# Available parameters and their default values for the Vault chart.

global:
  enabled: true
  imagePullSecrets:
    - name: sncr-docker-registry-secret
  tlsDisable: true

injector:
  enabled: false
  image:
    repository: "<our-internal-docker-repo>"
    tag: "0.3.0"
  agentImage:
    repository: "<our-internal-docker-repo>"
    tag: "1.4.0"

  resources:
    requests:
      memory: 256Mi
      cpu: 250m
    limits:
      memory: 256Mi
      cpu: 250m

server:

  image:
    repository: "<our-internal-docker-repo>"
    tag: "1.4.0"

  resources:
    requests:
      memory: 256Mi
      cpu: 250m
    limits:
      memory: 256Mi
      cpu: 250m

  ingress:
    enabled: true
    labels: {}
    annotations: |
      external-dns.alpha.kubernetes.io/hostname: vault.poc.dots.synchronoss.net
      kubernetes.io/ingress.class: alb
      alb.ingress.kubernetes.io/listen-ports: "[{\"HTTPS\":443}, {\"HTTPS\":8200}]"
      alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:XXXXXXXXXX:certificate/YYYYYYYYYYYYYYYYYYY
      alb.ingress.kubernetes.io/subnets: subnet-xxxxxx,subnet-yyyyy
      alb.ingress.kubernetes.io/scheme: internal
      alb.ingress.kubernetes.io/backend-protocol: HTTP
      alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
      alb.ingress.kubernetes.io/healthcheck-path: /v1/sys/health?standbyok=true
      alb.ingress.kubernetes.io/load-balancer-attributes:  access_logs.s3.enabled=true,access_logs.s3.bucket=dots.nonprod.eks.poc.access.logs,access_logs.s3.prefix=vault

    hosts:
      - host:  vault.poc.dots.synchronoss.net
        paths:
          - /*
  readinessProbe:
    enabled: true
    #path: /v1/sys/health?standbyok=true
  livenessProbe:
    enabled: true
    #path: /v1/sys/health?standbyok=true

  service:
    enabled: true
    type: NodePort
    port: 8200
    targetPort: 8200

  dataStorage:
    enabled: true
    size: 10Gi
    storageClass: null
    accessMode: ReadWriteOnce

  auditStorage:
    enabled: false

  dev:
    enabled: false

  standalone:
    enabled: false

  ha:
    enabled: true
    replicas: 2
    raft:
      enabled: true
      config: |
        ui = true
        log_level = "trace"

        listener "tcp" {
          tls_disable = 1
          address = "[::]:8200"
          cluster_address = "[::]:8201"
        }

        storage "raft" {
          path = "/vault/data"

          retry_join {
            leader_api_addr = "http://vault-0.vault-internal:8200"
          }

          retry_join {
            leader_api_addr = "http://vault-1.vault-internal:8200"
          }
        }

        seal "awskms" {
         region     = "us-east-1"
         kms_key_id = "<key-id>"
        }

        service_registration "kubernetes" {}

  serviceAccount:
    annotations: |
     eks.amazonaws.com/role-arn: arn:aws:iam::XXXXXXXXXXX:role/vault-kms

# Vault UI
ui:
  enabled: true
  serviceType: "NodePort"
  serviceNodePort: null
  externalPort: 8200