---
# NOTE(review): the parent of `vaultCsiProvider`, `openshiftPrivilegedSCCRoleBinding` and
# `ingressRouterCa` is not stated in their descriptions; confirm their nesting against the chart templates.
# -- Settings for cluster-wide Vault CSI support components
# @default -- see nested keys
ocpSecretsStoreCsiVault:
  clusterWide:
    # -- When true, install cluster-wide manifests owned by this chart (currently the optional Vault CSI TLS CA sync ConfigMap).
    installDefaultManifests: true
  # -- HashiCorp Vault Helm subchart: deploys the Vault CSI provider DaemonSet and related RBAC when enabled. Disable if you only render trust `ConfigMap` templates from another release (not recommended for new installs).
  vaultCsiProvider:
    enabled: true
  # -- When true with CSI enabled on OpenShift, grant the provider ServiceAccount the `privileged` SCC.
  # `privileged` is the most permissive SCC: keep the binding scoped to the provider ServiceAccount only and
  # never reuse that ServiceAccount for other workloads. Presumably required because the provider writes its
  # socket under the host-level `vault.csi.daemonSet.providersDir` — confirm against the templates.
  openshiftPrivilegedSCCRoleBinding:
    enabled: true
  # -- Provider trust-bundle sourcing for Vault CSI. Supports CNO injected trust, inline PEM, or optional cluster lookup-based copy flows for hub/spoke patterns. Nested: `syncProviderCaConfigMap`, `hostCluster`, `clientCluster`.
  caProvider:
    # -- Enables CA source resolution helpers and optional synced ConfigMap rendering.
    enabled: true
    # -- Controls generation of the provider-namespace ConfigMap used to mount trust material into Vault CSI provider pods.
    # One trust source is active at a time: CNO injection (`injectTrustedCabundle`), inline PEM (`pemLiteral`),
    # or live-cluster lookup (`useLookup`). Whichever is used, the provider trusts every CA in the resulting
    # file, so prefer the narrowest bundle that still chains to the Vault server certificate.
    syncProviderCaConfigMap:
      # -- Enables synced trust ConfigMap behavior and template helpers.
      enabled: true
      # -- When true with `createConfigMap` true (default), render a ConfigMap with label `config.openshift.io/inject-trusted-cabundle: "true"` and empty `data` so the Cluster Network Operator injects the cluster merged CA bundle. Mutually exclusive with rendered PEM content; set false to use PEM/`lookup` or an out-of-band ConfigMap.
      # Trust-scope caveat: the injected bundle is the cluster-wide merged CA set (see the custom PKI docs
      # referenced below), not just the Vault issuer, so the provider will accept any server certificate
      # chaining to any CA in it. Use `pemLiteral` when trust should be pinned to the Vault CA alone.
      injectTrustedCabundle: true
      # -- Data key populated by OpenShift after injection (see "Certificate injection using Operators" / custom PKI docs).
      # In injection mode the file that appears under `mountDir` is named after this key (`ca-bundle.crt`),
      # not after `keyInConfigMap`; any CA path configured for the provider must reference the file that is
      # actually present.
      trustedCabundleDataKey: ca-bundle.crt
      # -- When `injectTrustedCabundle` and this chart renders the TLS ConfigMap: set `argocd.argoproj.io/ignore-differences` to a YAML snippet with `jsonPointers` `/data` and `jqPathExpressions` `.data` so Argo ignores CNO-managed bundle content. Honor depends on Argo / OpenShift GitOps version—duplicate under Application `spec.ignoreDifferences` if needed (see README).
      argocdIgnoreInjectedTrustedCabundleData: true
      # -- Extra annotations merged onto the rendered sync TLS ConfigMap (overrides `argocdIgnoreInjectedTrustedCabundleData` annotation keys when the same key is set).
      configMapAnnotations: {}
      # -- Inline PEM (full bundle). GitOps-friendly: SOPS-encrypted values, Argo CD helm parameters, or a pattern override file. When set, used instead of cluster lookup for CM content when `createConfigMap` is true.
      # A CA bundle is public material; what matters here is integrity, not secrecy. Source the value from a
      # reviewed, tamper-evident location (signed commits, SOPS) so nobody can substitute their own CA and
      # impersonate Vault to the provider.
      pemLiteral: ""
      # -- When true, use helm lookup() against the live API (hub ingress CA, ESO-style hub-ca, etc.). False by default because Argo CD client-side render has no API.
      # lookup() runs with the credentials of the identity rendering the chart, which therefore needs read
      # access to the referenced object, and the value is copied verbatim into a non-secret ConfigMap.
      # Point it only at CA certificate material — never at a Secret key that holds a private key.
      useLookup: false
      # -- When true, Helm emits the ConfigMap (injection-labeled or PEM from `pemLiteral`/`useLookup`). When false, GitOps/Ansible must create `configMapName`.
      createConfigMap: true
      # -- Namespace for the synced ConfigMap when `createConfigMap` is true (Vault CSI provider namespace in typical patterns).
      targetNamespace: vault
      # -- ConfigMap name; must match **rhvp.cluster_utils** `vault_ss_csi_route_ca_configmap_name` default (`openshift-sscsi-vault-vault-tls-ca`).
      configMapName: openshift-sscsi-vault-vault-tls-ca
      # -- Directory on the Vault CSI provider pod where the ConfigMap is mounted (must match HashiCorp Vault chart `csi.volumeMounts`).
      mountDir: /etc/pki/vault-ca
      # -- Key within the ConfigMap whose value is the PEM file; must match **rhvp.cluster_utils** `vault_ss_csi_route_ca_configmap_key` default (`vault-tls-ca.pem`).
      # Applies to PEM/`lookup` content only; with `injectTrustedCabundle` the key is `trustedCabundleDataKey`.
      keyInConfigMap: vault-tls-ca.pem
      # -- Preset for `useLookup` only: `auto` (hub vs spoke), `ingressrouterca`, `esohubkuberootca`, `esospokehubca`.
      preset: auto
      # -- Router CA ConfigMap reference when preset resolves to ingress router CA (`useLookup` path).
      ingressRouterCa:
        namespace: openshift-ingress
        name: router-ca
        key: ca-bundle.crt
    # -- Hub-side CA source for the `useLookup` presets (presumably `esohubkuberootca` — confirm against the
    # templates). Reads the cluster root CA ConfigMap that Kubernetes publishes in each namespace.
    hostCluster:
      type: ConfigMap
      name: kube-root-ca.crt
      key: ca.crt
      namespace: external-secrets
      # -- Default CA bundle path convention for hub-style deployments.
      # NOTE(review): this file name does not match `keyInConfigMap` (`vault-tls-ca.pem`) under the same
      # `mountDir`; confirm the lookup template writes the CA under this key, otherwise the path will not
      # exist in the provider pod.
      defaultVaultCACertPath: /etc/pki/vault-ca/kube-root-ca.crt
    # -- Spoke-side CA source for the `useLookup` presets (presumably `esospokehubca` — confirm against the
    # templates). The source is a Secret, but the lookup flow copies the value into a plain ConfigMap, so the
    # referenced key must hold only the hub CA certificate.
    clientCluster:
      type: Secret
      name: hub-ca
      key: hub-kube-root-ca.crt
      namespace: external-secrets
      # -- Default CA bundle path convention for spoke-style deployments; same file-name caveat as `hostCluster`.
      defaultVaultCACertPath: /etc/pki/vault-ca/hub-kube-root-ca.crt
# -- Global values aligned with openshift-external-secrets chart patterns
# The domains below are placeholders; they are presumably overridden per cluster by the pattern layer.
global:
  hubClusterDomain: hub.example.com
  clusterDomain: foo.example.com
  localClusterDomain: ""
# -- Pattern clustergroup values (cf. the `rhvp.cluster_utils` references above); empty here and
# presumably populated by the clustergroup layer.
clusterGroup:
  applications: {}
# -- HashiCorp `vault` subchart (https://github.com/hashicorp/vault-helm). Defaults: CSI provider only (no Vault server), OpenShift paths and UBI images. Keep `csi.volumes` ConfigMap `name` aligned with `ocpSecretsStoreCsiVault.caProvider.syncProviderCaConfigMap.configMapName` (Helm values do not cross-reference keys). Install this Helm release into the **same namespace** as that ConfigMap (default `vault`) so the projected volume can mount it.
# @default -- see nested keys
vault:
  global:
    openshift: true
    # -- Hub Vault API URL for CSI `VAULT_ADDR` when `csi.agent.enabled` is false (required on spokes unless you set it from the clustergroup layer). Example: `https://vault-vault.apps.<hubClusterDomain>`.
    # Use an `https://` URL; the CA mounted at `csi.volumeMounts` below is what lets the provider verify it.
    # Do not "fix" certificate errors by disabling TLS verification on the provider — fix the CA source.
    externalVaultAddr: ""
  # No Vault control plane is deployed by this release; only the CSI provider DaemonSet runs here.
  injector:
    enabled: false
  server:
    enabled: false
  ui:
    enabled: false
  csi:
    enabled: true
    # No Vault Agent sidecar: the provider reaches `global.externalVaultAddr` directly.
    agent:
      enabled: false
    daemonSet:
      # Host-level directory where the Secrets Store CSI driver discovers provider sockets; presumably the
      # reason the `privileged` SCC binding in `ocpSecretsStoreCsiVault` is required — confirm.
      providersDir: /etc/kubernetes/secrets-store-csi-providers
    image:
      repository: registry.connect.redhat.com/hashicorp/vault-csi-provider
      # Mutable tag with `IfNotPresent`: a node keeps whatever it pulled first and a re-pushed tag goes
      # unnoticed. For a reproducible supply chain pin by digest and track tag updates explicitly.
      tag: 1.7.0-ubi
      pullPolicy: IfNotPresent
    volumes:
      - name: openshift-sscsi-vault-ca
        projected:
          # 420 decimal == 0644. Keep it decimal: `0644` parses as octal under YAML 1.1 but as 644 under 1.2.
          defaultMode: 420
          sources:
            - configMap:
                # Must equal `ocpSecretsStoreCsiVault.caProvider.syncProviderCaConfigMap.configMapName`.
                name: openshift-sscsi-vault-vault-tls-ca
                # `optional: true` lets the DaemonSet start before the ConfigMap exists (e.g. `createConfigMap`
                # false with out-of-band creation), at the cost of hiding a missing bundle: the provider has no
                # CA file until the ConfigMap appears.
                optional: true
    volumeMounts:
      - name: openshift-sscsi-vault-ca
        # Matches `ocpSecretsStoreCsiVault.caProvider.syncProviderCaConfigMap.mountDir`. Read-only so a
        # compromised provider process cannot alter its own trust store.
        mountPath: /etc/pki/vault-ca
        readOnly: true