# Vault Helm Chart Value Overrides
#
# Values for the hashicorp/vault Helm chart: a 5-node Enterprise HA cluster
# using Integrated Storage (raft), TLS on the listener, and a LoadBalancer
# Service in front of the UI/API. Init and unseal are performed manually
# (no KMS credentials are mounted, see the commented-out `kms-creds` volume).
global:
  enabled: true
  # Keep TLS on. The listener block under server.ha.raft.config expects the
  # cert/key/CA to be present in the `tls-secret` volume mounted below.
  tlsDisable: false

# The Agent Injector (vault-k8s) is not deployed by these overrides.
injector:
  enabled: false
  # Use the Vault K8s Image https://github.com/hashicorp/vault-k8s/
  # image:
  #   repository: "hashicorp/vault-k8s"
  #   tag: "latest"
  # resources:
  #   requests:
  #     memory: 256Mi
  #     cpu: 250m
  #   limits:
  #     memory: 256Mi
  #     cpu: 250m

server:
  # Use the Enterprise Image. The tag is pinned (no floating `latest`), which
  # is what you want for reproducible rollouts; track patch releases of this
  # line and bump deliberately rather than leaving the pin to age.
  image:
    repository: "hashicorp/vault-enterprise"
    tag: "1.7.0_ent"
  # These Resource Limits are in line with node requirements in the
  # Vault Reference Architecture for a Small Cluster
  # resources:
  #   requests:
  #     memory: 8Gi
  #     cpu: 2000m
  #   limits:
  #     memory: 16Gi
  #     cpu: 2000m
  # Because the cluster is initialised and unsealed manually, the chart's
  # default probes are switched OFF here. The `path` values below are inert
  # while `enabled: false` and only take effect if a probe is re-enabled.
  # NOTE(review): with the readiness probe disabled, sealed or uninitialised
  # pods are never removed from the Service endpoints, so a client reaching
  # the LoadBalancer below may land on a node that answers 503 until it is
  # unsealed. The `sealedcode=204&uninitcode=204` path is the chart's usual
  # way of keeping such pods reachable for init/unseal while still having a
  # probe; re-enabling readiness with that path is worth considering.
  readinessProbe:
    enabled: false
    path: "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204"
  livenessProbe:
    enabled: false
    path: "/v1/sys/health?standbyok=true"
    initialDelaySeconds: 60
  # extraEnvironmentVars is a list of extra environment variables to set with
  # the stateful set. These could be used to include variables required for
  # auto-unseal. VAULT_CACERT points the in-pod `vault` CLI at the CA from the
  # mounted secret so `vault operator init/unseal` verifies the server cert
  # instead of needing -tls-skip-verify.
  extraEnvironmentVars:
    VAULT_CACERT: /vault/userconfig/tls-secret/ca.crt
  # extraVolumes is a list of extra volumes to mount. These will be exposed
  # to Vault in the path `/vault/userconfig/<name>/`.
  # `tls-secret` must contain tls.crt, tls.key and ca.crt (the file names the
  # listener and retry_join stanzas reference). The cert presumably needs
  # SANs for vault-0..vault-4.vault-internal, since retry_join dials those
  # names over TLS with the CA pinned — confirm against the issued cert.
  extraVolumes:
    - type: secret
      name: tls-secret
    # Auto-unseal credentials are not mounted; unseal is manual.
    # - type: secret
    #   name: kms-creds
  # This configures the Vault Statefulset to create a PVC for audit logs.
  # See https://www.vaultproject.io/docs/audit/index.html to know more
  # NOTE(review): this only provisions the storage. No audit device exists
  # until one is enabled after init (e.g. a `file` device writing under the
  # PVC mount); until then nothing is audited.
  auditStorage:
    enabled: true
  standalone:
    enabled: false
  # Run Vault in "dev" mode. This requires no further setup, no state management,
  # and no initialization. This is useful for experimenting with Vault without
  # needing to unseal, store keys, et. al. All data is lost on restart - do not
  # use dev mode for anything other than experimenting.
  # See https://www.vaultproject.io/docs/concepts/dev-server.html to know more
  dev:
    enabled: false
    # Set VAULT_DEV_ROOT_TOKEN_ID value. "root" is the well-known default and
    # is only applied when dev.enabled is true; it has no effect on this HA
    # deployment, but never flip dev.enabled on with this value in a shared
    # cluster.
    devRootToken: "root"
  # Run Vault in "HA" mode with Integrated Storage (raft), 5 voters.
  ha:
    enabled: true
    replicas: 5
    raft:
      enabled: true
      # Give each pod a stable raft node_id derived from the pod name.
      setNodeId: true
      # Vault server HCL. The listener terminates TLS with the mounted
      # tls-secret; retry_join lists every peer (vault-0..vault-4) with the
      # CA pinned and the server cert/key reused as the client identity for
      # the join handshake. Each pod's own address is in its own list, which
      # is expected to be harmless for raft auto-join. Edit this block, not the
      # chart defaults, when changing ports or cert paths — and keep the paths
      # in sync with extraVolumes above.
      config: |
        ui = true
        listener "tcp" {
          address = "[::]:8200"
          cluster_address = "[::]:8201"
          tls_cert_file = "/vault/userconfig/tls-secret/tls.crt"
          tls_key_file = "/vault/userconfig/tls-secret/tls.key"
          tls_ca_cert_file = "/vault/userconfig/tls-secret/ca.crt"
        }
        storage "raft" {
          path = "/vault/data"
          retry_join {
            leader_api_addr = "https://vault-0.vault-internal:8200"
            leader_ca_cert_file = "/vault/userconfig/tls-secret/ca.crt"
            leader_client_cert_file = "/vault/userconfig/tls-secret/tls.crt"
            leader_client_key_file = "/vault/userconfig/tls-secret/tls.key"
          }
          retry_join {
            leader_api_addr = "https://vault-1.vault-internal:8200"
            leader_ca_cert_file = "/vault/userconfig/tls-secret/ca.crt"
            leader_client_cert_file = "/vault/userconfig/tls-secret/tls.crt"
            leader_client_key_file = "/vault/userconfig/tls-secret/tls.key"
          }
          retry_join {
            leader_api_addr = "https://vault-2.vault-internal:8200"
            leader_ca_cert_file = "/vault/userconfig/tls-secret/ca.crt"
            leader_client_cert_file = "/vault/userconfig/tls-secret/tls.crt"
            leader_client_key_file = "/vault/userconfig/tls-secret/tls.key"
          }
          retry_join {
            leader_api_addr = "https://vault-3.vault-internal:8200"
            leader_ca_cert_file = "/vault/userconfig/tls-secret/ca.crt"
            leader_client_cert_file = "/vault/userconfig/tls-secret/tls.crt"
            leader_client_key_file = "/vault/userconfig/tls-secret/tls.key"
          }
          retry_join {
            leader_api_addr = "https://vault-4.vault-internal:8200"
            leader_ca_cert_file = "/vault/userconfig/tls-secret/ca.crt"
            leader_client_cert_file = "/vault/userconfig/tls-secret/tls.crt"
            leader_client_key_file = "/vault/userconfig/tls-secret/tls.key"
          }
        }
        service_registration "kubernetes" {}

# Vault UI
# NOTE(review): the UI and the HTTP API share the 8200 listener, so this
# LoadBalancer exposes the full Vault API, not just the web UI. With
# loadBalancerSourceRanges left commented out, the Service is reachable from
# whatever the cloud LB admits (often 0.0.0.0/0). Uncomment and fill in the
# source ranges before using these values anywhere that is not a lab, or use
# ClusterIP plus an ingress/VPN you already control.
ui:
  enabled: true
  serviceType: "LoadBalancer"
  serviceNodePort: null
  externalPort: 8200
  # Restrict who can reach the LoadBalancer. Uncomment and set real CIDRs:
  # loadBalancerSourceRanges:
  #   - < Your IP RANGE Ex. 10.0.0.0/16 >
  #   - < YOUR SINGLE IP Ex. 1.78.23.3/32 >