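---
# Default values for the app-level SecretProviderClass (SPC) chart.
# NOTE(review): indentation was lost in the rendered copy this file was recovered
# from; the nesting below is reconstructed from the key comments and the SPC
# fields they reference — confirm against the chart templates before relying on it.

# -- Settings for app-level SecretProviderClass rendering
# @default -- see nested keys
ocpSecretsStoreCsiVault:
  # -- Optional key under `clusterGroup.applications` used to resolve workload
  # auth attributes (`ssCsiWorkloadAuth`).
  applicationKey: ""
  # -- Index into `clusterGroup.applications[applicationKey].ssCsiWorkloadAuth`
  # when multiple entries are present.
  workloadAuthIndex: 0
  secretProviderClass:
    # -- When true, render SecretProviderClass manifests from this chart.
    enabled: true
    # -- When true, render default SPC manifests from
    # `templates/install-default-manifests.yaml`.
    installDefaultManifests: false
    # -- metadata.name of the SecretProviderClass (referenced from pod
    # volumeAttributes)
    name: vault-hub-secrets
    # -- Namespace where the SecretProviderClass is created
    namespace: ""
    vault:
      # -- If non-empty, used as `spec.parameters.vaultAddress` (external Vault
      # endpoint). Use an `https://` URL; over plain http the Vault token and
      # every fetched secret cross the wire in clear text.
      externalAddress: ""
      # -- Optional override for hub-style `vaultKubernetesMountPath`. Empty
      # defaults to `hub` when
      # `global.localClusterDomain == global.hubClusterDomain`, else
      # `global.clusterDomain`.
      hubMountPath: ""
      auth:
        # -- Vault auth method for SecretProviderClass `spec.parameters.authType`.
        # Defaults to `kubernetes`.
        method: kubernetes
        # -- Vault Kubernetes auth role name for hub-style auth (used when
        # `auth.method` is `kubernetes`). Keep the role's bound service accounts,
        # namespaces and policies on the Vault side scoped to what the workload
        # actually reads.
        roleName: hub-role
        # -- Extra auth parameters merged into `spec.parameters` for non-kubernetes
        # methods (for example AppRole, JWT, token). Keys/values are passed through
        # as provided.
        # NOTE: a SecretProviderClass is not a Secret — anything placed here is
        # rendered in plain text into the manifest (and into this values file when
        # committed). Do not embed static credentials such as a Vault token or an
        # AppRole secret_id; prefer the `kubernetes` method.
        extraParameters: {}
    # -- KV objects to expose as files under the CSI mount (Vault CSI `objects`
    # list)
    # @default -- example placeholder; replace with your paths
    objects:
      - objectName: example-password
        secretPath: secret/data/example/app
        secretKey: password
    # -- Optional: sync mounted objects into native Kubernetes Secrets (CSI
    # `secretObjects`). Synced Secrets are persisted in etcd and readable by any
    # principal with `get secrets` in the namespace, so leave this empty unless a
    # workload cannot consume the mounted files directly.
    secretObjects: []
    # -- TLS options for the Vault CSI provider. This chart only references an
    # existing trust path and does not create CA material.
    tls:
      # -- Must stay a quoted string: SPC `spec.parameters` values are strings.
      # Setting it to "true" disables verification of the Vault server
      # certificate and exposes every fetched secret to interception; fix trust
      # with `vaultCACertPath` or `projectedClusterCa` instead.
      vaultSkipTLSVerify: "false"
      # -- Explicit PEM path on the CSI provider pod. When non-empty, wins over
      # `projectedClusterCa`.
      vaultCACertPath: ""
      # -- Optional server name used for TLS verification (SNI) when it differs
      # from the host part of the Vault address; leave empty otherwise.
      vaultTLSServerName: ""
      # -- When `enabled` is true and `vaultCACertPath` is empty, set
      # `vaultCACertPath` to the bundle file under **openshift-sscsi-vault**
      # defaults (CNO proxy merge `ca-bundle.crt` vs PEM `vault-tls-ca.pem`).
      # Align these fields with
      # `ocpSecretsStoreCsiVault.caProvider.syncProviderCaConfigMap` on that chart.
      projectedClusterCa:
        enabled: false
        mountDir: "/etc/pki/vault-ca"
        injectTrustedCabundle: true
        trustedCabundleDataKey: "ca-bundle.crt"
        keyInConfigMap: "vault-tls-ca.pem"

# -- Global values aligned with openshift-external-secrets chart patterns
global:
  # -- Hub Vault route host suffix (`vault-vault.<hubClusterDomain>`). Use the apps/API
  # ingress form (for example `apps.hub.example.com`), same style as localClusterDomain.
  # NOTE(review): the shipped default below lacks the `apps.` prefix this comment
  # asks for; override it per deployment rather than relying on the default.
  hubClusterDomain: hub.example.com
  # -- Vault Kubernetes auth role prefix on spokes (`<clusterDomain>-role`,
  # `<clusterDomain>-sscsi-<slug>`). In validated patterns this matches
  # **clustergroup-chart** `global.clusterDomain`: cluster FQDN **without** the
  # `apps.` component (framework-set). See `localClusterDomain` for the apps form.
  clusterDomain: foo.example.com
  # -- Apps/API ingress FQDN (with `apps.`). Compared to `hubClusterDomain` for
  # hub vs spoke detection; when equal to `hubClusterDomain`, spoke
  # `vaultKubernetesMountPath` is `hub`. Spoke mount path is otherwise
  # `global.clusterDomain` (without `apps.`), not this field.
  localClusterDomain: ""

# -- Per-application settings; `ocpSecretsStoreCsiVault.applicationKey` indexes
# into `applications` to resolve `ssCsiWorkloadAuth`.
clusterGroup:
  applications: {}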