# Available parameters and their default values for the Vault chart.
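# Server, when enabled, configures a server cluster to run. This should
# be disabled if you plan on connecting to a Vault cluster external to
# the Kube cluster.
global:
  # enabled is the master enabled switch. Setting this to true or false
  # will enable or disable all the components within this chart by default.
  # Each component can be overridden using the component-specific "enabled"
  # value.
  enabled: true

  # image is the name (and tag) of the Vault Docker image for clients and
  # servers below. This can be overridden per component.
  # NOTE(review): the default below is a beta tag; pin a released tag (or an
  # image digest) before relying on this chart outside of testing.
  #image: "vault:0.11.1"
  image: "vault:1.0.0-beta2"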
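server:
  # NOTE(review): "-" presumably means "defer to global.enabled" — confirm
  # against the chart templates before relying on it.
  enabled: "-"
  image: null
  replicas: 1

  # storage and storageClass are the settings for configuring stateful
  # storage for the server pods. storage should be set to the disk size of
  # the attached volume. storageClass is the class of storage which defaults
  # to null (the Kube cluster will pick the default).
  storage: 10Gi
  storageClass: null

  # Resource requests, limits, etc. for the server cluster placement. This
  # should map directly to the value of the resources field for a PodSpec.
  # By default no direct resource request is made.
  resources: {}

  # config is a raw string of default configuration when using a Stateful
  # deployment. Default is to use a PersistentVolumeClaim mounted at /vault/data
  # and store data there. This is only used when using a Replica count of 1, and
  # using a stateful set.
  # This should be HCL.
  #
  # NOTE(review): the default listener sets tls_disable = 1 and binds
  # 0.0.0.0:8200, so API traffic (including tokens and secrets) crosses the
  # pod network as plaintext. Override this with a TLS-enabled listener
  # (tls_cert_file / tls_key_file) for anything beyond a test cluster.
  config: |
    ui = true

    listener "tcp" {
      tls_disable = 1
      address = "0.0.0.0:8200"
    }

    #api_addr = "POD_IP:8201"

    storage "file" {
      path = "/vault/data"
    }

    # Example configuration for using auto-unseal, using Google Cloud KMS. The
    # GKMS keys must already exist, and the cluster must have a service account
    # that is authorized to access GCP KMS.
    # seal "gcpckms" {
    #   project    = "vault-helm-dev"
    #   region     = "global"
    #   key_ring   = "vault-helm"
    #   crypto_key = "vault-init"
    # }

  # extraVolumes is a list of extra volumes to mount. These will be exposed
  # to Vault in the path `/vault/userconfig/<name>/`. The value below is
  # an array of objects; examples are shown below.
  extraVolumes: []
  # - type: secret (or "configMap")
  #   name: my-secret
  #   load: false # if true, will add to `-config` to load by Vault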
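serverHA:
  enabled: false
  image: null
  replicas: 1

  # storage and storageClass are the settings for configuring stateful
  # storage for the server pods. storage should be set to the disk size of
  # the attached volume. storageClass is the class of storage which defaults
  # to null (the Kube cluster will pick the default).
  storage: 2Gi
  storageClass: null

  # Resource requests, limits, etc. for the server cluster placement. This
  # should map directly to the value of the resources field for a PodSpec.
  # By default no direct resource request is made.
  resources: {}

  # updatePartition is used to control a careful rolling update of Vault
  # servers. This should be done particularly when changing the version
  # of Vault. Please refer to the documentation for more information.
  updatePartition: 0

  # config is a raw HCL string of default configuration for the HA
  # deployment. The default below configures a TCP listener (with a
  # cluster_address on port 8201 for server-to-server traffic) and Consul as
  # the storage backend. POD_IP and HOST_IP are placeholders that are
  # presumably substituted at deploy time — confirm against the StatefulSet
  # template.
  #
  # NOTE(review): tls_disable = 1 leaves the client listener on plaintext
  # HTTP, and the Consul backend is addressed over plain HTTP with no ACL
  # token configured. Enable TLS on the listener and secure the storage
  # backend before using this outside a test cluster.
  config: |
    ui = true

    listener "tcp" {
      tls_disable = 1
      address = "0.0.0.0:8200"
      cluster_address = "POD_IP:8201"
    }

    storage "consul" {
      path = "vault"
      address = "HOST_IP:8500"
    }

    # Example configuration for using auto-unseal, using Google Cloud KMS. The
    # GKMS keys must already exist, and the cluster must have a service account
    # that is authorized to access GCP KMS.
    # seal "gcpckms" {
    #   project    = "vault-helm-dev"
    #   region     = "global"
    #   key_ring   = "vault-helm"
    #   crypto_key = "vault-init"
    # }

  # extraVolumes is a list of extra volumes to mount. These will be exposed
  # to Vault in the path `/vault/userconfig/<name>/`. The value below is
  # an array of objects; examples are shown below.
  extraVolumes: []
  # - type: secret (or "configMap")
  #   name: my-secret
  #   load: false # if true, will add to `-config` to load by Vault

  disruptionBudget:
    enabled: true

    # maxUnavailable will default to (n/2)-1 where n is the number of
    # replicas. If you'd like a custom value, you can specify an override here.
    maxUnavailable: null

  # Affinity Settings
  # Commenting out or setting the affinity variable to empty will allow
  # deployment to single-node services such as Minikube.
  affinity: |
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchLabels:
              app: {{ template "vault.name" . }}
              release: "{{ .Release.Name }}"
              component: server
          topologyKey: kubernetes.io/hostname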
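ui:
  # True if you want to enable the Vault UI. The UI will run only
  # on the server nodes. This makes UI access via the service below (if
  # enabled) predictable rather than "any node" if you're running Vault
  # clients as well.
  #
  # This value is used for both Single Server and HA mode setups.
  enabled: false

  # service.enabled: true if you want to create a Service entry for the
  # Vault UI.
  #
  # service.type can be used to control the type of service created. For
  # example, setting this to "LoadBalancer" will create an external load
  # balancer (for supported K8S installations) to access the UI.
  #
  # NOTE(review): the default type is LoadBalancer, which on supporting
  # clusters provisions an externally reachable endpoint for the Vault UI as
  # soon as ui.enabled is set. Prefer ClusterIP (with an ingress or
  # port-forward) unless external exposure is intended.
  service:
    enabled: true
    type: LoadBalancer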
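# Run Vault in "dev" mode. This requires no further setup, no state management,
# and no initialization. This is useful for experimenting with Vault without
# needing to unseal, store keys, et al. All data is lost on restart - do not
# use dev mode for anything other than experimenting.
# See https://www.vaultproject.io/docs/concepts/dev-server.html to know more.
dev:
  enabled: false
  # image overrides global.image for the dev server when set.
  image: null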