A configuration Helm chart to set up Vault within Kubernetes using the Bank Vaults Vault Operator. It renders any number of Vault custom resource objects that the Bank Vaults operator will use to install instances of Vault.
The provided examples demonstrate setting up Vault with the following characteristics:
- TLS enabled for all traffic
- Integrated Storage (raft)
- Raft cluster auto discover / joining using K8s service discovery
- Vault Engine install
- Vault Policy install
- Vault Auth method install
The chart data structure uses an array of Vault configuration blocks plus a default block. This allows for installing any number of distinct Vault instances.
To see configuration samples and references, check the Bank Vaults Operator repo.
All defaults are overridable in the `vaults` array elements.
```yaml
vaultOperator:
  defaults:
    apiVersion: "vault.banzaicloud.com/v1alpha1"
    bankVaultsImage: ghcr.io/bank-vaults/bank-vaults:latest
    # Explicitly set namespace
    # or let it pick it up from helm install
    # namespace: "vault"
    size: 1
    version: "1.15.4"
    istioEnabled: false
    serviceAccount: "vault-sa"
    serviceMonitorEnabled: false
    serviceRegistrationEnabled: false
    serviceType: ClusterIP
    statsdDisabled: true
    veleroEnabled: false
    vaultEnvsConfig:
      - name: POD_NAMESPACE
        valueFrom:
          fieldRef:
            fieldPath: metadata.namespace
```
```yaml
vaultOperator:
  vaults:
    - name: "vault01"
      size: 3
      version: "1.15.4"
      namespace: altvault
      caNamespaces:
        - "*"
    - name: "vault02"
      size: 1
      version: "1.14.4"
      namespace: "testvault"
```
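As an added illustration that is not part of the chart's own templates, the following Python shows the effect of the "all defaults are overridable" rule: each `vaults[]` element is shallow-merged over the `defaults` block and turned into a Vault custom resource, so the rendered output for every instance can be reviewed before it is applied. The spec keys are the ones listed in the values excerpt above; the mapping of `version` to a `hashicorp/vault` image tag and the fallback to the Helm release namespace are assumptions made for this example.

```python
"""Merge the chart's `vaultOperator.defaults` block into each
`vaultOperator.vaults[]` element and build the resulting Vault CR.
Illustrative only; not the chart's own Helm templates."""
import copy
import json

# Constructed sample values, mirroring the values.yaml excerpt in the README.
DEFAULTS = {
    "apiVersion": "vault.banzaicloud.com/v1alpha1",
    "bankVaultsImage": "ghcr.io/bank-vaults/bank-vaults:latest",
    "size": 1,
    "version": "1.15.4",
    "istioEnabled": False,
    "serviceAccount": "vault-sa",
    "serviceMonitorEnabled": False,
    "serviceRegistrationEnabled": False,
    "serviceType": "ClusterIP",
    "statsdDisabled": True,
    "veleroEnabled": False,
    "vaultEnvsConfig": [
        {"name": "POD_NAMESPACE",
         "valueFrom": {"fieldRef": {"fieldPath": "metadata.namespace"}}}
    ],
}

VAULTS = [
    {"name": "vault01", "size": 3, "version": "1.15.4",
     "namespace": "altvault", "caNamespaces": ["*"]},
    {"name": "vault02", "size": 1, "version": "1.14.4",
     "namespace": "testvault"},
]

# Chart-level inputs that are consumed here rather than copied into spec.
NON_SPEC_KEYS = {"apiVersion", "name", "namespace", "version"}


def merge_vault(defaults, entry, release_namespace):
    """Shallow merge: any key present in the array element wins over defaults."""
    merged = copy.deepcopy(defaults)
    merged.update(copy.deepcopy(entry))
    if "name" not in merged:
        raise ValueError("each vaults[] element needs a name")
    # Assumption: an unset namespace falls back to the Helm release namespace,
    # as the commented-out `namespace:` line in the defaults suggests.
    merged.setdefault("namespace", release_namespace)
    return merged


def render_vault_cr(defaults, entry, release_namespace="vault"):
    """Build one Vault custom resource from the merged block.
    Assumption (not stated by the chart): `version` is used as the tag of the
    hashicorp/vault image."""
    m = merge_vault(defaults, entry, release_namespace)
    spec = {k: v for k, v in m.items() if k not in NON_SPEC_KEYS}
    spec["image"] = f"hashicorp/vault:{m['version']}"
    return {
        "apiVersion": m["apiVersion"],
        "kind": "Vault",
        "metadata": {"name": m["name"], "namespace": m["namespace"]},
        "spec": spec,
    }


def render_all(defaults=DEFAULTS, vaults=VAULTS, release_namespace="vault"):
    """Render one CR per array element, in the order given."""
    return [render_vault_cr(defaults, v, release_namespace) for v in vaults]


if __name__ == "__main__":
    for cr in render_all():
        print(json.dumps(cr, indent=2))
```

Reviewing the merged output side by side is the useful part: it makes per-instance differences explicit, for example that only `vault01` carries `caNamespaces: ["*"]` while both instances share the default `serviceAccount` unless one of them overrides it.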
The Bank Vaults operator supports creating a single ingress. This chart supports that configuration; in addition, it can create any number of native K8s Ingress objects and/or Istio VirtualService objects.
See the ingress and istio sample files.
```yaml
vaultOperator:
  networks:
    ingress:
      - name: vault-public
        labels: []
        annotations: []
        spec: {}
      - name: vault-internal
        labels: []
        annotations: []
        spec: {}
    vservice:
      - name: vault-public
        labels: []
        annotations: []
      - name: vault-internal
        labels: []
        annotations: []
        spec: {}
```