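# HashiCorp Vault — noble (standalone, file storage on Longhorn; TLS disabled on listener for in-cluster HTTP).
#
# helm repo add hashicorp https://helm.releases.hashicorp.com
# helm repo update
# kubectl apply -f clusters/noble/apps/vault/namespace.yaml
# helm upgrade --install vault hashicorp/vault -n vault \
#   --version 0.32.0 -f clusters/noble/apps/vault/values.yaml --wait --timeout 15m
#
# Post-install: initialize, store unseal key in Secret, apply optional unseal CronJob — see README.md
#
# NOTE(security): keeping the unseal key in a Kubernetes Secret in the same cluster means anyone
# who can read Secrets in the vault namespace (or the etcd data store) can unseal Vault. RBAC on
# that namespace and etcd encryption at rest are therefore part of Vault's trust boundary.
#
# Chart-level switch: renders the server Service/listener for plain HTTP. Every in-cluster hop to
# Vault (Traefik -> pod, injector -> pod, any client -> pod) carries tokens and secret payloads
# unencrypted on the pod network; only acceptable if that network is trusted/isolated. A
# NetworkPolicy limiting ingress to Traefik and the injector would narrow the exposure.
global:
  tlsDisable: true

# Agent injector (mutating webhook). Its own webhook certificate is managed by the chart and is
# not affected by global.tlsDisable.
injector:
  enabled: true

server:
  enabled: true

  # Persistent volume for the "file" storage backend below.
  dataStorage:
    enabled: true
    size: 10Gi
    storageClass: longhorn
    accessMode: ReadWriteOnce

  # Single-node deployment: HA off, standalone on (the two are mutually exclusive in the chart).
  ha:
    enabled: false
  standalone:
    enabled: true
    # Vault server config (HCL). tls_disable = 1 must match global.tlsDisable above.
    # Because TLS terminates at Traefik, Vault sees Traefik's source address as the client in
    # audit logs and for CIDR-bound tokens unless `x_forwarded_for_authorized_addrs` is set to
    # Traefik's address range on this listener — add it if real client IPs matter.
    config: |
      ui = true
      listener "tcp" {
        tls_disable = 1
        address = "[::]:8200"
        cluster_address = "[::]:8201"
      }
      storage "file" {
        path = "/vault/data"
      }

  # Allow pod Ready before init/unseal so Helm --wait succeeds (see Vault /v1/sys/health docs).
  # Consequence: the Service (and ingress) will route to a sealed/uninitialized Vault, which
  # answers API calls with 503 until it is unsealed — readiness here means "process is up", not
  # "Vault is usable".
  readinessProbe:
    enabled: true
    path: "/v1/sys/health?uninitcode=204&sealedcode=204&standbyok=true"
    port: 8200

  # LAN: TLS terminates at Traefik + cert-manager; listener stays HTTP (global.tlsDisable).
  # The UI and API are reachable by anyone on the LAN who can resolve this host; access control
  # is Vault's own auth only. Consider a Traefik IP allow-list middleware if the LAN is shared.
  ingress:
    enabled: true
    ingressClassName: traefik
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
    hosts:
      - host: vault.apps.noble.lab.pcenicni.dev
        # Empty list -> chart default path ("/").
        paths: []
    tls:
      - secretName: vault-apps-noble-tls
        hosts:
          - vault.apps.noble.lab.pcenicni.dev

# Chart-level UI flag (UI Service); `ui = true` in the server config above enables the UI in
# Vault itself. Both are needed for the UI to be served through the ingress.
ui:
  enabled: true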