{"id":50881786,"url":"https://github.com/validatedpatterns/openshift-sscsi-vault-chart","last_synced_at":"2026-06-15T13:31:15.050Z","repository":{"id":354660647,"uuid":"1224602847","full_name":"validatedpatterns/openshift-sscsi-vault-chart","owner":"validatedpatterns","description":"Chart to use SSCSI machinery in OpenShift for Validated Patterns","archived":false,"fork":false,"pushed_at":"2026-05-06T16:31:27.000Z","size":133,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-06T17:08:31.270Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go Template","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/validatedpatterns.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-29T12:51:26.000Z","updated_at":"2026-05-06T16:31:32.000Z","dependencies_parsed_at":"2026-04-29T15:04:49.702Z","dependency_job_id":null,"html_url":"https://github.com/validatedpatterns/openshift-sscsi-vault-chart","commit_stats":null,"previous_names":["validatedpatterns/openshift-sscsi-vault-chart"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/validatedpatterns/openshift-sscsi-vault-chart","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/validatedpatterns%2Fopenshift-sscsi-vault-chart","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/validatedpatterns%2Fopenshift-sscsi-vault-chart/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/validatedpatterns%2Fopenshift-sscsi-vault-chart/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/validatedpatterns%2Fopenshift-sscsi-vault-chart/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/validatedpatterns","download_url":"https://codeload.github.com/validatedpatterns/openshift-sscsi-vault-chart/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/validatedpatterns%2Fopenshift-sscsi-vault-chart/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34365596,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-15T02:00:07.085Z","response_time":63,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-06-15T13:31:14.226Z","updated_at":"2026-06-15T13:31:15.043Z","avatar_url":"https://github.com/validatedpatterns.png","language":"Go Template","funding_links":[],"categories":[],"sub_categories":[],"readme":"# openshift-sscsi-vault\n\n![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square)\n\nOpenShift Vault Secrets Store CSI: optional synced TLS trust ConfigMap for the provider, HashiCorp Vault CSI provider DaemonSet (hub or spoke), projected trust mount, and OpenShift SCC wiring. Per-application SecretProviderClass manifests use the vp-sscsi-spc library chart.\n\nThis chart is used by the Validated Patterns to configure cluster-wide Vault CSI support.\n\n### Scope and chart split\n\nThis chart owns **cluster-wide Vault SSCSI infrastructure** on OpenShift:\n\n- Optional synced TLS trust **`ConfigMap`** for the provider (`caProvider.syncProviderCaConfigMap`) and named-template helpers (`vaultTlsCaPemFromCluster`, `renderSyncCaConfigMap`, and related).\n- **Vault CSI provider** DaemonSet and upstream CSI RBAC via the bundled **HashiCorp `vault` Helm subchart** (`vault` values), when **`ocpSecretsStoreCsiVault.vaultCsiProvider.enabled`** is **true** (default).\n- **Projected trust volume** on the provider pods (`vault.csi.volumes` / `volumeMounts`), defaulting to the same **`ConfigMap`** name as **`caProvider.syncProviderCaConfigMap.configMapName`** so the bundle this chart manages is mounted at **`/etc/pki/vault-ca`**.\n- **`privileged` SCC** `RoleBinding` for the provider ServiceAccount on OpenShift when **`vaultCsiProvider.openshiftPrivilegedSCCRoleBinding.enabled`** is **true** (default).\n\nIt does **not** run the Vault **server** by default (`vault.server.enabled: false`). Enable server-related values only when you intentionally colocate a server with this release.\n\n**Per-application** `SecretProviderClass` objects stay in the **`vp-sscsi-spc`** library (**per app**, with **`applicationKey`** / **`ssCsiWorkloadAuth`** on Validated Patterns where used).\n\n### Cluster-wide usage\n\nInstall this chart as the single owner of provider trust material:\n\n```yaml\nocpSecretsStoreCsiVault:\n  clusterWide:\n    installDefaultManifests: true\n```\n\nSet `installDefaultManifests: false` when reusing only named templates.\n\nSet **`ocpSecretsStoreCsiVault.vaultCsiProvider.enabled: false`** only if you want trust **`ConfigMap`** templates without installing the Vault CSI provider from this chart (unusual for new installs).\n\n### Hub, spoke, and clusters without a local Vault server\n\n**Trust `ConfigMap`** is still **cluster-local** (CNO-injected bundle, PEM, or lookup modes as before). **Vault CSI provider** pods in this release read that material via **`vault.csi`** volume projection.\n\n**Where it runs**\n\n- Install on **each** cluster (hub and relevant spokes) that runs the Vault CSI **provider** for SSCSI workloads.\n- Spokes without a local Vault **server** must set **`vault.global.externalVaultAddr`** to the reachable hub Vault URL (for example **`https://vault-vault.apps.\u003chubClusterDomain\u003e`**, consistent with **openshift-external-secrets** `ClusterSecretStore` when **`vault.externalAddress`** is empty). Derive this in **clustergroup** values so spokes do not hand-maintain a separate file.\n\n**Helm release namespace and the trust ConfigMap**\n\n- The synced trust **`ConfigMap`** is created in **`caProvider.syncProviderCaConfigMap.targetNamespace`** (default **`vault`**).\n- With **`vaultCsiProvider.enabled: true`** (default), the **HashiCorp `vault` subchart** deploys the CSI **DaemonSet into the Helm release namespace**. Projected `ConfigMap` volumes **cannot** reference another namespace, so **install this Application into `vault`** (or set **`targetNamespace`** and **`vault.csi.volumes`** / names together so the `ConfigMap` and DaemonSet share one namespace).\n- Legacy layouts that applied only the **`ConfigMap`** from a **config** namespace while the provider lived elsewhere should either **move this Application to `vault`** or disable **`vaultCsiProvider`** here and manage the provider separately.\n\n**Validated Patterns**\n\n- Hub and spoke: add **`clusterGroup.applications`** and overrides; merge **`vault.global.externalVaultAddr`** for spokes from **`global.hubClusterDomain`** (or equivalent) in clustergroup.\n\n### Validated Patterns clustergroup application\n\nDeclare this chart under `clusterGroup.applications` in your pattern cluster values (for example `values-hub.yaml`). The clustergroup chart renders an Argo CD `Application` per entry.\n\n**1. Chart published in the pattern Helm repo (multi-source)**\n\n```yaml\nclusterGroup:\n  namespaces:\n    vault: {}\n  argoProjects:\n    - hub\n  applications:\n    openshift-sscsi-vault:\n      name: openshift-sscsi-vault-cluster\n      namespace: vault\n      argoProject: hub\n      chart: openshift-sscsi-vault\n      chartVersion: 0.2.*\n      extraValueFiles:\n        - $patternref/overrides/values-openshift-sscsi-vault-cluster.yaml\n      ignoreDifferences:\n        - group: \"\"\n          kind: ConfigMap\n          name: openshift-sscsi-vault-vault-tls-ca\n          namespace: vault\n          jsonPointers:\n            - /data\n          jqPathExpressions:\n            - .data\n```\n\nUse **`namespace: vault`** so the bundled CSI provider can project the trust `ConfigMap` rendered into **`vault`**. Adjust `name`, `argoProject`, and overrides to your pattern. The `ignoreDifferences` block matches the default CNO-injected trust `ConfigMap` when you use `injectTrustedCabundle`.\n\n**2. Chart in its own Git repository (multi-source)**\n\n```yaml\nclusterGroup:\n  applications:\n    openshift-sscsi-vault:\n      name: openshift-sscsi-vault-cluster\n      namespace: vault\n      argoProject: hub\n      repoURL: https://github.com/yourorg/openshift-sscsi-vault-chart.git\n      path: \".\"\n      chartVersion: main\n      extraValueFiles:\n        - $patternref/overrides/values-openshift-sscsi-vault-cluster.yaml\n```\n\nEnsure **`vault`** (or your chosen release namespace) exists under `clusterGroup.namespaces` and the Argo `AppProject` is listed under `clusterGroup.argoProjects`.\n\n### Named templates\n\n- **`openshift_sscsi_vault.syncProviderVaultCACertPath`** — single filesystem path for the CA PEM the **SecretProviderClass** should use (`vaultCACertPath`) when trust is mounted by this chart: **`mountDir`/`trustedCabundleDataKey`** if **`injectTrustedCabundle`** is true (CNO cluster/proxy bundle), else **`mountDir`/`keyInConfigMap`**. Parent charts that render SPCs outside **vp-sscsi-spc** can `include` this helper so paths stay aligned with **`syncProviderCaConfigMap`**.\n- **`openshift_sscsi_vault.vaultTlsCaPemFromCluster`** — PEM for the synced bundle: **`syncProviderCaConfigMap.pemLiteral`** first (Argo CD / `helm template` safe), else optional **`useLookup: true`** cluster copy (ESO-style hub/spoke presets; hub ingress `router-ca` / `router-ca-certs` plus optional `kube-root-ca.crt` concat). Default **`useLookup: false`** because Argo renders manifests without a live API.\n- **`openshift_sscsi_vault.syncVaultCsiTlsCaConfigMapYaml`** — ConfigMap manifest when sync is enabled, **`createConfigMap`** is true, and either PEM from **`vaultTlsCaPemFromCluster`** is non-empty **or** **`syncProviderCaConfigMap.injectTrustedCabundle`** is true (OpenShift `config.openshift.io/inject-trusted-cabundle` label; CNO fills **`trustedCabundleDataKey`**, default **`ca-bundle.crt`**).\n- **`openshift_sscsi_vault.renderSyncCaConfigMap`** — ConfigMap + trailing `---` when non-empty (convenience).\n\nWith **`vaultCsiProvider.enabled: true`**, this chart sets **`vault.csi.volumes`** / **`volumeMounts`** to project the default trust **`ConfigMap`** at **`/etc/pki/vault-ca`**. Override **`vault.csi`** if you use a different bundle name or proxy-only **`ConfigMap`** layout; keep names aligned with **`caProvider.syncProviderCaConfigMap`**.\n\n### Namespaces\n\nThe trust **`ConfigMap`** is created in **`caProvider.syncProviderCaConfigMap.targetNamespace`**. The CSI **DaemonSet** uses the **Helm release namespace**; for the default projected volume to work, those must match (see **Helm release namespace and the trust ConfigMap** above).\n\n### Argo CD and TLS CA material\n\nArgo CD (and plain **`helm template`**) runs **client-side**: **`helm lookup()`** does not see the cluster API. By default **`syncProviderCaConfigMap.enabled: true`**, **`createConfigMap: true`**, and **`injectTrustedCabundle: true`**: the chart renders a **`ConfigMap`** labeled **`config.openshift.io/inject-trusted-cabundle: \"true\"`** (empty **`data`** until the Cluster Network Operator fills **`trustedCabundleDataKey`**, default **`ca-bundle.crt`**). The ConfigMap includes **`argocd.argoproj.io/ignore-differences`** as a small **YAML** document with **`jsonPointers`** (`/data`) and **`jqPathExpressions`** (`.data`) so drift tooling ignores the CNO-managed trust bundle map. Disable with **`argocdIgnoreInjectedTrustedCabundleData: false`**. If your Argo / OpenShift GitOps build does not honor per-resource ignore rules, duplicate both entries under the **Application** **`spec.ignoreDifferences`** for that **`ConfigMap`** and use sync option **`RespectIgnoreDifferences=true`**. Mount only that key on the Vault CSI DaemonSet with a **`projected`** volume (**`configMap.items`** + **`optional: true`**) so the pod tolerates the key appearing after CNO injection. For the previous **rhvp.cluster_utils** flow (Ansible creates **`vault-tls-ca.pem`**), set **`injectTrustedCabundle: false`**, **`createConfigMap: false`**, and avoid duplicate applies for the same **`configMapName`**. Alternatively set **`pemLiteral`** or **`createConfigMap: true`** with **`useLookup: true`** for cluster-side Helm only.\n\n### Notable changes\n\n* v0.0.2: Initial release\n* v0.0.3: Provide default CAs to avoid skipping TLS verify\n* v0.0.9: Normalize `vaultSkipTLSVerify` to `\"true\"`/`\"false\"` strings for HashiCorp vault-csi-provider (`strconv.ParseBool`)\n* v0.0.11: Handle injection of CA material\n* v0.0.12: CA sync via optional `lookup` (`caProvider.syncProviderCaConfigMap`), `renderSyncCaConfigMap`, hub ingress CA fallbacks; parent charts use includes only\n* v0.0.13: Argo-safe TLS CA - `pemLiteral`, `useLookup` (default false), `createConfigMap`; `vaultCACertPath` when PEM is supplied or the ConfigMap is managed out-of-band\n* v0.0.14: Default **`syncProviderCaConfigMap.enabled: true`**, **`createConfigMap: false`**, and **`vaultSkipTLSVerify: \"false\"`** so strict TLS targets the ConfigMap name/key that **rhvp.cluster_utils** provisions; set **`syncProviderCaConfigMap.enabled: false`** to fall back to hub/spoke **`defaultVaultCACertPath`** only\n* v0.0.15: **`injectTrustedCabundle`** defaults to **true** in chart **`values.yaml`** and in named templates when the key is absent or non-boolean (CNO-injected trust bundle aligned with cluster **`Proxy`** / **`trustedCA`**); set **`injectTrustedCabundle: false`** (and typically **`createConfigMap: false`**) for legacy **rhvp.cluster_utils** **`vault-tls-ca.pem`**, **`pemLiteral`**, or **`useLookup`** PEM paths\n* v0.0.16: CNO inject **`ConfigMap`** defaults **`argocd.argoproj.io/ignore-differences`** to **`/data/\u003ctrustedCabundleDataKey\u003e`** (toggle **`argocdIgnoreInjectedTrustedCabundleData`**); optional **`configMapAnnotations`**\n* v0.0.17: **`argocd.argoproj.io/ignore-differences`** now embeds **`jsonPointers`** and **`jqPathExpressions`** for the injected data key (correct jq for keys like **`ca-bundle.crt`**)\n* v0.0.18: Default injected trust drift ignore now targets full **`/data`** (**`jqPathExpressions: [.data]`**) to reduce persistent OutOfSync when injected keys vary\n* v0.1.0: Split responsibilities by scope: this chart now focuses on cluster-wide Vault CSI trust/config components only; app-level SecretProviderClass rendering moves to a dedicated SPC chart\n* v0.2.0: Bundle HashiCorp **`vault`** subchart for Vault **CSI provider**, default projected trust mount aligned with synced **`ConfigMap`**, OpenShift **`privileged`** SCC **RoleBinding**; install release in **`vault`** namespace by default so projection works\n\n## Requirements\n\n| Repository | Name | Version |\n|------------|------|---------|\n| https://helm.releases.hashicorp.com | vault | 0.32.0 |\n\n## Values\n\n| Key | Type | Default | Description |\n|-----|------|---------|-------------|\n| clusterGroup.applications | object | `{}` |  |\n| global | object | `{\"clusterDomain\":\"foo.example.com\",\"hubClusterDomain\":\"hub.example.com\",\"localClusterDomain\":\"\"}` | Global values aligned with openshift-external-secrets chart patterns |\n| ocpSecretsStoreCsiVault | object | see nested keys | Settings for cluster-wide Vault CSI support components |\n| ocpSecretsStoreCsiVault.caProvider | object | `{\"clientCluster\":{\"defaultVaultCACertPath\":\"/etc/pki/vault-ca/hub-kube-root-ca.crt\",\"key\":\"hub-kube-root-ca.crt\",\"name\":\"hub-ca\",\"namespace\":\"external-secrets\",\"type\":\"Secret\"},\"enabled\":true,\"hostCluster\":{\"defaultVaultCACertPath\":\"/etc/pki/vault-ca/kube-root-ca.crt\",\"key\":\"ca.crt\",\"name\":\"kube-root-ca.crt\",\"namespace\":\"external-secrets\",\"type\":\"ConfigMap\"},\"syncProviderCaConfigMap\":{\"argocdIgnoreInjectedTrustedCabundleData\":true,\"configMapAnnotations\":{},\"configMapName\":\"openshift-sscsi-vault-vault-tls-ca\",\"createConfigMap\":true,\"enabled\":true,\"ingressRouterCa\":{\"key\":\"ca-bundle.crt\",\"name\":\"router-ca\",\"namespace\":\"openshift-ingress\"},\"injectTrustedCabundle\":true,\"keyInConfigMap\":\"vault-tls-ca.pem\",\"mountDir\":\"/etc/pki/vault-ca\",\"pemLiteral\":\"\",\"preset\":\"auto\",\"targetNamespace\":\"vault\",\"trustedCabundleDataKey\":\"ca-bundle.crt\",\"useLookup\":false}}` | Provider trust-bundle sourcing for Vault CSI. Supports CNO injected trust, inline PEM, or optional cluster lookup-based copy flows for hub/spoke patterns. Nested: `syncProviderCaConfigMap`, `hostCluster`, `clientCluster`. |\n| ocpSecretsStoreCsiVault.caProvider.enabled | bool | `true` | Enables CA source resolution helpers and optional synced ConfigMap rendering. |\n| ocpSecretsStoreCsiVault.caProvider.hostCluster.defaultVaultCACertPath | string | `\"/etc/pki/vault-ca/kube-root-ca.crt\"` | Default CA bundle path convention for hub-style deployments. |\n| ocpSecretsStoreCsiVault.caProvider.syncProviderCaConfigMap | object | `{\"argocdIgnoreInjectedTrustedCabundleData\":true,\"configMapAnnotations\":{},\"configMapName\":\"openshift-sscsi-vault-vault-tls-ca\",\"createConfigMap\":true,\"enabled\":true,\"ingressRouterCa\":{\"key\":\"ca-bundle.crt\",\"name\":\"router-ca\",\"namespace\":\"openshift-ingress\"},\"injectTrustedCabundle\":true,\"keyInConfigMap\":\"vault-tls-ca.pem\",\"mountDir\":\"/etc/pki/vault-ca\",\"pemLiteral\":\"\",\"preset\":\"auto\",\"targetNamespace\":\"vault\",\"trustedCabundleDataKey\":\"ca-bundle.crt\",\"useLookup\":false}` | Controls generation of the provider-namespace ConfigMap used to mount trust material into Vault CSI provider pods. |\n| ocpSecretsStoreCsiVault.caProvider.syncProviderCaConfigMap.argocdIgnoreInjectedTrustedCabundleData | bool | `true` | When `injectTrustedCabundle` and this chart renders the TLS ConfigMap: set `argocd.argoproj.io/ignore-differences` to a YAML snippet with `jsonPointers` `/data` and `jqPathExpressions` `.data` so Argo ignores CNO-managed bundle content. Honor depends on Argo / OpenShift GitOps version—duplicate under Application `spec.ignoreDifferences` if needed (see README). |\n| ocpSecretsStoreCsiVault.caProvider.syncProviderCaConfigMap.configMapAnnotations | object | `{}` | Extra annotations merged onto the rendered sync TLS ConfigMap (overrides `argocdIgnoreInjectedTrustedCabundleData` annotation keys when the same key is set). |\n| ocpSecretsStoreCsiVault.caProvider.syncProviderCaConfigMap.configMapName | string | `\"openshift-sscsi-vault-vault-tls-ca\"` | ConfigMap name; must match **rhvp.cluster_utils** `vault_ss_csi_route_ca_configmap_name` default (`openshift-sscsi-vault-vault-tls-ca`). |\n| ocpSecretsStoreCsiVault.caProvider.syncProviderCaConfigMap.createConfigMap | bool | `true` | When true, Helm emits the ConfigMap (injection-labeled or PEM from `pemLiteral`/`useLookup`). When false, GitOps/Ansible must create `configMapName`. |\n| ocpSecretsStoreCsiVault.caProvider.syncProviderCaConfigMap.enabled | bool | `true` | Enables synced trust ConfigMap behavior and template helpers. |\n| ocpSecretsStoreCsiVault.caProvider.syncProviderCaConfigMap.ingressRouterCa | object | `{\"key\":\"ca-bundle.crt\",\"name\":\"router-ca\",\"namespace\":\"openshift-ingress\"}` | Router CA ConfigMap reference when preset resolves to ingress router CA (`useLookup` path). |\n| ocpSecretsStoreCsiVault.caProvider.syncProviderCaConfigMap.injectTrustedCabundle | bool | `true` | When true with `createConfigMap` true (default), render a ConfigMap with label `config.openshift.io/inject-trusted-cabundle: \"true\"` and empty `data` so the Cluster Network Operator injects the cluster merged CA bundle. Mutually exclusive with rendered PEM content; set false to use PEM/`lookup` or an out-of-band ConfigMap. |\n| ocpSecretsStoreCsiVault.caProvider.syncProviderCaConfigMap.keyInConfigMap | string | `\"vault-tls-ca.pem\"` | Key within the ConfigMap whose value is the PEM file; must match **rhvp.cluster_utils** `vault_ss_csi_route_ca_configmap_key` default (`vault-tls-ca.pem`). |\n| ocpSecretsStoreCsiVault.caProvider.syncProviderCaConfigMap.mountDir | string | `\"/etc/pki/vault-ca\"` | Directory on the Vault CSI provider pod where the ConfigMap is mounted (must match HashiCorp Vault chart `csi.volumeMounts`). |\n| ocpSecretsStoreCsiVault.caProvider.syncProviderCaConfigMap.pemLiteral | string | `\"\"` | Inline PEM (full bundle). GitOps-friendly: SOPS-encrypted values, Argo CD helm parameters, or a pattern override file. When set, used instead of cluster lookup for CM content when `createConfigMap` is true. |\n| ocpSecretsStoreCsiVault.caProvider.syncProviderCaConfigMap.preset | string | `\"auto\"` | Preset for `useLookup` only: `auto` (hub vs spoke), `ingressrouterca`, `esohubkuberootca`, `esospokehubca`. |\n| ocpSecretsStoreCsiVault.caProvider.syncProviderCaConfigMap.targetNamespace | string | `\"vault\"` | Namespace for the synced ConfigMap when `createConfigMap` is true (Vault CSI provider namespace in typical patterns). |\n| ocpSecretsStoreCsiVault.caProvider.syncProviderCaConfigMap.trustedCabundleDataKey | string | `\"ca-bundle.crt\"` | Data key populated by OpenShift after injection (see \"Certificate injection using Operators\" / custom PKI docs). |\n| ocpSecretsStoreCsiVault.caProvider.syncProviderCaConfigMap.useLookup | bool | `false` | When true, use helm lookup() against the live API (hub ingress CA, ESO-style hub-ca, etc.). False by default because Argo CD client-side render has no API. |\n| ocpSecretsStoreCsiVault.clusterWide.installDefaultManifests | bool | `true` | When true, install cluster-wide manifests owned by this chart (currently the optional Vault CSI TLS CA sync ConfigMap). |\n| ocpSecretsStoreCsiVault.vaultCsiProvider | object | `{\"enabled\":true,\"openshiftPrivilegedSCCRoleBinding\":{\"enabled\":true}}` | HashiCorp Vault Helm subchart: deploys the Vault CSI provider DaemonSet and related RBAC when enabled. Disable if you only render trust `ConfigMap` templates from another release (not recommended for new installs). |\n| ocpSecretsStoreCsiVault.vaultCsiProvider.openshiftPrivilegedSCCRoleBinding | object | `{\"enabled\":true}` | When true with CSI enabled on OpenShift, grant the provider ServiceAccount the `privileged` SCC. |\n| vault | object | see nested keys | HashiCorp `vault` subchart (https://github.com/hashicorp/vault-helm). Defaults: CSI provider only (no Vault server), OpenShift paths and UBI images. Keep `csi.volumes` ConfigMap `name` aligned with `ocpSecretsStoreCsiVault.caProvider.syncProviderCaConfigMap.configMapName` (Helm values do not cross-reference keys). Install this Helm release into the **same namespace** as that ConfigMap (default `vault`) so the projected volume can mount it. |\n| vault.global.externalVaultAddr | string | `\"\"` | Hub Vault API URL for CSI `VAULT_ADDR` when `csi.agent.enabled` is false (required on spokes unless you set it from the clustergroup layer). Example: `https://vault-vault.apps.\u003chubClusterDomain\u003e`. |\n\n----------------------------------------------\nAutogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvalidatedpatterns%2Fopenshift-sscsi-vault-chart","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvalidatedpatterns%2Fopenshift-sscsi-vault-chart","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvalidatedpatterns%2Fopenshift-sscsi-vault-chart/lists"}