server:
  dataStorage:
    enabled: true
    size: 1Gi
    storageClass: nfs-client

  standalone:
    enabled: true
    config: |
      ui = true

      storage "file" {
        path = "/vault/data"
      }

      listener "tcp" {
        address     = "0.0.0.0:8200"
        tls_disable = 1
      }

      disable_mlock = true

  extraEnvironmentVars:
    VAULT_ADDR: http://127.0.0.1:8200

  # extraInitContainers:
  #   - name: configure-oidc
  #     image: hashicorp/vault:1.15.5
  #     command:
  #       - /bin/sh
  #       - -c
  #       - |
  #         echo "Waiting for Vault to initialize..."
  #         until curl -s http://vault:8200/v1/sys/health | grep '"initialized":true'; do
  #           sleep 2
  #         done

  #         export VAULT_ADDR=http://vault:8200
  #         vault auth enable oidc || true

  #         vault write auth/oidc/config \
  #           oidc_discovery_url="https://keycloack.dvirlabs.com/realms/lab" \
  #           oidc_client_id="vault" \
  #           oidc_client_secret="8GWiUqwUZimb4xXHqFNTYCrTkKyc9hrY" \
  #           default_role="vault-role"

  #         vault policy write oidc-ui-access - <<EOF
  #         path "auth/oidc/role/vault-role" {
  #           capabilities = ["read"]
  #         }
  #         EOF

  #         vault write auth/oidc/role/vault-role \
  #           bound_audiences="vault" \
  #           allowed_redirect_uris="https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback" \
  #           user_claim="preferred_username" \
  #           groups_claim="groups" \
  #           oidc_scopes="profile email groups" \
  #           policies="default" \
  #           token_policies="oidc-ui-access" \
  #           ttl="1h"


  #     env:
  #       - name: VAULT_TOKEN
  #         valueFrom:
  #           secretKeyRef:
  #             name: vault-init
  #             key: root-token

ui:
  enabled: true

ingress:
  enabled: true
  ingressClassName: traefik
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
  hosts:
    - host: vault.dvirlabs.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - hosts:
        - vault.dvirlabs.com

csi:
  agent:
    enabled: false