A Helm chart to configure Hashicorp's vault.
This chart is used by the Validated Patterns installation script that can be found here
Homepage: https://github.com/validatedpatterns/hashicorp-vault-chart
Name | Url | |
---|---|---|
Validated Patterns Team | validatedpatterns@googlegroups.com |
Repository | Name | Version |
---|---|---|
https://helm.releases.hashicorp.com | vault | 0.28.1 |
Key | Type | Default | Description |
---|---|---|---|
global | object | depends on the individual settings | The global namespace containes some globally used variables used in patterns |
global.localClusterDomain | string | "apps.foo.cluster.com" |
The DNS entry for the cluster the chart is being rendered on with the apps. prefix |
global.openshift | bool | true |
Setting the enforces openshift templates for the vault chart |
vault | object | depends on the individual settings | A number of settings passed down to the vault subchart |
vault.injector.enabled | bool | false |
Vault agent injection support |
vault.server.extraEnvironmentVars | object | {"VAULT_ADDR":"https://vault.vault.svc.cluster.local:8200","VAULT_CACERT":"/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"} |
Additional environment variables injected in the vault pod |
vault.server.extraVolumes | list | [{"name":"vault-secret","type":"secret"}] |
Extra volumes that are automatically mounted in the vault pod under /vault/userconfig/ |
vault.server.image.repository | string | "registry.connect.redhat.com/hashicorp/vault" |
Where to fetch the vault images from |
vault.server.image.tag | string | "1.18.3-ubi" |
Tag to use for the vault image |
vault.server.route.enabled | bool | true |
Enable route support when exposing the vault |
vault.server.route.tls.termination | string | "reencrypt" |
Termination type of the vault route |
vault.server.service.enabled | bool | true |
Enables an associated k8s service when running the vault |
vault.server.service.internal.annotations | object | {"service.beta.openshift.io/serving-cert-secret-name":"vault-secret-internal"} |
Annotation to inject a secret called vault-secret to the internal service |
vault.server.service.nonha.annotations | object | {"service.beta.openshift.io/serving-cert-secret-name":"vault-secret"} |
Annotation to inject a secret called vault-secret to the nonha service |
vault.server.standalone | object | {"config":"ui = true\nlistener \"tcp\" {\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n tls_cert_file = \"/vault/userconfig/vault-secret/tls.crt\"\n tls_key_file = \"/vault/userconfig/vault-secret/tls.key\"\n}\nstorage \"file\" {\n path = \"/vault/data\"\n}\n"} |
Base configuration for the standalone vault server |
vault.ui.enabled | bool | true |
Vault UI support |
Autogenerated from chart metadata using helm-docs v1.14.2
- Edit Chart.yaml with the new version
- In the hashicorp-vault folder, run:
helm dependency update .
- Run
./update-helm-dependency.sh
- Check that the images in ./values.yaml are the same version as upstream
- Git add the new chart in
./charts/vault-<version>.tgz
In order to be able to use vault ssl we need to patch the helm chart to fix upstream issue 674.
Make sure to run "./update-helm-dependency.sh" after you updated the subchart (by calling helm dependency update .)
We can drop this local patch when any one the two conditions is true:
- [1] is fixed in helm and we can require the version that for installs
- PR#779 is merged in vault-helm and our minimum supported OCP version is OCP 4.11 (route subdomain is broken in OCP < 4.11 due to missing commit
In order to update the CRD, copy the following file from the last released patterns operator version:
cp -v patterns-operator/config/crd/bases/gitops.hybrid-cloud-patterns.io_patterns.yaml ./crds/