Add vault-operator

Jonny Ervine 2023-10-06 21:32:19 +08:00
parent 494a256132
commit 75d720a37a
14 changed files with 10326 additions and 0 deletions

@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj

14
vault-operator/Chart.yaml Normal file

@ -0,0 +1,14 @@
apiVersion: v2
appVersion: 1.19.0
description: A Helm chart for banzaicloud/bank-vaults Vault operator
home: https://banzaicloud.com/products/bank-vaults/
icon: https://raw.githubusercontent.com/banzaicloud/bank-vaults/main/docs/images/logo/bank-vaults-logo.svg
maintainers:
- email: info@banzaicloud.com
name: Banzai Cloud
name: vault-operator
sources:
- https://github.com/hashicorp/vault
- https://github.com/banzaicloud/bank-vaults
type: application
version: 1.19.0

112
vault-operator/README.md Normal file

@ -0,0 +1,112 @@
# Vault Operator Helm Chart
This directory contains a Kubernetes Helm chart to deploy the Banzai Cloud Vault Operator.
## Prerequisites Details
* Kubernetes 1.6+
* Helm 3
## Chart Details
This chart will do the following:
* Install the Vault operator
Please note that a backend service for Vault (for example, Consul) must
be deployed beforehand and configured with the `vault.config` option. YAML
provided under this option will be converted to JSON for the final vault
`config.json` file.
> See https://github.com/banzaicloud/bank-vaults/tree/main/operator for more information on the Operator
> See https://www.vaultproject.io/docs/configuration/ for more information on storage options for Vault.
## Installing the Chart
### Fresh install
To install the chart on a fresh cluster, use the following:
```bash
helm repo add banzaicloud-stable https://kubernetes-charts.banzaicloud.com
helm upgrade --install vault-operator banzaicloud-stable/vault-operator
```
**Please note that the etcd-operator has been deprecated for a long time (chart and code as well), and the last version of the chart is not installable on Kubernetes 1.22 and onwards. We don't offer any kind of support for etcd-operator and automated etcd installations from now.**
### Helm2 -> Helm3 migration
If you have installed the chart with Helm 2 and now you are trying to upgrade it with Helm3 you have to be careful because Helm 3 will delete the Vault CRD from your cluster during the upgrade from Helm 2 (see https://github.com/helm/helm/issues/7279). To avoid that follow these steps:
```bash
# Make sure you are using Helm 3
helm version
# version.BuildInfo{Version:"v3.3.4", GitCommit:"a61ce5633af99708171414353ed49547cf05013d", GitTreeState:"clean", GoVersion:"go1.14.9"}
# Get the latest vault-operator chart
helm repo add banzaicloud-stable https://kubernetes-charts.banzaicloud.com
helm repo update
# Delete all Helm2 releases of the vault-operator manually wit kubectl to keep the resources in the cluster
kubectl delete configmaps -n kube-system vault-operator.v1
# Delete all resources except the Vault CRD
helm template vault-operator banzaicloud-stable/vault-operator | kubectl delete -f -
# Install the new Helm3 version of the chart
helm upgrade --install vault-operator banzaicloud-stable/charts/vault-operator
```
## Configuration
The following table lists the configurable parameters of the vault chart and their default values.
| Parameter | Description | Default |
| ---------------------------- | -------------------------------------------------------- | ---------------------------- |
| `image.pullPolicy` | Container pull policy | `IfNotPresent` |
| `image.repository` | Container image to use | `banzaicloud/vault-operator` |
| `image.bankVaultsRepository` | Container image to use for Bank-Vaults | `banzaicloud/bank-vaults` |
| `image.tag` | Container image tag to deploy operator in | `.Chart.AppVersion` |
| `image.bankVaultsTag` | Container image tag to deploy bank-vaults in | `.Chart.AppVersion` |
| `image.imagePullSecrets` | Image pull secrets for private repositories | `[]` |
| `replicaCount` | k8s replicas | `1` |
| `resources.requests.cpu` | Container requested CPU | `100m` |
| `resources.requests.memory` | Container requested memory | `128Mi` |
| `resources.limits.cpu` | Container CPU limit | `100m` |
| `resources.limits.memory` | Container memory limit | `256Mi` |
| `crdAnnotations` | Annotations for the Vault CRD | `{}` |
| `securityContext` | Container security context for vault-operator deployment | `{}` |
| `podSecurityContext` | Pod security context for vault-operator deployment | `{}` |
| `psp.enabled` | Deploy PSP resources | `false` |
| `psp.vaultSA` | Used service account for vault | `vault` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
## Using Vault Operator
To deploy different Vault configurations (single node, HA, with AWS unsealing, with etcd backend, ...) see: https://github.com/banzaicloud/bank-vaults/tree/main/operator/deploy for more examples.
```bash
kubectl apply -f https://raw.githubusercontent.com/banzaicloud/bank-vaults/main/operator/deploy/rbac.yaml
kubectl apply -f https://raw.githubusercontent.com/banzaicloud/bank-vaults/main/operator/deploy/cr-raft.yaml
```
Once the Vault pods are ready (in HA setup always one is ready), it can be accessed using a `kubectl port-forward`:
```bash
$ kubectl port-forward vault-pod 8200
$ export VAULT_ADDR=https://127.0.0.1:8200
$ export VAULT_SKIP_VERIFY=true
$ vault status
```
Using as a subchart in helm v2 requires that the CRD be installed first. You can accomplish this by setting crdAnnotations as follows.
```yaml
vault-operator:
crdAnnotations:
"helm.sh/hook": crd-install
```
## Credits
Thanks to Cosmin Cojocar for the original Vault Operator Helm chart!
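
Review bot: the Configuration table lists `image.repository` as `banzaicloud/vault-operator` and `image.bankVaultsRepository` as `banzaicloud/bank-vaults`, but the values files added in this commit default both to `ghcr.io/banzaicloud/...`; please align the table with the shipped defaults. In the Helm 2 migration block the last command installs `banzaicloud-stable/charts/vault-operator` while the fresh-install command uses `banzaicloud-stable/vault-operator`, and the comment above `kubectl delete configmaps` has a typo ("wit"). The port-forward example exports `VAULT_SKIP_VERIFY=true`, which turns off TLS certificate verification for the Vault CLI; say that it is for local testing only, or show `VAULT_CACERT` pointing at the CA instead.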

9498
vault-operator/crds/crd.yaml Normal file

File diff suppressed because it is too large

@ -0,0 +1,77 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "vault-operator.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "vault-operator.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "vault-operator.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Overrideable version for container image tags.
*/}}
{{- define "vault-operator.vault-operator.version" -}}
{{- .Values.image.tag | default (printf "%s" .Chart.AppVersion) -}}
{{- end -}}
{{- define "vault-operator.bank-vaults.version" -}}
{{- .Values.image.bankVaultsTag | default (printf "%s" .Chart.AppVersion) -}}
{{- end -}}
{{/*
Image pull secrets
*/}}
{{- define "vault-operator.imagePullSecrets" -}}
{{- if .Values.global }}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- else if .Values.image.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.image.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end -}}
{{- else if .Values.image.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.image.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end -}}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "vault-operator.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "vault-operator.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
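
Review bot: in `vault-operator.imagePullSecrets` the block that ranges over `.Values.image.imagePullSecrets` is written out twice, once inside `if .Values.global` and once in the outer `else if`, so any later change has to be made in two places. Pick the list once (global first, then image) and range over it a single time. The entries are also emitted unquoted as `- name: {{ . }}`; piping through `quote` keeps a purely numeric or otherwise YAML-significant secret name a string.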

@ -0,0 +1,97 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "vault-operator.fullname" . }}
labels:
helm.sh/chart: {{ include "vault-operator.chart" . }}
app.kubernetes.io/name: {{ include "vault-operator.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Values.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
strategy:
type: Recreate
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "vault-operator.name" . }}
template:
metadata:
labels:
app.kubernetes.io/name: {{ include "vault-operator.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- with .Values.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ include "vault-operator.vault-operator.version" . }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- vault-operator
- -sync_period
- {{ .Values.syncPeriod }}
env:
- name: WATCH_NAMESPACE
value: {{ .Values.watchNamespace | quote }}
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: OPERATOR_NAME
value: {{ include "vault-operator.name" . }}
- name: OPERATOR_LOG_LEVEL
value: debug
- name: BANK_VAULTS_IMAGE
value: "{{ .Values.image.bankVaultsRepository }}:{{ include "vault-operator.bank-vaults.version" . }}"
ports:
- containerPort: {{ .Values.service.internalPort }}
- containerPort: 8383
{{- with .Values.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
livenessProbe:
httpGet:
path: "/"
port: {{ .Values.service.internalPort }}
initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
successThreshold: {{ .Values.livenessProbe.successThreshold }}
timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
readinessProbe:
httpGet:
path: "/ready"
port: {{ .Values.service.internalPort }}
periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
successThreshold: {{ .Values.readinessProbe.successThreshold }}
timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
affinity:
{{- toYaml .Values.affinity | nindent 8 }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "vault-operator.serviceAccountName" . }}
terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
{{- include "vault-operator.imagePullSecrets" . | indent 6 }}
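
Review bot: `OPERATOR_LOG_LEVEL` is hard-coded to `debug` in the container `env`, so every install of an operator that works with Vault configuration and Secrets logs at debug level with no way to lower it from values. Expose it as a value (for example a `logLevel` key, a hypothetical name) with a quieter default. Also, `- {{ .Values.syncPeriod }}` is rendered unquoted while `WATCH_NAMESPACE` uses `| quote`; quote it too so a value such as `60` stays a string in the `command` list. `affinity:` is emitted unconditionally, unlike `tolerations` and `nodeSelector`, which are wrapped in `with`.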

@ -0,0 +1,69 @@
{{- if .Values.psp.enabled }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ include "vault-operator.fullname" . }}
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
privileged: false
allowPrivilegeEscalation: false
requiredDropCapabilities:
- ALL
volumes:
- 'configMap'
- 'secret'
- 'downwardAPI'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: false
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ .Values.psp.vaultSA }}
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
privileged: true
allowPrivilegeEscalation: true
allowedCapabilities:
- IPC_LOCK
- SETFCAP
volumes:
- 'configMap'
- 'emptyDir'
- 'secret'
- 'downwardAPI'
- 'persistentVolumeClaim'
- 'projected'
hostNetwork: false
hostIPC: true
hostPID: true
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
fsGroup:
rule: 'RunAsAny'
readOnlyRootFilesystem: false
{{- end }}
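
Review bot: the second policy (named from `.Values.psp.vaultSA`) sets `privileged: true`, `hostIPC: true` and `hostPID: true` with `RunAsAny` for user and groups, which grants far more than the `IPC_LOCK` and `SETFCAP` entries under `allowedCapabilities` suggest is needed; a pod admitted as privileged already has every capability, so that list constrains nothing. If the Vault pods only need those two capabilities, set `privileged: false` and the host namespace flags to `false`, and keep `allowedCapabilities`. Separately, both objects use `policy/v1beta1` `PodSecurityPolicy`, which was removed in Kubernetes 1.25, so `psp.enabled: true` cannot apply on current clusters; gate the template on `.Capabilities.APIVersions.Has` the way the OpenShift Route rule in the ClusterRole is gated.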

@ -0,0 +1,125 @@
{{- if .Values.serviceAccount.create -}}
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "vault-operator.fullname" . }}
labels:
helm.sh/chart: {{ include "vault-operator.chart" . }}
rules:
- apiGroups:
- vault.banzaicloud.com
resources:
- "*"
verbs:
- "*"
- apiGroups:
- ""
resources:
- events
- pods
- services
- configmaps
- secrets
verbs:
- "*"
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- list
- watch
- apiGroups:
- apps
- extensions
resources:
- replicasets
verbs:
- get
- apiGroups:
- apps
- extensions
resources:
- deployments
- deployments/finalizers
- statefulsets
verbs:
- "*"
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1/Route" }}
- apiGroups:
- route.openshift.io
resources:
- routes
- routes/custom-host
verbs:
- list
- get
- create
- update
- watch
{{- end }}
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses
verbs:
- list
- get
- create
- update
- watch
- apiGroups:
- monitoring.coreos.com
resources:
- servicemonitors
verbs:
- update
- list
- get
- create
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- "*"
{{- end }}
{{- if .Values.psp.enabled }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: psp:{{ include "vault-operator.fullname" . }}
rules:
- apiGroups:
- policy
resourceNames:
- {{ include "vault-operator.fullname" . }}
resources:
- podsecuritypolicies
verbs:
- use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: psp:{{ .Values.psp.vaultSA }}
rules:
- apiGroups:
- policy
resourceNames:
- {{ .Values.psp.vaultSA }}
resources:
- podsecuritypolicies
verbs:
- use
{{- end }}
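
Review bot: the rule for the core API group grants `"*"` verbs on `secrets`, `pods`, `services`, `configmaps` and `events` in a ClusterRole, and the binding added in this commit is a ClusterRoleBinding, so the operator's service account can read, modify and delete every Secret in every namespace even when `watchNamespace` limits what it reconciles. List the verbs the operator actually needs instead of `"*"`, and render a namespaced Role and RoleBinding when `watchNamespace` is set; the same applies to `"*"` on `deployments`, `statefulsets` and `leases`. The ClusterRole is also wrapped in `if .Values.serviceAccount.create`, so with `create: false` no permissions are rendered for the account named in `serviceAccount.name`; document that, or gate RBAC on its own value.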

@ -0,0 +1,46 @@
{{- if .Values.serviceAccount.create -}}
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "vault-operator.fullname" . }}
labels:
helm.sh/chart: {{ include "vault-operator.chart" . }}
subjects:
- kind: ServiceAccount
name: {{ include "vault-operator.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: {{ include "vault-operator.fullname" . }}
apiGroup: rbac.authorization.k8s.io
{{- end }}
{{- if .Values.psp.enabled }}
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: psp:{{ include "vault-operator.fullname" . }}
labels:
helm.sh/chart: {{ include "vault-operator.chart" . }}
subjects:
- kind: ServiceAccount
name: {{ include "vault-operator.serviceAccountName" . }}
roleRef:
kind: Role
name: psp:{{ include "vault-operator.fullname" . }}
apiGroup: rbac.authorization.k8s.io
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: psp:{{ .Values.psp.vaultSA }}
labels:
helm.sh/chart: {{ include "vault-operator.chart" . }}
subjects:
- kind: ServiceAccount
name: {{ .Values.psp.vaultSA }}
roleRef:
kind: Role
name: psp:{{ .Values.psp.vaultSA }}
apiGroup: rbac.authorization.k8s.io
{{- end }}
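
Review bot: the two `psp:` RoleBindings list their ServiceAccount subjects without a `namespace`, and the Roles they reference are namespaced, so the `use` grant for `.Values.psp.vaultSA` only takes effect in the release namespace. With the default `watchNamespace: ""` (all namespaces watched), Vault pods created in other namespaces get no PSP grant from this chart. Either document that `psp.enabled` covers the release namespace only, or make it explicit by adding `namespace: {{ .Release.Namespace }}` to these subjects, as the ClusterRoleBinding subject above already does.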

@ -0,0 +1,15 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "vault-operator.serviceAccountName" . }}
labels:
helm.sh/chart: {{ include "vault-operator.chart" . }}
app.kubernetes.io/name: {{ include "vault-operator.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

@ -0,0 +1,25 @@
apiVersion: v1
kind: Service
metadata:
name: {{ .Values.service.name | default (include "vault-operator.fullname" .)}}
labels:
helm.sh/chart: {{ include "vault-operator.chart" . }}
app.kubernetes.io/name: {{ include "vault-operator.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Values.service.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.externalPort }}
targetPort: {{ .Values.service.internalPort }}
protocol: TCP
name: http
- port: 8383
protocol: TCP
name: http-metrics
selector:
app.kubernetes.io/name: {{ include "vault-operator.name" . }}

@ -0,0 +1,32 @@
{{ if .Values.monitoring.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "vault-operator.fullname" . }}
labels:
helm.sh/chart: {{ include "vault-operator.chart" . }}
app.kubernetes.io/name: {{ include "vault-operator.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Values.monitoring.serviceMonitor.additionalLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
app.kubernetes.io/name: {{ include "vault-operator.name" . }}
endpoints:
- port: http-metrics
path: /metrics
{{- with .Values.monitoring.serviceMonitor.metricRelabelings }}
metricRelabelings:
{{- toYaml . | nindent 6 }}
{{- end }}
{{- with .Values.monitoring.serviceMonitor.relabelings }}
relabelings:
{{- toYaml . | nindent 6 }}
{{- end }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
{{- end }}

@ -0,0 +1,97 @@
# Default values for vault-operator.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 1
image:
bankVaultsRepository: ghcr.io/banzaicloud/bank-vaults
repository: ghcr.io/banzaicloud/vault-operator
# tag: ""
pullPolicy: IfNotPresent
imagePullSecrets: [] # global.imagePullSecrets is also supported
service:
name: ""
type: ClusterIP
externalPort: 80
internalPort: 8080
annotations: {}
nameOverride: ""
fullnameOverride: ""
crdAnnotations: {}
# The namespace where the operator watches for vault CRD objects, if not defined
# all namespaces are watched
watchNamespace: ""
syncPeriod: "1m"
labels: {}
# team: banzai
podLabels: {}
# team: banzai
podAnnotations: {}
# team: banzai
resources:
limits:
memory: 256Mi
requests:
cpu: 100m
memory: 128Mi
affinity: {}
# # if tolerations are used inside cluster, define tolerations as well
tolerations: []
# - effect: NoSchedule
# key: node_role
# operator: Equal
# value: custom_worker
# # If needed, define nodeSelector for vault operator
nodeSelector: {}
# "node-role.kubernetes.io/custom_worker": "true"
podSecurityContext: {}
securityContext: {}
## Assign a PriorityClassName to pods if set
priorityClassName: ""
terminationGracePeriodSeconds: 10
livenessProbe:
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
psp:
enabled: false
vaultSA: "vault"
serviceAccount:
# Specifies whether a service account should be created
create: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
monitoring:
# Create a Vault Operator ServiceMonitor object
serviceMonitor:
enabled: true
additionalLabels: {}
metricRelabelings: []
relabelings: []
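
Review bot: `podSecurityContext: {}` and `securityContext: {}` leave the operator container on the image's defaults, while the chart's own PSP for the operator requires `MustRunAsNonRoot`, `allowPrivilegeEscalation: false` and dropping `ALL` capabilities. Shipping matching defaults (for example `runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]`) would harden the deployment without user overrides. Also, `monitoring.serviceMonitor.enabled: true` makes the install depend on the `monitoring.coreos.com/v1` ServiceMonitor CRD and the template has no capability check, and `resources.limits` here has no `cpu` although the README table lists `100m`.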

@ -0,0 +1,98 @@
# Default values for vault-operator.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 1
image:
bankVaultsRepository: ghcr.io/banzaicloud/bank-vaults
repository: ghcr.io/banzaicloud/vault-operator
# tag: ""
pullPolicy: IfNotPresent
imagePullSecrets: [] # global.imagePullSecrets is also supported
service:
name: ""
type: ClusterIP
externalPort: 80
internalPort: 8080
annotations: {}
nameOverride: ""
fullnameOverride: ""
crdAnnotations: {}
# The namespace where the operator watches for vault CRD objects, if not defined
# all namespaces are watched
watchNamespace: ""
syncPeriod: "1m"
labels: {}
# team: banzai
podLabels: {}
# team: banzai
podAnnotations: {}
# team: banzai
resources:
limits:
cpu: 100m
memory: 256Mi
requests:
cpu: 100m
memory: 128Mi
affinity: {}
# # if tolerations are used inside cluster, define tolerations as well
tolerations: []
# - effect: NoSchedule
# key: node_role
# operator: Equal
# value: custom_worker
# # If needed, define nodeSelector for vault operator
nodeSelector: {}
# "node-role.kubernetes.io/custom_worker": "true"
podSecurityContext: {}
securityContext: {}
## Assign a PriorityClassName to pods if set
priorityClassName: ""
terminationGracePeriodSeconds: 10
livenessProbe:
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
psp:
enabled: false
vaultSA: "vault"
serviceAccount:
# Specifies whether a service account should be created
create: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
monitoring:
# Create a Vault Operator ServiceMonitor object
serviceMonitor:
enabled: false
additionalLabels: {}
metricRelabelings: []
relabelings: []
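
Review bot: this file repeats the previous values file line for line except for `resources.limits.cpu: 100m` and `monitoring.serviceMonitor.enabled: false`. Two near-identical defaults files will drift, and the commit does not say which one is authoritative; keep one as the chart defaults and express the local changes as an override file that contains only the differing keys.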