223 lines
5.4 KiB
YAML
223 lines
5.4 KiB
YAML
# Default values for vault-secrets-webhook.
|
|
# This is a YAML-formatted file.
|
|
# Declare variables to be passed into your templates.
|
|
|
|
replicaCount: 2
|
|
|
|
debug: false
|
|
|
|
certificate:
|
|
useCertManager: false
|
|
servingCertificate: null
|
|
generate: true
|
|
server:
|
|
tls:
|
|
crt:
|
|
key:
|
|
ca:
|
|
crt:
|
|
extraAltNames: []
|
|
# use extra names if you want use the webhook via an ingress or a loadbalancer
|
|
|
|
image:
|
|
repository: ghcr.io/banzaicloud/vault-secrets-webhook
|
|
# tag: ""
|
|
pullPolicy: IfNotPresent
|
|
imagePullSecrets: []
|
|
|
|
service:
|
|
name: vault-secrets-webhook
|
|
type: ClusterIP
|
|
externalPort: 443
|
|
internalPort: 8443
|
|
annotations: {}
|
|
# Annotate service
|
|
# This can be used for example if type is AWS LoadBalancer and you want to add security groups
|
|
|
|
ingress:
|
|
enabled: false
|
|
annotations: {}
|
|
# dns of ingress for vault-webhook
|
|
# host: example.com
|
|
|
|
webhookClientConfig:
|
|
# By default the mutating webhook uses the service of the webhook directly to contact webhook
|
|
# Use url if webhook should be contacted over loadbalancer or ingress instead of service object
|
|
useUrl: false
|
|
# set the url how the webhook should be contacted (including protocol https://)
|
|
# url: https://example.com
|
|
|
|
vaultEnv:
|
|
repository: ghcr.io/banzaicloud/vault-env
|
|
# tag: ""
|
|
|
|
env:
|
|
VAULT_IMAGE: vault:1.6.2
|
|
# VAULT_CAPATH: /vault/tls
|
|
# # Used when the pod that should get secret injected does not
|
|
# # specify an imagePullSecret
|
|
# DEFAULT_IMAGE_PULL_SECRET:
|
|
# DEFAULT_IMAGE_PULL_SECRET_NAMESPACE:
|
|
# DEFAULT_IMAGE_PULL_SECRET_SERVICE_ACCOUNT
|
|
# VAULT_CLIENT_TIMEOUT: 10s
|
|
# # define the webhook's role in Vault used for authentication,
|
|
# # if not defined individually in resources by annotations.
|
|
# VAULT_ROLE: vault-secrets-webhook
|
|
# Resource requests and limits for init containers
|
|
# VAULT_ENV_CPU_REQUEST:
|
|
# VAULT_ENV_MEMORY_REQUEST:
|
|
# VAULT_ENV_CPU_LIMIT:
|
|
# VAULT_ENV_MEMORY_LIMIT
|
|
# VAULT_ENV_LOG_SERVER:
|
|
|
|
initContainers: []
|
|
## Containers, which are run before the app containers are started.
|
|
# - name: init-myservice
|
|
# image: busybox
|
|
# command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;']
|
|
|
|
metrics:
|
|
enabled: true
|
|
port: 8443
|
|
serviceMonitor:
|
|
enabled: true
|
|
scheme: https
|
|
tlsConfig:
|
|
insecureSkipVerify: true
|
|
|
|
securityContext:
|
|
runAsUser: 65534
|
|
allowPrivilegeEscalation: false
|
|
|
|
podSecurityContext: {}
|
|
|
|
volumes: []
|
|
# - name: vault-tls
|
|
# secret:
|
|
# secretName: vault-tls
|
|
|
|
volumeMounts: []
|
|
# - name: vault-tls
|
|
# mountPath: /vault/tls
|
|
|
|
podAnnotations: {}
|
|
|
|
labels: {}
|
|
# team: banzai
|
|
|
|
resources: {}
|
|
|
|
nodeSelector: {}
|
|
|
|
tolerations: []
|
|
|
|
affinity: {}
|
|
|
|
topologySpreadConstraints: {}
|
|
|
|
## Assign a PriorityClassName to pods if set
|
|
priorityClassName: ""
|
|
|
|
rbac:
|
|
psp:
|
|
enabled: false
|
|
authDelegatorRole:
|
|
enabled: false
|
|
|
|
serviceAccount:
|
|
# Specifies whether a service account should be created
|
|
create: true
|
|
# Labels to add to the service account
|
|
labels: {}
|
|
# Annotations to add to the service account
|
|
annotations: {}
|
|
# Enables GKE workload identity
|
|
# iam.gke.io/gcp-service-account: gsa@project.iam.gserviceaccount.com
|
|
# The name of the service account to use.
|
|
# If not set and create is true, a name is generated using the fullname template
|
|
name: ""
|
|
|
|
deployment:
|
|
# Strategy for the deployment
|
|
strategy: {}
|
|
|
|
# A list of Kubernetes resource types to mutate as well:
|
|
# Example: ["ingresses", "servicemonitors"]
|
|
customResourceMutations: []
|
|
|
|
customResourcesFailurePolicy: Ignore
|
|
|
|
# This can cause issues when used with Helm, so it is not enabled by default
|
|
configMapMutation: false
|
|
|
|
# Whether to mutate Secrets with values from Vault. Set to false in order to prevent secret values from being persisted in Kubernetes.
|
|
secretsMutation: true
|
|
|
|
configMapFailurePolicy: Ignore
|
|
|
|
podsFailurePolicy: Ignore
|
|
|
|
secretsFailurePolicy: Ignore
|
|
|
|
apiSideEffectValue: NoneOnDryRun
|
|
|
|
namespaceSelector:
|
|
matchExpressions:
|
|
- key: name
|
|
operator: NotIn
|
|
values:
|
|
- kube-system
|
|
# https://kubernetes.io/docs/reference/labels-annotations-taints/#kubernetes-io-metadata-name
|
|
- key: kubernetes.io/metadata.name
|
|
operator: NotIn
|
|
values:
|
|
- kube-system
|
|
# matchLabels:
|
|
# vault-injection: enabled
|
|
|
|
# In case of the K8s cluster version is above 1.15 objectSelector is usable
|
|
objectSelector: {}
|
|
# matchExpressions:
|
|
# - key: security.banzaicloud.io/mutate
|
|
# operator: NotIn
|
|
# values:
|
|
# - skip
|
|
# matchLabels:
|
|
# vault-injection: enabled
|
|
|
|
# objectSelector & namespaceSelector for secrets resource (overrides `objectSelector`); Requires K8s 1.15+
|
|
secrets:
|
|
objectSelector: {}
|
|
namespaceSelector: {}
|
|
|
|
# objectSelector & namespaceSelector for pods resource (overrides `objectSelector`); Requires K8s 1.15+
|
|
pods:
|
|
objectSelector: {}
|
|
namespaceSelector: {}
|
|
|
|
# objectSelector & namespaceSelector for configmap resource (overrides `objectSelector`); Requires K8s 1.15+
|
|
configMaps:
|
|
objectSelector: {}
|
|
namespaceSelector: {}
|
|
|
|
# objectSelector & namespaceSelector for customResource resource (overrides `objectSelector`); Requires K8s 1.15+
|
|
customResources:
|
|
objectSelector: {}
|
|
namespaceSelector: {}
|
|
|
|
podDisruptionBudget:
|
|
enabled: true
|
|
minAvailable: 1
|
|
# maxUnavailable: 1
|
|
|
|
timeoutSeconds: false
|
|
|
|
hostNetwork: false
|
|
|
|
# If you're using celium (CNI) and you are required to set hostNetwork to true
|
|
# then pods with webhooks must set the dnsPolicy to "ClusterFirstWithHostNet"
|
|
dnsPolicy: ""
|
|
|
|
# Override cluster version
|
|
kubeVersion: ""
|