Initial Helm chart release

Lester Guerzon
2022-03-19 17:01:51 +01:00
committed by GitHub
parent 0e3df8db52
commit 89c3885ef2
15 changed files with 948 additions and 0 deletions

5
.gitignore vendored Normal file

@@ -0,0 +1,5 @@
*.tgz
/.idea/*
.vscode
.DS_Store
testing-values.yaml

21
.helmignore Normal file

@@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
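Review bot: the ignore list misses the chart's own local files, so `helm package` will bundle `demo.yaml` (which carries an `adminToken`) and `testing-values.yaml` into the released `.tgz`; add `demo.yaml`, `testing-values.yaml`, `.vscode/` and `*.tgz` here next to the VCS and IDE patterns. The `.gitignore` in this commit keeps most of these out of git, but `.helmignore` is what governs the package contents.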

31
CONTRIBUTING.md Normal file

@@ -0,0 +1,31 @@
# Contributing Guide
## Requirements
1. Fork this repository, develop, and test your changes.
2. Submit a pull request.
### Technical Requirements
When submitting a PR make sure that it:
- The PR follow [Helm best practices](https://helm.sh/docs/chart_best_practices/).
- Any change to a chart requires a version bump following [semver](https://semver.org/) principles.
- The tables of parameters are generated based on the metadata information from the `values.yaml` file, by using [this tool](https://github.com/bitnami-labs/readme-generator-for-helm).
The easiest way to do this is to run the tool via Docker:
```bash
# Clone and build:
git clone https://github.com/bitnami-labs/readme-generator-for-helm
cd readme-generator-for-helm/
docker build -t readme-gen .
# Run the tool and mount the current project directory.
cd <this-project-dir>
docker run --rm -d -it --name readmegen -v $(pwd):/mnt readme-gen bash
docker exec -it readmegen bash
```
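Review bot: the "Technical Requirements" bullets do not parse as continuations of "make sure that it:" (`The PR follow` should be "follows", and the second and third bullets are standalone statements), and the Docker snippet ends by dropping the reader into an interactive shell without ever naming the command that regenerates the parameter tables from `values.yaml`; state that invocation explicitly. Consider also dropping `-d` from `docker run --rm -d -it ... bash`, since the following `docker exec` exists only to reattach to a shell that could have been started in the foreground.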

15
Chart.yaml Normal file

@@ -0,0 +1,15 @@
apiVersion: v2
name: vaultwarden
description: vaultwarden is an unofficial Bitwarden-compatibnle server written in Rust
keywords:
- Rust
- vaultwarden
sources:
- https://github.com/guerzon/vaultwarden-helm
- https://github.com/dani-garcia/vaultwarden
appVersion: 1.24.0
maintainers:
- name: Lester Guerzon
email: lester@pidnull.io
url: https://github.com/guerzon
version: 0.2.0
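Review bot: `sources` points at `https://github.com/guerzon/vaultwarden-helm` while the README in this same commit clones from, and files issues against, `https://github.com/guerzon/vaultwarden`; pick one canonical repository URL and use it everywhere. Fix the typo in `description` (`compatibnle` should be `compatible`), and note that a commit titled "Initial Helm chart release" ships `version: 0.2.0`; that is fine if 0.1.0 was never published, but the version history should match what the chart repository index will record.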

333
README.md Normal file

@@ -0,0 +1,333 @@
# Helm chart for vaultwarden
[![MIT Licensed](https://img.shields.io/github/license/guerzon/vaultwarden.svg)](https://github.com/guerzon/vaultwarden/blob/develop/LICENSE)
[![Helm Release](https://img.shields.io/docker/v/vaultwarden/server/1.24.0)](https://img.shields.io/docker/v/vaultwarden/server/1.24.0)
[vaultwarden](https://github.com/dani-garcia/vaultwarden), formerly known as **Bitwarden_RS**, is an alternative implementation of the Bitwarden server API and is written in Rust.
## TL;DR
```bash
git clone https://github.com/guerzon/vaultwarden
cd vaultwarden
helm install my-vaultwarden-release .
```
## Description
### Short intro
In 2020, I built a simple project for deploying **Bitwarden_RS** to Kubernetes, which can be found [here](https://github.com/guerzon/bitwarden-kubernetes). That project is made up of various YAML files which have to be edited manually when adding required customizations.
The aim of this project is to deploy `vaultwarden` with a stable configuration to Kubernetes clusters using [Helm](https://helm.sh/docs/).
The upstream repository for the `vaultwarden` project can be found [here](https://github.com/dani-garcia/vaultwarden).
To learn more about Vaultwarden, please visit the [wiki](https://github.com/dani-garcia/vaultwarden/wiki).
## Prerequisites
- Kubernetes 1.12+
- Helm 3.1.0
## Usage
To deploy the chart with the release name `vaultwarden-release`:
```bash
export NAMESPACE=vaultwarden
export DOMAIN_NAME=pass.company.com
helm install vaultwarden-release . \
--namespace $NAMESPACE \
--set "ingress.enabled=true" \
--set "ingress.hostname=$DOMAIN_NAME"
```
To deploy the chart to another namespace using custom values in the file `demo.yaml`:
```bash
export NAMESPACE=vaultwarden-demo
export RELEASE_NAME=vaultwarden-demo
helm upgrade -i \
-n $NAMESPACE $RELEASE_NAME . \
-f demo.yaml
```
### General configuration
This chart deploys `vaultwarden` from pre-built images on [Docker Hub](https://hub.docker.com/r/vaultwarden/server/tags): `vaultwarden/server`. The image can be defined by specifying the tag with `image.tag`.
Example that uses the Alpine-based image `1.24.0-alpine` and an existing secret that contains registry credentials:
```yaml
image:
tag: "1.24.0-alpine"
pullSecrets:
- myRegKey
```
**Important**: specify the URL used by users with the `domain` variable, otherwise, some functionalities might not work:
```yaml
domain: "https://vaultwarden.contoso.com:9443/"
```
Detailed configuration options can be found in the [Vaultwarden settings](#vaultwarden-settings) section below.
### Database options
By default, `vaultwarden` uses a SQLite database located in `/data/db.sqlite3`. However, it is also possible to make use of an external database, in particular either [MySQL](https://www.mysql.com/downloads/) or [PostgreSQL](https://www.postgresql.org).
To configure an external database, set `database.type` to either `mysql` or `postgresql` and specify the datase connection information.
Example for using an external MySQL database:
```yaml
database:
type: mysql
host: database.contoso.eu
username: appuser
password: apppassword
dbName: prodapp
```
You can also specify the connection string:
```yaml
database:
type: postgresql
uriOverride: "postgresql://appuser:apppassword@pg.contoso.eu:5433/qualdb"
```
Detailed configuration options can be found in the [Database Configuration](#database-configuration) section below.
### SSL and Ingress
This chart supports the usage of existing Ingress Controllers for exposing the `vaultwarden` deployment.
#### nginx-ingress
Nginx ingress controller can be installed by following [this](https://kubernetes.github.io/ingress-nginx/deploy/) guide. An SSL certificate can be added as a secret with a few commands:
```bash
cd <dir-containing-the-certs>
kubectl create secret -n vaultwarden \
tls vw-constoso-com-crt \
--key privkey.pem \
--cert fullchain.pem
```
Once both prerequisites are ready, values can be set as follows:
```yaml
ingress:
enabled: true
class: "nginx"
tlsSecret: vw-constoso-com-crt
hostname: vaultwarden.contoso.com
allowList: "10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16"
```
#### AWS LB Controller
When using AWS, the [AWS Load Balancer controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/deploy/installation/) can be used together with [ACM](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/guide/ingress/cert_discovery/).
Example for AWS:
```yaml
ingress:
enabled: true
class: "alb"
hostname: vaultwarden.contoso.com
additionalAnnotations:
alb.ingress.kubernetes.io/scheme: internet-facing
alb.ingress.kubernetes.io/tags: Environment=dev,Team=test
alb.ingress.kubernetes.io/certificate-arn: "arn:aws:acm:eu-central-1:ACCOUNT:certificate/LONGID"
```
Detailed configuration options can be found in the [Exposure Parameters](#exposure-parameters) section below.
### Security
An admin token can be generated with: `openssl rand -base64 48`.
Detailed configuration options can be found in the [Security Settings](#security-settings) section below.
By default, the chart deploys a [service account](https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/) called `vaultwarden-svc`.
```yaml
serviceAccount:
create: true
name: "vaultwarden-svc"
```
Detailed configuration options can be found in the [Security settings](#security-settings) section below.
### Mail settings
To enable the SMTP service, make sure that at a minimum, `smtp.host` and `smtp.from` are set.
```yaml
smtp:
host: mx01.contoso.com
from: no-reply@contoso.com
fromName: "Vault Administrator"
username: admin
password: password
acceptInvalidHostnames: "true"
acceptInvalidCerts: "true"
```
Detailed configuration options can be found in the [SMTP Configuration](#smtp-configuration) section below.
### Storage
To use persistent storage using a claim, set `storage.enabled` to `true`. The following example sets the storage class to an already-installed Rancher's [local path storage](https://github.com/rancher/local-path-provisioner) provisioner.
```yaml
storage:
enabled: true
size: "10Gi"
class: "local-path"
```
Example for AWS:
```yaml
storage:
enabled: true
size: "10Gi"
class: "gp2"
```
Detailed configuration options can be found in the [Storage Configuration](#storage-configuration) section below.
## Parameters
### Vaultwarden settings
| Name | Description | Value |
| ------------------- | --------------------------------------------- | -------------------- |
| `image.registry` | Vaultwarden image registry | `docker.io` |
| `image.repository` | Vaultwarden image repository | `vaultwarden/server` |
| `image.tag` | Vaultwarden image tag | `1.24.0` |
| `image.pullPolicy` | Vaultwarden image pull policy | `IfNotPresent` |
| `image.pullSecrets` | Specify docker-registry secret names | `[]` |
| `domain` | Domain name where the application is accessed | `""` |
| `websocket.enabled` | Enable websocket notifications | `true` |
| `websocket.address` | Websocket listen address | `0.0.0.0` |
| `websocket.port` | Websocket listen port | `3012` |
| `rocket.port` | Rocket port | `8080` |
| `rocket.workers` | Rocket number of workers | `10` |
| `webVaultEnabled` | Enable Web Vault | `true` |
### Security settings
| Name | Description | Value |
| ----------------------- | ------------------------------------------------------------------- | ------------------- |
| `adminToken` | The admin token used for /admin | `R@ndomToken$tring` |
| `signupDomains` | List of domain names for users allowed to register | `contoso.com` |
| `signupsVerify` | Whether to require account verification for newly-registered users. | `true` |
| `showPassHint` | Whether a password hint should be shown in the page. | `false` |
| `fullnameOverride` | String to override the application name. | `""` |
| `serviceAccount.create` | Create a service account | `true` |
| `serviceAccount.name` | Name of the service account to create | `vaultwarden-svc` |
### Exposure Parameters
| Name | Description | Value |
| ------------------------------- | ------------------------------------------------------------------------------ | ------------------------ |
| `ingress.enabled` | Deploy an ingress resource. | `false` |
| `ingress.class` | Ingress resource class | `nginx` |
| `ingress.additionalAnnotations` | Additional annotations for the ingress resource. | `{}` |
| `ingress.tls` | Enable TLS on the ingress resource. | `true` |
| `ingress.hostname` | Hostname for the ingress. | `warden.contoso.com` |
| `ingress.path` | Default application path for the ingress | `/` |
| `ingress.pathWs` | Path for the websocket ingress | `/notifications/hub` |
| `ingress.pathType` | Path type for the ingress | `ImplementationSpecific` |
| `ingress.pathTypeWs` | Path type for the ingress | `ImplementationSpecific` |
| `ingress.tlsSecret` | Kubernetes secret containing the SSL certificate when using the "nginx" class. | `""` |
| `ingress.nginxAllowList` | Comma-separated list of IP addresses and subnets to allow. | `""` |
| `service.type` | Service type | `ClusterIP` |
| `service.annotations` | Additional annotations for the vaultwarden service | `{}` |
### Database Configuration
| Name | Description | Value |
| ---------------------- | ----------------------------------------- | --------- |
| `database.type` | Database type, either mysql or postgresql | `default` |
| `database.host` | Database hostname or IP address | `""` |
| `database.port` | Database port | `""` |
| `database.username` | Database username | `""` |
| `database.password` | Database password | `""` |
| `database.dbName` | Database name | `""` |
| `database.uriOverride` | Manually specify the DB connection string | `""` |
### SMTP Configuration
| Name | Description | Value |
| ----------------------------- | ------------------------------------- | ---------- |
| `smtp.host` | SMTP host | `""` |
| `smtp.security` | SMTP Encryption method | `starttls` |
| `smtp.port` | SMTP port | `25` |
| `smtp.from` | SMTP sender email address | `""` |
| `smtp.fromName` | SMTP sender FROM | `""` |
| `smtp.username` | Username for the SMTP authentication. | `""` |
| `smtp.password` | Password for the SMTP service. | `""` |
| `smtp.authMechanism` | SMTP authentication mechanism | `Plain` |
| `smtp.acceptInvalidHostnames` | Accept Invalid Hostnames | `false` |
| `smtp.acceptInvalidCerts` | Accept Invalid Certificates | `false` |
| `smtp.debug` | SMTP debugging | `false` |
### Storage Configuration
| Name | Description | Value |
| ----------------- | ------------------------------------------- | --------- |
| `storage.enabled` | Enable configuration for persistent storage | `false` |
| `storage.size` | Storage size for /data | `15Gi` |
| `storage.class` | Specify the storage class | `default` |
| `storage.dataDir` | Specify the data directory | `/data` |
## Uninstall
To uninstall/delete the `vaultwarden-demo` release:
```console
export NAMESPACE=vaultwarden
export RELEASE_NAME=vaultwarden-demo
helm -n $NAMESPACE uninstall $RELEASE_NAME
```
## Notes
I initially built this Helm chart for the purposes of learning Helm chart development, brush up on my Kubernetes skills, and in general, learn how to better manage application releases in Kubernetes.
Thus, I have to mention that this chart has to be tested more thoroughly before it is used in a production environment.
Nevertheless, if you find any issues while using this chart, or have any suggestions, I would appreciate it if you would [submit an issue](https://github.com/guerzon/vaultwarden/issues/new).
### Todo
1. Implement more configuration options.
2. Prometheus metrics scraping would be nice to have.
3. Automated testing, CI
## License
[MIT](./LICENSE).
## Author
This Helm chart was created and is being maintained by [Lester Guerzon](https://pidnull.io).
### Credits
- The `vaultwarden` project can be found [here](https://github.com/dani-garcia/vaultwarden)
- Further information about `Bitwarden` and 8bit Solutions LLC can be found [here](https://bitwarden.com/)
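Review bot: the nginx example under "SSL and Ingress" sets `ingress.allowList`, but `templates/ingress.yaml` and `values.yaml` only read `ingress.nginxAllowList`, so a user who copies the example gets no `whitelist-source-range` annotation and the vault stays reachable from any source address with nothing to tell them; rename the key in the example. Two more things readers will paste verbatim: the SMTP example sets `acceptInvalidHostnames: "true"` and `acceptInvalidCerts: "true"`, which turns off certificate validation on the mail connection that carries invitation and verification links (show the `false` defaults and explain those knobs separately), and the Security section says how to generate an admin token but not that the chart's default `R@ndomToken$tring` is a published value that must be overridden before `/admin` is exposed. Smaller: "Helm 3.1.0" should read 3.1.0+; the "Helm Release" badge actually renders the Docker Hub image tag; `datase` should be `database`; `vw-constoso-com-crt` is `contoso` misspelt (it still works only because the same misspelling is used for both the secret and `tlsSecret`); and the "Detailed configuration options ... Security settings" sentence appears twice in the Security section.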

17
demo.yaml Normal file

@@ -0,0 +1,17 @@
domain: "https://vaultwarden.constoso.com"
ingress:
enabled: true
hostname: vaultwarden.contoso.com
class: "alb"
additionalAnnotations:
alb.ingress.kubernetes.io/scheme: internet-facing
alb.ingress.kubernetes.io/tags: Environment=dev,Team=test
alb.ingress.kubernetes.io/certificate-arn: "arn:aws:acm:eu-central-1:ACCOUNT:certificate/LONGID"
adminToken: "khit9gYQV6ax9LKTTm+s6QbZi5oiuR+3s1PEn9q3IRmCl9IQn7LmBpmFCOYTb7Mr"
image:
pullSecrets:
- myRegKey
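Review bot: `domain` is `https://vaultwarden.constoso.com` while `ingress.hostname` is `vaultwarden.contoso.com`; because vaultwarden derives the links in the mails it sends and the WebAuthn origin from `DOMAIN`, the typo means those will not match the host users actually browse to, so fix the spelling so the two agree. Also replace the 64-character `adminToken` with an obvious placeholder: a committed value that looks like real `openssl rand -base64 48` output will trip secret scanners and invites copy-paste into real deployments, and `.gitignore` in this commit already anticipates keeping such values in an untracked `testing-values.yaml`.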

7
templates/NOTES.txt Normal file

@@ -0,0 +1,7 @@
** Please be patient while the chart is being deployed **
Thanks for installing {{ .Chart.Name }}.
You have named your release: {{ .Release.Name }}.
Vaultwarden is accessible here: {{ .Values.ingress.hostname }}
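Review bot: the last line prints `{{ .Values.ingress.hostname }}` unconditionally, but `ingress.enabled` defaults to `false`, so a default install reports the vault as "accessible here: warden.contoso.com" when nothing is exposed at all; guard the line with `{{- if .Values.ingress.enabled }}`, print a `kubectl port-forward` hint against the `http` service port otherwise, and prefer `{{ .Values.domain }}` (the URL users actually need) over the bare hostname whenever it is set.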

31
templates/_helpers.tpl Normal file

@@ -0,0 +1,31 @@
{{/*
Return a default application name.
*/}}
{{- define "vaultwarden.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 20 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 20 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 20 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- define "dbPort" -}}
{{- if .Values.database.port }}
{{- printf "%s%s" ":" .Values.database.port }}
{{- else }}
{{- printf "%s" "" }}
{{- end }}
{{- end }}
{{/*
Return the database string
*/}}
{{ define "dbString" }}
{{- $var := print .Values.database.type "://" .Values.database.username ":" .Values.database.password "@" .Values.database.host (include "dbPort" . ) "/" .Values.database.dbName }}
{{- printf "%s" $var }}
{{- end -}}
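Review bot: `dbString` splices `.Values.database.username` and `.Values.database.password` into the URL verbatim, so a password containing `@`, `/`, `:` or `#` (common for generated secrets) yields a connection string that parses with the wrong host or credentials; pass both through `urlquery` before concatenation. In `dbPort`, `printf "%s%s" ":" .Values.database.port` renders `%!s(int=5432)` as soon as a user writes the port as a YAML integer instead of the quoted string the default uses; use `%v` or `toString`. Separately, `trunc 20` in `vaultwarden.fullname` is far below the 63-character limit Helm's scaffold uses and will cut ordinary release names such as `vaultwarden-production` into colliding prefixes; 63 is the conventional value.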

39
templates/configmap.yaml Normal file

@@ -0,0 +1,39 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "vaultwarden.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/component: vaultwarden
data:
DOMAIN: {{ .Values.domain | quote }}
{{- if ne "default" .Values.database.type }}
{{- if .Values.database.uriOverride }}
DATABASE_URL: {{ .Values.database.uriOverride }}
{{- else }}
DATABASE_URL: {{ include "dbString" . | quote }}
{{- end }}
{{- end }}
{{- if and .Values.smtp.host .Values.smtp.from | quote }}
SMTP_HOST: {{ .Values.smtp.host | quote }}
SMTP_SECURITY: {{ .Values.smtp.security | quote }}
SMTP_PORT: {{ .Values.smtp.port | quote }}
SMTP_AUTH_MECHANISM: {{ .Values.smtp.authMechanism | quote }}
SMTP_FROM: {{ .Values.smtp.from | quote }}
SMTP_FROM_NAME: {{ default "Vaultwarden" .Values.smtp.fromName | quote }}
SMTP_DEBUG: {{ .Values.smtp.debug | quote }}
SMTP_ACCEPT_INVALID_HOSTNAMES: {{ .Values.smtp.acceptInvalidHostnames | quote }}
SMTP_ACCEPT_INVALID_CERTS: {{ .Values.smtp.acceptInvalidCerts | quote }}
{{- end }}
{{- if .Values.websocket.enabled }}
WEBSOCKET_ENABLED: "true"
WEBSOCKET_ADDRESS: {{ .Values.websocket.address | quote }}
WEBSOCKET_PORT: {{ .Values.websocket.port | quote }}
{{- end }}
DATA_FOLDER: {{ .Values.storage.dataDir | quote }}
ROCKET_PORT: {{ .Values.rocket.port | quote }}
ROCKET_WORKERS: {{ .Values.rocket.workers | quote }}
SHOW_PASSWORD_HINT: {{ .Values.showPassHint | quote }}
SIGNUPS_DOMAINS_WHITELIST: {{ .Values.signupDomains | quote }}
SIGNUPS_VERIFY: {{ .Values.signupsVerify | quote }}
WEB_VAULT_ENABLED: {{ .Values.webVaultEnabled | quote }}
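Review bot: `DATABASE_URL` embeds the database username and password (via `dbString` or `uriOverride`) but is written to a ConfigMap, which carries no secret semantics in RBAC and is readable by anything holding `configmaps get` in the namespace; move it to the `Secret` next to `ADMIN_TOKEN` and `SMTP_PASSWORD` and inject it with `secretKeyRef`. The guard `{{- if and .Values.smtp.host .Values.smtp.from | quote }}` is also always true: with an empty `host`, `and` yields `""`, `quote` turns that into the two-character string `""`, which is truthy, so every SMTP key is emitted with empty values on a default install; drop the `| quote`. Minor: `DATABASE_URL: {{ .Values.database.uriOverride }}` is the one value here not passed through `quote`, and a URI containing `#` or `: ` can break the YAML.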

71
templates/ingress.yaml Normal file

@@ -0,0 +1,71 @@
{{- if .Values.ingress.enabled }}
{{- $newAPIversion := .Capabilities.APIVersions.Has "networking.k8s.io/v1" }}
{{- if $newAPIversion }}
apiVersion: networking.k8s.io/v1
{{- else }}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ include "vaultwarden.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/component: vaultwarden
annotations:
ingress.kubernetes.io/rewrite-target: /
{{- if .Values.ingress.tls }}
ingress.kubernetes.io/ssl-redirect: "true"
{{- end }}
{{- if .Values.ingress.additionalAnnotations }}
{{- toYaml .Values.ingress.additionalAnnotations | nindent 4 }}
{{- end }}
{{- if eq "nginx" .Values.ingress.class }}
nginx.ingress.kubernetes.io/configuration-snippet: |
more_set_headers "Request-Id: $req_id";
nginx.ingress.kubernetes.io/connection-proxy-header: "keep-alive"
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/limit-connections: "25"
nginx.ingress.kubernetes.io/limit-rps: "15"
nginx.ingress.kubernetes.io/proxy-body-size: 1024m
nginx.ingress.kubernetes.io/proxy-connect-timeout: "10"
nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
{{- if .Values.ingress.nginxAllowList }}
nginx.ingress.kubernetes.io/whitelist-source-range: {{ .Values.ingress.nginxAllowList }}
{{- end }}
{{- end }}
spec:
{{- if .Values.ingress.class }}
ingressClassName: {{ .Values.ingress.class | quote }}
{{- end }}
{{- if .Values.ingress.tls }}
tls:
- hosts:
- {{ .Values.ingress.hostname | quote }}
{{- if eq "nginx" .Values.ingress.class }}
secretName: {{ .Values.ingress.tlsSecret }}
{{- end }}
{{- end }}
rules:
- host: {{ .Values.ingress.hostname | quote }}
http:
paths:
- path: {{ .Values.ingress.path }}
pathType: {{ .Values.ingress.pathType }}
backend:
service:
name: {{ include "vaultwarden.fullname" . }}
port:
name: "http"
{{- if .Values.websocket.enabled }}
- path: {{ .Values.ingress.pathWs }}
pathType: {{ .Values.ingress.pathTypeWs }}
backend:
service:
name: {{ include "vaultwarden.fullname" . }}
port:
name: "websocket"
{{- end }}
{{- end }}
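Review bot: the `extensions/v1beta1` fallback is not usable as written: `ingressClassName` and the `backend.service.name` / `port.name` shape exist only in `networking.k8s.io/v1`, so on a cluster without that API the rendered object is rejected (v1beta1 expects `serviceName`/`servicePort`); either render the old shape in the `else` branch or drop the fallback and raise the Kubernetes prerequisite to 1.19+. On the nginx branch, `nginx.ingress.kubernetes.io/enable-cors: "true"` with no `cors-allow-origin` makes the controller answer every origin's preflight with `Access-Control-Allow-Origin: *`; nothing here needs cross-origin access and vaultwarden sets its own CORS headers, so remove it rather than widen the API's exposure. `ingress.kubernetes.io/rewrite-target: /` and `ingress.kubernetes.io/ssl-redirect` are legacy un-prefixed keys that current ingress-nginx ignores, but a controller that honours the former would rewrite every API path to `/`; drop both. Finally, `whitelist-source-range: {{ .Values.ingress.nginxAllowList }}` is unquoted while the README's example value contains `, ` separators; pipe it through `quote`.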

48
templates/rbac.yaml Normal file

@@ -0,0 +1,48 @@
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.serviceAccount.name }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/component: vaultwarden
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "vaultwarden.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/component: vaultwarden
rules:
- apiGroups: ["extensions", "apps"]
resources: ["deployments"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
resources: ["pods/log"]
verbs: ["get","list","watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "vaultwarden.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/component: vaultwarden
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "vaultwarden.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccount.name }}
{{- end }}
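Review bot: the `Role` grants the vaultwarden service account create/delete/patch on `deployments`, `pods` and `pods/exec`, plus `get` on `secrets`, yet nothing in the chart's containers talks to the Kubernetes API; `pods/exec` create together with `secrets` get means a compromise of the vaultwarden process (which already holds every user's encrypted vault) becomes a shell in every other pod in the namespace and a read of every secret there. Drop the `Role` and `RoleBinding` entirely, keep the `ServiceAccount` only as an identity for policies, and set `automountServiceAccountToken: false` on it so no API token is mounted into the pod at all.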

12
templates/secrets.yaml Normal file

@@ -0,0 +1,12 @@
apiVersion: v1
kind: Secret
metadata:
name: {{ include "vaultwarden.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/component: vaultwarden
type: Opaque
data:
SMTP_USERNAME: {{ .Values.smtp.username | b64enc | quote }}
SMTP_PASSWORD: {{ .Values.smtp.password | b64enc | quote }}
ADMIN_TOKEN: {{ .Values.adminToken | b64enc | quote }}
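Review bot: `ADMIN_TOKEN` is rendered from `.Values.adminToken`, whose default is the published string `R@ndomToken$tring`, so an install that forgets to override it ships `/admin` protected by a value anyone can read in this repository; use `{{ required "adminToken must be set" .Values.adminToken | b64enc | quote }}` so the render fails instead, or support an `existingSecret` reference so operators never have to put the token in a values file at all.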

26
templates/service.yaml Normal file

@@ -0,0 +1,26 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "vaultwarden.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/component: vaultwarden
{{- if .Values.service.annotations }}
annotations:
{{- toYaml .Values.service.annotations | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.service.type | quote }}
selector:
app.kubernetes.io/component: vaultwarden
ports:
- name: "http"
port: 80
protocol: TCP
targetPort: 8080
{{- if .Values.websocket.enabled }}
- name: "websocket"
port: 3012
protocol: TCP
targetPort: {{ .Values.websocket.port }}
{{- end }}
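Review bot: `targetPort: 8080` is hard-coded while `rocket.port` is configurable and is what the ConfigMap passes as `ROCKET_PORT`, so setting `rocket.port` to anything else silently breaks the `http` port; use `{{ .Values.rocket.port }}` here and for the StatefulSet's `containerPort`. The selector matches only `app.kubernetes.io/component: vaultwarden`, a fixed label, so two releases of this chart in one namespace would load-balance across each other's pods; add an instance label such as `app.kubernetes.io/instance: {{ .Release.Name }}` to both the selector and the pod template.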


@@ -0,0 +1,77 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ include "vaultwarden.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/component: vaultwarden
spec:
serviceName: vaultwarden
replicas: 1
selector:
matchLabels:
app: vaultwarden
app.kubernetes.io/component: vaultwarden
template:
metadata:
labels:
app: vaultwarden
app.kubernetes.io/component: vaultwarden
spec:
containers:
- image: {{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
name: vaultwarden
envFrom:
- configMapRef:
name: {{ include "vaultwarden.fullname" . }}
env:
- name: SMTP_USERNAME
valueFrom:
secretKeyRef:
name: {{ include "vaultwarden.fullname" . }}
key: SMTP_USERNAME
- name: SMTP_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "vaultwarden.fullname" . }}
key: SMTP_PASSWORD
- name: ADMIN_TOKEN
valueFrom:
secretKeyRef:
name: {{ include "vaultwarden.fullname" . }}
key: ADMIN_TOKEN
ports:
- containerPort: 8080
name: http
protocol: TCP
- containerPort: {{ .Values.websocket.port }}
name: websocket
protocol: TCP
{{- if .Values.storage.enabled }}
volumeMounts:
- name: vaultwarden-data
mountPath: {{ .Values.storage.dataDir }}
{{- end }}
resources:
limits:
cpu: 300m
memory: 1Gi
requests:
cpu: 50m
memory: 256Mi
{{- if .Values.serviceAccount.create }}
serviceAccountName: {{ .Values.serviceAccount.name }}
{{- end }}
{{- if .Values.storage.enabled }}
volumeClaimTemplates:
- metadata:
name: vaultwarden-data
spec:
accessModes:
- "ReadWriteOnce"
resources:
requests:
storage: {{ .Values.storage.size }}
storageClassName: {{ default "default" .Values.storage.class }}
{{- end }}
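Review bot: the pod has no `securityContext` at all and the upstream image runs as root by default, so the vault process is UID 0 in its container and writes the data volume as root; set `runAsNonRoot: true` with a fixed `runAsUser`/`fsGroup`, `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]` and `readOnlyRootFilesystem: true` (with `/data` and `/tmp` as writable mounts), and add `automountServiceAccountToken: false`. With `storage.enabled` defaulting to `false` nothing backs `DATA_FOLDER`, so the SQLite database, attachments and the server's RSA key live in the container's writable layer and vanish on the first reschedule; either default persistence on or make the template refuse to render without it. `serviceName: vaultwarden` names a Service this chart never creates (the Service is `{{ include "vaultwarden.fullname" . }}`), and there are no `livenessProbe`/`readinessProbe`, so a hung process keeps receiving traffic; vaultwarden exposes `GET /alive` for exactly this.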

215
values.yaml Normal file

@@ -0,0 +1,215 @@
## @section Vaultwarden settings
##
image:
## @param image.registry Vaultwarden image registry
##
registry: docker.io
## @param image.repository Vaultwarden image repository
##
repository: vaultwarden/server
##
## @param image.tag Vaultwarden image tag
## Ref: https://hub.docker.com/r/vaultwarden/server/tags
##
tag: "1.24.0"
## @param image.pullPolicy Vaultwarden image pull policy
## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
##
pullPolicy: IfNotPresent
## @param image.pullSecrets Specify docker-registry secret names
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
## Example:
## pullSecrets:
## - myRegistryKeySecretName
##
pullSecrets: []
## @param domain Domain name where the application is accessed
## Example: https://warden.contoso.com:8443
##
domain: ""
## @param websocket.enabled Enable websocket notifications
## @param websocket.address Websocket listen address
## @param websocket.port Websocket listen port
##
websocket:
enabled: true
address: "0.0.0.0"
port: 3012
## @param rocket.port Rocket port
## @param rocket.workers Rocket number of workers
##
rocket:
port: "8080"
workers: "10"
## @param webVaultEnabled Enable Web Vault
##
webVaultEnabled: "true"
## @section Security settings
##
## @param adminToken The admin token used for /admin
##
adminToken: "R@ndomToken$tring"
## @param signupDomains List of domain names for users allowed to register
##
signupDomains: "contoso.com"
## @param signupsVerify Whether to require account verification for newly-registered users.
##
signupsVerify: "true"
## @param showPassHint Whether a password hint should be shown in the page.
##
showPassHint: "false"
## @param fullnameOverride String to override the application name.
##
fullnameOverride: ""
## @param serviceAccount.create Create a service account
## @param serviceAccount.name Name of the service account to create
##
serviceAccount:
create: true
name: "vaultwarden-svc"
## @section Exposure Parameters
##
## Ingress configuration
## Refer to the README for some examples
##
ingress:
## @param ingress.enabled Deploy an ingress resource.
##
enabled: false
## @param ingress.class Ingress resource class
## To use ingress-nginx, set class to "nginx", or "alb" for AWS LB controller.
#
class: "nginx"
## @param ingress.additionalAnnotations Additional annotations for the ingress resource.
##
additionalAnnotations: {}
## @param ingress.tls Enable TLS on the ingress resource.
##
tls: true
## @param ingress.hostname Hostname for the ingress.
##
hostname: "warden.contoso.com"
## @param ingress.path Default application path for the ingress
##
path: "/"
## @param ingress.pathWs Path for the websocket ingress
##
pathWs: "/notifications/hub"
## @param ingress.pathType Path type for the ingress
## Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
##
pathType: "ImplementationSpecific"
## @param ingress.pathTypeWs Path type for the ingress
## Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
##
pathTypeWs: "ImplementationSpecific"
## @param ingress.tlsSecret Kubernetes secret containing the SSL certificate when using the "nginx" class.
##
tlsSecret: ""
## @param ingress.nginxAllowList Comma-separated list of IP addresses and subnets to allow.
##
nginxAllowList: ""
## TODO:
## - Add support for using cert-manager.
## - Support for multiple TLS hostnames.
##
## Service configuration
service:
## @param service.type Service type
##
type: "ClusterIP"
## @param service.annotations Additional annotations for the vaultwarden service
##
annotations: {}
## @section Database Configuration
##
database:
## @param database.type Database type, either mysql or postgresql
## Default is a sqlite database.
##
type: "default"
## @param database.host Database hostname or IP address
##
host: ""
## @param database.port Database port
## Default for MySQL is 3306, default for PostgreSQL is 5432
port: ""
## @param database.username Database username
##
username: ""
## @param database.password Database password
##
password: ""
## @param database.dbName Database name
##
dbName: ""
## @param database.uriOverride Manually specify the DB connection string
##
uriOverride: ""
## @section SMTP Configuration
##
smtp:
## @param smtp.host SMTP host
##
host: ""
## @param smtp.security SMTP Encryption method
## Possible values:
## - starttls: explicit TLS using ports 587 or 25
## - force_tls: implicit TLS using port 465
## - off: no encryption, using port 25, unless using STARTTLS
##
security: "starttls"
## @param smtp.port SMTP port
##
port: 25
## @param smtp.from SMTP sender email address
## Example: juan.delacruz@gmail.com
##
from: ""
## @param smtp.fromName SMTP sender FROM
##
fromName: ""
## @param smtp.username Username for the SMTP authentication.
## Example: juan
##
username: ""
## @param smtp.password Password for the SMTP service.
##
password: ""
## @param smtp.authMechanism SMTP authentication mechanism
## Possible values: "Plain", "Login", "Xoauth2"
## Multiple options need to be separated by a comma. (not tested)
##
authMechanism: "Plain"
## @param smtp.acceptInvalidHostnames Accept Invalid Hostnames
##
acceptInvalidHostnames: "false"
## @param smtp.acceptInvalidCerts Accept Invalid Certificates
##
acceptInvalidCerts: "false"
## @param smtp.debug SMTP debugging
##
debug: false
## @section Storage Configuration
##
storage:
## @param storage.enabled Enable configuration for persistent storage
##
enabled: false
## @param storage.size Storage size for /data
##
size: "15Gi"
## @param storage.class Specify the storage class
##
class: "default"
## @param storage.dataDir Specify the data directory
##
dataDir: "/data"
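Review bot: several defaults are placeholders that a default install will actually run with: `adminToken: "R@ndomToken$tring"` becomes the live `/admin` credential, `signupDomains: "contoso.com"` quietly limits registration to a domain nobody here owns, and `ingress.hostname: "warden.contoso.com"` propagates into the NOTES output; set them to `""`, document them as required where they are, and let the templates fail on `required` rather than succeed with example values. `storage.enabled: false` as the default for a password manager's data directory means the vault is ephemeral unless the operator reads the Storage section first; defaulting it to `true` is the safer failure mode. Lastly, `rocket.port` is accepted but the Service and StatefulSet hard-code 8080, so either wire it through or drop the parameter.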