---
# HashiCorp Vault Helm Values
# Chart: https://github.com/hashicorp/vault-helm
#
# NOTE(review): the source was collapsed onto a single line; nesting below is
# rebuilt from the vault-helm values layout — confirm against the deployed file.

global:
  enabled: true
  # TLS is disabled inside the cluster. With tlsDisable set, the chart addresses
  # Vault over plain HTTP, so TLS ends at the ingress and traffic from the
  # ingress to the Vault pods is unencrypted.
  # NOTE(review): the listener stanza lives in vault-config-secret (not shown
  # here) — confirm it matches, and consider in-cluster TLS, since Vault tokens
  # and secret payloads cross the pod network.
  tlsDisable: true

server:
  enabled: true

  # Production mode: the in-memory dev server stays off.
  dev:
    enabled: false

  # Standalone disabled (HA is used instead).
  standalone:
    enabled: false

  # HA settings - PostgreSQL storage (config from External Secret).
  ha:
    enabled: true
    replicas: 3
    raft:
      enabled: false
    # Empty config - actual config is in vault-config-secret.
    # NOTE(review): placed under ha (not ha.raft) because raft is disabled —
    # confirm.
    config: ''

  # PVC disabled (PostgreSQL is the storage backend).
  dataStorage:
    enabled: false

  # Config from External Secret. Keeping the server config in a Secret keeps
  # its contents out of this values file.
  volumes:
    - name: vault-config-secret
      secret:
        secretName: vault-config-secret

  volumeMounts:
    - name: vault-config-secret
      mountPath: /vault/userconfig
      readOnly: true

  # Extra args to use config from secret. The secret must carry a key named
  # extraconfig-from-values.hcl for this path to exist in the pod.
  extraArgs: '-config=/vault/userconfig/extraconfig-from-values.hcl'

  # Resource limits (memory request equals the limit; no CPU limit is set).
  resources:
    requests:
      cpu: 49m
      memory: 175Mi
    limits:
      memory: 175Mi

  # Ingress settings. Publishes the Vault API (and the UI enabled below) at
  # this hostname with a cert-manager issued certificate.
  # NOTE(review): confirm who can reach this host; if it is internet-facing,
  # restrict access at the ingress.
  ingress:
    enabled: true
    ingressClassName: traefik
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
    hosts:
      - host: vault0213.kro.kr
        paths:
          - '/'
    tls:
      - secretName: vault-tls
        hosts:
          - vault0213.kro.kr

  # Service type: ClusterIP, so the Service itself is only reachable from
  # inside the cluster; external access goes through the ingress above.
  service:
    enabled: true
    type: ClusterIP
    port: 8200

  # Tolerations for control-plane node (keep for 3-replica HA). This lets
  # Vault pods be scheduled onto control-plane nodes.
  tolerations:
    - key: 'node-role.kubernetes.io/control-plane'
      operator: 'Exists'
      effect: 'NoSchedule'

  # High priority for critical secrets management.
  priorityClassName: high-priority

# Enable the UI.
ui:
  enabled: true
  serviceType: ClusterIP

# Injector (enable later if needed).
injector:
  enabled: false