This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Vault Helm Chart Value Overrides | |
| global: | |
| enabled: true | |
| tlsDisable: false | |
| injector: | |
| enabled: true | |
| # Use the Vault K8s Image https://github.com/hashicorp/vault-k8s/ | |
| image: | |
| repository: "hashicorp/vault-k8s" | |
| tag: "latest" | |
| resources: | |
| requests: | |
| memory: 256Mi | |
| cpu: 250m | |
| limits: | |
| memory: 256Mi | |
| cpu: 250m | |
| server: | |
| # These Resource Limits are in line with node requirements in the | |
| # Vault Reference Architecture for a Small Cluster | |
| resources: | |
| requests: | |
| memory: 256Mi | |
| cpu: 500m | |
| limits: | |
| memory: 256Mi | |
| cpu: 500m | |
| # For HA configuration and because we need to manually init the vault, | |
| # we need to define custom readiness/liveness Probe settings | |
| readinessProbe: | |
| enabled: true | |
| path: "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204" | |
| livenessProbe: | |
| enabled: true | |
| path: "/v1/sys/health?standbyok=true" | |
| initialDelaySeconds: 60 | |
| # extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be | |
| # used to include variables required for auto-unseal. | |
| extraEnvironmentVars: | |
| VAULT_CACERT: /vault/userconfig/rootCA/rootCACert.pem | |
| # extraVolumes is a list of extra volumes to mount. These will be exposed | |
| # to Vault in the path `/vault/userconfig/<name>/`. | |
| extraVolumes: | |
| - type: secret | |
| name: tls-server | |
| - type: secret | |
| name: rootCA | |
| # This configures the Vault Statefulset to create a PVC for audit logs. | |
| # See https://www.vaultproject.io/docs/audit/index.html to know more | |
| auditStorage: | |
| enabled: false | |
| dataStorage: | |
| enabled: true | |
| storageClass: local-storage | |
| standalone: | |
| enabled: false | |
| # Run Vault in "HA" mode. | |
| ha: | |
| enabled: true | |
| replicas: 3 | |
| raft: | |
| enabled: true | |
| setNodeId: true | |
| config: | | |
| ui = true | |
| listener "tcp" { | |
| address = "[::]:8200" | |
| cluster_address = "[::]:8201" | |
| tls_cert_file = "/vault/userconfig/tls-server/tls.crt" | |
| tls_key_file = "/vault/userconfig/tls-server/tls.key" | |
| tls_ca_cert_file = "/vault/userconfig/rootCA/rootCACert.pem" | |
| } | |
| storage "raft" { | |
| path = "/vault/data" | |
| retry_join { | |
| leader_api_addr = "https://vault-0.vault-internal:8200" | |
| leader_ca_cert_file = "/vault/userconfig/rootCA/rootCACert.pem" | |
| leader_client_cert_file = "/vault/userconfig/tls-server/tls.crt" | |
| leader_client_key_file = "/vault/userconfig/tls-server/tls.key" | |
| } | |
| retry_join { | |
| leader_api_addr = "https://vault-1.vault-internal:8200" | |
| leader_ca_cert_file = "/vault/userconfig/rootCA/rootCACert.pem" | |
| leader_client_cert_file = "/vault/userconfig/tls-server/tls.crt" | |
| leader_client_key_file = "/vault/userconfig/tls-server/tls.key" | |
| } | |
| retry_join { | |
| leader_api_addr = "https://vault-2.vault-internal:8200" | |
| leader_ca_cert_file = "/vault/userconfig/rootCA/rootCACert.pem" | |
| leader_client_cert_file = "/vault/userconfig/tls-server/tls.crt" | |
| leader_client_key_file = "/vault/userconfig/tls-server/tls.key" | |
| } | |
| autopilot { | |
| cleanup_dead_servers = "true" | |
| last_contact_threshold = "200ms" | |
| last_contact_failure_threshold = "10m" | |
| max_trailing_logs = 250000 | |
| min_quorum = 5 | |
| server_stabilization_time = "10s" | |
| } | |
| } | |
| service_registration "kubernetes" {} | |
| # Vault UI | |
| ui: | |
| enabled: true | |
| serviceType: "LoadBalancer" | |
| serviceNodePort: null | |
| externalPort: 8200 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment