custom-hashicorp-vault-helm/values.yaml

# ============================
# Configurations for the vault
# ============================

# The type of secrets "vault" to use.
# 
# The only appropriate value here is `hashicorp` at present.
#
# This is left here so that if in the future there is distinction between different Hashicorp Vault types this can be extended.
# Also, downstream charts may use this to determine which type of vault (outside Hashicorp Vault) to connect to.
# 
type: 'hashicorp'

# The name of the vault instance to connect to
# 
# Note, if `create` is true this is ignored
# 
# This is generally the hostname of the Hashicorp Vault instance to connect to
#vaultName: ''

# The port of the vault instance to connect to
# 
# ONLY RELEVANT iF `create` IS NOT TRUE
#vaultPort: 8200
  
# Configurations to create a Hashicorp Vault instance as part of the Helm chart
# 
# THIS IS ONLY RELEVANT IF `type` IS SET TO `hashicorp`
create:
  # If a Hashicorp Vault instance should be created as part of the Helm chart
  enabled: true

  # Configurations for the image to use if creating the Hashicorp Vault instance
  # as part of the Helm chart
  image:
    # The repository of the image to use
    repository: <redacted-private-repo>/ba-custom-hashicorp-vault 

    # The tag of the image to use
    tag: latest
    
  # Configurations for the ingress of the created Hashicorp Vault instance
  ingress:
    # If an ingress should be created for the created Hashicorp Vault instance
    enabled: true

    # The host of the ingress for the created Hashicorp Vault instance
    host: vault.<redacted-private-hostname>
    
  # As part of the custom Hashicorp Vault image it includes a "snapshot server"
  # This allows for the triggering and receiving of manual backups ("snapshots") and restoration via HTTP
  snapshotServer:
    # If the snapshot server should be enabled/running
    enabled: true

    # The external port that is opened via the service resource
    externalPort: 81

    # The internal port that the snapshot server listens on
    internalPort: 8300

    # Configurations for the `vault-creds` Persistent Volume Claim (PVC).
    # The `vault-creds` PVC is used for the credentials used by the snapshot server to authenticate with Vault
    vaultCredsPVC:
      storageClassName: vault-role-vars-rook-cephfs
      size: 512Mi
  
  # Configurations for the AppRole authentication method for the created Vault instance
  appRole:
    # The name of the environment variable/secret that contains the Role ID for the app
    roleIDSecretName: VAULT_ROLE_ID

    # The name of the environment variable/secret that contains the Secret ID for the app
    secretIDSecretName: VAULT_SECRET_ID

  # Configurations for the `role-vars` Persistent Volume Claim (PVC). 
  # The `role-vars` PVC is used for the app's AppRole auth access variables (role & secret IDs etc...)
  roleVarsPVC:
    # Because the PVC needs to be a RWX type volume (so that multiple pods can access it) 
    # Because the app and the vault are separate pods. 
    # We need to use a storage class that supports RWX (Custom create CephFS backed storage class)
    storageClassName: vault-role-vars-rook-cephfs
    
    # The size of the PVC (note because this is largely just credentials a small size is sufficient)
    size: 512Mi
  
  # Configurations for the `vault-data` Persistent Volume Claim (PVC).
  # The `vault-data` PVC is used for the Vault's data storage.
  # In particular, a PVC allows data persistence across pod restarts.
  vaultData:
    # The storage class to use for the PVC 
    # Note, because there are no special requirements here we can use a standard RWO type volume
    # Which means the default storage class (Rook Ceph Block) is sufficient
    storageClassName: rook-ceph-block
    
    # The access modes for the PVC (shouldn't ever really need to be changed)
    accessModes:
      - ReadWriteOnce
    
    # The size of the PVC (Note, this should be sized according to expected usage)
    size: 2Gi