# kms-vault-operator

KMS Vault operator

## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| authMethodVariables | list | `[{"name":"VAULT_K8S_ROLE","value":"kms-vault-operator"},{"name":"VAULT_K8S_LOGIN_ENDPOINT","value":"auth/kubernetes/login"}]` | The set of environment variables required to configure the authentication method used by the operator. Which variables are needed depends on the value of vaultAuthenticationMethod; they are documented in the operator documentation. |
| aws | object | `{"iamCredentialsSecrets":null,"region":"us-east-1"}` | AWS settings for KMS access. aws.region is the value set on the AWS_DEFAULT_REGION environment variable. |
| aws.iamCredentialsSecrets | string | `nil` | A list of environment variables and their references to Secrets that need to be added to the operator as environment variables for KMS operations. Typically either this or .podAnnotations (and/or .validatingWebhook.podAnnotations) is required for AWS authentication. |
| global.imagePullPolicy | string | `"IfNotPresent"` | The imagePullPolicy to be used on both the operator and the webhook. |
| global.imageVersion | string | `"v0.15.0"` | The image version used for both the operator and the webhook. |
| global.podAnnotations | object | `{}` | A map of annotations to be set on both the operator and webhook pods. Useful if using an annotation-based system like kube2iam for dynamically injecting credentials. |
| global.prometheusMonitoring.enable | bool | `false` | Controls whether the ServiceMonitor objects are created for both the operator and the webhook. |
| global.prometheusMonitoring.serviceMonitor.customLabels | string | `nil` | Custom labels to add to the ServiceMonitor objects. |
| global.resources | string | `nil` | Map of cpu/memory resource requests and limits, to be set on both the operator and the webhook. |
| imagePullPolicy | string | `nil` | The imagePullPolicy to be used on the operator. Defaults to .global.imagePullPolicy. |
| imageVersion | string | `nil` | The image version used for the operator. Defaults to .global.imageVersion. |
| podAnnotations | string | `nil` | A map of annotations to be set on the operator pods. Useful if using an annotation-based system like kube2iam for dynamically injecting credentials. Typically either this or .aws.iamCredentialsSecrets is required for AWS authentication. |
| prometheusMonitoring.enable | string | `nil` | Create the Service and ServiceMonitor objects to enable Prometheus monitoring on the operator. Defaults to .global.prometheusMonitoring.enable. |
| prometheusMonitoring.serviceMonitor.customLabels | string | `nil` | Custom labels to add to the operator ServiceMonitor object. |
| resources | string | `nil` | Map of cpu/memory resource requests and limits, to be set on the operator. |
| serviceAccount.name | string | `"kms-vault-operator"` | The name of the ServiceAccount to be created. |
| syncPeriodSeconds | int | `120` | The value to be set on the --sync-period-seconds flag. |
| tls.certFileName | string | `"ca.crt"` | The name of the CA cert file mounted at .tls.mountPath. The default of ca.crt corresponds to the file name generated by cert-manager. |
| tls.enable | bool | `false` | Controls whether the operator's Vault client should use TLS when talking to the target Vault server. |
| tls.mountPath | string | `"/tls"` | The path where the CA cert from the Secret should be mounted. |
| tls.secretName | string | `nil` | The name of the Secret from which the CA cert will be mounted. Required if tls.enable is set to true. |
| validatingWebhook.affinity | string | `nil` | Affinity/anti-affinity rules for scheduling the webhook pods, as described in the Kubernetes documentation. This map is set as is on the Deployment object. |
| validatingWebhook.caBundle | string | `"Cg=="` | The base64-encoded public CA certificate to be set on the ValidatingWebhookConfiguration. Note that it defaults to Cg==, a base64-encoded blank value. If this value is not populated automatically by cert-manager or some other mutating webhook, it must be set explicitly. |
| validatingWebhook.certManager.apiVersion | string | `"cert-manager.io/v1alpha2"` | The apiVersion of the Certificate object created by the chart. It depends on the API versions made available by the cert-manager release running on the cluster. |
| validatingWebhook.certManager.duration | string | `"2160h"` | The value to be set directly on the duration field of the Certificate. |
| validatingWebhook.certManager.injectSecret | bool | `true` | Enables auto-injection of a certificate managed by cert-manager. |
| validatingWebhook.certManager.issuerRef | object | `{"kind":"ClusterIssuer","name":"selfsigning-issuer"}` | The name and kind of the cert-manager issuer to be used. |
| validatingWebhook.certManager.renewBefore | string | `"360h"` | The value to be set directly on the renewBefore field of the Certificate. |
| validatingWebhook.enabled | bool | `false` | Deploy the resources that enable the webhook used for custom resource validation. The rest of the settings under validatingWebhook are ignored if this is set to false. |
| validatingWebhook.failurePolicy | string | `"Fail"` | The value to set directly on the failurePolicy of the ValidatingWebhookConfiguration. Valid values are Fail or Ignore. |
| validatingWebhook.imagePullPolicy | string | `nil` | The imagePullPolicy to be used on the webhook. Defaults to .global.imagePullPolicy. |
| validatingWebhook.imageVersion | string | `nil` | The image version used for the webhook. Defaults to .global.imageVersion. |
| validatingWebhook.namespaceSelectorExpressions | list | `[{"key":"kms-vault-operator","operator":"DoesNotExist"}]` | Label selector expressions that determine which namespaces are in scope for the validating webhook. |
| validatingWebhook.podAnnotations | string | `nil` | A map of annotations to be set on the webhook pods. Useful if using an annotation-based system like kube2iam for dynamically injecting credentials. |
| validatingWebhook.prometheusMonitoring.enable | string | `nil` | Create the Service and ServiceMonitor objects to enable Prometheus monitoring on the webhook. Defaults to .global.prometheusMonitoring.enable. |
| validatingWebhook.prometheusMonitoring.serviceMonitor.customLabels | string | `nil` | Custom labels to add to the webhook ServiceMonitor object. |
| validatingWebhook.replicas | int | `1` | Number of replicas of the validating webhook to deploy. |
| validatingWebhook.resources | string | `nil` | Map of cpu/memory resource requests and limits, to be set on the webhook. |
| validatingWebhook.tls.certFileName | string | `"tls.crt"` | The name of the certificate file within the key pair mounted at .validatingWebhook.tls.mountPath. |
| validatingWebhook.tls.mountPath | string | `"/tls"` | The path where the certificate key pair will be mounted. |
| validatingWebhook.tls.privateKeyFileName | string | `"tls.key"` | The name of the private key file within the key pair mounted at .validatingWebhook.tls.mountPath. |
| validatingWebhook.tls.secretName | string | `"kms-vault-validating-webhook"` | The name of the Secret that contains the certificate key pair to be used by the webhook. Only used if validatingWebhook.certManager.injectSecret is set to false. |
| vault.address | string | `"https://vault:8200"` | The API endpoint of the target Vault cluster. |
| vaultAuthenticationMethod | string | `"k8s"` | The value to be set on the --vault-authentication-method flag. |
| watchNamespace | string | `""` | The value to be set on the WATCH_NAMESPACE environment variable. |