diff --git a/vaultwarden-1.27/.helmignore b/vaultwarden-1.27/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/vaultwarden-1.27/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/vaultwarden-1.27/Chart.yaml b/vaultwarden-1.27/Chart.yaml
new file mode 100644
index 0000000..16b112b
--- /dev/null
+++ b/vaultwarden-1.27/Chart.yaml
@@ -0,0 +1,14 @@
+apiVersion: v2
+appVersion: 1.27.0
+description: Unofficial Bitwarden compatible server written in Rust
+home: https://github.com/dani-garcia/vaultwarden - bitwarden - bitwarden_rs - password + - vaultwarden
+icon: https://upload.wikimedia.org/wikipedia/commons/0/03/Bitwarden_Logo.png
+maintainers:
+- email: silvio@gissilabs.com
+ name: Silvio Gissi
+name: vaultwarden
+sources:
+- https://github.com/dani-garcia/vaultwarden
+type: application
+version: 1.0.0
diff --git a/vaultwarden-1.27/README.md b/vaultwarden-1.27/README.md
new file mode 100644
index 0000000..c7e1de5
--- /dev/null
+++ b/vaultwarden-1.27/README.md
@@ -0,0 +1,189 @@ +# Gissilabs Helm Charts + +## Upgrade from bitwardenrs Helm Chart + +The upstream project changed its name from bitwarden_rs to Vaultwarden on April 27th, 2021. If you are using the bitwardenrs chart, the following changes are needed to use this chart: + +- Change chart name from gissilabs/bitwardenrs to gissilabs/vaultwarden +- If using custom values, update top-level "bitwardenrs" option to "vaultwarden" + +Chart and application version numbers are the same across both charts. + +## Vaultwarden + +Vaultwarden (previously known as bitwarden_rs) is an unofficial Bitwarden compatible server written in Rust. For more information, check the project on Github: + +## Helm Chart + +The default installation will deploy one Vaultwarden instance using a SQLite database without persistence. All data will be lost if the pod is deleted. + +```bash +# Uncomment below if the Gissilabs repository is not yet added to Helm +#helm repo add gissilabs https://gissilabs.github.io/charts/ +helm install myvaultwarden gissilabs/vaultwarden +``` + +See options below to customize the deployment. + +## **Database** + +Option | Description | Format | Default +------ | ----------- | ------ | ------- +database.type | Backend database type | sqlite, mysql or postgresql | sqlite +database.wal | Enable SQLite Write-Ahead-Log, ignored for external databases | true / false | true +database.url | URL of external database (MySQL/PostgreSQL) | \[mysql\|postgresql\]://user:pass@host:port\[/database\] | Empty +database.existingSecret | Use existing secret for database URL, key 'database-url' | Secret name | Not defined +database.maxConnections | Set the size of the database connection pool | Number | 10 +database.retries | Connection retries during startup, 0 for infinite. 1 second between retries | Number | 15 + +## **Main application** + +Option | Description | Format | Default +------ | ----------- | ------ | ------- +vaultwarden.domain | Bitwarden URL. 
Mandatory for invitations over email | http\[s\]://hostname | Not defined +vaultwarden.allowSignups | Allow any user to sign-up. [More information](https://github.com/dani-garcia/vaultwarden/wiki/Disable-registration-of-new-users) | true / false | true +vaultwarden.signupDomains | Whitelist domains allowed to sign-up. 'allowSignups' is ignored if set | domain1,domain2 | Not defined +vaultwarden.verifySignup | Verify e-mail before login is enabled. SMTP must be enabled | true / false | false +vaultwarden.requireEmail | Require that an e-mail is sucessfully sent before login. SMTP must be enabled | true / false | false +vaultwarden.emailAttempts | Maximum attempts before an email token is reset and a new email will need to be sent | Number | 3 +vaultwarden.emailTokenExpiration | Email token validity in seconds | Number | 600 +vaultwarden.allowInvitation | Allow invited users to sign-up even feature is disabled. [More information](https://github.com/dani-garcia/vaultwarden/wiki/Disable-invitations) | true / false | true +vaultwarden.invitationExpiration | Number of hours after which tokens expire (organization invite, emergency access, email verification and deletion request | Number (minimum 1) | 120 +vaultwarden.defaultInviteName | Default organization name in invitation e-mails that are not coming from a specific organization. | Text | Vaultwarden +vaultwarden.passwordHintsAllowed | Allow users to set password hints. Applies to all users. | true / false | true +vaultwarden.showPasswordHint | Show password hints. [More Information](https://github.com/dani-garcia/vaultwarden/wiki/Password-hint-display) | true / false | false +vaultwarden.enableWebsockets | Enable Websockets for notification. [More Information](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-WebSocket-notifications). If using Ingress controllers, "notifications/hub" URL is redirected to websocket port | true / false | true +vaultwarden.enableWebVault | Enable Web Vault static site. 
[More Information](https://github.com/dani-garcia/vaultwarden/wiki/Disabling-or-overriding-the-Vault-interface-hosting). | true / false | true +vaultwarden.enableSends | Enable Bitwarden Sends globally. | true / false | true +vaultwarden.orgCreationUsers | Restrict creation of orgs. | 'all', 'none' or a comma-separated list of users. | all +vaultwarden.attachmentLimitOrg | Limit attachment disk usage in Kb per organization | Number | Not defined +vaultwarden.attachmentLimitUser | Limit attachment disk usage in Kb per user | Number | Not defined +vaultwarden.hibpApiKey | API Key to use HaveIBeenPwned service. Can be purchased at [here](https://haveibeenpwned.com/API/Key) | Text | Not defined +vaultwarden.autoDeleteDays | Number of days to auto-delete trashed items. | Number | Empty (never auto-delete) +vaultwarden.orgEvents | Enable Organization event logging | true / false | false +vaultwarden.orgEventsRetention | Organization event log retention in days | Number | Empty (never delete) +vaultwarden.extraEnv | Pass extra environment variables | Map | Not defined +vaultwarden.log.file | Filename to log to disk. [More information](https://github.com/dani-garcia/vaultwarden/wiki/Logging) | File path | Empty +vaultwarden.log.level | Change log level | trace, debug, info, warn, error or off | Empty +vaultwarden.log.timeFormat | Log timestamp | Rust chrono [format](https://docs.rs/chrono/0.4.15/chrono/format/strftime/index.html). | Time in milliseconds | Empty + +## **Application Features** + +:warning: SMTP SSL/TLS settings changed following Vaultwarden v1.25 release, see [Upgrade](#upgrade) + +Option | Description | Format | Default +------ | ----------- | ------ | ------- +vaultwarden.admin.enabled | Enable admin portal. Change settings in the portal will overwrite chart options. | true / false | false +vaultwarden.admin.disableAdminToken | Disabling the admin token will make the admin portal accessible to anyone, use carefully. 
[More Information](https://github.com/dani-garcia/vaultwarden/wiki/Disable-admin-token) | true / false | false +vaultwarden.admin.token | Token for admin login, will be generated if not defined. [More Information](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page) | Text | Auto-generated +vaultwarden.admin.existingSecret | Use existing secret for the admin token. Key is 'admin-token' | Secret name | Not defined +||| +vaultwarden.emergency.enabled | Allow any user to enable emergency access. | true / false | true +vaultwarden.emergency.reminder | Schedule to send expiration reminders to emergency access grantors. | Cron schedule format, blank to disable | "0 3 \* \* \* \*" (hourly 3 minutes after the hour) +vaultwarden.emergency.timeout | Schedule to grant emergency access requests that have met the required wait time. | Cron schedule format, blank to disable | "0 3 \* \* \* \*" (hourly 3 minutes after the hour) +||| +vaultwarden.smtp.enabled | Enable SMTP | true / false | false +vaultwarden.smtp.host | SMTP hostname **required** | Hostname | Empty +vaultwarden.smtp.from | SMTP sender e-mail address **required** | E-mail | Empty +vaultwarden.smtp.fromName | SMTP sender name | Text | Vaultwarden +vaultwarden.smtp.security | Set SMTP connection security [More Information](https://github.com/dani-garcia/vaultwarden/wiki/SMTP-Configuration) | starttls / force_tls / off | starttls +vaultwarden.smtp.port | SMTP TCP port | Number | Security off: 25, starttls: 587, force_tls: 465 +vaultwarden.smtp.authMechanism | SMTP Authentication Mechanisms | Comma-separated list: 'Plain', 'Login', 'Xoauth2' | Plain +vaultwarden.smtp.heloName | Hostname to be sent for SMTP HELO | Text | Pod name +vaultwarden.smtp.timeout | SMTP connection timeout in seconds | Number | 15 +vaultwarden.smtp.invalidHostname | Accept valid certificates even if hostnames does not match. DANGEROUS! | true / false | false +vaultwarden.smtp.invalidCertificate | Accept invalid certificates. 
DANGEROUS! | true / false | false +vaultwarden.smtp.user | SMTP username | Text | Not defined +vaultwarden.smtp.password | SMTP password. Required is user is specified | Text | Not defined +vaultwarden.smtp.existingSecret | Use existing secret for SMTP authentication. Keys are 'smtp-user' and 'smtp-password' | Secret name | Not defined +vaultwarden.smtp.embedImages | Embed images as email attachments | true / false | false +||| +vaultwarden.yubico.enabled | Enable Yubikey support | true / false | false +vaultwarden.yubico.server | Yubico server | Hostname | YubiCloud +vaultwarden.yubico.clientId | Yubico ID | Text | Not defined +vaultwarden.yubico.secretKey | Yubico Secret Key | Text | Not defined +vaultwarden.yubico.existingSecret | Use existing secret for ID and Secret. Keys are 'yubico-client-id' and 'yubico-secret-key' | Secret name | Not defined +||| +vaultwarden.icons.service | Service to fetch icons from | "internal", "bitwarden", "duckduckgo", "google" or custom URL | internal +vaultwarden.icons.disableDownload | Disables download of external icons, icons in cache will still be served | true / false | false +vaultwarden.icons.cache | Cache time-to-live for icons fetched. 0 means no purging | Number | 2592000. If download is disabled, defaults to 0 +vaultwarden.icons.cacheFailed | Cache time-to-live for icons that were not available. 0 means no purging | Number | 2592000 +vaultwarden.icons.redirectCode | HTTP code to use for redirects to an external icon service | true / false | 302 + +## **Network** + +Option | Description | Format | Default +------ | ----------- | ------ | ------- +service.type | Service Type. [More Information](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) | Type | ClusterIP +service.httpPort | Service port for HTTP server | Number | 80 +service.websocketPort | Service port for Websocket server, if enabled | Number | 3012 +service.externalTrafficPolicy | External Traffic Policy. 
[More Information](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip) | Local / Cluster| Cluster +service.loadBalancerIP | Manually select IP when type is LoadBalancer | IP address | Not defined +service.nodePorts.http | Manually select node port for http | Number | Empty +service.nodePorts.websocket | Manually select node port for websocker, if enabled | Number | Empty +||| +ingress.enabled | Enable Ingress | true / false | false +ingress.className | Name of the ingress class | string | Empty +ingress.host | Ingress hostname **required** | Hostname | Empty +ingress.annotations | Ingress annotations | Map | Empty +ingress.tls | Ingress TLS options | Array of Maps | Empty +||| +ingressRoute.enabled | Enable Traefik IngressRoute CRD | true / false | false +ingressRoute.host | Ingress route hostname **required** | Hostname | Empty +ingressRoute.middlewares | Enable middlewares | Map | Empty +ingressRoute.entrypoints | List of Traefik endpoints | Array of Text | \[websecure\] +ingressRoute.tls | Ingress route TLS options | Map | Empty + +## **Storage** + +Option | Description | Format | Default +------ | ----------- | ------ | ------- +persistence.enabled | Create persistent volume (PVC). Holds attachments, icon cache and, if used, the SQLite database | true / false | false +persistence.size | Size of volume | Size | 1Gi +persistence.accessMode | Volume access mode | Text | ReadWriteOnce +persistence.storageClass | Storage Class | Text | Not defined. Use "-" for default class +persistence.existingClaim | Use existing PVC | Name of PVC | Not defined +customVolume | Use custom volume definition. 
Cannot be used with persistence | Map | Empty + +## **Image** + +Option | Description | Format | Default +------ | ----------- | ------ | ------- +image.tag | Docker image tag | Text | Chart appVersion (Chart.yaml) +image.repository | Docker image | Text | vaultwarden/server +imagePullSecrets | Image pull secrets | Array | Empty + +## **General Kubernetes/Helm** + +Option | Description | Format | Default +------ | ----------- | ------ | ------- +strategy | Deployment Strategy options | sub-tree | Empty +replicaCount | Number of pod replicas | Number | 1 +nameOverride | Name override | Text | Empty +fullnameOverride | Full name override | Text | Empty +serviceAccount.create | Create Service Account | true / false | false +serviceAccount.annotations | Annotations service account | Map | Empty +serviceAccount.name | Service Account name | Text | Generated from template +deploymentAnnotations | Deployment Annotations | Map | Empty +sidecars | Sidecar container definition [Spec](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#Container) | Array | Empty +podAnnotations | Pod Annotations | Map | Empty +podLabels | Extra Pod Labels | Map | Empty +podSecurityContext | Pod-level Security Context | Map | {fsGroup:65534} +securityContext | Container-level Security Context | Map | {runAsUser:65534, runAsGroup:65534} +resources | Deployment Resources | Map | Empty +nodeSelector | Node selector | Map | Empty +tolerations | Tolerations | Array | Empty +affinity | Affinity | Map | Empty + +## Upgrade + +### From 0.x to 1.x + +Vaultwarden version before v1.25.0 had a [bug/mislabelled](https://github.com/dani-garcia/vaultwarden/issues/851) configuration setting regarding SSL and TLS. This has been fixed in testing and newer released versions. When image version is 1.25 or higher, use vaultwarden.smtp.security instead of vaultwarden.smtp.ssl/vaultwarden.smtp.explicitTLS. 
+ +ssl | explicitTLS | security equivalent +--- | ----------- | ------------------- +false | false | off +false | true | off +true | false | starttls +true | true | force_tls diff --git a/vaultwarden-1.27/templates/NOTES.txt b/vaultwarden-1.27/templates/NOTES.txt new file mode 100644 index 0000000..194c226 --- /dev/null +++ b/vaultwarden-1.27/templates/NOTES.txt 
@@ -0,0 +1,25 @@
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+ http{{ if $.Values.ingress.tls }}s{{ end }}://{{ .Values.ingress.host }}/
+{{- else if .Values.ingressRoute.enabled }}
+ http{{ if $.Values.ingressRoute.tls }}s{{ end }}://{{ .Values.ingressRoute.host }}/
+{{- else }}
+ {{- if eq .Values.vaultwarden.enableWebsockets true }}
+ NOTE: the websocket listens on a different port and might not work unless /notifications/hub is redirected externally.
+
+ {{- end }}
+ {{- if contains "NodePort" .Values.service.type }}
+ export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "vaultwarden.fullname" . }})
+ export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+ echo http://$NODE_IP:$NODE_PORT
+ {{- else if contains "LoadBalancer" .Values.service.type }}
+ NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+ You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "vaultwarden.fullname" . }}'
+ export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "vaultwarden.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+ echo http://$SERVICE_IP:{{ .Values.service.httpPort }}
+ {{- else if contains "ClusterIP" .Values.service.type }}
+ export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "vaultwarden.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+ echo "Visit http://127.0.0.1:8080 to use your application"
+ kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:8080
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vaultwarden-1.27/templates/_helpers.tpl b/vaultwarden-1.27/templates/_helpers.tpl
new file mode 100644
index 0000000..acabb8c
--- /dev/null
+++ b/vaultwarden-1.27/templates/_helpers.tpl
@@ -0,0 +1,105 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "vaultwarden.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "vaultwarden.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "vaultwarden.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "vaultwarden.labels" -}}
+helm.sh/chart: {{ include "vaultwarden.chart" . }}
+{{ include "vaultwarden.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "vaultwarden.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "vaultwarden.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "vaultwarden.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "vaultwarden.fullname" .) 
.Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Ensure valid DB type is select, defaults to SQLite
+*/}}
+{{- define "vaultwarden.dbTypeValid" -}}
+{{- if not (or (eq .Values.database.type "postgresql") (eq .Values.database.type "mysql") (eq .Values.database.type "sqlite")) }}
+{{- required "Invalid database type" nil }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Ensure log type is valid
+*/}}
+{{- define "vaultwarden.logLevelValid" -}}
+{{- if not (or (eq .Values.vaultwarden.log.level "trace") (eq .Values.vaultwarden.log.level "debug") (eq .Values.vaultwarden.log.level "info") (eq .Values.vaultwarden.log.level "warn") (eq .Values.vaultwarden.log.level "error") (eq .Values.vaultwarden.log.level "off")) }}
+{{- required "Invalid log level" nil }}
+{{- end }}
+{{- end }}
+
+{{/*
+Ensure SMTP Security setting is valid
+*/}}
+
+{{- define "vaultwarden.smtpSecurityValid" -}}
+{{- if or (hasKey .Values.vaultwarden.smtp "ssl") (hasKey .Values.vaultwarden.smtp "explicitTLS") }}
+{{- required "SMTP options ssl and explicitTLS are deprecated for Vaulwarden 1.25 or newer, see documentation" nil }}
+{{- end }}
+{{- if not (or (eq .Values.vaultwarden.smtp.security "off") (eq .Values.vaultwarden.smtp.security "starttls") (eq .Values.vaultwarden.smtp.security "force_tls") ) }}
+{{- required "Invalid SMTP security setting, valid options are: off, starttls and force_tls" nil }}
+{{- end }}
+{{- end }}
+
+
+{{- define "vaultwarden.domainSubPath" -}}
+{{- if .Values.vaultwarden.domain }}
+{{- if not (regexMatch "https?:\\/\\/.*?(\\/|$)" .Values.vaultwarden.domain) }}
+{{- required "Invalid domain, must start with http or https" nil }}
+{{- end }}
+{{- $subpath := regexReplaceAll "https?:\\/\\/.*?(\\/|$)" .Values.vaultwarden.domain "" -}}/{{ $subpath }}
+{{- else }}/
+{{- end }}
+{{- end -}}
\ No newline at end of file
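Review bot: The domain validation in `vaultwarden.domainSubPath` is not anchored: `regexMatch "https?:\\/\\/.*?(\\/|$)"` accepts any value that merely contains `http://` or `https://` somewhere, which contradicts the error text "must start with http or https", and the same unanchored pattern in `regexReplaceAll` then strips from the middle of such a value, producing an unexpected probe path. Anchoring both patterns with `^` — `{{- if not (regexMatch "^https?:\\/\\/.*?(\\/|$)" .Values.vaultwarden.domain) }}` and `regexReplaceAll "^https?:\\/\\/.*?(\\/|$)"` — makes the check match its message and keeps the liveness/readiness path derivation tied to the leading scheme and host. Two smaller points in the same file: the `smtpSecurityValid` message misspells the product name ("Vaulwarden"), and the header comment on `vaultwarden.logLevelValid` says "Ensure log type is valid" although it validates the log level.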
diff --git a/vaultwarden-1.27/templates/deployment.yaml b/vaultwarden-1.27/templates/deployment.yaml
new file mode 100644
index 0000000..e83ad31
--- /dev/null
+++ b/vaultwarden-1.27/templates/deployment.yaml
@@ -0,0 +1,342 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "vaultwarden.fullname" . }}
+ labels:
+ {{- include "vaultwarden.labels" . | nindent 4 }}
+ {{- with .Values.deploymentAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ {{- with .Values.strategy }}
+ strategy:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ {{- include "vaultwarden.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "vaultwarden.selectorLabels" . | nindent 8 }}
+ {{- if .Values.podLabels }}
+ {{- toYaml .Values.podLabels | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "vaultwarden.serviceAccountName" . }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ containers:
+ - name: {{ .Chart.Name }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ env:
+ - name: ROCKET_PORT
+ value: "8080"
+ - name: SIGNUPS_ALLOWED
+ value: {{ .Values.vaultwarden.allowSignups | quote }}
+ {{- if .Values.vaultwarden.signupDomains }}
+ - name: SIGNUPS_DOMAINS_WHITELIST
+ value: {{ join "," .Values.vaultwarden.signupDomains | quote }}
+ {{- end }}
+ {{- if and (eq .Values.vaultwarden.verifySignup true) (eq .Values.vaultwarden.smtp.enabled false) }}{{ required "Signup verification requires SMTP to be enabled" nil}}{{end}}
+ - name: SIGNUPS_VERIFY
+ value: {{ .Values.vaultwarden.verifySignup | quote }}
+ {{- if and (eq .Values.vaultwarden.requireEmail true) (eq .Values.vaultwarden.smtp.enabled false) }}{{ required "Requiring emails for login depends on SMTP" 
nil}}{{end}}
+ - name: REQUIRE_DEVICE_EMAIL
+ value: {{ .Values.vaultwarden.requireEmail | quote }}
+ {{- if .Values.vaultwarden.emailAttempts }}
+ - name: EMAIL_ATTEMPTS_LIMIT
+ value: {{ .Values.vaultwarden.emailAttempts | quote }}
+ {{- end }}
+ {{- if .Values.vaultwarden.emailTokenExpiration }}
+ - name: EMAIL_EXPIRATION_TIME
+ value: {{ .Values.vaultwarden.emailTokenExpiration | quote }}
+ {{- end }}
+ - name: INVITATIONS_ALLOWED
+ value: {{ .Values.vaultwarden.allowInvitation | quote }}
+ {{- if .Values.vaultwarden.invitationExpiration }}
+ - name: INVITATION_EXPIRATION_HOURS
+ value: {{ .Values.vaultwarden.invitationExpiration | quote }}
+ {{- end }}
+ {{- if .Values.vaultwarden.defaultInviteName }}
+ - name: INVITATION_ORG_NAME
+ value: {{ .Values.vaultwarden.defaultInviteName | quote }}
+ {{- end }}
+ {{- if hasKey .Values.vaultwarden "passwordHintsAllowed" }}
+ - name: PASSWORD_HINTS_ALLOWED
+ value: {{ .Values.vaultwarden.passwordHintsAllowed | quote }}
+ {{- end }}
+ - name: SHOW_PASSWORD_HINT
+ value: {{ .Values.vaultwarden.showPasswordHint | quote }}
+ - name: WEBSOCKET_ENABLED
+ value: {{ .Values.vaultwarden.enableWebsockets | quote }}
+ - name: WEB_VAULT_ENABLED
+ value: {{ .Values.vaultwarden.enableWebVault | quote }}
+ - name: SENDS_ALLOWED
+ value: {{ .Values.vaultwarden.enableSends | quote }}
+ - name: ORG_CREATION_USERS
+ value: {{ .Values.vaultwarden.orgCreationUsers | quote }}
+ {{- if .Values.vaultwarden.attachmentLimitOrg }}
+ - name: ORG_ATTACHMENT_LIMIT
+ value: {{ .Values.vaultwarden.attachmentLimitOrg | quote }}
+ {{- end }}
+ {{- if .Values.vaultwarden.attachmentLimitUser }}
+ - name: USER_ATTACHMENT_LIMIT
+ value: {{ .Values.vaultwarden.attachmentLimitUser | quote }}
+ {{- end }}
+ {{- if .Values.vaultwarden.hibpApiKey }}
+ - name: HIBP_API_KEY
+ value: {{ .Values.vaultwarden.hibpApiKey | quote }}
+ {{- end }}
+ {{- if .Values.vaultwarden.autoDeleteDays }}
+ - name: TRASH_AUTO_DELETE_DAYS
+ value: {{ .Values.vaultwarden.autoDeleteDays 
| quote }}
+ {{- end }}
+ {{- if hasKey .Values.vaultwarden "orgEvents" }}
+ - name: ORG_EVENTS_ENABLED
+ value: {{ .Values.vaultwarden.orgEvents | quote }}
+ {{- end }}
+ {{- if hasKey .Values.vaultwarden "orgEventsRetention" }}
+ - name: EVENTS_DAYS_RETAIN
+ value: {{ .Values.vaultwarden.orgEventsRetention | quote }}
+ {{- end }}
+ {{- if .Values.vaultwarden.extraEnv }}
+ {{- range $key, $val := .Values.vaultwarden.extraEnv }}
+ - name: {{ $key }}
+ value: {{ $val | quote }}
+ {{- end }}
+ {{- end }}
+ {{- include "vaultwarden.dbTypeValid" . }}
+ {{- if .Values.database.retries }}
+ - name: DB_CONNECTION_RETRIES
+ value: {{ .Values.database.retries | quote }}
+ {{- end }}
+ {{- if .Values.database.maxConnections }}
+ - name: DATABASE_MAX_CONNS
+ value: {{ .Values.database.maxConnections | quote }}
+ {{- end }}
+ {{- if eq .Values.database.type "sqlite" }}
+ - name: ENABLE_DB_WAL
+ value: {{ .Values.database.wal | quote }}
+ {{- else }}
+ - name: ENABLE_DB_WAL
+ value: "false"
+ - name: DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: {{ if .Values.database.existingSecret }}{{ .Values.database.existingSecret }}{{else}}{{ include "vaultwarden.fullname" . }}{{end}}
+ key: database-url
+ {{- end }}
+ {{- if .Values.vaultwarden.domain }}
+ - name: DOMAIN
+ value: {{ .Values.vaultwarden.domain | quote }}
+ {{- end }}
+ {{- if eq .Values.vaultwarden.admin.enabled true }}
+ {{- if eq .Values.vaultwarden.admin.disableAdminToken true }}
+ - name: DISABLE_ADMIN_TOKEN
+ value: "true"
+ {{- else }}
+ - name: ADMIN_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.vaultwarden.admin.existingSecret | default (include "vaultwarden.fullname" .) 
}}
+ key: admin-token
+ {{- end }}
+ {{- end }}
+ - name: EMERGENCY_ACCESS_ALLOWED
+ value: {{ .Values.vaultwarden.emergency.enabled | quote }}
+ {{- if eq .Values.vaultwarden.emergency.enabled true }}
+ {{- if not (kindIs "invalid" .Values.vaultwarden.emergency.reminder) }}
+ - name: EMERGENCY_NOTIFICATION_REMINDER_SCHEDULE
+ value: {{ .Values.vaultwarden.emergency.reminder | quote }}
+ {{- end }}
+ {{- if not (kindIs "invalid" .Values.vaultwarden.emergency.timeout) }}
+ - name: EMERGENCY_REQUEST_TIMEOUT_SCHEDULE
+ value: {{ .Values.vaultwarden.emergency.timeout | quote }}
+ {{- end }}
+ {{- end }}
+ {{- if eq .Values.vaultwarden.smtp.enabled true }}
+ - name: SMTP_HOST
+ value: {{ required "SMTP host is required to enable SMTP" .Values.vaultwarden.smtp.host | quote }}
+ - name: SMTP_FROM
+ value: {{ required "SMTP sender address ('from') is required to enable SMTP" .Values.vaultwarden.smtp.from | quote }}
+ {{- if .Values.vaultwarden.smtp.fromName }}
+ - name: SMTP_FROM_NAME
+ value: {{ .Values.vaultwarden.smtp.fromName | quote }}
+ {{- end }}
+ {{- if semverCompare "<1.25.0" (.Values.image.tag | default .Chart.AppVersion) }}
+ - name: SMTP_SSL
+ value: {{ required "Value smtp.ssl required for Vaultwarden prior to 1.25" .Values.vaultwarden.smtp.ssl | quote }}
+ {{- if required "Value smtp.explictTLS required for Vaultwarden prior to 1.25" .Values.vaultwarden.smtp.explicitTLS }}
+ {{- if (eq .Values.vaultwarden.smtp.ssl false) }}
+ {{- required "Explicit TLS requires SSL to be enabled" nil }}
+ {{- end }}
+ - name: SMTP_EXPLICIT_TLS
+ value: {{ .Values.vaultwarden.smtp.explicitTLS | quote }}
+ {{- end}}
+ {{- else }}
+ {{- include "vaultwarden.smtpSecurityValid" . 
}}
+ - name: SMTP_SECURITY
+ value: {{ .Values.vaultwarden.smtp.security | quote }}
+ {{- end }}
+ {{- if .Values.vaultwarden.smtp.port }}
+ - name: SMTP_PORT
+ value: {{ .Values.vaultwarden.smtp.port | quote }}
+ {{- end }}
+ {{- if .Values.vaultwarden.smtp.authMechanism }}
+ - name: SMTP_AUTH_MECHANISM
+ value: {{ .Values.vaultwarden.smtp.authMechanism | quote }}
+ {{- end }}
+ {{- if .Values.vaultwarden.smtp.heloName }}
+ - name: HELO_NAME
+ value: {{ .Values.vaultwarden.smtp.heloName | quote }}
+ {{- end }}
+ {{- if .Values.vaultwarden.smtp.timeout }}
+ - name: SMTP_TIMEOUT
+ value: {{ .Values.vaultwarden.smtp.timeout | quote }}
+ {{- end }}
+ {{- if .Values.vaultwarden.smtp.invalidHostname }}
+ - name: SMTP_ACCEPT_INVALID_HOSTNAMES
+ value: {{ .Values.vaultwarden.smtp.invalidHostname | quote }}
+ {{- end }}
+ {{- if .Values.vaultwarden.smtp.invalidCertificate }}
+ - name: SMTP_ACCEPT_INVALID_CERTS
+ value: {{ .Values.vaultwarden.smtp.invalidCertificate | quote }}
+ {{- end }}
+ {{- if or .Values.vaultwarden.smtp.existingSecret .Values.vaultwarden.smtp.user }}
+ - name: SMTP_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.vaultwarden.smtp.existingSecret | default (include "vaultwarden.fullname" .) }}
+ key: smtp-user
+ - name: SMTP_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.vaultwarden.smtp.existingSecret | default (include "vaultwarden.fullname" .) }}
+ key: smtp-password
+ {{- end }}
+ {{- if hasKey .Values.vaultwarden.smtp "embedImages" }}
+ - name: SMTP_EMBED_IMAGES
+ value: {{ .Values.vaultwarden.smtp.embedImages | quote }}
+ {{- end }}
+ {{- end }}{{/*SMTP*/}}
+ {{- if eq .Values.vaultwarden.yubico.enabled true }}
+ {{- if .Values.vaultwarden.yubico.server }}
+ - name: YUBICO_SERVER
+ value: {{ .Values.vaultwarden.yubico.server | quote }}
+ {{- end }}
+ - name: YUBICO_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.vaultwarden.yubico.existingSecret | default (include "vaultwarden.fullname" .) 
}}
+ key: yubico-client-id
+ - name: YUBICO_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.vaultwarden.yubico.existingSecret | default (include "vaultwarden.fullname" .) }}
+ key: yubico-secret-key
+ {{- end }}
+ {{- if .Values.vaultwarden.log.file }}
+ - name: LOG_FILE
+ value: {{ .Values.vaultwarden.log.file | quote }}
+ {{- end }}
+ {{- if or .Values.vaultwarden.log.level .Values.vaultwarden.log.timeFormat }}
+ - name: EXTENDED_LOGGING
+ value: "true"
+ {{- end }}
+ {{- if .Values.vaultwarden.log.level }}
+ {{- include "vaultwarden.logLevelValid" . }}
+ - name: LOG_LEVEL
+ value: {{ .Values.vaultwarden.log.level | quote }}
+ {{- end }}
+ {{- if .Values.vaultwarden.log.timeFormat }}
+ - name: LOG_TIMESTAMP_FORMAT
+ value: {{ .Values.vaultwarden.log.timeFormat | quote }}
+ {{- end }}
+ {{- if hasKey .Values.vaultwarden.icons "service" }}
+ - name: ICON_SERVICE
+ value: {{ .Values.vaultwarden.icons.service | quote }}
+ {{- end }}
+ {{- if .Values.vaultwarden.icons.disableDownload }}
+ - name: DISABLE_ICON_DOWNLOAD
+ value: {{ .Values.vaultwarden.icons.disableDownload | quote }}
+ {{- if and (not .Values.vaultwarden.icons.cache) (eq .Values.vaultwarden.icons.disableDownload "true") }}
+ - name: ICON_CACHE_TTL
+ value: 0
+ {{- end }}
+ {{- end }}
+ {{- if .Values.vaultwarden.icons.cache }}
+ - name: ICON_CACHE_TTL
+ value: {{ .Values.vaultwarden.icons.cache }}
+ {{- end }}
+ {{- if .Values.vaultwarden.icons.cacheFailed }}
+ - name: ICON_CACHE_NEGTTL
+ value: {{ .Values.vaultwarden.icons.cacheFailed }}
+ {{- end }}
+ {{- if hasKey .Values.vaultwarden.icons "redirectCode" }}
+ - name: ICON_REDIRECT_CODE
+ value: {{ .Values.vaultwarden.icons.redirectCode | quote }}
+ {{- end }}
+ ports:
+ - name: http
+ containerPort: 8080
+ protocol: TCP
+ {{- if .Values.vaultwarden.enableWebsockets }}
+ - name: websocket
+ containerPort: 3012
+ protocol: TCP
+ {{- end }}
+ livenessProbe:
+ httpGet:
+ path: {{ include "vaultwarden.domainSubPath" . 
}}
+ port: http
+ readinessProbe:
+ httpGet:
+ path: {{ include "vaultwarden.domainSubPath" . }}
+ port: http
+ volumeMounts:
+ - name: {{ include "vaultwarden.fullname" . }}
+ mountPath: /data
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ {{- if .Values.sidecars }}
+ {{- toYaml .Values.sidecars | nindent 8 }}
+ {{- end }}
+ volumes:
+ - name: {{ include "vaultwarden.fullname" . }}
+ {{- if and .Values.persistence.enabled .Values.customVolume }}
+ {{ required "customVolume cannot be used if persistence is enabled." nil }}
+ {{- end }}
+ {{- if .Values.persistence.enabled }}
+ persistentVolumeClaim:
+ claimName: {{ if .Values.persistence.existingClaim }}{{ .Values.persistence.existingClaim | quote }}{{- else }}{{ include "vaultwarden.fullname" . }}{{- end }}
+ {{- else if .Values.customVolume }}
+ {{- toYaml .Values.customVolume | nindent 8 }}
+ {{- else }}
+ emptyDir: {}
+ {{- end }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/vaultwarden-1.27/templates/ingress.yaml b/vaultwarden-1.27/templates/ingress.yaml
new file mode 100644
index 0000000..53d4b62
--- /dev/null
+++ b/vaultwarden-1.27/templates/ingress.yaml
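Review bot: The icon env entries render non-string values that the API server rejects: `value: 0` under the DISABLE_ICON_DOWNLOAD branch and the unquoted `value: {{ .Values.vaultwarden.icons.cache }}` / `value: {{ .Values.vaultwarden.icons.cacheFailed }}` emit YAML integers, but an EnvVar value must be a string, and every other literal env value in this hunk is quoted — change them to `value: "0"`, `value: {{ .Values.vaultwarden.icons.cache | quote }}` and `value: {{ .Values.vaultwarden.icons.cacheFailed | quote }}`. The guard `eq .Values.vaultwarden.icons.disableDownload "true"` compares against a string; if values.yaml defines disableDownload as a boolean (the README documents it as true / false), Go's `eq` on mismatched kinds aborts the render instead of matching, and since the enclosing `if .Values.vaultwarden.icons.disableDownload` is already truthy the inner `eq` adds nothing and can be dropped. Separately, HIBP_API_KEY is the only credential in this hunk written as a plain `value:` rather than a secretKeyRef, so it is stored in clear text in the Deployment spec and in Helm release history; an existingSecret option like the admin, SMTP and Yubico entries use would keep it out of the manifest.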
@@ -0,0 +1,67 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "vaultwarden.fullname" . -}}
+{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" -}}
+apiVersion: networking.k8s.io/v1
+{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress" -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+ name: {{ $fullName }}
+ labels:
+ {{- include "vaultwarden.labels" . | nindent 4 }}
+ {{- with .Values.ingress.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if .Values.ingress.className }}
+ ingressClassName: {{ .Values.ingress.className }}
+ {{- end }}
+ {{- if .Values.ingress.tls }}
+ tls:
+ {{- range .Values.ingress.tls }}
+ - hosts:
+ {{- range .hosts }}
+ - {{ . | quote }}
+ {{- end }}
+ secretName: {{ .secretName }}
+ {{- end }}
+ {{- end }}
+ rules:
+ - host: {{ required "Host required for ingress" .Values.ingress.host | quote }}
+ http:
+ paths:
+ {{- if .Values.vaultwarden.enableWebsockets }}
+ - path: "/notifications/hub"
+ {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+ pathType: Prefix
+ {{- end }}
+ backend:
+ {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+ service:
+ name: {{ $fullName }}
+ port:
+ number: {{ .Values.service.websocketPort }}
+ {{- else }}
+ serviceName: {{ $fullName }}
+ servicePort: {{ .Values.service.websocketPort }}
+ {{- end }}
+ {{- end }}
+ - path: "/"
+ {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+ pathType: Prefix
+ {{- end }}
+ backend:
+ {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+ service:
+ name: {{ $fullName }}
+ port:
+ number: {{ .Values.service.httpPort }}
+ {{- else }}
+ serviceName: {{ $fullName }}
+ servicePort: {{ .Values.service.httpPort }}
+ {{- end }}
+{{- end }}
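Review bot: `ingressClassName: {{ .Values.ingress.className }}` and `secretName: {{ .secretName }}` are emitted unquoted while `host` and the tls hosts go through `| quote`; a class or secret name that YAML would retype (all digits, `yes`/`no`-style words) renders as a non-string, so `ingressClassName: {{ .Values.ingress.className | quote }}` and `secretName: {{ .secretName | quote }}` would make the template consistent with its own convention. The same path entries test `.Capabilities.APIVersions.Has` once as `.Capabilities` and once as `$.Capabilities`; both resolve because the paths list is not inside a `range`, but one form throughout reads better and survives a future `range` refactor. On clusters that fall back to `networking.k8s.io/v1beta1`, `pathType` is omitted entirely; a short comment stating that the controller's default path matching applies there would save the next reader a lookup.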
diff --git a/vaultwarden-1.27/templates/ingressroute.yaml b/vaultwarden-1.27/templates/ingressroute.yaml
new file mode 100644
index 0000000..e2ec522
--- /dev/null
+++ b/vaultwarden-1.27/templates/ingressroute.yaml
@@ -0,0 +1,40 @@
+{{- if .Values.ingressRoute.enabled -}}
+{{- $fullName := include "vaultwarden.fullname" . -}}
+{{- $host := (required "Host required for IngressRoute" .Values.ingressRoute.host ) -}}
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: {{ $fullName }}
+ labels:
+ {{- include "vaultwarden.labels" . | nindent 4 }}
+spec:
+ entryPoints:
+ {{- range .Values.ingressRoute.entrypoints }}
+ - {{ . | quote }}
+ {{- end }}
+ routes:
+ {{- if .Values.vaultwarden.enableWebsockets }}
+ - match: Host(`{{ $host }}`) && PathPrefix(`/notifications/hub`)
+ kind: Rule
+ {{- if .Values.ingressRoute.middlewares }}
+ middlewares:
+ {{- toYaml .Values.ingressRoute.middlewares | nindent 6 }}
+ {{- end }}
+ services:
+ - name: {{ $fullName }}
+ port: {{ .Values.service.websocketPort }}
+ {{- end }}
+ - match: Host(`{{ $host }}`)
+ kind: Rule
+ {{- if .Values.ingressRoute.middlewares }}
+ middlewares:
+ {{- toYaml .Values.ingressRoute.middlewares | nindent 6 }}
+ {{- end }}
+ services:
+ - name: {{ $fullName }}
+ port: {{ .Values.service.httpPort }}
+ {{- if .Values.ingressRoute.tls }}
+ tls:
+ {{- toYaml .Values.ingressRoute.tls | nindent 4 }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vaultwarden-1.27/templates/pvc.yaml b/vaultwarden-1.27/templates/pvc.yaml
new file mode 100644
index 0000000..6ef9c1e
--- /dev/null
+++ b/vaultwarden-1.27/templates/pvc.yaml
@@ -0,0 +1,15 @@
+{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: {{ include "vaultwarden.fullname" . }}
+spec:
+ accessModes:
+ - {{ .Values.persistence.accessMode | quote }}
+ resources:
+ requests:
+ storage: {{ .Values.persistence.size | quote }}
+ {{- if .Values.persistence.storageClass }}
+ storageClassName: {{ .Values.persistence.storageClass | quote }}
+ {{- end }}
+{{- end -}}
\ No newline at end of file
diff --git a/vaultwarden-1.27/templates/secret.yaml b/vaultwarden-1.27/templates/secret.yaml
new file mode 100644
index 0000000..65f3156
--- /dev/null
+++ b/vaultwarden-1.27/templates/secret.yaml
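Review bot: `storageClassName: {{ .Values.persistence.storageClass | quote }}` passes the value through literally, yet values.yaml hints at the common `storageClass: "-"` convention, which in most charts means "emit an empty `storageClassName` to disable dynamic provisioning"; here `"-"` would be requested as a StorageClass literally named `-` and the claim would stay Pending. Either drop the `"-"` hint from values.yaml or map it: `storageClassName: {{ if eq .Values.persistence.storageClass "-" }}""{{ else }}{{ .Values.persistence.storageClass | quote }}{{ end }}`. The PVC is also the only resource in the chart whose `metadata` omits `{{- include "vaultwarden.labels" . | nindent 4 }}`. Since it carries no `helm.sh/resource-policy: keep` annotation, `helm uninstall` removes the claim and with it the SQLite database and attachments under `/data`; a comment stating that, or the annotation itself, belongs here.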
@@ -0,0 +1,43 @@
+{{- $adminToken := "" }}
+{{- if and (eq .Values.vaultwarden.admin.enabled true) (not .Values.vaultwarden.admin.existingSecret) }}
+{{- $adminToken = .Values.vaultwarden.admin.token | default (randAlphaNum 48) | b64enc | quote }}
+{{- end -}}
+
+{{- $databaseUrl := "" }}
+{{- if and (ne .Values.database.type "sqlite") (not .Values.database.existingSecret) }}
+{{- $databaseUrl = required "External databases need either URL or existing secret" .Values.database.url | b64enc | quote }}
+{{- end -}}
+
+{{- $smtpUser := "" }}
+{{- if and (eq .Values.vaultwarden.smtp.enabled true ) (not .Values.vaultwarden.smtp.existingSecret) (.Values.vaultwarden.smtp.user) }}
+{{- $smtpUser = .Values.vaultwarden.smtp.user | b64enc | quote }}
+{{- end -}}
+
+{{- $yubicoClientId := "" }}
+{{- if and (eq .Values.vaultwarden.yubico.enabled true ) (not .Values.vaultwarden.yubico.existingSecret) }}
+{{- $yubicoClientId = required "Yubico Client ID required" .Values.vaultwarden.yubico.clientId | toString | b64enc | quote }}
+{{- end -}}
+
+{{- if or (ne $adminToken "") (ne $databaseUrl "") (ne $smtpUser "" ) (ne $yubicoClientId "") }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "vaultwarden.fullname" . }}
+ labels:
+ {{- include "vaultwarden.labels" . | nindent 4 }}
+data:
+ {{- if ne $adminToken "" }}
+ admin-token: {{ $adminToken }}
+ {{- end }}
+ {{- if ne $databaseUrl "" }}
+ database-url: {{ $databaseUrl }}
+ {{- end }}
+ {{- if ne $smtpUser "" }}
+ smtp-user: {{ $smtpUser }}
+ smtp-password: {{ required "Must specify SMTP password" .Values.vaultwarden.smtp.password | b64enc | quote }}
+ {{- end }}
+ {{- if ne $yubicoClientId "" }}
+ yubico-client-id: {{ $yubicoClientId }}
+ yubico-secret-key: {{ required "Yubico Secret Key required" .Values.vaultwarden.yubico.secretKey | b64enc | quote }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
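Review bot: The `randAlphaNum 48` fallback for `$adminToken` is re-evaluated on every render, so each `helm upgrade` that leaves `admin.token` and `admin.existingSecret` unset rewrites `admin-token` in the Secret and silently rotates the admin-page credential, and the chart never surfaces the generated value to the operator. The usual remedy is to reuse the stored value when the Secret already exists, e.g. `{{- $existing := (lookup "v1" "Secret" .Release.Namespace (include "vaultwarden.fullname" .)).data }}` and prefer `(index $existing "admin-token")` over `randAlphaNum`, plus a line in the chart notes on how to read the token back; at minimum a comment above the `$adminToken` assignment should state that the token changes on every upgrade unless pinned. A smaller point: `smtp-password` is only written when `smtp.user` is non-empty, so a `smtp.password` set without a user is dropped without any `required` message, which matches the values.yaml comment but deserves a comment on the `{{- if ne $smtpUser "" }}` branch too.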
diff --git a/vaultwarden-1.27/templates/service.yaml b/vaultwarden-1.27/templates/service.yaml
new file mode 100644
index 0000000..c4b7e64
--- /dev/null
+++ b/vaultwarden-1.27/templates/service.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "vaultwarden.fullname" . }}
+ labels:
+ {{- include "vaultwarden.labels" . | nindent 4 }}
+spec:
+ type: {{ .Values.service.type }}
+ {{- if (or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort")) }}
+ externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }}
+ {{- end }}
+ {{- if eq .Values.service.type "LoadBalancer" }}
+ loadBalancerIP: {{ default "" .Values.service.loadBalancerIP }}
+ {{- end }}
+ ports:
+ - name: http
+ port: {{ .Values.service.httpPort }}
+ targetPort: http
+ protocol: TCP
+ {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePorts.http)))}}
+ nodePort: {{ .Values.service.nodePorts.http }}
+ {{- end }}
+ {{- if .Values.vaultwarden.enableWebsockets }}
+ - name: websocket
+ port: {{ .Values.service.websocketPort }}
+ targetPort: websocket
+ protocol: TCP
+ {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePorts.websocket)))}}
+ nodePort: {{ .Values.service.nodePorts.websocket }}
+ {{- end }}
+ {{- end }}
+ selector:
+ {{- include "vaultwarden.selectorLabels" . | nindent 4 }}
diff --git a/vaultwarden-1.27/templates/serviceaccount.yaml b/vaultwarden-1.27/templates/serviceaccount.yaml
new file mode 100644
index 0000000..6b2a67e
--- /dev/null
+++ b/vaultwarden-1.27/templates/serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "vaultwarden.serviceAccountName" . }}
+ labels:
+ {{- include "vaultwarden.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
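Review bot: `loadBalancerIP: {{ default "" .Values.service.loadBalancerIP }}` renders a bare `loadBalancerIP:` (null) whenever the value is unset, and `type: {{ .Values.service.type }}` is the one scalar in this spec not passed through `| quote`; wrapping the field as `{{- with .Values.service.loadBalancerIP }}` / `loadBalancerIP: {{ . | quote }}` / `{{- end }}` emits it only when it has a value. The `nodePort` guards use `not (empty ...)` against the `""` defaults in values.yaml, which is the right test, but the `)))}}` closings without a space before `}}` differ from every other action in the file and are worth normalising.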
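Review bot: The ServiceAccount is created without `automountServiceAccountToken: false`, so when `serviceAccount.create` is true the pod gets a Kubernetes API token mounted that vaultwarden has no use for; adding `automountServiceAccountToken: false` at the top level of this manifest (or on the pod spec in the Deployment, which begins outside this chunk) removes that credential from the container. A comment above `create:` in values.yaml noting that the chart needs no API access would make the default of `false` self-explaining.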
diff --git a/vaultwarden-1.27/templates/tests/test-connection.yaml b/vaultwarden-1.27/templates/tests/test-connection.yaml
new file mode 100644
index 0000000..f42a8c1
--- /dev/null
+++ b/vaultwarden-1.27/templates/tests/test-connection.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "vaultwarden.fullname" . }}-test-connection"
+ labels:
+ {{- include "vaultwarden.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": test-success
+spec:
+ containers:
+ - name: wget
+ image: busybox
+ command: ['wget']
+ args: ['{{ include "vaultwarden.fullname" . }}:{{ .Values.service.httpPort }}']
+ restartPolicy: Never
diff --git a/vaultwarden-1.27/values.home.yaml b/vaultwarden-1.27/values.home.yaml
new file mode 100644
index 0000000..03720c1
--- /dev/null
+++ b/vaultwarden-1.27/values.home.yaml
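Review bot: `image: busybox` carries no tag or digest, so every test run pulls whatever `latest` resolves to at that moment; pin it, e.g. `image: busybox:<PINNED_TAG>` (placeholder) or better an `@sha256:` digest, so the hook image is reproducible and reviewable like the application image. The bare `wget` also writes the fetched page into the container's working directory; `args: ['--spider', '{{ include "vaultwarden.fullname" . }}:{{ .Values.service.httpPort }}']` keeps the hook to a reachability check. The test only exercises `httpPort`, so with `enableWebsockets` true the websocket Service port is never verified; a comment saying so would set expectations for `helm test`.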
@@ -0,0 +1,273 @@
+# Default values for vaultwarden.
+
+database:
+ # Database type, must be one of: 'sqlite', 'mysql' or 'postgresql'.
+ type: postgresql
+ # Enable DB Write-Ahead-Log for SQLite, disabled for other databases. https://github.com/dani-garcia/vaultwarden/wiki/Running-without-WAL-enabled
+ wal: true
+ ## URL for external databases (mysql://user:pass@host:port/database-name or postgresql://user:pass@host:port/database-name).
+ url: "postgresql://vaultwarden:0UnBYmhT7LZ1GePohx13zRxIKM30TZA0m3GZTjgFh0dBiwENwOtZZqcPlyhMXIUD@home-postgres.db.svc.cluster.local:5432/vw"
+ ## Use existing secret for database URL, key 'database-url'.
+ existingSecret: vw-home-vaultwarden
+ ## Set the size of the database connection pool.
+ #maxConnections: 10
+ ## Connection retries during startup, 0 for infinite. 1 second between retries.
+ #retries: 15
+
+# Set vaultwarden application variables
+vaultwarden:
+ ## Set Bitwarden URL, mandatory for invitations over email. Recommended if using a reverse proxy / ingress. Format is https://name or http://name
+ #domain:
+ # Allow any user to sign-up: https://github.com/dani-garcia/vaultwarden/wiki/Disable-registration-of-new-users
+ allowSignups: true
+ ## Whitelist domains allowed to sign-up. 'allowSignups' is ignored if set.
+ #signupDomains:
+ # - domain.tld
+ # Verify e-mail before login is enabled. SMTP must be enabled.
+ verifySignup: false
+ # When a user logs in an email is required to be sent. If sending the email fails the login attempt will fail. SMTP must be enabled.
+ requireEmail: false
+ ## Maximum attempts before an email token is reset and a new email will need to be sent.
+ #emailAttempts: 3
+ ## Email token validity in seconds. 
+ #emailTokenExpiration: 600
+ # Allow invited users to sign-up even feature is disabled: https://github.com/dani-garcia/vaultwarden/wiki/Disable-invitations
+ allowInvitation: true
+ ## Number of hours after which an organization invite token, emergency access invite token,
+ ## email verification token and deletion request token will expire
+ #invitationExpiration: 120
+ ## Allow users to set password hints. Applies to all users.
+ #passwordHintsAllowed: true
+ # Show password hints: https://github.com/dani-garcia/vaultwarden/wiki/Password-hint-display
+ showPasswordHint: false
+ ## Default organization name in invitation e-mails that are not coming from a specific organization.
+ #defaultInviteName: ""
+ # Enable Websockets for notification. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-WebSocket-notifications
+ # Redirect HTTP path "/notifications/hub" to port 3012. Ingress/IngressRoute controllers are automatically configured.
+ enableWebsockets: true
+ # Enable Web Vault (static content). https://github.com/dani-garcia/vaultwarden/wiki/Disabling-or-overriding-the-Vault-interface-hosting
+ enableWebVault: true
+ # Enable Bitwarden Sends globally
+ enableSends: true
+ # Restrict creation of orgs. Options are: 'all', 'none' or a comma-separated list of users.
+ orgCreationUsers: all
+ ## Limit attachment disk usage per organization.
+ #attachmentLimitOrg:
+ ## Limit attachment disk usage per user.
+ #attachmentLimitUser:
+ ## HaveIBeenPwned API Key. Can be purchased at https://haveibeenpwned.com/API/Key.
+ #hibpApiKey:
+ ## Number of days to auto-delete trashed items. By default iteams are not auto-deleted.
+ #autoDeleteDays:
+ ## Organization event logging
+ #orgEvents: false
+ ## Organization event retation. Leave empty to not delete.
+ #orgEventsRetention: ""
+ ## Map of custom environment variables. Use carefully.
+ #extraEnv:
+ # IP_HEADER: CF-Connecting-IP
+ # ALLOWED_IFRAME_ANCESTORS: myintranet.local
+
+ admin:
+ # Enable admin portal. 
+ enabled: true
+ # Disabling the admin token will make the admin portal accessible to anyone, use carefully: https://github.com/dani-garcia/vaultwarden/wiki/Disable-admin-token
+ disableAdminToken: false
+ ## Token for admin login, will be generated if not defined. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page
+ #token:
+ ## Use existing secret for the admin token. Key is 'admin-token'.
+ #existingSecret:
+
+ emergency:
+ # Allow any user to enable emergency access.
+ enabled: true
+ ## Schedule to send expiration reminders to emergency access grantors. Cron schedule format.
+ #reminder: "0 3 * * * *"
+ ## Schedule to grant emergency access requests that have met the required wait time. Cron schedule format.
+ #timeout: "0 3 * * * *"
+
+ # Enable SMTP. https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
+ smtp:
+ enabled: false
+ # SMTP hostname, required if SMTP is enabled.
+ host: ""
+ # SMTP sender e-mail address, required if SMTP is enabled.
+ from: ""
+ ## SMTP sender name, defaults to 'Vaultwarden'.
+ #fromName: ""
+ # Enable secure SSL connection. Options are: "starttls", "force_tls" and "off"
+ # Users migrating from 1.24 or lower using ssl/explicitTLS settings:
+ # ssl = false -> "off"
+ # ssl = true and explicitTLS = false -> "starttls"
+ # ssl = true and explicitTLS = true -> "force_tls"
+ security: starttls
+ ## SMTP port. Defaults depends on security: 465 for "force_tls", 587 for "starttls" and 25 for "off"
+ #port: 587
+ ## SMTP Authentication Mechanisms. Comma-separated options: 'Plain', 'Login' and 'Xoauth2'. Defaults to 'Plain'.
+ #authMechanism: Plain
+ ## Hostname to be sent for SMTP HELO. Defaults to pod name.
+ #heloName: ""
+ ## SMTP timeout.
+ #timeout: 15
+ ## Accept SSL session if certificate is valid but hostname doesn't match. DANGEROUS, vulnerable to men-in-the-middle attacks!
+ #invalidHostname: false
+ ## Accept invalid certificates. DANGEROUS, vulnerable to men-in-the-middle attacks! 
+ #invalidCertificate: false
+ ## SMTP username.
+ #user: ""
+ ## SMTP password. Required is user is specified, ignored if no user provided.
+ #password: ""
+ ## Use existing secret for SMTP authentication. Keys are 'smtp-user' and 'smtp-password'.
+ #existingSecret:
+ ## Embed images as email attachments
+ #embedImages: false
+
+ ## Enable Yubico OPT authentication. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Yubikey-OTP-authentication
+ yubico:
+ enabled: false
+ ## Yubico server. Defaults to YubiCloud.
+ #server:
+ ## Yubico ID and Secret Key.
+ #clientId:
+ #secretKey:
+ ## Use existing secret for Yubico. Keys are 'yubico-client-id' and 'yubico-secret-key'.
+ #existingSecret:
+
+ ## Logging options. https://github.com/dani-garcia/vaultwarden/wiki/Logging
+ log:
+ # Log to file.
+ file: ""
+ # Log level. Options are "trace", "debug", "info", "warn", "error" or "off".
+ level: ""
+ ## Log timestamp format. See https://docs.rs/chrono/0.4.15/chrono/format/strftime/index.html. Defaults to time in milliseconds.
+ #timeFormat: ""
+
+ icons:
+ ## Icon download service. "internal" to fetch icons directly, otherwise options are: "bitwarden", "duckduckgo" or "google"
+ #service: internal
+ # Disables download of external icons on internal service. Setting to true will still serve icons from cache (/data/icon_cache). TTL will default to zero.
+ disableDownload: false
+ ## Cache time-to-live for icons fetched. 0 means no purging.
+ #cache: 2592000
+ ## Cache time-to-live for icons that were not available. 0 means no purging. 
+ #cacheFailed: 259200
+ ## HTTP code for redirect to external icon service
+ #redirectCode: 302
+
+service:
+ type: ClusterIP
+ httpPort: 80
+ websocketPort: 3012
+ externalTrafficPolicy: Cluster
+ # loadBalancerIP:
+ nodePorts:
+ # Choose NodePorts manually
+ http: ""
+ websocket: ""
+
+# Kubernetes Ingress
+ingress:
+ enabled: true
+ className: nginx
+ host: "warden.ervine.cloud"
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ tls:
+ - secretName: warden-ervine-cloud-tls
+ hosts:
+ - warden.ervine.cloud
+
+# Traefik IngressRoute CRD
+ingressRoute:
+ enabled: false
+ # Mandatory to enable IngressRoute
+ host: ""
+ entrypoints:
+ - websecure
+ ## Enable Traefik middlewares
+ middlewares: {}
+ # - name: my_middleware
+ # namespace: default
+ tls: {}
+ #certResolver: letsencrypt
+
+persistence:
+ enabled: true
+ size: 1Gi
+ accessMode: ReadWriteOnce
+ ## Persistent Volume storage class
+ # storageClass: "-"
+ ## Use existing Persistent Volume Claim
+ existingClaim: vw-home-vaultwarden
+
+
+# Use custom volume definition. Cannot be used with persistence.
+customVolume: {}
+ #hostPath:
+ # path: "/examplefolder/vaultwarden"
+
+image:
+ pullPolicy: IfNotPresent
+ repository: vaultwarden/server
+ tag: ""
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+replicaCount: 1
+
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: false
+ # Annotations to add to the service account
+ annotations: {}
+ # The name of the service account to use. 
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
+
+podAnnotations: {}
+podLabels: {}
+
+# Annotations to add to the Deployment
+deploymentAnnotations: {}
+
+# Sidecar containers, add container spec (https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#Container)
+# No templating possible, values need to be hardcoded
+sidecars: []
+# - name: sidecar
+# image: sidecarimage:1.2.3
+# env:
+# - name: SIDECAR_END
+# value: "sidecar"
+# volumeMounts:
+# - name: vaultwarden
+# mountPath: /data
+
+podSecurityContext:
+ fsGroup: 65534
+
+securityContext:
+ runAsUser: 65534
+ runAsGroup: 65534
+
+strategy: {}
+
+resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
diff --git a/vaultwarden-1.27/values.yaml b/vaultwarden-1.27/values.yaml
new file mode 100644
index 0000000..b4eca7b
--- /dev/null
+++ b/vaultwarden-1.27/values.yaml
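Review bot: `database.url` in this file carries a database password inline and is committed to the repository; once in git history it has to be treated as exposed and rotated, and the line should be replaced by the `existingSecret` reference that is already set two lines below (secret.yaml ignores `url` whenever `existingSecret` is set, so the inline URL is dead configuration as well as a leak). Note that a per-environment `values.home.yaml` placed inside the chart directory is also bundled by `helm package` unless the chart's ignore file excludes it, so the credential would travel with every published chart archive. `admin.enabled: true` with neither `token` nor `existingSecret` means secret.yaml's `randAlphaNum 48` fallback regenerates the admin token on every upgrade; pin it via `existingSecret`. `ingress.tls` is populated but `vaultwarden.domain` is left commented out, which the README marks as recommended behind an ingress; setting it to the same `https://` host keeps generated links consistent with the TLS endpoint.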
@@ -0,0 +1,273 @@
+# Default values for vaultwarden.
+
+database:
+ # Database type, must be one of: 'sqlite', 'mysql' or 'postgresql'.
+ type: sqlite
+ # Enable DB Write-Ahead-Log for SQLite, disabled for other databases. https://github.com/dani-garcia/vaultwarden/wiki/Running-without-WAL-enabled
+ wal: true
+ ## URL for external databases (mysql://user:pass@host:port/database-name or postgresql://user:pass@host:port/database-name).
+ #url: ""
+ ## Use existing secret for database URL, key 'database-url'.
+ #existingSecret:
+ ## Set the size of the database connection pool.
+ #maxConnections: 10
+ ## Connection retries during startup, 0 for infinite. 1 second between retries.
+ #retries: 15
+
+# Set vaultwarden application variables
+vaultwarden:
+ ## Set Bitwarden URL, mandatory for invitations over email. Recommended if using a reverse proxy / ingress. Format is https://name or http://name
+ #domain:
+ # Allow any user to sign-up: https://github.com/dani-garcia/vaultwarden/wiki/Disable-registration-of-new-users
+ allowSignups: true
+ ## Whitelist domains allowed to sign-up. 'allowSignups' is ignored if set.
+ #signupDomains:
+ # - domain.tld
+ # Verify e-mail before login is enabled. SMTP must be enabled.
+ verifySignup: false
+ # When a user logs in an email is required to be sent. If sending the email fails the login attempt will fail. SMTP must be enabled.
+ requireEmail: false
+ ## Maximum attempts before an email token is reset and a new email will need to be sent.
+ #emailAttempts: 3
+ ## Email token validity in seconds.
+ #emailTokenExpiration: 600
+ # Allow invited users to sign-up even feature is disabled: https://github.com/dani-garcia/vaultwarden/wiki/Disable-invitations
+ allowInvitation: true
+ ## Number of hours after which an organization invite token, emergency access invite token,
+ ## email verification token and deletion request token will expire
+ #invitationExpiration: 120
+ ## Allow users to set password hints. Applies to all users. 
+ #passwordHintsAllowed: true
+ # Show password hints: https://github.com/dani-garcia/vaultwarden/wiki/Password-hint-display
+ showPasswordHint: false
+ ## Default organization name in invitation e-mails that are not coming from a specific organization.
+ #defaultInviteName: ""
+ # Enable Websockets for notification. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-WebSocket-notifications
+ # Redirect HTTP path "/notifications/hub" to port 3012. Ingress/IngressRoute controllers are automatically configured.
+ enableWebsockets: true
+ # Enable Web Vault (static content). https://github.com/dani-garcia/vaultwarden/wiki/Disabling-or-overriding-the-Vault-interface-hosting
+ enableWebVault: true
+ # Enable Bitwarden Sends globally
+ enableSends: true
+ # Restrict creation of orgs. Options are: 'all', 'none' or a comma-separated list of users.
+ orgCreationUsers: all
+ ## Limit attachment disk usage per organization.
+ #attachmentLimitOrg:
+ ## Limit attachment disk usage per user.
+ #attachmentLimitUser:
+ ## HaveIBeenPwned API Key. Can be purchased at https://haveibeenpwned.com/API/Key.
+ #hibpApiKey:
+ ## Number of days to auto-delete trashed items. By default iteams are not auto-deleted.
+ #autoDeleteDays:
+ ## Organization event logging
+ #orgEvents: false
+ ## Organization event retation. Leave empty to not delete.
+ #orgEventsRetention: ""
+ ## Map of custom environment variables. Use carefully.
+ #extraEnv:
+ # IP_HEADER: CF-Connecting-IP
+ # ALLOWED_IFRAME_ANCESTORS: myintranet.local
+
+ admin:
+ # Enable admin portal.
+ enabled: false
+ # Disabling the admin token will make the admin portal accessible to anyone, use carefully: https://github.com/dani-garcia/vaultwarden/wiki/Disable-admin-token
+ disableAdminToken: false
+ ## Token for admin login, will be generated if not defined. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page
+ #token:
+ ## Use existing secret for the admin token. Key is 'admin-token'. 
+ #existingSecret:
+
+ emergency:
+ # Allow any user to enable emergency access.
+ enabled: true
+ ## Schedule to send expiration reminders to emergency access grantors. Cron schedule format.
+ #reminder: "0 3 * * * *"
+ ## Schedule to grant emergency access requests that have met the required wait time. Cron schedule format.
+ #timeout: "0 3 * * * *"
+
+ # Enable SMTP. https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
+ smtp:
+ enabled: false
+ # SMTP hostname, required if SMTP is enabled.
+ host: ""
+ # SMTP sender e-mail address, required if SMTP is enabled.
+ from: ""
+ ## SMTP sender name, defaults to 'Vaultwarden'.
+ #fromName: ""
+ # Enable secure SSL connection. Options are: "starttls", "force_tls" and "off"
+ # Users migrating from 1.24 or lower using ssl/explicitTLS settings:
+ # ssl = false -> "off"
+ # ssl = true and explicitTLS = false -> "starttls"
+ # ssl = true and explicitTLS = true -> "force_tls"
+ security: starttls
+ ## SMTP port. Defaults depends on security: 465 for "force_tls", 587 for "starttls" and 25 for "off"
+ #port: 587
+ ## SMTP Authentication Mechanisms. Comma-separated options: 'Plain', 'Login' and 'Xoauth2'. Defaults to 'Plain'.
+ #authMechanism: Plain
+ ## Hostname to be sent for SMTP HELO. Defaults to pod name.
+ #heloName: ""
+ ## SMTP timeout.
+ #timeout: 15
+ ## Accept SSL session if certificate is valid but hostname doesn't match. DANGEROUS, vulnerable to men-in-the-middle attacks!
+ #invalidHostname: false
+ ## Accept invalid certificates. DANGEROUS, vulnerable to men-in-the-middle attacks!
+ #invalidCertificate: false
+ ## SMTP username.
+ #user: ""
+ ## SMTP password. Required is user is specified, ignored if no user provided.
+ #password: ""
+ ## Use existing secret for SMTP authentication. Keys are 'smtp-user' and 'smtp-password'.
+ #existingSecret:
+ ## Embed images as email attachments
+ #embedImages: false
+
+ ## Enable Yubico OPT authentication. 
https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Yubikey-OTP-authentication
+ yubico:
+ enabled: false
+ ## Yubico server. Defaults to YubiCloud.
+ #server:
+ ## Yubico ID and Secret Key.
+ #clientId:
+ #secretKey:
+ ## Use existing secret for Yubico. Keys are 'yubico-client-id' and 'yubico-secret-key'.
+ #existingSecret:
+
+ ## Logging options. https://github.com/dani-garcia/vaultwarden/wiki/Logging
+ log:
+ # Log to file.
+ file: ""
+ # Log level. Options are "trace", "debug", "info", "warn", "error" or "off".
+ level: ""
+ ## Log timestamp format. See https://docs.rs/chrono/0.4.15/chrono/format/strftime/index.html. Defaults to time in milliseconds.
+ #timeFormat: ""
+
+ icons:
+ ## Icon download service. "internal" to fetch icons directly, otherwise options are: "bitwarden", "duckduckgo" or "google"
+ #service: internal
+ # Disables download of external icons on internal service. Setting to true will still serve icons from cache (/data/icon_cache). TTL will default to zero.
+ disableDownload: false
+ ## Cache time-to-live for icons fetched. 0 means no purging.
+ #cache: 2592000
+ ## Cache time-to-live for icons that were not available. 0 means no purging. 
+ #cacheFailed: 259200
+ ## HTTP code for redirect to external icon service
+ #redirectCode: 302
+
+service:
+ type: ClusterIP
+ httpPort: 80
+ websocketPort: 3012
+ externalTrafficPolicy: Cluster
+ # loadBalancerIP:
+ nodePorts:
+ # Choose NodePorts manually
+ http: ""
+ websocket: ""
+
+# Kubernetes Ingress
+ingress:
+ enabled: false
+ # className: nginx
+ host: ""
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ tls: []
+ # - secretName: vaultwarden-tls
+ # hosts:
+ # - vaultwarden.local
+
+# Traefik IngressRoute CRD
+ingressRoute:
+ enabled: false
+ # Mandatory to enable IngressRoute
+ host: ""
+ entrypoints:
+ - websecure
+ ## Enable Traefik middlewares
+ middlewares: {}
+ # - name: my_middleware
+ # namespace: default
+ tls: {}
+ #certResolver: letsencrypt
+
+persistence:
+ enabled: false
+ size: 1Gi
+ accessMode: ReadWriteOnce
+ ## Persistent Volume storage class
+ # storageClass: "-"
+ ## Use existing Persistent Volume Claim
+ # existingClaim:
+
+
+# Use custom volume definition. Cannot be used with persistence.
+customVolume: {}
+ #hostPath:
+ # path: "/examplefolder/vaultwarden"
+
+image:
+ pullPolicy: IfNotPresent
+ repository: vaultwarden/server
+ tag: ""
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+replicaCount: 1
+
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: false
+ # Annotations to add to the service account
+ annotations: {}
+ # The name of the service account to use. 
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
+
+podAnnotations: {}
+podLabels: {}
+
+# Annotations to add to the Deployment
+deploymentAnnotations: {}
+
+# Sidecar containers, add container spec (https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#Container)
+# No templating possible, values need to be hardcoded
+sidecars: []
+# - name: sidecar
+# image: sidecarimage:1.2.3
+# env:
+# - name: SIDECAR_END
+# value: "sidecar"
+# volumeMounts:
+# - name: vaultwarden
+# mountPath: /data
+
+podSecurityContext:
+ fsGroup: 65534
+
+securityContext:
+ runAsUser: 65534
+ runAsGroup: 65534
+
+strategy: {}
+
+resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
diff --git a/vaultwarden/Chart.yaml b/vaultwarden/Chart.yaml
index 16b112b..c9edc80 100644
--- a/vaultwarden/Chart.yaml
+++ b/vaultwarden/Chart.yaml
@@ -1,9 +1,13 @@ apiVersion: v2 -appVersion: 1.27.0 +appVersion: 1.32.7 description: Unofficial Bitwarden compatible server written in Rust -home: https://github.com/dani-garcia/vaultwarden - bitwarden - bitwarden_rs - password - - vaultwarden -icon: https://upload.wikimedia.org/wikipedia/commons/0/03/Bitwarden_Logo.png +home: https://github.com/dani-garcia/vaultwarden +icon: https://raw.githubusercontent.com/dani-garcia/vaultwarden/main/resources/vaultwarden-icon.svg +keywords: +- bitwarden +- bitwarden_rs +- password +- vaultwarden maintainers: - email: silvio@gissilabs.com name: Silvio Gissi 
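Review bot: `securityContext` sets only `runAsUser`/`runAsGroup: 65534`; assuming the Deployment renders this block through `toYaml` (the Deployment hunk begins outside this chunk), the container still runs with the default capability set and privilege escalation permitted. Adding `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` to the default is cheap here, since the container binds 8080/3012 and writes only under the `/data` mount; `readOnlyRootFilesystem` would need checking against the image first. Separately, `icons.disableDownload: false` is a YAML boolean while deployment.yaml compares it with `eq .Values.vaultwarden.icons.disableDownload "true"`, a string, so a user who sets `true` here gets a template incompatible-types comparison error instead of `ICON_CACHE_TTL` defaulting to 0; either document the value as the string `"true"` or change the template test to `if .Values.vaultwarden.icons.disableDownload`.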
@@ -11,4 +15,4 @@ name: vaultwarden sources: - https://github.com/dani-garcia/vaultwarden type: application -version: 1.0.0 +version: 1.2.5
diff --git a/vaultwarden/README.md b/vaultwarden/README.md
index c7e1de5..defe667 100644
--- a/vaultwarden/README.md
+++ b/vaultwarden/README.md
@@ -33,6 +33,7 @@ database.type | Backend database type | sqlite, mysql or postgresql | sqlite database.wal | Enable SQLite Write-Ahead-Log, ignored for external databases | true / false | true database.url | URL of external database (MySQL/PostgreSQL) | \[mysql\|postgresql\]://user:pass@host:port\[/database\] | Empty database.existingSecret | Use existing secret for database URL, key 'database-url' | Secret name | Not defined +database.existingSecretKey | Use different key for existing secret for database URL. If defined, `database.existingSecret` has to be defined as well | Secret name | Not defined database.maxConnections | Set the size of the database connection pool | Number | 10 database.retries | Connection retries during startup, 0 for infinite. 1 second between retries | Number | 15 
@@ -52,20 +53,21 @@ vaultwarden.invitationExpiration | Number of hours after which tokens expire (or vaultwarden.defaultInviteName | Default organization name in invitation e-mails that are not coming from a specific organization. | Text | Vaultwarden vaultwarden.passwordHintsAllowed | Allow users to set password hints. Applies to all users. | true / false | true vaultwarden.showPasswordHint | Show password hints. [More Information](https://github.com/dani-garcia/vaultwarden/wiki/Password-hint-display) | true / false | false -vaultwarden.enableWebsockets | Enable Websockets for notification. [More Information](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-WebSocket-notifications). If using Ingress controllers, "notifications/hub" URL is redirected to websocket port | true / false | true vaultwarden.enableWebVault | Enable Web Vault static site. [More Information](https://github.com/dani-garcia/vaultwarden/wiki/Disabling-or-overriding-the-Vault-interface-hosting). | true / false | true vaultwarden.enableSends | Enable Bitwarden Sends globally. | true / false | true vaultwarden.orgCreationUsers | Restrict creation of orgs. | 'all', 'none' or a comma-separated list of users. | all vaultwarden.attachmentLimitOrg | Limit attachment disk usage in Kb per organization | Number | Not defined vaultwarden.attachmentLimitUser | Limit attachment disk usage in Kb per user | Number | Not defined +vaultwarden.sendLimitUser | Limit send disk usage in Kb per user | Number | Not defined vaultwarden.hibpApiKey | API Key to use HaveIBeenPwned service. Can be purchased at [here](https://haveibeenpwned.com/API/Key) | Text | Not defined vaultwarden.autoDeleteDays | Number of days to auto-delete trashed items. 
| Number | Empty (never auto-delete) vaultwarden.orgEvents | Enable Organization event logging | true / false | false vaultwarden.orgEventsRetention | Organization event log retention in days | Number | Empty (never delete) -vaultwarden.extraEnv | Pass extra environment variables | Map | Not defined +vaultwarden.emailChangeAllowed | Allow users to change their email. | true / false | true +vaultwarden.extraEnv | Pass extra environment variables, either as key-value pairs or as key-reference pairs | Map | Not defined vaultwarden.log.file | Filename to log to disk. [More information](https://github.com/dani-garcia/vaultwarden/wiki/Logging) | File path | Empty vaultwarden.log.level | Change log level | trace, debug, info, warn, error or off | Empty -vaultwarden.log.timeFormat | Log timestamp | Rust chrono [format](https://docs.rs/chrono/0.4.15/chrono/format/strftime/index.html). | Time in milliseconds | Empty +vaultwarden.log.timeFormat | Log timestamp | Rust chrono [format](https://docs.rs/chrono/0.4.15/chrono/format/strftime/index.html). | Empty ## **Application Features** @@ -96,7 +98,7 @@ vaultwarden.smtp.invalidCertificate | Accept invalid certificates. DANGEROUS! | vaultwarden.smtp.user | SMTP username | Text | Not defined vaultwarden.smtp.password | SMTP password. Required is user is specified | Text | Not defined vaultwarden.smtp.existingSecret | Use existing secret for SMTP authentication. Keys are 'smtp-user' and 'smtp-password' | Secret name | Not defined -vaultwarden.smtp.embedImages | Embed images as email attachments | true / false | false +vaultwarden.smtp.embedImages | Embed images as email attachments | true / false | true ||| vaultwarden.yubico.enabled | Enable Yubikey support | true / false | false vaultwarden.yubico.server | Yubico server | Hostname | YubiCloud 
@@ -109,6 +111,13 @@ vaultwarden.icons.disableDownload | Disables download of external icons, icons i vaultwarden.icons.cache | Cache time-to-live for icons fetched. 0 means no purging | Number | 2592000. If download is disabled, defaults to 0 vaultwarden.icons.cacheFailed | Cache time-to-live for icons that were not available. 0 means no purging | Number | 2592000 vaultwarden.icons.redirectCode | HTTP code to use for redirects to an external icon service | true / false | 302 +||| +vaultwarden.push.enabled | Enable Push notifications | true / false | false +vaultwarden.push.installationId | Installation ID from Bitwarden | Text | Empty +vaultwarden.push.installationKey | Installation Key from Bitwarden | Text | Empty +vaultwarden.push.relayUri | Relay URI, should not need to change | URL | https://push.bitwarden.com +vaultwarden.push.identityUri | Identity URI, should not need to change | URL | https://push.bitwarden.com +vaultwarden.push.existingSecret | Use existing secret for Push notifications. Keys are 'push-id' and 'push-key' | Secret name | Not defined ## **Network** 
@@ -116,19 +125,18 @@ Option | Description | Format | Default ------ | ----------- | ------ | ------- service.type | Service Type. [More Information](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) | Type | ClusterIP service.httpPort | Service port for HTTP server | Number | 80 -service.websocketPort | Service port for Websocket server, if enabled | Number | 3012 service.externalTrafficPolicy | External Traffic Policy. [More Information](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip) | Local / Cluster| Cluster service.loadBalancerIP | Manually select IP when type is LoadBalancer | IP address | Not defined service.nodePorts.http | Manually select node port for http | Number | Empty -service.nodePorts.websocket | Manually select node port for websocker, if enabled | Number | Empty ||| ingress.enabled | Enable Ingress | true / false | false -ingress.className | Name of the ingress class | string | Empty +ingress.className | Name of the ingress class | Text | Empty ingress.host | Ingress hostname **required** | Hostname | Empty ingress.annotations | Ingress annotations | Map | Empty ingress.tls | Ingress TLS options | Array of Maps | Empty ||| ingressRoute.enabled | Enable Traefik IngressRoute CRD | true / false | false +ingressRoute.newCRD | Traefik 2.10 and above uses a new CRD namespace (traefik.io) | true / false | false ingressRoute.host | Ingress route hostname **required** | Hostname | Empty ingressRoute.middlewares | Enable middlewares | Map | Empty ingressRoute.entrypoints | List of Traefik endpoints | Array of Text | \[websecure\] 
@@ -143,7 +151,9 @@ persistence.size | Size of volume | Size | 1Gi persistence.accessMode | Volume access mode | Text | ReadWriteOnce persistence.storageClass | Storage Class | Text | Not defined. Use "-" for default class persistence.existingClaim | Use existing PVC | Name of PVC | Not defined +persistence.annotations | PVC annotations | Map | Empty customVolume | Use custom volume definition. Cannot be used with persistence | Map | Empty +additionalVolumes | Additional volumes definitions, to be used by sidecars [Spec](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes) | Array | Empty ## **Image** @@ -165,6 +175,8 @@ serviceAccount.create | Create Service Account | true / false | false serviceAccount.annotations | Annotations service account | Map | Empty serviceAccount.name | Service Account name | Text | Generated from template deploymentAnnotations | Deployment Annotations | Map | Empty +probes.liveness | Liveness options [Spec](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes) | Map | Empty +probes.readiness | Readiness options [Spec](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes) | Map | Empty sidecars | Sidecar container definition [Spec](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#Container) | Array | Empty podAnnotations | Pod Annotations | Map | Empty podLabels | Extra Pod Labels | Map | Empty 
@@ -177,6 +189,14 @@ affinity | Affinity | Map | Empty ## Upgrade +### From 1.1 to 1.2 + +Dropped support for Ingress on Kubernetes versions 1.18 or older. [More details](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#ingressclass-v122). Since Vaultwarden 1.29, WebSockets no longer uses separate port, support for that has been removed as well. + +### From 1.0 to 1.1 + +The default value for Embed Images on email option changed from false to true. + ### From 0.x to 1.x Vaultwarden version before v1.25.0 had a [bug/mislabelled](https://github.com/dani-garcia/vaultwarden/issues/851) configuration setting regarding SSL and TLS. This has been fixed in testing and newer released versions. When image version is 1.25 or higher, use vaultwarden.smtp.security instead of vaultwarden.smtp.ssl/vaultwarden.smtp.explicitTLS. diff --git a/vaultwarden/templates/NOTES.txt b/vaultwarden/templates/NOTES.txt index 194c226..e51513d 100644 --- a/vaultwarden/templates/NOTES.txt +++ b/vaultwarden/templates/NOTES.txt @@ -4,10 +4,6 @@ {{- else if .Values.ingressRoute.enabled }} http{{ if $.Values.ingressRoute.tls }}s{{ end }}://{{ .Values.ingressRoute.host }}/ {{- else }} - {{- if eq .Values.vaultwarden.enableWebsockets true }} - NOTE: the websocket listens on a different port and might not work unless /notifications/hub is redirected externally. - - {{- end }} {{- if contains "NodePort" .Values.service.type }} export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "vaultwarden.fullname" . }}) export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") diff --git a/vaultwarden/templates/deployment.yaml b/vaultwarden/templates/deployment.yaml index e83ad31..0f6f630 100644 --- a/vaultwarden/templates/deployment.yaml +++ b/vaultwarden/templates/deployment.yaml 
@@ -36,6 +36,10 @@ spec: serviceAccountName: {{ include "vaultwarden.serviceAccountName" . }} securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- if .Values.initContainers }} + initContainers: + {{- toYaml .Values.initContainers | nindent 8 }} + {{- end }} containers: - name: {{ .Chart.Name }} securityContext: @@ -81,8 +85,6 @@ spec: {{- end }} - name: SHOW_PASSWORD_HINT value: {{ .Values.vaultwarden.showPasswordHint | quote }} - - name: WEBSOCKET_ENABLED - value: {{ .Values.vaultwarden.enableWebsockets | quote }} - name: WEB_VAULT_ENABLED value: {{ .Values.vaultwarden.enableWebVault | quote }} - name: SENDS_ALLOWED @@ -97,6 +99,10 @@ spec: - name: USER_ATTACHMENT_LIMIT value: {{ .Values.vaultwarden.attachmentLimitUser | quote }} {{- end }} + {{- if .Values.vaultwarden.sendLimitUser }} + - name: USER_SEND_LIMIT + value: {{ .Values.vaultwarden.sendLimitUser | quote }} + {{- end }} {{- if .Values.vaultwarden.hibpApiKey }} - name: HIBP_API_KEY value: {{ .Values.vaultwarden.hibpApiKey | quote }} @@ -113,10 +119,22 @@ spec: - name: EVENTS_DAYS_RETAIN value: {{ .Values.vaultwarden.orgEventsRetention | quote }} {{- end }} + {{- if hasKey .Values.vaultwarden "emailChangeAllowed" }} + - name: EMAIL_CHANGE_ALLOWED + value: {{ .Values.vaultwarden.emailChangeAllowed | quote }} + {{- end }} + {{- if .Values.vaultwarden.extraEnv }} {{- range $key, $val := .Values.vaultwarden.extraEnv }} - name: {{ $key }} + {{- if kindIs "string" $val }} value: {{ $val | quote }} + {{- else if or (hasKey $val "secretKeyRef") (hasKey $val "configMapKeyRef") }} + valueFrom: + {{- $val | toYaml | nindent 16 }} + {{- else }} + {{- fail "Items in extraEnv must be either text or contain a valueFrom key (configMapKeyRef or secretKeyRef)" }} + {{- end }} {{- end }} {{- end }} {{- include "vaultwarden.dbTypeValid" . }} 
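Review bot: The extraEnv dispatch in the `@@ -113,10 +119,22 @@` hunk only accepts string scalars (`kindIs "string" $val`), so a value written as `SOME_PORT: 8080` or `SOME_FLAG: true` falls through to `hasKey $val "secretKeyRef"`, which is then called on a non-map and, as far as I can tell, aborts with a Go template type error instead of the `fail` message written for that case. Since `quote` stringifies any scalar, the first test can be widened to `{{- if not (kindIs "map" $val) }}`, after which the `hasKey` branch only ever sees maps and the `fail` text becomes accurate. The surrounding `env:` list starts outside the hunk.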
@@ -138,7 +156,7 @@ spec: valueFrom: secretKeyRef: name: {{ if .Values.database.existingSecret }}{{ .Values.database.existingSecret }}{{else}}{{ include "vaultwarden.fullname" . }}{{end}} - key: database-url + key: {{ if and .Values.database.existingSecret .Values.database.existingSecretKey }}{{ .Values.database.existingSecretKey }}{{else}}database-url{{end}} {{- end }} {{- if .Values.vaultwarden.domain }} - name: DOMAIN @@ -273,9 +291,9 @@ spec: {{- if .Values.vaultwarden.icons.disableDownload }} - name: DISABLE_ICON_DOWNLOAD value: {{ .Values.vaultwarden.icons.disableDownload | quote }} - {{- if and (not .Values.vaultwarden.icons.cache) (eq .Values.vaultwarden.icons.disableDownload "true") }} + {{- if and (not .Values.vaultwarden.icons.cache) (.Values.vaultwarden.icons.disableDownload) }} - name: ICON_CACHE_TTL - value: 0 + value: "0" {{- end }} {{- end }} {{- if .Values.vaultwarden.icons.cache }} 
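Review bot: In the `@@ -273,9 +291,9 @@` hunk the inner condition `(and (not .Values.vaultwarden.icons.cache) (.Values.vaultwarden.icons.disableDownload))` repeats the test of the enclosing `{{- if .Values.vaultwarden.icons.disableDownload }}` two lines above, so `{{- if not .Values.vaultwarden.icons.cache }}` is equivalent and easier to read. The change from `value: 0` to `value: "0"` is right, since Kubernetes requires env values to be strings. The `ICON_CACHE_TTL` block is fully inside the hunk; the `key:` change in the first hunk correctly only honours `existingSecretKey` when `existingSecret` is also set, matching the README.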
@@ -289,24 +307,45 @@ spec: {{- if hasKey .Values.vaultwarden.icons "redirectCode" }} - name: ICON_REDIRECT_CODE value: {{ .Values.vaultwarden.icons.redirectCode | quote }} - {{- end }} + {{- end }} + {{- if eq .Values.vaultwarden.push.enabled true }} + - name: PUSH_INSTALLATION_ID + valueFrom: + secretKeyRef: + name: {{ .Values.vaultwarden.push.existingSecret | default (include "vaultwarden.fullname" .) }} + key: push-id + - name: PUSH_INSTALLATION_KEY + valueFrom: + secretKeyRef: + name: {{ .Values.vaultwarden.push.existingSecret | default (include "vaultwarden.fullname" .) }} + key: push-key + {{- if hasKey .Values.vaultwarden.push "relayUri" }} + - name: PUSH_RELAY_URI + value: {{ .Values.vaultwarden.push.relayUri | quote }} + {{- end }} + {{- if hasKey .Values.vaultwarden.push "identityUri" }} + - name: PUSH_IDENTITY_URI + value: {{ .Values.vaultwarden.push.identityUri | quote }} + {{- end }} + {{- end }}{{/* Push */}} ports: - name: http containerPort: 8080 protocol: TCP - {{- if .Values.vaultwarden.enableWebsockets }} - - name: websocket - containerPort: 3012 - protocol: TCP - {{- end }} livenessProbe: httpGet: path: {{ include "vaultwarden.domainSubPath" . }} port: http + {{- if .Values.probes.liveness }} + {{- toYaml .Values.probes.liveness | nindent 12 }} + {{- end }} readinessProbe: httpGet: path: {{ include "vaultwarden.domainSubPath" . }} port: http + {{- if .Values.probes.readiness }} + {{- toYaml .Values.probes.readiness | nindent 12 }} + {{- end }} volumeMounts: - name: {{ include "vaultwarden.fullname" . }} mountPath: /data @@ -328,6 +367,9 @@ spec: {{- else }} emptyDir: {} {{- end }} + {{- if .Values.additionalVolumes }} + {{- toYaml .Values.additionalVolumes | nindent 6 }} + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/vaultwarden/templates/ingress.yaml b/vaultwarden/templates/ingress.yaml index 53d4b62..22a9d34 100644 --- a/vaultwarden/templates/ingress.yaml 
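Review bot: The push block in the `@@ -289,24 +307,45 @@` hunk is gated by `{{- if eq .Values.vaultwarden.push.enabled true }}`, which matches only a YAML boolean; a user who writes `enabled: "true"` gets no `PUSH_*` variables and no error, and secret.yaml in this diff uses the same strict test so the Secret is silently skipped too. `{{- if .Values.vaultwarden.push.enabled }}` accepts either form and is how `.Values.probes.liveness` is tested a few lines below. The probe additions splice `probes.liveness` / `probes.readiness` in as siblings of `httpGet`, so a comment such as `# probes.* must not set httpGet or port; those are rendered above` would spare the next user a duplicate-key surprise in the rendered manifest.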
+++ b/vaultwarden/templates/ingress.yaml @@ -1,12 +1,6 @@ {{- if .Values.ingress.enabled -}} {{- $fullName := include "vaultwarden.fullname" . -}} -{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" -}} apiVersion: networking.k8s.io/v1 -{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress" -}} -apiVersion: networking.k8s.io/v1beta1 -{{- else -}} -apiVersion: extensions/v1beta1 -{{- end }} kind: Ingress metadata: name: {{ $fullName }} @@ -34,34 +28,11 @@ spec: - host: {{ required "Host required for ingress" .Values.ingress.host | quote }} http: paths: - {{- if .Values.vaultwarden.enableWebsockets }} - - path: "/notifications/hub" - {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} - pathType: Prefix - {{- end }} - backend: - {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} - service: - name: {{ $fullName }} - port: - number: {{ .Values.service.websocketPort }} - {{- else }} - serviceName: {{ $fullName }} - servicePort: {{ .Values.service.websocketPort }} - {{- end }} - {{- end }} - path: "/" - {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} pathType: Prefix - {{- end }} backend: - {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} service: name: {{ $fullName }} port: - number: {{ .Values.service.httpPort }} - {{- else }} - serviceName: {{ $fullName }} - servicePort: {{ .Values.service.httpPort }} - {{- end }} + name: http {{- end }} diff --git a/vaultwarden/templates/ingressroute.yaml b/vaultwarden/templates/ingressroute.yaml index e2ec522..df1fbd9 100644 --- a/vaultwarden/templates/ingressroute.yaml +++ b/vaultwarden/templates/ingressroute.yaml 
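Review bot: The backend in the `@@ -34,34 +28,11 @@` hunk now refers to the Service port by name (`name: http`) rather than `number: {{ .Values.service.httpPort }}`; this only resolves if service.yaml names its HTTP port `http`, which the service.yaml hunk in this diff does not show (only the removed websocket port is visible), so please confirm. If it does, the change is an improvement because the Ingress no longer has to track `service.httpPort`. A comment on the backend, `# must match the port name in service.yaml`, would document the coupling.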
@@ -1,7 +1,11 @@ {{- if .Values.ingressRoute.enabled -}} {{- $fullName := include "vaultwarden.fullname" . -}} {{- $host := (required "Host required for IngressRoute" .Values.ingressRoute.host ) -}} +{{- if .Values.ingressRoute.newCRD }} +apiVersion: traefik.io/v1alpha1 +{{- else }} apiVersion: traefik.containo.us/v1alpha1 +{{- end }} kind: IngressRoute metadata: name: {{ $fullName }} @@ -13,17 +17,6 @@ spec: - {{ . | quote }} {{- end }} routes: - {{- if .Values.vaultwarden.enableWebsockets }} - - match: Host(`{{ $host }}`) && PathPrefix(`/notifications/hub`) - kind: Rule - {{- if .Values.ingressRoute.middlewares }} - middlewares: - {{- toYaml .Values.ingressRoute.middlewares | nindent 6 }} - {{- end }} - services: - - name: {{ $fullName }} - port: {{ .Values.service.websocketPort }} - {{- end }} - match: Host(`{{ $host }}`) kind: Rule {{- if .Values.ingressRoute.middlewares }} diff --git a/vaultwarden/templates/pvc.yaml b/vaultwarden/templates/pvc.yaml index 6ef9c1e..e8f889f 100644 --- a/vaultwarden/templates/pvc.yaml +++ b/vaultwarden/templates/pvc.yaml @@ -3,6 +3,10 @@ kind: PersistentVolumeClaim apiVersion: v1 metadata: name: {{ include "vaultwarden.fullname" . }} + {{- with .Values.persistence.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} spec: accessModes: - {{ .Values.persistence.accessMode | quote }} diff --git a/vaultwarden/templates/secret.yaml b/vaultwarden/templates/secret.yaml index 65f3156..8463416 100644 --- a/vaultwarden/templates/secret.yaml +++ b/vaultwarden/templates/secret.yaml 
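Review bot: The `newCRD` switch in the `@@ -1,7 +1,11 @@` hunk makes the operator know which Traefik API group their cluster serves; the chart already relied on `.Capabilities.APIVersions.Has` in the ingress.yaml code this diff removes, and `{{- if or .Values.ingressRoute.newCRD (.Capabilities.APIVersions.Has "traefik.io/v1alpha1") }}` would keep the flag as an override while defaulting correctly on Traefik 2.10+. The explicit flag should stay, since `helm template` without `--api-versions` has no cluster capabilities to consult. The `routes:` list of the second hunk continues past the end of the hunk.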
@@ -18,7 +18,12 @@ {{- $yubicoClientId = required "Yubico Client ID required" .Values.vaultwarden.yubico.clientId | toString | b64enc | quote }} {{- end -}} -{{- if or (ne $adminToken "") (ne $databaseUrl "") (ne $smtpUser "" ) (ne $yubicoClientId "") }} +{{- $pushId := "" }} +{{- if and (eq .Values.vaultwarden.push.enabled true ) (not .Values.vaultwarden.push.existingSecret) }} +{{- $pushId = required "Push Installation ID required" .Values.vaultwarden.push.installationId | toString | b64enc | quote }} +{{- end -}} + +{{- if or (ne $adminToken "") (ne $databaseUrl "") (ne $smtpUser "" ) (ne $yubicoClientId "") (ne $pushId "") }} apiVersion: v1 kind: Secret metadata: @@ -40,4 +45,8 @@ data: yubico-client-id: {{ $yubicoClientId }} yubico-secret-key: {{ required "Yubico Secret Key required" .Values.vaultwarden.yubico.secretKey | b64enc | quote }} {{- end }} + {{- if ne $pushId "" }} + push-id: {{ $pushId }} + push-key: {{ required "Push Installation Key required" .Values.vaultwarden.push.installationKey | b64enc | quote }} + {{- end }} {{- end }} \ No newline at end of file diff --git a/vaultwarden/templates/service.yaml b/vaultwarden/templates/service.yaml index c4b7e64..92cde69 100644 --- a/vaultwarden/templates/service.yaml +++ b/vaultwarden/templates/service.yaml @@ -20,14 +20,5 @@ spec: {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePorts.http)))}} nodePort: {{ .Values.service.nodePorts.http }} {{- end }} - {{- if .Values.vaultwarden.enableWebsockets }} - - name: websocket - port: {{ .Values.service.websocketPort }} - targetPort: websocket - protocol: TCP - {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePorts.websocket)))}} - nodePort: {{ .Values.service.nodePorts.websocket }} - {{- end }} - {{- end }} selector: {{- include "vaultwarden.selectorLabels" . | nindent 4 }} diff --git a/vaultwarden/values.home.yaml b/vaultwarden/values.home.yaml index 03720c1..dca845f 100644 
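Review bot: In the `@@ -40,4 +45,8 @@` hunk `push-key` is rendered with `installationKey | b64enc | quote`, while `$pushId` in the first hunk goes through `toString` first; a key that YAML parses as a number would therefore fail in `b64enc` rather than being encoded, so the line should read `push-key: {{ required "Push Installation Key required" .Values.vaultwarden.push.installationKey | toString | b64enc | quote }}`. The same pattern is visible in the `yubico-secret-key` context line, so both could be aligned. The file still ends without a trailing newline, which the hunk preserves.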
--- a/vaultwarden/values.home.yaml +++ b/vaultwarden/values.home.yaml @@ -9,6 +9,8 @@ database: url: "postgresql://vaultwarden:0UnBYmhT7LZ1GePohx13zRxIKM30TZA0m3GZTjgFh0dBiwENwOtZZqcPlyhMXIUD@home-postgres.db.svc.cluster.local:5432/vw" ## Use existing secret for database URL, key 'database-url'. existingSecret: vw-home-vaultwarden + ## Use a different key for the existing secret. + #existingSecretKey: ## Set the size of the database connection pool. #maxConnections: 10 ## Connection retries during startup, 0 for infinite. 1 second between retries. @@ -42,9 +44,6 @@ vaultwarden: showPasswordHint: false ## Default organization name in invitation e-mails that are not coming from a specific organization. #defaultInviteName: "" - # Enable Websockets for notification. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-WebSocket-notifications - # Redirect HTTP path "/notifications/hub" to port 3012. Ingress/IngressRoute controllers are automatically configured. - enableWebsockets: true # Enable Web Vault (static content). https://github.com/dani-garcia/vaultwarden/wiki/Disabling-or-overriding-the-Vault-interface-hosting enableWebVault: true # Enable Bitwarden Sends globally @@ -55,6 +54,8 @@ vaultwarden: #attachmentLimitOrg: ## Limit attachment disk usage per user. #attachmentLimitUser: + ## Limit send disk usage per user. + #sendLimitUser: ## HaveIBeenPwned API Key. Can be purchased at https://haveibeenpwned.com/API/Key. #hibpApiKey: ## Number of days to auto-delete trashed items. By default iteams are not auto-deleted. 
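Review bot: The context line `url: "postgresql://vaultwarden:…@home-postgres.db.svc.cluster.local:5432/vw"` in the first hunk of values.home.yaml commits a database password to version control, and the change leaves it in place while `existingSecret: vw-home-vaultwarden` directly below already supplies the URL from a Secret (deployment.yaml in this diff prefers `database.existingSecret` for both name and key when set). The inline `url` therefore appears redundant and can be dropped to `#url: ""`; since the value remains in history, the credential should also be rotated. An environment-specific values file like this is a candidate for `.gitignore` or encrypted storage rather than plain commits.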
@@ -63,14 +64,24 @@ vaultwarden: #orgEvents: false ## Organization event retation. Leave empty to not delete. #orgEventsRetention: "" + ## Allow users to change their email. + #emailChangeAllowed: true ## Map of custom environment variables. Use carefully. #extraEnv: # IP_HEADER: CF-Connecting-IP # ALLOWED_IFRAME_ANCESTORS: myintranet.local + # COOL_VARIABLE: + # secretKeyRef: + # name: my-secret + # key: my-secret-key + # ANOTHER_VARIABLE: + # configMapKeyRef: + # name: my-config-map + # key: my-config-map-key admin: # Enable admin portal. - enabled: true + enabled: admin # Disabling the admin token will make the admin portal accessible to anyone, use carefully: https://github.com/dani-garcia/vaultwarden/wiki/Disable-admin-token disableAdminToken: false ## Token for admin login, will be generated if not defined. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page @@ -120,7 +131,7 @@ vaultwarden: ## Use existing secret for SMTP authentication. Keys are 'smtp-user' and 'smtp-password'. #existingSecret: ## Embed images as email attachments - #embedImages: false + #embedImages: true ## Enable Yubico OPT authentication. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Yubikey-OTP-authentication yubico: 
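Review bot: `enabled: admin` in the `@@ -63,14 +64,24 @@` hunk of values.home.yaml replaces a boolean with the string `admin`; a Helm `if` treats the string as truthy so the admin portal still renders, but any `eq ... true` comparison would treat it as false, and the `# Enable admin portal.` comment and the old value both describe a boolean. This reads like an editing slip and should be `enabled: true`. The `admin:` stanza continues beyond the last line of the hunk.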
@@ -154,21 +165,33 @@ vaultwarden: ## HTTP code for redirect to external icon service #redirectCode: 302 + # Push notifications. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification + push: + enabled: false + ## Installation ID from Bitwarden. + #installationId: + ## Installation Key from Bitwarden. + #installationKey: + ## Relay URI + #relayUri: + ## Identity URI + #identityUri: + ## Use existing secret for Push notifications. Keys are 'push-id' and 'push-key'. + #existingSecret: + service: type: ClusterIP httpPort: 80 - websocketPort: 3012 externalTrafficPolicy: Cluster # loadBalancerIP: nodePorts: # Choose NodePorts manually http: "" - websocket: "" # Kubernetes Ingress ingress: enabled: true - className: nginx + className: "nginx" host: "warden.ervine.cloud" annotations: {} # kubernetes.io/ingress.class: nginx @@ -181,6 +204,8 @@ ingress: # Traefik IngressRoute CRD ingressRoute: enabled: false + # Starting on Traefik 2.10, the IngressRoute CRD moved to traefik.io namespace + newCRD: false # Mandatory to enable IngressRoute host: "" entrypoints: @@ -200,13 +225,17 @@ persistence: # storageClass: "-" ## Use existing Persistent Volume Claim existingClaim: vw-home-vaultwarden - + ## Annotations to add to the Persistent Volume Claim + annotations: {} # Use custom volume definition. Cannot be used with persistence. customVolume: {} #hostPath: # path: "/examplefolder/vaultwarden" +# Additional volumes, to be used by sidecars +#additionalVolumes: [] + image: pullPolicy: IfNotPresent repository: vaultwarden/server 
@@ -232,6 +261,30 @@ podLabels: {} # Annotations to add to the Deployment deploymentAnnotations: {} +# Readiness and Liveness probes +probes: {} + #liveness: + #timeoutSeconds: 1 + #periodSeconds: 10 + #successThreshold: 1 + #failureThreshold: 3 + #readiness: + #timeoutSeconds: 1 + #periodSeconds: 10 + #successThreshold: 1 + #failureThreshold: 3 + +# initContainers containers, add container spec (https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#Container) +# No templating possible, values need to be hardcoded +initContainers: [] +# - name: initcontainer +# image: initcontainer:1.2.3 +# env: +# - name: INITCONTAINER_END +# value: "initcontainer" +# volumeMounts: +# - name: vaultwarden +# mountPath: /data # Sidecar containers, add container spec (https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#Container) # No templating possible, values need to be hardcoded diff --git a/vaultwarden/values.yaml b/vaultwarden/values.yaml index b4eca7b..c7ee0e3 100644 --- a/vaultwarden/values.yaml +++ b/vaultwarden/values.yaml @@ -9,6 +9,8 @@ database: #url: "" ## Use existing secret for database URL, key 'database-url'. #existingSecret: + ## Use a different key for the existing secret. + #existingSecretKey: ## Set the size of the database connection pool. #maxConnections: 10 ## Connection retries during startup, 0 for infinite. 1 second between retries. 
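Review bot: The header comment for the new block in the `@@ -232,6 +261,30 @@` hunk reads `# initContainers containers, add container spec (...)`, a doubled word; `# Init containers, add container spec (...)` matches the sidecar comment below it. The same text appears in the values.yaml hunk at the end of this diff. The `# Readiness and Liveness probes` comment would also benefit from stating that the listed keys are merged next to the chart's `httpGet`, e.g. `# Merged into the probe next to the chart-defined httpGet; do not set httpGet or port here`.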
@@ -42,9 +44,6 @@ vaultwarden: showPasswordHint: false ## Default organization name in invitation e-mails that are not coming from a specific organization. #defaultInviteName: "" - # Enable Websockets for notification. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-WebSocket-notifications - # Redirect HTTP path "/notifications/hub" to port 3012. Ingress/IngressRoute controllers are automatically configured. - enableWebsockets: true # Enable Web Vault (static content). https://github.com/dani-garcia/vaultwarden/wiki/Disabling-or-overriding-the-Vault-interface-hosting enableWebVault: true # Enable Bitwarden Sends globally @@ -55,6 +54,8 @@ vaultwarden: #attachmentLimitOrg: ## Limit attachment disk usage per user. #attachmentLimitUser: + ## Limit send disk usage per user. + #sendLimitUser: ## HaveIBeenPwned API Key. Can be purchased at https://haveibeenpwned.com/API/Key. #hibpApiKey: ## Number of days to auto-delete trashed items. By default iteams are not auto-deleted. @@ -63,10 +64,20 @@ vaultwarden: #orgEvents: false ## Organization event retation. Leave empty to not delete. #orgEventsRetention: "" + ## Allow users to change their email. + #emailChangeAllowed: true ## Map of custom environment variables. Use carefully. #extraEnv: # IP_HEADER: CF-Connecting-IP # ALLOWED_IFRAME_ANCESTORS: myintranet.local + # COOL_VARIABLE: + # secretKeyRef: + # name: my-secret + # key: my-secret-key + # ANOTHER_VARIABLE: + # configMapKeyRef: + # name: my-config-map + # key: my-config-map-key admin: # Enable admin portal. @@ -120,7 +131,7 @@ vaultwarden: ## Use existing secret for SMTP authentication. Keys are 'smtp-user' and 'smtp-password'. #existingSecret: ## Embed images as email attachments - #embedImages: false + #embedImages: true ## Enable Yubico OPT authentication. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Yubikey-OTP-authentication yubico: 
@@ -154,21 +165,33 @@ vaultwarden: ## HTTP code for redirect to external icon service #redirectCode: 302 + # Push notifications. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification + push: + enabled: false + ## Installation ID from Bitwarden. + #installationId: + ## Installation Key from Bitwarden. + #installationKey: + ## Relay URI + #relayUri: + ## Identity URI + #identityUri: + ## Use existing secret for Push notifications. Keys are 'push-id' and 'push-key'. + #existingSecret: + service: type: ClusterIP httpPort: 80 - websocketPort: 3012 externalTrafficPolicy: Cluster # loadBalancerIP: nodePorts: # Choose NodePorts manually http: "" - websocket: "" # Kubernetes Ingress ingress: enabled: false - # className: nginx + className: "" host: "" annotations: {} # kubernetes.io/ingress.class: nginx @@ -181,6 +204,8 @@ ingress: # Traefik IngressRoute CRD ingressRoute: enabled: false + # Starting on Traefik 2.10, the IngressRoute CRD moved to traefik.io namespace + newCRD: false # Mandatory to enable IngressRoute host: "" entrypoints: @@ -200,13 +225,17 @@ persistence: # storageClass: "-" ## Use existing Persistent Volume Claim # existingClaim: - + ## Annotations to add to the Persistent Volume Claim + annotations: {} # Use custom volume definition. Cannot be used with persistence. customVolume: {} #hostPath: # path: "/examplefolder/vaultwarden" +# Additional volumes, to be used by sidecars +#additionalVolumes: [] + image: pullPolicy: IfNotPresent repository: vaultwarden/server 
@@ -232,6 +261,30 @@ podLabels: {} # Annotations to add to the Deployment deploymentAnnotations: {} +# Readiness and Liveness probes +probes: {} + #liveness: + #timeoutSeconds: 1 + #periodSeconds: 10 + #successThreshold: 1 + #failureThreshold: 3 + #readiness: + #timeoutSeconds: 1 + #periodSeconds: 10 + #successThreshold: 1 + #failureThreshold: 3 + +# initContainers containers, add container spec (https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#Container) +# No templating possible, values need to be hardcoded +initContainers: [] +# - name: initcontainer +# image: initcontainer:1.2.3 +# env: +# - name: INITCONTAINER_END +# value: "initcontainer" +# volumeMounts: +# - name: vaultwarden +# mountPath: /data # Sidecar containers, add container spec (https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#Container) # No templating possible, values need to be hardcoded