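---
# REF HCP: https://developer.hashicorp.com/vault/docs/platform/k8s/helm/configuration
# REF VAL: https://github.com/hashicorp/vault-helm/blob/main/values.yaml
# REF PLT: https://repo1.dso.mil/big-bang/product/packages/vault/-/blob/main/chart/values.yaml
# ---------------------------------------------------------------------------------------------------------
global:
  enabled: true
  namespace: "vault"
  # With tlsDisable the Vault API (tokens, secrets, unseal material) is served over
  # plain HTTP inside the cluster. Keep this only for lab use or behind a mesh that
  # supplies mTLS, and keep it in step with the listener's tls_disable value below.
  tlsDisable: true  # Default: true
  imagePullSecrets:
    - name: private-registry

server:
  enabled: "-"
  image:
    repository: "hashicorp/vault"
    tag: "1.19.0"
    pullPolicy: IfNotPresent
  updateStrategyType: "OnDelete"  # "RollingUpdate"
  resources:
    requests:
      memory: 256Mi
      cpu: 250m
    limits:
      memory: 256Mi
      cpu: 250m
  # authDelegator enables a cluster role binding to be attached to the service
  # account. This cluster role binding can be used to setup Kubernetes auth
  # method. See https://developer.hashicorp.com/vault/docs/auth/kubernetes
  authDelegator:
    enabled: true
  # Used to define custom readinessProbe settings
  # readinessProbe:
  #   enabled: true
  #   # If you need to use a http path instead of the default exec
  #   # path: /v1/sys/health?standbyok=true
  #   # Port number on which readinessProbe will be checked.
  #   port: 8200
  #   # When a probe fails, Kubernetes will try failureThreshold times before giving up
  #   failureThreshold: 2
  #   # Number of seconds after the container has started before probe initiates
  #   initialDelaySeconds: 5
  #   # How often (in seconds) to perform the probe
  #   periodSeconds: 5
  #   # Minimum consecutive successes for the probe to be considered successful after having failed
  #   successThreshold: 1
  #   # Number of seconds after which the probe times out.
  #   timeoutSeconds: 3
  # # Used to enable a livenessProbe for the pods
  # livenessProbe:
  #   enabled: false
  #   # Used to define a liveness exec command. If provided, exec is preferred to httpGet (path) as the livenessProbe handler.
  #   execCommand: []
  #   # - /bin/sh
  #   # - -c
  #   # - /vault/userconfig/mylivenessscript/run.sh
  #   # Path for the livenessProbe to use httpGet as the livenessProbe handler
  #   path: "/v1/sys/health?standbyok=true"
  #   # Port number on which livenessProbe will be checked if httpGet is used as the livenessProbe handler
  #   port: 8200
  #   # When a probe fails, Kubernetes will try failureThreshold times before giving up
  #   failureThreshold: 2
  #   # Number of seconds after the container has started before probe initiates
  #   initialDelaySeconds: 60
  #   # How often (in seconds) to perform the probe
  #   periodSeconds: 5
  #   # Minimum consecutive successes for the probe to be considered successful after having failed
  #   successThreshold: 1
  #   # Number of seconds after which the probe times out.
  #   timeoutSeconds: 3
  ha:
    enabled: true  # Default: false
    replicas: 3
    raft:  # FIXME: raft.config
      enabled: true
      # NOTE: this stanza carries no seal block, so the raft cluster depends on
      # manual (Shamir) unseal after every pod restart; the awskms seal is only
      # declared in ha.config below. The retry_join targets use http:// to match
      # tls_disable = 1 — both must change together if TLS is turned on.
      config: |
        ui = true
        listener "tcp" {
          tls_disable = 1
          address = "0.0.0.0:8200"
          cluster_address = "0.0.0.0:8201"
          # Enable unauthenticated metrics access (necessary for Prometheus Operator)
          #telemetry {
          #  unauthenticated_metrics_access = "true"
          #}
        }
        storage "raft" {
          path = "/vault/data"
          retry_join {
            leader_api_addr = "http://vault-0.vault-internal:8200"
          }
          retry_join {
            leader_api_addr = "http://vault-1.vault-internal:8200"
          }
          retry_join {
            leader_api_addr = "http://vault-2.vault-internal:8200"
          }
        }
        service_registration "kubernetes" {}
    # FIXME: ha.config: kms_key_id
    # NOTE(review): in upstream vault-helm the chart renders ha.raft.config when
    # ha.raft.enabled is true, so this ha.config block is expected to be unused —
    # confirm before relying on the seal stanza here. storage "file" is a
    # single-node backend and is not an HA backend in any case.
    config: |
      ui = true
      # listener "tcp" {
      #   address = "0.0.0.0:8200"
      #   tls_disable = 0
      # }
      listener "tcp" {
        tls_disable = 1
        address = "[::]:8200"
        cluster_address = "[::]:8201"
      }
      storage "file" {
        path = "/vault/data"
      }
      seal "awskms" {
        region = "us-east-1"  # Change this to your AWS region
        kms_key_id = "your-kms-key-id"
      }
      # NOTE(review): $(POD_IP) is Kubernetes env-var expansion syntax and is not
      # expanded inside an HCL file; the chart appears to export VAULT_API_ADDR and
      # VAULT_CLUSTER_ADDR as container env vars instead — confirm before keeping these.
      api_addr = "http://$(POD_IP):8200"  # FIXME: research these
      cluster_addr = "https://$(POD_IP):8201"  # FIXME
    disruptionBudget:
      enabled: true
      maxUnavailable: 1  # assuming 3 replicas
  # secrets-store-csi-driver-provider-vault; Default: false
  # The seal key id and role ARN below are account-specific identifiers; supply them
  # from a non-committed override values file rather than this shared file.
  # extraEnvironmentVars:
  #   AWS_REGION: "us-east-1"
  #   VAULT_AWSKMS_SEAL_KEY_ID: "f430f743-a9b2-4666-bbb8-4ab966d20e2d"
  #   VAULT_AWSKMS_SEAL_ROLE_ARN: "arn:aws:iam::325262445929:role/vault-iam-role"
  # Merged from two duplicate server.ingress keys (the earlier one set enabled: false);
  # YAML parsers either reject duplicates or silently keep the last value, so only one
  # key is kept. With global.tlsDisable the ingress must at least terminate TLS itself
  # and restrict hosts, or the API is reachable in cleartext from outside the cluster.
  ingress:
    enabled: true  # Set to true if using an ingress controller
    # annotations: {}
    # hosts: []
    # tls: []

# Vault UI
ui:
  enabled: true
  # publishNotReadyAddresses: true
  # activeVaultPodOnly: false
  # serviceType: "ClusterIP"
  # serviceNodePort: null
  # externalPort: 8200
  # targetPort: 8200

# ----------------------------------------------------------------------------------------------------------------------
# Vault Agent Injector - TEMP CONFIG UNTIL VSO IS ENABLED
# POST VSO: DELETE THIS SECTION TO THE BOTTOM
# REF HCP: https://developer.hashicorp.com/vault/docs/platform/k8s/helm/configuration
injector:
  # True if you want to enable vault agent injection.
  # @default: global.enabled
  enabled: "-"
  replicas: 1  # FIXME
  # Configures the port the injector should listen on
  port: 8080
  # If multiple replicas are specified, by default a leader will be determined
  # so that only one injector attempts to create TLS certificates.
  leaderElector:
    enabled: true
  # If true, will enable a node exporter metrics endpoint at /metrics.
  metrics:
    enabled: false
  # Deprecated: Please use global.externalVaultAddr instead.
  externalVaultAddr: ""
  # image sets the repo and tag of the vault-k8s image to use for the injector.
  image:
    repository: "hashicorp/vault-k8s"
    tag: "1.6.2"
    pullPolicy: IfNotPresent
  # agentImage sets the repo and tag of the Vault image to use for the Vault Agent
  # containers. This should be set to the official Vault image. Vault 1.3.1+ is
  # required.
  agentImage:
    repository: "hashicorp/vault"
    tag: "1.19.0"
  # The default values for the injected Vault Agent containers.
  agentDefaults:
    # For more information on configuring resources, see the K8s documentation:
    # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
    cpuLimit: "500m"
    cpuRequest: "250m"
    memLimit: "128Mi"
    memRequest: "64Mi"
    # ephemeralLimit: "128Mi"
    # ephemeralRequest: "64Mi"
    # Default template type for secrets when no custom template is specified.
    # Possible values include: "json" and "map".
    template: "map"
    # Default values within Agent's template_config stanza.
    templateConfig:
      exitOnRetryFailure: true
      staticSecretRenderInterval: ""
  # Used to define custom livenessProbe settings
  livenessProbe:
    # When a probe fails, Kubernetes will try failureThreshold times before giving up
    failureThreshold: 2
    # Number of seconds after the container has started before probe initiates
    initialDelaySeconds: 5
    # How often (in seconds) to perform the probe
    periodSeconds: 2
    # Minimum consecutive successes for the probe to be considered successful after having failed
    successThreshold: 1
    # Number of seconds after which the probe times out.
    timeoutSeconds: 5
  # Used to define custom readinessProbe settings
  readinessProbe:
    # When a probe fails, Kubernetes will try failureThreshold times before giving up
    failureThreshold: 2
    # Number of seconds after the container has started before probe initiates
    initialDelaySeconds: 5
    # How often (in seconds) to perform the probe
    periodSeconds: 2
    # Minimum consecutive successes for the probe to be considered successful after having failed
    successThreshold: 1
    # Number of seconds after which the probe times out.
    timeoutSeconds: 5
  # Used to define custom startupProbe settings
  startupProbe:
    # When a probe fails, Kubernetes will try failureThreshold times before giving up
    failureThreshold: 12
    # Number of seconds after the container has started before probe initiates
    initialDelaySeconds: 5
    # How often (in seconds) to perform the probe
    periodSeconds: 5
    # Minimum consecutive successes for the probe to be considered successful after having failed
    successThreshold: 1
    # Number of seconds after which the probe times out.
    timeoutSeconds: 5
  # Mount Path of the Vault Kubernetes Auth Method.
  authPath: "auth/kubernetes"
  # Configures the log verbosity of the injector.
  # Supported log levels include: trace, debug, info, warn, error
  logLevel: "info"
  # Configures the log format of the injector. Supported log formats: "standard", "json".
  logFormat: "standard"
  # Configures all Vault Agent sidecars to revoke their token when shutting down
  revokeOnShutdown: false
  webhook:
    # Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the
    # API Version of the WebHook.
    # To block pod creation while the webhook is unavailable, set the policy to `Fail` below.
    # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy
    #
    # Ignore is fail-open: pods created while the injector is down are admitted
    # without a sidecar and will start without their secrets.
    failurePolicy: Ignore
    # matchPolicy specifies the approach to accepting changes based on the rules of
    # the MutatingWebhookConfiguration.
    # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy
    # for more details.
    #
    matchPolicy: Exact
    # timeoutSeconds is the amount of seconds before the webhook request will be ignored
    # or fails.
    # If it is ignored or fails depends on the failurePolicy
    # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#timeouts
    # for more details.
    #
    timeoutSeconds: 30
    # namespaceSelector is the selector for restricting the webhook to only
    # specific namespaces.
    # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
    # for more details.
    # Example:
    # namespaceSelector:
    #   matchLabels:
    #     sidecar-injector: enabled
    namespaceSelector: {}
    # objectSelector is the selector for restricting the webhook to only
    # specific labels.
    # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector
    # for more details.
    # Example:
    # objectSelector:
    #   matchLabels:
    #     vault-sidecar-injector: enabled
    objectSelector: |
      matchExpressions:
      - key: app.kubernetes.io/name
        operator: NotIn
        values:
        - {{ template "vault.name" . }}-agent-injector
    # Extra annotations to attach to the webhook
    annotations: {}
  # Deprecated: please use 'webhook.failurePolicy' instead
  # Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the
  # API Version of the WebHook.
  # To block pod creation while webhook is unavailable, set the policy to `Fail` below.
  # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy
  #
  failurePolicy: Ignore
  # Deprecated: please use 'webhook.namespaceSelector' instead
  # namespaceSelector is the selector for restricting the webhook to only
  # specific namespaces.
  # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
  # for more details.
  # Example:
  # namespaceSelector:
  #   matchLabels:
  #     sidecar-injector: enabled
  namespaceSelector: {}
  # Deprecated: please use 'webhook.objectSelector' instead
  # objectSelector is the selector for restricting the webhook to only
  # specific labels.
  # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector
  # for more details.
  # Example:
  # objectSelector:
  #   matchLabels:
  #     vault-sidecar-injector: enabled
  objectSelector: {}
  # Deprecated: please use 'webhook.annotations' instead
  # Extra annotations to attach to the webhook
  webhookAnnotations: {}
  certs:
    # secretName is the name of the secret that has the TLS certificate and
    # private key to serve the injector webhook. If this is null, then the
    # injector will default to its automatic management mode that will assign
    # a service account to the injector to generate its own certificates.
    secretName: null
    # caBundle is a base64-encoded PEM-encoded certificate bundle for the CA
    # that signed the TLS certificate that the webhook serves. This must be set
    # if secretName is non-null unless an external service like cert-manager is
    # keeping the caBundle updated.
    caBundle: ""
    # certName and keyName are the names of the files within the secret for
    # the TLS cert and private key, respectively. These have reasonable
    # defaults but can be customized if necessary.
    certName: tls.crt
    keyName: tls.key
  # Security context for the pod template and the injector container
  # The default pod securityContext is:
  #   runAsNonRoot: true
  #   runAsGroup: {{ .Values.injector.gid | default 1000 }}
  #   runAsUser: {{ .Values.injector.uid | default 100 }}
  #   fsGroup: {{ .Values.injector.gid | default 1000 }}
  # and for container is
  #   allowPrivilegeEscalation: false
  #   capabilities:
  #     drop:
  #       - ALL
  securityContext:
    pod: {}
    container: {}
  resources: {}
  # resources:
  #   requests:
  #     memory: 256Mi
  #     cpu: 250m
  #   limits:
  #     memory: 256Mi
  #     cpu: 250m
  # extraEnvironmentVars is a list of extra environment variables to set in the
  # injector deployment.
  extraEnvironmentVars: {}
  # KUBERNETES_SERVICE_HOST: kubernetes.default.svc
  # Affinity Settings for injector pods
  # This can either be a multi-line string or YAML matching the PodSpec's affinity field.
  # Commenting out or setting as empty the affinity variable, will allow
  # deployment of multiple replicas to single node services such as Minikube.
  affinity: |
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchLabels:
              app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
              app.kubernetes.io/instance: "{{ .Release.Name }}"
              component: webhook
          topologyKey: kubernetes.io/hostname
  # Topology settings for injector pods
  # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
  # This should be either a multi-line string or YAML matching the topologySpreadConstraints array
  # in a PodSpec.
  topologySpreadConstraints: []
  # Toleration Settings for injector pods
  # This should be either a multi-line string or YAML matching the Toleration array
  # in a PodSpec.
  tolerations: []
  # nodeSelector labels for server pod assignment, formatted as a multi-line string or YAML map.
  # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
  # Example:
  # nodeSelector:
  #   beta.kubernetes.io/arch: amd64
  nodeSelector: {}
  # Priority class for injector pods
  priorityClassName: ""
  # Extra annotations to attach to the injector pods
  # This can either be YAML or a YAML-formatted multi-line templated string map
  # of the annotations to apply to the injector pods
  annotations: {}
  # Extra labels to attach to the agent-injector
  # This should be a YAML map of the labels to apply to the injector
  extraLabels: {}
  # Should the injector pods run on the host network (useful when using
  # an alternate CNI in EKS)
  hostNetwork: false
  # Injector service specific config
  service:
    # Extra annotations to attach to the injector service
    annotations: {}
  # Injector serviceAccount specific config
  serviceAccount:
    # Extra annotations to attach to the injector serviceAccount
    annotations: {}
  # A disruption budget limits the number of pods of a replicated application
  # that are down simultaneously from voluntary disruptions
  podDisruptionBudget: {}
  # podDisruptionBudget:
  #   maxUnavailable: 1
  # strategy for updating the deployment. This can be a multi-line string or a
  # YAML map.
  strategy: {}
  # strategy: |
  #   rollingUpdate:
  #     maxSurge: 25%
  #     maxUnavailable: 25%
  #   type: RollingUpdate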