secretumvault/helm/values.yaml

---
# SecretumVault Helm Chart Values

# Global settings
global:
  namespace: secretumvault

# Vault Deployment settings
vault:
  replicas: 1
  image:
    repository: secretumvault
    tag: latest
    pullPolicy: IfNotPresent

  # Configuration
  config:
    cryptoBackend: openssl  # openssl | aws-lc
    storageBackend: etcd    # etcd | surrealdb | filesystem
    sealType: shamir        # shamir | auto

    # Seal configuration (Shamir Secret Sharing)
    seal:
      threshold: 2
      shares: 3

    # Secrets engines to mount
    engines:
      kv: true
      transit: true
      pki: true
      database: true

    # Logging configuration
    logging:
      level: info
      format: json
      ansi: true

    # Telemetry configuration
    telemetry:
      prometheusPort: 9090
      enableTrace: false

    # Authentication
    auth:
      defaultTtl: 24
      cedarpolicies:
        enabled: true
        policiesDir: /etc/secretumvault/policies

  # Resource requests and limits
  resources:
    requests:
      cpu: 250m
      memory: 256Mi
    limits:
      cpu: 500m
      memory: 512Mi

  # Service configuration
  service:
    type: ClusterIP
    port: 8200
    metricsPort: 9090
    annotations: {}

  # Security context
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false

  # Health check probes
  livenessProbe:
    initialDelaySeconds: 15
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 3

  readinessProbe:
    initialDelaySeconds: 10
    periodSeconds: 5
    timeoutSeconds: 3
    failureThreshold: 3

  startupProbe:
    initialDelaySeconds: 5
    periodSeconds: 5
    failureThreshold: 30

  # Pod anti-affinity
  affinity:
    podAntiAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 100
        podAffinityTerm:
          labelSelector:
            matchExpressions:
            - key: app
              operator: In
              values:
              - vault
          topologyKey: kubernetes.io/hostname

  # Ingress configuration
  ingress:
    enabled: false
    className: nginx
    annotations: {}
    hosts:
      - host: vault.example.com
        paths:
          - path: /
            pathType: Prefix
    tls: []

  # TLS Configuration
  tls:
    enabled: false
    certManager:
      enabled: false
      issuer: letsencrypt-prod
    # If not using cert-manager, provide certificate and key files
    cert: ""
    key: ""
    clientCa: ""

# etcd storage backend configuration
etcd:
  enabled: true
  replicas: 3
  image:
    repository: quay.io/coreos/etcd
    tag: v3.5.9
    pullPolicy: IfNotPresent

  resources:
    requests:
      cpu: 100m
      memory: 256Mi
    limits:
      cpu: 250m
      memory: 512Mi

  storage:
    size: 10Gi
    storageClass: ""

  auth:
    enabled: false
    username: ""
    password: ""

# SurrealDB storage backend configuration
surrealdb:
  enabled: false
  replicas: 1
  image:
    repository: surrealdb/surrealdb
    tag: latest
    pullPolicy: IfNotPresent

  resources:
    requests:
      cpu: 100m
      memory: 256Mi
    limits:
      cpu: 250m
      memory: 512Mi

  storage:
    size: 5Gi
    storageClass: ""

  auth:
    enabled: true
    password: "change-me-in-production"

# PostgreSQL database configuration
postgresql:
  enabled: false
  image:
    repository: postgres
    tag: 15-alpine
    pullPolicy: IfNotPresent

  resources:
    requests:
      cpu: 100m
      memory: 256Mi
    limits:
      cpu: 250m
      memory: 512Mi

  storage:
    size: 10Gi
    storageClass: ""

  auth:
    username: vault
    password: "change-me-in-production"
    database: secretumvault

# Monitoring and Prometheus configuration
monitoring:
  enabled: false
  prometheus:
    enabled: false
    image:
      repository: prom/prometheus
      tag: latest
    retention: 15d
    storageSize: 10Gi

  grafana:
    enabled: false
    image:
      repository: grafana/grafana
      tag: latest
    adminPassword: "change-me-in-production"
    storageSize: 2Gi

# RBAC configuration
rbac:
  create: true
  serviceAccountName: vault

# Pod Security Policy
podSecurityPolicy:
  enabled: false
  name: restricted

# Network Policy
networkPolicy:
  enabled: false
  policyTypes:
    - Ingress
    - Egress
chore: source code, docs and tools 2025-12-22 21:34:01 +00:00			`---`
			`# SecretumVault Helm Chart Values`

			`# Global settings`
			`global:`
			`namespace: secretumvault`

			`# Vault Deployment settings`
			`vault:`
			`replicas: 1`
			`image:`
			`repository: secretumvault`
			`tag: latest`
			`pullPolicy: IfNotPresent`

			`# Configuration`
			`config:`
			`cryptoBackend: openssl # openssl \| aws-lc`
			`storageBackend: etcd # etcd \| surrealdb \| filesystem`
			`sealType: shamir # shamir \| auto`

			`# Seal configuration (Shamir Secret Sharing)`
			`seal:`
			`threshold: 2`
			`shares: 3`

			`# Secrets engines to mount`
			`engines:`
			`kv: true`
			`transit: true`
			`pki: true`
			`database: true`

			`# Logging configuration`
			`logging:`
			`level: info`
			`format: json`
			`ansi: true`

			`# Telemetry configuration`
			`telemetry:`
			`prometheusPort: 9090`
			`enableTrace: false`

			`# Authentication`
			`auth:`
			`defaultTtl: 24`
			`cedarpolicies:`
			`enabled: true`
			`policiesDir: /etc/secretumvault/policies`

			`# Resource requests and limits`
			`resources:`
			`requests:`
			`cpu: 250m`
			`memory: 256Mi`
			`limits:`
			`cpu: 500m`
			`memory: 512Mi`

			`# Service configuration`
			`service:`
			`type: ClusterIP`
			`port: 8200`
			`metricsPort: 9090`
			`annotations: {}`

			`# Security context`
			`securityContext:`
			`runAsNonRoot: true`
			`runAsUser: 1000`
			`fsGroup: 1000`
			`readOnlyRootFilesystem: true`
			`allowPrivilegeEscalation: false`

			`# Health check probes`
			`livenessProbe:`
			`initialDelaySeconds: 15`
			`periodSeconds: 10`
			`timeoutSeconds: 5`
			`failureThreshold: 3`

			`readinessProbe:`
			`initialDelaySeconds: 10`
			`periodSeconds: 5`
			`timeoutSeconds: 3`
			`failureThreshold: 3`

			`startupProbe:`
			`initialDelaySeconds: 5`
			`periodSeconds: 5`
			`failureThreshold: 30`

			`# Pod anti-affinity`
			`affinity:`
			`podAntiAffinity:`
			`preferredDuringSchedulingIgnoredDuringExecution:`
			`- weight: 100`
			`podAffinityTerm:`
			`labelSelector:`
			`matchExpressions:`
			`- key: app`
			`operator: In`
			`values:`
			`- vault`
			`topologyKey: kubernetes.io/hostname`

			`# Ingress configuration`
			`ingress:`
			`enabled: false`
			`className: nginx`
			`annotations: {}`
			`hosts:`
			`- host: vault.example.com`
			`paths:`
			`- path: /`
			`pathType: Prefix`
			`tls: []`

			`# TLS Configuration`
			`tls:`
			`enabled: false`
			`certManager:`
			`enabled: false`
			`issuer: letsencrypt-prod`
			`# If not using cert-manager, provide certificate and key files`
			`cert: ""`
			`key: ""`
			`clientCa: ""`

			`# etcd storage backend configuration`
			`etcd:`
			`enabled: true`
			`replicas: 3`
			`image:`
			`repository: quay.io/coreos/etcd`
			`tag: v3.5.9`
			`pullPolicy: IfNotPresent`

			`resources:`
			`requests:`
			`cpu: 100m`
			`memory: 256Mi`
			`limits:`
			`cpu: 250m`
			`memory: 512Mi`

			`storage:`
			`size: 10Gi`
			`storageClass: ""`

			`auth:`
			`enabled: false`
			`username: ""`
			`password: ""`

			`# SurrealDB storage backend configuration`
			`surrealdb:`
			`enabled: false`
			`replicas: 1`
			`image:`
			`repository: surrealdb/surrealdb`
			`tag: latest`
			`pullPolicy: IfNotPresent`

			`resources:`
			`requests:`
			`cpu: 100m`
			`memory: 256Mi`
			`limits:`
			`cpu: 250m`
			`memory: 512Mi`

			`storage:`
			`size: 5Gi`
			`storageClass: ""`

			`auth:`
			`enabled: true`
			`password: "change-me-in-production"`

			`# PostgreSQL database configuration`
			`postgresql:`
			`enabled: false`
			`image:`
			`repository: postgres`
			`tag: 15-alpine`
			`pullPolicy: IfNotPresent`

			`resources:`
			`requests:`
			`cpu: 100m`
			`memory: 256Mi`
			`limits:`
			`cpu: 250m`
			`memory: 512Mi`

			`storage:`
			`size: 10Gi`
			`storageClass: ""`

			`auth:`
			`username: vault`
			`password: "change-me-in-production"`
			`database: secretumvault`

			`# Monitoring and Prometheus configuration`
			`monitoring:`
			`enabled: false`
			`prometheus:`
			`enabled: false`
			`image:`
			`repository: prom/prometheus`
			`tag: latest`
			`retention: 15d`
			`storageSize: 10Gi`

			`grafana:`
			`enabled: false`
			`image:`
			`repository: grafana/grafana`
			`tag: latest`
			`adminPassword: "change-me-in-production"`
			`storageSize: 2Gi`

			`# RBAC configuration`
			`rbac:`
			`create: true`
			`serviceAccountName: vault`

			`# Pod Security Policy`
			`podSecurityPolicy:`
			`enabled: false`
			`name: restricted`

			`# Network Policy`
			`networkPolicy:`
			`enabled: false`
			`policyTypes:`
			`- Ingress`
			`- Egress`