Important Note: This chart is not compatible with Helm 2. Please use Helm 3 with this chart.
The chart is highly customizable using Helm configuration values. Each value has a default tuned for an optimal getting started experience with Vault. Before going into production, please review the parameters below and consider if they're appropriate for your deployment.
global - These global values affect multiple components of the chart.
(boolean: true) - The master enabled/disabled configuration. If this is true, most components will be installed by default. If this is false, no components will be installed by default and manually opting in is required, such as by setting
(string: "") - Defines secrets to be used when pulling images from private registries.
(string: required) - Name of the secret containing files required for authentication to private image registries.
(boolean: true) - When set to `true`, changes URLs from `http` (such as the `VAULT_ADDR=http://127.0.0.1:8200` environment variable set on the Vault pods).
injector - Values that configure running a Vault Agent Injector Admission Webhook Controller within Kubernetes.
(boolean: true) - When set to `true`, the Vault Agent Injector Admission Webhook controller will be created.
(string: "") - External Vault server address for the injector to use. Setting this will disable deployment of the Vault server, and only deploy the injector.
image - Values that configure the Vault Agent Injector Docker image.
(string: "hashicorp/vault-k8s") - The name of the Docker image for the Vault Agent Injector.
(string: "0.2.0") - The tag of the Docker image for the Vault Agent Injector. This should be pinned to a specific version when running in production. Otherwise, other changes to the chart may inadvertently upgrade your admission controller.
(string: "IfNotPresent") - The pull policy for container images. The default pull policy is `IfNotPresent`, which causes the Kubelet to skip pulling an image if it already exists.
agentImage - Values that configure the Vault Agent sidecar image.
(string: "") - The resource requests and limits (CPU, memory, etc.) for each of the pods. This should be a multi-line string mapping directly to a Kubernetes ResourceRequirements object. If this isn't specified, then the pods won't request any specific amount of resources. Setting this is highly recommended.

```yaml
# Resources are defined as a formatted multi-line string:
resources: |
  requests:
    memory: "10Gi"
  limits:
    memory: "10Gi"
```
(string: "") - The selector used by the admission webhook controller to limit the namespaces where injection can happen. If set to null, all non-system namespaces are eligible for injection.

```yaml
# Selectors are defined as a formatted multi-line string.
# In this example, all namespaces with the label "injection: enabled" are eligible:
namespaceSelector: |
  matchLabels:
    injection: enabled
```
certs - The certs section configures how the webhook TLS certs are configured. These are the TLS certs for the Kube apiserver communicating to the webhook. By default, the injector will generate and manage its own certs, but this requires the ability for the injector to update its own `MutatingWebhookConfiguration`. In a production environment, custom certs should probably be used. Configure the values below to enable this.
(string: "") - secretName is the name of the Kubernetes secret that has the TLS certificate and private key to serve the injector webhook. If this is null, then the injector will default to its automatic management mode.
(string: "") - The PEM-encoded CA public certificate bundle for the TLS certificate served by the injector. This must be specified as a string and can't come from a secret because it must be statically configured on the Kubernetes `MutatingAdmissionWebhook` resource. This only needs to be specified if `secretName` is not null.
(string: "tls.crt") - The name of the certificate file within the
(string: "tls.key") - The name of the key file within the
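The injector section above carries several production cautions (pin the image tag, set resources, restrict the namespace selector, prefer custom webhook certs with a static CA bundle). The following audit script is an added example, not part of the chart or its documentation: it walks a parsed values file and reports each deviation. It assumes the chart's real key layout (`injector.image.tag`, `injector.resources`, `injector.namespaceSelector`, `injector.certs.secretName`, `injector.certs.caBundle`), and both sample value sets are constructed for illustration; the PEM body in the production sample is a placeholder, not a real certificate.

```python
import re
from typing import Any, Dict, List

# Added example, not chart code. Key names assume the real chart layout
# (injector.image.tag, injector.resources, injector.namespaceSelector,
# injector.certs.*); sample values below are constructed, not captured.

PINNED_TAG = re.compile(r"^v?\d+\.\d+\.\d+")


def get_value(values: Dict[str, Any], path: str, default: Any = None) -> Any:
    """Walk a dotted Helm path such as 'injector.certs.secretName'."""
    node: Any = values
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def _blank(value: Any) -> bool:
    return value is None or not str(value).strip()


def audit_injector(values: Dict[str, Any]) -> List[str]:
    """Return one finding per deviation from the injector production guidance."""
    findings: List[str] = []
    if not get_value(values, "injector.enabled", True):
        return findings  # nothing is deployed, so nothing to audit

    tag = get_value(values, "injector.image.tag", "")
    if _blank(tag) or not PINNED_TAG.match(str(tag)):
        findings.append("injector.image.tag is not pinned to a release version; "
                        "chart changes may inadvertently upgrade the admission controller")

    if _blank(get_value(values, "injector.resources")):
        findings.append("injector.resources is empty; the injector pod runs without "
                        "requests or limits")

    if _blank(get_value(values, "injector.namespaceSelector")):
        findings.append("injector.namespaceSelector is null; every non-system namespace "
                        "is eligible for injection")

    if _blank(get_value(values, "injector.certs.secretName")):
        findings.append("injector.certs.secretName is null; the injector manages its own certs "
                        "and needs permission to update its MutatingWebhookConfiguration")
    else:
        ca_bundle = get_value(values, "injector.certs.caBundle")
        if _blank(ca_bundle):
            findings.append("injector.certs.caBundle is empty although secretName is set; "
                            "the apiserver has no CA to verify the webhook certificate")
        elif "-----BEGIN CERTIFICATE-----" not in str(ca_bundle):
            findings.append("injector.certs.caBundle is not a PEM certificate bundle; it must "
                            "be the literal PEM text, not a secret reference")
    return findings


# Constructed sample: the getting-started shape, but with an unpinned tag.
GETTING_STARTED_VALUES: Dict[str, Any] = {
    "injector": {
        "enabled": True,
        "image": {"repository": "hashicorp/vault-k8s", "tag": "latest", "pullPolicy": "IfNotPresent"},
        "resources": "",
        "namespaceSelector": "",
        "certs": {"secretName": "", "caBundle": "", "certName": "tls.crt", "keyName": "tls.key"},
    }
}

# Constructed sample: the same injector hardened for production. PEM body is a placeholder.
PRODUCTION_VALUES: Dict[str, Any] = {
    "injector": {
        "enabled": True,
        "image": {"repository": "hashicorp/vault-k8s", "tag": "0.2.0", "pullPolicy": "IfNotPresent"},
        "resources": "requests:\n  memory: \"256Mi\"\nlimits:\n  memory: \"256Mi\"\n",
        "namespaceSelector": "matchLabels:\n  injection: enabled\n",
        "certs": {
            "secretName": "vault-injector-tls",
            "caBundle": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
            "certName": "tls.crt",
            "keyName": "tls.key",
        },
    }
}

if __name__ == "__main__":
    for name, values in (("getting-started", GETTING_STARTED_VALUES), ("production", PRODUCTION_VALUES)):
        findings = audit_injector(values)
        print(f"{name}: {len(findings)} finding(s)")
        for line in findings:
            print("  -", line)
```

The checks deliberately treat a null `secretName` as a finding rather than an error: the automatic mode works, but it grants the injector write access to its own webhook configuration, which is the trade-off the certs section describes.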
ui - Values that configure the Vault UI.
(boolean: false) - If true, the UI will be enabled. The UI will only be enabled on Vault servers. If `server.enabled` is false, then this setting has no effect. To expose the UI in some way, you must configure
(int: null) - Sets the Node Port value when using `serviceType: NodePort` on the Vault UI service.
(int: 8200) - Sets the external port value of the service.
(string) - This value defines additional source CIDRs when using `serviceType: LoadBalancer`. This should be formatted as a multi-line string.

```yaml
loadBalancerSourceRanges:
  - 10.0.0.0/16
  - 126.96.36.199/32
```
(string) - This value defines the IP address of the load balancer when using
(string) - This value defines additional annotations for the UI service. This should be formatted as a multi-line string.

```yaml
annotations: |
  "sample/annotation1": "foo"
  "sample/annotation2": "bar"
```
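Exposing the UI through a `LoadBalancer` or `NodePort` service is where a values file most often leaks a Vault endpoint beyond the intended network. The script below is an added example, not part of the chart or its documentation: it audits the `ui` section described above, accepts `loadBalancerSourceRanges` either as a YAML list or as the multi-line string form shown in the docs, and flags an unrestricted load balancer, an all-zero CIDR, a malformed CIDR, a NodePort outside the Kubernetes default range, and a UI that is enabled while `server.enabled` is false. It assumes the chart's real key names (`ui.enabled`, `ui.serviceType`, `ui.serviceNodePort`, `ui.loadBalancerSourceRanges`, `server.enabled`) and that the service type defaults to `ClusterIP`; all sample values are constructed.

```python
import ipaddress
from typing import Any, Dict, List

# Added example, not chart code. Assumes the real chart keys (ui.enabled,
# ui.serviceType, ui.serviceNodePort, ui.loadBalancerSourceRanges,
# server.enabled) and a ClusterIP default; sample values are constructed.

NODEPORT_RANGE = range(30000, 32768)  # Kubernetes default --service-node-port-range


def _section(values: Dict[str, Any], name: str) -> Dict[str, Any]:
    section = values.get(name)
    return section if isinstance(section, dict) else {}


def parse_source_ranges(raw: Any) -> List[str]:
    """Accept a YAML list or the multi-line '- cidr' string form used in the docs."""
    if raw is None:
        return []
    if isinstance(raw, list):
        return [str(item).strip() for item in raw if str(item).strip()]
    entries: List[str] = []
    for line in str(raw).splitlines():
        line = line.strip().lstrip("-").strip()
        if line:
            entries.append(line)
    return entries


def audit_ui_service(values: Dict[str, Any]) -> List[str]:
    """Return one finding per risky or ineffective UI exposure setting."""
    findings: List[str] = []
    ui = _section(values, "ui")
    if not ui.get("enabled", False):
        return findings  # UI disabled: nothing is exposed
    if not _section(values, "server").get("enabled", True):
        findings.append("ui.enabled is true but server.enabled is false; the setting has no effect")
        return findings

    service_type = str(ui.get("serviceType", "ClusterIP"))
    if service_type == "NodePort":
        port = ui.get("serviceNodePort")
        if port is not None and int(port) not in NODEPORT_RANGE:
            findings.append(f"ui.serviceNodePort {port} is outside the default NodePort range 30000-32767")
    elif service_type == "LoadBalancer":
        ranges = parse_source_ranges(ui.get("loadBalancerSourceRanges"))
        if not ranges:
            findings.append("serviceType is LoadBalancer with no loadBalancerSourceRanges; "
                            "the UI is reachable from any source the load balancer accepts")
        for cidr in ranges:
            try:
                network = ipaddress.ip_network(cidr)  # strict: rejects host bits set
            except ValueError:
                findings.append(f"loadBalancerSourceRanges entry {cidr!r} is not a valid CIDR "
                                "(or has host bits set)")
                continue
            if network.prefixlen == 0:
                findings.append(f"loadBalancerSourceRanges entry {cidr} admits every address")
    return findings


# Constructed samples (not captured from a cluster); 192.0.2.0/24 is documentation space.
OPEN_LB_VALUES: Dict[str, Any] = {
    "server": {"enabled": True},
    "ui": {"enabled": True, "serviceType": "LoadBalancer"},
}
RESTRICTED_LB_VALUES: Dict[str, Any] = {
    "server": {"enabled": True},
    "ui": {"enabled": True, "serviceType": "LoadBalancer",
           "loadBalancerSourceRanges": "- 10.0.0.0/16\n- 192.0.2.10/32\n"},
}
BAD_NODEPORT_VALUES: Dict[str, Any] = {
    "ui": {"enabled": True, "serviceType": "NodePort", "serviceNodePort": 8200},
}

if __name__ == "__main__":
    for name, values in (("open-lb", OPEN_LB_VALUES), ("restricted-lb", RESTRICTED_LB_VALUES),
                         ("bad-nodeport", BAD_NODEPORT_VALUES)):
        print(name, audit_ui_service(values))
```

`parse_source_ranges` strips the leading `- ` of each line so the same check works whether the value arrives as a real YAML list or as the literal block string the chart renders into the Service.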