# Default values for vault-secrets-webhook.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
# Two replicas (plus the podDisruptionBudget below) keep the admission path
# reachable across rolling updates and node drains; with the fail-open
# failure policies further down, an unreachable webhook means objects are
# admitted without mutation rather than rejected.
replicaCount: 2
# Verbose logging. Keep false outside troubleshooting — what the debug output
# contains is not visible here, so treat it as potentially sensitive.
debug: false
# TLS for the webhook endpoint. The API server only calls admission webhooks
# over HTTPS and verifies the serving certificate against the CA it is given,
# so exactly one of the three sources below must be in place.
certificate:
  # Let cert-manager issue (and rotate) the serving certificate.
  # NOTE(review): presumably pairs with servingCertificate naming the
  # cert-manager resource — confirm against the templates.
  useCertManager: false
  servingCertificate: null
  # Have the chart generate a self-signed CA and serving certificate at
  # install time. NOTE(review): whether it is regenerated on every upgrade
  # is not visible from the values file.
  generate: true
  # Bring-your-own PEM material. Do not commit the private key to a values
  # file in version control — supply it from a separate, secret-managed
  # values file, or prefer useCertManager.
  server:
    tls:
      crt:
      key:
  ca:
    crt:
  # Extra SANs for the serving certificate. Required when the API server
  # reaches the webhook through an ingress or load balancer
  # (webhookClientConfig.useUrl), because it verifies the hostname in the URL.
  extraAltNames: []
image:
  repository: ghcr.io/bank-vaults/vault-secrets-webhook
  # Pinned release tag. Tags are mutable; where supply-chain policy requires
  # it, pin a digest (repository@sha256:...) if the template allows it, or
  # enforce signature verification in admission.
  tag: v1.20.0
  # IfNotPresent is fine with an immutable tag/digest; with a floating tag
  # nodes would keep running whatever image they had cached.
  pullPolicy: IfNotPresent
  imagePullSecrets: []
service:
  name: vault-secrets-webhook
  # ClusterIP is all the API server needs to reach the webhook. Only switch
  # to LoadBalancer/NodePort when webhookClientConfig.useUrl routes through
  # an external address, and then restrict who can reach it (security groups
  # via the annotations below, network policy).
  type: ClusterIP
  # Port exposed by the Service (presumably the one the
  # MutatingWebhookConfiguration targets).
  externalPort: 443
  # Port the webhook container listens on; non-privileged, so the container
  # needs neither root nor NET_BIND_SERVICE.
  internalPort: 8443
  annotations: {}
  # Annotate service
  # This can be used for example if type is AWS LoadBalancer and you want to add security groups
ingress:
  # Exposes the webhook outside the cluster network. Normally unnecessary —
  # the API server reaches the Service directly. Only enable for control
  # planes that cannot reach in-cluster Services, and pair it with
  # webhookClientConfig.useUrl and certificate.extraAltNames.
  enabled: false
  annotations: {}
  # dns of ingress for vault-webhook
  # host: example.com

webhookClientConfig:
  # By default the mutating webhook uses the service of the webhook directly to contact webhook
  # Use url if webhook should be contacted over loadbalancer or ingress instead of service object
  useUrl: false
  # set the url how the webhook should be contacted (including protocol https://)
  # The hostname must be covered by the serving certificate
  # (certificate.extraAltNames) and that certificate must chain to the CA the
  # API server trusts; plain http:// is rejected for admission webhooks.
  # url: https://example.com
# Image of the vault-env helper that is, presumably, injected into mutated
# pods (see the DEFAULT_IMAGE_PULL_SECRET_* and VAULT_ENV_* settings under
# env). The target namespaces must be able to pull it.
vaultEnv:
  repository: ghcr.io/bank-vaults/vault-env
  # NOTE(review): versioned separately from image.tag (v1.20.0) — keep the
  # two at versions known to work together.
  tag: v1.20.1
# Environment for the webhook container. NOTE(review): several VAULT_* values
# here appear to be forwarded into the injected vault-env init container (see
# the init-container resource settings below) — confirm against the templates.
env:
  # Env var names copied through to the injected container. Keep this list
  # minimal: everything listed becomes visible inside the mutated pod.
  VAULT_ENV_PASSTHROUGH: "VAULT_ADDR,VAULT_NAMESPACE,VAULT_PATH,VAULT_ROLE"
  # NOTE(review): presumably the Vault image used for injected helper
  # containers — confirm. The tag is mutable; pin a digest where policy
  # requires it.
  VAULT_IMAGE: vault:1.13.2
  # Directory holding the CA used to verify Vault's TLS endpoint; matches the
  # vault-tls volumeMounts example below.
  # VAULT_CAPATH: /vault/tls
  # # Used when the pod that should get secret injected does not
  # # specify an imagePullSecret
  # DEFAULT_IMAGE_PULL_SECRET:
  # DEFAULT_IMAGE_PULL_SECRET_NAMESPACE:
  # DEFAULT_IMAGE_PULL_SECRET_SERVICE_ACCOUNT:
  # Timeout for calls to the Vault API.
  VAULT_CLIENT_TIMEOUT: 30s
  # # define the webhook's role in Vault used for authentication,
  # # if not defined individually in resources by annotations.
  # VAULT_ROLE: vault-secrets-webhook
  # Resource requests and limits for init containers
  # VAULT_ENV_CPU_REQUEST:
  # VAULT_ENV_MEMORY_REQUEST:
  # VAULT_ENV_CPU_LIMIT:
  # VAULT_ENV_MEMORY_LIMIT:
  # VAULT_ENV_LOG_SERVER:
initContainers: []
## Containers, which are run before the app containers are started.
## Example — in practice pin the image to a specific tag or digest instead of
## the floating `busybox` shown here:
# - name: init-myservice
#   image: busybox
#   command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;']
metrics:
  enabled: true
  # Same port as service.internalPort, so metrics are presumably served by the
  # webhook's TLS listener (hence scheme: https below).
  port: 8443
  serviceMonitor:
    enabled: false
    scheme: https
    tlsConfig:
      # Prometheus does not verify the webhook's serving certificate. This is
      # the pragmatic default because the chart-generated certificate
      # (certificate.generate: true) is signed by a CA Prometheus does not
      # know, but it leaves the scrape with no server authentication. When
      # the certificate comes from cert-manager or a known CA, give that CA
      # to Prometheus via tlsConfig (e.g. ca / caFile) and set this to false.
      insecureSkipVerify: true
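# Container-level securityContext for the webhook container.
# NOTE(review): assumes the template passes this map through verbatim
# (toYaml); confirm before relying on the added fields.
securityContext:
  # nobody/nogroup. The webhook listens on 8443 (service.internalPort), so it
  # needs neither root nor a privileged port.
  runAsUser: 65534
  # Make the non-root requirement explicit: the kubelet refuses to start the
  # container as UID 0 even if runAsUser is overridden away.
  runAsNonRoot: true
  allowPrivilegeEscalation: false
  # Drop every Linux capability; binding 8443 does not need NET_BIND_SERVICE.
  # Re-add individual capabilities only if the container proves to need one.
  capabilities:
    drop:
      - ALL
  # Further hardening to enable once confirmed compatible with the image:
  # readOnlyRootFilesystem: true   # only if the container writes nothing to its rootfs
  # seccompProfile:
  #   type: RuntimeDefault         # requires Kubernetes 1.19+

podSecurityContext: {}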
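# Extra volumes/mounts for the webhook container — typically the CA used to
# verify Vault's TLS endpoint (see env.VAULT_CAPATH).
volumes: []
# - name: vault-tls
#   secret:
#     secretName: vault-tls

volumeMounts: []
# - name: vault-tls
#   mountPath: /vault/tls

podAnnotations: {}

labels: {}
# team: banzai

# No requests/limits by default. Set them in production so a misbehaving
# webhook cannot starve the node and so the pod gets a non-BestEffort QoS
# class (it sits on the admission path of every mutated resource).
resources: {}

nodeSelector: {}

tolerations: []

affinity: {}

# The Kubernetes field is a list, so the empty default is a list too: with a
# map default ({}), Helm warns "cannot overwrite table with non table" when a
# user supplies the list form.
topologySpreadConstraints: []

## Assign a PriorityClassName to pods if set
## (a high-priority class helps keep the admission path up under eviction pressure)
priorityClassName: ""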
rbac:
  psp:
    # PodSecurityPolicy is removed from Kubernetes 1.25+; leave this off on
    # current clusters and rely on Pod Security Admission or a policy engine.
    enabled: false
  authDelegatorRole:
    # NOTE(review): presumably binds system:auth-delegator (TokenReview /
    # SubjectAccessReview) to the webhook's service account so Vault's
    # Kubernetes auth can validate tokens through it — enable only if your
    # Vault auth setup needs it; it is a cluster-wide grant.
    enabled: false
serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Labels to add to the service account
  labels: {}
  # Annotations to add to the service account
  annotations: {}
    # Enables GKE workload identity, i.e. gives the webhook pod the IAM
    # identity of the named Google service account — scope that account to
    # what the webhook needs (presumably only Vault access).
    # iam.gke.io/gcp-service-account: SA_NAME@PROJECT_ID.iam.gserviceaccount.com
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""
deployment:
  # Strategy for the deployment
  strategy: {}

# A list of Kubernetes resource types to mutate as well:
# Example: ["ingresses", "servicemonitors"]
customResourceMutations: []
customResourcesFailurePolicy: Ignore

# Mutate ConfigMaps too. Enabled by default here, but it can interfere with
# Helm (the live ConfigMap no longer matches what Helm rendered); set to
# false if that bites.
configMapMutation: true
# Whether to mutate Secrets with values from Vault. Set to false in order to prevent secret values from being persisted in Kubernetes
# (a mutated Secret is stored like any other Secret, so anyone who can read
# Secrets in that namespace gets the Vault value).
secretsMutation: true
# Failure policies. "Ignore" is fail-open: when the webhook is unreachable or
# times out (see timeoutSeconds) the object is admitted unmutated, so a pod
# may start with its Vault references unresolved (presumably crashing or
# seeing the raw reference string). "Fail" is fail-closed and safer for
# secrets, but then keep the webhook's own namespace — and kube-system, see
# namespaceSelector — out of scope so an outage cannot block its own recovery.
configMapFailurePolicy: Ignore
podsFailurePolicy: Ignore
secretsFailurePolicy: Ignore
# Tells the API server the webhook may have side effects on a real call but
# none on dry-run, which is what lets dry-run requests be sent to it.
apiSideEffectValue: NoneOnDryRun
# Namespaces the webhook is invoked for. Both expressions exclude kube-system
# so control-plane add-ons never depend on this webhook being up.
namespaceSelector:
  matchExpressions:
    # Only matches namespaces that carry a manually applied `name` label;
    # kept for clusters where the automatic label below is not present.
    - key: name
      operator: NotIn
      values:
        - kube-system
    # Set automatically by the API server on every namespace, see
    # https://kubernetes.io/docs/reference/labels-annotations-taints/#kubernetes-io-metadata-name
    - key: kubernetes.io/metadata.name
      operator: NotIn
      values:
        - kube-system
  # Opt-in alternative: only mutate in explicitly labelled namespaces.
  # matchLabels:
  #   vault-injection: enabled

# objectSelector requires Kubernetes 1.15+.
objectSelector: {}
  # Opt-out per object:
  # matchExpressions:
  # - key: security.banzaicloud.io/mutate
  #   operator: NotIn
  #   values:
  #   - skip
  # Or opt-in per object:
  # matchLabels:
  #   vault-injection: enabled
# Per-resource objectSelector & namespaceSelector overrides (each overrides the
# global `objectSelector` for that resource; an empty map presumably falls
# back to the global selectors). Requires K8s 1.15+.
secrets:
  objectSelector: {}
  namespaceSelector: {}
pods:
  objectSelector: {}
  namespaceSelector: {}
configMaps:
  objectSelector: {}
  namespaceSelector: {}
customResources:
  objectSelector: {}
  namespaceSelector: {}
podDisruptionBudget:
  enabled: true
  # With replicaCount: 2 this lets one pod be evicted at a time. If you run a
  # single replica, minAvailable: 1 blocks node drains entirely.
  minAvailable: 1
  # maxUnavailable: 1

# Admission request timeout. NOTE(review): `false` appears to mean "let the
# template omit the field" (API server default of 10s); the Kubernetes field
# itself is an integer in seconds (1-30). Set an integer to override.
timeoutSeconds: false

# Sharing the node network namespace exposes the webhook port on the node IP
# and fails the baseline Pod Security Standard; keep false unless the CNI
# genuinely requires it.
hostNetwork: false
# If you're using cilium (CNI) and you are required to set hostNetwork to true
# then pods with webhooks must set the dnsPolicy to "ClusterFirstWithHostNet"
dnsPolicy: ""

# Override the Kubernetes version the chart detects (used, presumably, to
# gate version-dependent features such as the selectors above)
kubeVersion: ""