Configuration

Lieutenant Operator is configured via environment variables:

Environment Variable Description Default

Environment Variable	Description	Default
VAULT_ADDR	Sets the address to the Vault instance
VAULT_TOKEN	Sets the Vault token to be used, only recommended for testing. In production the K8s authentication should be used by omitting the setting.
VAULT_AUTH_PATH	Sets the mount path where the auth method is enabled, without the `auth/` prefix.	`kubernetes`
VAULT_SECRET_ENGINE_PATH	Configures the mount path of the KV secret engine to be used.	`kv`
SKIP_VAULT_SETUP	Doesn’t create any Vault secrets. Recommended for testing only.	false
DEFAULT_DELETION_POLICY	Sets what deletion policy for external resources (Git, Vault) should be used by default. One of `Archive`, `Delete`, `Retain`. See Explanation/Object Deletion for more information.	Archive
DEFAULT_CREATION_POLICY	Sets what creation policy for Git repositories should be used by default. One of `Create` or `Adopt`. See Object Adoption for more information.	Create
LIEUTENANT_DELETE_PROTECTION	Defines whether the annotation to protect for accidental deletion should be set by default. See Explanation/Object Deletion for more information.	true
LIEUTENANT_SYNC_DURATION	Defines with what frequency the CRs will be synced	5m
DEFAULT_GLOBAL_GIT_REPO_URL	URL of the default global configuration git repository. Its value will be applied to `tenant.Spec.GlobalGitRepoURL` if not set otherwise. If left empty, the `GlobalGitRepoURL` field will remain untouched.
LIEUTENANT_CREATE_SERVICEACCOUNT_TOKEN_SECRET	Defines whether the operator should manage ServiceAccount token secrets for the Tenant and Cluster ServiceAccounts as documented for creating additional API tokens in the upstream Kubernetes documentation. This must be set to `true` on Kubernetes 1.24+ to ensure that API access tokens for new clusters are generated correctly.	false

VAULT_ADDR

Sets the address to the Vault instance

VAULT_TOKEN

Sets the Vault token to be used, only recommended for testing. In production the K8s authentication should be used by omitting the setting.

VAULT_AUTH_PATH

Sets the mount path where the auth method is enabled, without the auth/ prefix.

kubernetes

VAULT_SECRET_ENGINE_PATH

Configures the mount path of the KV secret engine to be used.

kv

SKIP_VAULT_SETUP

Doesn’t create any Vault secrets. Recommended for testing only.

false

DEFAULT_DELETION_POLICY

Sets what deletion policy for external resources (Git, Vault) should be used by default. One of Archive, Delete, Retain. See Explanation/Object Deletion for more information.

Archive

DEFAULT_CREATION_POLICY

Sets what creation policy for Git repositories should be used by default. One of Create or Adopt. See Object Adoption for more information.

Create

LIEUTENANT_DELETE_PROTECTION

Defines whether the annotation to protect for accidental deletion should be set by default. See Explanation/Object Deletion for more information.

true

LIEUTENANT_SYNC_DURATION

Defines with what frequency the CRs will be synced

DEFAULT_GLOBAL_GIT_REPO_URL

URL of the default global configuration git repository. Its value will be applied to tenant.Spec.GlobalGitRepoURL if not set otherwise. If left empty, the GlobalGitRepoURL field will remain untouched.

LIEUTENANT_CREATE_SERVICEACCOUNT_TOKEN_SECRET

Defines whether the operator should manage ServiceAccount token secrets for the Tenant and Cluster ServiceAccounts as documented for creating additional API tokens in the upstream Kubernetes documentation. This must be set to true on Kubernetes 1.24+ to ensure that API access tokens for new clusters are generated correctly.

false