values.yaml

# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

# Available parameters and their default values for the vHSM chart.

global:
  # enabled is the master enabled switch. Setting this to true or false
  # will enable or disable all the components within this chart by default.
  enabled: true
  # The namespace to deploy to. Defaults to the `helm` installation namespace.
  namespace: ""
  # Image pull secret to use for registry authentication.
  # Alternatively, the value may be specified as an array of strings.
  imagePullSecrets: []
  # imagePullSecrets:
  #   - name: image-pull-secret

  # TLS for end-to-end encrypted transport
  tlsDisable: true
  # If deploying to OpenShift
  openshift: false
  # @schema
  # type: object
  # @schema
  # Create PodSecurityPolicy for pods
  psp:
    enable: false
    # @schema
    # type: [object, string]
    # @schema
    # Annotation for PodSecurityPolicy.
    # This is a multi-line templated string map, and can also be set as YAML.
    annotations: |
      seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default
      apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
      seccomp.security.alpha.kubernetes.io/defaultProfileName:  runtime/default
      apparmor.security.beta.kubernetes.io/defaultProfileName:  runtime/default
  serverTelemetry:
    # Enable integration with the Prometheus Operator
    # See the top level serverTelemetry section below before enabling this feature.
    prometheusOperator: false

server:
  # @schema
  # type: [boolean, string]
  # @schema
  # If true, or "-" with global.enabled true, Vault server will be installed.
  # See vault.mode in _helpers.tpl for implementation details.
  enabled: "-"
  # Resource requests, limits, etc. for the server cluster placement. This
  # should map directly to the value of the resources field for a PodSpec.
  # By default no direct resource request is made.
  image:
    repository: "harbor.enclaive.cloud/vhsm/vhsm"
    tag: "v1.4.6-0"
    # Overrides the default Image Pull Policy
    pullPolicy: IfNotPresent
  # Configure the Update Strategy Type for the StatefulSet
  # See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
  updateStrategyType: "OnDelete"
  # Configure the logging verbosity for the Vault server.
  # Supported log levels include: trace, debug, info, warn, error
  logLevel: ""
  # Configure the logging format for the Vault server.
  # Supported log formats include: standard, json
  logFormat: ""
  resources: {}
  # resources:
  #   requests:
  #     memory: 256Mi
  #     cpu: 250m
  #   limits:
  #     memory: 256Mi
  #     cpu: 250m

  # Ingress allows ingress services to be created to allow external access
  # from Kubernetes to access Vault pods.
  # If deployment is on OpenShift, the following block is ignored.
  # In order to expose the service, use the route section below
  ingress:
    enabled: false
    # @schema
    # type: object
    # @schema
    labels: {}
    # @schema
    # type: [object, string]
    # @schema
    # traffic: external
    annotations: {}
    # |
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
    #   or
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"

    # Optionally use ingressClassName instead of deprecated annotation.
    # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#deprecated-annotation
    ingressClassName: ""
    # As of Kubernetes 1.19, all Ingress Paths must have a pathType configured. The default value below should be sufficient in most cases.
    # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types for other possible values.
    pathType: Prefix
    # When HA mode is enabled and K8s service registration is being used,
    # configure the ingress to point to the Vault active service.
    activeService: true
    # @schema
    # type: array
    # items:
    #   type: object
    #   properties:
    #     host:
    #       type: string
    #     paths:
    #       type: array
    # @schema
    hosts:
      - host: chart-example.local
        paths: []
    ## Extra paths to prepend to the host configuration. This is useful when working with annotation based services.
    extraPaths: []
    # - path: /*
    #   backend:
    #     service:
    #       name: ssl-redirect
    #       port:
    #         number: use-annotation
    tls: []
    #  - secretName: chart-example-tls
    #    hosts:
    #      - chart-example.local
  # hostAliases is a list of aliases to be added to /etc/hosts. Specified as a YAML list.
  hostAliases: []
  # - ip: 127.0.0.1
  #   hostnames:
  #     - chart-example.local

  # OpenShift only - create a route to expose the service
  # By default the created route will be of type passthrough
  route:
    enabled: false
    # When HA mode is enabled and K8s service registration is being used,
    # configure the route to point to the Vault active service.
    activeService: true
    # @schema
    # type: object
    # @schema
    labels: {}
    # @schema
    # type: [object, string]
    # @schema
    annotations: {}
    host: chart-example.local
    # @schema
    # type: object
    # properties: {}
    # @schema
    # tls will be passed directly to the route's TLS config, which
    # can be used to configure other termination methods that terminate
    # TLS at the router
    tls:
      termination: passthrough
  # authDelegator enables a cluster role binding to be attached to the service
  # account.  This cluster role binding can be used to setup Kubernetes auth
  # method. See https://developer.hashicorp.com/vault/docs/auth/kubernetes
  authDelegator:
    enabled: true
  # @schema
  # type: [null, array]
  # @schema
  # extraInitContainers is a list of init containers. Specified as a YAML list.
  # This is useful if you need to run a script to provision TLS certificates or
  # write out configuration files in a dynamic way.
  extraInitContainers: null
  # # This example installs a plugin pulled from github into the /usr/local/libexec/vhsm/oauthapp folder,
  # # which is defined in the volumes value.
  # - name: oauthapp
  #   image: "alpine"
  #   command: [sh, -c]
  #   args:
  #     - cd /tmp &&
  #       wget https://github.com/puppetlabs/vault-plugin-secrets-oauthapp/releases/download/v1.2.0/vault-plugin-secrets-oauthapp-v1.2.0-linux-amd64.tar.xz -O oauthapp.xz &&
  #       tar -xf oauthapp.xz &&
  #       mv vault-plugin-secrets-oauthapp-v1.2.0-linux-amd64 /usr/local/libexec/vhsm/oauthapp &&
  #       chmod +x /usr/local/libexec/vhsm/oauthapp
  #   volumeMounts:
  #     - name: plugins
  #       mountPath: /usr/local/libexec/vhsm

  # @schema
  # type: [null, array]
  # @schema
  # extraContainers is a list of sidecar containers. Specified as a YAML list.
  extraContainers: null
  # shareProcessNamespace enables process namespace sharing between Vault and the extraContainers
  # This is useful if Vault must be signaled, e.g. to send a SIGHUP for a log rotation
  shareProcessNamespace: false
  # extraArgs is a string containing additional Vault server arguments.
  extraArgs: ""
  # @schema
  # type: [null, array]
  # @schema
  # extraPorts is a list of extra ports. Specified as a YAML list.
  # This is useful if you need to add additional ports to the statefulset in dynamic way.
  extraPorts: null
  # - containerPort: 8300
  #   name: http-monitoring

  # Used to define custom readinessProbe settings
  readinessProbe:
    enabled: true
    # If you need to use a http path instead of the default exec
    # path: /v1/sys/health?standbyok=true

    # Port number on which readinessProbe will be checked.
    port: 8200
    # When a probe fails, Kubernetes will try failureThreshold times before giving up
    failureThreshold: 2
    # Number of seconds after the container has started before probe initiates
    initialDelaySeconds: 5
    # How often (in seconds) to perform the probe
    periodSeconds: 5
    # Minimum consecutive successes for the probe to be considered successful after having failed
    successThreshold: 1
    # Number of seconds after which the probe times out.
    timeoutSeconds: 3
  # Used to enable a livenessProbe for the pods
  livenessProbe:
    enabled: false
    # Used to define a liveness exec command. If provided, exec is preferred to httpGet (path) as the livenessProbe handler.
    execCommand: []
    # - /bin/sh
    # - -c
    # - /vault/userconfig/mylivenessscript/run.sh
    # Path for the livenessProbe to use httpGet as the livenessProbe handler
    path: "/v1/sys/health?standbyok=true"
    # Port number on which livenessProbe will be checked if httpGet is used as the livenessProbe handler
    port: 8200
    # When a probe fails, Kubernetes will try failureThreshold times before giving up
    failureThreshold: 2
    # Number of seconds after the container has started before probe initiates
    initialDelaySeconds: 60
    # How often (in seconds) to perform the probe
    periodSeconds: 5
    # Minimum consecutive successes for the probe to be considered successful after having failed
    successThreshold: 1
    # Number of seconds after which the probe times out.
    timeoutSeconds: 3
  # Optional duration in seconds the pod needs to terminate gracefully.
  # See: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
  terminationGracePeriodSeconds: 10
  # Used to set the sleep time during the preStop step
  preStopSleepSeconds: 5
  # Used to define commands to run after the pod is ready.
  # This can be used to automate processes such as initialization
  # or boostrapping auth methods.
  postStart: []
  # - /bin/sh
  # - -c
  # - /vault/userconfig/myscript/run.sh

  # extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be
  # used to include variables required for auto-unseal.
  extraEnvironmentVars: {}
  # GOOGLE_REGION: global
  # GOOGLE_PROJECT: myproject
  # GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/myproject/myproject-creds.json

  # @schema
  # type: array
  # @schema
  # extraSecretEnvironmentVars is a list of extra environment variables to set with the stateful set.
  # These variables take value from existing Secret objects.
  extraSecretEnvironmentVars: []
  # - envName: AWS_SECRET_ACCESS_KEY
  #   secretName: vault
  #   secretKey: AWS_SECRET_ACCESS_KEY

  # @schema
  # type: array
  # @schema
  # Deprecated: please use 'volumes' instead.
  # extraVolumes is a list of extra volumes to mount. These will be exposed
  # to Vault in the path `/vault/userconfig/<name>/`. The value below is
  # an array of objects, examples are shown below.
  extraVolumes: []
  # - type: secret (or "configMap")
  #   name: my-secret
  #   path: null # default is `/vault/userconfig`

  # @schema
  # type: [null, array]
  # @schema
  # volumes is a list of volumes made available to all containers. These are rendered
  # via toYaml rather than pre-processed like the extraVolumes value.
  # The purpose is to make it easy to share volumes between containers.
  volumes: null
  #   - name: plugins
  #     emptyDir: {}

  # @schema
  # type: [null, array]
  # @schema
  # volumeMounts is a list of volumeMounts for the main server container. These are rendered
  # via toYaml rather than pre-processed like the extraVolumes value.
  # The purpose is to make it easy to share volumes between containers.
  volumeMounts: null
  #   - mountPath: /usr/local/libexec/vhsm
  #     name: plugins
  #     readOnly: true

  # @schema
  # type: [object, string]
  # @schema
  # Affinity Settings
  # Commenting out or setting as empty the affinity variable, will allow
  # deployment to single node services such as Minikube
  # This should be either a multi-line string or YAML matching the PodSpec's affinity field.
  affinity: |
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchLabels:
              app.kubernetes.io/name: {{ template "vault.name" . }}
              app.kubernetes.io/instance: "{{ .Release.Name }}"
              component: server
          topologyKey: kubernetes.io/hostname
  # @schema
  # type: [null, array, string]
  # @schema
  # Topology settings for server pods
  # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
  # This should be either a multi-line string or YAML matching the topologySpreadConstraints array
  # in a PodSpec.
  topologySpreadConstraints: []
  # @schema
  # type: [null, array, string]
  # @schema
  # Toleration Settings for server pods
  # This should be either a multi-line string or YAML matching the Toleration array
  # in a PodSpec.
  tolerations: []
  # @schema
  # type: [null, object, string]
  # @schema
  # nodeSelector labels for server pod assignment, formatted as a multi-line string or YAML map.
  # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
  # Example:
  # nodeSelector:
  #   beta.kubernetes.io/arch: amd64
  nodeSelector: {}
  # Enables network policy for server pods
  networkPolicy:
    enabled: false
    egress: []
    # egress:
    # - to:
    #   - ipBlock:
    #       cidr: 10.0.0.0/24
    #   ports:
    #   - protocol: TCP
    #     port: 443
    # @schema
    # type: array
    # items: {}
    # @schema
    ingress:
      - from:
          - namespaceSelector: {}
        ports:
          - port: 8200
            protocol: TCP
          - port: 8201
            protocol: TCP
  # Priority class for server pods
  priorityClassName: ""
  # Extra labels to attach to the server pods
  # This should be a YAML map of the labels to apply to the server pods
  extraLabels: {}
  # @schema
  # type: [object, string]
  # @schema
  # Extra annotations to attach to the server pods
  # This can either be YAML or a YAML-formatted multi-line templated string map
  # of the annotations to apply to the server pods
  annotations: {}
  # Add an annotation to the server configmap and the statefulset pods,
  # vaultproject.io/config-checksum, that is a hash of the Vault configuration.
  # This can be used together with an OnDelete deployment strategy to help
  # identify which pods still need to be deleted during a deployment to pick up
  # any configuration changes.
  configAnnotation: false
  # Enables a headless service to be used by the Vault Statefulset
  service:
    enabled: true
    # Enable or disable the vault-active service, which selects Vault pods that
    # have labeled themselves as the cluster leader with `vault-active: "true"`.
    active:
      enabled: true
      # @schema
      # type: [object, string]
      # @schema
      # Extra annotations for the service definition. This can either be YAML or a
      # YAML-formatted multi-line templated string map of the annotations to apply
      # to the active service.
      annotations: {}
    # Enable or disable the vault-standby service, which selects Vault pods that
    # have labeled themselves as a cluster follower with `vault-active: "false"`.
    standby:
      enabled: true
      # @schema
      # type: [object, string]
      # @schema
      # Extra annotations for the service definition. This can either be YAML or a
      # YAML-formatted multi-line templated string map of the annotations to apply
      # to the standby service.
      annotations: {}
    # If enabled, the service selectors will include `app.kubernetes.io/instance: {{ .Release.Name }}`
    # When disabled, services may select Vault pods not deployed from the chart.
    # Does not affect the headless vault-internal service with `ClusterIP: None`
    instanceSelector:
      enabled: true
    # clusterIP controls whether a Cluster IP address is attached to the
    # Vault service within Kubernetes.  By default, the Vault service will
    # be given a Cluster IP address, set to None to disable.  When disabled
    # Kubernetes will create a "headless" service.  Headless services can be
    # used to communicate with pods directly through DNS instead of a round-robin
    # load balancer.
    # clusterIP: None

    # Configures the service type for the main Vault service.  Can be ClusterIP
    # or NodePort.
    #type: ClusterIP

    # The IP family and IP families options are to set the behaviour in a dual-stack environment.
    # Omitting these values will let the service fall back to whatever the CNI dictates the defaults
    # should be.
    # These are only supported for kubernetes versions >=1.23.0
    #
    # Configures the service's supported IP family policy, can be either:
    #     SingleStack: Single-stack service. The control plane allocates a cluster IP for the Service, using the first configured service cluster IP range.
    #     PreferDualStack: Allocates IPv4 and IPv6 cluster IPs for the Service.
    #     RequireDualStack: Allocates Service .spec.ClusterIPs from both IPv4 and IPv6 address ranges.
    ipFamilyPolicy: ""
    # Sets the families that should be supported and the order in which they should be applied to ClusterIP as well.
    # Can be IPv4 and/or IPv6.
    ipFamilies: []
    # Do not wait for pods to be ready before including them in the services'
    # targets. Does not apply to the headless service, which is used for
    # cluster-internal communication.
    publishNotReadyAddresses: true
    # The externalTrafficPolicy can be set to either Cluster or Local
    # and is only valid for LoadBalancer and NodePort service types.
    # The default value is Cluster.
    # ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-traffic-policy
    externalTrafficPolicy: Cluster
    # If type is set to "NodePort", a specific nodePort value can be configured,
    # will be random if left blank.
    #nodePort: 30000

    # When HA mode is enabled
    # If type is set to "NodePort", a specific nodePort value can be configured,
    # will be random if left blank.
    #activeNodePort: 30001

    # Deprecation: unused value
    # When HA mode is enabled
    # If type is set to "NodePort", a specific nodePort value can be configured,
    # will be random if left blank.
    #standbyNodePort: 30002

    # Port on which Vault server is listening
    port: 8200
    # @schema
    # type: integer
    # @schema
    # Target port to which the service should be mapped to
    targetPort: 8200
    # @schema
    # type: [object, string]
    # @schema
    # Extra annotations for the service definition. This can either be YAML or a
    # YAML-formatted multi-line templated string map of the annotations to apply
    # to the service.
    annotations: {}
  # This configures the Vault Statefulset to create a PVC for data
  # storage when using the file or raft backend storage engines.
  # See https://developer.hashicorp.com/vault/docs/configuration/storage to know more
  dataStorage:
    # @schema
    # type: [boolean, string]
    # @schema
    enabled: true
    # Size of the PVC created
    size: 10Gi
    # Location where the PVC will be mounted.
    mountPath: "/vault/data"
    # @schema
    # type: [null, string]
    # @schema
    # Name of the storage class to use.  If null it will use the
    # configured default Storage Class.
    storageClass: null
    # Access Mode of the storage device being used for the PVC
    accessMode: ReadWriteOnce
    # @schema
    # type: [object, string]
    # @schema
    # Annotations to apply to the PVC
    annotations: {}
    # @schema
    # type: [object, string]
    # @schema
    # Labels to apply to the PVC
    labels: {}
  # @schema
  # type: object
  # properties:
  #   whenDeleted:
  #     type: string
  #   whenScaled:
  #     type: string
  # @schema
  # Persistent Volume Claim (PVC) retention policy
  # ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention
  # Example:
  # persistentVolumeClaimRetentionPolicy:
  #   whenDeleted: Retain
  #   whenScaled: Retain
  persistentVolumeClaimRetentionPolicy: {}
  # This configures the Vault Statefulset to create a PVC for audit
  # logs.  Once Vault is deployed, initialized, and unsealed, Vault must
  # be configured to use this for audit logs.  This will be mounted to
  # /vault/audit
  # See https://developer.hashicorp.com/vault/docs/audit to know more
  auditStorage:
    # @schema
    # type: [boolean, string]
    # @schema
    enabled: false
    # Size of the PVC created
    size: 10Gi
    # Location where the PVC will be mounted.
    mountPath: "/vault/audit"
    # @schema
    # type: [null, string]
    # @schema
    # Name of the storage class to use.  If null it will use the
    # configured default Storage Class.
    storageClass: null
    # Access Mode of the storage device being used for the PVC
    accessMode: ReadWriteOnce
    # @schema
    # type: [object, string]
    # @schema
    # Annotations to apply to the PVC
    annotations: {}
    # @schema
    # type: [object, string]
    # @schema
    # Labels to apply to the PVC
    labels: {}
  # Run Vault in "dev" mode. This requires no further setup, no state management,
  # and no initialization. This is useful for experimenting with Vault without
  # needing to unseal, store keys, et. al. All data is lost on restart - do not
  # use dev mode for anything other than experimenting.
  # See https://developer.hashicorp.com/vault/docs/concepts/dev-server to know more
  dev:
    enabled: false
    # Set VAULT_DEV_ROOT_TOKEN_ID value
    devRootToken: "root"
  # Run Vault in "standalone" mode. This is the default mode that will deploy if
  # no arguments are given to helm. This requires a PVC for data storage to use
  # the "file" backend.  This mode is not highly available and should not be scaled
  # past a single replica.
  standalone:
    # @schema
    # type: [string, boolean]
    # @schema
    enabled: "-"
    # config is a raw string of default configuration when using a Stateful
    # deployment. Default is to use a PersistentVolumeClaim mounted at /vault/data
    # and store data there. This is only used when using a Replica count of 1, and
    # using a stateful set. This should be HCL.

    # @schema
    # type: [string, object]
    # @schema
    # Note: Configuration files are stored in ConfigMaps so sensitive data
    # such as passwords should be either mounted through extraSecretEnvironmentVars
    # or through a Kube secret.  For more information see:
    # https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
    config: |
      ui = true

      listener "tcp" {
        tls_disable = 1
        address = "[::]:8200"
        cluster_address = "[::]:8201"
        # Enable unauthenticated metrics access (necessary for Prometheus Operator)
        #telemetry {
        #  unauthenticated_metrics_access = "true"
        #}
      }
      storage "file" {
        path = "/vault/data"
      }

      # Example configuration for using auto-unseal, using Google Cloud KMS. The
      # GKMS keys must already exist, and the cluster must have a service account
      # that is authorized to access GCP KMS.
      #seal "gcpckms" {
      #   project     = "vhsm-helm-dev"
      #   region      = "global"
      #   key_ring    = "vhsm-helm-unseal-kr"
      #   crypto_key  = "vhsm-helm-unseal-key"
      #}

      # Example configuration for enabling Prometheus metrics in your config.
      #telemetry {
      #  prometheus_retention_time = "30s"
      #  disable_hostname = true
      #}
  # Run Vault in "HA" mode. There are no storage requirements unless the audit log
  # persistence is required.  In HA mode Vault will configure itself to use Consul
  # for its storage backend.  The default configuration provided will work the Consul
  # Helm project by default.  It is possible to manually configure Vault to use a
  # different HA backend.
  ha:
    enabled: false
    # @schema
    # type: integer
    # required: false
    # @schema
    replicas: 3
    # @schema
    # type: [null, string]
    # @schema
    # Set the api_addr configuration for Vault HA
    # See https://developer.hashicorp.com/vault/docs/configuration#api_addr
    # If set to null, this will be set to the Pod IP Address
    apiAddr: null
    # @schema
    # type: [null, string]
    # @schema
    # Set the cluster_addr confuguration for Vault HA
    # See https://developer.hashicorp.com/vault/docs/configuration#cluster_addr
    # If set to null, this will be set to https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201
    clusterAddr: null
    # Enables Vault's integrated Raft storage.  Unlike the typical HA modes where
    # Vault's persistence is external (such as Consul), enabling Raft mode will create
    # persistent volumes for Vault to store data according to the configuration under server.dataStorage.
    # The Vault cluster will coordinate leader elections and failovers internally.
    raft:
      # Enables Raft integrated storage
      enabled: false
      # Set the Node Raft ID to the name of the pod
      setNodeId: false
      # @schema
      # type: [string, object]
      # @schema
      # Note: Configuration files are stored in ConfigMaps so sensitive data
      # such as passwords should be either mounted through extraSecretEnvironmentVars
      # or through a Kube secret.  For more information see:
      # https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
      config: |
        ui = true

        listener "tcp" {
          tls_disable = 1
          address = "[::]:8200"
          cluster_address = "[::]:8201"
          # Enable unauthenticated metrics access (necessary for Prometheus Operator)
          #telemetry {
          #  unauthenticated_metrics_access = "true"
          #}
        }

        storage "raft" {
          path = "/vault/data"
        }

        service_registration "kubernetes" {}
    # config is a raw string of default configuration when using a Stateful
    # deployment. Default is to use a Consul for its HA storage backend.
    # This should be HCL.

    # @schema
    # type: [string, object]
    # @schema
    # Note: Configuration files are stored in ConfigMaps so sensitive data
    # such as passwords should be either mounted through extraSecretEnvironmentVars
    # or through a Kube secret.  For more information see:
    # https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
    config: |
      ui = true

      listener "tcp" {
        tls_disable = 1
        address = "[::]:8200"
        cluster_address = "[::]:8201"
      }
      storage "consul" {
        path = "vault"
        address = "HOST_IP:8500"
      }

      service_registration "kubernetes" {}

      # Example configuration for using auto-unseal, using Google Cloud KMS. The
      # GKMS keys must already exist, and the cluster must have a service account
      # that is authorized to access GCP KMS.
      #seal "gcpckms" {
      #   project     = "vhsm-helm-dev-246514"
      #   region      = "global"
      #   key_ring    = "vhsm-helm-unseal-kr"
      #   crypto_key  = "vhsm-helm-unseal-key"
      #}

      # Example configuration for enabling Prometheus metrics.
      # If you are using Prometheus Operator you can enable a ServiceMonitor resource below.
      # You may wish to enable unauthenticated metrics in the listener block above.
      #telemetry {
      #  prometheus_retention_time = "30s"
      #  disable_hostname = true
      #}
    # A disruption budget limits the number of pods of a replicated application
    # that are down simultaneously from voluntary disruptions
    disruptionBudget:
      enabled: true
      # @schema
      # type: [null, integer]
      # @schema
      # maxUnavailable will default to (n/2)-1 where n is the number of
      # replicas. If you'd like a custom value, you can specify an override here.
      maxUnavailable: null
  # Definition of the serviceAccount used to run Vault.
  # These options are also used when using an external Vault server to validate
  # Kubernetes tokens.
  serviceAccount:
    # Specifies whether a service account should be created
    create: true
    # The name of the service account to use.
    # If not set and create is true, a name is generated using the fullname template
    name: ""
    # Create a Secret API object to store a non-expiring token for the service account.
    # Prior to v1.24.0, Kubernetes used to generate this secret for each service account by default.
    # Kubernetes now recommends using short-lived tokens from the TokenRequest API or projected volumes instead if possible.
    # For more details, see https://kubernetes.io/docs/concepts/configuration/secret/#service-account-token-secrets
    # serviceAccount.create must be equal to 'true' in order to use this feature.
    createSecret: false
    # @schema
    # type: [object, string]
    # @schema
    # Extra annotations for the serviceAccount definition. This can either be
    # YAML or a YAML-formatted multi-line templated string map of the
    # annotations to apply to the serviceAccount.
    annotations: {}
    # Extra labels to attach to the serviceAccount
    # This should be a YAML map of the labels to apply to the serviceAccount
    extraLabels: {}
    # Enable or disable a service account role binding with the permissions required for
    # Vault's Kubernetes service_registration config option.
    # See https://developer.hashicorp.com/vault/docs/configuration/service-registration/kubernetes
    serviceDiscovery:
      enabled: true
  # Settings for the statefulSet used to run Vault.
  statefulSet:
    # @schema
    # type: [object, string]
    # @schema
    # Extra annotations for the statefulSet. This can either be YAML or a
    # YAML-formatted multi-line templated string map of the annotations to apply
    # to the statefulSet.
    annotations: {}
    # Set the pod and container security contexts.
    # If not set, these will default to, and for *not* OpenShift:
    # pod:
    #   runAsNonRoot: true
    #   runAsGroup: {{ .Values.server.gid | default 1000 }}
    #   runAsUser: {{ .Values.server.uid | default 999 }}
    #   fsGroup: {{ .Values.server.gid | default 1000 }}
    # container:
    #   allowPrivilegeEscalation: false
    #
    # If not set, these will default to, and for OpenShift:
    # pod: {}
    # container: {}
    securityContext:
      # @schema
      # type: [object, string]
      # @schema
      pod: {}
      # @schema
      # type: [object, string]
      # @schema
      container: {}
  # Should the server pods run on the host network
  hostNetwork: false
# vHSM UI
ui:
  # @schema
  # type: [boolean, string]
  # @schema
  # True if you want to create a Service entry for the Vault UI.
  #
  # serviceType can be used to control the type of service created. For
  # example, setting this to "LoadBalancer" will create an external load
  # balancer (for supported K8S installations) to access the UI.
  enabled: false
  publishNotReadyAddresses: true
  # The service should only contain selectors for active Vault pod
  activeVaultPodOnly: false
  serviceType: "ClusterIP"
  # @schema
  # type: [null, integer]
  # @schema
  serviceNodePort: null
  externalPort: 8200
  targetPort: 8200
  # The IP family and IP families options are to set the behaviour in a dual-stack environment.
  # Omitting these values will let the service fall back to whatever the CNI dictates the defaults
  # should be.
  # These are only supported for kubernetes versions >=1.23.0
  #
  # Configures the service's supported IP family, can be either:
  #     SingleStack: Single-stack service. The control plane allocates a cluster IP for the Service, using the first configured service cluster IP range.
  #     PreferDualStack: Allocates IPv4 and IPv6 cluster IPs for the Service.
  #     RequireDualStack: Allocates Service .spec.ClusterIPs from both IPv4 and IPv6 address ranges.
  serviceIPFamilyPolicy: ""
  # Sets the families that should be supported and the order in which they should be applied to ClusterIP as well
  # Can be IPv4 and/or IPv6.
  serviceIPFamilies: []
  # The externalTrafficPolicy can be set to either Cluster or Local
  # and is only valid for LoadBalancer and NodePort service types.
  # The default value is Cluster.
  # ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-traffic-policy
  externalTrafficPolicy: Cluster
  #loadBalancerSourceRanges:
  #   - 10.0.0.0/16
  #   - 1.78.23.3/32

  # loadBalancerIP:

  # @schema
  # type: [object, string]
  # @schema
  # Extra annotations to attach to the ui service
  # This can either be YAML or a YAML-formatted multi-line templated string map
  # of the annotations to apply to the ui service
  annotations: {}

# Vault is able to collect and publish various runtime metrics.
# Enabling this feature requires setting adding `telemetry{}` stanza to
# the Vault configuration. There are a few examples included in the `config` sections above.
#
# For more information see:
# https://developer.hashicorp.com/vault/docs/configuration/telemetry
# https://developer.hashicorp.com/vault/docs/internals/telemetry
serverTelemetry:
  # Enable support for the Prometheus Operator. Currently, this chart does not support
  # authenticating to Vault's metrics endpoint, so the following `telemetry{}` must be included
  # in the `listener "tcp"{}` stanza
  #  telemetry {
  #    unauthenticated_metrics_access = "true"
  #  }
  #
  # See the `standalone.config` for a more complete example of this.
  #
  # In addition, a top level `telemetry{}` stanza must also be included in the Vault configuration:
  #
  # example:
  #  telemetry {
  #    prometheus_retention_time = "30s"
  #    disable_hostname = true
  #  }
  #
  # Configuration for monitoring the Vault server.
  serviceMonitor:
    # The Prometheus operator *must* be installed before enabling this feature,
    # if not the chart will fail to install due to missing CustomResourceDefinitions
    # provided by the operator.
    #
    # Instructions on how to install the Helm chart can be found here:
    #  https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack
    # More information can be found here:
    #  https://github.com/prometheus-operator/prometheus-operator
    #  https://github.com/prometheus-operator/kube-prometheus

    # Enable deployment of the Vault Server ServiceMonitor CustomResource.
    enabled: false
    tlsConfig: {}
    authorization: {}
    # Selector labels to add to the ServiceMonitor.
    # When empty, defaults to:
    #  release: prometheus
    selectors: {}
    # Interval at which Prometheus scrapes metrics
    interval: 30s
    # Timeout for Prometheus scrapes
    scrapeTimeout: 10s
  prometheusRules:
    # The Prometheus operator *must* be installed before enabling this feature,
    # if not the chart will fail to install due to missing CustomResourceDefinitions
    # provided by the operator.

    # Deploy the PrometheusRule custom resource for AlertManager based alerts.
    # Requires that AlertManager is properly deployed.
    enabled: false
    # Selector labels to add to the PrometheusRules.
    # When empty, defaults to:
    #  release: prometheus
    selectors: {}
    # Some example rules.
    rules: []
    #  - alert: vault-HighResponseTime
    #    annotations:
    #      message: The response time of Vault is over 500ms on average over the last 5 minutes.
    #    expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500
    #    for: 5m
    #    labels:
    #      severity: warning
    #  - alert: vault-HighResponseTime
    #    annotations:
    #      message: The response time of Vault is over 1s on average over the last 5 minutes.
    #    expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000
    #    for: 5m
    #    labels:
    #      severity: critical