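---
# ============================
# Configurations for the vault
# ============================

# The type of secrets "vault" to use.
#
# Vaults
# ------
# The following table lists the supported "vault" types:
#
# | Type        | Description          | Current Status | Required Fields                                     |
# | ----------- | -------------------- | -------------- | --------------------------------------------------- |
# | `hashicorp` | Uses Hashicorp Vault | Implemented    | `vaultName` (if `create.enabled` is not true)       |
# | `azure`     | Uses Azure Key Vault | Implemented    | `vaultName`, `clientId`, `clientSecret`, `tenantId` |
#
# NOTE(review): the table spells the Azure fields `clientId`/`tenantId`, while
# the keys below are `clientID`/`tenantID`; confirm which spelling the chart's
# templates actually read before relying on either.
type: 'hashicorp'

# The name of the vault instance to connect to.
#
# This is relevant if `type` is set to `hashicorp` or `azure`.
# Note: if `create.enabled` is true this is ignored.
#
# For `hashicorp`, this is generally the hostname of the Hashicorp Vault instance to connect to.
# For `azure`, this is the name of the Azure Key Vault instance to connect to.
#vaultName: ''

# The port of the vault instance to connect to.
#
# ONLY RELEVANT IF `type` IS SET TO `hashicorp` AND `create.enabled` IS NOT TRUE
#vaultPort: 8200

# The client ID of the Azure Key Vault instance.
#
# ONLY RELEVANT IF `type` IS SET TO `azure`
#clientID: ""

# The client secret of the Azure Key Vault instance.
#
# ONLY RELEVANT IF `type` IS SET TO `azure`
#
# This is a credential: do not commit a real value in this file. Supply it at
# install time (for example from a values file kept out of version control),
# and keep it quoted so a secret that happens to look like a number or a
# boolean is not retyped by the YAML parser.
#clientSecret: ""

# The tenant ID of the Azure Key Vault instance.
#
# ONLY RELEVANT IF `type` IS SET TO `azure`
#tenantID: ""

# Configurations to create a Hashicorp Vault instance as part of the Helm chart.
#
# THIS IS ONLY RELEVANT IF `type` IS SET TO `hashicorp`
#
# NOTE(review): the nesting of the keys under `create` was reconstructed from a
# source whose indentation had been lost; confirm it against the chart's
# templates (in particular whether `appRole`, `roleVarsPVC` and `vaultData`
# belong here or at the top level).
create:
  # If a Hashicorp Vault instance should be created as part of the Helm chart.
  enabled: true

  # Configurations for the image to use if creating the Hashicorp Vault instance
  # as part of the Helm chart.
  image:
    # The repository of the image to use.
    # NOTE(review): the leading `/` suggests a registry host is prepended by the
    # templates or was lost — confirm.
    repository: /ba-custom-hashicorp-vault
    # The tag of the image to use.
    # `latest` is a mutable tag: the image that is pulled can change between
    # deployments without any change to this file. Pin a specific tag (or a
    # digest) for reproducible, auditable deployments.
    tag: latest

  # Configurations for the ingress of the created Hashicorp Vault instance.
  ingress:
    # If an ingress should be created for the created Hashicorp Vault instance.
    enabled: true
    # The host of the ingress for the created Hashicorp Vault instance.
    # NOTE(review): the trailing `.` suggests a domain suffix is appended by the
    # templates or was lost — confirm.
    host: vault.

  # As part of the custom Hashicorp Vault image it includes a "snapshot server".
  # This allows for the triggering and receiving of manual backups ("snapshots")
  # and restoration via HTTP.
  snapshotServer:
    # If the snapshot server should be enabled/running.
    enabled: true
    # The external port that is opened via the service resource.
    # This endpoint can trigger a restore of the Vault's data, so restrict
    # network access to this port to the backup tooling that needs it and
    # confirm what authentication the snapshot server requires.
    externalPort: 81
    # The internal port that the snapshot server listens on.
    internalPort: 8300

  # Configurations for the `vault-creds` Persistent Volume Claim (PVC).
  # The `vault-creds` PVC is used for the credentials used by the snapshot
  # server to authenticate with Vault.
  vaultCredsPVC:
    # The storage class to use for the PVC.
    storageClassName: vault-role-vars-rook-cephfs
    # The size of the PVC.
    size: 512Mi

  # Configurations for the AppRole authentication method for the created Vault instance.
  appRole:
    # The name of the environment variable/secret that contains the Role ID for the app.
    roleIDSecretName: VAULT_ROLE_ID
    # The name of the environment variable/secret that contains the Secret ID for the app.
    secretIDSecretName: VAULT_SECRET_ID

  # Configurations for the `role-vars` Persistent Volume Claim (PVC).
  # The `role-vars` PVC is used for the app's AppRole auth access variables
  # (role & secret IDs etc.).
  roleVarsPVC:
    # The app and the Vault run in separate pods, so the PVC must be a RWX
    # (ReadWriteMany) volume that both can mount. This requires a storage class
    # that supports RWX (a custom-created CephFS-backed storage class).
    storageClassName: vault-role-vars-rook-cephfs
    # The size of the PVC (because this largely holds just credentials, a small
    # size is sufficient).
    size: 512Mi

  # Configurations for the `vault-data` Persistent Volume Claim (PVC).
  # The `vault-data` PVC is used for the Vault's data storage.
  # In particular, a PVC allows data persistence across pod restarts.
  vaultData:
    # The storage class to use for the PVC.
    # There are no special requirements here, so a standard RWO type volume is
    # enough, which means the default storage class (Rook Ceph Block) is sufficient.
    storageClassName: rook-ceph-block
    # The access modes for the PVC (shouldn't ever really need to be changed).
    accessModes:
      - ReadWriteOnce
    # The size of the PVC (this should be sized according to expected usage).
    size: 2Gi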