Signed-off-by: Lester Guerzon <guerzon@proton.me>
Helm chart for Vaultwarden
Vaultwarden, formerly known as Bitwarden_RS, is an "alternative implementation of the Bitwarden server API written in Rust and compatible with upstream Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal."
TL;DR
```bash
helm repo add vaultwarden https://guerzon.github.io/vaultwarden
helm install my-vaultwarden-release vaultwarden/vaultwarden
```
Description
This Helm chart is used to deploy vaultwarden with a stable configuration to Kubernetes clusters.
The upstream repository for the vaultwarden project can be found here. To learn more about Vaultwarden, please visit the wiki.
Prerequisites
- Kubernetes 1.12+
- Helm 3.1.0
Usage
To deploy the chart with the release name vaultwarden-release:
```bash
export NAMESPACE=vaultwarden
export DOMAIN_NAME=pass.company.com
helm repo add vaultwarden https://guerzon.github.io/vaultwarden
helm install vaultwarden-release vaultwarden/vaultwarden \
  --namespace $NAMESPACE \
  --set "ingress.enabled=true" \
  --set "ingress.hostname=$DOMAIN_NAME"
```
To deploy the chart to another namespace using custom values in the file demo.yaml:
```bash
export NAMESPACE=vaultwarden-demo
export RELEASE_NAME=vaultwarden-demo
helm upgrade -i \
  -n $NAMESPACE $RELEASE_NAME vaultwarden/vaultwarden \
  -f demo.yaml
```
General configuration
This chart deploys vaultwarden from pre-built images on Docker Hub: vaultwarden/server. The image can be defined by specifying the tag with image.tag.
Example that uses the Alpine-based image 1.24.0-alpine and an existing secret that contains registry credentials:
```yaml
image:
  tag: "1.24.0-alpine"
  pullSecrets:
    - myRegKey
```
Important: set the domain value to the URL that users will use to reach Vaultwarden; otherwise some functionality might not work:
```yaml
domain: "https://vaultwarden.contoso.com:9443/"
```
Detailed configuration options can be found in the Vaultwarden settings section.
Database options
By default, vaultwarden uses a SQLite database located in /data/db.sqlite3. However, it is also possible to make use of an external database, in particular either MySQL or PostgreSQL.
To configure an external database, set database.type to either mysql or postgresql and specify the database connection information.
Example for using an external MySQL database:
```yaml
database:
  type: mysql
  host: database.contoso.eu
  username: appuser
  password: apppassword
  dbName: prodapp
```
You can also specify the connection string:
```yaml
database:
  type: postgresql
  uriOverride: "postgresql://appuser:apppassword@pg.contoso.eu:5433/qualdb"
```
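A connection string only stays correct if the credentials are percent-encoded: a password containing `@`, `:` or `/` will be mis-parsed as a host or path delimiter. The following added example (not part of the chart) builds a uriOverride from the component-style values shown above and parses it back to confirm the round trip; the sample password and the default ports per database type are assumptions for illustration.

```python
from urllib.parse import quote, urlsplit, unquote

# Constructed sample mirroring the component-style database values above;
# the password deliberately contains URI-reserved characters.
DB_VALUES = {
    "type": "mysql",
    "host": "database.contoso.eu",
    "username": "appuser",
    "password": "app:pass@word/1",
    "dbName": "prodapp",
}

# Assumed defaults when no explicit port is given (not a chart parameter).
DEFAULT_PORTS = {"mysql": 3306, "postgresql": 5432}


def build_uri(values: dict, port: int = 0) -> str:
    """Assemble a uriOverride string, percent-encoding the credentials so
    reserved characters cannot be read as delimiters by the URI parser."""
    scheme = values["type"]
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported database.type: {scheme}")
    user = quote(values["username"], safe="")
    pw = quote(values["password"], safe="")
    port = port or DEFAULT_PORTS[scheme]
    return f"{scheme}://{user}:{pw}@{values['host']}:{port}/{values['dbName']}"


def naive_uri(values: dict, port: int = 0) -> str:
    """The same string assembled without encoding, to show how it breaks."""
    port = port or DEFAULT_PORTS[values["type"]]
    return (f"{values['type']}://{values['username']}:{values['password']}"
            f"@{values['host']}:{port}/{values['dbName']}")


def parse_uri(uri: str) -> dict:
    """Split a uriOverride back into its parts for verification."""
    parts = urlsplit(uri)
    return {
        "type": parts.scheme,
        "host": parts.hostname,
        "port": parts.port,
        "username": unquote(parts.username or ""),
        "password": unquote(parts.password or ""),
        "dbName": parts.path.lstrip("/"),
    }
```

Running parse_uri over the naive string shows the host resolved as "word" and the password truncated, which is the failure a misconfigured uriOverride produces.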
Alternatively, you could create a Kubernetes secret containing the database URI:
```bash
DB_STRING="postgresql://appuser:apppassword@pg.contoso.eu:5433/qualdb"
kubectl -n vaultwarden create secret generic prod-db-creds --from-literal=secret-uri=$DB_STRING
```
Then pass the name of the secret and the key to the chart:
```yaml
database:
  type: postgresql
  existingSecret: "prod-db-creds"
  existingSecretKey: "secret-uri"
```
Detailed configuration options can be found in the Database Configuration section.
SSL and Ingress
This chart supports the usage of existing Ingress Controllers for exposing the vaultwarden deployment.
nginx-ingress
The NGINX ingress controller can be installed by following this guide. An SSL certificate can be added as a secret with a few commands:
```bash
cd <dir-containing-the-certs>
kubectl create secret -n vaultwarden \
  tls vw-contoso-com-crt \
  --key privkey.pem \
  --cert fullchain.pem
```
Once both prerequisites are ready, values can be set as follows:
```yaml
ingress:
  enabled: true
  class: "nginx"
  tlsSecret: vw-contoso-com-crt
  hostname: vaultwarden.contoso.com
  allowList: "10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16"
```
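Before applying an allowList it is worth validating the entries and checking which client addresses it admits. This added example (not part of the chart) parses the comma-separated value above with Python's ipaddress module; strict CIDR validation rejects the common typo of an entry with host bits set. The sample client addresses are constructed.

```python
import ipaddress

# Constructed: the allowList value from the ingress example above.
ALLOW_LIST = "10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16"


def parse_allow_list(value: str) -> list:
    """Split the comma-separated allowList and validate every entry as a CIDR.
    strict=True makes ip_network reject entries such as 10.1.2.3/8, where the
    host bits are set and the intended range is ambiguous."""
    networks = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            raise ValueError("empty entry in allowList")
        networks.append(ipaddress.ip_network(entry, strict=True))
    return networks


def is_allowed(client_ip: str, value: str = ALLOW_LIST) -> bool:
    """Return True when client_ip falls inside any network of the allowList."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in parse_allow_list(value))


if __name__ == "__main__":
    for ip in ("10.42.0.7", "172.31.255.1", "203.0.113.9"):
        print(ip, "allowed" if is_allowed(ip) else "denied")
```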
AWS LB Controller
When using AWS, the AWS Load Balancer controller can be used together with ACM.
Example for AWS:
```yaml
ingress:
  enabled: true
  class: "alb"
  hostname: vaultwarden.contoso.com
  additionalAnnotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/tags: Environment=dev,Team=test
    alb.ingress.kubernetes.io/certificate-arn: "arn:aws:acm:eu-central-1:ACCOUNT:certificate/LONGID"
```
Detailed configuration options can be found in the Exposure Parameters section.
Security
An admin token can be generated with: openssl rand -base64 48.
By default, the chart deploys a service account called vaultwarden-svc.
```yaml
serviceAccount:
  create: true
  name: "vaultwarden-svc"
```
Detailed configuration options can be found in the Security settings section.
Mail settings
To enable the SMTP service, make sure that at a minimum, smtp.host and smtp.from are set.
```yaml
smtp:
  host: mx01.contoso.com
  from: no-reply@contoso.com
  fromName: "Vault Administrator"
  username: admin
  password: password
  # The next two settings disable TLS certificate and hostname verification
  # for the mail server; leave them unset unless the server's certificate
  # cannot be validated.
  acceptInvalidHostnames: "true"
  acceptInvalidCerts: "true"
```
Detailed configuration options can be found in the SMTP Configuration section.
Storage
To use persistent storage using a claim, set storage.enabled to true. The following example sets the storage class to an already-installed Rancher's local path storage provisioner.
```yaml
storage:
  enabled: true
  size: "10Gi"
  class: "local-path"
```
Example for AWS:
```yaml
storage:
  enabled: true
  size: "10Gi"
  class: "gp2"
```
Detailed configuration options can be found in the Storage Configuration section.
Deployment in GKE
I have written a detailed post about deploying Vaultwarden in Google Kubernetes Engine here.
Parameters
Refer to the detailed parameter documentation here.
Uninstall
To uninstall/delete the vaultwarden-demo release:
```bash
export NAMESPACE=vaultwarden
export RELEASE_NAME=vaultwarden-demo
helm -n $NAMESPACE uninstall $RELEASE_NAME
```
Disclaimer
Please do your due-diligence before using this chart for a production deployment.
Nevertheless, if you find any issues while using this chart, or have any suggestions, I would appreciate it if you would submit an issue. Alternatively, PRs are appreciated!
License
MIT.
Author
This Helm chart was created and is being maintained by Lester Guerzon.