---
# -- The global namespace contains some globally used variables used in patterns
# @default -- depends on the individual settings
global:
  # -- Enforces the OpenShift templates for the vault chart
  openshift: true
  # NOTE(review): apps.foo.cluster.com looks like a placeholder that is overridden per
  # cluster — confirm. The vault block of this file sets route.host to null, so whatever
  # external hostname the route ends up with is not fixed in this file.
  # -- The DNS entry for the cluster the chart is being rendered on with the apps. prefix
  localClusterDomain: apps.foo.cluster.com
# -- A number of settings passed down to the vault subchart
# @default -- depends on the individual settings
vault:
  injector:
    # -- Vault agent injection support
    enabled: false
  ui:
    # NOTE(review): server.route.enabled is also true below, so the UI is presumably
    # reachable through the route — confirm that this exposure is intended.
    # -- Vault UI support
    enabled: true
  server:
    # VAULT_ADDR uses https and VAULT_CACERT names a CA bundle, so vault CLI calls made
    # inside the pod verify the listener certificate rather than skipping verification.
    # The host in VAULT_ADDR has to match a name in the certificate served from
    # `vault-secret`; re-check it if the service name or namespace changes.
    # -- Additional environment variables injected in the vault pod
    extraEnvironmentVars:
      VAULT_CACERT: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
      VAULT_ADDR: https://vault.vault.svc.cluster.local:8200
    # The listener serves TLS with the cert/key read from /vault/userconfig/vault-secret,
    # i.e. the `vault-secret` secret mounted through extraVolumes below.
    # The config has no `seal` stanza, so Vault falls back to its default Shamir seal and
    # has to be unsealed after every restart. Storage is the single-node `file` backend
    # under /vault/data; this config sets up no replication.
    # -- Base configuration for the standalone vault server
    standalone:
      config: |
        ui = true
        listener "tcp" {
          address = "[::]:8200"
          cluster_address = "[::]:8201"
          tls_cert_file = "/vault/userconfig/vault-secret/tls.crt"
          tls_key_file = "/vault/userconfig/vault-secret/tls.key"
        }
        storage "file" {
          path = "/vault/data"
        }
    # -- Extra volumes that are automatically mounted in the vault pod under /vault/userconfig/<name>
    extraVolumes:
      - type: secret
        name: vault-secret
    service:
      # -- Enables an associated k8s service when running the vault
      enabled: true
      nonha:
        # The annotation asks the OpenShift service CA to issue a serving certificate for
        # this service and store it in the named secret; that secret is the one the
        # listener's tls_cert_file / tls_key_file point at.
        # -- Annotation to inject a secret called `vault-secret` to the nonha service
        annotations:
          service.beta.openshift.io/serving-cert-secret-name: vault-secret
      internal:
        # NOTE(review): only `vault-secret` is mounted via extraVolumes in this file;
        # confirm what, if anything, consumes `vault-secret-internal`.
        # -- Annotation to inject a secret called `vault-secret-internal` to the internal service
        annotations:
          service.beta.openshift.io/serving-cert-secret-name: vault-secret-internal
    route:
      host: null
      # -- Enable route support when exposing the vault
      enabled: true
      tls:
        # We cannot use passthrough because clients would be talking to the route hostname
        # (e.g. https://vault-vault.apps.mcg-hub.blueprints.rhecoeng.com) but would be
        # served the certificate for vault.vault.svc/vault.vault.svc.cluster.local, which
        # fails hostname verification. With reencrypt the router terminates the external
        # TLS session and opens a new TLS connection to the pod, so the router handles
        # decrypted Vault requests.
        # -- Termination type of the vault route
        termination: "reencrypt"
    image:
      # -- Where to fetch the vault images from
      repository: "registry.connect.redhat.com/hashicorp/vault"
      # NOTE(review): the image is referenced by tag only, and a tag can be re-pointed in
      # the registry. Consider pinning by digest if the chart supports it — confirm.
      # -- Tag to use for the vault image
      tag: "1.18.3-ubi"