Configuration

Important Note: This chart is not compatible with Helm 3. Please use Helm 2 with this chart.

The chart is highly customizable using Helm configuration values. Each value has a default tuned for an optimal getting started experience with Vault. Before going into production, please review the parameters below and consider if they're appropriate for your deployment.

global - These global values affect multiple components of the chart.
- enabled (boolean: true) - The master enabled/disabled configuration. If this is true, most components will be installed by default. If this is false, no components will be installed by default and manually opting-in is required, such as by setting server.enabled to true.
- imagePullSecrets (string: "") - Defines secrets to be used when pulling images from private registries.
  - name: (string: required) - Name of the secret containing files required for authentication to private image registries.
- tlsDisable (boolean: true) - When set to true, changes URLs from https to http (such as the VAULT_ADDR=http://127.0.0.1:8200 environment variable set on the Vault pods).
injector - Values that configure running a Vault Agent Injector Admission Webhook Controller within Kubernetes.
- enabled (boolean: true) - When set to true, the Vault Agent Injector Admission Webhook controller will be created.
- image - Values that configure the Vault Agent Injector Docker image.
  - repository (string: "hashicorp/vault-k8s") - The name of the Docker image for Vault Agent Injector.
  - tag (string: "0.2.0") - The tag of the Docker image for the Vault Agent Injector. This should be pinned to a specific version when running in production. Otherwise, other changes to the chart may inadvertently upgrade your admission controller.
  - pullPolicy (string: "IfNotPresent") - The pull policy for container images. The default pull policy is IfNotPresent which causes the Kubelet to skip pulling an image if it already exists.
- agentImage - Values that configure the Vault Agent sidecar image.
  - repository (string: "vault") - The name of the Docker image for the Vault Agent sidecar. This should be set to the official Vault Docker image.
  - tag (string: "1.3.1") - The tag of the Vault Docker image to use for the Vault Agent Sidecar. Vault 1.3.1+ is required by the admission controller.
- resources (string: "") - The resource requests and limits (CPU, memory, etc.) for each of the server. This should be a multi-line string mapping directly to a Kubernetes ResourceRequirements object. If this isn't specified, then the pods won't request any specific amount of resources.
  Setting this is highly recommended.
```
# Resources are defined as a formatted multi-line string:
resources: |
  requests:
    memory: "10Gi"
  limits:
    memory: "10Gi"
```
- namespaceSelector (string: "") - The selector used by the admission webhook controller to limit what namespaces where injection can happen. If set to null, all non-system namespaces are eligible for injection.
```
# Selectors are defined as a formatted multi-line string.
# In this example, all namespaces with the label "injection: enabled" are eligible:
namespaceSelector: |
  matchLabels:
    injection: enabled
```
- certs - The certs section configures how the webhook TLS certs are configured. These are the TLS certs for the Kube apiserver communicating to the webhook. By default, the injector will generate and manage its own certs, but this requires the ability for the injector to update its own MutatingWebhookConfiguration. In a production environment, custom certs should probably be used. Configure the values below to enable this.
  - secretName (string: "") - secretName is the name of the Kubernetes secret that has the TLS certificate and private key to serve the injector webhook. If this is null, then the injector will default to its automatic management mode.
  - caBundle (string: "") - The PEM-encoded CA public certificate bundle for the TLS certificate served by the injector. This must be specified as a string and can't come from a secret because it must be statically configured on the Kubernetes MutatingAdmissionWebhook resource. This only needs to be specified if secretName is not null.
  - certName (string: "tls.crt") - The name of the certificate file within the secretName secret.
  - keyName (string: "tls.key") - The name of the key file within the secretName secret.
server - Values that configure running a Vault server within Kubernetes.
- image - Values that configure the Vault Docker image.
  - repository (string: "vault") - The name of the Docker image for the containers running Vault.
  - tag (string: "1.3.1") - The tag of the Docker image for the containers running Vault. This should be pinned to a specific version when running in production. Otherwise, other changes to the chart may inadvertently upgrade your admission controller.
  - pullPolicy (string: "IfNotPresent") - The pull policy for container images. The default pull policy is IfNotPresent which causes the Kubelet to skip pulling an image if it already exists.
  - resources (string: null) - The resource requests and limits (CPU, memory, etc.) for each of the server. This should be a multi-line string mapping directly to a Kubernetes ResourceRequirements object. If this isn't specified, then the pods won't request any specific amount of resources. Setting this is highly recommended.
    # Resources are defined as a formatted multi-line string: resources: | requests: memory: "10Gi" limits: memory: "10Gi"
  - ingress - Values that configure Ingress services for Vault.
    - enabled (boolean: false) - When set to true, an Ingress service will be created.
    - annotations (string) - This value defines additional annotations to add to the Ingress service. This should be formatted as a multi-line string.
    annotations: | kubernetes.io/ingress.class: nginx kubernetes.io/tls-acme: "true"
    - hosts - Values that configure the Ingress host rules.
      - host (string: required): Name of the host to use for Ingress.
      - paths (string: required): This value defines the types of host rules for the Ingress service.
      paths: - backend: serviceName: service2 servicePort: 80
  - tls - Values that configure the Ingress TLS rules.
    - hosts (string: null): Name of the hosts defined in the Common Name of the TLS Certificate. This should be formated as a multi-line string.
    - secretName (string: null): Name of the secret containing the required TLS files such as certificates and keys.
    hosts: - sslexample.foo.com - sslexample.bar.com secretName: testsecret-tls
  - authDelegator - Values that configure the Cluster Role Binding attached to the Vault service account.
    - enabled (boolean: true) - When set to true, a Cluster Role Binding will be bound to the Vault service account. This Cluster Role Binding has the necessary privileges for Vault to use the Kubernetes Auth Method.
  - readinessProbe - Values that configure the readiness probe for the Vault pods.
    - enabled (boolean: true) - When set to true, a readiness probe will be applied to the Vault pods.
    - path (string: "") - When set to a value, enables HTTP/HTTPS probes instead of using the default exec probe. The http/https scheme is controled by the tlsDisable value.
```
readinessProbe:
  enabled: true
  path: /v1/sys/health?standbyok=true
```
  - livelinessProbes - Values that configure the liveliness probe for the Vault pods.
    - enabled (boolean: false) - When set to true, a liveliness probe will be applied to the Vault pods.
    - path (string: "/v1/sys/health?standbyok=true") - When set to a value, enables HTTP/HTTPS probes instead of using the default exec probe. The http/https scheme is controled by the tlsDisable value.
    - initialDelaySeconds (int: 60) - Sets the initial delay of the liveliness probe when the container starts.
```
livelinessProbe:
  enabled: true
  path: /v1/sys/health?standbyok=true
  initialDelaySeconds: 60
```
  - extraContainers (array: []) - The extra containers to be applied to the Vault server pods.
```
extraContainers:
  - name: mycontainer
    image: 'app:0.0.0'
    env: ...
```
```
# Extra Environment Variables are defined as key/value strings.
extraEnvironmentVars:
  GOOGLE_REGION: global
  GOOGLE_PROJECT: myproject
  GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/myproject/myproject-creds.json
```
  - extraEnvironmentVars - The extra environment variables to be applied to the Vault server. This should be a multi-line key/value string.
```
# Extra Environment Variables are defined as key/value strings.
extraEnvironmentVars:
  GOOGLE_REGION: global
  GOOGLE_PROJECT: myproject
  GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/myproject/myproject-creds.json
```
  - extraArgs (string: null) - The extra arguments to be applied to the Vault server startup command.
    extraArgs: '-config=/path/to/extra/config.hcl -log-format=json'
  - extraSecretEnvironmentVars (string: null) - The extra environment variables populated from a secret to be applied to the Vault server. This should be a multi-line key/value string.
    - envName (string: required) - Name of the environment variable to be populated in the Vault container.
    - secretName (string: required) - Name of Kubernetes secret used to populate the environment variable defined by envName.
    - secretKey (string: required) - Name of the key where the requested secret value is located in the Kubernetes secret.
    # Extra Environment Variables populated from a secret. extraSecretEnvironmentVars: - envName: AWS_SECRET_ACCESS_KEY secretName: vault secretKey: AWS_SECRET_ACCESS_KEY
  - extraVolumes (array: []) - A list of extra volumes to mount to Vault servers. This is useful for bringing in extra data that can be referenced by other configurations at a well known path, such as TLS certificates. The value of this should be a list of objects. Each object supports the following keys:
    - type (string: required) - Type of the volume, must be one of "configMap" or "secret". Case sensitive.
    - name (string: required) - Name of the configMap or secret to be mounted. This also controls the path that it is mounted to. The volume will be mounted to /vault/userconfig/<name> by default unless path is configured.
    - path (string: /vault/userconfigs) - Name of the path where a configMap or secret is mounted. If not specified the volume will be mounted to /vault/userconfig/<name of volume>.
    extraVolumes: - type: 'secret' name: 'vault-certs' path: '/etc/pki'
  - affinity - This value defines the affinity for server pods. It defaults to allowing only a single pod on each node, which minimizes risk of the cluster becoming unusable if a node is lost. If you need to run more pods per node (for example, testing on Minikube), set this value to null.
```
# Recommended default server affinity:
affinity: |
  podAntiAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
    - labelSelector:
      matchLabels:
        app: {{ template "vault.name" . }}
        release: "{{ .Release.Name }}"
        component: server
      topologyKey: kubernetes.io/hostname
```
  - tolerations (array []) - This value defines the tolerations that are acceptable when being scheduled.
```
tolerations:
  - key: 'node.kubernetes.io/unreachable'
    operator: 'Exists'
    effect: 'NoExecute'
    tolerationSeconds: 6000
```
  - nodeSelector - This value defines additional node selection criteria for more control over where the Vault servers are deployed.
```
nodeSelector:
  disktype: ssd
```
  - extraLabels - This value defines additional labels for server pods. This should be formatted as a multi-line string.
```
extraLabels: |
  "sample/label1": "foo"
  "sample/label2": "bar"
```
  - annotations - This value defines additional annotations for server pods. This should be a formatted as a multi-line string.
```
annotations: |
  "sample/annotation1": "foo"
  "sample/annotation2": "bar"
```
  - service - Values that configure the Kubernetes service created for Vault.
    - enabled (boolean: true) - When set to true, a Kubernetes service will be created for Vault.
    - clusterIP (string) - ClusterIP controls whether an IP address (cluster IP) is attached to the Vault service within Kubernetes. By default the Vault service will be given a Cluster IP address, set to None to disable. When disabled Kubernetes will create a "headless" service. Headless services can be used to communicate with pods directly through DNS instead of a round robin load balancer.
    - type (string: "ClusterIP") - Sets the type of service to create, such as NodePort.
    - port (int: 8200) - Port on which Vault server is listening inside the pod.
    - targetPort (int: 8200) - Port on which the service is listening.
    - nodePort (int:) - When type is set to NodePort, the bound node port can be configured using this value. A random port will be assigned if this is left blank.
    - annotations (string) - This value defines additional annotations for the service. This should be formatted as a multi-line string.
    annotations: | "sample/annotation1": "foo" "sample/annotation2": "bar"
  - serviceAccount - Values that configure the Kubernetes service account created for Vault.
    - annotations (string) - This value defines additional annotations for the service account. This should be formatted as a multi-line string.
    annotations: | "sample/annotation1": "foo" "sample/annotation2": "bar"
  - extraVolumes - This configures the Service resource created for the Vault server.
    - enabled (boolean: true) - Enables a service to allow other pods running in Kubernetes to communicate with the Vault server.
  - dataStorage - This configures the volume used for storing Vault data when not using external storage such as Consul.
    - enabled (boolean: true) - Enables a persistent volume to be created for storing Vault data when not using an external storage service.
    - size (string: 10Gi) - Size of the volume to be created for Vault's data storage when not using an external storage service.
    - storageClass (string: null) - Name of the storage class to use when creating the data storage volume.
    - accessMode (string: ReadWriteOnce) - Type of access mode of the storage device. See the official Kubernetes for more information.
  - auditStorage - This configures the volume used for storing Vault's audit logs. See the Vault documentation for more information.
    - enabled (boolean: true) - Enables a persistent volume to be created for storing Vault's audit logs.
    - size (string: 10Gi) - Size of the volume to be created for Vault's audit logs.
    - storageClass (string: null) - Name of the storage class to use when creating the audit storage volume.
    - accessMode (string: ReadWriteOnce) - Type of access mode of the storage device.
  - dev - This configures dev mode for the Vault server.
    - enabled (boolean: false) - Enables dev mode for the Vault server. This mode is useful for experimenting with Vault without needing to unseal.
    Security Warning: Never, ever, ever run a "dev" mode server in production. It is insecure and will lose data on every restart (since it stores data in-memory). It is only made for development or experimentation.
  - standalone - This configures standalone mode for the Vault server.
    - enabled (boolean: true) - Enables standalone mode for the Vault server. This mode uses the file storage backend and requires a volume for persistence (dataStorage).
    - config (string: "{}") - A raw string of extra HCL or JSON configuration for Vault servers. This will be saved as-is into a ConfigMap that is read by the Vault servers. This can be used to add additional configuration that isn't directly exposed by the chart.
    # ExtraConfig values are formatted as a multi-line string: config: | api_addr = "http://POD_IP:8200" listener "tcp" { tls_disable = 1 address = "0.0.0.0:8200" } storage "file" { path = "/vault/data" }
    This can also be set using Helm's --set flag (vault-helm v0.1.0 and later), using the following syntax:
    --set server.standalone.config='{ listener "tcp" { address = "0.0.0.0:8200" }'
  - ha - This configures ha mode for the Vault server.
    - enabled (boolean: false) - Enables ha mode for the Vault server. This mode uses a highly available backend storage (such as Consul) to store Vault's data. By default this is configured to use Consul Helm. For a complete list of storage backends, see the Vault documentation.
    - replicas (int: 5) - The number of pods to deploy to create a highly available cluster of Vault servers.
    - updatePartition (int: 0) - If an updatePartition is specified, all Pods with an ordinal that is greater than or equal to the partition will be updated when the StatefulSet’s .spec.template is updated. If set to 0, this disables parition updates. For more information see the official Kubernetes documentation.
    - config (string: "{}") - A raw string of extra HCL or JSON configuration for Vault servers. This will be saved as-is into a ConfigMap that is read by the Vault servers. This can be used to add additional configuration that isn't directly exposed by the chart.
    # ExtraConfig values are formatted as a multi-line string: config: | ui = true api_addr = "http://POD_IP:8200" listener "tcp" { tls_disable = 1 address = "0.0.0.0:8200" } storage "consul" { path = "vault" address = "HOST_IP:8500" }
    This can also be set using Helm's --set flag (vault-helm v0.1.0 and later), using the following syntax:
    --set server.ha.config='{ listener "tcp" { address = "0.0.0.0:8200" }'
  - disruptionBudget - Values that configures the disruption budget policy. See the official Kubernetes documentation for more information.
    - enabled (boolean: true) - Enables disruption budget policy to limit the number of pods that are down simultaneously from voluntary disruptions.
    - maxUnavailable (int: null) - The maximum number of unavailable pods. By default, this will be automatically computed based on the server.replicas value to be (n/2)-1. If you need to set this to 0, you will need to add a --set 'server.disruptionBudget.maxUnavailable=0' flag to the helm chart installation command because of a limitation in the Helm templating language.
ui - Values that configure the Vault UI.
- enabled (boolean: false) - If true, the UI will be enabled. The UI will only be enabled on Vault servers. If server.enabled is false, then this setting has no effect. To expose the UI in some way, you must configure ui.service.
- serviceType (string: ClusterIP) - The service type to register. This defaults to ClusterIP. The available service types are documented on the Kubernetes website.
- serviceNodePort (int: null) - Sets the Node Port value when using serviceType: NodePort on the Vault UI service.
- externalPort (int: 8200) - Sets the external port value of the service.
- loadBalancerSourceRanges (string) - This value defines additional source CIDRs when using serviceType: LoadBalancer. This should be formatted as a multi-line string.
```
loadBalancerSourceRanges:
  - 10.0.0.0/16
  - 120.78.23.3/32
```
- loadBalancerIP (string) - This value defines the IP address of the load balancer when using serviceType: LoadBalancer.
- annotations (string) - This value defines additional annotations for the UI service. This should be a formatted as a multi-line string.
```
annotations: |
  "sample/annotation1": "foo"
  "sample/annotation2": "bar"
```