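---
# Helm values for the HashiCorp Vault chart, single-node ("standalone") mode,
# published behind a Traefik ingress with OIDC login through Keycloak.
#
# NOTE(review): this file arrived with all line breaks collapsed; the nesting
# below was reconstructed from the key names and the vault-helm layout
# (`server.ingress`, `server.nodeSelector`, top-level `ui`/`csi`). Confirm it
# against the chart's values.yaml for the version in use.
server:
  # Kubernetes Secret whose keys become environment variables of the Vault
  # container (the OIDC client secret lives here, not in this file).
  # NOTE(review): verify `envFromSecret` is a key of the chart version in use;
  # the chart's documented mechanism is `extraSecretEnvironmentVars`.
  envFromSecret: vault-oidc-secret

  dataStorage:
    enabled: true
    size: 1Gi
    storageClass: nfs-client

  standalone:
    enabled: true
    # Vault *server* configuration (HCL), rendered by the chart into a
    # ConfigMap. Only server stanzas belong here (storage, listener, seal,
    # telemetry, ...). Vault rejects unknown top-level stanzas at startup, so
    # the `auth "oidc"` / `role "vault-admins"` blocks that used to sit in this
    # block would have prevented the server from starting; auth methods and
    # roles are runtime objects written through the API after init/unseal —
    # see the OIDC comment block further down.
    config: |
      ui = true

      # Single-node file storage: no HA and no leader election. Moving to more
      # than one replica requires the chart's `ha` mode with a backend such as
      # Raft, not a second pod on the same path.
      storage "file" {
        path = "/vault/data"
      }

      # Plain HTTP on the pod listener; TLS is terminated at the Traefik
      # ingress. The ingress-to-pod hop is unencrypted inside the cluster, so
      # this relies on the cluster network being trusted.
      listener "tcp" {
        address     = "0.0.0.0:8200"
        tls_disable = 1
      }

      # mlock is usually unavailable to unprivileged containers.
      disable_mlock = true

  # OIDC auth method and role. These were previously written as HCL stanzas
  # inside `standalone.config`, where Vault does not accept them and where the
  # client secret would have been rendered into a ConfigMap (the chart does not
  # expand `${...}` placeholders in that block). Apply once after init/unseal,
  # reading the secret from the environment rather than pasting it:
  #
  #   vault auth enable oidc
  #   vault write auth/oidc/config \
  #     oidc_discovery_url="https://keycloak.dvirlabs.com/realms/lab" \
  #     oidc_client_id="vault" \
  #     oidc_client_secret="$VAULT_OIDC_CLIENT_SECRET" \
  #     default_role="vault-admins"
  #   vault write auth/oidc/role/vault-admins \
  #     bound_audiences="vault" \
  #     allowed_redirect_uris="https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback" \
  #     user_claim="sub" \
  #     groups_claim="groups" \
  #     bound_claims='{"groups":"vault-admins"}' \
  #     policies="vault-admin"
  #
  # `policies` is the older parameter name; current Vault releases document it
  # as `token_policies`, and both accept a comma-separated list.

  # Plain (non-secret) environment for the Vault container.
  # The former `VAULT_OIDC_CLIENT_SECRET: ${VAULT_OIDC_CLIENT_SECRET}` entry was
  # removed: Helm and Kubernetes do not expand `${VAR}` in `env` values, and a
  # plain `env` entry takes precedence over `envFrom`, so it would have replaced
  # the real secret with the literal string "${VAULT_OIDC_CLIENT_SECRET}".
  extraEnvironmentVars:
    # Matches the plaintext listener above; only used by in-pod CLI calls.
    VAULT_ADDR: http://127.0.0.1:8200

  ingress:
    enabled: true
    ingressClassName: traefik
    annotations:
      traefik.ingress.kubernetes.io/router.entrypoints: websecure
      traefik.ingress.kubernetes.io/router.tls: "true"
    # NOTE(review): in vault-helm `hosts[].paths` is a list of path strings and
    # the path type is set once via `server.ingress.pathType`; the mapping form
    # below is kept as written — verify it renders as intended.
    hosts:
      - host: vault.dvirlabs.com
        paths:
          - path: /
            pathType: Prefix
    # No `secretName`: Traefik serves its default certificate for this host
    # unless a certificate resolver is configured on the router.
    tls:
      - hosts:
          - vault.dvirlabs.com

  nodeSelector:
    node-role.kubernetes.io/worker: "true"

ui:
  enabled: true

csi:
  enabled: false

# NOTE(review): `agent` is not a top-level value of the vault-helm chart as far
# as I can tell; the sidecar injector is toggled with `injector.enabled`.
# Kept as written until confirmed against the chart version in use.
agent:
  enabled: false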