Example Vault Helm chart values.yaml
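# Vault Helm Chart Value Overrides
#
# Variant with TLS disabled end to end: global.tlsDisable, the listener's
# tls_disable and the "http" auto_join scheme below all agree. Everything on
# port 8200 -- tokens, secrets, the UI -- crosses the network in plaintext,
# so this only suits an isolated lab; the sibling file in this gist is the
# TLS-enabled variant.
global:
  enabled: true
  # Disables TLS for the chart's own wiring (probes, service URLs); must match
  # the listener's tls_disable setting in server.ha.raft.config below.
  tlsDisable: true

injector:
  enabled: true
  # Use the Vault K8s Image https://github.com/hashicorp/vault-k8s/
  image:
    repository: "hashicorp/vault-k8s"
    tag: "1.2.0"

  resources:
    requests:
      memory: 256Mi
      cpu: 250m
    limits:
      memory: 256Mi
      cpu: 250m

server:
  enabled: true
  # Use the Enterprise Image
  image:
    repository: "hashicorp/vault-enterprise"
    tag: "1.12.2-ent"
    # tag: "1.12.3-ent"

  # logLevel: "debug"

  # serviceAccount:
  #   annotations: |
  #     eks.amazonaws.com/role-arn: "arn:aws:iam::ACCOUNT_ID:role/vault-server"

  # These Resource Limits are in line with node requirements in the
  # Vault Reference Architecture for a Small Cluster
  resources:
    requests:
      memory: 8Gi
      cpu: 2000m
    limits:
      memory: 16Gi
      cpu: 2000m

  # Ingress allows ingress services to be created to allow external access
  # from Kubernetes to access Vault pods.
  # If deployment is on OpenShift, the following block is ignored.
  # In order to expose the service, use the route section below
  ingress:
    enabled: true
    labels:
      traffic: external
    annotations: {}
      # |
      # kubernetes.io/ingress.class: nginx
      # kubernetes.io/tls-acme: "true"
      #   or
      # kubernetes.io/ingress.class: nginx
      # kubernetes.io/tls-acme: "true"

    # Optionally use ingressClassName instead of deprecated annotation.
    # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#deprecated-annotation
    ingressClassName: ""

    # As of Kubernetes 1.19, all Ingress Paths must have a pathType configured. The default value below should be sufficient in most cases.
    # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types for other possible values.
    pathType: Prefix

    # When HA mode is enabled and K8s service registration is being used,
    # configure the ingress to point to the Vault active service.
    activeService: true
    hosts:
      - host: vault.local
        paths: []
    ## Extra paths to prepend to the host configuration. This is useful when working with annotation based services.
    extraPaths: []
    # - path: /*
    #   backend:
    #     service:
    #       name: ssl-redirect
    #       port:
    #         number: use-annotation
    # NOTE(review): with tls: [] here and TLS disabled on the listener, this
    # Ingress publishes the full Vault API over plaintext HTTP at vault.local.
    tls: []
    #  - secretName: chart-example-tls
    #    hosts:
    #      - chart-example.local

  # For HA configuration and because we need to manually init the vault,
  # we need to define custom readiness/liveness Probe settings.
  # sealedcode/uninitcode=204 make sealed and uninitialised pods report Ready
  # so the Service is reachable for the manual init/unseal.
  readinessProbe:
    enabled: true
    path: "/v1/sys/health?perfstandbyok=true&standbyok=true&sealedcode=204&uninitcode=204"
  livenessProbe:
    enabled: true
    path: "/v1/sys/health?perfstandbyok=true&standbyok=true"
    initialDelaySeconds: 180

  # extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be
  # used to include variables required for auto-unseal.
  extraEnvironmentVars:
    # VAULT_CACERT: "/vault/userconfig/vault-tls-ca/ca.crt"
    # Plain http to match tlsDisable above; this is what the vault CLI inside
    # the pod uses to reach the local listener.
    VAULT_ADDR: "http://localhost:8200"

  # extraVolumes is a list of extra volumes to mount. These will be exposed
  # to Vault in the path `/vault/userconfig/<name>/`.
  extraVolumes:
    # Enterprise license, referenced by license_path in the config below;
    # the Secret must exist in the release namespace before the pods start.
    - type: secret
      name: vault-license
    # - type: secret
    #   name: vault-tls-cert
    # - type: secret
    #   name: vault-tls-ca
    # - type: secret
    #   name: kms-creds

  # This configures the Vault Statefulset to create a PVC for audit logs.
  # See https://www.vaultproject.io/docs/audit/index.html to know more
  # NOTE(review): this only provisions the volume; an audit device still has
  # to be enabled on the running cluster before anything is written to it.
  auditStorage:
    enabled: true

  standalone:
    enabled: false

  # Run Vault in "HA" mode.
  ha:
    enabled: true
    replicas: 3
    raft:
      enabled: true
      setNodeId: true

      config: |
        ui = true
        license_path = "/vault/userconfig/vault-license/vault.hclic"

        listener "tcp" {
          # Plaintext API listener; keep in step with global.tlsDisable.
          tls_disable = true
          # tls_cert_file = "/vault/userconfig/vault-tls-cert/tls.crt"
          # tls_key_file = "/vault/userconfig/vault-tls-cert/tls.key"
          tls_require_and_verify_client_cert = false
          tls_disable_client_certs = true
          address = "[::]:8200"
          cluster_address = "[::]:8201"
        }

        storage "raft" {
          path = "/vault/data"
          retry_join {
            # NOTE(review): assumes the release is installed in the "vault"
            # namespace; adjust namespace= and the label_selector otherwise.
            auto_join = "provider=k8s namespace=vault label_selector=\"component=server,app.kubernetes.io/name=vault\""
            # http because the listener above has TLS disabled.
            auto_join_scheme = "http"
            # leader_ca_cert_file = "/vault/userconfig/vault-tls-ca/ca.crt"
            # leader_tls_servername = "vault.local"
          }
          autopilot {
            cleanup_dead_servers = "true"
            last_contact_threshold = "200ms"
            last_contact_failure_threshold = "10m"
            max_trailing_logs = 250000
            # NOTE(review): 5 is larger than the 3 replicas configured above,
            # so dead-server cleanup cannot run in this cluster without
            # dropping below min_quorum; confirm this matches the intended
            # cluster size.
            min_quorum = 5
            server_stabilization_time = "10s"
          }
        }

        service_registration "kubernetes" {}

# Vault UI
ui:
  enabled: true
  # NOTE(review): a LoadBalancer on externalPort 8200 publishes the whole Vault
  # API, not just the UI, and in this variant it is plaintext; restrict it with
  # loadBalancerSourceRanges below or use an internal-only load balancer.
  serviceType: "LoadBalancer"
  serviceNodePort: null
  externalPort: 8200

  # For Added Security, edit the below
  # loadBalancerSourceRanges:
  #   - < Your IP RANGE Ex. 10.0.0.0/16 >
  #   - < YOUR SINGLE IP Ex. 1.78.23.3/32 >
  # annotations:
  #   service.beta.kubernetes.io/aws-load-balancer-type: external
  #   service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
  #   service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing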
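# Vault Helm Chart Value Overrides
#
# TLS-enabled variant: global.tlsDisable, the listener's tls_disable and the
# "https" auto_join scheme below all agree, and the server certificate and CA
# are mounted from the vault-tls-cert / vault-tls-ca Secrets. The sibling
# file in this gist is the plaintext variant.
global:
  enabled: true
  # Keep TLS on for the chart's own wiring (probes, service URLs); must match
  # the listener's tls_disable setting in server.ha.raft.config below.
  tlsDisable: false

injector:
  enabled: true
  # Use the Vault K8s Image https://github.com/hashicorp/vault-k8s/
  image:
    repository: "hashicorp/vault-k8s"
    tag: "1.2.0"

  resources:
    requests:
      memory: 256Mi
      cpu: 250m
    limits:
      memory: 256Mi
      cpu: 250m

server:
  enabled: true
  # Use the Enterprise Image
  image:
    repository: "hashicorp/vault-enterprise"
    tag: "1.12.2-ent"
    # tag: "1.12.3-ent"

  # logLevel: "debug"

  # serviceAccount:
  #   annotations: |
  #     eks.amazonaws.com/role-arn: "arn:aws:iam::ACCOUNT_ID:role/vault-server"

  # These Resource Limits are in line with node requirements in the
  # Vault Reference Architecture for a Small Cluster
  # (commented out here, so the chart's defaults apply).
  # resources:
  #   requests:
  #     memory: 8Gi
  #     cpu: 2000m
  #   limits:
  #     memory: 16Gi
  #     cpu: 2000m

  # Ingress allows ingress services to be created to allow external access
  # from Kubernetes to access Vault pods.
  # If deployment is on OpenShift, the following block is ignored.
  # In order to expose the service, use the route section below
  ingress:
    enabled: true
    labels:
      traffic: external
    # NOTE(review): the listener below serves HTTPS, so the ingress controller
    # has to be told the backend speaks TLS (controller-specific annotation);
    # with {} here that is not configured -- confirm against the controller in use.
    annotations: {}
      # |
      # kubernetes.io/ingress.class: nginx
      # kubernetes.io/tls-acme: "true"
      #   or
      # kubernetes.io/ingress.class: nginx
      # kubernetes.io/tls-acme: "true"

    # Optionally use ingressClassName instead of deprecated annotation.
    # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#deprecated-annotation
    ingressClassName: ""

    # As of Kubernetes 1.19, all Ingress Paths must have a pathType configured. The default value below should be sufficient in most cases.
    # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types for other possible values.
    pathType: Prefix

    # When HA mode is enabled and K8s service registration is being used,
    # configure the ingress to point to the Vault active service.
    activeService: true
    hosts:
      - host: vault.local
        paths: []
    ## Extra paths to prepend to the host configuration. This is useful when working with annotation based services.
    extraPaths: []
    # - path: /*
    #   backend:
    #     service:
    #       name: ssl-redirect
    #       port:
    #         number: use-annotation
    # NOTE(review): tls: [] leaves the client-facing side of this Ingress
    # plaintext even though Vault itself serves TLS; add a secretName/hosts
    # entry (pattern below) to terminate TLS at the ingress.
    tls: []
    #  - secretName: chart-example-tls
    #    hosts:
    #      - chart-example.local

  # For HA configuration and because we need to manually init the vault,
  # we need to define custom readiness/liveness Probe settings.
  # sealedcode/uninitcode=204 make sealed and uninitialised pods report Ready
  # so the Service is reachable for the manual init/unseal.
  readinessProbe:
    enabled: true
    path: "/v1/sys/health?perfstandbyok=true&standbyok=true&sealedcode=204&uninitcode=204"
  livenessProbe:
    enabled: true
    path: "/v1/sys/health?perfstandbyok=true&standbyok=true"
    initialDelaySeconds: 60

  # extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be
  # used to include variables required for auto-unseal.
  extraEnvironmentVars:
    # CA the in-pod vault CLI uses to verify the local listener; comes from
    # the vault-tls-ca Secret mounted under extraVolumes below.
    VAULT_CACERT: "/vault/userconfig/vault-tls-ca/ca.crt"

  # extraVolumes is a list of extra volumes to mount. These will be exposed
  # to Vault in the path `/vault/userconfig/<name>/`.
  extraVolumes:
    # Enterprise license, referenced by license_path in the config below;
    # all three Secrets must exist in the release namespace before the pods start.
    - type: secret
      name: vault-license
    # Server certificate and key (tls.crt / tls.key) for the listener.
    - type: secret
      name: vault-tls-cert
    # CA bundle (ca.crt) used by VAULT_CACERT and leader_ca_cert_file.
    - type: secret
      name: vault-tls-ca
    # - type: secret
    #   name: kms-creds

  # This configures the Vault Statefulset to create a PVC for audit logs.
  # See https://www.vaultproject.io/docs/audit/index.html to know more
  # NOTE(review): this only provisions the volume; an audit device still has
  # to be enabled on the running cluster before anything is written to it.
  auditStorage:
    enabled: true

  standalone:
    enabled: false

  # Run Vault in "HA" mode.
  ha:
    enabled: true
    replicas: 3
    raft:
      enabled: true
      setNodeId: true

      config: |
        ui = true
        license_path = "/vault/userconfig/vault-license/vault.hclic"

        listener "tcp" {
          tls_disable = false
          tls_cert_file = "/vault/userconfig/vault-tls-cert/tls.crt"
          tls_key_file = "/vault/userconfig/vault-tls-cert/tls.key"
          # Server-side TLS only; clients are not asked for certificates.
          tls_require_and_verify_client_cert = false
          tls_disable_client_certs = true
          address = "[::]:8200"
          cluster_address = "[::]:8201"
        }

        storage "raft" {
          path = "/vault/data"
          retry_join {
            # NOTE(review): assumes the release is installed in the "vault"
            # namespace; adjust namespace= and the label_selector otherwise.
            auto_join = "provider=k8s namespace=vault label_selector=\"component=server,app.kubernetes.io/name=vault\""
            auto_join_scheme = "https"
            # Joining nodes verify the leader's certificate against this CA and
            # expect it to carry vault.local, so the server cert in
            # vault-tls-cert must include that name as a SAN.
            leader_ca_cert_file = "/vault/userconfig/vault-tls-ca/ca.crt"
            leader_tls_servername = "vault.local"
          }
          autopilot {
            cleanup_dead_servers = "true"
            last_contact_threshold = "200ms"
            last_contact_failure_threshold = "10m"
            max_trailing_logs = 250000
            # NOTE(review): 5 is larger than the 3 replicas configured above,
            # so dead-server cleanup cannot run in this cluster without
            # dropping below min_quorum; confirm this matches the intended
            # cluster size.
            min_quorum = 5
            server_stabilization_time = "10s"
          }
        }

        service_registration "kubernetes" {}

# Vault UI
ui:
  enabled: true
  # NOTE(review): a LoadBalancer on externalPort 8200 publishes the whole Vault
  # API, not just the UI; restrict it with loadBalancerSourceRanges below or
  # use an internal-only load balancer.
  serviceType: "LoadBalancer"
  serviceNodePort: null
  externalPort: 8200

  # For Added Security, edit the below
  # loadBalancerSourceRanges:
  #   - < Your IP RANGE Ex. 10.0.0.0/16 >
  #   - < YOUR SINGLE IP Ex. 1.78.23.3/32 >
  # annotations:
  #   service.beta.kubernetes.io/aws-load-balancer-type: external
  #   service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
  #   service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing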