure the Update Strategy Type for the StatefulSet
  # See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
  updateStrategyType: "OnDelete"

  # Resource requests, limits, etc. for the server cluster placement. This
  # should map directly to the value of the resources field for a PodSpec.
  # By default no direct resource request is made.
  resources: {}
  # resources:
  #   requests:
  #     memory: 256Mi
  #     cpu: 250m
  #   limits:
  #     memory: 256Mi
  #     cpu: 250m

  # Ingress allows ingress services to be created to allow external access
  # from Kubernetes to access Vault pods.
  # If deployment is on OpenShift, the following block is ignored.
  # In order to expose the service, use the route section below
  ingress:
    enabled: false
    labels: {}
      # traffic: external
    annotations: {}
      # |
      # kubernetes.io/ingress.class: nginx
      # kubernetes.io/tls-acme: "true"
      #   or
      # kubernetes.io/ingress.class: nginx
      # kubernetes.io/tls-acme: "true"
    hosts:
      - host: chart-example.local
        paths: []
    tls:
      # secretName is the name of the secret holding the TLS certificate and
      # private key the Ingress should terminate with.
      # NOTE(review): the Kubernetes Ingress `tls` field is a list of
      # {secretName, hosts} entries (see the commented example below); this
      # value is a bare mapping, so it may not render to a valid Ingress spec
      # once `enabled` is switched on — confirm against the chart template.
      secretName: vault-tls
    #hosts:
    #  - vault
    #tls: []
    #  - secretName: chart-example-tls
    #    hosts:
    #      - chart-example.local

  # OpenShift only - create a route to expose the service
  # The created route will be of type passthrough
  route:
    enabled: false
    labels: {}
    annotations: {}
    host: chart-example.local

  # authDelegator enables a cluster role binding to be attached to the service
  # account. This cluster role binding can be used to setup Kubernetes auth
  # method. https://www.vaultproject.io/docs/auth/kubernetes.html
  authDelegator:
    enabled: true

  # extraInitContainers is a list of init containers. Specified as a YAML list.
  # This is useful if you need to run a script to provision TLS certificates or
  # write out configuration files in a dynamic way.
  extraInitContainers: null

  # extraContainers is a list of sidecar containers. Specified as a YAML list.
  extraContainers: null

  # shareProcessNamespace enables process namespace sharing between Vault and the extraContainers
  # This is useful if Vault must be signaled, e.g. to send a SIGHUP for log rotation
  shareProcessNamespace: false

  # extraArgs is a string containing additional Vault server arguments.
  extraArgs: ""

  # Used to define custom readinessProbe settings
  readinessProbe:
    enabled: true
    # If you need to use a http path instead of the default exec
    # path: /v1/sys/health?standbyok=true
  # Used to enable a livenessProbe for the pods
  livenessProbe:
    enabled: false
    path: "/v1/sys/health?standbyok=true"
    initialDelaySeconds: 60

  # Used to set the sleep time during the preStop step
  preStopSleepSeconds: 5

  # Used to define commands to run after the pod is ready.
  # This can be used to automate processes such as initialization
  # or bootstrapping auth methods.
  postStart: []
  # - /bin/sh
  # - -c
  # - /vault/userconfig/myscript/run.sh

  # extraEnvironmentVars is a map of extra environment variables to set with the stateful set. These could be
  # used to include variables required for auto-unseal.
  # VAULT_CACERT points at the CA mounted from the `vault-tls` secret listed
  # under extraVolumes below; VAULT_ADDR uses the pod's own hostname so each
  # replica talks to itself through the internal headless service.
  #extraEnvironmentVars: {}
  extraEnvironmentVars:
    VAULT_CACERT: /vault/userconfig/vault-tls/ca.crt
    VAULT_ADDR: "https://$(HOSTNAME).vault-v1-internal.vault:8200"
    # GOOGLE_REGION: global
    # GOOGLE_PROJECT: myproject
    # GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/myproject/myproject-creds.json

  # extraSecretEnvironmentVars is a list of extra environment variables to set with the stateful set.
  # These variables take value from existing Secret objects.
  # This is the preferred way to supply the AWS KMS seal credentials (see the
  # note above server.ha.raft.config) rather than writing them into the HCL.
  extraSecretEnvironmentVars: []
    # - envName: AWS_SECRET_ACCESS_KEY
    #   secretName: vault
    #   secretKey: AWS_SECRET_ACCESS_KEY

  # extraVolumes is a list of extra volumes to mount. These will be exposed
  # to Vault in the path `/vault/userconfig/<name>/`. The value below is
  # an array of objects, examples are shown below.
  # The `vault-tls` secret mounted here is what the listener, retry_join and
  # VAULT_CACERT settings below refer to.
  #extraVolumes: []
  extraVolumes:
    - type: secret
      name: vault-tls
      path: /vault/userconfig

  # Affinity Settings
  # Commenting out or setting as empty the affinity variable, will allow
  # deployment to single node services such as Minikube
  affinity: |
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchLabels:
              app.kubernetes.io/name: {{ template "vault.name" . }}
              app.kubernetes.io/instance: "{{ .Release.Name }}"
              component: server
          topologyKey: kubernetes.io/hostname

  # Toleration Settings for server pods
  # This should be a multi-line string matching the Toleration array
  # in a PodSpec.
  tolerations: null

  # nodeSelector labels for server pod assignment, formatted as a multi-line string.
  # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
  # Example:
  # nodeSelector: |
  #   beta.kubernetes.io/arch: amd64
  nodeSelector: null

  # Priority class for server pods
  priorityClassName: ""

  # Extra labels to attach to the server pods
  # This should be a YAML map of the labels to apply to the server pods
  extraLabels: {}

  # Extra annotations to attach to the server pods
  # This can either be YAML or a YAML-formatted multi-line templated string map
  # of the annotations to apply to the server pods
  annotations: {}

  # Enables a headless service to be used by the Vault Statefulset
  service:
    enabled: true
    # clusterIP controls whether a Cluster IP address is attached to the
    # Vault service within Kubernetes. By default the Vault service will
    # be given a Cluster IP address, set to None to disable. When disabled
    # Kubernetes will create a "headless" service. Headless services can be
    # used to communicate with pods directly through DNS instead of a round robin
    # load balancer.
    # (YAML parses `None` as the string "None", which is what the chart expects.)
    clusterIP: None
    # Configures the service type for the main Vault service. Can be ClusterIP
    # or NodePort.
    #type: ClusterIP

    # If type is set to "NodePort", a specific nodePort value can be configured,
    # will be random if left blank.
    #nodePort: 30000

    # Port on which Vault server is listening
    port: 8200
    # Target port to which the service should be mapped to
    targetPort: 8200
    # Extra annotations for the service definition. This can either be YAML or a
    # YAML-formatted multi-line templated string map of the annotations to apply
    # to the service.
    annotations: {}

  # This configures the Vault Statefulset to create a PVC for data
  # storage when using the file or raft backend storage engines.
  # See https://www.vaultproject.io/docs/configuration/storage/index.html to know more
  dataStorage:
    enabled: true
    # Size of the PVC created
    size: 10Gi
    # Name of the storage class to use. If null it will use the
    # configured default Storage Class.
    storageClass: vault
    # Access Mode of the storage device being used for the PVC
    accessMode: ReadWriteOnce

  # This configures the Vault Statefulset to create a PVC for audit
  # logs. Once Vault is deployed, initialized and unsealed, Vault must
  # be configured to use this for audit logs. This will be mounted to
  # /vault/audit
  # See https://www.vaultproject.io/docs/audit/index.html to know more
  auditStorage:
    enabled: true
    # Size of the PVC created
    size: 10Gi
    # Name of the storage class to use. If null it will use the
    # configured default Storage Class.
    storageClass: vault
    # Access Mode of the storage device being used for the PVC
    accessMode: ReadWriteOnce

  # Run Vault in "dev" mode. This requires no further setup, no state management,
  # and no initialization. This is useful for experimenting with Vault without
  # needing to unseal, store keys, et al. All data is lost on restart - do not
  # use dev mode for anything other than experimenting.
  # See https://www.vaultproject.io/docs/concepts/dev-server.html to know more
  dev:
    enabled: false

  # Run Vault in "standalone" mode. This is the default mode that will deploy if
  # no arguments are given to helm. This requires a PVC for data storage to use
  # the "file" backend. This mode is not highly available and should not be scaled
  # past a single replica.
  # No standalone config is given here; it is not needed while ha.enabled is true.
  standalone:
    enabled: false

  # Run Vault in "HA" mode. There are no storage requirements unless audit log
  # persistence is required. With the upstream defaults Vault would use Consul
  # for its storage backend (and the Consul Helm project works out of the box),
  # but this file enables integrated Raft storage under ha.raft below, so the
  # Consul-based config is commented out.
  ha:
    enabled: true
    replicas: 3

    # Enables Vault's integrated Raft storage. Unlike the typical HA modes where
    # Vault's persistence is external such as Consul, enabling Raft mode will create
    # persistent volumes for Vault to store data according to the configuration under server.dataStorage.
    # The Vault cluster will coordinate leader elections and failovers internally.
    raft:
      # Enables Raft integrated storage
      enabled: true
      # Set the Node Raft ID to the name of the pod
      setNodeId: false

      # Server configuration (HCL) for the Raft-backed HA cluster.
      #
      # NOTE(review): `seal "awskms"` carries `access_key` / `secret_key`
      # inline. Even with placeholder values, a values file is usually
      # committed to VCS and rendered into a ConfigMap, so the real keys
      # should not live here. The awskms seal also reads AWS_ACCESS_KEY_ID /
      # AWS_SECRET_ACCESS_KEY from the environment, so they can be injected
      # from a Kubernetes Secret via extraSecretEnvironmentVars above, or
      # replaced by an IAM role attached to the nodes / service account.
      #
      # NOTE(review): `api_addr` and `cluster_addr` use the shared name
      # `vault-v1.vault-v1-internal.vault`, while the retry_join stanzas show
      # the pods are `vault-v1-0..2`. Each Raft node should advertise its own
      # pod address (the `$(HOSTNAME)`-based form used for VAULT_ADDR above);
      # the chart also sets these from environment variables — confirm which
      # takes precedence and whether the shared name resolves at all.
      #
      # NOTE(review): `tls_client_ca_file` on the listener only names a CA for
      # client certificates; client certs are not required unless
      # `tls_require_and_verify_client_cert` is also set — confirm intent.
      config: |
        disable_mlock = true
        ui = true

        listener "tcp" {
          tls_disable = 0
          address = "0.0.0.0:8200"
          tls_client_ca_file = "/vault/userconfig/vault-tls/ca.crt"
          tls_cert_file = "/vault/userconfig/vault-tls/tls.crt"
          tls_key_file = "/vault/userconfig/vault-tls/tls.key"
        }

        api_addr = "https://vault-v1.vault-v1-internal.vault:8200"
        cluster_addr = "https://vault-v1.vault-v1-internal.vault:8201"

        storage "raft" {
          path = "/vault/data"
          retry_join {
            leader_api_addr = "https://vault-v1-0.vault-v1-internal.vault:8200"
            leader_ca_cert_file = "/vault/userconfig/vault-tls/ca.crt"
            leader_client_cert_file = "/vault/userconfig/vault-tls/tls.crt"
            leader_client_key_file = "/vault/userconfig/vault-tls/tls.key"
          }
          retry_join {
            leader_api_addr = "https://vault-v1-1.vault-v1-internal.vault:8200"
            leader_ca_cert_file = "/vault/userconfig/vault-tls/ca.crt"
            leader_client_cert_file = "/vault/userconfig/vault-tls/tls.crt"
            leader_client_key_file = "/vault/userconfig/vault-tls/tls.key"
          }
          retry_join {
            leader_api_addr = "https://vault-v1-2.vault-v1-internal.vault:8200"
            leader_ca_cert_file = "/vault/userconfig/vault-tls/ca.crt"
            leader_client_cert_file = "/vault/userconfig/vault-tls/tls.crt"
            leader_client_key_file = "/vault/userconfig/vault-tls/tls.key"
          }
        }

        service_registration "kubernetes" {}

        seal "awskms" {
          region = "ca-central-1"
          access_key = "--obfuscated--"
          secret_key = "--obfuscated--"
          kms_key_id = "--obfuscated--"
        }

    # config is a raw string of default configuration when using a Stateful
    # deployment. The upstream default uses Consul for its HA storage backend;
    # it is left unset here because the Raft config above is used instead.
    # This should be HCL.
    #config: null

    # A disruption budget limits the number of pods of a replicated application
    # that are down simultaneously from voluntary disruptions
    disruptionBudget:
      enabled: true

      # maxUnavailable will default to (n / 2) - 1 where n is the number of
      # replicas. If you'd like a custom value, you can specify an override here.
      # With replicas: 3, allowing 1 unavailable pod keeps a 2-node Raft quorum.
      maxUnavailable: 1

  # Definition of the serviceAccount used to run Vault.
  serviceAccount:
    # Extra annotations for the serviceAccount definition. This can either be
    # YAML or a YAML-formatted multi-line templated string map of the
    # annotations to apply to the serviceAccount.
    annotations: {}

# Vault UI
ui:
  # True if you want to create a Service entry for the Vault UI.
  #
  # serviceType can be used to control the type of service created. For
  # example, setting this to "LoadBalancer" will create an external load
  # balancer for supported K8S installations to access the UI.
  enabled: true
  serviceType: "ClusterIP"
  serviceNodePort: null
  externalPort: 8200
  # loadBalancerSourceRanges:
  #   - 10.0.0.0/16
  #   - 1.78.23.3/32
  # loadBalancerIP:

  # Extra annotations to attach to the ui service
  # This can either be YAML or a YAML-formatted multi-line templated string map
  # of the annotations to apply to the ui service
  annotations: {}