# Default values for vault-secrets-webhook.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

replicaCount: 2

debug: false

certificate:
  useCertManager: false
  servingCertificate: null
  generate: true
  server:
    tls:
      crt:
      key:
  ca:
    crt:
  extraAltNames: []
  # use extra names if you want use the webhook via an ingress or a loadbalancer

image:
  repository: ghcr.io/banzaicloud/vault-secrets-webhook
  # tag: ""
  pullPolicy: IfNotPresent
  imagePullSecrets: []

service:
  name: vault-secrets-webhook
  type: ClusterIP
  externalPort: 443
  internalPort: 8443
  annotations: {}
  # Annotate service
  # This can be used for example if type is AWS LoadBalancer and you want to add security groups

ingress:
  enabled: false
  annotations: {}
  # dns of ingress for vault-webhook
  # host: example.com

webhookClientConfig:
  # By default the mutating webhook uses the service of the webhook directly to contact webhook
  # Use url if webhook should be contacted over loadbalancer or ingress instead of service object
  useUrl: false
  # set the url how the webhook should be contacted (including protocol https://)
  # url: https://example.com

vaultEnv:
  repository: ghcr.io/banzaicloud/vault-env
  # tag: ""

env:
  VAULT_IMAGE: vault:1.6.2
  # VAULT_CAPATH: /vault/tls
  # # Used when the pod that should get secret injected does not
  # # specify an imagePullSecret
  # DEFAULT_IMAGE_PULL_SECRET:
  # DEFAULT_IMAGE_PULL_SECRET_NAMESPACE:
  # DEFAULT_IMAGE_PULL_SECRET_SERVICE_ACCOUNT
  # VAULT_CLIENT_TIMEOUT: 10s
  # # define the webhook's role in Vault used for authentication,
  # # if not defined individually in resources by annotations.
  # VAULT_ROLE: vault-secrets-webhook
  # Resource requests and limits for init containers
  # VAULT_ENV_CPU_REQUEST:
  # VAULT_ENV_MEMORY_REQUEST:
  # VAULT_ENV_CPU_LIMIT:
  # VAULT_ENV_MEMORY_LIMIT
  # VAULT_ENV_LOG_SERVER:

initContainers: []
  ## Containers, which are run before the app containers are started.
  # - name: init-myservice
  #   image: busybox
  #   command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;']

metrics:
  enabled: false
  port: 8443
  serviceMonitor:
    enabled: false
    scheme: https
    tlsConfig:
      insecureSkipVerify: true

securityContext:
  runAsUser: 65534
  allowPrivilegeEscalation: false

podSecurityContext: {}

volumes: []
# - name: vault-tls
#   secret:
#     secretName: vault-tls

volumeMounts: []
# - name: vault-tls
#   mountPath: /vault/tls

podAnnotations: {}

labels: {}
  #  team: banzai

resources: {}

nodeSelector: {}

tolerations: []

affinity: {}

topologySpreadConstraints: {}

## Assign a PriorityClassName to pods if set
priorityClassName: ""

rbac:
  psp:
    enabled: false
  authDelegatorRole:
    enabled: false

serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Labels to add to the service account
  labels: {}
  # Annotations to add to the service account
  annotations: {}
  # Enables GKE workload identity
  #  iam.gke.io/gcp-service-account: gsa@project.iam.gserviceaccount.com
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""

deployment:
  # Strategy for the deployment
  strategy: {}

# A list of Kubernetes resource types to mutate as well:
# Example: ["ingresses", "servicemonitors"]
customResourceMutations: []

customResourcesFailurePolicy: Ignore

# This can cause issues when used with Helm, so it is not enabled by default
configMapMutation: false

# Whether to mutate Secrets with values from Vault. Set to false in order to prevent secret values from being persisted in Kubernetes.
secretsMutation: true

configMapFailurePolicy: Ignore

podsFailurePolicy: Ignore

secretsFailurePolicy: Ignore

apiSideEffectValue: NoneOnDryRun

namespaceSelector:
  matchExpressions:
    - key: name
      operator: NotIn
      values:
        - kube-system
    # https://kubernetes.io/docs/reference/labels-annotations-taints/#kubernetes-io-metadata-name
    - key: kubernetes.io/metadata.name
      operator: NotIn
      values:
        - kube-system
  # matchLabels:
  #   vault-injection: enabled

# In case of the K8s cluster version is above 1.15 objectSelector is usable
objectSelector: {}
  # matchExpressions:
  # - key: security.banzaicloud.io/mutate
  #   operator: NotIn
  #   values:
  #   - skip
  # matchLabels:
  #   vault-injection: enabled

# objectSelector & namespaceSelector for secrets resource (overrides `objectSelector`); Requires K8s 1.15+
secrets:
  objectSelector: {}
  namespaceSelector: {}

# objectSelector & namespaceSelector for pods resource (overrides `objectSelector`); Requires K8s 1.15+
pods:
  objectSelector: {}
  namespaceSelector: {}

# objectSelector & namespaceSelector for configmap resource (overrides `objectSelector`); Requires K8s 1.15+
configMaps:
  objectSelector: {}
  namespaceSelector: {}

# objectSelector & namespaceSelector for customResource resource (overrides `objectSelector`); Requires K8s 1.15+
customResources:
  objectSelector: {}
  namespaceSelector: {}

podDisruptionBudget:
  enabled: true
  minAvailable: 1
  # maxUnavailable: 1

timeoutSeconds: false

hostNetwork: false

# If you're using celium (CNI) and you are required to set hostNetwork to true
# then pods with webhooks must set the dnsPolicy to "ClusterFirstWithHostNet"
dnsPolicy: ""

# Override cluster version
kubeVersion: ""