vault
Secrets management and data protection platform
Component Information
| Property | Value |
|---|---|
| Chart Version | latest |
| Chart Type | application |
| Upstream Project | vault |
| Maintainers | Platform Engineering Team (repo) |
Why Vault?
Using cloud provider secret managers creates vendor lock-in and forces the platform to handle provider-specific APIs. Vault provides a provider-agnostic secrets backend that runs anywhere Kubernetes runs.
Benefits of this approach:
- No Vendor Lock-In: Vault works the same on AWS, GCP, Azure, or bare metal
- Centralized Management: Single source of truth for all secrets across the platform
- Automated Rotation: Supports dynamic secrets and automatic rotation
- Audit Trail: every request to Vault's API, including each secret read, is logged once an audit device is enabled
- Developer-Friendly: Applications consume standard Kubernetes Secrets, not Vault’s API directly
Architecture Role
Vault sits at Layer 1 of the platform, the Platform Services layer. It’s a cross-cutting service that nearly every component depends on for credentials.
Key integration points:
- External Secrets Operator: Syncs secrets from Vault into Kubernetes Secrets
- ArgoCD: Consumes Vault secrets for repository credentials
- Grafana: Uses Vault-sourced secrets for admin passwords and datasource credentials
- Applications: Consume secrets via standard Kubernetes Secrets, decoupled from Vault’s API
The configuration here is a demo setup: the values below run a single standalone node with a one-node Raft store on a 1Gi volume, TLS disabled on the listener (tls_disable = "true") and metrics exposed without authentication. There is no seal stanza, so the node must be unsealed after every pod restart.
In production, Vault would run in ha mode with replicated persistent storage, TLS on the listener and auto-unseal through an external KMS, with the recovery key material held outside the cluster.
The architecture supports both without changes to dependent components, since they consume Kubernetes Secrets rather than Vault's API.
See Secrets Management for the complete secrets flow.
Configuration Values
The following table lists the configurable parameters (chart version 0.31.0):
Values
| Key | Type | Default | Description |
|---|---|---|---|
| server.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].key | string | "node-role.kubernetes.io/control-plane" | Node label required for scheduling (pins Vault to control-plane nodes) |
| server.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].operator | string | "Exists" | Match operator for the node affinity expression |
| server.affinity.podAntiAffinity | string | nil | Pod anti-affinity (unset; a single standalone replica needs none) |
| server.dataStorage.enabled | bool | true | Enable persistence (PVC backing the Raft data directory) |
| server.dataStorage.size | string | "1Gi" | Storage size |
| server.livenessProbe.enabled | bool | false | Enable liveness probe |
| server.livenessProbe.execCommand | list | [] | Exec command |
| server.livenessProbe.failureThreshold | int | 2 | Failure threshold |
| server.livenessProbe.initialDelaySeconds | int | 5 | Initial delay seconds |
| server.livenessProbe.periodSeconds | int | 2 | Period seconds |
| server.livenessProbe.successThreshold | int | 1 | Success threshold |
| server.livenessProbe.timeoutSeconds | int | 5 | Timeout seconds |
| server.priorityClassName | string | "platform-infrastructure" | Priority class for Vault pods |
| server.readinessProbe.enabled | bool | true | Enable readiness probe |
| server.readinessProbe.failureThreshold | int | 2 | Failure threshold |
| server.readinessProbe.initialDelaySeconds | int | 5 | Initial delay seconds |
| server.readinessProbe.path | string | "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204" | Readiness probe path. With sealedcode=204 and uninitcode=204 a sealed or uninitialised node still reports Ready (the kubelet treats any 2xx as success); this keeps the pod reachable for init/unseal, but dependents may be routed to a node whose API returns 503 until it is unsealed |
| server.resources.limits.cpu | string | "500m" | CPU limit |
| server.resources.limits.memory | string | "512Mi" | Memory limit |
| server.resources.requests.cpu | string | "250m" | CPU request |
| server.resources.requests.memory | string | "256Mi" | Memory request |
| server.serviceMonitor.enabled | bool | true | Enable ServiceMonitor (Prometheus Operator scraping) |
| server.serviceMonitor.interval | string | "60s" | Scrape interval |
| server.serviceMonitor.scrapeTimeout | string | "40s" | Scrape timeout |
| server.standalone.config | string | "storage \"raft\" {\n path = \"/vault/data\"\n node_id = \"vault-0\"\n}\nlistener \"tcp\" {\n address = \"0.0.0.0:8200\"\n tls_disable = \"true\"\n telemetry {\n unauthenticated_metrics_access = true\n }\n}\ntelemetry {\n prometheus_retention_time = \"30s\"\n disable_hostname = true\n}\naudit \"file\" {\n path = \"/vault/logs/audit.log\"\n}\n" | HCL server configuration: single-node Raft storage at /vault/data, TCP listener on :8200 with TLS disabled and unauthenticated metrics access, Prometheus telemetry. The audit block is not a Vault server-configuration stanza and does not enable an audit device; enable one at runtime with `vault audit enable file file_path=/vault/logs/audit.log` |
| server.standalone.enabled | bool | true | Enables standalone server configuration (single node, no HA) |
| server.tolerations[0].effect | string | "NoSchedule" | Taint effect tolerated |
| server.tolerations[0].key | string | "node-role.kubernetes.io/control-plane" | Taint key tolerated (allows scheduling on control-plane nodes) |
| server.tolerations[0].operator | string | "Exists" | Toleration operator |
| server.updateStrategyType | string | "RollingUpdate" | StatefulSet update strategy; with a single standalone replica an update still restarts the only node, which comes back sealed |
| ui.enabled | bool | true | Enable Vault UI |
| ui.service.type | string | "ClusterIP" | Service type |