Vault GKE Values
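---
# Helm values for the HashiCorp vault-helm chart on GKE: an HA Vault server
# with TLS on the listener, the GCS storage backend and GCP Cloud KMS
# auto-unseal. Replace every UPPER_CASE placeholder (GCS_BUCKET_NAME,
# GCP_PROJECT, LOAD_BALANCER_IP) before installing.
global:
  # Keep TLS enabled chart-wide; the listener below serves HTTPS.
  tlsDisable: false

server:
  # resources:
  #   requests:
  #     memory: 256Mi
  #     cpu: 250m
  #   limits:
  #     memory: 256Mi
  #     cpu: 250m

  extraEnvironmentVars:
    # Path is <extraVolumes[].path>/<secret name>/<key in the vault-gcs Secret>.
    # This is a long-lived service-account key used by both the gcs storage
    # backend and the gcpckms seal; on GKE, Workload Identity would avoid
    # mounting a static key at all — consider it where available.
    GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/vault-gcs/vault_gcs_key.json

  extraVolumes:
    # Secret holding the GCP service-account key (vault_gcs_key.json).
    - type: secret
      name: vault-gcs
      path: "/vault/userconfig"
    # Secret holding vault.pem, vault-key.pem and ca.pem for the TLS listener.
    - type: secret
      name: vault-tls
      path: "/etc/tls"

  authDelegator:
    enabled: true

  ha:
    enabled: true
    # This should be HCL.
    # NOTE(review): tls_client_ca_file only tells Vault which CA to trust for
    # client certificates; clients are not required to present one unless
    # tls_require_and_verify_client_cert is also set in the listener.
    config: |
      ui = true
      listener "tcp" {
        tls_disable = 0
        tls_cert_file = "/etc/tls/vault-tls/vault.pem"
        tls_key_file = "/etc/tls/vault-tls/vault-key.pem"
        tls_client_ca_file = "/etc/tls/vault-tls/ca.pem"
        tls_min_version = "tls12"
        address = "[::]:8200"
        cluster_address = "[::]:8201"
      }
      storage "gcs" {
        bucket = "GCS_BUCKET_NAME"
        ha_enabled = "true"
      }
      # Example configuration for using auto-unseal, using Google Cloud KMS. The
      # GKMS keys must already exist, and the cluster must have a service account
      # that is authorized to access GCP KMS.
      seal "gcpckms" {
        project = "GCP_PROJECT"
        region = "global"
        key_ring = "vault-helm-unseal-kr"
        crypto_key = "vault-helm-unseal-key"
      }

# Exposing VAULT UI to a GCP loadbalancer WITH IAP Backend config
# 1. create the backend config https://cloud.google.com/iap/docs/enabling-kubernetes-howto
# 2. create a Google Managed Certificate https://cloud.google.com/load-balancing/docs/ssl-certificates
# 3. create static global ip "gcloud compute addresses create vault-ui --global"
#    and set the loadBalancerIP below
# 4. create a DNS entry for that IP - and update the host in the ingress section below
# 5. uncomment the section below
# 6. install
# -------------------------------------
# NOTE(review): when uncommenting, place these keys where the chart expects
# them — `ui` is a top-level key, while `readinessProbe`, `service` and
# `ingress` belong under `server:` — and confirm against the values.yaml of
# the chart version in use.
# readinessProbe:
#   enabled: true
#   path: /v1/sys/health?standbyok=true
# ui:
#   enabled: true
#   serviceType: "NodePort"
#   externalPort: 443
#   loadBalancerIP: "LOAD_BALANCER_IP"
# service:
#   clusterIP: {}
#   type: NodePort
#   annotations:
#     cloud.google.com/app-protocols: '{"http":"HTTPS"}'
#     beta.cloud.google.com/backend-config: '{"ports": {"http":"config-default"}}'
# ingress:
#   enabled: true
#   labels: {}
#   # traffic: external
#   annotations:
#     # must be global static ip not regional!
#     kubernetes.io/ingress.global-static-ip-name: "vault-ui"
#     # the controller will only create rules for port 443 based on the TLS section.
#     kubernetes.io/ingress.allow-http: "false"
#     # represents the specific pre-shared SSL certificate for the Ingress controller to use.
#     networking.gke.io/managed-certificates: "vault-ui-certificate"
#     # kubernetes.io/tls-acme: "true"
#   hosts:
#     - host: vault.domain.com
#       paths:
#         - /*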