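# Helm values for a standalone Vault server with OIDC login and a Traefik
# ingress.
# NOTE(review): the nesting below was rebuilt from a flattened listing; confirm
# it against the chart's values schema before applying.
server:
  dataStorage:
    enabled: true
    size: 1Gi
    storageClass: nfs-client

  standalone:
    enabled: true
    # The listener binds every pod interface with TLS switched off, so TLS is
    # only terminated at the ingress and tokens/secrets travel in clear text
    # between the ingress controller and the Vault pod. Mounting a certificate
    # and setting tls_cert_file / tls_key_file on the listener closes that gap.
    config: |
      ui = true

      storage "file" {
        path = "/vault/data"
      }

      listener "tcp" {
        address = "0.0.0.0:8200"
        tls_disable = 1
      }

      disable_mlock = true

  extraEnvironmentVars:
    VAULT_ADDR: http://127.0.0.1:8200

  # The OIDC client secret is injected from a Kubernetes Secret instead of being
  # written into this values file, which ends up in version control and in the
  # Helm release record. The names below are placeholders for a Secret created
  # out of band. The value that was previously committed inline should be
  # rotated at the identity provider, since it remains in history.
  extraSecretEnvironmentVars:
    - envName: OIDC_CLIENT_SECRET
      secretName: REPLACE_WITH_SECRET_NAME
      secretKey: REPLACE_WITH_SECRET_KEY

  # Bootstraps the OIDC auth method and a single role after the container
  # starts.
  # NOTE(review): nothing in this file supplies a Vault token to these commands;
  # `vault auth enable` and `vault write` need an authenticated session against
  # an initialized, unsealed server - confirm how that is provided.
  # NOTE(review): the upstream hashicorp/vault chart documents server.postStart
  # as a flat list of command strings; confirm the `command:` wrapper is what
  # the chart version in use expects.
  postStart:
    command:
      - /bin/sh
      - -c
      - |
        export VAULT_ADDR=http://127.0.0.1:8200
        vault auth enable oidc
        vault write auth/oidc/config \
          oidc_discovery_url="https://keycloack/realms/lab" \
          oidc_client_id="vault" \
          oidc_client_secret="${OIDC_CLIENT_SECRET}" \
          default_role="vault-role"
        vault write auth/oidc/role/vault-role \
          bound_audiences="vault" \
          allowed_redirect_uris="https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback" \
          user_claim="preferred_username" \
          groups_claim="groups" \
          oidc_scopes="profile email groups" \
          policies="default" \
          ttl="1h"

ui:
  enabled: true

# NOTE(review): the upstream hashicorp/vault chart reads ingress settings from
# server.ingress; confirm this top-level placement is picked up by the chart.
ingress:
  enabled: true
  ingressClassName: traefik
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
  hosts:
    - host: vault.dvirlabs.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - hosts:
        - vault.dvirlabs.com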