---
# ConfigMap for SecretumVault configuration
apiVersion: v1
kind: ConfigMap
metadata:
  name: vault-config
  namespace: secretumvault
data:
  svault.toml: |
    [vault]
    crypto_backend = "openssl"

    [server]
    address = "0.0.0.0"
    port = 8200

    [storage]
    # Use etcd backend deployed in the cluster
    backend = "etcd"

    [storage.etcd]
    # Connect to etcd service via Kubernetes DNS
    endpoints = ["http://vault-etcd:2379"]

    [storage.surrealdb]
    url = "ws://vault-surrealdb:8000"

    [storage.postgresql]
    connection_string = "postgres://vault:${DB_PASSWORD}@vault-postgres:5432/secretumvault"

    [crypto]
    # Using OpenSSL backend (stable)

    [seal]
    seal_type = "shamir"

    [seal.shamir]
    threshold = 2
    shares = 3

    [engines.kv]
    path = "secret/"
    versioned = true

    [engines.transit]
    path = "transit/"
    versioned = true

    [engines.pki]
    path = "pki/"
    versioned = false

    [engines.database]
    path = "database/"
    versioned = false

    [logging]
    level = "info"
    format = "json"
    ansi = true

    [telemetry]
    prometheus_port = 9090
    enable_trace = false

    [auth]
    default_ttl = 24