DirectorySecurity AdvisoriesPricing
Sign in
Directory
hashicorp-vault logoHELM

hashicorp-vault

Helm chart
Last changed
Request a free trial

Contact our team to test out this Helm chart and related images for free. Please also indicate any other images you would like to evaluate.

Overview
Chart versions
Default values
Chart metadata
Images

Tag:

1
# Copyright IBM Corp. 2018, 2026
2
# SPDX-License-Identifier: MPL-2.0
3
4
# Available parameters and their default values for the Vault chart.
5
6
global:
7
# enabled is the master enabled switch. Setting this to true or false
8
# will enable or disable all the components within this chart by default.
9
enabled: true
10
# The namespace to deploy to. Defaults to the `helm` installation namespace.
11
namespace: ""
12
# Image pull secret to use for registry authentication.
13
# Alternatively, the value may be specified as an array of strings.
14
imagePullSecrets: []
15
# imagePullSecrets:
16
# - name: image-pull-secret
17
18
# TLS for end-to-end encrypted transport
19
tlsDisable: true
20
# External vault server address for the injector and CSI provider to use.
21
# Setting this will disable deployment of a vault server.
22
externalVaultAddr: ""
23
# If deploying to OpenShift
24
openshift: false
25
# Create PodSecurityPolicy for pods
26
psp:
27
enable: false
28
# Annotation for PodSecurityPolicy.
29
# This is a multi-line templated string map, and can also be set as YAML.
30
annotations: |
31
seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default
32
apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
33
seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
34
apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
35
serverTelemetry:
36
# Enable integration with the Prometheus Operator
37
# See the top level serverTelemetry section below before enabling this feature.
38
prometheusOperator: false
39
injector:
40
# True if you want to enable vault agent injection.
41
# @default: global.enabled
42
enabled: "-"
43
replicas: 1
44
# Configures the port the injector should listen on
45
port: 8080
46
# If multiple replicas are specified, by default a leader will be determined
47
# so that only one injector attempts to create TLS certificates.
48
leaderElector:
49
enabled: true
50
# If true, will enable a node exporter metrics endpoint at /metrics.
51
metrics:
52
enabled: false
53
# Deprecated: Please use global.externalVaultAddr instead.
54
externalVaultAddr: ""
55
# image sets the repo and tag of the vault-k8s image to use for the injector.
56
image:
57
repository: cgr.dev/chainguard-private/vault-k8s
58
tag: latest@sha256:9e1dac68dbdcac3a708dcf516a2b41ada0e0cb1adc1a25dc9a9933dd603000cf
59
pullPolicy: IfNotPresent
60
# agentImage sets the repo and tag of the Vault image to use for the Vault Agent
61
# containers. This should be set to the official Vault image. Vault 1.3.1+ is
62
# required.
63
agentImage:
64
repository: cgr.dev/chainguard-private/vault
65
tag: latest@sha256:17faa0ac104146587d4a9906ce17bd06b10064cc187a328a5393170df71aa8cb
66
# The default values for the injected Vault Agent containers.
67
agentDefaults:
68
# For more information on configuring resources, see the K8s documentation:
69
# https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
70
cpuLimit: "500m"
71
cpuRequest: "250m"
72
memLimit: "128Mi"
73
memRequest: "64Mi"
74
# ephemeralLimit: "128Mi"
75
# ephemeralRequest: "64Mi"
76
77
# Default template type for secrets when no custom template is specified.
78
# Possible values include: "json" and "map".
79
template: "map"
80
# Default values within Agent's template_config stanza.
81
templateConfig:
82
exitOnRetryFailure: true
83
staticSecretRenderInterval: ""
84
# Used to define custom livenessProbe settings
85
livenessProbe:
86
# When a probe fails, Kubernetes will try failureThreshold times before giving up
87
failureThreshold: 2
88
# Number of seconds after the container has started before probe initiates
89
initialDelaySeconds: 5
90
# How often (in seconds) to perform the probe
91
periodSeconds: 2
92
# Minimum consecutive successes for the probe to be considered successful after having failed
93
successThreshold: 1
94
# Number of seconds after which the probe times out.
95
timeoutSeconds: 5
96
# Used to define custom readinessProbe settings
97
readinessProbe:
98
# When a probe fails, Kubernetes will try failureThreshold times before giving up
99
failureThreshold: 2
100
# Number of seconds after the container has started before probe initiates
101
initialDelaySeconds: 5
102
# How often (in seconds) to perform the probe
103
periodSeconds: 2
104
# Minimum consecutive successes for the probe to be considered successful after having failed
105
successThreshold: 1
106
# Number of seconds after which the probe times out.
107
timeoutSeconds: 5
108
# Used to define custom startupProbe settings
109
startupProbe:
110
# When a probe fails, Kubernetes will try failureThreshold times before giving up
111
failureThreshold: 12
112
# Number of seconds after the container has started before probe initiates
113
initialDelaySeconds: 5
114
# How often (in seconds) to perform the probe
115
periodSeconds: 5
116
# Minimum consecutive successes for the probe to be considered successful after having failed
117
successThreshold: 1
118
# Number of seconds after which the probe times out.
119
timeoutSeconds: 5
120
# Mount Path of the Vault Kubernetes Auth Method.
121
authPath: "auth/kubernetes"
122
# Configures the log verbosity of the injector.
123
# Supported log levels include: trace, debug, info, warn, error
124
logLevel: "info"
125
# Configures the log format of the injector. Supported log formats: "standard", "json".
126
logFormat: "standard"
127
# Configures all Vault Agent sidecars to revoke their token when shutting down
128
revokeOnShutdown: false
129
webhook:
130
# Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the
131
# API Version of the WebHook.
132
# To block pod creation while the webhook is unavailable, set the policy to `Fail` below.
133
# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy
134
#
135
failurePolicy: Ignore
136
# matchPolicy specifies the approach to accepting changes based on the rules of
137
# the MutatingWebhookConfiguration.
138
# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy
139
# for more details.
140
#
141
matchPolicy: Exact
142
# timeoutSeconds is the amount of seconds before the webhook request will be ignored
143
# or fails.
144
# If it is ignored or fails depends on the failurePolicy
145
# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#timeouts
146
# for more details.
147
#
148
timeoutSeconds: 30
149
# namespaceSelector is the selector for restricting the webhook to only
150
# specific namespaces.
151
# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
152
# for more details.
153
# Example:
154
# namespaceSelector:
155
# matchLabels:
156
# sidecar-injector: enabled
157
namespaceSelector: {}
158
# objectSelector is the selector for restricting the webhook to only
159
# specific labels.
160
# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector
161
# for more details.
162
# Example:
163
# objectSelector:
164
# matchLabels:
165
# vault-sidecar-injector: enabled
166
objectSelector: |
167
matchExpressions:
168
- key: app.kubernetes.io/name
169
operator: NotIn
170
values:
171
- {{ template "vault.name" . }}-agent-injector
172
# Extra annotations to attach to the webhook
173
annotations: {}
174
# Deprecated: please use 'webhook.failurePolicy' instead
175
# Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the
176
# API Version of the WebHook.
177
# To block pod creation while webhook is unavailable, set the policy to `Fail` below.
178
# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy
179
#
180
failurePolicy: Ignore
181
# Deprecated: please use 'webhook.namespaceSelector' instead
182
# namespaceSelector is the selector for restricting the webhook to only
183
# specific namespaces.
184
# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
185
# for more details.
186
# Example:
187
# namespaceSelector:
188
# matchLabels:
189
# sidecar-injector: enabled
190
namespaceSelector: {}
191
# Deprecated: please use 'webhook.objectSelector' instead
192
# objectSelector is the selector for restricting the webhook to only
193
# specific labels.
194
# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector
195
# for more details.
196
# Example:
197
# objectSelector:
198
# matchLabels:
199
# vault-sidecar-injector: enabled
200
objectSelector: {}
201
# Deprecated: please use 'webhook.annotations' instead
202
# Extra annotations to attach to the webhook
203
webhookAnnotations: {}
204
certs:
205
# secretName is the name of the secret that has the TLS certificate and
206
# private key to serve the injector webhook. If this is null, then the
207
# injector will default to its automatic management mode that will assign
208
# a service account to the injector to generate its own certificates.
209
secretName: null
210
# caBundle is a base64-encoded PEM-encoded certificate bundle for the CA
211
# that signed the TLS certificate that the webhook serves. This must be set
212
# if secretName is non-null unless an external service like cert-manager is
213
# keeping the caBundle updated.
214
caBundle: ""
215
# certName and keyName are the names of the files within the secret for
216
# the TLS cert and private key, respectively. These have reasonable
217
# defaults but can be customized if necessary.
218
certName: tls.crt
219
keyName: tls.key
220
# Security context for the pod template and the injector container
221
# The default pod securityContext is:
222
# runAsNonRoot: true
223
# runAsGroup: {{ .Values.injector.gid | default 1000 }}
224
# runAsUser: {{ .Values.injector.uid | default 100 }}
225
# fsGroup: {{ .Values.injector.gid | default 1000 }}
226
# and for container is
227
# allowPrivilegeEscalation: false
228
# capabilities:
229
# drop:
230
# - ALL
231
securityContext:
232
pod: {}
233
container: {}
234
resources: {}
235
# resources:
236
# requests:
237
# memory: 256Mi
238
# cpu: 250m
239
# limits:
240
# memory: 256Mi
241
# cpu: 250m
242
243
# extraEnvironmentVars is a list of extra environment variables to set in the
244
# injector deployment.
245
extraEnvironmentVars: {}
246
# KUBERNETES_SERVICE_HOST: kubernetes.default.svc
247
248
# Affinity Settings for injector pods
249
# This can either be a multi-line string or YAML matching the PodSpec's affinity field.
250
# Commenting out or setting as empty the affinity variable, will allow
251
# deployment of multiple replicas to single node services such as Minikube.
252
affinity: |
253
podAntiAffinity:
254
requiredDuringSchedulingIgnoredDuringExecution:
255
- labelSelector:
256
matchLabels:
257
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
258
app.kubernetes.io/instance: "{{ .Release.Name }}"
259
component: webhook
260
topologyKey: kubernetes.io/hostname
261
# Topology settings for injector pods
262
# ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
263
# This should be either a multi-line string or YAML matching the topologySpreadConstraints array
264
# in a PodSpec.
265
topologySpreadConstraints: []
266
# Toleration Settings for injector pods
267
# This should be either a multi-line string or YAML matching the Toleration array
268
# in a PodSpec.
269
tolerations: []
270
# nodeSelector labels for server pod assignment, formatted as a multi-line string or YAML map.
271
# ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
272
# Example:
273
# nodeSelector:
274
# beta.kubernetes.io/arch: amd64
275
nodeSelector: {}
276
# Priority class for injector pods
277
priorityClassName: ""
278
# Extra annotations to attach to the injector pods
279
# This can either be YAML or a YAML-formatted multi-line templated string map
280
# of the annotations to apply to the injector pods
281
annotations: {}
282
# Extra labels to attach to the agent-injector
283
# This should be a YAML map of the labels to apply to the injector
284
extraLabels: {}
285
# Should the injector pods run on the host network (useful when using
286
# an alternate CNI in EKS)
287
hostNetwork: false
288
# Injector service specific config
289
service:
290
# Extra annotations to attach to the injector service
291
annotations: {}
292
# Injector serviceAccount specific config
293
serviceAccount:
294
# Extra annotations to attach to the injector serviceAccount
295
annotations: {}
296
# A disruption budget limits the number of pods of a replicated application
297
# that are down simultaneously from voluntary disruptions
298
podDisruptionBudget: {}
299
# podDisruptionBudget:
300
# maxUnavailable: 1
301
302
# strategy for updating the deployment. This can be a multi-line string or a
303
# YAML map.
304
strategy: {}
305
# strategy: |
306
# rollingUpdate:
307
# maxSurge: 25%
308
# maxUnavailable: 25%
309
# type: RollingUpdate
310
server:
311
# If true, or "-" with global.enabled true, Vault server will be installed.
312
# See vault.mode in _helpers.tpl for implementation details.
313
enabled: "-"
314
# [Enterprise Only] This value refers to a Kubernetes secret that you have
315
# created that contains your enterprise license. If you are not using an
316
# enterprise image or if you plan to introduce the license key via another
317
# route, then leave secretName blank ("") or set it to null.
318
# Requires Vault Enterprise 1.8 or later.
319
enterpriseLicense:
320
# The name of the Kubernetes secret that holds the enterprise license. The
321
# secret must be in the same namespace that Vault is installed into.
322
secretName: ""
323
# The key within the Kubernetes secret that holds the enterprise license.
324
secretKey: "license"
325
# OpenShift service-ca operator integration
326
# Automates TLS certificate generation via the service-ca operator
327
serviceCA:
328
# Enable service-ca operator annotations and ConfigMap creation
329
# Requires: global.openshift=true
330
enabled: false
331
# Secret name where service-ca will store the generated certificate
332
# IMPORTANT: Must match the secret name in server.volumes below
333
secretName: "vault-tls"
334
# ConfigMap name for service-ca CA bundle injection
335
# IMPORTANT: Must match the ConfigMap name in server.volumes below
336
configMapName: "service-ca-bundle"
337
# IMPORTANT: Configure server.volumes, server.volumeMounts, AND server config to use service-ca
338
#
339
# Step 1: Mount the service-ca resources as volumes
340
# volumes:
341
# - name: vault-tls
342
# secret:
343
# secretName: vault-tls # Must match serviceCA.secretName above
344
# - name: service-ca-bundle
345
# configMap:
346
# name: service-ca-bundle # Must match serviceCA.configMapName above
347
#
348
# volumeMounts:
349
# - name: vault-tls
350
# mountPath: /vault/userconfig/vault-tls
351
# readOnly: true
352
# - name: service-ca-bundle
353
# mountPath: /vault/userconfig/service-ca-bundle
354
# readOnly: true
355
#
356
# Step 2: Configure Vault listener to use the certificates (in server.ha.config or server.ha.raft.config)
357
# listener "tcp" {
358
# tls_disable = 0
359
# address = "[::]:8200"
360
# cluster_address = "[::]:8201"
361
# tls_cert_file = "/vault/userconfig/vault-tls/tls.crt"
362
# tls_key_file = "/vault/userconfig/vault-tls/tls.key"
363
# tls_client_ca_file = "/vault/userconfig/service-ca-bundle/service-ca.crt"
364
# }
365
image:
366
repository: cgr.dev/chainguard-private/vault
367
tag: latest@sha256:17faa0ac104146587d4a9906ce17bd06b10064cc187a328a5393170df71aa8cb
368
# Overrides the default Image Pull Policy
369
pullPolicy: IfNotPresent
370
# Configure the Update Strategy Type for the StatefulSet
371
# See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
372
updateStrategyType: "OnDelete"
373
# Configure the logging verbosity for the Vault server.
374
# Supported log levels include: trace, debug, info, warn, error
375
logLevel: ""
376
# Configure the logging format for the Vault server.
377
# Supported log formats include: standard, json
378
logFormat: ""
379
# Resource requests, limits, etc. for the server cluster placement. This
380
# should map directly to the value of the resources field for a PodSpec.
381
# By default no direct resource request is made.
382
resources: {}
383
# resources:
384
# requests:
385
# memory: 256Mi
386
# cpu: 250m
387
# limits:
388
# memory: 256Mi
389
# cpu: 250m
390
391
# Ingress allows ingress services to be created to allow external access
392
# from Kubernetes to access Vault pods.
393
# If deployment is on OpenShift, the following block is ignored.
394
# In order to expose the service, use the route section below
395
ingress:
396
enabled: false
397
labels: {}
398
# traffic: external
399
annotations: {}
400
# |
401
# kubernetes.io/ingress.class: nginx
402
# kubernetes.io/tls-acme: "true"
403
# or
404
# kubernetes.io/ingress.class: nginx
405
# kubernetes.io/tls-acme: "true"
406
407
# Optionally use ingressClassName instead of deprecated annotation.
408
# See: https://kubernetes.io/docs/concepts/services-networking/ingress/#deprecated-annotation
409
ingressClassName: ""
410
# As of Kubernetes 1.19, all Ingress Paths must have a pathType configured. The default value below should be sufficient in most cases.
411
# See: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types for other possible values.
412
pathType: Prefix
413
# When HA mode is enabled and K8s service registration is being used,
414
# configure the ingress to point to the Vault active service.
415
activeService: true
416
hosts:
417
- host: chart-example.local
418
paths: []
419
## Extra paths to prepend to the host configuration. This is useful when working with annotation based services.
420
extraPaths: []
421
# - path: /*
422
# backend:
423
# service:
424
# name: ssl-redirect
425
# port:
426
# number: use-annotation
427
tls: []
428
# - secretName: chart-example-tls
429
# hosts:
430
# - chart-example.local
431
httproute:
432
enabled: false
433
labels: {}
434
annotations: {}
435
activeService: true
436
hostnames: []
437
# - host-example
438
439
# Keep in mind parentRefs field is required
440
parentRefs: []
441
# - name: vault-gateway-example
442
# namespace: example-ns
443
444
matches:
445
- path:
446
type: PathPrefix
447
value: /
448
## Filters define the filters that are applied to requests that match this rule.
449
filters: []
450
## Additional custom rules that can be added to the route
451
additionalRules: []
452
# hostAliases is a list of aliases to be added to /etc/hosts. Specified as a YAML list.
453
hostAliases: []
454
# - ip: 127.0.0.1
455
# hostnames:
456
# - chart-example.local
457
458
# OpenShift only - create a route to expose the service
459
# By default the created route will be of type passthrough
460
route:
461
enabled: false
462
# When HA mode is enabled and K8s service registration is being used,
463
# configure the route to point to the Vault active service.
464
activeService: true
465
labels: {}
466
annotations: {}
467
host: chart-example.local
468
# tls will be passed directly to the route's TLS config, which
469
# can be used to configure other termination methods that terminate
470
# TLS at the router
471
tls:
472
termination: passthrough
473
# authDelegator enables a cluster role binding to be attached to the service
474
# account. This cluster role binding can be used to setup Kubernetes auth
475
# method. See https://developer.hashicorp.com/vault/docs/auth/kubernetes
476
authDelegator:
477
enabled: true
478
# extraInitContainers is a list of init containers. Specified as a YAML list.
479
# This is useful if you need to run a script to provision TLS certificates or
480
# write out configuration files in a dynamic way.
481
extraInitContainers: null
482
# # This example installs a plugin pulled from github into the /usr/local/libexec/vault/oauthapp folder,
483
# # which is defined in the volumes value.
484
# - name: oauthapp
485
# image: "alpine"
486
# command: [sh, -c]
487
# args:
488
# - cd /tmp &&
489
# wget https://github.com/puppetlabs/vault-plugin-secrets-oauthapp/releases/download/v1.2.0/vault-plugin-secrets-oauthapp-v1.2.0-linux-amd64.tar.xz -O oauthapp.xz &&
490
# tar -xf oauthapp.xz &&
491
# mv vault-plugin-secrets-oauthapp-v1.2.0-linux-amd64 /usr/local/libexec/vault/oauthapp &&
492
# chmod +x /usr/local/libexec/vault/oauthapp
493
# volumeMounts:
494
# - name: plugins
495
# mountPath: /usr/local/libexec/vault
496
497
# extraContainers is a list of sidecar containers. Specified as a YAML list.
498
extraContainers: null
499
# shareProcessNamespace enables process namespace sharing between Vault and the extraContainers
500
# This is useful if Vault must be signaled, e.g. to send a SIGHUP for a log rotation
501
shareProcessNamespace: false
502
# extraArgs is a string containing additional Vault server arguments.
503
extraArgs: ""
504
# extraPorts is a list of extra ports. Specified as a YAML list.
505
# This is useful if you need to add additional ports to the statefulset in dynamic way.
506
extraPorts: null
507
# - containerPort: 8300
508
# name: http-monitoring
509
510
# Used to define custom readinessProbe settings
511
readinessProbe:
512
enabled: true
513
# If you need to use a http path instead of the default exec
514
# path: /v1/sys/health?standbyok=true
515
516
# Port number on which readinessProbe will be checked.
517
port: 8200
518
# When a probe fails, Kubernetes will try failureThreshold times before giving up
519
failureThreshold: 2
520
# Number of seconds after the container has started before probe initiates
521
initialDelaySeconds: 5
522
# How often (in seconds) to perform the probe
523
periodSeconds: 5
524
# Minimum consecutive successes for the probe to be considered successful after having failed
525
successThreshold: 1
526
# Number of seconds after which the probe times out.
527
timeoutSeconds: 3
528
# Used to enable a livenessProbe for the pods
529
livenessProbe:
530
enabled: false
531
# Used to define a liveness exec command. If provided, exec is preferred to httpGet (path) as the livenessProbe handler.
532
execCommand: []
533
# - /bin/sh
534
# - -c
535
# - /vault/userconfig/mylivenessscript/run.sh
536
# Path for the livenessProbe to use httpGet as the livenessProbe handler
537
path: "/v1/sys/health?standbyok=true"
538
# Port number on which livenessProbe will be checked if httpGet is used as the livenessProbe handler
539
port: 8200
540
# When a probe fails, Kubernetes will try failureThreshold times before giving up
541
failureThreshold: 2
542
# Number of seconds after the container has started before probe initiates
543
initialDelaySeconds: 60
544
# How often (in seconds) to perform the probe
545
periodSeconds: 5
546
# Minimum consecutive successes for the probe to be considered successful after having failed
547
successThreshold: 1
548
# Number of seconds after which the probe times out.
549
timeoutSeconds: 3
550
# Optional duration in seconds the pod needs to terminate gracefully.
551
# See: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
552
terminationGracePeriodSeconds: 10
553
# Used to set the sleep time during the preStop step, if custom preStop
554
# commands are not set.
555
preStopSleepSeconds: 5
556
# Used to define custom preStop exec commands to run before the pod is
557
# terminated. If not set, this will default to:
558
# preStop:
559
# - "/bin/sh"
560
# - "-c"
561
# - "sleep {{ .Values.server.preStopSleepSeconds }} && kill -SIGTERM $(pidof vault)"
562
preStop: []
563
# Used to define commands to run after the pod is ready.
564
# This can be used to automate processes such as initialization
565
# or boostrapping auth methods.
566
postStart: []
567
# - /bin/sh
568
# - -c
569
# - /vault/userconfig/myscript/run.sh
570
571
# extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be
572
# used to include variables required for auto-unseal.
573
extraEnvironmentVars: {}
574
# GOOGLE_REGION: global
575
# GOOGLE_PROJECT: myproject
576
# GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/myproject/myproject-creds.json
577
578
# extraSecretEnvironmentVars is a list of extra environment variables to set with the stateful set.
579
# These variables take value from existing Secret objects.
580
extraSecretEnvironmentVars: []
581
# - envName: AWS_SECRET_ACCESS_KEY
582
# secretName: vault
583
# secretKey: AWS_SECRET_ACCESS_KEY
584
585
# Deprecated: please use 'volumes' instead.
586
# extraVolumes is a list of extra volumes to mount. These will be exposed
587
# to Vault in the path `/vault/userconfig/<name>/`. The value below is
588
# an array of objects, examples are shown below.
589
extraVolumes: []
590
# - type: secret (or "configMap")
591
# name: my-secret
592
# path: null # default is `/vault/userconfig`
593
594
# volumes is a list of volumes made available to all containers. These are rendered
595
# via toYaml rather than pre-processed like the extraVolumes value.
596
# The purpose is to make it easy to share volumes between containers.
597
volumes: null
598
# - name: plugins
599
# emptyDir: {}
600
601
# volumeMounts is a list of volumeMounts for the main server container. These are rendered
602
# via toYaml rather than pre-processed like the extraVolumes value.
603
# The purpose is to make it easy to share volumes between containers.
604
volumeMounts: null
605
# - mountPath: /usr/local/libexec/vault
606
# name: plugins
607
# readOnly: true
608
609
# Affinity Settings
610
# Commenting out or setting as empty the affinity variable, will allow
611
# deployment to single node services such as Minikube
612
# This should be either a multi-line string or YAML matching the PodSpec's affinity field.
613
affinity: |
614
podAntiAffinity:
615
requiredDuringSchedulingIgnoredDuringExecution:
616
- labelSelector:
617
matchLabels:
618
app.kubernetes.io/name: {{ template "vault.name" . }}
619
app.kubernetes.io/instance: "{{ .Release.Name }}"
620
component: server
621
topologyKey: kubernetes.io/hostname
622
# Topology settings for server pods
623
# ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
624
# This should be either a multi-line string or YAML matching the topologySpreadConstraints array
625
# in a PodSpec.
626
topologySpreadConstraints: []
627
# Toleration Settings for server pods
628
# This should be either a multi-line string or YAML matching the Toleration array
629
# in a PodSpec.
630
tolerations: []
631
# nodeSelector labels for server pod assignment, formatted as a multi-line string or YAML map.
632
# ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
633
# Example:
634
# nodeSelector:
635
# beta.kubernetes.io/arch: amd64
636
nodeSelector: {}
637
# Enables network policy for server pods
638
networkPolicy:
639
enabled: false
640
egress: []
641
# egress:
642
# - to:
643
# - ipBlock:
644
# cidr: 10.0.0.0/24
645
# ports:
646
# - protocol: TCP
647
# port: 443
648
ingress:
649
- from:
650
- namespaceSelector: {}
651
ports:
652
- port: 8200
653
protocol: TCP
654
- port: 8201
655
protocol: TCP
656
# Priority class for server pods
657
priorityClassName: ""
658
# Extra labels to attach to the server pods
659
# This should be a YAML map of the labels to apply to the server pods
660
extraLabels: {}
661
# Extra annotations to attach to the server pods
662
# This can either be YAML or a YAML-formatted multi-line templated string map
663
# of the annotations to apply to the server pods
664
annotations: {}
665
# Add an annotation to the server configmap and the statefulset pods,
666
# vaultproject.io/config-checksum, that is a hash of the Vault configuration.
667
# This can be used together with an OnDelete deployment strategy to help
668
# identify which pods still need to be deleted during a deployment to pick up
669
# any configuration changes.
670
includeConfigAnnotation: false
671
# Enables a headless service to be used by the Vault Statefulset
672
service:
673
enabled: true
674
# Enable or disable the vault-active service, which selects Vault pods that
675
# have labeled themselves as the cluster leader with `vault-active: "true"`.
676
active:
677
enabled: true
678
# Extra annotations for the service definition. This can either be YAML or a
679
# YAML-formatted multi-line templated string map of the annotations to apply
680
# to the active service.
681
annotations: {}
682
# Enable or disable the vault-standby service, which selects Vault pods that
683
# have labeled themselves as a cluster follower with `vault-active: "false"`.
684
standby:
685
enabled: true
686
# Extra annotations for the service definition. This can either be YAML or a
687
# YAML-formatted multi-line templated string map of the annotations to apply
688
# to the standby service.
689
annotations: {}
690
# If enabled, the service selectors will include `app.kubernetes.io/instance: {{ .Release.Name }}`
691
# When disabled, services may select Vault pods not deployed from the chart.
692
# Does not affect the headless vault-internal service with `ClusterIP: None`
693
instanceSelector:
694
enabled: true
695
# clusterIP controls whether a Cluster IP address is attached to the
696
# Vault service within Kubernetes. By default, the Vault service will
697
# be given a Cluster IP address, set to None to disable. When disabled
698
# Kubernetes will create a "headless" service. Headless services can be
699
# used to communicate with pods directly through DNS instead of a round-robin
700
# load balancer.
701
# clusterIP: None
702
703
# Configures the service type for the main Vault service. Can be ClusterIP
704
# or NodePort.
705
#type: ClusterIP
706
707
# The IP family and IP families options are to set the behaviour in a dual-stack environment.
708
# Omitting these values will let the service fall back to whatever the CNI dictates the defaults
709
# should be.
710
# These are only supported for kubernetes versions >=1.23.0
711
#
712
# Configures the service's supported IP family policy, can be either:
713
# SingleStack: Single-stack service. The control plane allocates a cluster IP for the Service, using the first configured service cluster IP range.
714
# PreferDualStack: Allocates IPv4 and IPv6 cluster IPs for the Service.
715
# RequireDualStack: Allocates Service .spec.ClusterIPs from both IPv4 and IPv6 address ranges.
716
ipFamilyPolicy: ""
717
# Sets the families that should be supported and the order in which they should be applied to ClusterIP as well.
718
# Can be IPv4 and/or IPv6.
719
ipFamilies: []
720
# Do not wait for pods to be ready before including them in the services'
721
# targets. Does not apply to the headless service, which is used for
722
# cluster-internal communication.
723
publishNotReadyAddresses: true
724
# The externalTrafficPolicy can be set to either Cluster or Local
725
# and is only valid for LoadBalancer and NodePort service types.
726
# The default value is Cluster.
727
# ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-traffic-policy
728
externalTrafficPolicy: Cluster
729
# If type is set to "NodePort", a specific nodePort value can be configured,
730
# will be random if left blank.
731
#nodePort: 30000
732
733
# When HA mode is enabled
734
# If type is set to "NodePort", a specific nodePort value can be configured,
735
# will be random if left blank.
736
#activeNodePort: 30001
737
738
# When HA mode is enabled
739
# If type is set to "NodePort", a specific nodePort value can be configured,
740
# will be random if left blank.
741
#standbyNodePort: 30002
742
743
# Port on which Vault server is listening
744
port: 8200
745
# Target port to which the service should be mapped to
746
targetPort: 8200
747
# Extra annotations for the service definition. This can either be YAML or a
748
# YAML-formatted multi-line templated string map of the annotations to apply
749
# to the service.
750
annotations: {}
751
# This configures the Vault Statefulset to create a PVC for data
752
# storage when using the file or raft backend storage engines.
753
# See https://developer.hashicorp.com/vault/docs/configuration/storage to know more
754
dataStorage:
755
enabled: true
756
# Size of the PVC created
757
size: 10Gi
758
# Location where the PVC will be mounted.
759
mountPath: "/vault/data"
760
# Name of the storage class to use. If null it will use the
761
# configured default Storage Class.
762
storageClass: null
763
# Access Mode of the storage device being used for the PVC
764
accessMode: ReadWriteOnce
765
# Annotations to apply to the PVC
766
annotations: {}
767
# Labels to apply to the PVC
768
labels: {}
769
# Persistent Volume Claim (PVC) retention policy
770
# ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention
771
# Example:
772
# persistentVolumeClaimRetentionPolicy:
773
# whenDeleted: Retain
774
# whenScaled: Retain
775
persistentVolumeClaimRetentionPolicy: {}
776
# This configures the Vault Statefulset to create a PVC for audit
777
# logs. Once Vault is deployed, initialized, and unsealed, Vault must
778
# be configured to use this for audit logs. This will be mounted to
779
# /vault/audit
780
# See https://developer.hashicorp.com/vault/docs/audit to know more
781
auditStorage:
782
enabled: false
783
# Size of the PVC created
784
size: 10Gi
785
# Location where the PVC will be mounted.
786
mountPath: "/vault/audit"
787
# Name of the storage class to use. If null it will use the
788
# configured default Storage Class.
789
storageClass: null
790
# Access Mode of the storage device being used for the PVC
791
accessMode: ReadWriteOnce
792
# Annotations to apply to the PVC
793
annotations: {}
794
# Labels to apply to the PVC
795
labels: {}
796
# Run Vault in "dev" mode. This requires no further setup, no state management,
797
# and no initialization. This is useful for experimenting with Vault without
798
# needing to unseal, store keys, et. al. All data is lost on restart - do not
799
# use dev mode for anything other than experimenting.
800
# See https://developer.hashicorp.com/vault/docs/concepts/dev-server to know more
801
dev:
802
enabled: false
803
# Set VAULT_DEV_ROOT_TOKEN_ID value
804
devRootToken: "root"
805
# Run Vault in "standalone" mode. This is the default mode that will deploy if
806
# no arguments are given to helm. This requires a PVC for data storage to use
807
# the "file" backend. This mode is not highly available and should not be scaled
808
# past a single replica.
809
standalone:
810
enabled: "-"
811
# config is a raw string of default configuration when using a Stateful
812
# deployment. Default is to use a PersistentVolumeClaim mounted at /vault/data
813
# and store data there. This is only used when using a Replica count of 1, and
814
# using a stateful set. Supported formats are HCL and JSON.
815
816
# Note: Configuration files are stored in ConfigMaps so sensitive data
817
# such as passwords should be either mounted through extraSecretEnvironmentVars
818
# or through a Kube secret. For more information see:
819
# https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
820
config: |-
821
ui = true
822
823
listener "tcp" {
824
tls_disable = 1
825
address = "[::]:8200"
826
cluster_address = "[::]:8201"
827
# Enable unauthenticated metrics access (necessary for Prometheus Operator)
828
#telemetry {
829
# unauthenticated_metrics_access = "true"
830
#}
831
}
832
storage "file" {
833
path = "/vault/data"
834
}
835
836
# Example configuration for using auto-unseal, using Google Cloud KMS. The
837
# GKMS keys must already exist, and the cluster must have a service account
838
# that is authorized to access GCP KMS.
839
#seal "gcpckms" {
840
# project = "vault-helm-dev"
841
# region = "global"
842
# key_ring = "vault-helm-unseal-kr"
843
# crypto_key = "vault-helm-unseal-key"
844
#}
845
846
# Example configuration for enabling Prometheus metrics in your config.
847
#telemetry {
848
# prometheus_retention_time = "30s"
849
# disable_hostname = true
850
#}
851
# Run Vault in "HA" mode. There are no storage requirements unless the audit log
852
# persistence is required. In HA mode Vault will configure itself to use Consul
853
# for its storage backend. The default configuration provided will work the Consul
854
# Helm project by default. It is possible to manually configure Vault to use a
855
# different HA backend.
856
ha:
857
enabled: false
858
replicas: 3
859
# Set the api_addr configuration for Vault HA
860
# See https://developer.hashicorp.com/vault/docs/configuration#api_addr
861
# If set to null, this will be set to the Pod IP Address
862
apiAddr: null
863
# Set the cluster_addr configuration for Vault HA
864
# See https://developer.hashicorp.com/vault/docs/configuration#cluster_addr
865
# If set to null, this will be set to https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201
866
clusterAddr: null
867
# Enables Vault's integrated Raft storage. Unlike the typical HA modes where
868
# Vault's persistence is external (such as Consul), enabling Raft mode will create
869
# persistent volumes for Vault to store data according to the configuration under server.dataStorage.
870
# The Vault cluster will coordinate leader elections and failovers internally.
871
raft:
872
# Enables Raft integrated storage
873
enabled: false
874
# Set the Node Raft ID to the name of the pod
875
setNodeId: false
876
# Vault Enterprise Redundancy Zones
877
# Enables automatic zone detection for Vault Enterprise autopilot redundancy zones.
878
# Requires:
879
# - Kubernetes 1.35+ (PodTopologyLabelsAdmission enabled by default)
880
# - Vault Enterprise
881
# - server.ha.enabled=true and server.ha.raft.enabled=true
882
# - Nodes labeled with topology.kubernetes.io/zone
883
# - VAULT_REDUNDANCY_ZONE placeholder in server.ha.raft.config
884
# - server.topologySpreadConstraints with topology.kubernetes.io/zone (optional but recommended for proper zone separation)
885
# When enabled:
886
# - The zone label from the node is exposed as VAULT_REDUNDANCY_ZONE
887
# environment variable and substituted into the raft config.
888
# - The PDB maxUnavailable defaults to 1 (instead of ⌊(n-1)/2⌋) because
889
# the PDB cannot distinguish voting from non-voting pods. Override with
890
# server.ha.disruptionBudget.maxUnavailable if needed.
891
# See: https://developer.hashicorp.com/vault/docs/enterprise/redundancy-zones
892
redundancyZones:
893
enabled: false
894
# Note: Configuration files are stored in ConfigMaps so sensitive data
895
# such as passwords should be either mounted through extraSecretEnvironmentVars
896
# or through a Kube secret. For more information see:
897
# https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
898
# Supported formats are HCL and JSON.
899
config: |
900
ui = true
901
902
listener "tcp" {
903
tls_disable = 1
904
address = "[::]:8200"
905
cluster_address = "[::]:8201"
906
# Enable unauthenticated metrics access (necessary for Prometheus Operator)
907
#telemetry {
908
# unauthenticated_metrics_access = "true"
909
#}
910
}
911
912
storage "raft" {
913
path = "/vault/data"
914
# Uncomment for Vault Enterprise redundancy zones (requires server.ha.raft.redundancyZones.enabled = true)
915
# autopilot_redundancy_zone = "VAULT_REDUNDANCY_ZONE"
916
}
917
918
service_registration "kubernetes" {}
919
# config is a raw string of default configuration when using a Stateful
920
# deployment. Default is to use a Consul for its HA storage backend.
921
# Supported formats are HCL and JSON.
922
923
# Note: Configuration files are stored in ConfigMaps so sensitive data
924
# such as passwords should be either mounted through extraSecretEnvironmentVars
925
# or through a Kube secret. For more information see:
926
# https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
927
config: |
928
ui = true
929
930
listener "tcp" {
931
tls_disable = 1
932
address = "[::]:8200"
933
cluster_address = "[::]:8201"
934
}
935
storage "consul" {
936
path = "vault"
937
address = "HOST_IP:8500"
938
}
939
940
service_registration "kubernetes" {}
941
942
# Example configuration for using auto-unseal, using Google Cloud KMS. The
943
# GKMS keys must already exist, and the cluster must have a service account
944
# that is authorized to access GCP KMS.
945
#seal "gcpckms" {
946
# project = "vault-helm-dev-246514"
947
# region = "global"
948
# key_ring = "vault-helm-unseal-kr"
949
# crypto_key = "vault-helm-unseal-key"
950
#}
951
952
# Example configuration for enabling Prometheus metrics.
953
# If you are using Prometheus Operator you can enable a ServiceMonitor resource below.
954
# You may wish to enable unauthenticated metrics in the listener block above.
955
#telemetry {
956
# prometheus_retention_time = "30s"
957
# disable_hostname = true
958
#}
959
# A disruption budget limits the number of pods of a replicated application
960
# that are down simultaneously from voluntary disruptions
961
disruptionBudget:
962
enabled: true
963
# maxUnavailable will default to ⌊(n-1)/2⌋ (equivalently, ceil(n/2)-1) where
964
# n is the number of replicas. If you'd like a custom value, you can specify
965
# an override here.
966
maxUnavailable: null
967
# Definition of the serviceAccount used to run Vault.
968
# These options are also used when using an external Vault server to validate
969
# Kubernetes tokens.
970
serviceAccount:
971
# Specifies whether a service account should be created
972
create: true
973
# The name of the service account to use.
974
# If not set and create is true, a name is generated using the fullname template
975
name: ""
976
# Create a Secret API object to store a non-expiring token for the service account.
977
# Prior to v1.24.0, Kubernetes used to generate this secret for each service account by default.
978
# Kubernetes now recommends using short-lived tokens from the TokenRequest API or projected volumes instead if possible.
979
# For more details, see https://kubernetes.io/docs/concepts/configuration/secret/#service-account-token-secrets
980
# serviceAccount.create must be equal to 'true' in order to use this feature.
981
createSecret: false
982
# Extra annotations for the serviceAccount definition. This can either be
983
# YAML or a YAML-formatted multi-line templated string map of the
984
# annotations to apply to the serviceAccount.
985
annotations: {}
986
# Extra labels to attach to the serviceAccount
987
# This should be a YAML map of the labels to apply to the serviceAccount
988
extraLabels: {}
989
# Enable or disable a service account role binding with the permissions required for
990
# Vault's Kubernetes service_registration config option.
991
# See https://developer.hashicorp.com/vault/docs/configuration/service-registration/kubernetes
992
serviceDiscovery:
993
enabled: true
994
# Settings for the statefulSet used to run Vault.
995
statefulSet:
996
# Extra annotations for the statefulSet. This can either be YAML or a
997
# YAML-formatted multi-line templated string map of the annotations to apply
998
# to the statefulSet.
999
annotations: {}
1000
# Set the pod and container security contexts.
1001
# If not set, these will default to, and for *not* OpenShift:
1002
# pod:
1003
# runAsNonRoot: true
1004
# runAsGroup: {{ .Values.server.gid | default 1000 }}
1005
# runAsUser: {{ .Values.server.uid | default 100 }}
1006
# fsGroup: {{ .Values.server.gid | default 1000 }}
1007
# container:
1008
# allowPrivilegeEscalation: false
1009
#
1010
# If not set, these will default to, and for OpenShift:
1011
# pod: {}
1012
# container: {}
1013
securityContext:
1014
pod: {}
1015
container: {}
1016
# Should the server pods run on the host network
1017
hostNetwork: false
1018
# Vault UI
1019
ui:
1020
# True if you want to create a Service entry for the Vault UI.
1021
#
1022
# serviceType can be used to control the type of service created. For
1023
# example, setting this to "LoadBalancer" will create an external load
1024
# balancer (for supported K8S installations) to access the UI.
1025
enabled: false
1026
publishNotReadyAddresses: true
1027
# The service should only contain selectors for active Vault pod
1028
activeVaultPodOnly: false
1029
serviceType: "ClusterIP"
1030
serviceNodePort: null
1031
externalPort: 8200
1032
targetPort: 8200
1033
# The IP family and IP families options are to set the behaviour in a dual-stack environment.
1034
# Omitting these values will let the service fall back to whatever the CNI dictates the defaults
1035
# should be.
1036
# These are only supported for kubernetes versions >=1.23.0
1037
#
1038
# Configures the service's supported IP family, can be either:
1039
# SingleStack: Single-stack service. The control plane allocates a cluster IP for the Service, using the first configured service cluster IP range.
1040
# PreferDualStack: Allocates IPv4 and IPv6 cluster IPs for the Service.
1041
# RequireDualStack: Allocates Service .spec.ClusterIPs from both IPv4 and IPv6 address ranges.
1042
serviceIPFamilyPolicy: ""
1043
# Sets the families that should be supported and the order in which they should be applied to ClusterIP as well
1044
# Can be IPv4 and/or IPv6.
1045
serviceIPFamilies: []
1046
# The externalTrafficPolicy can be set to either Cluster or Local
1047
# and is only valid for LoadBalancer and NodePort service types.
1048
# The default value is Cluster.
1049
# ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-traffic-policy
1050
externalTrafficPolicy: Cluster
1051
#loadBalancerSourceRanges:
1052
# - 10.0.0.0/16
1053
# - 1.78.23.3/32
1054
1055
# loadBalancerIP:
1056
1057
# Extra annotations to attach to the ui service
1058
# This can either be YAML or a YAML-formatted multi-line templated string map
1059
# of the annotations to apply to the ui service
1060
annotations: {}
1061
# secrets-store-csi-driver-provider-vault
1062
csi:
1063
# True if you want to install a secrets-store-csi-driver-provider-vault daemonset.
1064
#
1065
# Requires installing the secrets-store-csi-driver separately, see:
1066
# https://github.com/kubernetes-sigs/secrets-store-csi-driver#install-the-secrets-store-csi-driver
1067
#
1068
# With the driver and provider installed, you can mount Vault secrets into volumes
1069
# similar to the Vault Agent injector, and you can also sync those secrets into
1070
# Kubernetes secrets.
1071
enabled: false
1072
image:
1073
repository: cgr.dev/chainguard-private/vault-csi-provider
1074
tag: latest@sha256:df8f5529d8d657d75c702257d0ce05f0b1341872f8a84a085b76a20a202713b4
1075
pullPolicy: IfNotPresent
1076
# volumes is a list of volumes made available to all containers. These are rendered
1077
# via toYaml rather than pre-processed like the extraVolumes value.
1078
# The purpose is to make it easy to share volumes between containers.
1079
volumes: null
1080
# - name: tls
1081
# secret:
1082
# secretName: vault-tls
1083
1084
# volumeMounts is a list of volumeMounts for the main server container. These are rendered
1085
# via toYaml rather than pre-processed like the extraVolumes value.
1086
# The purpose is to make it easy to share volumes between containers.
1087
volumeMounts: null
1088
# - name: tls
1089
# mountPath: "/vault/tls"
1090
# readOnly: true
1091
1092
resources: {}
1093
# resources:
1094
# requests:
1095
# cpu: 50m
1096
# memory: 128Mi
1097
# limits:
1098
# cpu: 50m
1099
# memory: 128Mi
1100
1101
# Override the default secret name for the CSI Provider's HMAC key used for
1102
# generating secret versions.
1103
hmacSecretName: ""
1104
# Allow modification of the hostNetwork parameter to avoid the need of a
1105
# dedicated pod ip
1106
hostNetwork: false
1107
# Settings for the daemonSet used to run the provider.
1108
daemonSet:
1109
updateStrategy:
1110
type: RollingUpdate
1111
maxUnavailable: ""
1112
# Extra annotations for the daemonSet. This can either be YAML or a
1113
# YAML-formatted multi-line templated string map of the annotations to apply
1114
# to the daemonSet.
1115
annotations: {}
1116
# Provider host path (must match the CSI provider's path)
1117
providersDir: "/var/run/secrets-store-csi-providers"
1118
# Kubelet host path
1119
kubeletRootDir: "/var/lib/kubelet"
1120
# Extra labels to attach to the vault-csi-provider daemonSet
1121
# This should be a YAML map of the labels to apply to the csi provider daemonSet
1122
extraLabels: {}
1123
# Security context for the pod template and container in the csi provider
1124
# daemonSet. For OpenShift, the container securityContext defaults to
1125
# `privileged: true`.
1126
securityContext:
1127
pod: {}
1128
container: {}
1129
pod:
1130
# Extra annotations for the provider pods. This can either be YAML or a
1131
# YAML-formatted multi-line templated string map of the annotations to apply
1132
# to the pod.
1133
annotations: {}
1134
# Toleration Settings for provider pods
1135
# This should be either a multi-line string or YAML matching the Toleration array
1136
# in a PodSpec.
1137
tolerations: []
1138
# nodeSelector labels for csi pod assignment, formatted as a multi-line string or YAML map.
1139
# ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
1140
# Example:
1141
# nodeSelector:
1142
# beta.kubernetes.io/arch: amd64
1143
nodeSelector: {}
1144
# Affinity Settings
1145
# This should be either a multi-line string or YAML matching the PodSpec's affinity field.
1146
affinity: {}
1147
# Extra labels to attach to the vault-csi-provider pod
1148
# This should be a YAML map of the labels to apply to the csi provider pod
1149
extraLabels: {}
1150
agent:
1151
enabled: true
1152
extraArgs: []
1153
image:
1154
repository: cgr.dev/chainguard-private/vault
1155
tag: latest@sha256:17faa0ac104146587d4a9906ce17bd06b10064cc187a328a5393170df71aa8cb
1156
pullPolicy: IfNotPresent
1157
logFormat: standard
1158
logLevel: info
1159
resources: {}
1160
# resources:
1161
# requests:
1162
# memory: 256Mi
1163
# cpu: 250m
1164
# limits:
1165
# memory: 256Mi
1166
# cpu: 250m
1167
1168
# Security context for the vault agent sidecar container
1169
securityContext:
1170
container:
1171
allowPrivilegeEscalation: false
1172
capabilities:
1173
drop:
1174
- ALL
1175
readOnlyRootFilesystem: true
1176
runAsNonRoot: true
1177
runAsUser: 100
1178
runAsGroup: 1000
1179
# Priority class for csi pods
1180
priorityClassName: ""
1181
serviceAccount:
1182
# Extra annotations for the serviceAccount definition. This can either be
1183
# YAML or a YAML-formatted multi-line templated string map of the
1184
# annotations to apply to the serviceAccount.
1185
annotations: {}
1186
# Extra labels to attach to the vault-csi-provider serviceAccount
1187
# This should be a YAML map of the labels to apply to the csi provider serviceAccount
1188
extraLabels: {}
1189
# Used to configure readinessProbe for the pods.
1190
readinessProbe:
1191
# When a probe fails, Kubernetes will try failureThreshold times before giving up
1192
failureThreshold: 2
1193
# Number of seconds after the container has started before probe initiates
1194
initialDelaySeconds: 5
1195
# How often (in seconds) to perform the probe
1196
periodSeconds: 5
1197
# Minimum consecutive successes for the probe to be considered successful after having failed
1198
successThreshold: 1
1199
# Number of seconds after which the probe times out.
1200
timeoutSeconds: 3
1201
# Used to configure livenessProbe for the pods.
1202
livenessProbe:
1203
# When a probe fails, Kubernetes will try failureThreshold times before giving up
1204
failureThreshold: 2
1205
# Number of seconds after the container has started before probe initiates
1206
initialDelaySeconds: 5
1207
# How often (in seconds) to perform the probe
1208
periodSeconds: 5
1209
# Minimum consecutive successes for the probe to be considered successful after having failed
1210
successThreshold: 1
1211
# Number of seconds after which the probe times out.
1212
timeoutSeconds: 3
1213
# Configures the log level for the Vault CSI provider.
1214
# Supported log levels include: trace, debug, info, warn, error, and off
1215
logLevel: "info"
1216
# Deprecated, set logLevel to debug instead.
1217
# If set to true, the logLevel will be set to debug.
1218
debug: false
1219
# Pass arbitrary additional arguments to vault-csi-provider.
1220
# See https://developer.hashicorp.com/vault/docs/platform/k8s/csi/configurations#command-line-arguments
1221
# for the available command line flags.
1222
extraArgs: []
1223
# Vault is able to collect and publish various runtime metrics.
1224
# Enabling this feature requires setting adding `telemetry{}` stanza to
1225
# the Vault configuration. There are a few examples included in the `config` sections above.
1226
#
1227
# For more information see:
1228
# https://developer.hashicorp.com/vault/docs/configuration/telemetry
1229
# https://developer.hashicorp.com/vault/docs/internals/telemetry
1230
serverTelemetry:
1231
# Enable support for the Prometheus Operator. If authorization is not set for authenticating
1232
# to Vault's metrics endpoint, the following Vault server `telemetry{}` config must be included
1233
# in the `listener "tcp"{}` stanza
1234
# telemetry {
1235
# unauthenticated_metrics_access = "true"
1236
# }
1237
#
1238
# See the `standalone.config` for a more complete example of this.
1239
#
1240
# In addition, a top level `telemetry{}` stanza must also be included in the Vault configuration:
1241
#
1242
# example:
1243
# telemetry {
1244
# prometheus_retention_time = "30s"
1245
# disable_hostname = true
1246
# }
1247
#
1248
# Configuration for monitoring the Vault server.
1249
serviceMonitor:
1250
# The Prometheus operator *must* be installed before enabling this feature,
1251
# if not the chart will fail to install due to missing CustomResourceDefinitions
1252
# provided by the operator.
1253
#
1254
# Instructions on how to install the Helm chart can be found here:
1255
# https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack
1256
# More information can be found here:
1257
# https://github.com/prometheus-operator/prometheus-operator
1258
# https://github.com/prometheus-operator/kube-prometheus
1259
1260
# Enable deployment of the Vault Server ServiceMonitor CustomResource.
1261
enabled: false
1262
# Selector labels to add to the ServiceMonitor.
1263
# When empty, defaults to:
1264
# release: prometheus
1265
selectors: {}
1266
# Interval at which Prometheus scrapes metrics
1267
interval: 30s
1268
# Timeout for Prometheus scrapes
1269
scrapeTimeout: 10s
1270
# tlsConfig used for scraping the Vault metrics API.
1271
# See API reference: https://prometheus-operator.dev/docs/api-reference/api/#monitoring.coreos.com/v1.TLSConfig
1272
# example:
1273
# tlsConfig:
1274
# ca:
1275
# secret:
1276
# name: vault-metrics-client
1277
# key: ca.crt
1278
tlsConfig: {}
1279
# authorization used for scraping the Vault metrics API.
1280
# See API reference: https://prometheus-operator.dev/docs/api-reference/api/#monitoring.coreos.com/v1.SafeAuthorization
1281
# example:
1282
# authorization:
1283
# credentials:
1284
# name: vault-metrics-client
1285
# key: token
1286
authorization: {}
1287
# metricRelabelings configures the relabeling rules to apply to the samples before ingestion.
1288
# See API reference: https://prometheus-operator.dev/docs/api-reference/api/#monitoring.coreos.com/v1.RelabelConfig
1289
# example:
1290
# metricRelabelings:
1291
# - sourceLabels: [cluster]
1292
# targetLabel: vault_cluster
1293
metricRelabelings: []
1294
# matchLabels configures the service selector labels for the ServiceMonitor.
1295
# By default, the ServiceMonitor targets services with:
1296
# - HA mode: vault-active: "true" (scrapes the raft leader only)
1297
# - Standalone mode: vault-internal: "true"
1298
#
1299
# To scrape metrics from all Vault pods including standbys (Enterprise only):
1300
# 1. Enable unauthenticated_metrics_access in your Vault listener telemetry config
1301
# 2. Set matchLabels to target the vault-internal headless service
1302
# See: https://developer.hashicorp.com/vault/docs/configuration/telemetry#prometheus
1303
#
1304
# Example:
1305
# matchLabels:
1306
# vault-internal: "true"
1307
matchLabels: {}
1308
prometheusRules:
1309
# The Prometheus operator *must* be installed before enabling this feature,
1310
# if not the chart will fail to install due to missing CustomResourceDefinitions
1311
# provided by the operator.
1312
1313
# Deploy the PrometheusRule custom resource for AlertManager based alerts.
1314
# Requires that AlertManager is properly deployed.
1315
enabled: false
1316
# Selector labels to add to the PrometheusRules.
1317
# When empty, defaults to:
1318
# release: prometheus
1319
selectors: {}
1320
# Some example rules.
1321
rules: []
1322
# - alert: vault-HighResponseTime
1323
# annotations:
1324
# message: The response time of Vault is over 500ms on average over the last 5 minutes.
1325
# expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500
1326
# for: 5m
1327
# labels:
1328
# severity: warning
1329
# - alert: vault-HighResponseTime
1330
# annotations:
1331
# message: The response time of Vault is over 1s on average over the last 5 minutes.
1332
# expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000
1333
# for: 5m
1334
# labels:
1335
# severity: critical
1336

The trusted source for open source

Talk to an expert
PrivacyTerms

Product

Chainguard ContainersChainguard LibrariesChainguard VMsChainguard OS PackagesChainguard ActionsChainguard Agent SkillsIntegrationsPricing
© 2026 Chainguard, Inc. All Rights Reserved.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.