80 lines
1.9 KiB
YAML
80 lines
1.9 KiB
YAML
server:
|
|
dataStorage:
|
|
enabled: true
|
|
size: 1Gi
|
|
storageClass: nfs-client
|
|
|
|
standalone:
|
|
enabled: true
|
|
config: |
|
|
ui = true
|
|
|
|
storage "file" {
|
|
path = "/vault/data"
|
|
}
|
|
|
|
listener "tcp" {
|
|
address = "0.0.0.0:8200"
|
|
tls_disable = 1
|
|
}
|
|
|
|
disable_mlock = true
|
|
|
|
extraEnvironmentVars:
|
|
VAULT_ADDR: http://127.0.0.1:8200
|
|
|
|
extraInitContainers:
|
|
- name: configure-oidc
|
|
image: hashicorp/vault:1.15.5
|
|
command:
|
|
- /bin/sh
|
|
- -c
|
|
- |
|
|
echo "Waiting for Vault to initialize..."
|
|
until curl -s http://vault:8200/v1/sys/health | grep '"initialized":true'; do
|
|
sleep 2
|
|
done
|
|
|
|
export VAULT_ADDR=http://vault:8200
|
|
vault auth enable oidc || true
|
|
|
|
vault write auth/oidc/config \
|
|
oidc_discovery_url="https://keycloack.dvirlabs.com/realms/lab" \
|
|
oidc_client_id="vault" \
|
|
oidc_client_secret="8GWiUqwUZimb4xXHqFNTYCrTkKyc9hrY" \
|
|
default_role="vault-role"
|
|
|
|
vault write auth/oidc/role/vault-role \
|
|
bound_audiences="vault" \
|
|
allowed_redirect_uris="https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback" \
|
|
user_claim="preferred_username" \
|
|
groups_claim="groups" \
|
|
oidc_scopes="profile email groups" \
|
|
policies="default" \
|
|
ttl="1h"
|
|
|
|
env:
|
|
- name: VAULT_TOKEN
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: vault-init
|
|
key: root-token
|
|
|
|
ui:
|
|
enabled: true
|
|
|
|
ingress:
|
|
enabled: true
|
|
ingressClassName: traefik
|
|
annotations:
|
|
traefik.ingress.kubernetes.io/router.entrypoints: websecure
|
|
traefik.ingress.kubernetes.io/router.tls: "true"
|
|
hosts:
|
|
- host: vault.dvirlabs.com
|
|
paths:
|
|
- path: /
|
|
pathType: Prefix
|
|
tls:
|
|
- hosts:
|
|
- vault.dvirlabs.com
|