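# Helm values for the Vault chart: injector + HA server with TLS on the listener.
# The collapsed layout was restored; values are unchanged. Reviewer notes are
# marked NOTE(review) and placeholders (<...>) must be filled before deployment.
global:
  # enabled is the master enabled switch. Setting this to true or false
  # will enable or disable all the components within this chart by default.
  enabled: true
  # TLS for end-to-end encrypted transport. Must agree with tls_disable in the
  # listener stanza of server.ha.config below (both are false here).
  tlsDisable: false

injector:
  # True if you want to enable vault agent injection.
  enabled: true
  replicas: 1
  # If true, will enable a node exporter metrics endpoint at /metrics.
  metrics:
    enabled: false
  # Mount Path of the Vault Kubernetes Auth Method.
  authPath: "auth/kubernetes"
  certs:
    # secretName is the name of the secret that has the TLS certificate and
    # private key to serve the injector webhook. If this is null, then the
    # injector will default to its automatic management mode that will assign
    # a service account to the injector to generate its own certificates.
    secretName: null
    # caBundle is a base64-encoded PEM-encoded certificate bundle for the
    # CA that signed the TLS certificate that the webhook serves. This must
    # be set if secretName is non-null.
    caBundle: ""
    # certName and keyName are the names of the files within the secret for
    # the TLS cert and private key, respectively. These have reasonable
    # defaults but can be customized if necessary.
    certName: tls.crt
    keyName: tls.key

server:
  # Resource requests, limits, etc. for the server cluster placement. This
  # should map directly to the value of the resources field for a PodSpec.
  # By default no direct resource request is made.
  # NOTE(review): no `resources:` key follows this comment in this file, so
  # the chart default (no request) applies.

  # Enables a headless service to be used by the Vault Statefulset
  service:
    enabled: true
    # Port on which Vault server is listening
    port: 8200
    # Target port to which the service should be mapped to
    targetPort: 8200

  # This configures the Vault Statefulset to create a PVC for audit
  # logs. Once Vault is deployed, initialized and unseal, Vault must
  # be configured to use this for audit logs. This will be mounted to
  # /vault/audit
  # See https://www.vaultproject.io/docs/audit/index.html to know more
  # NOTE(review): audit persistence is off. With this value a file audit
  # device would write to pod-local storage and be lost on restart; enable
  # it (or ship audit logs elsewhere) before relying on Vault audit trails.
  auditStorage:
    enabled: false

  # Run Vault in "HA" mode. There are no storage requirements unless audit log
  # persistence is required. In HA mode Vault will configure itself to use Consul
  # for its storage backend. The default configuration provided will work the Consul
  # Helm project by default. It is possible to manually configure Vault to use a
  # different HA backend.
  ha:
    enabled: true
    replicas: 3
    # Set the api_addr configuration for Vault HA
    # See https://www.vaultproject.io/docs/configuration#api_addr
    # If set to null, this will be set to the Pod IP Address
    apiAddr: null
    # config is a raw string of default configuration when using a Stateful
    # deployment. Default is to use a Consul for its HA storage backend.
    # This should be HCL.
    # Note: Configuration files are stored in ConfigMaps so sensitive data
    # such as passwords should be either mounted through extraSecretEnvironmentVars
    # or through a Kube secret. For more information see:
    # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
    #
    # NOTE(review): the HCL below has NO active `storage` stanza -- the Consul
    # default the comment above refers to is not present and the postgresql
    # example is commented out. Vault needs a storage backend to start; pick one
    # and keep its credentials out of this ConfigMap (see the note above).
    config: |
      ui = true
      listener "tcp" {
        address = "[::]:8200"
        cluster_address = "[::]:8201"
        # NOTE: this value must match the Helm value global.tlsDisable
        tls_disable = false
        # NOTE(review): the volume that mounts /etc/certs into the server pod is
        # not defined in this file (no extraVolumes/volumes here) -- confirm it
        # is supplied elsewhere, otherwise the listener fails to start.
        tls_cert_file = "/etc/certs/vault.crt"
        tls_key_file = "/etc/certs/vault.key"
      }
      # NOTE(review): if this example is enabled, do not use sslmode=disable in
      # production (credentials and secrets travel in clear to the database;
      # prefer sslmode=verify-full with a CA file), and do not inline the
      # password here -- this whole string lands in a ConfigMap.
      # storage "postgresql" {
      #   connection_url = "postgres://username:password@<host>:5432/vault?sslmode=disable"
      #   ha_enabled = true
      # }
      service_registration "kubernetes" {}
      # Example configuration for using auto-unseal, using AWS KMS.
      # the cluster must have a service account that is authorized to access AWS KMS, through an IAM Role.
      # seal "awskms" {
      #   region = "us-east-1"
      #   kms_key_id = "<some-key-id>"
      #   By default the plugin uses the public AWS KMS endpoint; the parameter
      #   below switches it to a VPC endpoint you created in your own VPC.
      #   endpoint = "https://<vpc-endpoint-id>.kms.us-east-1.vpce.amazonaws.com"
      # }

  # Definition of the serviceAccount used to run Vault.
  # These options are also used when using an external Vault server to validate
  # Kubernetes tokens.
  serviceAccount:
    create: true
    name: "vault"
    annotations:
      # For auto-unseal, set this to the AWS IAM role that may use the KMS key.
      # NOTE(review): scope that role to the single KMS key and only the
      # actions the awskms seal needs; this service account also runs the
      # Vault pods, so any extra AWS permission here is reachable from Vault.
      eks.amazonaws.com/role-arn: "<role-arn>"

# Vault UI
ui:
  enabled: true
  publishNotReadyAddresses: true
  # ClusterIP keeps the UI off the node network; front it with an
  # authenticated ingress if it needs to be reachable from outside.
  serviceType: ClusterIP
  activeVaultPodOnly: true
  externalPort: 8200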
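# NOTE(review): this second `global:`/`injector:` stanza repeats the top-level
# keys of the values file above. It reads as a separate values file (the
# external-Vault variant) pasted after the first; keep it in its own file --
# duplicate top-level keys in one YAML document are rejected by strict parsers
# and silently last-wins in the rest.
global:
  # enabled is the master enabled switch. Setting this to true or false
  # will enable or disable all the components within this chart by default.
  enabled: true
  # TLS for end-to-end encrypted transport
  tlsDisable: false

injector:
  # True if you want to enable vault agent injection.
  enabled: true
  replicas: 1
  # If multiple replicas are specified, by default a leader-elector side-car
  # will be created so that only one injector attempts to create TLS certificates.
  leaderElector:
    enabled: true
    image:
      # NOTE(review): a mutable tag from a third-party registry; pin the image
      # by digest (and mirror it) so the side-car cannot change underneath you.
      repository: "gcr.io/google_containers/leader-elector"
      tag: "0.4"
    ttl: 60s
  # If true, will enable a node exporter metrics endpoint at /metrics.
  metrics:
    enabled: false
  # External vault server address for the injector to use. Setting this will
  # disable deployment of a vault server along with the injector.
  # TODO: how is the CA certificate for this https endpoint supplied to the
  # injector, and how would mTLS to the external Vault be configured?
  # NOTE(review): the `certs.*` keys below configure the certificate the
  # injector *webhook* serves to the Kubernetes API server; they do not tell
  # the injector which CA to trust for externalVaultAddr. That trust must be
  # configured separately -- confirm which value this chart version exposes
  # before relying on the https scheme here.
  externalVaultAddr: "https://<external-vault-url>"
  # Mount Path of the Vault Kubernetes Auth Method.
  authPath: "auth/kubernetes"
  certs:
    # secretName is the name of the secret that has the TLS certificate and
    # private key to serve the injector webhook. If this is null, then the
    # injector will default to its automatic management mode that will assign
    # a service account to the injector to generate its own certificates.
    secretName: null
    # caBundle is a base64-encoded PEM-encoded certificate bundle for the
    # CA that signed the TLS certificate that the webhook serves. This must
    # be set if secretName is non-null.
    caBundle: ""
    # certName and keyName are the names of the files within the secret for
    # the TLS cert and private key, respectively. These have reasonable
    # defaults but can be customized if necessary.
    certName: tls.crt
    keyName: tls.key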