1# Copyright IBM Corp. 2018, 2026
2# SPDX-License-Identifier: MPL-2.0
4# Available parameters and their default values for the Vault chart.
7 # enabled is the master enabled switch. Setting this to true or false
8 # will enable or disable all the components within this chart by default.
10 # The namespace to deploy to. Defaults to the `helm` installation namespace.
12 # Image pull secret to use for registry authentication.
13 # Alternatively, the value may be specified as an array of strings.
16 # - name: image-pull-secret
18 # TLS for end-to-end encrypted transport
20 # External vault server address for the injector and CSI provider to use.
21 # Setting this will disable deployment of a vault server.
23 # If deploying to OpenShift
25 # Create PodSecurityPolicy for pods
28 # Annotation for PodSecurityPolicy.
29 # This is a multi-line templated string map, and can also be set as YAML.
31 seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default
32 apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
33 seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
34 apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
36 # Enable integration with the Prometheus Operator
37 # See the top level serverTelemetry section below before enabling this feature.
38 prometheusOperator: false
40 # True if you want to enable vault agent injection.
41 # @default: global.enabled
44 # Configures the port the injector should listen on
46 # If multiple replicas are specified, by default a leader will be determined
47 # so that only one injector attempts to create TLS certificates.
50 # If true, will enable a node exporter metrics endpoint at /metrics.
53 # Deprecated: Please use global.externalVaultAddr instead.
55 # image sets the repo and tag of the vault-k8s image to use for the injector.
57 repository: cgr.dev/chainguard-private/vault-k8s
58 tag: latest@sha256:9e1dac68dbdcac3a708dcf516a2b41ada0e0cb1adc1a25dc9a9933dd603000cf
59 pullPolicy: IfNotPresent
60 # agentImage sets the repo and tag of the Vault image to use for the Vault Agent
61 # containers. This should be set to the official Vault image. Vault 1.3.1+ is
64 repository: cgr.dev/chainguard-private/vault
65 tag: latest@sha256:17faa0ac104146587d4a9906ce17bd06b10064cc187a328a5393170df71aa8cb
66 # The default values for the injected Vault Agent containers.
68 # For more information on configuring resources, see the K8s documentation:
69 # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
74 # ephemeralLimit: "128Mi"
75 # ephemeralRequest: "64Mi"
77 # Default template type for secrets when no custom template is specified.
78 # Possible values include: "json" and "map".
80 # Default values within Agent's template_config stanza.
82 exitOnRetryFailure: true
83 staticSecretRenderInterval: ""
84 # Used to define custom livenessProbe settings
86 # When a probe fails, Kubernetes will try failureThreshold times before giving up
88 # Number of seconds after the container has started before probe initiates
89 initialDelaySeconds: 5
90 # How often (in seconds) to perform the probe
92 # Minimum consecutive successes for the probe to be considered successful after having failed
94 # Number of seconds after which the probe times out.
96 # Used to define custom readinessProbe settings
98 # When a probe fails, Kubernetes will try failureThreshold times before giving up
100 # Number of seconds after the container has started before probe initiates
101 initialDelaySeconds: 5
102 # How often (in seconds) to perform the probe
104 # Minimum consecutive successes for the probe to be considered successful after having failed
106 # Number of seconds after which the probe times out.
108 # Used to define custom startupProbe settings
110 # When a probe fails, Kubernetes will try failureThreshold times before giving up
112 # Number of seconds after the container has started before probe initiates
113 initialDelaySeconds: 5
114 # How often (in seconds) to perform the probe
116 # Minimum consecutive successes for the probe to be considered successful after having failed
118 # Number of seconds after which the probe times out.
120 # Mount Path of the Vault Kubernetes Auth Method.
121 authPath: "auth/kubernetes"
122 # Configures the log verbosity of the injector.
123 # Supported log levels include: trace, debug, info, warn, error
125 # Configures the log format of the injector. Supported log formats: "standard", "json".
126 logFormat: "standard"
127 # Configures all Vault Agent sidecars to revoke their token when shutting down
128 revokeOnShutdown: false
130 # Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the
131 # API Version of the WebHook.
132 # To block pod creation while the webhook is unavailable, set the policy to `Fail` below.
133 # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy
135 failurePolicy: Ignore
136 # matchPolicy specifies the approach to accepting changes based on the rules of
137 # the MutatingWebhookConfiguration.
138 # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy
142 # timeoutSeconds is the amount of seconds before the webhook request will be ignored
144 # If it is ignored or fails depends on the failurePolicy
145 # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#timeouts
149 # namespaceSelector is the selector for restricting the webhook to only
150 # specific namespaces.
151 # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
156 # sidecar-injector: enabled
157 namespaceSelector: {}
158 # objectSelector is the selector for restricting the webhook to only
160 # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector
165 # vault-sidecar-injector: enabled
168 - key: app.kubernetes.io/name
171 - {{ template "vault.name" . }}-agent-injector
172 # Extra annotations to attach to the webhook
174 # Deprecated: please use 'webhook.failurePolicy' instead
175 # Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the
176 # API Version of the WebHook.
177 # To block pod creation while webhook is unavailable, set the policy to `Fail` below.
178 # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy
180 failurePolicy: Ignore
181 # Deprecated: please use 'webhook.namespaceSelector' instead
182 # namespaceSelector is the selector for restricting the webhook to only
183 # specific namespaces.
184 # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
189 # sidecar-injector: enabled
190 namespaceSelector: {}
191 # Deprecated: please use 'webhook.objectSelector' instead
192 # objectSelector is the selector for restricting the webhook to only
194 # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector
199 # vault-sidecar-injector: enabled
201 # Deprecated: please use 'webhook.annotations' instead
202 # Extra annotations to attach to the webhook
203 webhookAnnotations: {}
205 # secretName is the name of the secret that has the TLS certificate and
206 # private key to serve the injector webhook. If this is null, then the
207 # injector will default to its automatic management mode that will assign
208 # a service account to the injector to generate its own certificates.
210 # caBundle is a base64-encoded PEM-encoded certificate bundle for the CA
211 # that signed the TLS certificate that the webhook serves. This must be set
212 # if secretName is non-null unless an external service like cert-manager is
213 # keeping the caBundle updated.
215 # certName and keyName are the names of the files within the secret for
216 # the TLS cert and private key, respectively. These have reasonable
217 # defaults but can be customized if necessary.
220 # Security context for the pod template and the injector container
221 # The default pod securityContext is:
223 # runAsGroup: {{ .Values.injector.gid | default 1000 }}
224 # runAsUser: {{ .Values.injector.uid | default 100 }}
225 # fsGroup: {{ .Values.injector.gid | default 1000 }}
226 # and for container is
227 # allowPrivilegeEscalation: false
243 # extraEnvironmentVars is a list of extra environment variables to set in the
244 # injector deployment.
245 extraEnvironmentVars: {}
246 # KUBERNETES_SERVICE_HOST: kubernetes.default.svc
248 # Affinity Settings for injector pods
249 # This can either be a multi-line string or YAML matching the PodSpec's affinity field.
250 # Commenting out or setting as empty the affinity variable, will allow
251 # deployment of multiple replicas to single node services such as Minikube.
254 requiredDuringSchedulingIgnoredDuringExecution:
257 app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
258 app.kubernetes.io/instance: "{{ .Release.Name }}"
260 topologyKey: kubernetes.io/hostname
261 # Topology settings for injector pods
262 # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
263 # This should be either a multi-line string or YAML matching the topologySpreadConstraints array
265 topologySpreadConstraints: []
266 # Toleration Settings for injector pods
267 # This should be either a multi-line string or YAML matching the Toleration array
270 # nodeSelector labels for server pod assignment, formatted as a multi-line string or YAML map.
271 # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
274 # beta.kubernetes.io/arch: amd64
276 # Priority class for injector pods
277 priorityClassName: ""
278 # Extra annotations to attach to the injector pods
279 # This can either be YAML or a YAML-formatted multi-line templated string map
280 # of the annotations to apply to the injector pods
282 # Extra labels to attach to the agent-injector
283 # This should be a YAML map of the labels to apply to the injector
285 # Should the injector pods run on the host network (useful when using
286 # an alternate CNI in EKS)
288 # Injector service specific config
290 # Extra annotations to attach to the injector service
292 # Injector serviceAccount specific config
294 # Extra annotations to attach to the injector serviceAccount
296 # A disruption budget limits the number of pods of a replicated application
297 # that are down simultaneously from voluntary disruptions
298 podDisruptionBudget: {}
299 # podDisruptionBudget:
302 # strategy for updating the deployment. This can be a multi-line string or a
308 # maxUnavailable: 25%
309 # type: RollingUpdate
311 # If true, or "-" with global.enabled true, Vault server will be installed.
312 # See vault.mode in _helpers.tpl for implementation details.
314 # [Enterprise Only] This value refers to a Kubernetes secret that you have
315 # created that contains your enterprise license. If you are not using an
316 # enterprise image or if you plan to introduce the license key via another
317 # route, then leave secretName blank ("") or set it to null.
318 # Requires Vault Enterprise 1.8 or later.
320 # The name of the Kubernetes secret that holds the enterprise license. The
321 # secret must be in the same namespace that Vault is installed into.
323 # The key within the Kubernetes secret that holds the enterprise license.
325 # OpenShift service-ca operator integration
326 # Automates TLS certificate generation via the service-ca operator
328 # Enable service-ca operator annotations and ConfigMap creation
329 # Requires: global.openshift=true
331 # Secret name where service-ca will store the generated certificate
332 # IMPORTANT: Must match the secret name in server.volumes below
333 secretName: "vault-tls"
334 # ConfigMap name for service-ca CA bundle injection
335 # IMPORTANT: Must match the ConfigMap name in server.volumes below
336 configMapName: "service-ca-bundle"
337 # IMPORTANT: Configure server.volumes, server.volumeMounts, AND server config to use service-ca
339 # Step 1: Mount the service-ca resources as volumes
343 # secretName: vault-tls # Must match serviceCA.secretName above
344 # - name: service-ca-bundle
346 # name: service-ca-bundle # Must match serviceCA.configMapName above
350 # mountPath: /vault/userconfig/vault-tls
352 # - name: service-ca-bundle
353 # mountPath: /vault/userconfig/service-ca-bundle
356 # Step 2: Configure Vault listener to use the certificates (in server.ha.config or server.ha.raft.config)
359 # address = "[::]:8200"
360 # cluster_address = "[::]:8201"
361 # tls_cert_file = "/vault/userconfig/vault-tls/tls.crt"
362 # tls_key_file = "/vault/userconfig/vault-tls/tls.key"
363 # tls_client_ca_file = "/vault/userconfig/service-ca-bundle/service-ca.crt"
366 repository: cgr.dev/chainguard-private/vault
367 tag: latest@sha256:17faa0ac104146587d4a9906ce17bd06b10064cc187a328a5393170df71aa8cb
368 # Overrides the default Image Pull Policy
369 pullPolicy: IfNotPresent
370 # Configure the Update Strategy Type for the StatefulSet
371 # See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
372 updateStrategyType: "OnDelete"
373 # Configure the logging verbosity for the Vault server.
374 # Supported log levels include: trace, debug, info, warn, error
376 # Configure the logging format for the Vault server.
377 # Supported log formats include: standard, json
379 # Resource requests, limits, etc. for the server cluster placement. This
380 # should map directly to the value of the resources field for a PodSpec.
381 # By default no direct resource request is made.
391 # Ingress allows ingress services to be created to allow external access
392 # from Kubernetes to access Vault pods.
393 # If deployment is on OpenShift, the following block is ignored.
394 # In order to expose the service, use the route section below
401 # kubernetes.io/ingress.class: nginx
402 # kubernetes.io/tls-acme: "true"
404 # kubernetes.io/ingress.class: nginx
405 # kubernetes.io/tls-acme: "true"
407 # Optionally use ingressClassName instead of deprecated annotation.
408 # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#deprecated-annotation
410 # As of Kubernetes 1.19, all Ingress Paths must have a pathType configured. The default value below should be sufficient in most cases.
411 # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types for other possible values.
413 # When HA mode is enabled and K8s service registration is being used,
414 # configure the ingress to point to the Vault active service.
417 - host: chart-example.local
419 ## Extra paths to prepend to the host configuration. This is useful when working with annotation based services.
426 # number: use-annotation
428 # - secretName: chart-example-tls
430 # - chart-example.local
439 # Keep in mind parentRefs field is required
441 # - name: vault-gateway-example
442 # namespace: example-ns
448 ## Filters define the filters that are applied to requests that match this rule.
450 ## Additional custom rules that can be added to the route
452 # hostAliases is a list of aliases to be added to /etc/hosts. Specified as a YAML list.
456 # - chart-example.local
458 # OpenShift only - create a route to expose the service
459 # By default the created route will be of type passthrough
462 # When HA mode is enabled and K8s service registration is being used,
463 # configure the route to point to the Vault active service.
467 host: chart-example.local
468 # tls will be passed directly to the route's TLS config, which
469 # can be used to configure other termination methods that terminate
472 termination: passthrough
473 # authDelegator enables a cluster role binding to be attached to the service
474 # account. This cluster role binding can be used to setup Kubernetes auth
475 # method. See https://developer.hashicorp.com/vault/docs/auth/kubernetes
478 # extraInitContainers is a list of init containers. Specified as a YAML list.
479 # This is useful if you need to run a script to provision TLS certificates or
480 # write out configuration files in a dynamic way.
481 extraInitContainers: null
482 # # This example installs a plugin pulled from github into the /usr/local/libexec/vault/oauthapp folder,
483 # # which is defined in the volumes value.
489 # wget https://github.com/puppetlabs/vault-plugin-secrets-oauthapp/releases/download/v1.2.0/vault-plugin-secrets-oauthapp-v1.2.0-linux-amd64.tar.xz -O oauthapp.xz &&
490 # tar -xf oauthapp.xz &&
491 # mv vault-plugin-secrets-oauthapp-v1.2.0-linux-amd64 /usr/local/libexec/vault/oauthapp &&
492 # chmod +x /usr/local/libexec/vault/oauthapp
495 # mountPath: /usr/local/libexec/vault
497 # extraContainers is a list of sidecar containers. Specified as a YAML list.
498 extraContainers: null
499 # shareProcessNamespace enables process namespace sharing between Vault and the extraContainers
500 # This is useful if Vault must be signaled, e.g. to send a SIGHUP for a log rotation
501 shareProcessNamespace: false
502 # extraArgs is a string containing additional Vault server arguments.
504 # extraPorts is a list of extra ports. Specified as a YAML list.
505 # This is useful if you need to add additional ports to the statefulset in dynamic way.
507 # - containerPort: 8300
508 # name: http-monitoring
510 # Used to define custom readinessProbe settings
513 # If you need to use a http path instead of the default exec
514 # path: /v1/sys/health?standbyok=true
516 # Port number on which readinessProbe will be checked.
518 # When a probe fails, Kubernetes will try failureThreshold times before giving up
520 # Number of seconds after the container has started before probe initiates
521 initialDelaySeconds: 5
522 # How often (in seconds) to perform the probe
524 # Minimum consecutive successes for the probe to be considered successful after having failed
526 # Number of seconds after which the probe times out.
528 # Used to enable a livenessProbe for the pods
531 # Used to define a liveness exec command. If provided, exec is preferred to httpGet (path) as the livenessProbe handler.
535 # - /vault/userconfig/mylivenessscript/run.sh
536 # Path for the livenessProbe to use httpGet as the livenessProbe handler
537 path: "/v1/sys/health?standbyok=true"
538 # Port number on which livenessProbe will be checked if httpGet is used as the livenessProbe handler
540 # When a probe fails, Kubernetes will try failureThreshold times before giving up
542 # Number of seconds after the container has started before probe initiates
543 initialDelaySeconds: 60
544 # How often (in seconds) to perform the probe
546 # Minimum consecutive successes for the probe to be considered successful after having failed
548 # Number of seconds after which the probe times out.
550 # Optional duration in seconds the pod needs to terminate gracefully.
551 # See: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
552 terminationGracePeriodSeconds: 10
553 # Used to set the sleep time during the preStop step, if custom preStop
554 # commands are not set.
555 preStopSleepSeconds: 5
556 # Used to define custom preStop exec commands to run before the pod is
557 # terminated. If not set, this will default to:
561 # - "sleep {{ .Values.server.preStopSleepSeconds }} && kill -SIGTERM $(pidof vault)"
563 # Used to define commands to run after the pod is ready.
564 # This can be used to automate processes such as initialization
565 # or boostrapping auth methods.
569 # - /vault/userconfig/myscript/run.sh
571 # extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be
572 # used to include variables required for auto-unseal.
573 extraEnvironmentVars: {}
574 # GOOGLE_REGION: global
575 # GOOGLE_PROJECT: myproject
576 # GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/myproject/myproject-creds.json
578 # extraSecretEnvironmentVars is a list of extra environment variables to set with the stateful set.
579 # These variables take value from existing Secret objects.
580 extraSecretEnvironmentVars: []
581 # - envName: AWS_SECRET_ACCESS_KEY
583 # secretKey: AWS_SECRET_ACCESS_KEY
585 # Deprecated: please use 'volumes' instead.
586 # extraVolumes is a list of extra volumes to mount. These will be exposed
587 # to Vault in the path `/vault/userconfig/<name>/`. The value below is
588 # an array of objects, examples are shown below.
590 # - type: secret (or "configMap")
592 # path: null # default is `/vault/userconfig`
594 # volumes is a list of volumes made available to all containers. These are rendered
595 # via toYaml rather than pre-processed like the extraVolumes value.
596 # The purpose is to make it easy to share volumes between containers.
601 # volumeMounts is a list of volumeMounts for the main server container. These are rendered
602 # via toYaml rather than pre-processed like the extraVolumes value.
603 # The purpose is to make it easy to share volumes between containers.
605 # - mountPath: /usr/local/libexec/vault
610 # Commenting out or setting as empty the affinity variable, will allow
611 # deployment to single node services such as Minikube
612 # This should be either a multi-line string or YAML matching the PodSpec's affinity field.
615 requiredDuringSchedulingIgnoredDuringExecution:
618 app.kubernetes.io/name: {{ template "vault.name" . }}
619 app.kubernetes.io/instance: "{{ .Release.Name }}"
621 topologyKey: kubernetes.io/hostname
622 # Topology settings for server pods
623 # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
624 # This should be either a multi-line string or YAML matching the topologySpreadConstraints array
626 topologySpreadConstraints: []
627 # Toleration Settings for server pods
628 # This should be either a multi-line string or YAML matching the Toleration array
631 # nodeSelector labels for server pod assignment, formatted as a multi-line string or YAML map.
632 # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
635 # beta.kubernetes.io/arch: amd64
637 # Enables network policy for server pods
650 - namespaceSelector: {}
656 # Priority class for server pods
657 priorityClassName: ""
658 # Extra labels to attach to the server pods
659 # This should be a YAML map of the labels to apply to the server pods
661 # Extra annotations to attach to the server pods
662 # This can either be YAML or a YAML-formatted multi-line templated string map
663 # of the annotations to apply to the server pods
665 # Add an annotation to the server configmap and the statefulset pods,
666 # vaultproject.io/config-checksum, that is a hash of the Vault configuration.
667 # This can be used together with an OnDelete deployment strategy to help
668 # identify which pods still need to be deleted during a deployment to pick up
669 # any configuration changes.
670 includeConfigAnnotation: false
671 # Enables a headless service to be used by the Vault Statefulset
674 # Enable or disable the vault-active service, which selects Vault pods that
675 # have labeled themselves as the cluster leader with `vault-active: "true"`.
678 # Extra annotations for the service definition. This can either be YAML or a
679 # YAML-formatted multi-line templated string map of the annotations to apply
680 # to the active service.
682 # Enable or disable the vault-standby service, which selects Vault pods that
683 # have labeled themselves as a cluster follower with `vault-active: "false"`.
686 # Extra annotations for the service definition. This can either be YAML or a
687 # YAML-formatted multi-line templated string map of the annotations to apply
688 # to the standby service.
690 # If enabled, the service selectors will include `app.kubernetes.io/instance: {{ .Release.Name }}`
691 # When disabled, services may select Vault pods not deployed from the chart.
692 # Does not affect the headless vault-internal service with `ClusterIP: None`
695 # clusterIP controls whether a Cluster IP address is attached to the
696 # Vault service within Kubernetes. By default, the Vault service will
697 # be given a Cluster IP address, set to None to disable. When disabled
698 # Kubernetes will create a "headless" service. Headless services can be
699 # used to communicate with pods directly through DNS instead of a round-robin
703 # Configures the service type for the main Vault service. Can be ClusterIP
707 # The IP family and IP families options are to set the behaviour in a dual-stack environment.
708 # Omitting these values will let the service fall back to whatever the CNI dictates the defaults
710 # These are only supported for kubernetes versions >=1.23.0
712 # Configures the service's supported IP family policy, can be either:
713 # SingleStack: Single-stack service. The control plane allocates a cluster IP for the Service, using the first configured service cluster IP range.
714 # PreferDualStack: Allocates IPv4 and IPv6 cluster IPs for the Service.
715 # RequireDualStack: Allocates Service .spec.ClusterIPs from both IPv4 and IPv6 address ranges.
717 # Sets the families that should be supported and the order in which they should be applied to ClusterIP as well.
718 # Can be IPv4 and/or IPv6.
720 # Do not wait for pods to be ready before including them in the services'
721 # targets. Does not apply to the headless service, which is used for
722 # cluster-internal communication.
723 publishNotReadyAddresses: true
724 # The externalTrafficPolicy can be set to either Cluster or Local
725 # and is only valid for LoadBalancer and NodePort service types.
726 # The default value is Cluster.
727 # ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-traffic-policy
728 externalTrafficPolicy: Cluster
729 # If type is set to "NodePort", a specific nodePort value can be configured,
730 # will be random if left blank.
733 # When HA mode is enabled
734 # If type is set to "NodePort", a specific nodePort value can be configured,
735 # will be random if left blank.
736 #activeNodePort: 30001
738 # When HA mode is enabled
739 # If type is set to "NodePort", a specific nodePort value can be configured,
740 # will be random if left blank.
741 #standbyNodePort: 30002
743 # Port on which Vault server is listening
745 # Target port to which the service should be mapped to
747 # Extra annotations for the service definition. This can either be YAML or a
748 # YAML-formatted multi-line templated string map of the annotations to apply
751 # This configures the Vault Statefulset to create a PVC for data
752 # storage when using the file or raft backend storage engines.
753 # See https://developer.hashicorp.com/vault/docs/configuration/storage to know more
756 # Size of the PVC created
758 # Location where the PVC will be mounted.
759 mountPath: "/vault/data"
760 # Name of the storage class to use. If null it will use the
761 # configured default Storage Class.
763 # Access Mode of the storage device being used for the PVC
764 accessMode: ReadWriteOnce
765 # Annotations to apply to the PVC
767 # Labels to apply to the PVC
769 # Persistent Volume Claim (PVC) retention policy
770 # ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention
772 # persistentVolumeClaimRetentionPolicy:
773 # whenDeleted: Retain
775 persistentVolumeClaimRetentionPolicy: {}
776 # This configures the Vault Statefulset to create a PVC for audit
777 # logs. Once Vault is deployed, initialized, and unsealed, Vault must
778 # be configured to use this for audit logs. This will be mounted to
780 # See https://developer.hashicorp.com/vault/docs/audit to know more
783 # Size of the PVC created
785 # Location where the PVC will be mounted.
786 mountPath: "/vault/audit"
787 # Name of the storage class to use. If null it will use the
788 # configured default Storage Class.
790 # Access Mode of the storage device being used for the PVC
791 accessMode: ReadWriteOnce
792 # Annotations to apply to the PVC
794 # Labels to apply to the PVC
796 # Run Vault in "dev" mode. This requires no further setup, no state management,
797 # and no initialization. This is useful for experimenting with Vault without
798 # needing to unseal, store keys, et. al. All data is lost on restart - do not
799 # use dev mode for anything other than experimenting.
800 # See https://developer.hashicorp.com/vault/docs/concepts/dev-server to know more
803 # Set VAULT_DEV_ROOT_TOKEN_ID value
805 # Run Vault in "standalone" mode. This is the default mode that will deploy if
806 # no arguments are given to helm. This requires a PVC for data storage to use
807 # the "file" backend. This mode is not highly available and should not be scaled
808 # past a single replica.
811 # config is a raw string of default configuration when using a Stateful
812 # deployment. Default is to use a PersistentVolumeClaim mounted at /vault/data
813 # and store data there. This is only used when using a Replica count of 1, and
814 # using a stateful set. Supported formats are HCL and JSON.
816 # Note: Configuration files are stored in ConfigMaps so sensitive data
817 # such as passwords should be either mounted through extraSecretEnvironmentVars
818 # or through a Kube secret. For more information see:
819 # https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
825 address = "[::]:8200"
826 cluster_address = "[::]:8201"
827 # Enable unauthenticated metrics access (necessary for Prometheus Operator)
829 # unauthenticated_metrics_access = "true"
836 # Example configuration for using auto-unseal, using Google Cloud KMS. The
837 # GKMS keys must already exist, and the cluster must have a service account
838 # that is authorized to access GCP KMS.
840 # project = "vault-helm-dev"
842 # key_ring = "vault-helm-unseal-kr"
843 # crypto_key = "vault-helm-unseal-key"
846 # Example configuration for enabling Prometheus metrics in your config.
848 # prometheus_retention_time = "30s"
849 # disable_hostname = true
851 # Run Vault in "HA" mode. There are no storage requirements unless the audit log
852 # persistence is required. In HA mode Vault will configure itself to use Consul
853 # for its storage backend. The default configuration provided will work the Consul
854 # Helm project by default. It is possible to manually configure Vault to use a
855 # different HA backend.
859 # Set the api_addr configuration for Vault HA
860 # See https://developer.hashicorp.com/vault/docs/configuration#api_addr
861 # If set to null, this will be set to the Pod IP Address
863 # Set the cluster_addr configuration for Vault HA
864 # See https://developer.hashicorp.com/vault/docs/configuration#cluster_addr
865 # If set to null, this will be set to https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201
867 # Enables Vault's integrated Raft storage. Unlike the typical HA modes where
868 # Vault's persistence is external (such as Consul), enabling Raft mode will create
869 # persistent volumes for Vault to store data according to the configuration under server.dataStorage.
870 # The Vault cluster will coordinate leader elections and failovers internally.
872 # Enables Raft integrated storage
874 # Set the Node Raft ID to the name of the pod
876 # Vault Enterprise Redundancy Zones
877 # Enables automatic zone detection for Vault Enterprise autopilot redundancy zones.
879 # - Kubernetes 1.35+ (PodTopologyLabelsAdmission enabled by default)
881 # - server.ha.enabled=true and server.ha.raft.enabled=true
882 # - Nodes labeled with topology.kubernetes.io/zone
883 # - VAULT_REDUNDANCY_ZONE placeholder in server.ha.raft.config
884 # - server.topologySpreadConstraints with topology.kubernetes.io/zone (optional but recommended for proper zone separation)
886 # - The zone label from the node is exposed as VAULT_REDUNDANCY_ZONE
887 # environment variable and substituted into the raft config.
888 # - The PDB maxUnavailable defaults to 1 (instead of ⌊(n-1)/2⌋) because
889 # the PDB cannot distinguish voting from non-voting pods. Override with
890 # server.ha.disruptionBudget.maxUnavailable if needed.
891 # See: https://developer.hashicorp.com/vault/docs/enterprise/redundancy-zones
894 # Note: Configuration files are stored in ConfigMaps so sensitive data
895 # such as passwords should be either mounted through extraSecretEnvironmentVars
896 # or through a Kube secret. For more information see:
897 # https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
898 # Supported formats are HCL and JSON.
904 address = "[::]:8200"
905 cluster_address = "[::]:8201"
906 # Enable unauthenticated metrics access (necessary for Prometheus Operator)
908 # unauthenticated_metrics_access = "true"
914 # Uncomment for Vault Enterprise redundancy zones (requires server.ha.raft.redundancyZones.enabled = true)
915 # autopilot_redundancy_zone = "VAULT_REDUNDANCY_ZONE"
918 service_registration "kubernetes" {}
919 # config is a raw string of default configuration when using a Stateful
920 # deployment. Default is to use a Consul for its HA storage backend.
921 # Supported formats are HCL and JSON.
923 # Note: Configuration files are stored in ConfigMaps so sensitive data
924 # such as passwords should be either mounted through extraSecretEnvironmentVars
925 # or through a Kube secret. For more information see:
926 # https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
932 address = "[::]:8200"
933 cluster_address = "[::]:8201"
937 address = "HOST_IP:8500"
940 service_registration "kubernetes" {}
942 # Example configuration for using auto-unseal, using Google Cloud KMS. The
943 # GKMS keys must already exist, and the cluster must have a service account
944 # that is authorized to access GCP KMS.
946 # project = "vault-helm-dev-246514"
948 # key_ring = "vault-helm-unseal-kr"
949 # crypto_key = "vault-helm-unseal-key"
952 # Example configuration for enabling Prometheus metrics.
953 # If you are using Prometheus Operator you can enable a ServiceMonitor resource below.
954 # You may wish to enable unauthenticated metrics in the listener block above.
956 # prometheus_retention_time = "30s"
957 # disable_hostname = true
959 # A disruption budget limits the number of pods of a replicated application
960 # that are down simultaneously from voluntary disruptions
963 # maxUnavailable will default to ⌊(n-1)/2⌋ (equivalently, ceil(n/2)-1) where
964 # n is the number of replicas. If you'd like a custom value, you can specify
967 # Definition of the serviceAccount used to run Vault.
968 # These options are also used when using an external Vault server to validate
971 # Specifies whether a service account should be created
973 # The name of the service account to use.
974 # If not set and create is true, a name is generated using the fullname template
976 # Create a Secret API object to store a non-expiring token for the service account.
977 # Prior to v1.24.0, Kubernetes used to generate this secret for each service account by default.
978 # Kubernetes now recommends using short-lived tokens from the TokenRequest API or projected volumes instead if possible.
979 # For more details, see https://kubernetes.io/docs/concepts/configuration/secret/#service-account-token-secrets
980 # serviceAccount.create must be equal to 'true' in order to use this feature.
982 # Extra annotations for the serviceAccount definition. This can either be
983 # YAML or a YAML-formatted multi-line templated string map of the
984 # annotations to apply to the serviceAccount.
986 # Extra labels to attach to the serviceAccount
987 # This should be a YAML map of the labels to apply to the serviceAccount
989 # Enable or disable a service account role binding with the permissions required for
990 # Vault's Kubernetes service_registration config option.
991 # See https://developer.hashicorp.com/vault/docs/configuration/service-registration/kubernetes
994 # Settings for the statefulSet used to run Vault.
996 # Extra annotations for the statefulSet. This can either be YAML or a
997 # YAML-formatted multi-line templated string map of the annotations to apply
998 # to the statefulSet.
1000 # Set the pod and container security contexts.
1001 # If not set, these will default to, and for *not* OpenShift:
1003 # runAsNonRoot: true
1004 # runAsGroup: {{ .Values.server.gid | default 1000 }}
1005 # runAsUser: {{ .Values.server.uid | default 100 }}
1006 # fsGroup: {{ .Values.server.gid | default 1000 }}
1008 # allowPrivilegeEscalation: false
1010 # If not set, these will default to, and for OpenShift:
1016 # Should the server pods run on the host network
1020 # True if you want to create a Service entry for the Vault UI.
1022 # serviceType can be used to control the type of service created. For
1023 # example, setting this to "LoadBalancer" will create an external load
1024 # balancer (for supported K8S installations) to access the UI.
1026 publishNotReadyAddresses: true
1027 # The service should only contain selectors for active Vault pod
1028 activeVaultPodOnly: false
1029 serviceType: "ClusterIP"
1030 serviceNodePort: null
1033 # The IP family and IP families options are to set the behaviour in a dual-stack environment.
1034 # Omitting these values will let the service fall back to whatever the CNI dictates the defaults
1036 # These are only supported for kubernetes versions >=1.23.0
1038 # Configures the service's supported IP family, can be either:
1039 # SingleStack: Single-stack service. The control plane allocates a cluster IP for the Service, using the first configured service cluster IP range.
1040 # PreferDualStack: Allocates IPv4 and IPv6 cluster IPs for the Service.
1041 # RequireDualStack: Allocates Service .spec.ClusterIPs from both IPv4 and IPv6 address ranges.
1042 serviceIPFamilyPolicy: ""
1043 # Sets the families that should be supported and the order in which they should be applied to ClusterIP as well
1044 # Can be IPv4 and/or IPv6.
1045 serviceIPFamilies: []
1046 # The externalTrafficPolicy can be set to either Cluster or Local
1047 # and is only valid for LoadBalancer and NodePort service types.
1048 # The default value is Cluster.
1049 # ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-traffic-policy
1050 externalTrafficPolicy: Cluster
1051 #loadBalancerSourceRanges:
1057 # Extra annotations to attach to the ui service
1058 # This can either be YAML or a YAML-formatted multi-line templated string map
1059 # of the annotations to apply to the ui service
1061# secrets-store-csi-driver-provider-vault
1063 # True if you want to install a secrets-store-csi-driver-provider-vault daemonset.
1065 # Requires installing the secrets-store-csi-driver separately, see:
1066 # https://github.com/kubernetes-sigs/secrets-store-csi-driver#install-the-secrets-store-csi-driver
1068 # With the driver and provider installed, you can mount Vault secrets into volumes
1069 # similar to the Vault Agent injector, and you can also sync those secrets into
1070 # Kubernetes secrets.
1073 repository: cgr.dev/chainguard-private/vault-csi-provider
1074 tag: latest@sha256:df8f5529d8d657d75c702257d0ce05f0b1341872f8a84a085b76a20a202713b4
1075 pullPolicy: IfNotPresent
1076 # volumes is a list of volumes made available to all containers. These are rendered
1077 # via toYaml rather than pre-processed like the extraVolumes value.
1078 # The purpose is to make it easy to share volumes between containers.
1082 # secretName: vault-tls
1084 # volumeMounts is a list of volumeMounts for the main server container. These are rendered
1085 # via toYaml rather than pre-processed like the extraVolumes value.
1086 # The purpose is to make it easy to share volumes between containers.
1089 # mountPath: "/vault/tls"
1101 # Override the default secret name for the CSI Provider's HMAC key used for
1102 # generating secret versions.
1104 # Allow modification of the hostNetwork parameter to avoid the need of a
1107 # Settings for the daemonSet used to run the provider.
1112 # Extra annotations for the daemonSet. This can either be YAML or a
1113 # YAML-formatted multi-line templated string map of the annotations to apply
1116 # Provider host path (must match the CSI provider's path)
1117 providersDir: "/var/run/secrets-store-csi-providers"
1119 kubeletRootDir: "/var/lib/kubelet"
1120 # Extra labels to attach to the vault-csi-provider daemonSet
1121 # This should be a YAML map of the labels to apply to the csi provider daemonSet
1123 # Security context for the pod template and container in the csi provider
1124 # daemonSet. For OpenShift, the container securityContext defaults to
1125 # `privileged: true`.
1130 # Extra annotations for the provider pods. This can either be YAML or a
1131 # YAML-formatted multi-line templated string map of the annotations to apply
1134 # Toleration Settings for provider pods
1135 # This should be either a multi-line string or YAML matching the Toleration array
1138 # nodeSelector labels for csi pod assignment, formatted as a multi-line string or YAML map.
1139 # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
1142 # beta.kubernetes.io/arch: amd64
1145 # This should be either a multi-line string or YAML matching the PodSpec's affinity field.
1147 # Extra labels to attach to the vault-csi-provider pod
1148 # This should be a YAML map of the labels to apply to the csi provider pod
1154 repository: cgr.dev/chainguard-private/vault
1155 tag: latest@sha256:17faa0ac104146587d4a9906ce17bd06b10064cc187a328a5393170df71aa8cb
1156 pullPolicy: IfNotPresent
1168 # Security context for the vault agent sidecar container
1171 allowPrivilegeEscalation: false
1175 readOnlyRootFilesystem: true
1179 # Priority class for csi pods
1180 priorityClassName: ""
1182 # Extra annotations for the serviceAccount definition. This can either be
1183 # YAML or a YAML-formatted multi-line templated string map of the
1184 # annotations to apply to the serviceAccount.
1186 # Extra labels to attach to the vault-csi-provider serviceAccount
1187 # This should be a YAML map of the labels to apply to the csi provider serviceAccount
1189 # Used to configure readinessProbe for the pods.
1191 # When a probe fails, Kubernetes will try failureThreshold times before giving up
1193 # Number of seconds after the container has started before probe initiates
1194 initialDelaySeconds: 5
1195 # How often (in seconds) to perform the probe
1197 # Minimum consecutive successes for the probe to be considered successful after having failed
1199 # Number of seconds after which the probe times out.
1201 # Used to configure livenessProbe for the pods.
1203 # When a probe fails, Kubernetes will try failureThreshold times before giving up
1205 # Number of seconds after the container has started before probe initiates
1206 initialDelaySeconds: 5
1207 # How often (in seconds) to perform the probe
1209 # Minimum consecutive successes for the probe to be considered successful after having failed
1211 # Number of seconds after which the probe times out.
1213 # Configures the log level for the Vault CSI provider.
1214 # Supported log levels include: trace, debug, info, warn, error, and off
1216 # Deprecated, set logLevel to debug instead.
1217 # If set to true, the logLevel will be set to debug.
1219 # Pass arbitrary additional arguments to vault-csi-provider.
1220 # See https://developer.hashicorp.com/vault/docs/platform/k8s/csi/configurations#command-line-arguments
1221 # for the available command line flags.
1223# Vault is able to collect and publish various runtime metrics.
1224# Enabling this feature requires setting adding `telemetry{}` stanza to
1225# the Vault configuration. There are a few examples included in the `config` sections above.
1227# For more information see:
1228# https://developer.hashicorp.com/vault/docs/configuration/telemetry
1229# https://developer.hashicorp.com/vault/docs/internals/telemetry
1231 # Enable support for the Prometheus Operator. If authorization is not set for authenticating
1232 # to Vault's metrics endpoint, the following Vault server `telemetry{}` config must be included
1233 # in the `listener "tcp"{}` stanza
1235 # unauthenticated_metrics_access = "true"
1238 # See the `standalone.config` for a more complete example of this.
1240 # In addition, a top level `telemetry{}` stanza must also be included in the Vault configuration:
1244 # prometheus_retention_time = "30s"
1245 # disable_hostname = true
1248 # Configuration for monitoring the Vault server.
1250 # The Prometheus operator *must* be installed before enabling this feature,
1251 # if not the chart will fail to install due to missing CustomResourceDefinitions
1252 # provided by the operator.
1254 # Instructions on how to install the Helm chart can be found here:
1255 # https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack
1256 # More information can be found here:
1257 # https://github.com/prometheus-operator/prometheus-operator
1258 # https://github.com/prometheus-operator/kube-prometheus
1260 # Enable deployment of the Vault Server ServiceMonitor CustomResource.
1262 # Selector labels to add to the ServiceMonitor.
1263 # When empty, defaults to:
1264 # release: prometheus
1266 # Interval at which Prometheus scrapes metrics
1268 # Timeout for Prometheus scrapes
1270 # tlsConfig used for scraping the Vault metrics API.
1271 # See API reference: https://prometheus-operator.dev/docs/api-reference/api/#monitoring.coreos.com/v1.TLSConfig
1276 # name: vault-metrics-client
1279 # authorization used for scraping the Vault metrics API.
1280 # See API reference: https://prometheus-operator.dev/docs/api-reference/api/#monitoring.coreos.com/v1.SafeAuthorization
1284 # name: vault-metrics-client
1287 # metricRelabelings configures the relabeling rules to apply to the samples before ingestion.
1288 # See API reference: https://prometheus-operator.dev/docs/api-reference/api/#monitoring.coreos.com/v1.RelabelConfig
1290 # metricRelabelings:
1291 # - sourceLabels: [cluster]
1292 # targetLabel: vault_cluster
1293 metricRelabelings: []
1294 # matchLabels configures the service selector labels for the ServiceMonitor.
1295 # By default, the ServiceMonitor targets services with:
1296 # - HA mode: vault-active: "true" (scrapes the raft leader only)
1297 # - Standalone mode: vault-internal: "true"
1299 # To scrape metrics from all Vault pods including standbys (Enterprise only):
1300 # 1. Enable unauthenticated_metrics_access in your Vault listener telemetry config
1301 # 2. Set matchLabels to target the vault-internal headless service
1302 # See: https://developer.hashicorp.com/vault/docs/configuration/telemetry#prometheus
1306 # vault-internal: "true"
1309 # The Prometheus operator *must* be installed before enabling this feature,
1310 # if not the chart will fail to install due to missing CustomResourceDefinitions
1311 # provided by the operator.
1313 # Deploy the PrometheusRule custom resource for AlertManager based alerts.
1314 # Requires that AlertManager is properly deployed.
1316 # Selector labels to add to the PrometheusRules.
1317 # When empty, defaults to:
1318 # release: prometheus
1320 # Some example rules.
1322 # - alert: vault-HighResponseTime
1324 # message: The response time of Vault is over 500ms on average over the last 5 minutes.
1325 # expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500
1329 # - alert: vault-HighResponseTime
1331 # message: The response time of Vault is over 1s on average over the last 5 minutes.
1332 # expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000
1335 # severity: critical