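---
# Helm values for the vault-kms add-on: a 3-replica Vault HA cluster on
# integrated Raft storage, auto-unsealed with AWS KMS through an IRSA role.
vault:
  fullnameOverride: vault
  server:
    standalone:
      enabled: false
    ha:
      enabled: true
      replicas: 3
      raft:
        enabled: true
        setNodeId: true
        # https://github.com/hashicorp/vault/issues/21478
        # Vault no longer respects AWS_ROLE_ARN
        # or AWS_WEB_IDENTITY_TOKEN_FILE for AWS KMS,
        # so role_arn and web_identity_token_file are set explicitly in the seal stanza.
        config: |
          ui = true
          listener "tcp" {
            address = "[::]:8200"
            cluster_address = "[::]:8201"
            # Plaintext API listener: nothing in this file configures TLS for the
            # listener or for the ingress below, so confirm where TLS is terminated.
            tls_disable = 1
          }
          storage "raft" {
            path = "/vault/data"
            # One retry_join per replica (replicas: 3), reached through the
            # vault-internal service over plain http (consistent with tls_disable).
            retry_join {
              leader_api_addr = "http://vault-0.vault-internal:8200"
            }
            retry_join {
              leader_api_addr = "http://vault-1.vault-internal:8200"
            }
            retry_join {
              leader_api_addr = "http://vault-2.vault-internal:8200"
            }
          }
          service_registration "kubernetes" {}
          seal "awskms" {
            region = "eu-central-1"
            # Placeholder value: replace with the real KMS key id before deploying.
            kms_key_id = "KMS_KEY_ID"
            # Must be the same IRSA role as the serviceAccount annotation below.
            role_arn = "arn:aws:iam::012345678910:role/AWSIRSA_Shared_Vault"
            web_identity_token_file = "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"
          }
    serviceAccount:
      annotations:
        # IRSA role assumed for the awskms seal above; quoted so tooling never retypes it.
        eks.amazonaws.com/role-arn: "arn:aws:iam::012345678910:role/AWSIRSA_Shared_Vault"
    dataStorage:
      enabled: true
      size: 1Gi
    ingress:
      enabled: true
      # No `tls:` stanza is defined here; confirm TLS is applied at the ingress
      # controller or elsewhere, since the backend listener is plaintext.
      hosts:
        - host: vault.example.com
          paths:
            - /
  ui:
    enabled: true

job:
  clusterApiUrl: "https://cluster-api.com"
  keycloakUrl: "https://keycloak.example.com/auth/realms/shared"
  # Bare host, unlike the two URLs above — confirm the job expects no scheme here.
  vaultUrl: "vault.example.com"

# Configuration for setting up resources in Keycloak to enable OIDC authentication.
# Prerequisite: Ensure that the Keycloak Operator is installed and integrated with Keycloak.
# Refer to the installation guide for the Keycloak Operator:
# https://github.com/epam/edp-cluster-add-ons/tree/main/clusters/core/addons/keycloak-operator
#
# Additionally, necessary Keycloak resources such as realms, roles, and groups must be created
# to support component functionality. This can be done using the provided add-ons or manually:
# https://github.com/epam/edp-cluster-add-ons/tree/main/clusters/core/addons/kuberocketci-rbac
oidc:
  enabled: false

# This section enables configuration for using External Secrets Operator (ESO) as the secret manager.
# Prerequisite: Ensure that ESO is installed in the cluster.
# Refer to the EDP cluster add-on for ESO installation and setup:
# https://github.com/epam/edp-cluster-add-ons/tree/main/clusters/core/addons/external-secrets
#
# Ensure that you have created the necessary roles for ESO integration.
# Follow the detailed instructions here:
# https://docs.kuberocketci.io/docs/operator-guide/secrets-management/external-secrets-operator-integration#aws-parameter-store-scenario-in-kuberocketci
eso:
  # -- Install components of the ESO.
  enabled: true
  # -- Defines provider type. One of `aws` or `generic`.
  type: "aws"
  # -- Defines Secret Store name.
  secretStoreName: "aws-parameterstore"
  # -- Value name in AWS ParameterStore, AWS SecretsManager or other Secret Store.
  secretName: "/infra/core/addons/vault"
  # -- Role ARN for the ExternalSecretOperator to assume (quoted like the other values in this section).
  roleArn: "arn:aws:iam::012345678910:role/AWSIRSA_Shared_ExternalSecretOperatorAccess"
  # Defines Secret Store configuration. Used when eso.type is set to "generic".
  generic:
    secretStore:
      # -- Defines SecretStore provider configuration.
      providerConfig: {}
      # gcpsm:
      #   projectID: "alphabet-123"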