vault values.yaml
global.enabled📜
Type: bool
true
global.imagePullSecrets[0].name📜
Type: string
"private-registry"
global.tlsDisable📜
Type: bool
true
global.externalVaultAddr📜
Type: string
""
global.openshift📜
Type: bool
false
global.psp.enable📜
Type: bool
false
global.psp.annotations📜
Type: string
"seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default\napparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default\nseccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default\napparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default\n"
global.serverTelemetry.prometheusOperator📜
Type: bool
false
injector.enabled📜
Type: string
"-"
injector.replicas📜
Type: int
1
injector.port📜
Type: int
8080
injector.leaderElector.enabled📜
Type: bool
false
injector.metrics.enabled📜
Type: bool
true
injector.externalVaultAddr📜
Type: string
""
injector.image.repository📜
Type: string
"registry1.dso.mil/ironbank/hashicorp/vault/vault-k8s"
injector.image.tag📜
Type: string
"v1.4.1"
injector.image.pullPolicy📜
Type: string
"IfNotPresent"
injector.agentImage.repository📜
Type: string
"registry1.dso.mil/ironbank/hashicorp/vault"
injector.agentImage.tag📜
Type: string
"1.14.10"
injector.agentDefaults.cpuLimit📜
Type: string
"500m"
injector.agentDefaults.cpuRequest📜
Type: string
"500m"
injector.agentDefaults.memLimit📜
Type: string
"250Mi"
injector.agentDefaults.memRequest📜
Type: string
"250Mi"
injector.agentDefaults.template📜
Type: string
"map"
injector.agentDefaults.templateConfig.exitOnRetryFailure📜
Type: bool
true
injector.agentDefaults.templateConfig.staticSecretRenderInterval📜
Type: string
""
injector.livenessProbe.failureThreshold📜
Type: int
2
injector.livenessProbe.initialDelaySeconds📜
Type: int
5
injector.livenessProbe.periodSeconds📜
Type: int
2
injector.livenessProbe.successThreshold📜
Type: int
1
injector.livenessProbe.timeoutSeconds📜
Type: int
5
injector.readinessProbe.failureThreshold📜
Type: int
2
injector.readinessProbe.initialDelaySeconds📜
Type: int
5
injector.readinessProbe.periodSeconds📜
Type: int
2
injector.readinessProbe.successThreshold📜
Type: int
1
injector.readinessProbe.timeoutSeconds📜
Type: int
5
injector.startupProbe.failureThreshold📜
Type: int
12
injector.startupProbe.initialDelaySeconds📜
Type: int
5
injector.startupProbe.periodSeconds📜
Type: int
5
injector.startupProbe.successThreshold📜
Type: int
1
injector.startupProbe.timeoutSeconds📜
Type: int
5
injector.authPath📜
Type: string
"auth/kubernetes"
injector.logLevel📜
Type: string
"info"
injector.logFormat📜
Type: string
"standard"
injector.revokeOnShutdown📜
Type: bool
false
injector.webhook.failurePolicy📜
Type: string
"Ignore"
injector.webhook.matchPolicy📜
Type: string
"Exact"
injector.webhook.timeoutSeconds📜
Type: int
30
injector.webhook.namespaceSelector📜
Type: object
{}
injector.webhook.objectSelector📜
Type: string
"matchExpressions:\n- key: app.kubernetes.io/name\n operator: NotIn\n values:\n - {{ template \"vault.name\" . }}-agent-injector\n"
injector.webhook.annotations📜
Type: object
{}
injector.failurePolicy📜
Type: string
"Ignore"
injector.namespaceSelector📜
Type: object
{}
injector.objectSelector📜
Type: object
{}
injector.webhookAnnotations📜
Type: object
{}
injector.certs.secretName📜
Type: string
nil
injector.certs.caBundle📜
Type: string
""
injector.certs.certName📜
Type: string
"tls.crt"
injector.certs.keyName📜
Type: string
"tls.key"
injector.securityContext.pod📜
Type: object
{}
injector.securityContext.container.capabilities.drop[0]📜
Type: string
"ALL"
injector.resources.requests.memory📜
Type: string
"256Mi"
injector.resources.requests.cpu📜
Type: string
"250m"
injector.resources.limits.memory📜
Type: string
"256Mi"
injector.resources.limits.cpu📜
Type: string
"250m"
injector.extraEnvironmentVars📜
Type: object
{}
injector.affinity📜
Type: string
"podAntiAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n - labelSelector:\n matchLabels:\n app.kubernetes.io/name: {{ template \"vault.name\" . }}-agent-injector\n app.kubernetes.io/instance: \"{{ .Release.Name }}\"\n component: webhook\n topologyKey: kubernetes.io/hostname\n"
injector.topologySpreadConstraints📜
Type: list
[]
injector.tolerations📜
Type: list
[]
injector.nodeSelector📜
Type: object
{}
injector.priorityClassName📜
Type: string
""
injector.annotations📜
Type: object
{}
injector.extraLabels📜
Type: object
{}
injector.hostNetwork📜
Type: bool
false
injector.service.annotations📜
Type: object
{}
injector.serviceAccount.annotations📜
Type: object
{}
injector.podDisruptionBudget📜
Type: object
{}
injector.strategy📜
Type: object
{}
server.enabled📜
Type: bool
true
server.extraSecretEnvironmentVars[0].envName📜
Type: string
"AWS_ACCESS_KEY_ID"
server.extraSecretEnvironmentVars[0].secretName📜
Type: string
"eks-creds"
server.extraSecretEnvironmentVars[0].secretKey📜
Type: string
"AWS_ACCESS_KEY_ID"
server.extraSecretEnvironmentVars[1].envName📜
Type: string
"AWS_SECRET_ACCESS_KEY"
server.extraSecretEnvironmentVars[1].secretName📜
Type: string
"eks-creds"
server.extraSecretEnvironmentVars[1].secretKey📜
Type: string
"AWS_SECRET_ACCESS_KEY"
server.enterpriseLicense.secretName📜
Type: string
""
server.enterpriseLicense.secretKey📜
Type: string
"license"
server.image.repository📜
Type: string
"registry1.dso.mil/ironbank/hashicorp/vault"
server.image.tag📜
Type: string
"1.14.10"
server.image.pullPolicy📜
Type: string
"IfNotPresent"
server.updateStrategyType📜
Type: string
"OnDelete"
server.logLevel📜
Type: string
""
server.logFormat📜
Type: string
""
server.resources.requests.memory📜
Type: string
"256Mi"
server.resources.requests.cpu📜
Type: string
"250m"
server.resources.limits.memory📜
Type: string
"256Mi"
server.resources.limits.cpu📜
Type: string
"250m"
server.ingress.enabled📜
Type: bool
false
server.ingress.labels📜
Type: object
{}
server.ingress.annotations📜
Type: object
{}
server.ingress.ingressClassName📜
Type: string
""
server.ingress.pathType📜
Type: string
"Prefix"
server.ingress.activeService📜
Type: bool
true
server.ingress.hosts[0].host📜
Type: string
"chart-example.local"
server.ingress.hosts[0].paths📜
Type: list
[]
server.ingress.extraPaths📜
Type: list
[]
server.ingress.tls📜
Type: list
[]
server.route.enabled📜
Type: bool
false
server.route.activeService📜
Type: bool
true
server.route.labels📜
Type: object
{}
server.route.annotations📜
Type: object
{}
server.route.host📜
Type: string
"chart-example.local"
server.route.tls.termination📜
Type: string
"passthrough"
server.authDelegator.enabled📜
Type: bool
true
server.extraInitContainers📜
Type: string
nil
server.extraContainers📜
Type: string
nil
server.shareProcessNamespace📜
Type: bool
false
server.extraArgs📜
Type: string
""
server.extraPorts📜
Type: string
nil
server.readinessProbe.enabled📜
Type: bool
true
server.readinessProbe.port📜
Type: int
8200
server.readinessProbe.failureThreshold📜
Type: int
2
server.readinessProbe.initialDelaySeconds📜
Type: int
5
server.readinessProbe.periodSeconds📜
Type: int
5
server.readinessProbe.successThreshold📜
Type: int
1
server.readinessProbe.timeoutSeconds📜
Type: int
3
server.livenessProbe.enabled📜
Type: bool
false
server.livenessProbe.path📜
Type: string
"/v1/sys/health?standbyok=true"
server.livenessProbe.port📜
Type: int
8200
server.livenessProbe.failureThreshold📜
Type: int
2
server.livenessProbe.initialDelaySeconds📜
Type: int
60
server.livenessProbe.periodSeconds📜
Type: int
5
server.livenessProbe.successThreshold📜
Type: int
1
server.livenessProbe.timeoutSeconds📜
Type: int
3
server.terminationGracePeriodSeconds📜
Type: int
10
server.preStopSleepSeconds📜
Type: int
5
server.postStart📜
Type: list
[]
server.extraEnvironmentVars📜
Type: object
{}
server.extraSecretEnvironmentVars📜
Type: list
[]
server.extraVolumes📜
Type: list
[]
server.volumes📜
Type: string
nil
server.volumeMounts📜
Type: string
nil
server.affinity📜
Type: string
"podAntiAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n - labelSelector:\n matchLabels:\n app.kubernetes.io/name: {{ template \"vault.name\" . }}\n app.kubernetes.io/instance: \"{{ .Release.Name }}\"\n component: server\n topologyKey: kubernetes.io/hostname\n"
server.topologySpreadConstraints📜
Type: list
[]
server.tolerations📜
Type: list
[]
server.nodeSelector📜
Type: object
{}
server.networkPolicy.enabled📜
Type: bool
false
server.networkPolicy.egress📜
Type: list
[]
server.priorityClassName📜
Type: string
""
server.extraLabels📜
Type: object
{}
server.annotations📜
Type: object
{}
server.service.enabled📜
Type: bool
true
server.service.active.enabled📜
Type: bool
true
server.service.standby.enabled📜
Type: bool
true
server.service.instanceSelector.enabled📜
Type: bool
true
server.service.publishNotReadyAddresses📜
Type: bool
true
server.service.externalTrafficPolicy📜
Type: string
"Cluster"
server.service.port📜
Type: int
8200
server.service.targetPort📜
Type: int
8200
server.service.annotations📜
Type: object
{}
server.dataStorage.enabled📜
Type: bool
true
server.dataStorage.size📜
Type: string
"10Gi"
server.dataStorage.mountPath📜
Type: string
"/vault/data"
server.dataStorage.storageClass📜
Type: string
nil
server.dataStorage.accessMode📜
Type: string
"ReadWriteOnce"
server.dataStorage.annotations📜
Type: object
{}
server.auditStorage.enabled📜
Type: bool
true
server.auditStorage.size📜
Type: string
"10Gi"
server.auditStorage.mountPath📜
Type: string
"/vault/audit"
server.auditStorage.storageClass📜
Type: string
nil
server.auditStorage.accessMode📜
Type: string
"ReadWriteOnce"
server.auditStorage.annotations📜
Type: object
{}
server.dev.enabled📜
Type: bool
false
server.dev.devRootToken📜
Type: string
"root"
server.standalone.enabled📜
Type: string
"-"
server.standalone.config📜
Type: string
"ui = true\n\nlistener \"tcp\" {\n {{- if and .Values.istio.vault.tls.cert .Values.istio.vault.tls.key (not .Values.global.tlsDisable) }}\n tls_disable = 0\n tls_key_file = \"/vault/tls/tls.key\"\n tls_cert_file = \"/vault/tls/tls.crt\"\n {{- else }}\n tls_disable = 1\n {{- end }}\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n # Enable unauthenticated metrics access (necessary for Prometheus Operator)\n #telemetry {\n # unauthenticated_metrics_access = \"true\"\n #}\n}\n\ntelemetry {\n prometheus_retention_time = \"24h\"\n disable_hostname = true\n unauthenticated_metrics_access = true\n}\n\n{{- if .Values.server.dataStorage.enabled }}\nstorage \"raft\" {\n path = \"/vault/data\"\n}\n{{- end }}\n\n{{- if and (not .Values.server.dataStorage.enabled) .Values.minio.enabled }}\nstorage \"s3\" {\n access_key = \"{{ .Values.minio.accessKey }}\"\n secret_key = \"{{ .Values.minio.secretKey }}\"\n endpoint = \"{{ .Values.minio.endpoint }}\"\n bucket = \"{{ .Values.minio.bucketName }}\"\n s3_force_path_style = \"true\"\n disable_ssl = \"{{ .Values.minio.disableSSL }}\"\n}\n{{- end }}\n\n# Example configuration for using auto-unseal, using Google Cloud KMS. The\n# GKMS keys must already exist, and the cluster must have a service account\n# that is authorized to access GCP KMS.\n#seal \"gcpckms\" {\n# project = \"vault-helm-dev\"\n# region = \"global\"\n# key_ring = \"vault-helm-unseal-kr\"\n# crypto_key = \"vault-helm-unseal-key\"\n#}\n\n# Example configuration for enabling Prometheus metrics in your config.\n#telemetry {\n# prometheus_retention_time = \"30s\"\n# disable_hostname = true\n#}\n"
server.ha.enabled📜
Type: bool
false
server.ha.replicas📜
Type: int
3
server.ha.apiAddr📜
Type: string
nil
server.ha.clusterAddr📜
Type: string
nil
server.ha.raft.enabled📜
Type: bool
true
server.ha.raft.setNodeId📜
Type: bool
true
server.ha.raft.config📜
Type: string
"ui = true\n\nlistener \"tcp\" {\n {{- if and .Values.istio.vault.tls.cert .Values.istio.vault.tls.key (not .Values.global.tlsDisable) }}\n tls_disable = 0\n tls_key_file = \"/vault/tls/tls.key\"\n tls_cert_file = \"/vault/tls/tls.crt\"\n {{- else }}\n tls_disable = 1\n {{- end }}\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n # Enable unauthenticated metrics access (necessary for Prometheus Operator)\n #telemetry {\n # unauthenticated_metrics_access = \"true\"\n #}\n}\n\nstorage \"raft\" {\n path = \"/vault/data\"\n}\n\ntelemetry {\n prometheus_retention_time = \"24h\"\n disable_hostname = true\n unauthenticated_metrics_access = true\n}\n\n\nservice_registration \"kubernetes\" {}\n"
server.ha.config📜
Type: string
"ui = true\n\nlistener \"tcp\" {\n {{- if and .Values.istio.vault.tls.cert .Values.istio.vault.tls.key (not .Values.global.tlsDisable) }}\n tls_disable = 0\n tls_key_file = \"/vault/tls/tls.key\"\n tls_cert_file = \"/vault/tls/tls.crt\"\n {{- else }}\n tls_disable = 1\n {{- end }}\n address = \"[::]:8200\"\n cluster_address = \"[::]:8201\"\n}\nstorage \"consul\" {\n path = \"vault\"\n address = \"HOST_IP:8500\"\n}\n\nservice_registration \"kubernetes\" {}\n\n# Example configuration for using auto-unseal, using Google Cloud KMS. The\n# GKMS keys must already exist, and the cluster must have a service account\n# that is authorized to access GCP KMS.\n#seal \"gcpckms\" {\n# project = \"vault-helm-dev-246514\"\n# region = \"global\"\n# key_ring = \"vault-helm-unseal-kr\"\n# crypto_key = \"vault-helm-unseal-key\"\n#}\n\n# Example configuration for enabling Prometheus metrics.\n# If you are using Prometheus Operator you can enable a ServiceMonitor resource below.\n# You may wish to enable unauthenticated metrics in the listener block above.\n#telemetry {\n# prometheus_retention_time = \"30s\"\n# disable_hostname = true\n#}\n"
server.ha.disruptionBudget.enabled📜
Type: bool
true
server.ha.disruptionBudget.maxUnavailable📜
Type: string
nil
server.serviceAccount.create📜
Type: bool
true
server.serviceAccount.name📜
Type: string
""
server.serviceAccount.annotations📜
Type: object
{}
server.serviceAccount.extraLabels📜
Type: object
{}
server.serviceAccount.serviceDiscovery.enabled📜
Type: bool
true
server.statefulSet.annotations📜
Type: object
{}
server.statefulSet.securityContext.pod📜
Type: object
{}
server.statefulSet.securityContext.container.capabilities.drop[0]📜
Type: string
"ALL"
server.hostNetwork📜
Type: bool
false
ui.enabled📜
Type: bool
true
ui.publishNotReadyAddresses📜
Type: bool
true
ui.activeVaultPodOnly📜
Type: bool
false
ui.serviceType📜
Type: string
"ClusterIP"
ui.serviceNodePort📜
Type: string
nil
ui.externalPort📜
Type: int
8200
ui.targetPort📜
Type: int
8200
ui.externalTrafficPolicy📜
Type: string
"Cluster"
ui.annotations📜
Type: object
{}
csi.enabled📜
Type: bool
false
csi.image.repository📜
Type: string
"registry1.dso.mil/ironbank/hashicorp/vault-csi-provider"
csi.image.tag📜
Type: string
"v1.4.2"
csi.image.pullPolicy📜
Type: string
"IfNotPresent"
csi.volumes📜
Type: string
nil
csi.volumeMounts📜
Type: string
nil
csi.resources.requests.cpu📜
Type: string
"50m"
csi.resources.requests.memory📜
Type: string
"128Mi"
csi.resources.limits.cpu📜
Type: string
"50m"
csi.resources.limits.memory📜
Type: string
"128Mi"
csi.hmacSecretName📜
Type: string
""
csi.daemonSet.updateStrategy.type📜
Type: string
"RollingUpdate"
csi.daemonSet.updateStrategy.maxUnavailable📜
Type: string
""
csi.daemonSet.annotations📜
Type: object
{}
csi.daemonSet.providersDir📜
Type: string
"/etc/kubernetes/secrets-store-csi-providers"
csi.daemonSet.kubeletRootDir📜
Type: string
"/var/lib/kubelet"
csi.daemonSet.extraLabels📜
Type: object
{}
csi.daemonSet.securityContext.pod📜
Type: object
{}
csi.daemonSet.securityContext.container.capabilities.drop[0]📜
Type: string
"ALL"
csi.pod.annotations📜
Type: object
{}
csi.pod.tolerations📜
Type: list
[]
csi.pod.nodeSelector📜
Type: object
{}
csi.pod.affinity📜
Type: object
{}
csi.pod.extraLabels📜
Type: object
{}
csi.agent.enabled📜
Type: bool
true
csi.agent.extraArgs📜
Type: list
[]
csi.agent.image.repository📜
Type: string
"registry1.dso.mil/ironbank/hashicorp/vault"
csi.agent.image.tag📜
Type: string
"1.14.10"
csi.agent.image.pullPolicy📜
Type: string
"IfNotPresent"
csi.agent.logFormat📜
Type: string
"standard"
csi.agent.logLevel📜
Type: string
"info"
csi.agent.resources.requests.memory📜
Type: string
"256Mi"
csi.agent.resources.requests.cpu📜
Type: string
"250m"
csi.agent.resources.limits.memory📜
Type: string
"256Mi"
csi.agent.resources.limits.cpu📜
Type: string
"250m"
csi.priorityClassName📜
Type: string
""
csi.serviceAccount.annotations📜
Type: object
{}
csi.serviceAccount.extraLabels📜
Type: object
{}
csi.readinessProbe.failureThreshold📜
Type: int
2
csi.readinessProbe.initialDelaySeconds📜
Type: int
5
csi.readinessProbe.periodSeconds📜
Type: int
5
csi.readinessProbe.successThreshold📜
Type: int
1
csi.readinessProbe.timeoutSeconds📜
Type: int
3
csi.livenessProbe.failureThreshold📜
Type: int
2
csi.livenessProbe.initialDelaySeconds📜
Type: int
5
csi.livenessProbe.periodSeconds📜
Type: int
5
csi.livenessProbe.successThreshold📜
Type: int
1
csi.livenessProbe.timeoutSeconds📜
Type: int
3
csi.debug📜
Type: bool
false
csi.extraArgs📜
Type: list
[]
domain📜
Type: string
"bigbang.dev"
monitoring.enabled📜
Type: bool
false
monitoring.namespace📜
Type: string
"monitoring"
networkPolicies.enabled📜
Type: bool
false
networkPolicies.controlPlaneCidr📜
Type: string
"0.0.0.0/0"
networkPolicies.vpcCidr📜
Type: string
"0.0.0.0/0"
networkPolicies.ingressLabels.app📜
Type: string
"istio-ingressgateway"
networkPolicies.ingressLabels.istio📜
Type: string
"ingressgateway"
networkPolicies.additionalPolicies📜
Type: list
[]
autoInit.enabled📜
Type: bool
true
autoInit.image.repository📜
Type: string
"registry1.dso.mil/ironbank/big-bang/base"
autoInit.image.tag📜
Type: string
"2.1.0"
autoInit.storage.size📜
Type: string
"2Gi"
istio.enabled📜
Type: bool
false
istio.hardened.enabled📜
Type: bool
false
istio.hardened.customAuthorizationPolicies📜
Type: list
[]
istio.hardened.monitoring.enabled📜
Type: bool
true
istio.hardened.monitoring.namespaces[0]📜
Type: string
"monitoring"
istio.hardened.monitoring.principals[0]📜
Type: string
"cluster.local/ns/monitoring/sa/monitoring-grafana"
istio.hardened.monitoring.principals[1]📜
Type: string
"cluster.local/ns/monitoring/sa/monitoring-monitoring-kube-alertmanager"
istio.hardened.monitoring.principals[2]📜
Type: string
"cluster.local/ns/monitoring/sa/monitoring-monitoring-kube-operator"
istio.hardened.monitoring.principals[3]📜
Type: string
"cluster.local/ns/monitoring/sa/monitoring-monitoring-kube-prometheus"
istio.hardened.monitoring.principals[4]📜
Type: string
"cluster.local/ns/monitoring/sa/monitoring-monitoring-kube-state-metrics"
istio.hardened.monitoring.principals[5]📜
Type: string
"cluster.local/ns/monitoring/sa/monitoring-monitoring-prometheus-node-exporter"
istio.hardened.apiAccess.enabled📜
Type: bool
true
istio.hardened.apiAccess.ports[0]📜
Type: string
"8200"
istio.vault.enabled📜
Type: bool
true
istio.vault.gateways[0]📜
Type: string
"istio-system/main"
istio.vault.hosts[0]📜
Type: string
"vault.{{ .Values.domain }}"
istio.vault.tls.cert📜
Type: string
""
istio.vault.tls.key📜
Type: string
""
istio.mtls.mode📜
Type: string
"STRICT"
minio.enabled📜
Type: bool
false
customAppIngressSelector.key📜
Type: string
"vault-ingress"
customAppIngressSelector.value📜
Type: bool
true
serverTelemetry.serviceMonitor.enabled📜
Type: bool
false
serverTelemetry.serviceMonitor.selectors📜
Type: object
{}
serverTelemetry.serviceMonitor.interval📜
Type: string
"30s"
serverTelemetry.serviceMonitor.scrapeTimeout📜
Type: string
"10s"
serverTelemetry.prometheusRules.enabled📜
Type: bool
false
serverTelemetry.prometheusRules.selectors📜
Type: object
{}
serverTelemetry.prometheusRules.rules📜
Type: list
[]
bbtests.enabled📜
Type: bool
false
bbtests.cypress.resources.requests.cpu📜
Type: int
1
bbtests.cypress.resources.requests.memory📜
Type: string
"8Gi"
bbtests.cypress.resources.limits.cpu📜
Type: int
1
bbtests.cypress.resources.limits.memory📜
Type: string
"8Gi"
bbtests.cypress.artifacts📜
Type: bool
true
bbtests.cypress.envs.cypress_vault_url📜
Type: string
"http://vault.vault.svc:8200"
bbtests.cypress.secretEnvs[0].name📜
Type: string
"cypress_token"
bbtests.cypress.secretEnvs[0].valueFrom.secretKeyRef.name📜
Type: string
"vault-token"
bbtests.cypress.secretEnvs[0].valueFrom.secretKeyRef.key📜
Type: string
"key"
bbtests.cypress.disableDefaultTests📜
Type: bool
false
openshift📜
Type: bool
false