69 lines
1.4 KiB
YAML
69 lines
1.4 KiB
YAML
server:
|
|
envFromSecret: vault-oidc-secret
|
|
|
|
dataStorage:
|
|
enabled: true
|
|
size: 1Gi
|
|
storageClass: nfs-client
|
|
|
|
standalone:
|
|
enabled: true
|
|
config: |
|
|
ui = true
|
|
|
|
storage "file" {
|
|
path = "/vault/data"
|
|
}
|
|
|
|
listener "tcp" {
|
|
address = "0.0.0.0:8200"
|
|
tls_disable = 1
|
|
}
|
|
|
|
disable_mlock = true
|
|
|
|
auth "oidc" {
|
|
config = {
|
|
oidc_discovery_url = "https://keycloak.dvirlabs.com/realms/lab"
|
|
oidc_client_id = "vault"
|
|
oidc_client_secret = "${VAULT_OIDC_CLIENT_SECRET}"
|
|
default_role = "vault-admins"
|
|
}
|
|
}
|
|
|
|
role "vault-admins" {
|
|
bound_audiences = "vault"
|
|
allowed_redirect_uris = "https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback"
|
|
user_claim = "sub"
|
|
groups_claim = "groups"
|
|
bound_claims = { "groups": "vault-admins" }
|
|
policies = ["vault-admin"]
|
|
}
|
|
|
|
extraEnvironmentVars:
|
|
VAULT_ADDR: http://127.0.0.1:8200
|
|
VAULT_OIDC_CLIENT_SECRET: ${VAULT_OIDC_CLIENT_SECRET}
|
|
|
|
ui:
|
|
enabled: true
|
|
|
|
ingress:
|
|
enabled: true
|
|
ingressClassName: traefik
|
|
annotations:
|
|
traefik.ingress.kubernetes.io/router.entrypoints: websecure
|
|
traefik.ingress.kubernetes.io/router.tls: "true"
|
|
hosts:
|
|
- host: vault.dvirlabs.com
|
|
paths:
|
|
- path: /
|
|
pathType: Prefix
|
|
tls:
|
|
- hosts:
|
|
- vault.dvirlabs.com
|
|
|
|
csi:
|
|
enabled: false
|
|
agent:
|
|
enabled: false
|