Parameters
The parent key for all of the following parameters is vault.
namespace
| type |
string |
| default |
|
The namespace in which to deploy this component.
Two intances of vault can be deployed in the same namespace, but the two instances will have access to each others unseal secrets.
kubernetes_version
| type |
string |
| default |
|
The Kubernetes version of the cluster the component is deployed to. This parameter is passed to Helm when rendering the Helm chart. The default chart version used by the component requires Kubernetes 1.20 or newer.
We recommend setting this parameter based on the cluster’s kubernetesVersion dynamic fact.
ingress.host
| type |
string |
| default |
|
Defines the FQDN of the ingress, should be overwritten on the cluster level.
ingress.annotations
| type |
dict |
| default |
{} |
The annotations added to the created ingress Needs to be set according to the deployed ingress controller.
Example:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
kubernetes.io/ingress.class: nginxresources
| type |
dict |
| default |
|
The resource requests and limits.
podManagementPolicy
| type |
string |
| default |
|
The podManagementPolicy for the vault statefulset
Setting this to Parallel might cause a race condition during initial setup.
This parameter can’t be changed after the initial deployment of the component.
|
x_forwarded_for
This section allows users to configure how Vault uses the information in the X-Forwarded-For header in client connections.
authorized_addrs
| type |
string |
| default |
|
This parameter allows users to specify the list of source IP CIDRs for which an X-Forwarded-For header will be trusted.
Since Vault doesn’t accept the empty string as a valid option, we set the parameter to only trust X-Forwarded-For headers from 127.0.0.1/32 by default.
To avoid issues with parameter interpolation, multiple entries should be specified as a comma-separated list.
If you want to use functionality in Vault which requires the real source IP of requests, you should set this parameter to a CIDR which includes the IPs of your ingress controller.
Also see the Vault documentation.
hop_skips
| type |
number |
| default |
|
The number of entries in the X-Forwarded-For header to skip.
You may have to set this parameter, if you’re deploying this component on a cluster which is behind multiple HTTP load balancers.
See the Vault documentation for more details.
reject_not_authorized
| type |
bool |
| default |
|
By default, if there’s an X-Forwarded-For header in a connection from an address which isn’t in x_forwarded_for_authorized_addrs, the header will be ignored and the client address is used as-is.
If this is set to true, such client connections are rejected instead.
We default this parameter to false to provide an usable setup out of the box.
If you expect that all valid client connections will have an X-Forwarded-For header, we strongly recommend setting it to true if you configure x_forwarded_for_authorized_addrs.
reject_not_present
| type |
bool |
| default |
|
By default, if there is no X-Forwarded-For header in a connection from an address which isn’t in x_forwarded_For_authorized_addrs or if the header is empty, the client address will be used as-is.
If this parameter is set to true, such client connections are rejected instead.
We default this parameter to false to provide an usable setup out of the box.
If you expect that all valid client connections will have an X-Forwarded-For header, we strongly recommend setting it to true if you configure x_forwarded_for_authorized_addrs.
config
| type |
dict |
| default |
|
The configuration for vault. The default configuration adds a general key-value secret store and a default backup user. If this backup user isn’t present, backups using k8up won’t succeed. This configuration may directly contain secret references (see example below) as it will be stored in a secret.
Example LDAP configuration:
auth:
- type: kubernetes
roles:
- name: backup
bound_service_account_names: vault-backup
bound_service_account_namespaces: vault
policies: backup
ttl: 1h
- type: ldap
description: LDAP auth
options:
listing_visibility: "unauth"
config:
url: ldaps://ldap.todo.com:636
binddn: "uid=vault-service,ou=Users,dc=todo,dc=com"
bindpass: ?{vaultkv:${cluster:tenant}/${cluster:name}/vault/ldap/password}
userattr: uid
userdn: "ou=vault,ou=Service Access,ou=Views,dc=todo,dc=com"
groupdn: "ou=Groups,dc=todo,dc=com"
groupattr: cn
groups:
Vault root:
policies: vault-rootbackup.password
| type |
string |
| default |
|
The password for the backup.
backup.bucket
| type |
dict |
| default |
|
The connection information for the S3 bucket to write to.