custom-hashicorp-vault-helm/values.yaml

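---
# ============================
# Configurations for the vault
# ============================
# NOTE(review): this listing had lost its indentation; the nesting below is
# reconstructed from the comments (the `vault-creds` PVC is placed under
# `snapshotServer`, the `role-vars` PVC under `appRole`). Confirm it against
# the chart's templates before relying on it.

# The type of secrets "vault" to use.
#
# Vaults
# ------
# The following table lists the supported "vault" types:
#
# | Type        | Description          | Current Status | Required Fields                                     |
# | ----------- | -------------------- | -------------- | --------------------------------------------------- |
# | `hashicorp` | Uses Hashicorp Vault | Implemented    | `vaultName` (if `create.enabled` is not true)       |
# | `azure`     | Uses Azure Key Vault | Implemented    | `vaultName`, `clientID`, `clientSecret`, `tenantID` |
#
# NOTE(review): the key spellings in the table were aligned to the keys below
# (`clientID`, `tenantID`); confirm the templates read the same spelling.
type: 'hashicorp'

# The name of the vault instance to connect to
#
# This is relevant if `type` is set to `hashicorp` or `azure`
# Note, if `create.enabled` is true this is ignored
#
# For `hashicorp`, this is generally the hostname of the Hashicorp Vault instance to connect to
# For `azure`, this is the name of the Azure Key Vault instance to connect to
#vaultName: ''

# The port of the vault instance to connect to
#
# ONLY RELEVANT IF `type` IS SET TO `hashicorp` AND `create.enabled` IS NOT TRUE
#vaultPort: 8200

# The client ID of the Azure Key Vault instance
#
# ONLY RELEVANT IF `type` IS SET TO `azure`
#clientID: ''

# The client secret of the Azure Key Vault instance
#
# ONLY RELEVANT IF `type` IS SET TO `azure`
#
# This is a credential: leave it unset in any committed values file and supply
# it at install time (a separate, untracked values file or `--set`) instead.
#clientSecret: ''

# The tenant ID of the Azure Key Vault instance
#
# ONLY RELEVANT IF `type` IS SET TO `azure`
#tenantID: ''

# Configurations to create a Hashicorp Vault instance as part of the Helm chart
#
# THIS IS ONLY RELEVANT IF `type` IS SET TO `hashicorp`
create:
  # If a Hashicorp Vault instance should be created as part of the Helm chart
  enabled: true

  # Configurations for the image to use if creating the Hashicorp Vault instance
  # as part of the Helm chart
  image:
    # The repository of the image to use
    repository: <redacted-private-repo>/ba-custom-hashicorp-vault
    # The tag of the image to use
    #
    # `latest` is a mutable tag, so two installs can pull different images;
    # pin a specific tag (or a digest) for reproducible deployments.
    tag: latest

  # Configurations for the ingress of the created Hashicorp Vault instance
  ingress:
    # If an ingress should be created for the created Hashicorp Vault instance
    enabled: true
    # The host of the ingress for the created Hashicorp Vault instance
    host: vault.<redacted-private-hostname>

  # As part of the custom Hashicorp Vault image it includes a "snapshot server"
  # This allows for the triggering and receiving of manual backups ("snapshots") and restoration via HTTP
  #
  # Because the snapshot endpoints can hand out and restore the Vault's data, the
  # Service port below should not be reachable from outside the cluster unless
  # the snapshot server authenticates its callers (nothing in this file configures that).
  snapshotServer:
    # If the snapshot server should be enabled/running
    enabled: true
    # The external port that is opened via the service resource
    externalPort: 81
    # The internal port that the snapshot server listens on
    internalPort: 8300

    # Configurations for the `vault-creds` Persistent Volume Claim (PVC).
    # The `vault-creds` PVC is used for the credentials used by the snapshot server to authenticate with Vault
    vaultCredsPVC:
      # The storage class to use for the PVC
      storageClassName: vault-role-vars-rook-cephfs
      # The size of the PVC
      size: 512Mi

  # Configurations for the AppRole authentication method for the created Vault instance
  appRole:
    # The name of the environment variable/secret that contains the Role ID for the app
    roleIDSecretName: VAULT_ROLE_ID
    # The name of the environment variable/secret that contains the Secret ID for the app
    secretIDSecretName: VAULT_SECRET_ID

    # Configurations for the `role-vars` Persistent Volume Claim (PVC).
    # The `role-vars` PVC is used for the app's AppRole auth access variables (role & secret IDs etc...)
    roleVarsPVC:
      # The PVC needs to be a RWX type volume so that multiple pods can access it,
      # because the app and the vault are separate pods.
      # We therefore need a storage class that supports RWX (custom-created CephFS backed storage class)
      storageClassName: vault-role-vars-rook-cephfs
      # The size of the PVC (note because this is largely just credentials a small size is sufficient)
      size: 512Mi

  # Configurations for the `vault-data` Persistent Volume Claim (PVC).
  # The `vault-data` PVC is used for the Vault's data storage.
  # In particular, a PVC allows data persistence across pod restarts.
  vaultData:
    # The storage class to use for the PVC
    # Note, because there are no special requirements here we can use a standard RWO type volume
    # Which means the default storage class (Rook Ceph Block) is sufficient
    storageClassName: rook-ceph-block
    # The access modes for the PVC (shouldn't ever really need to be changed)
    accessModes:
      - ReadWriteOnce
    # The size of the PVC (Note, this should be sized according to expected usage)
    size: 2Gi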