# Available parameters and their default values for the Vault chart.
# Server, when enabled, configures a server cluster to run. This should
# be disabled if you plan on connecting to a Vault cluster external to
# the Kube cluster.
global:
  # enabled is the master enabled switch. Setting this to true or false
  # will enable or disable all the components within this chart by default.
  # Each component can be overridden using the component-specific "enabled"
  # value.
  enabled: true
  # Domain to register the Vault DNS server to listen for.
  # TODO: verify for vault (don't think it's needed)
  domain: vault
  # Image is the name (and tag) of the Vault Docker image for clients and
  # servers below. This can be overridden per component.
  #
  # NOTE(review): the default below is a pre-release tag. Before running this
  # anywhere but a sandbox, pin a released version -- ideally by digest
  # ("vault@sha256:...") -- so that what the pods run is reproducible and a
  # re-pushed tag cannot silently change it.
  #image: "vault:0.11.1"
  image: "vault:1.0.0-beta2"
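server:
  # "-" defers to global.enabled; set true or false here to override it for
  # the single-server deployment only. (NOTE(review): this is the chart's
  # convention as far as this file shows -- confirm in the templates.)
  enabled: "-"
  # image, when set, overrides global.image for the server pods.
  image: null
  replicas: 1
  # storage and storageClass are the settings for configuring stateful
  # storage for the server pods. storage should be set to the disk size of
  # the attached volume. storageClass is the class of storage which defaults
  # to null (the Kube cluster will pick the default).
  storage: 10Gi
  storageClass: null
  # Resource requests, limits, etc. for the server cluster placement. This
  # should map directly to the value of the resources field for a PodSpec.
  # By default no direct resource request is made.
  resources: {}
  # config is a raw string of default configuration when using a Stateful
  # deployment. Default is to use a PersistentVolumeClaim mounted at /vault/data
  # and store data there. This is only used when using a Replica count of 1, and
  # using a stateful set.
  # This should be HCL.
  #
  # SECURITY: the defaults below are for local experimentation only. The
  # listener has TLS disabled, so every token, secret and unseal/recovery key
  # exchanged with Vault crosses the network in cleartext; anyone on the
  # network path (or with access to the Service) can read and replay them.
  # Before exposing this deployment to anything but yourself, set
  # tls_disable = 0 and supply tls_cert_file / tls_key_file (e.g. from a
  # Secret mounted through extraVolumes below), or put a TLS-terminating
  # proxy in front that also protects the proxy-to-pod hop.
  config: |
    # NOTE(review): this enables the web UI regardless of the ui.enabled value
    # further down this file -- confirm which one the templates treat as
    # authoritative.
    ui = true
    listener "tcp" {
      # WARNING: cleartext API. See the SECURITY note on the config key above.
      tls_disable = 1
      address = "0.0.0.0:8200"
    }
    #api_addr = "POD_IP:8201"
    storage "file" {
      path = "/vault/data"
    }
    # Auto-unseal with GCP Cloud KMS. The key ring and crypto key must already
    # exist, and the pods must run with a service account that is authorized
    # to encrypt and decrypt with that key -- without that access Vault cannot
    # unseal. The project/key names below belong to a development environment;
    # they are placeholders to be replaced, not something to deploy against.
    seal "gcpckms" {
      project = "vault-helm-dev"
      region = "global"
      key_ring = "vault-helm"
      crypto_key = "vault-init"
    }
  # extraVolumes is a list of extra volumes to mount. These will be exposed
  # to Vault in the path `/vault/userconfig/<name>/`. The value below is
  # an array of objects, examples are shown below. Mounting a Secret here is
  # the intended way to get TLS material (and any other sensitive config)
  # into the pod without putting it in this file.
  extraVolumes: []
  # - type: secret (or "configMap")
  #   name: my-secret
  #   load: false # if true, will add to `-config` to load by Vault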
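serverHA:
  # Set to true to deploy the HA (Consul-backed) server set instead of, or in
  # addition to, the single server above. Off by default.
  enabled: false
  # image, when set, overrides global.image for the HA server pods.
  image: null
  # Number of Vault servers in the HA set. The default of 1 gives no
  # redundancy; raise it for a real HA deployment and use updatePartition
  # below to roll changes out one server at a time.
  replicas: 1
  # storage and storageClass are the settings for configuring stateful
  # storage for the server pods. storage should be set to the disk size of
  # the attached volume. storageClass is the class of storage which defaults
  # to null (the Kube cluster will pick the default).
  storage: 2Gi
  storageClass: null
  # Resource requests, limits, etc. for the server cluster placement. This
  # should map directly to the value of the resources field for a PodSpec.
  # By default no direct resource request is made.
  resources: {}
  # updatePartition is used to control a careful rolling update of Vault
  # servers. This should be done particularly when changing the version
  # of Vault. Please refer to the documentation for more information.
  updatePartition: 0
  # config is a raw string of Vault server configuration (HCL) for the HA
  # StatefulSet. The default stores data in Consul, reached through the agent
  # on the node (HOST_IP), and listens on every pod interface.
  # (NOTE(review): the earlier wording said this applied only with a replica
  # count of 1; that looks copied from the single-server block -- confirm how
  # the templates use it for the HA set.)
  #
  # SECURITY: the defaults below are for local experimentation only.
  # - The listener has TLS disabled, so tokens, secrets and unseal/recovery
  #   keys cross the network in cleartext. Set tls_disable = 0 and supply
  #   tls_cert_file / tls_key_file (e.g. from a Secret mounted through
  #   extraVolumes) before exposing this to anyone.
  # - The Consul connection sets neither a `token` nor `scheme = "https"`,
  #   so it is unauthenticated and unencrypted. Vault encrypts what it stores,
  #   but anyone who can reach the agent can read, corrupt or delete the
  #   backend and take the cluster down. Configure Consul ACLs/TLS for it.
  config: |
    # NOTE(review): this enables the web UI regardless of the ui.enabled value
    # further down this file -- confirm which one the templates treat as
    # authoritative.
    ui = true
    listener "tcp" {
      # WARNING: cleartext API. See the SECURITY note on the config key above.
      tls_disable = 1
      address = "0.0.0.0:8200"
      cluster_address = "POD_IP:8201"
    }
    storage "consul" {
      # WARNING: no token and no TLS to Consul. See the SECURITY note above.
      path = "vault"
      address = "HOST_IP:8500"
    }
    # Auto-unseal with GCP Cloud KMS. The key ring and crypto key must already
    # exist, and the pods must run with a service account that is authorized
    # to encrypt and decrypt with that key -- without that access Vault cannot
    # unseal. The project/key names below belong to a development environment;
    # they are placeholders to be replaced, not something to deploy against.
    seal "gcpckms" {
      project = "vault-helm-dev"
      region = "global"
      key_ring = "vault-helm"
      crypto_key = "vault-init"
    }
  # extraVolumes is a list of extra volumes to mount. These will be exposed
  # to Vault in the path `/vault/userconfig/<name>/`. The value below is
  # an array of objects, examples are shown below. Mounting a Secret here is
  # the intended way to get TLS material (and any other sensitive config)
  # into the pod without putting it in this file.
  extraVolumes: []
  # - type: secret (or "configMap")
  #   name: my-secret
  #   load: false # if true, will add to `-config` to load by Vault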
# DNS configuration within the Kubernetes cluster.
# This creates a service that routes to all agents (client or server)
# for serving DNS requests. This DOES NOT automatically configure kube-dns
# today, so you must still manually configure a `stubDomain` with kube-dns
# for this to have any effect:
# https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configure-stub-domain-and-upstream-dns-servers
# TODO: verify for vault (don't think it's needed)
# NOTE(review): nothing else in this file refers to DNS, and Vault does not
# serve DNS; this stanza reads as carried over from another chart. If it is
# unused, drop it rather than ship a half-wired toggle.
dns:
  # "-" defers to global.enabled, as for the other components.
  enabled: "-"
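ui:
  # True if you want to enable the Vault UI. The UI will run only
  # on the server nodes. This makes UI access via the service below (if
  # enabled) predictable rather than "any node" if you're running Vault
  # clients as well.
  #
  # This value is used for both Single Server and HA mode setups.
  # NOTE(review): the default server configs above also set `ui = true` in
  # the Vault HCL; confirm which of the two the templates treat as
  # authoritative, otherwise this false is misleading.
  enabled: false
  # True if you want to create a Service entry for the Vault UI.
  #
  # type controls the kind of Service created. The default, ClusterIP, keeps
  # the UI (and the API behind it) reachable only from inside the cluster;
  # use port-forward, or an Ingress/proxy that handles TLS and authentication,
  # to get to it. Setting this to "LoadBalancer" creates an external load
  # balancer (for supported K8S installations) with a publicly reachable
  # address on most cloud providers. With the default listener above that
  # means an unauthenticated, cleartext Vault API on the internet -- only
  # choose it deliberately, with TLS enabled and network access restricted.
  service:
    enabled: true
    type: ClusterIP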
# Run Vault in "dev" mode. This requires no further setup, no state management,
# and no initialization. This is useful for experimenting with Vault without
# needing to unseal, store keys, et. al. All data is lost on restart - do not
# use dev mode for anything other than experimenting.
# See https://www.vaultproject.io/docs/concepts/dev-server.html to know more
dev:
enabled: false
image: null