Expose Vault with a Service according to Vault's reference architecture

[macaptain]

Is your feature request related to a problem? Please describe. I'm trying to implement the Vault reference architecture. There are some recommendations which aren't possible to follow with this chart alone.

For exposing the Vault service outside of a dedicated cluster, none of the existing Services (vault, vault-standby, vault-active or vault-ui) are suitable:

• None of the services allow you to set spec.externalTrafficPolicy which should be set to "local"
• Only vault-ui is supported with type LoadBalancer (with chosen loadBalancerIP), but I may want to run my Vault cluster with ui=off. While the service would be fine, this would be quite misleading.

Note that Ingress is also recommended against.

Describe the solution you'd like I'd like if the chart defined an optional Service (perhaps named vault-lb) which is:

• type: "LoadBalancer"
• configurable loadBalancerIP
• spec.externalTrafficPolicy: "local"
• selects active Vault node

Happy to make a PR if this is considered desirable.

If all these settings were configurable with values.yaml, this Service would make it possible to deprecate vault-ui.

Describe alternatives you've considered Could add spec.externalTrafficPolicy to vault-ui, and then there's enough in values.yaml to configure it to meet the recommendations, but the name is misleading if you don't want to turn Vault's UI on. At the moment, I have to apply a manifest to define a Service as per the reference documentation after installing the chart.

[rvandegrift]

This would be useful for anyone else who's still working off the old incubator/vault chart.