away168/vault.yml

## vault.yml


---
# Source: vault/templates/injector-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: spinnaker-vault-agent-injector
  namespace: vault
  labels:
    app.kubernetes.io/name: vault-agent-injector
    app.kubernetes.io/instance: spinnaker
    app.kubernetes.io/managed-by: Helm
---
# Source: vault/templates/server-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: spinnaker-vault
  namespace: vault
  labels:
    helm.sh/chart: vault-0.4.0
    app.kubernetes.io/name: vault
    app.kubernetes.io/instance: spinnaker
    app.kubernetes.io/managed-by: Helm
---
# Source: vault/templates/server-config-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: spinnaker-vault-config
  namespace: vault
  labels:
    helm.sh/chart: vault-0.4.0
    app.kubernetes.io/name: vault
    app.kubernetes.io/instance: spinnaker
    app.kubernetes.io/managed-by: Helm
data:
  extraconfig-from-values.hcl: |-
    disable_mlock = true
    ui = true

    # original listener
    #listener "tcp" {
    #  tls_disable = 1
    #  address = "[::]:8200"
    #  cluster_address = "[::]:8201"
    #}
    # listener with TLS enabled
    listener "tcp" {
      address = "[::]:8200"
      cluster_address = "[::]:8201"
      tls_cert_file = "/vault/certs/tls.crt"
      tls_key_file = "/vault/certs/tls.key"
    }
    storage "file" {
      path = "/vault/data"
    }

    # Example configuration for using auto-unseal, using Google Cloud KMS. The
    # GKMS keys must already exist, and the cluster must have a service account
    # that is authorized to access GCP KMS.
    #seal "gcpckms" {
    #   project     = "vault-helm-dev"
    #   region      = "global"
    #   key_ring    = "vault-helm-unseal-kr"
    #   crypto_key  = "vault-helm-unseal-key"
    #}
---
# Source: vault/templates/injector-clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: spinnaker-vault-agent-injector-clusterrole
  labels:
    app.kubernetes.io/name: vault-agent-injector
    app.kubernetes.io/instance: spinnaker
    app.kubernetes.io/managed-by: Helm
rules:
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["mutatingwebhookconfigurations"]
  verbs:
    - "get"
    - "list"
    - "watch"
    - "patch"
---
# Source: vault/templates/injector-clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: spinnaker-vault-agent-injector-binding
  namespace: vault
  labels:
    app.kubernetes.io/name: vault-agent-injector
    app.kubernetes.io/instance: spinnaker
    app.kubernetes.io/managed-by: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: spinnaker-vault-agent-injector-clusterrole
subjects:
- kind: ServiceAccount
  name: spinnaker-vault-agent-injector
  namespace: vault
---
# Source: vault/templates/server-clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: spinnaker-vault-server-binding
  namespace: vault
  labels:
    helm.sh/chart: vault-0.4.0
    app.kubernetes.io/name: vault
    app.kubernetes.io/instance: spinnaker
    app.kubernetes.io/managed-by: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: spinnaker-vault
  namespace: vault
---
# Source: vault/templates/injector-service.yaml
apiVersion: v1
kind: Service
metadata:
  name: spinnaker-vault-agent-injector-svc
  namespace: vault
  labels:
    app.kubernetes.io/name: vault-agent-injector
    app.kubernetes.io/instance: spinnaker
    app.kubernetes.io/managed-by: Helm
spec:
  ports:
  - port: 443
    targetPort: 8080
  selector:
    app.kubernetes.io/name: vault-agent-injector
    app.kubernetes.io/instance: spinnaker
    component: webhook
---
# Source: vault/templates/server-service.yaml
# Service for Vault cluster
apiVersion: v1
kind: Service
metadata:
  name: spinnaker-vault
  namespace: vault
  labels:
    helm.sh/chart: vault-0.4.0
    app.kubernetes.io/name: vault
    app.kubernetes.io/instance: spinnaker
    app.kubernetes.io/managed-by: Helm
  annotations:
    # This must be set in addition to publishNotReadyAddresses due
    # to an open issue where it may not work:
    # https://github.com/kubernetes/kubernetes/issues/58662
    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
spec:
  # We want the servers to become available even if they're not ready
  # since this DNS is also used for join operations.
  publishNotReadyAddresses: true
  ports:
    - name: http
      port: 8200
      targetPort: 8200
    - name: internal
      port: 8201
      targetPort: 8201
  selector:
    app.kubernetes.io/name: vault
    app.kubernetes.io/instance: spinnaker
    component: server
---
# Source: vault/templates/injector-deployment.yaml
# Deployment for the injector
apiVersion: apps/v1
kind: Deployment
metadata:
  name: spinnaker-vault-agent-injector
  namespace: vault
  labels:
    app.kubernetes.io/name: vault-agent-injector
    app.kubernetes.io/instance: spinnaker
    app.kubernetes.io/managed-by: Helm
    component: webhook
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: vault-agent-injector
      app.kubernetes.io/instance: spinnaker
      component: webhook
  template:
    metadata:
      labels:
        app.kubernetes.io/name: vault-agent-injector
        app.kubernetes.io/instance: spinnaker
        component: webhook
    spec:
      serviceAccountName: "spinnaker-vault-agent-injector"
      securityContext:
        runAsNonRoot: true
        runAsGroup: 1000
        runAsUser: 100
      containers:
        - name: sidecar-injector

          image: "hashicorp/vault-k8s:0.2.0"
          imagePullPolicy: "IfNotPresent"
          env:
            - name: AGENT_INJECT_LISTEN
              value: ":8080"
            - name: AGENT_INJECT_LOG_LEVEL
              value: info
            - name: AGENT_INJECT_VAULT_ADDR
              value: https://spinnaker-vault.vault.svc:8200
            - name: AGENT_INJECT_VAULT_IMAGE
              value: "vault:1.3.2"
            - name: AGENT_INJECT_TLS_AUTO
              value: spinnaker-vault-agent-injector-cfg
            - name: AGENT_INJECT_TLS_AUTO_HOSTS
              value: spinnaker-vault-agent-injector-svc,spinnaker-vault-agent-injector-svc.vault,spinnaker-vault-agent-injector-svc.vault.svc
          args:
            - agent-inject
            - 2>&1
          livenessProbe:
            httpGet:
              path: /health/ready
              port: 8080
              scheme: HTTPS
            failureThreshold: 2
            initialDelaySeconds: 1
            periodSeconds: 2
            successThreshold: 1
            timeoutSeconds: 5
          readinessProbe:
            httpGet:
              path: /health/ready
              port: 8080
              scheme: HTTPS
            failureThreshold: 2
            initialDelaySeconds: 2
            periodSeconds: 2
            successThreshold: 1
            timeoutSeconds: 5
---
# Source: vault/templates/server-statefulset.yaml
# StatefulSet to run the actual vault server cluster.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: spinnaker-vault
  namespace: vault
  labels:
    app.kubernetes.io/name: vault
    app.kubernetes.io/instance: spinnaker
    app.kubernetes.io/managed-by: Helm
spec:
  serviceName: spinnaker-vault
  podManagementPolicy: Parallel
  replicas: 1
  updateStrategy:
    type: OnDelete
  selector:
    matchLabels:
      app.kubernetes.io/name: vault
      app.kubernetes.io/instance: spinnaker
      component: server
  template:
    metadata:
      labels:
        helm.sh/chart: vault-0.4.0
        app.kubernetes.io/name: vault
        app.kubernetes.io/instance: spinnaker
        component: server
    spec:
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  app.kubernetes.io/name: vault
                  app.kubernetes.io/instance: "spinnaker"
                  component: server
              topologyKey: kubernetes.io/hostname
      terminationGracePeriodSeconds: 10
      serviceAccountName: spinnaker-vault

      securityContext:
        runAsNonRoot: true
        runAsGroup: 1000
        runAsUser: 100
        fsGroup: 1000
      volumes:

        - name: config
          configMap:
            name: spinnaker-vault-config
        # for vault cert / tls
        - name: certs
          secret:
            secretName: vault-tls

      containers:
        - name: vault

          securityContext:
            capabilities:
              add: ["IPC_LOCK"]
          image: vault:1.3.2
          imagePullPolicy: IfNotPresent
          command:
          - "/bin/sh"
          - "-ec"

          args:
          - |
            sed -E "s/HOST_IP/${HOST_IP?}/g" /vault/config/extraconfig-from-values.hcl > /tmp/storageconfig.hcl;
            sed -Ei "s/POD_IP/${POD_IP?}/g" /tmp/storageconfig.hcl;
            /usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl

          env:
            - name: HOST_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.hostIP
            - name: POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: VAULT_ADDR
              value: "https://spinnaker-vault.vault.svc.cluster.local:8200"
            - name: VAULT_API_ADDR
              value: "https://$(POD_IP):8200"
            - name: SKIP_CHOWN
              value: "true"
            - name: SKIP_SETCAP
              value: "true"
            - name: VAULT_CACERT
              value: "/vault/certs/tls.crt"


          volumeMounts:
            - name: data
              mountPath: /vault/data
            - name: config
              mountPath: /vault/config
            - name: certs
              mountPath: /vault/certs

          ports:
            - containerPort: 8200
              name: http
            - containerPort: 8201
              name: internal
            - containerPort: 8202
              name: replication
          readinessProbe:
            # Check status; unsealed vault servers return 0
            # The exit code reflects the seal status:
            #   0 - unsealed
            #   1 - error
            #   2 - sealed
            exec:
              command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"]
            failureThreshold: 2
            initialDelaySeconds: 5
            periodSeconds: 3
            successThreshold: 1
            timeoutSeconds: 5
          lifecycle:
            # Vault container doesn't receive SIGTERM from Kubernetes
            # and after the grace period ends, Kube sends SIGKILL.  This
            # causes issues with graceful shutdowns such as deregistering itself
            # from Consul (zombie services).
            preStop:
              exec:
                command: [
                  "/bin/sh", "-c",
                  # Adding a sleep here to give the pod eviction a
                  # chance to propagate, so requests will not be made
                  # to this pod while it's terminating
                  "sleep 5 && kill -SIGTERM $(pidof vault)",
                ]

  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 100Mi
---
# Source: vault/templates/injector-mutating-webhook.yaml
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: spinnaker-vault-agent-injector-cfg
  labels:
    app.kubernetes.io/name: vault-agent-injector
    app.kubernetes.io/instance: spinnaker
    app.kubernetes.io/managed-by: Helm
webhooks:
  - name: vault.hashicorp.com
    clientConfig:
      service:
        name: spinnaker-vault-agent-injector-svc
        namespace: vault
        path: "/mutate"
      caBundle:
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]


	---
	# Source: vault/templates/injector-serviceaccount.yaml
	apiVersion: v1
	kind: ServiceAccount
	metadata:
	name: spinnaker-vault-agent-injector
	namespace: vault
	labels:
	app.kubernetes.io/name: vault-agent-injector
	app.kubernetes.io/instance: spinnaker
	app.kubernetes.io/managed-by: Helm
	---
	# Source: vault/templates/server-serviceaccount.yaml
	apiVersion: v1
	kind: ServiceAccount
	metadata:
	name: spinnaker-vault
	namespace: vault
	labels:
	helm.sh/chart: vault-0.4.0
	app.kubernetes.io/name: vault
	app.kubernetes.io/instance: spinnaker
	app.kubernetes.io/managed-by: Helm
	---
	# Source: vault/templates/server-config-configmap.yaml
	apiVersion: v1
	kind: ConfigMap
	metadata:
	name: spinnaker-vault-config
	namespace: vault
	labels:
	helm.sh/chart: vault-0.4.0
	app.kubernetes.io/name: vault
	app.kubernetes.io/instance: spinnaker
	app.kubernetes.io/managed-by: Helm
	data:
	extraconfig-from-values.hcl: \|-
	disable_mlock = true
	ui = true

	# original listener
	#listener "tcp" {
	# tls_disable = 1
	# address = "[::]:8200"
	# cluster_address = "[::]:8201"
	#}
	# listener with TLS enabled
	listener "tcp" {
	address = "[::]:8200"
	cluster_address = "[::]:8201"
	tls_cert_file = "/vault/certs/tls.crt"
	tls_key_file = "/vault/certs/tls.key"
	}
	storage "file" {
	path = "/vault/data"
	}

	# Example configuration for using auto-unseal, using Google Cloud KMS. The
	# GKMS keys must already exist, and the cluster must have a service account
	# that is authorized to access GCP KMS.
	#seal "gcpckms" {
	# project = "vault-helm-dev"
	# region = "global"
	# key_ring = "vault-helm-unseal-kr"
	# crypto_key = "vault-helm-unseal-key"
	#}
	---
	# Source: vault/templates/injector-clusterrole.yaml
	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRole
	metadata:
	name: spinnaker-vault-agent-injector-clusterrole
	labels:
	app.kubernetes.io/name: vault-agent-injector
	app.kubernetes.io/instance: spinnaker
	app.kubernetes.io/managed-by: Helm
	rules:
	- apiGroups: ["admissionregistration.k8s.io"]
	resources: ["mutatingwebhookconfigurations"]
	verbs:
	- "get"
	- "list"
	- "watch"
	- "patch"
	---
	# Source: vault/templates/injector-clusterrolebinding.yaml
	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRoleBinding
	metadata:
	name: spinnaker-vault-agent-injector-binding
	namespace: vault
	labels:
	app.kubernetes.io/name: vault-agent-injector
	app.kubernetes.io/instance: spinnaker
	app.kubernetes.io/managed-by: Helm
	roleRef:
	apiGroup: rbac.authorization.k8s.io
	kind: ClusterRole
	name: spinnaker-vault-agent-injector-clusterrole
	subjects:
	- kind: ServiceAccount
	name: spinnaker-vault-agent-injector
	namespace: vault
	---
	# Source: vault/templates/server-clusterrolebinding.yaml
	apiVersion: rbac.authorization.k8s.io/v1beta1
	kind: ClusterRoleBinding
	metadata:
	name: spinnaker-vault-server-binding
	namespace: vault
	labels:
	helm.sh/chart: vault-0.4.0
	app.kubernetes.io/name: vault
	app.kubernetes.io/instance: spinnaker
	app.kubernetes.io/managed-by: Helm
	roleRef:
	apiGroup: rbac.authorization.k8s.io
	kind: ClusterRole
	name: system:auth-delegator
	subjects:
	- kind: ServiceAccount
	name: spinnaker-vault
	namespace: vault
	---
	# Source: vault/templates/injector-service.yaml
	apiVersion: v1
	kind: Service
	metadata:
	name: spinnaker-vault-agent-injector-svc
	namespace: vault
	labels:
	app.kubernetes.io/name: vault-agent-injector
	app.kubernetes.io/instance: spinnaker
	app.kubernetes.io/managed-by: Helm
	spec:
	ports:
	- port: 443
	targetPort: 8080
	selector:
	app.kubernetes.io/name: vault-agent-injector
	app.kubernetes.io/instance: spinnaker
	component: webhook
	---
	# Source: vault/templates/server-service.yaml
	# Service for Vault cluster
	apiVersion: v1
	kind: Service
	metadata:
	name: spinnaker-vault
	namespace: vault
	labels:
	helm.sh/chart: vault-0.4.0
	app.kubernetes.io/name: vault
	app.kubernetes.io/instance: spinnaker
	app.kubernetes.io/managed-by: Helm
	annotations:
	# This must be set in addition to publishNotReadyAddresses due
	# to an open issue where it may not work:
	# https://github.com/kubernetes/kubernetes/issues/58662
	service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
	spec:
	# We want the servers to become available even if they're not ready
	# since this DNS is also used for join operations.
	publishNotReadyAddresses: true
	ports:
	- name: http
	port: 8200
	targetPort: 8200
	- name: internal
	port: 8201
	targetPort: 8201
	selector:
	app.kubernetes.io/name: vault
	app.kubernetes.io/instance: spinnaker
	component: server
	---
	# Source: vault/templates/injector-deployment.yaml
	# Deployment for the injector
	apiVersion: apps/v1
	kind: Deployment
	metadata:
	name: spinnaker-vault-agent-injector
	namespace: vault
	labels:
	app.kubernetes.io/name: vault-agent-injector
	app.kubernetes.io/instance: spinnaker
	app.kubernetes.io/managed-by: Helm
	component: webhook
	spec:
	replicas: 1
	selector:
	matchLabels:
	app.kubernetes.io/name: vault-agent-injector
	app.kubernetes.io/instance: spinnaker
	component: webhook
	template:
	metadata:
	labels:
	app.kubernetes.io/name: vault-agent-injector
	app.kubernetes.io/instance: spinnaker
	component: webhook
	spec:
	serviceAccountName: "spinnaker-vault-agent-injector"
	securityContext:
	runAsNonRoot: true
	runAsGroup: 1000
	runAsUser: 100
	containers:
	- name: sidecar-injector

	image: "hashicorp/vault-k8s:0.2.0"
	imagePullPolicy: "IfNotPresent"
	env:
	- name: AGENT_INJECT_LISTEN
	value: ":8080"
	- name: AGENT_INJECT_LOG_LEVEL
	value: info
	- name: AGENT_INJECT_VAULT_ADDR
	value: https://spinnaker-vault.vault.svc:8200
	- name: AGENT_INJECT_VAULT_IMAGE
	value: "vault:1.3.2"
	- name: AGENT_INJECT_TLS_AUTO
	value: spinnaker-vault-agent-injector-cfg
	- name: AGENT_INJECT_TLS_AUTO_HOSTS
	value: spinnaker-vault-agent-injector-svc,spinnaker-vault-agent-injector-svc.vault,spinnaker-vault-agent-injector-svc.vault.svc
	args:
	- agent-inject
	- 2>&1
	livenessProbe:
	httpGet:
	path: /health/ready
	port: 8080
	scheme: HTTPS
	failureThreshold: 2
	initialDelaySeconds: 1
	periodSeconds: 2
	successThreshold: 1
	timeoutSeconds: 5
	readinessProbe:
	httpGet:
	path: /health/ready
	port: 8080
	scheme: HTTPS
	failureThreshold: 2
	initialDelaySeconds: 2
	periodSeconds: 2
	successThreshold: 1
	timeoutSeconds: 5
	---
	# Source: vault/templates/server-statefulset.yaml
	# StatefulSet to run the actual vault server cluster.
	apiVersion: apps/v1
	kind: StatefulSet
	metadata:
	name: spinnaker-vault
	namespace: vault
	labels:
	app.kubernetes.io/name: vault
	app.kubernetes.io/instance: spinnaker
	app.kubernetes.io/managed-by: Helm
	spec:
	serviceName: spinnaker-vault
	podManagementPolicy: Parallel
	replicas: 1
	updateStrategy:
	type: OnDelete
	selector:
	matchLabels:
	app.kubernetes.io/name: vault
	app.kubernetes.io/instance: spinnaker
	component: server
	template:
	metadata:
	labels:
	helm.sh/chart: vault-0.4.0
	app.kubernetes.io/name: vault
	app.kubernetes.io/instance: spinnaker
	component: server
	spec:
	affinity:
	podAntiAffinity:
	requiredDuringSchedulingIgnoredDuringExecution:
	- labelSelector:
	matchLabels:
	app.kubernetes.io/name: vault
	app.kubernetes.io/instance: "spinnaker"
	component: server
	topologyKey: kubernetes.io/hostname
	terminationGracePeriodSeconds: 10
	serviceAccountName: spinnaker-vault

	securityContext:
	runAsNonRoot: true
	runAsGroup: 1000
	runAsUser: 100
	fsGroup: 1000
	volumes:

	- name: config
	configMap:
	name: spinnaker-vault-config
	# for vault cert / tls
	- name: certs
	secret:
	secretName: vault-tls

	containers:
	- name: vault

	securityContext:
	capabilities:
	add: ["IPC_LOCK"]
	image: vault:1.3.2
	imagePullPolicy: IfNotPresent
	command:
	- "/bin/sh"
	- "-ec"

	args:
	- \|
	sed -E "s/HOST_IP/${HOST_IP?}/g" /vault/config/extraconfig-from-values.hcl > /tmp/storageconfig.hcl;
	sed -Ei "s/POD_IP/${POD_IP?}/g" /tmp/storageconfig.hcl;
	/usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl

	env:
	- name: HOST_IP
	valueFrom:
	fieldRef:
	fieldPath: status.hostIP
	- name: POD_IP
	valueFrom:
	fieldRef:
	fieldPath: status.podIP
	- name: VAULT_ADDR
	value: "https://spinnaker-vault.vault.svc.cluster.local:8200"
	- name: VAULT_API_ADDR
	value: "https://$(POD_IP):8200"
	- name: SKIP_CHOWN
	value: "true"
	- name: SKIP_SETCAP
	value: "true"
	- name: VAULT_CACERT
	value: "/vault/certs/tls.crt"


	volumeMounts:
	- name: data
	mountPath: /vault/data
	- name: config
	mountPath: /vault/config
	- name: certs
	mountPath: /vault/certs

	ports:
	- containerPort: 8200
	name: http
	- containerPort: 8201
	name: internal
	- containerPort: 8202
	name: replication
	readinessProbe:
	# Check status; unsealed vault servers return 0
	# The exit code reflects the seal status:
	# 0 - unsealed
	# 1 - error
	# 2 - sealed
	exec:
	command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"]
	failureThreshold: 2
	initialDelaySeconds: 5
	periodSeconds: 3
	successThreshold: 1
	timeoutSeconds: 5
	lifecycle:
	# Vault container doesn't receive SIGTERM from Kubernetes
	# and after the grace period ends, Kube sends SIGKILL. This
	# causes issues with graceful shutdowns such as deregistering itself
	# from Consul (zombie services).
	preStop:
	exec:
	command: [
	"/bin/sh", "-c",
	# Adding a sleep here to give the pod eviction a
	# chance to propagate, so requests will not be made
	# to this pod while it's terminating
	"sleep 5 && kill -SIGTERM $(pidof vault)",
	]

	volumeClaimTemplates:
	- metadata:
	name: data
	spec:
	accessModes:
	- ReadWriteOnce
	resources:
	requests:
	storage: 100Mi
	---
	# Source: vault/templates/injector-mutating-webhook.yaml
	apiVersion: admissionregistration.k8s.io/v1beta1
	kind: MutatingWebhookConfiguration
	metadata:
	name: spinnaker-vault-agent-injector-cfg
	labels:
	app.kubernetes.io/name: vault-agent-injector
	app.kubernetes.io/instance: spinnaker
	app.kubernetes.io/managed-by: Helm
	webhooks:
	- name: vault.hashicorp.com
	clientConfig:
	service:
	name: spinnaker-vault-agent-injector-svc
	namespace: vault
	path: "/mutate"
	caBundle:
	rules:
	- operations: ["CREATE", "UPDATE"]
	apiGroups: [""]
	apiVersions: ["v1"]
	resources: ["pods"]