global:
  enabled: true

server:

  extraSecretEnvironmentVars:
    - envName: VAULT_TOKEN
      secretName: auto-unseal-token
      secretKey: VAULT_TOKEN

  ha:
    enabled: true
    raft:
      enabled: true
      config: |
        ui = true

        listener "tcp" {
          tls_disable = 1
          address = "[::]:8200"
          cluster_address = "[::]:8201"
        }

        seal "transit" {
          address = "http://3.14.3.104:8200"
          disable_renewal = "false"
          key_name = "autounseal"
          mount_path = "transit/"
          tls_skip_verify = "true"
        }

        storage "raft" {
          path = "/vault/data"
        }

        service_registration "kubernetes" {}

  dataStorage:
    enabled: true
    size: 32Gi
    storageClass: null
    accessMode: ReadWriteOnce

  ingress:
    enabled: true
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
      kubernetes.io/ingress.class: nginx
    hosts:
      - host: vault.ducoterra.net
        paths:
          - /

    tls:
    - hosts:
      - vault.ducoterra.net
      secretName: vault-tls-cert

ui:
  enabled: true
  serviceType: ClusterIP