---
# SecretumVault Helm Chart Values
#
# NOTE(review): this file was recovered from a layout with no line breaks or
# indentation. Top-level placement of the config/seal/engines/logging/
# telemetry/auth/resources/service/securityContext/probe/affinity/ingress/tls
# stanzas is the flattest reading of the source — confirm against the chart
# templates (.Values.<key> references) before relying on it.

# Global settings
global:
  namespace: secretumvault

# Vault Deployment settings
vault:
  replicas: 1
  image:
    repository: secretumvault
    # NOTE(review): a mutable tag combined with IfNotPresent means a node keeps
    # whatever image it already cached; pin a version or digest for
    # reproducible, auditable rollouts.
    tag: latest
    pullPolicy: IfNotPresent

# Application configuration
config:
  cryptoBackend: openssl  # openssl | aws-lc
  storageBackend: etcd  # etcd | surrealdb | filesystem
  sealType: shamir  # shamir | auto

# Seal configuration (Shamir Secret Sharing): threshold-of-shares unseal
seal:
  threshold: 2
  shares: 3

# Secrets engines to mount
engines:
  kv: true
  transit: true
  pki: true
  database: true

# Logging configuration
logging:
  level: info
  format: json
  # NOTE(review): ANSI colouring together with JSON output is unusual —
  # confirm the logger strips escape codes from structured output.
  ansi: true

# Telemetry configuration
telemetry:
  prometheusPort: 9090
  enableTrace: false

# Authentication
auth:
  # presumably hours — unit is not stated here; verify against the template
  defaultTtl: 24
  cedarpolicies:
    enabled: true
    policiesDir: /etc/secretumvault/policies

# Resource requests and limits for the vault pods
resources:
  requests:
    cpu: 250m
    memory: 256Mi
  limits:
    cpu: 500m
    memory: 512Mi

# Service configuration
service:
  type: ClusterIP
  port: 8200
  metricsPort: 9090
  annotations: {}

# Security context
# NOTE(review): fsGroup is a pod-level field while readOnlyRootFilesystem and
# allowPrivilegeEscalation are container-level; the template must split this
# map across pod and container securityContext for all of them to take effect.
securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  fsGroup: 1000
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false

# Health check probes
livenessProbe:
  initialDelaySeconds: 15
  periodSeconds: 10
  timeoutSeconds: 5
  failureThreshold: 3

readinessProbe:
  initialDelaySeconds: 10
  periodSeconds: 5
  timeoutSeconds: 3
  failureThreshold: 3

startupProbe:
  initialDelaySeconds: 5
  periodSeconds: 5
  failureThreshold: 30

# Pod anti-affinity: prefer spreading vault replicas across nodes
affinity:
  podAntiAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 100
        podAffinityTerm:
          labelSelector:
            matchExpressions:
              - key: app
                operator: In
                values:
                  - vault
          topologyKey: kubernetes.io/hostname

# Ingress configuration
ingress:
  enabled: false
  className: nginx
  annotations: {}
  hosts:
    - host: vault.example.com
      paths:
        - path: /
          pathType: Prefix
  tls: []

# TLS Configuration
# NOTE(review): TLS is off by default, so the listener on service.port
# is exposed without transport encryption until this is enabled.
tls:
  enabled: false
  certManager:
    enabled: false
    issuer: letsencrypt-prod
  # If not using cert-manager, provide certificate and key files
  cert: ""
  key: ""
  clientCa: ""

# etcd storage backend configuration
etcd:
  enabled: true
  replicas: 3
  image:
    repository: quay.io/coreos/etcd
    tag: v3.5.9
    pullPolicy: IfNotPresent
  resources:
    requests:
      cpu: 100m
      memory: 256Mi
    limits:
      cpu: 250m
      memory: 512Mi
  storage:
    size: 10Gi
    storageClass: ""
  # NOTE(review): etcd authentication is disabled by default; the storage
  # backend is reachable without credentials from anything that can reach it
  # on the network (networkPolicy below is also disabled by default).
  auth:
    enabled: false
    username: ""
    password: ""

# SurrealDB storage backend configuration
surrealdb:
  enabled: false
  replicas: 1
  image:
    repository: surrealdb/surrealdb
    tag: latest  # NOTE(review): mutable tag, see vault.image.tag
    pullPolicy: IfNotPresent
  resources:
    requests:
      cpu: 100m
      memory: 256Mi
    limits:
      cpu: 250m
      memory: 512Mi
  storage:
    size: 5Gi
    storageClass: ""
  auth:
    enabled: true
    # Placeholder default — override at install time (e.g. via --set or a
    # secret-backed values file); never deploy with this value.
    password: "change-me-in-production"

# PostgreSQL database configuration
postgresql:
  enabled: false
  image:
    repository: postgres
    tag: 15-alpine
    pullPolicy: IfNotPresent
  resources:
    requests:
      cpu: 100m
      memory: 256Mi
    limits:
      cpu: 250m
      memory: 512Mi
  storage:
    size: 10Gi
    storageClass: ""
  auth:
    username: vault
    # Placeholder default — override at install time; never deploy as-is.
    password: "change-me-in-production"
    database: secretumvault

# Monitoring and Prometheus configuration
monitoring:
  enabled: false
  prometheus:
    enabled: false
    image:
      repository: prom/prometheus
      tag: latest  # NOTE(review): mutable tag, see vault.image.tag
    retention: 15d
    storageSize: 10Gi
  grafana:
    enabled: false
    image:
      repository: grafana/grafana
      tag: latest  # NOTE(review): mutable tag, see vault.image.tag
    # Placeholder default — override at install time; never deploy as-is.
    adminPassword: "change-me-in-production"
    storageSize: 2Gi

# RBAC configuration
rbac:
  create: true
  serviceAccountName: vault

# Pod Security Policy
# NOTE(review): the PodSecurityPolicy API was removed in Kubernetes 1.25;
# on current clusters use Pod Security Admission labels instead.
podSecurityPolicy:
  enabled: false
  name: restricted

# Network Policy (disabled by default: no ingress/egress restriction)
networkPolicy:
  enabled: false
  policyTypes:
    - Ingress
    - Egress