# Copyright IBM Corp. 2018, 2025
# SPDX-License-Identifier: MPL-2.0
# Available parameters and their default values for the Vault chart.
global:
  # enabled is the master enabled switch. Setting this to true or false
  # will enable or disable all the components within this chart by default.
  enabled: true
  # The namespace to deploy to. Defaults to the `helm` installation namespace.
  namespace: ""
  # Image pull secret to use for registry authentication.
  # Alternatively, the value may be specified as an array of strings.
  # NOTE(review): the image repositories configured in this file point at
  # cgr.dev/chainguard-private, which presumably needs a pull secret — confirm
  # against the registry before deploying with this left empty.
  imagePullSecrets: []
  # imagePullSecrets:
  #   - name: image-pull-secret

  # TLS for end-to-end encrypted transport.
  # The default of true disables TLS, so traffic to the Vault listener is sent
  # in the clear; set to false and supply certificates to encrypt transport.
  tlsDisable: true
  # External vault server address for the injector and CSI provider to use.
  # Setting this will disable deployment of a vault server.
  externalVaultAddr: ""
  # If deploying to OpenShift
  openshift: false
  # Create PodSecurityPolicy for pods
  # NOTE(review): PodSecurityPolicy was removed from Kubernetes in 1.25; on
  # newer clusters enabling this has no effect and Pod Security Admission
  # (or an equivalent policy engine) should be used instead.
  psp:
    enable: false
    # Annotation for PodSecurityPolicy.
    # This is a multi-line templated string map, and can also be set as YAML.
    # The seccomp/apparmor annotation keys below are the legacy alpha/beta
    # forms; they are only honored by clusters that still ship PSP.
    annotations: |
      seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default
      apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
      seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
      apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
  serverTelemetry:
    # Enable integration with the Prometheus Operator
    # See the top level serverTelemetry section below before enabling this feature.
    prometheusOperator: false
injector:
  # True if you want to enable vault agent injection.
  # @default: global.enabled
  enabled: "-"

  replicas: 1

  # Configures the port the injector should listen on
  port: 8080

  # If multiple replicas are specified, by default a leader will be determined
  # so that only one injector attempts to create TLS certificates.
  leaderElector:
    enabled: true

  # If true, will enable a node exporter metrics endpoint at /metrics.
  metrics:
    enabled: false

  # Deprecated: Please use global.externalVaultAddr instead.
  externalVaultAddr: ""

  # image sets the repo and tag of the vault-k8s image to use for the injector.
  # The tag carries an @sha256 digest, so the image is pinned to exact content
  # rather than to whatever "latest" resolves to at pull time.
  image:
    repository: cgr.dev/chainguard-private/vault-k8s
    tag: latest@sha256:49ee19340687ccd0b749b23eb8ed5bffe03b504692879fcd927b46054dfc4451
    pullPolicy: IfNotPresent

  # agentImage sets the repo and tag of the Vault image to use for the Vault Agent
  # containers. This should be set to the official Vault image. Vault 1.3.1+ is
  # required.
  agentImage:
    repository: cgr.dev/chainguard-private/vault
    tag: latest@sha256:df045aea7f18e4451ad669461387e271fbf30530a7832802c5db5b59fe76eeb7

  # The default values for the injected Vault Agent containers.
  agentDefaults:
    # For more information on configuring resources, see the K8s documentation:
    # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
    cpuLimit: "500m"
    cpuRequest: "250m"
    memLimit: "128Mi"
    memRequest: "64Mi"
    # ephemeralLimit: "128Mi"
    # ephemeralRequest: "64Mi"

    # Default template type for secrets when no custom template is specified.
    # Possible values include: "json" and "map".
    template: "map"

    # Default values within Agent's template_config stanza.
    templateConfig:
      exitOnRetryFailure: true
      staticSecretRenderInterval: ""

  # Used to define custom livenessProbe settings
  livenessProbe:
    # When a probe fails, Kubernetes will try failureThreshold times before giving up
    failureThreshold: 2
    # Number of seconds after the container has started before probe initiates
    initialDelaySeconds: 5
    # How often (in seconds) to perform the probe
    periodSeconds: 2
    # Minimum consecutive successes for the probe to be considered successful after having failed
    successThreshold: 1
    # Number of seconds after which the probe times out.
    timeoutSeconds: 5

  # Used to define custom readinessProbe settings
  readinessProbe:
    # When a probe fails, Kubernetes will try failureThreshold times before giving up
    failureThreshold: 2
    # Number of seconds after the container has started before probe initiates
    initialDelaySeconds: 5
    # How often (in seconds) to perform the probe
    periodSeconds: 2
    # Minimum consecutive successes for the probe to be considered successful after having failed
    successThreshold: 1
    # Number of seconds after which the probe times out.
    timeoutSeconds: 5

  # Used to define custom startupProbe settings
  startupProbe:
    # When a probe fails, Kubernetes will try failureThreshold times before giving up
    failureThreshold: 12
    # Number of seconds after the container has started before probe initiates
    initialDelaySeconds: 5
    # How often (in seconds) to perform the probe
    periodSeconds: 5
    # Minimum consecutive successes for the probe to be considered successful after having failed
    successThreshold: 1
    # Number of seconds after which the probe times out.
    timeoutSeconds: 5

  # Mount Path of the Vault Kubernetes Auth Method.
  authPath: "auth/kubernetes"

  # Configures the log verbosity of the injector.
  # Supported log levels include: trace, debug, info, warn, error
  logLevel: "info"

  # Configures the log format of the injector. Supported log formats: "standard", "json".
  logFormat: "standard"

  # Configures all Vault Agent sidecars to revoke their token when shutting down
  revokeOnShutdown: false

  webhook:
    # Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the
    # API Version of the WebHook.
    # To block pod creation while the webhook is unavailable, set the policy to `Fail` below.
    # With `Ignore` the webhook fails open: while it is unreachable, pods are
    # admitted without the agent sidecar, so workloads that depend on injected
    # secrets start without them rather than being held back.
    # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy
    #
    failurePolicy: Ignore

    # matchPolicy specifies the approach to accepting changes based on the rules of
    # the MutatingWebhookConfiguration.
    # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy
    # for more details.
    #
    matchPolicy: Exact

    # timeoutSeconds is the amount of seconds before the webhook request will be ignored
    # or fails.
    # If it is ignored or fails depends on the failurePolicy
    # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#timeouts
    # for more details.
    #
    timeoutSeconds: 30

    # namespaceSelector is the selector for restricting the webhook to only
    # specific namespaces.
    # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
    # for more details.
    # Example:
    # namespaceSelector:
    #   matchLabels:
    #     sidecar-injector: enabled
    namespaceSelector: {}

    # objectSelector is the selector for restricting the webhook to only
    # specific labels.
    # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector
    # for more details.
    # Example:
    # objectSelector:
    #   matchLabels:
    #     vault-sidecar-injector: enabled
    # The default below is a templated multi-line string that excludes the
    # injector's own pods from the webhook.
    objectSelector: |
      matchExpressions:
      - key: app.kubernetes.io/name
        operator: NotIn
        values:
        - {{ template "vault.name" . }}-agent-injector

    # Extra annotations to attach to the webhook
    annotations: {}

  # Deprecated: please use 'webhook.failurePolicy' instead
  # Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the
  # API Version of the WebHook.
  # To block pod creation while webhook is unavailable, set the policy to `Fail` below.
  # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy
  #
  failurePolicy: Ignore

  # Deprecated: please use 'webhook.namespaceSelector' instead
  # namespaceSelector is the selector for restricting the webhook to only
  # specific namespaces.
  # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
  # for more details.
  # Example:
  # namespaceSelector:
  #   matchLabels:
  #     sidecar-injector: enabled
  namespaceSelector: {}

  # Deprecated: please use 'webhook.objectSelector' instead
  # objectSelector is the selector for restricting the webhook to only
  # specific labels.
  # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector
  # for more details.
  # Example:
  # objectSelector:
  #   matchLabels:
  #     vault-sidecar-injector: enabled
  objectSelector: {}

  # Deprecated: please use 'webhook.annotations' instead
  # Extra annotations to attach to the webhook
  webhookAnnotations: {}

  certs:
    # secretName is the name of the secret that has the TLS certificate and
    # private key to serve the injector webhook. If this is null, then the
    # injector will default to its automatic management mode that will assign
    # a service account to the injector to generate its own certificates.
    secretName: null

    # caBundle is a base64-encoded PEM-encoded certificate bundle for the CA
    # that signed the TLS certificate that the webhook serves. This must be set
    # if secretName is non-null unless an external service like cert-manager is
    # keeping the caBundle updated.
    caBundle: ""

    # certName and keyName are the names of the files within the secret for
    # the TLS cert and private key, respectively. These have reasonable
    # defaults but can be customized if necessary.
    certName: tls.crt
    keyName: tls.key

  # Security context for the pod template and the injector container
  # The default pod securityContext is:
  #   runAsNonRoot: true
  #   runAsGroup: {{ .Values.injector.gid | default 1000 }}
  #   runAsUser: {{ .Values.injector.uid | default 100 }}
  #   fsGroup: {{ .Values.injector.gid | default 1000 }}
  # and for container is
  #   allowPrivilegeEscalation: false
  #   capabilities:
  #     drop:
  #       - ALL
  # Values set here are applied in place of those defaults (see the chart's
  # templates for how the two are combined), so keep runAsNonRoot and the
  # capability drop when overriding.
  securityContext:
    pod: {}
    container: {}

  resources: {}
  # resources:
  #   requests:
  #     memory: 256Mi
  #     cpu: 250m
  #   limits:
  #     memory: 256Mi
  #     cpu: 250m

  # extraEnvironmentVars is a map of extra environment variables to set in the
  # injector deployment (see the example below).
  extraEnvironmentVars: {}
    # KUBERNETES_SERVICE_HOST: kubernetes.default.svc

  # Affinity Settings for injector pods
  # This can either be a multi-line string or YAML matching the PodSpec's affinity field.
  # Commenting out or setting as empty the affinity variable, will allow
  # deployment of multiple replicas to single node services such as Minikube.
  affinity: |
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchLabels:
              app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
              app.kubernetes.io/instance: "{{ .Release.Name }}"
              component: webhook
          topologyKey: kubernetes.io/hostname

  # Topology settings for injector pods
  # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
  # This should be either a multi-line string or YAML matching the topologySpreadConstraints array
  # in a PodSpec.
  topologySpreadConstraints: []

  # Toleration Settings for injector pods
  # This should be either a multi-line string or YAML matching the Toleration array
  # in a PodSpec.
  tolerations: []

  # nodeSelector labels for injector pod assignment, formatted as a multi-line string or YAML map.
  # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
  # Example:
  # nodeSelector:
  #   beta.kubernetes.io/arch: amd64
  nodeSelector: {}

  # Priority class for injector pods
  priorityClassName: ""

  # Extra annotations to attach to the injector pods
  # This can either be YAML or a YAML-formatted multi-line templated string map
  # of the annotations to apply to the injector pods
  annotations: {}

  # Extra labels to attach to the agent-injector
  # This should be a YAML map of the labels to apply to the injector
  extraLabels: {}

  # Should the injector pods run on the host network (useful when using
  # an alternate CNI in EKS)
  # Enabling this binds the webhook listener (port above) on the node's own
  # network namespace, so it becomes reachable outside the pod network.
  hostNetwork: false

  # Injector service specific config
  service:
    # Extra annotations to attach to the injector service
    annotations: {}

  # Injector serviceAccount specific config
  serviceAccount:
    # Extra annotations to attach to the injector serviceAccount
    annotations: {}

  # A disruption budget limits the number of pods of a replicated application
  # that are down simultaneously from voluntary disruptions
  podDisruptionBudget: {}
  # podDisruptionBudget:
  #   maxUnavailable: 1

  # strategy for updating the deployment. This can be a multi-line string or a
  # YAML map.
  strategy: {}
  # strategy: |
  #   rollingUpdate:
  #     maxSurge: 25%
  #     maxUnavailable: 25%
  #   type: RollingUpdate
server:
311
# If true, or "-" with global.enabled true, Vault server will be installed.
312
# See vault.mode in _helpers.tpl for implementation details.
313
enabled: "-"
314
# [Enterprise Only] This value refers to a Kubernetes secret that you have
315
# created that contains your enterprise license. If you are not using an
316
# enterprise image or if you plan to introduce the license key via another
317
# route, then leave secretName blank ("") or set it to null.
318
# Requires Vault Enterprise 1.8 or later.
319
enterpriseLicense:
320
# The name of the Kubernetes secret that holds the enterprise license. The
321
# secret must be in the same namespace that Vault is installed into.
322
secretName: ""
323
# The key within the Kubernetes secret that holds the enterprise license.
324
secretKey: "license"
325
# OpenShift service-ca operator integration
326
# Automates TLS certificate generation via the service-ca operator
327
serviceCA:
328
# Enable service-ca operator annotations and ConfigMap creation
329
# Requires: global.openshift=true
330
enabled: false
331
# Secret name where service-ca will store the generated certificate
332
# IMPORTANT: Must match the secret name in server.volumes below
333
secretName: "vault-tls"
334
# ConfigMap name for service-ca CA bundle injection
335
# IMPORTANT: Must match the ConfigMap name in server.volumes below
336
configMapName: "service-ca-bundle"
337
# IMPORTANT: Configure server.volumes, server.volumeMounts, AND server config to use service-ca
338
#
339
# Step 1: Mount the service-ca resources as volumes
340
# volumes:
341
# - name: vault-tls
342
# secret:
343
# secretName: vault-tls # Must match serviceCA.secretName above
344
# - name: service-ca-bundle
345
# configMap:
346
# name: service-ca-bundle # Must match serviceCA.configMapName above
347
#
348
# volumeMounts:
349
# - name: vault-tls
350
# mountPath: /vault/userconfig/vault-tls
351
# readOnly: true
352
# - name: service-ca-bundle
353
# mountPath: /vault/userconfig/service-ca-bundle
354
# readOnly: true
355
#
356
# Step 2: Configure Vault listener to use the certificates (in server.ha.config or server.ha.raft.config)
357
# listener "tcp" {
358
# tls_disable = 0
359
# address = "[::]:8200"
360
# cluster_address = "[::]:8201"
361
# tls_cert_file = "/vault/userconfig/vault-tls/tls.crt"
362
# tls_key_file = "/vault/userconfig/vault-tls/tls.key"
363
# tls_client_ca_file = "/vault/userconfig/service-ca-bundle/service-ca.crt"
364
# }
365
image:
366
repository: cgr.dev/chainguard-private/vault
367
tag: latest@sha256:df045aea7f18e4451ad669461387e271fbf30530a7832802c5db5b59fe76eeb7
368
# Overrides the default Image Pull Policy
369
pullPolicy: IfNotPresent
370
# Configure the Update Strategy Type for the StatefulSet
371
# See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
372
updateStrategyType: "OnDelete"
373
# Configure the logging verbosity for the Vault server.
374
# Supported log levels include: trace, debug, info, warn, error
375
logLevel: ""
376
# Configure the logging format for the Vault server.
377
# Supported log formats include: standard, json
378
logFormat: ""
379
# Resource requests, limits, etc. for the server cluster placement. This
380
# should map directly to the value of the resources field for a PodSpec.
381
# By default no direct resource request is made.
382
resources: {}
383
# resources:
384
# requests:
385
# memory: 256Mi
386
# cpu: 250m
387
# limits:
388
# memory: 256Mi
389
# cpu: 250m
390
391
# Ingress allows ingress services to be created to allow external access
392
# from Kubernetes to access Vault pods.
393
# If deployment is on OpenShift, the following block is ignored.
394
# In order to expose the service, use the route section below
395
ingress:
396
enabled: false
397
labels: {}
398
# traffic: external
399
annotations: {}
400
# |
401
# kubernetes.io/ingress.class: nginx
402
# kubernetes.io/tls-acme: "true"
403
# or
404
# kubernetes.io/ingress.class: nginx
405
# kubernetes.io/tls-acme: "true"
406
407
# Optionally use ingressClassName instead of deprecated annotation.
408
# See: https://kubernetes.io/docs/concepts/services-networking/ingress/#deprecated-annotation
409
ingressClassName: ""
410
# As of Kubernetes 1.19, all Ingress Paths must have a pathType configured. The default value below should be sufficient in most cases.
411
# See: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types for other possible values.
412
pathType: Prefix
413
# When HA mode is enabled and K8s service registration is being used,
414
# configure the ingress to point to the Vault active service.
415
activeService: true
416
hosts:
417
- host: chart-example.local
418
paths: []
419
## Extra paths to prepend to the host configuration. This is useful when working with annotation based services.
420
extraPaths: []
421
# - path: /*
422
# backend:
423
# service:
424
# name: ssl-redirect
425
# port:
426
# number: use-annotation
427
tls: []
428
# - secretName: chart-example-tls
429
# hosts:
430
# - chart-example.local
431
# hostAliases is a list of aliases to be added to /etc/hosts. Specified as a YAML list.
432
hostAliases: []
433
# - ip: 127.0.0.1
434
# hostnames:
435
# - chart-example.local
436
437
# OpenShift only - create a route to expose the service
438
# By default the created route will be of type passthrough
439
route:
440
enabled: false
441
# When HA mode is enabled and K8s service registration is being used,
442
# configure the route to point to the Vault active service.
443
activeService: true
444
labels: {}
445
annotations: {}
446
host: chart-example.local
447
# tls will be passed directly to the route's TLS config, which
448
# can be used to configure other termination methods that terminate
449
# TLS at the router
450
tls:
451
termination: passthrough
452
# authDelegator enables a cluster role binding to be attached to the service
453
# account. This cluster role binding can be used to setup Kubernetes auth
454
# method. See https://developer.hashicorp.com/vault/docs/auth/kubernetes
455
authDelegator:
456
enabled: true
457
# extraInitContainers is a list of init containers. Specified as a YAML list.
458
# This is useful if you need to run a script to provision TLS certificates or
459
# write out configuration files in a dynamic way.
460
extraInitContainers: null
461
# # This example installs a plugin pulled from github into the /usr/local/libexec/vault/oauthapp folder,
462
# # which is defined in the volumes value.
463
# - name: oauthapp
464
# image: "alpine"
465
# command: [sh, -c]
466
# args:
467
# - cd /tmp &&
468
# wget https://github.com/puppetlabs/vault-plugin-secrets-oauthapp/releases/download/v1.2.0/vault-plugin-secrets-oauthapp-v1.2.0-linux-amd64.tar.xz -O oauthapp.xz &&
469
# tar -xf oauthapp.xz &&
470
# mv vault-plugin-secrets-oauthapp-v1.2.0-linux-amd64 /usr/local/libexec/vault/oauthapp &&
471
# chmod +x /usr/local/libexec/vault/oauthapp
472
# volumeMounts:
473
# - name: plugins
474
# mountPath: /usr/local/libexec/vault
475
476
# extraContainers is a list of sidecar containers. Specified as a YAML list.
477
extraContainers: null
478
# shareProcessNamespace enables process namespace sharing between Vault and the extraContainers
479
# This is useful if Vault must be signaled, e.g. to send a SIGHUP for a log rotation
480
shareProcessNamespace: false
481
# extraArgs is a string containing additional Vault server arguments.
482
extraArgs: ""
483
# extraPorts is a list of extra ports. Specified as a YAML list.
484
# This is useful if you need to add additional ports to the statefulset in dynamic way.
485
extraPorts: null
486
# - containerPort: 8300
487
# name: http-monitoring
488
489
# Used to define custom readinessProbe settings
490
readinessProbe:
491
enabled: true
492
# If you need to use a http path instead of the default exec
493
# path: /v1/sys/health?standbyok=true
494
495
# Port number on which readinessProbe will be checked.
496
port: 8200
497
# When a probe fails, Kubernetes will try failureThreshold times before giving up
498
failureThreshold: 2
499
# Number of seconds after the container has started before probe initiates
500
initialDelaySeconds: 5
501
# How often (in seconds) to perform the probe
502
periodSeconds: 5
503
# Minimum consecutive successes for the probe to be considered successful after having failed
504
successThreshold: 1
505
# Number of seconds after which the probe times out.
506
timeoutSeconds: 3
507
# Used to enable a livenessProbe for the pods
508
livenessProbe:
509
enabled: false
510
# Used to define a liveness exec command. If provided, exec is preferred to httpGet (path) as the livenessProbe handler.
511
execCommand: []
512
# - /bin/sh
513
# - -c
514
# - /vault/userconfig/mylivenessscript/run.sh
515
# Path for the livenessProbe to use httpGet as the livenessProbe handler
516
path: "/v1/sys/health?standbyok=true"
517
# Port number on which livenessProbe will be checked if httpGet is used as the livenessProbe handler
518
port: 8200
519
# When a probe fails, Kubernetes will try failureThreshold times before giving up
520
failureThreshold: 2
521
# Number of seconds after the container has started before probe initiates
522
initialDelaySeconds: 60
523
# How often (in seconds) to perform the probe
524
periodSeconds: 5
525
# Minimum consecutive successes for the probe to be considered successful after having failed
526
successThreshold: 1
527
# Number of seconds after which the probe times out.
528
timeoutSeconds: 3
529
# Optional duration in seconds the pod needs to terminate gracefully.
530
# See: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
531
terminationGracePeriodSeconds: 10
532
# Used to set the sleep time during the preStop step, if custom preStop
533
# commands are not set.
534
preStopSleepSeconds: 5
535
# Used to define custom preStop exec commands to run before the pod is
536
# terminated. If not set, this will default to:
537
# preStop:
538
# - "/bin/sh"
539
# - "-c"
540
# - "sleep {{ .Values.server.preStopSleepSeconds }} && kill -SIGTERM $(pidof vault)"
541
preStop: []
542
# Used to define commands to run after the pod is ready.
543
# This can be used to automate processes such as initialization
544
# or boostrapping auth methods.
545
postStart: []
546
# - /bin/sh
547
# - -c
548
# - /vault/userconfig/myscript/run.sh
549
550
# extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be
551
# used to include variables required for auto-unseal.
552
extraEnvironmentVars: {}
553
# GOOGLE_REGION: global
554
# GOOGLE_PROJECT: myproject
555
# GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/myproject/myproject-creds.json
556
557
# extraSecretEnvironmentVars is a list of extra environment variables to set with the stateful set.
558
# These variables take value from existing Secret objects.
559
extraSecretEnvironmentVars: []
560
# - envName: AWS_SECRET_ACCESS_KEY
561
# secretName: vault
562
# secretKey: AWS_SECRET_ACCESS_KEY
563
564
# Deprecated: please use 'volumes' instead.
565
# extraVolumes is a list of extra volumes to mount. These will be exposed
566
# to Vault in the path `/vault/userconfig/<name>/`. The value below is
567
# an array of objects, examples are shown below.
568
extraVolumes: []
569
# - type: secret (or "configMap")
570
# name: my-secret
571
# path: null # default is `/vault/userconfig`
572
573
# volumes is a list of volumes made available to all containers. These are rendered
574
# via toYaml rather than pre-processed like the extraVolumes value.
575
# The purpose is to make it easy to share volumes between containers.
576
volumes: null
577
# - name: plugins
578
# emptyDir: {}
579
580
# volumeMounts is a list of volumeMounts for the main server container. These are rendered
581
# via toYaml rather than pre-processed like the extraVolumes value.
582
# The purpose is to make it easy to share volumes between containers.
583
volumeMounts: null
584
# - mountPath: /usr/local/libexec/vault
585
# name: plugins
586
# readOnly: true
587
588
# Affinity Settings
589
# Commenting out or setting as empty the affinity variable, will allow
590
# deployment to single node services such as Minikube
591
# This should be either a multi-line string or YAML matching the PodSpec's affinity field.
592
affinity: |
593
podAntiAffinity:
594
requiredDuringSchedulingIgnoredDuringExecution:
595
- labelSelector:
596
matchLabels:
597
app.kubernetes.io/name: {{ template "vault.name" . }}
598
app.kubernetes.io/instance: "{{ .Release.Name }}"
599
component: server
600
topologyKey: kubernetes.io/hostname
601
# Topology settings for server pods
602
# ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
603
# This should be either a multi-line string or YAML matching the topologySpreadConstraints array
604
# in a PodSpec.
605
topologySpreadConstraints: []
606
# Toleration Settings for server pods
607
# This should be either a multi-line string or YAML matching the Toleration array
608
# in a PodSpec.
609
tolerations: []
610
# nodeSelector labels for server pod assignment, formatted as a multi-line string or YAML map.
611
# ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
612
# Example:
613
# nodeSelector:
614
# beta.kubernetes.io/arch: amd64
615
nodeSelector: {}
616
# Enables network policy for server pods
617
networkPolicy:
618
enabled: false
619
egress: []
620
# egress:
621
# - to:
622
# - ipBlock:
623
# cidr: 10.0.0.0/24
624
# ports:
625
# - protocol: TCP
626
# port: 443
627
ingress:
628
- from:
629
- namespaceSelector: {}
630
ports:
631
- port: 8200
632
protocol: TCP
633
- port: 8201
634
protocol: TCP
635
# Priority class for server pods
636
priorityClassName: ""
637
# Extra labels to attach to the server pods
638
# This should be a YAML map of the labels to apply to the server pods
639
extraLabels: {}
640
# Extra annotations to attach to the server pods
641
# This can either be YAML or a YAML-formatted multi-line templated string map
642
# of the annotations to apply to the server pods
643
annotations: {}
644
# Add an annotation to the server configmap and the statefulset pods,
645
# vaultproject.io/config-checksum, that is a hash of the Vault configuration.
646
# This can be used together with an OnDelete deployment strategy to help
647
# identify which pods still need to be deleted during a deployment to pick up
648
# any configuration changes.
649
includeConfigAnnotation: false
650
# Enables a headless service to be used by the Vault Statefulset
651
service:
652
enabled: true
653
# Enable or disable the vault-active service, which selects Vault pods that
654
# have labeled themselves as the cluster leader with `vault-active: "true"`.
655
active:
656
enabled: true
657
# Extra annotations for the service definition. This can either be YAML or a
658
# YAML-formatted multi-line templated string map of the annotations to apply
659
# to the active service.
660
annotations: {}
661
# Enable or disable the vault-standby service, which selects Vault pods that
662
# have labeled themselves as a cluster follower with `vault-active: "false"`.
663
standby:
664
enabled: true
665
# Extra annotations for the service definition. This can either be YAML or a
666
# YAML-formatted multi-line templated string map of the annotations to apply
667
# to the standby service.
668
annotations: {}
669
# If enabled, the service selectors will include `app.kubernetes.io/instance: {{ .Release.Name }}`
670
# When disabled, services may select Vault pods not deployed from the chart.
671
# Does not affect the headless vault-internal service with `ClusterIP: None`
672
instanceSelector:
673
enabled: true
674
# clusterIP controls whether a Cluster IP address is attached to the
675
# Vault service within Kubernetes. By default, the Vault service will
676
# be given a Cluster IP address, set to None to disable. When disabled
677
# Kubernetes will create a "headless" service. Headless services can be
678
# used to communicate with pods directly through DNS instead of a round-robin
679
# load balancer.
680
# clusterIP: None
681
682
# Configures the service type for the main Vault service. Can be ClusterIP
# or NodePort.
# NodePort publishes the listener on every node address; the commented
# nodePort values further down only pin which port number is used.
#type: ClusterIP

# The IP family and IP families options are to set the behaviour in a dual-stack environment.
# Omitting these values will let the service fall back to whatever the CNI dictates the defaults
# should be.
# These are only supported for kubernetes versions >=1.23.0
#
# Configures the service's supported IP family policy, can be either:
# SingleStack: Single-stack service. The control plane allocates a cluster IP for the Service, using the first configured service cluster IP range.
# PreferDualStack: Allocates IPv4 and IPv6 cluster IPs for the Service.
# RequireDualStack: Allocates Service .spec.ClusterIPs from both IPv4 and IPv6 address ranges.
ipFamilyPolicy: ""
# Sets the families that should be supported and the order in which they should be applied to ClusterIP as well.
# Can be IPv4 and/or IPv6.
ipFamilies: []
# Do not wait for pods to be ready before including them in the services'
# targets. Does not apply to the headless service, which is used for
# cluster-internal communication.
# With this set, pods that have not passed their readiness probe are still
# selected as endpoints of the main service.
publishNotReadyAddresses: true
# The externalTrafficPolicy can be set to either Cluster or Local
# and is only valid for LoadBalancer and NodePort service types.
# The default value is Cluster.
# ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-traffic-policy
# Local additionally preserves the client source address as Vault sees it
# (Cluster may present a node address instead), which matters when audit-log
# entries or listener-level address filtering need the real client IP.
externalTrafficPolicy: Cluster
# If type is set to "NodePort", a specific nodePort value can be configured,
# will be random if left blank.
#nodePort: 30000

# When HA mode is enabled
# If type is set to "NodePort", a specific nodePort value can be configured,
# will be random if left blank.
#activeNodePort: 30001

# When HA mode is enabled
# If type is set to "NodePort", a specific nodePort value can be configured,
# will be random if left blank.
#standbyNodePort: 30002

# Port on which Vault server is listening
port: 8200
# Target port to which the service should be mapped to
targetPort: 8200
# Extra annotations for the service definition. This can either be YAML or a
# YAML-formatted multi-line templated string map of the annotations to apply
# to the service.
annotations: {}
# This configures the Vault Statefulset to create a PVC for data
# storage when using the file or raft backend storage engines.
# See https://developer.hashicorp.com/vault/docs/configuration/storage to know more
# (Referenced elsewhere in this file as `server.dataStorage`: the stanza sits
# under the top-level `server:` key; the nesting is flattened in this rendering.)
dataStorage:
  enabled: true
  # Size of the PVC created
  size: 10Gi
  # Location where the PVC will be mounted.
  mountPath: "/vault/data"
  # Name of the storage class to use. If null it will use the
  # configured default Storage Class.
  storageClass: null
  # Access Mode of the storage device being used for the PVC
  accessMode: ReadWriteOnce
  # Annotations to apply to the PVC
  annotations: {}
  # Labels to apply to the PVC
  labels: {}
  # Persistent Volume Claim (PVC) retention policy
  # ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention
  # Example:
  #   persistentVolumeClaimRetentionPolicy:
  #     whenDeleted: Retain
  #     whenScaled: Retain
  # A `Delete` policy removes the volume that holds the file/raft storage
  # backend together with the StatefulSet, i.e. all of Vault's data; only
  # choose it where a snapshot/backup process already exists.
  persistentVolumeClaimRetentionPolicy: {}
# This configures the Vault Statefulset to create a PVC for audit
# logs. Once Vault is deployed, initialized, and unsealed, Vault must
# be configured to use this for audit logs. This will be mounted to
# /vault/audit
# See https://developer.hashicorp.com/vault/docs/audit to know more
# The PVC only provides the storage: with the default of false there is no
# persistent audit trail at all, and even when enabled no audit device exists
# until one is registered inside Vault after unseal.
auditStorage:
  enabled: false
  # Size of the PVC created
  # Size this for the expected request volume and monitor usage: Vault
  # requires at least one enabled audit device to be writable and stops
  # serving requests when this is the only one and the volume is full.
  size: 10Gi
  # Location where the PVC will be mounted.
  mountPath: "/vault/audit"
  # Name of the storage class to use. If null it will use the
  # configured default Storage Class.
  storageClass: null
  # Access Mode of the storage device being used for the PVC
  accessMode: ReadWriteOnce
  # Annotations to apply to the PVC
  annotations: {}
  # Labels to apply to the PVC
  labels: {}
# Run Vault in "dev" mode. This requires no further setup, no state management,
# and no initialization. This is useful for experimenting with Vault without
# needing to unseal, store keys, et. al. All data is lost on restart - do not
# use dev mode for anything other than experimenting.
# See https://developer.hashicorp.com/vault/docs/concepts/dev-server to know more
dev:
  enabled: false
  # Set VAULT_DEV_ROOT_TOKEN_ID value
  # This is handed to the server as an environment variable, so the root
  # token is readable by anyone who can view the pod spec, and the default
  # value is well known; together with the in-memory storage this is why dev
  # mode is limited to local experimentation.
  devRootToken: "root"
# Run Vault in "standalone" mode. This is the default mode that will deploy if
# no arguments are given to helm. This requires a PVC for data storage to use
# the "file" backend. This mode is not highly available and should not be scaled
# past a single replica.
standalone:
  # Sentinel string; presumably the templates resolve it from the dev/ha
  # settings (confirm in the chart templates). Keep it quoted: a bare `-` is
  # YAML sequence syntax.
  enabled: "-"
  # config is a raw string of default configuration when using a Stateful
  # deployment. Default is to use a PersistentVolumeClaim mounted at /vault/data
  # and store data there. This is only used when using a Replica count of 1, and
  # using a stateful set. Supported formats are HCL and JSON.

  # Note: Configuration files are stored in ConfigMaps so sensitive data
  # such as passwords should be either mounted through extraSecretEnvironmentVars
  # or through a Kube secret. For more information see:
  # https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
  #
  # The default listener below is plaintext (`tls_disable = 1`) and binds all
  # interfaces. Serving TLS means providing a certificate and key to the
  # listener here and changing the chart's TLS switch (`global.tlsDisable`)
  # to match, so that probes and clients use the same scheme.
  # The commented `seal "gcpckms"` example is the place for auto-unseal; the
  # project/key names in it are examples and must be replaced.
  config: |-
    ui = true

    listener "tcp" {
      tls_disable = 1
      address = "[::]:8200"
      cluster_address = "[::]:8201"
      # Enable unauthenticated metrics access (necessary for Prometheus Operator)
      #telemetry {
      #  unauthenticated_metrics_access = "true"
      #}
    }
    storage "file" {
      path = "/vault/data"
    }

    # Example configuration for using auto-unseal, using Google Cloud KMS. The
    # GKMS keys must already exist, and the cluster must have a service account
    # that is authorized to access GCP KMS.
    #seal "gcpckms" {
    #   project     = "vault-helm-dev"
    #   region      = "global"
    #   key_ring    = "vault-helm-unseal-kr"
    #   crypto_key  = "vault-helm-unseal-key"
    #}

    # Example configuration for enabling Prometheus metrics in your config.
    #telemetry {
    #  prometheus_retention_time = "30s"
    #  disable_hostname = true
    #}
# Run Vault in "HA" mode. There are no storage requirements unless the audit log
# persistence is required. In HA mode Vault will configure itself to use Consul
# for its storage backend. The default configuration provided will work the Consul
# Helm project by default. It is possible to manually configure Vault to use a
# different HA backend.
ha:
  enabled: false
  replicas: 3
  # Set the api_addr configuration for Vault HA
  # See https://developer.hashicorp.com/vault/docs/configuration#api_addr
  # If set to null, this will be set to the Pod IP Address
  apiAddr: null
  # Set the cluster_addr configuration for Vault HA
  # See https://developer.hashicorp.com/vault/docs/configuration#cluster_addr
  # If set to null, this will be set to https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201
  clusterAddr: null
  # Enables Vault's integrated Raft storage. Unlike the typical HA modes where
  # Vault's persistence is external (such as Consul), enabling Raft mode will create
  # persistent volumes for Vault to store data according to the configuration under server.dataStorage.
  # The Vault cluster will coordinate leader elections and failovers internally.
  raft:
    # Enables Raft integrated storage
    enabled: false
    # Set the Node Raft ID to the name of the pod
    setNodeId: false
    # Note: Configuration files are stored in ConfigMaps so sensitive data
    # such as passwords should be either mounted through extraSecretEnvironmentVars
    # or through a Kube secret. For more information see:
    # https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
    # Supported formats are HCL and JSON.
    #
    # The listener is plaintext by default (`tls_disable = 1`); see the note
    # on the standalone config for what changing that entails. The
    # `service_registration "kubernetes" {}` stanza needs the RBAC created by
    # `serviceAccount.serviceDiscovery.enabled` further down.
    config: |
      ui = true

      listener "tcp" {
        tls_disable = 1
        address = "[::]:8200"
        cluster_address = "[::]:8201"
        # Enable unauthenticated metrics access (necessary for Prometheus Operator)
        #telemetry {
        #  unauthenticated_metrics_access = "true"
        #}
      }

      storage "raft" {
        path = "/vault/data"
      }

      service_registration "kubernetes" {}
  # config is a raw string of default configuration when using a Stateful
  # deployment. Default is to use a Consul for its HA storage backend.
  # Supported formats are HCL and JSON.

  # Note: Configuration files are stored in ConfigMaps so sensitive data
  # such as passwords should be either mounted through extraSecretEnvironmentVars
  # or through a Kube secret. For more information see:
  # https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
  #
  # `HOST_IP` in the consul address is not a valid host on its own; it looks
  # like a placeholder the chart substitutes with the node address at start-up
  # — confirm against the statefulset template before relying on it. The
  # `service_registration "kubernetes" {}` stanza needs the RBAC created by
  # `serviceAccount.serviceDiscovery.enabled` further down.
  config: |
    ui = true

    listener "tcp" {
      tls_disable = 1
      address = "[::]:8200"
      cluster_address = "[::]:8201"
    }
    storage "consul" {
      path = "vault"
      address = "HOST_IP:8500"
    }

    service_registration "kubernetes" {}

    # Example configuration for using auto-unseal, using Google Cloud KMS. The
    # GKMS keys must already exist, and the cluster must have a service account
    # that is authorized to access GCP KMS.
    #seal "gcpckms" {
    #   project     = "vault-helm-dev-246514"
    #   region      = "global"
    #   key_ring    = "vault-helm-unseal-kr"
    #   crypto_key  = "vault-helm-unseal-key"
    #}

    # Example configuration for enabling Prometheus metrics.
    # If you are using Prometheus Operator you can enable a ServiceMonitor resource below.
    # You may wish to enable unauthenticated metrics in the listener block above.
    #telemetry {
    #  prometheus_retention_time = "30s"
    #  disable_hostname = true
    #}
  # A disruption budget limits the number of pods of a replicated application
  # that are down simultaneously from voluntary disruptions
  disruptionBudget:
    enabled: true
    # maxUnavailable will default to (n/2)-1 where n is the number of
    # replicas. If you'd like a custom value, you can specify an override here.
    # Raising this above the default lets voluntary disruptions take down
    # enough nodes to lose raft quorum; keep it below a majority of replicas.
    maxUnavailable: null
# Definition of the serviceAccount used to run Vault.
# These options are also used when using an external Vault server to validate
# Kubernetes tokens.
serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""
  # Create a Secret API object to store a non-expiring token for the service account.
  # Prior to v1.24.0, Kubernetes used to generate this secret for each service account by default.
  # Kubernetes now recommends using short-lived tokens from the TokenRequest API or projected volumes instead if possible.
  # For more details, see https://kubernetes.io/docs/concepts/configuration/secret/#service-account-token-secrets
  # serviceAccount.create must be equal to 'true' in order to use this feature.
  # A non-expiring token is a standing credential stored as a Secret in the
  # namespace: leave this off unless a consumer needs a static token, and
  # review who holds Secret read access in the namespace before enabling it.
  createSecret: false
  # Extra annotations for the serviceAccount definition. This can either be
  # YAML or a YAML-formatted multi-line templated string map of the
  # annotations to apply to the serviceAccount.
  annotations: {}
  # Extra labels to attach to the serviceAccount
  # This should be a YAML map of the labels to apply to the serviceAccount
  extraLabels: {}
  # Enable or disable a service account role binding with the permissions required for
  # Vault's Kubernetes service_registration config option.
  # See https://developer.hashicorp.com/vault/docs/configuration/service-registration/kubernetes
  # Required by the `service_registration "kubernetes" {}` stanza in the
  # default ha and ha.raft configs; if that stanza is removed from the config,
  # this can be disabled to keep the service account's RBAC minimal.
  serviceDiscovery:
    enabled: true
# Settings for the statefulSet used to run Vault.
statefulSet:
  # Extra annotations for the statefulSet. This can either be YAML or a
  # YAML-formatted multi-line templated string map of the annotations to apply
  # to the statefulSet.
  annotations: {}
  # Set the pod and container security contexts.
  # If not set, these will default to, and for *not* OpenShift:
  #   pod:
  #     runAsNonRoot: true
  #     runAsGroup: {{ .Values.server.gid | default 1000 }}
  #     runAsUser: {{ .Values.server.uid | default 100 }}
  #     fsGroup: {{ .Values.server.gid | default 1000 }}
  #   container:
  #     allowPrivilegeEscalation: false
  #
  # If not set, these will default to, and for OpenShift:
  #   pod: {}
  #   container: {}
  #
  # NOTE(review): "if not set" reads as though any value supplied here
  # replaces the defaults as a whole rather than merging with them; if so, a
  # custom pod context must carry runAsNonRoot/runAsUser/fsGroup itself and a
  # custom container context must repeat allowPrivilegeEscalation: false.
  # Confirm against the statefulset template.
  securityContext:
    pod: {}
    container: {}
# Should the server pods run on the host network
# On the host network the listener binds the node's interfaces directly and
# pod-level NetworkPolicy typically no longer applies to it.
hostNetwork: false
# Vault UI
ui:
  # True if you want to create a Service entry for the Vault UI.
  #
  # serviceType can be used to control the type of service created. For
  # example, setting this to "LoadBalancer" will create an external load
  # balancer (for supported K8S installations) to access the UI.
  #
  # The service forwards to port 8200, the same listener that serves the API,
  # so exposing the UI externally exposes the whole Vault API; with a
  # LoadBalancer type, restrict reachability with loadBalancerSourceRanges
  # (example below) or an external filter.
  enabled: false
  publishNotReadyAddresses: true
  # The service should only contain selectors for active Vault pod
  activeVaultPodOnly: false
  serviceType: "ClusterIP"
  serviceNodePort: null
  externalPort: 8200
  targetPort: 8200
  # The IP family and IP families options are to set the behaviour in a dual-stack environment.
  # Omitting these values will let the service fall back to whatever the CNI dictates the defaults
  # should be.
  # These are only supported for kubernetes versions >=1.23.0
  #
  # Configures the service's supported IP family, can be either:
  # SingleStack: Single-stack service. The control plane allocates a cluster IP for the Service, using the first configured service cluster IP range.
  # PreferDualStack: Allocates IPv4 and IPv6 cluster IPs for the Service.
  # RequireDualStack: Allocates Service .spec.ClusterIPs from both IPv4 and IPv6 address ranges.
  serviceIPFamilyPolicy: ""
  # Sets the families that should be supported and the order in which they should be applied to ClusterIP as well
  # Can be IPv4 and/or IPv6.
  serviceIPFamilies: []
  # The externalTrafficPolicy can be set to either Cluster or Local
  # and is only valid for LoadBalancer and NodePort service types.
  # The default value is Cluster.
  # ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-traffic-policy
  externalTrafficPolicy: Cluster
  # Source CIDRs allowed to reach a LoadBalancer-type service; the entries
  # below are examples only.
  #loadBalancerSourceRanges:
  #   - 10.0.0.0/16
  #   - 1.78.23.3/32

  # loadBalancerIP:

  # Extra annotations to attach to the ui service
  # This can either be YAML or a YAML-formatted multi-line templated string map
  # of the annotations to apply to the ui service
  annotations: {}
# secrets-store-csi-driver-provider-vault
csi:
  # True if you want to install a secrets-store-csi-driver-provider-vault daemonset.
  #
  # Requires installing the secrets-store-csi-driver separately, see:
  # https://github.com/kubernetes-sigs/secrets-store-csi-driver#install-the-secrets-store-csi-driver
  #
  # With the driver and provider installed, you can mount Vault secrets into volumes
  # similar to the Vault Agent injector, and you can also sync those secrets into
  # Kubernetes secrets.
  # Syncing into Kubernetes Secrets makes the values readable to anyone with
  # Secret read access in that namespace, outside Vault's policy and audit
  # controls; prefer volume mounts where the consumer supports them.
  enabled: false
  image:
    repository: cgr.dev/chainguard-private/vault-csi-provider
    # Pinned by digest; the `latest` tag portion is informational, the digest
    # is what gets pulled. Update the digest deliberately rather than
    # dropping it.
    tag: latest@sha256:c59e391483ad57ab78faa4b52cd90a116883c0ec62426f980787d47f573b9acc
    pullPolicy: IfNotPresent
  # volumes is a list of volumes made available to all containers. These are rendered
  # via toYaml rather than pre-processed like the extraVolumes value.
  # The purpose is to make it easy to share volumes between containers.
  volumes: null
  #  - name: tls
  #    secret:
  #      secretName: vault-tls

  # volumeMounts is a list of volumeMounts for the main server container. These are rendered
  # via toYaml rather than pre-processed like the extraVolumes value.
  # The purpose is to make it easy to share volumes between containers.
  volumeMounts: null
  #  - name: tls
  #    mountPath: "/vault/tls"
  #    readOnly: true

  resources: {}
  # resources:
  #   requests:
  #     cpu: 50m
  #     memory: 128Mi
  #   limits:
  #     cpu: 50m
  #     memory: 128Mi

  # Override the default secret name for the CSI Provider's HMAC key used for
  # generating secret versions.
  # The HMAC key only derives version identifiers for secrets; it is still a
  # Secret object in the namespace and is subject to the same access review.
  hmacSecretName: ""
  # Allow modification of the hostNetwork parameter to avoid the need of a
  # dedicated pod ip
  # Host networking places the provider pod on the node's interfaces; keep it
  # off unless the cluster's IP budget requires it.
  hostNetwork: false
  # Settings for the daemonSet used to run the provider.
  daemonSet:
    updateStrategy:
      type: RollingUpdate
      maxUnavailable: ""
    # Extra annotations for the daemonSet. This can either be YAML or a
    # YAML-formatted multi-line templated string map of the annotations to apply
    # to the daemonSet.
    annotations: {}
    # Provider host path (must match the CSI provider's path)
    # Both of the following are host directories mounted into the provider
    # pod, which is why the pod runs per node as a DaemonSet and why its
    # security context matters.
    providersDir: "/var/run/secrets-store-csi-providers"
    # Kubelet host path
    kubeletRootDir: "/var/lib/kubelet"
    # Extra labels to attach to the vault-csi-provider daemonSet
    # This should be a YAML map of the labels to apply to the csi provider daemonSet
    extraLabels: {}
    # Security context for the pod template and container in the csi provider
    # daemonSet. For OpenShift, the container securityContext defaults to
    # `privileged: true`.
    # Unlike the agent sidecar below, the provider container ships with no
    # hardening by default; values set here are what the pod admission
    # policy of the cluster will evaluate.
    securityContext:
      pod: {}
      container: {}
  pod:
    # Extra annotations for the provider pods. This can either be YAML or a
    # YAML-formatted multi-line templated string map of the annotations to apply
    # to the pod.
    annotations: {}
    # Toleration Settings for provider pods
    # This should be either a multi-line string or YAML matching the Toleration array
    # in a PodSpec.
    tolerations: []
    # nodeSelector labels for csi pod assignment, formatted as a multi-line string or YAML map.
    # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
    # Example:
    # nodeSelector:
    #   beta.kubernetes.io/arch: amd64
    nodeSelector: {}
    # Affinity Settings
    # This should be either a multi-line string or YAML matching the PodSpec's affinity field.
    affinity: {}
    # Extra labels to attach to the vault-csi-provider pod
    # This should be a YAML map of the labels to apply to the csi provider pod
    extraLabels: {}
  agent:
    enabled: true
    extraArgs: []
    image:
      repository: cgr.dev/chainguard-private/vault
      # Pinned by digest, as for the provider image above.
      tag: latest@sha256:df045aea7f18e4451ad669461387e271fbf30530a7832802c5db5b59fe76eeb7
      pullPolicy: IfNotPresent
    logFormat: standard
    logLevel: info
    resources: {}
    # resources:
    #   requests:
    #     memory: 256Mi
    #     cpu: 250m
    #   limits:
    #     memory: 256Mi
    #     cpu: 250m

    # Security context for the vault agent sidecar container
    # Hardened baseline: no privilege escalation, all capabilities dropped,
    # read-only root filesystem, non-root uid/gid.
    securityContext:
      container:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 100
        runAsGroup: 1000
  # Priority class for csi pods
  priorityClassName: ""
  serviceAccount:
    # Extra annotations for the serviceAccount definition. This can either be
    # YAML or a YAML-formatted multi-line templated string map of the
    # annotations to apply to the serviceAccount.
    annotations: {}
    # Extra labels to attach to the vault-csi-provider serviceAccount
    # This should be a YAML map of the labels to apply to the csi provider serviceAccount
    extraLabels: {}
  # Used to configure readinessProbe for the pods.
  readinessProbe:
    # When a probe fails, Kubernetes will try failureThreshold times before giving up
    failureThreshold: 2
    # Number of seconds after the container has started before probe initiates
    initialDelaySeconds: 5
    # How often (in seconds) to perform the probe
    periodSeconds: 5
    # Minimum consecutive successes for the probe to be considered successful after having failed
    successThreshold: 1
    # Number of seconds after which the probe times out.
    timeoutSeconds: 3
  # Used to configure livenessProbe for the pods.
  livenessProbe:
    # When a probe fails, Kubernetes will try failureThreshold times before giving up
    failureThreshold: 2
    # Number of seconds after the container has started before probe initiates
    initialDelaySeconds: 5
    # How often (in seconds) to perform the probe
    periodSeconds: 5
    # Minimum consecutive successes for the probe to be considered successful after having failed
    successThreshold: 1
    # Number of seconds after which the probe times out.
    timeoutSeconds: 3
  # Configures the log level for the Vault CSI provider.
  # Supported log levels include: trace, debug, info, warn, error, and off
  logLevel: "info"
  # Deprecated, set logLevel to debug instead.
  # If set to true, the logLevel will be set to debug.
  # Debug-level output can include request details; treat provider logs as
  # sensitive when either of these raises verbosity.
  debug: false
  # Pass arbitrary additional arguments to vault-csi-provider.
  # See https://developer.hashicorp.com/vault/docs/platform/k8s/csi/configurations#command-line-arguments
  # for the available command line flags.
  extraArgs: []
# Vault is able to collect and publish various runtime metrics.
# Enabling this feature requires setting adding `telemetry{}` stanza to
# the Vault configuration. There are a few examples included in the `config` sections above.
#
# For more information see:
# https://developer.hashicorp.com/vault/docs/configuration/telemetry
# https://developer.hashicorp.com/vault/docs/internals/telemetry
serverTelemetry:
  # Enable support for the Prometheus Operator. If authorization is not set for authenticating
  # to Vault's metrics endpoint, the following Vault server `telemetry{}` config must be included
  # in the `listener "tcp"{}` stanza
  #   telemetry {
  #     unauthenticated_metrics_access = "true"
  #   }
  #
  # See the `standalone.config` for a more complete example of this.
  #
  # In addition, a top level `telemetry{}` stanza must also be included in the Vault configuration:
  #
  # example:
  #   telemetry {
  #     prometheus_retention_time = "30s"
  #     disable_hostname = true
  #   }
  #
  # Prefer `serviceMonitor.authorization` below over
  # `unauthenticated_metrics_access`: the latter serves the metrics endpoint
  # to any client that can reach the listener, and metrics reveal mount
  # names, request rates and cluster topology.
  #
  # Configuration for monitoring the Vault server.
  serviceMonitor:
    # The Prometheus operator *must* be installed before enabling this feature,
    # if not the chart will fail to install due to missing CustomResourceDefinitions
    # provided by the operator.
    #
    # Instructions on how to install the Helm chart can be found here:
    #  https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack
    # More information can be found here:
    #  https://github.com/prometheus-operator/prometheus-operator
    #  https://github.com/prometheus-operator/kube-prometheus

    # Enable deployment of the Vault Server ServiceMonitor CustomResource.
    enabled: false
    # Selector labels to add to the ServiceMonitor.
    # When empty, defaults to:
    #  release: prometheus
    selectors: {}
    # Interval at which Prometheus scrapes metrics
    interval: 30s
    # Timeout for Prometheus scrapes
    scrapeTimeout: 10s
    # tlsConfig used for scraping the Vault metrics API.
    # See API reference: https://prometheus-operator.dev/docs/api-reference/api/#monitoring.coreos.com/v1.TLSConfig
    # example:
    # tlsConfig:
    #   ca:
    #     secret:
    #       name: vault-metrics-client
    #       key: ca.crt
    # Needed once the listener serves TLS; pin the CA here rather than
    # disabling verification on the Prometheus side.
    tlsConfig: {}
    # authorization used for scraping the Vault metrics API.
    # See API reference: https://prometheus-operator.dev/docs/api-reference/api/#monitoring.coreos.com/v1.SafeAuthorization
    # example:
    # authorization:
    #   credentials:
    #     name: vault-metrics-client
    #     key: token
    # The referenced Secret holds a Vault token; scope that token to a policy
    # that only permits reading the metrics path.
    authorization: {}
    # metricRelabelings configures the relabeling rules to apply to the samples before ingestion.
    # See API reference: https://prometheus-operator.dev/docs/api-reference/api/#monitoring.coreos.com/v1.RelabelConfig
    # example:
    # metricRelabelings:
    #   - sourceLabels: [cluster]
    #     targetLabel: vault_cluster
    metricRelabelings: []
    # matchLabels configures the service selector labels for the ServiceMonitor.
    # By default, the ServiceMonitor targets services with:
    #   - HA mode: vault-active: "true" (scrapes the raft leader only)
    #   - Standalone mode: vault-internal: "true"
    #
    # To scrape metrics from all Vault pods including standbys (Enterprise only):
    #   1. Enable unauthenticated_metrics_access in your Vault listener telemetry config
    #   2. Set matchLabels to target the vault-internal headless service
    # See: https://developer.hashicorp.com/vault/docs/configuration/telemetry#prometheus
    #
    # Example:
    # matchLabels:
    #   vault-internal: "true"
    matchLabels: {}
  prometheusRules:
    # The Prometheus operator *must* be installed before enabling this feature,
    # if not the chart will fail to install due to missing CustomResourceDefinitions
    # provided by the operator.

    # Deploy the PrometheusRule custom resource for AlertManager based alerts.
    # Requires that AlertManager is properly deployed.
    enabled: false
    # Selector labels to add to the PrometheusRules.
    # When empty, defaults to:
    #  release: prometheus
    selectors: {}
    # Some example rules.
    # The `namespace="mynamespace"` label in the examples must be replaced
    # with the namespace Vault is deployed to, otherwise the alerts never fire.
    rules: []
    #  - alert: vault-HighResponseTime
    #    annotations:
    #      message: The response time of Vault is over 500ms on average over the last 5 minutes.
    #    expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500
    #    for: 5m
    #    labels:
    #      severity: warning
    #  - alert: vault-HighResponseTime
    #    annotations:
    #      message: The response time of Vault is over 1s on average over the last 5 minutes.
    #    expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000
    #    for: 5m
    #    labels:
    #      severity: critical
