Bump vaultwarden

Jonny Ervine 2025-01-29 21:25:25 +08:00
parent 1633d8e3dd
commit 1ce9887229
26 changed files with 1700 additions and 95 deletions

View File

@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

View File

@ -0,0 +1,14 @@
apiVersion: v2
appVersion: 1.27.0
description: Unofficial Bitwarden compatible server written in Rust
home: https://github.com/dani-garcia/vaultwarden - bitwarden - bitwarden_rs - password
- vaultwarden
icon: https://upload.wikimedia.org/wikipedia/commons/0/03/Bitwarden_Logo.png
maintainers:
- email: silvio@gissilabs.com
name: Silvio Gissi
name: vaultwarden
sources:
- https://github.com/dani-garcia/vaultwarden
type: application
version: 1.0.0
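Review bot: the `home:` line as committed reads `home: https://github.com/dani-garcia/vaultwarden - bitwarden - bitwarden_rs - password` with a stray `- vaultwarden` list item under it. `home` has to be a single URL, and the search terms belong under their own `keywords:` list; as written, `helm lint` and the repository index will either reject the chart or carry the terms as part of the URL.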

vaultwarden-1.27/README.md Normal file
View File

@ -0,0 +1,189 @@
# Gissilabs Helm Charts
## Upgrade from bitwardenrs Helm Chart
The upstream project changed its name from bitwarden_rs to Vaultwarden on April 27th, 2021. If you are using the bitwardenrs chart, the following changes are needed to use this chart:
- Change chart name from gissilabs/bitwardenrs to gissilabs/vaultwarden
- If using custom values, update top-level "bitwardenrs" option to "vaultwarden"
Chart and application version numbers are the same across both charts.
## Vaultwarden
Vaultwarden (previously known as bitwarden_rs) is an unofficial Bitwarden compatible server written in Rust. For more information, check the project on Github: <https://github.com/dani-garcia/vaultwarden>
## Helm Chart
The default installation will deploy one Vaultwarden instance using a SQLite database without persistence. All data will be lost if the pod is deleted.
```bash
# Uncomment below if the Gissilabs repository is not yet added to Helm
#helm repo add gissilabs https://gissilabs.github.io/charts/
helm install myvaultwarden gissilabs/vaultwarden
```
See options below to customize the deployment.
## **Database**
Option | Description | Format | Default
------ | ----------- | ------ | -------
database.type | Backend database type | sqlite, mysql or postgresql | sqlite
database.wal | Enable SQLite Write-Ahead-Log, ignored for external databases | true / false | true
database.url | URL of external database (MySQL/PostgreSQL) | \[mysql\|postgresql\]://user:pass@host:port\[/database\] | Empty
database.existingSecret | Use existing secret for database URL, key 'database-url' | Secret name | Not defined
database.maxConnections | Set the size of the database connection pool | Number | 10
database.retries | Connection retries during startup, 0 for infinite. 1 second between retries | Number | 15
## **Main application**
Option | Description | Format | Default
------ | ----------- | ------ | -------
vaultwarden.domain | Bitwarden URL. Mandatory for invitations over email | http\[s\]://hostname | Not defined
vaultwarden.allowSignups | Allow any user to sign-up. [More information](https://github.com/dani-garcia/vaultwarden/wiki/Disable-registration-of-new-users) | true / false | true
vaultwarden.signupDomains | Whitelist domains allowed to sign-up. 'allowSignups' is ignored if set | domain1,domain2 | Not defined
vaultwarden.verifySignup | Verify e-mail before login is enabled. SMTP must be enabled | true / false | false
vaultwarden.requireEmail | Require that an e-mail is sucessfully sent before login. SMTP must be enabled | true / false | false
vaultwarden.emailAttempts | Maximum attempts before an email token is reset and a new email will need to be sent | Number | 3
vaultwarden.emailTokenExpiration | Email token validity in seconds | Number | 600
vaultwarden.allowInvitation | Allow invited users to sign-up even feature is disabled. [More information](https://github.com/dani-garcia/vaultwarden/wiki/Disable-invitations) | true / false | true
vaultwarden.invitationExpiration | Number of hours after which tokens expire (organization invite, emergency access, email verification and deletion request | Number (minimum 1) | 120
vaultwarden.defaultInviteName | Default organization name in invitation e-mails that are not coming from a specific organization. | Text | Vaultwarden
vaultwarden.passwordHintsAllowed | Allow users to set password hints. Applies to all users. | true / false | true
vaultwarden.showPasswordHint | Show password hints. [More Information](https://github.com/dani-garcia/vaultwarden/wiki/Password-hint-display) | true / false | false
vaultwarden.enableWebsockets | Enable Websockets for notification. [More Information](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-WebSocket-notifications). If using Ingress controllers, "notifications/hub" URL is redirected to websocket port | true / false | true
vaultwarden.enableWebVault | Enable Web Vault static site. [More Information](https://github.com/dani-garcia/vaultwarden/wiki/Disabling-or-overriding-the-Vault-interface-hosting). | true / false | true
vaultwarden.enableSends | Enable Bitwarden Sends globally. | true / false | true
vaultwarden.orgCreationUsers | Restrict creation of orgs. | 'all', 'none' or a comma-separated list of users. | all
vaultwarden.attachmentLimitOrg | Limit attachment disk usage in Kb per organization | Number | Not defined
vaultwarden.attachmentLimitUser | Limit attachment disk usage in Kb per user | Number | Not defined
vaultwarden.hibpApiKey | API Key to use HaveIBeenPwned service. Can be purchased at [here](https://haveibeenpwned.com/API/Key) | Text | Not defined
vaultwarden.autoDeleteDays | Number of days to auto-delete trashed items. | Number | Empty (never auto-delete)
vaultwarden.orgEvents | Enable Organization event logging | true / false | false
vaultwarden.orgEventsRetention | Organization event log retention in days | Number | Empty (never delete)
vaultwarden.extraEnv | Pass extra environment variables | Map | Not defined
vaultwarden.log.file | Filename to log to disk. [More information](https://github.com/dani-garcia/vaultwarden/wiki/Logging) | File path | Empty
vaultwarden.log.level | Change log level | trace, debug, info, warn, error or off | Empty
vaultwarden.log.timeFormat | Log timestamp | Rust chrono [format](https://docs.rs/chrono/0.4.15/chrono/format/strftime/index.html). | Time in milliseconds | Empty
## **Application Features**
:warning: SMTP SSL/TLS settings changed following Vaultwarden v1.25 release, see [Upgrade](#upgrade)
Option | Description | Format | Default
------ | ----------- | ------ | -------
vaultwarden.admin.enabled | Enable admin portal. Change settings in the portal will overwrite chart options. | true / false | false
vaultwarden.admin.disableAdminToken | Disabling the admin token will make the admin portal accessible to anyone, use carefully. [More Information](https://github.com/dani-garcia/vaultwarden/wiki/Disable-admin-token) | true / false | false
vaultwarden.admin.token | Token for admin login, will be generated if not defined. [More Information](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page) | Text | Auto-generated
vaultwarden.admin.existingSecret | Use existing secret for the admin token. Key is 'admin-token' | Secret name | Not defined
|||
vaultwarden.emergency.enabled | Allow any user to enable emergency access. | true / false | true
vaultwarden.emergency.reminder | Schedule to send expiration reminders to emergency access grantors. | Cron schedule format, blank to disable | "0 3 \* \* \* \*" (hourly 3 minutes after the hour)
vaultwarden.emergency.timeout | Schedule to grant emergency access requests that have met the required wait time. | Cron schedule format, blank to disable | "0 3 \* \* \* \*" (hourly 3 minutes after the hour)
|||
vaultwarden.smtp.enabled | Enable SMTP | true / false | false
vaultwarden.smtp.host | SMTP hostname **required** | Hostname | Empty
vaultwarden.smtp.from | SMTP sender e-mail address **required** | E-mail | Empty
vaultwarden.smtp.fromName | SMTP sender name | Text | Vaultwarden
vaultwarden.smtp.security | Set SMTP connection security [More Information](https://github.com/dani-garcia/vaultwarden/wiki/SMTP-Configuration) | starttls / force_tls / off | starttls
vaultwarden.smtp.port | SMTP TCP port | Number | Security off: 25, starttls: 587, force_tls: 465
vaultwarden.smtp.authMechanism | SMTP Authentication Mechanisms | Comma-separated list: 'Plain', 'Login', 'Xoauth2' | Plain
vaultwarden.smtp.heloName | Hostname to be sent for SMTP HELO | Text | Pod name
vaultwarden.smtp.timeout | SMTP connection timeout in seconds | Number | 15
vaultwarden.smtp.invalidHostname | Accept valid certificates even if hostnames does not match. DANGEROUS! | true / false | false
vaultwarden.smtp.invalidCertificate | Accept invalid certificates. DANGEROUS! | true / false | false
vaultwarden.smtp.user | SMTP username | Text | Not defined
vaultwarden.smtp.password | SMTP password. Required is user is specified | Text | Not defined
vaultwarden.smtp.existingSecret | Use existing secret for SMTP authentication. Keys are 'smtp-user' and 'smtp-password' | Secret name | Not defined
vaultwarden.smtp.embedImages | Embed images as email attachments | true / false | false
|||
vaultwarden.yubico.enabled | Enable Yubikey support | true / false | false
vaultwarden.yubico.server | Yubico server | Hostname | YubiCloud
vaultwarden.yubico.clientId | Yubico ID | Text | Not defined
vaultwarden.yubico.secretKey | Yubico Secret Key | Text | Not defined
vaultwarden.yubico.existingSecret | Use existing secret for ID and Secret. Keys are 'yubico-client-id' and 'yubico-secret-key' | Secret name | Not defined
|||
vaultwarden.icons.service | Service to fetch icons from | "internal", "bitwarden", "duckduckgo", "google" or custom URL | internal
vaultwarden.icons.disableDownload | Disables download of external icons, icons in cache will still be served | true / false | false
vaultwarden.icons.cache | Cache time-to-live for icons fetched. 0 means no purging | Number | 2592000. If download is disabled, defaults to 0
vaultwarden.icons.cacheFailed | Cache time-to-live for icons that were not available. 0 means no purging | Number | 2592000
vaultwarden.icons.redirectCode | HTTP code to use for redirects to an external icon service | true / false | 302
## **Network**
Option | Description | Format | Default
------ | ----------- | ------ | -------
service.type | Service Type. [More Information](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) | Type | ClusterIP
service.httpPort | Service port for HTTP server | Number | 80
service.websocketPort | Service port for Websocket server, if enabled | Number | 3012
service.externalTrafficPolicy | External Traffic Policy. [More Information](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip) | Local / Cluster| Cluster
service.loadBalancerIP | Manually select IP when type is LoadBalancer | IP address | Not defined
service.nodePorts.http | Manually select node port for http | Number | Empty
service.nodePorts.websocket | Manually select node port for websocker, if enabled | Number | Empty
|||
ingress.enabled | Enable Ingress | true / false | false
ingress.className | Name of the ingress class | string | Empty
ingress.host | Ingress hostname **required** | Hostname | Empty
ingress.annotations | Ingress annotations | Map | Empty
ingress.tls | Ingress TLS options | Array of Maps | Empty
|||
ingressRoute.enabled | Enable Traefik IngressRoute CRD | true / false | false
ingressRoute.host | Ingress route hostname **required** | Hostname | Empty
ingressRoute.middlewares | Enable middlewares | Map | Empty
ingressRoute.entrypoints | List of Traefik endpoints | Array of Text | \[websecure\]
ingressRoute.tls | Ingress route TLS options | Map | Empty
## **Storage**
Option | Description | Format | Default
------ | ----------- | ------ | -------
persistence.enabled | Create persistent volume (PVC). Holds attachments, icon cache and, if used, the SQLite database | true / false | false
persistence.size | Size of volume | Size | 1Gi
persistence.accessMode | Volume access mode | Text | ReadWriteOnce
persistence.storageClass | Storage Class | Text | Not defined. Use "-" for default class
persistence.existingClaim | Use existing PVC | Name of PVC | Not defined
customVolume | Use custom volume definition. Cannot be used with persistence | Map | Empty
## **Image**
Option | Description | Format | Default
------ | ----------- | ------ | -------
image.tag | Docker image tag | Text | Chart appVersion (Chart.yaml)
image.repository | Docker image | Text | vaultwarden/server
imagePullSecrets | Image pull secrets | Array | Empty
## **General Kubernetes/Helm**
Option | Description | Format | Default
------ | ----------- | ------ | -------
strategy | Deployment Strategy options | sub-tree | Empty
replicaCount | Number of pod replicas | Number | 1
nameOverride | Name override | Text | Empty
fullnameOverride | Full name override | Text | Empty
serviceAccount.create | Create Service Account | true / false | false
serviceAccount.annotations | Annotations service account | Map | Empty
serviceAccount.name | Service Account name | Text | Generated from template
deploymentAnnotations | Deployment Annotations | Map | Empty
sidecars | Sidecar container definition [Spec](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#Container) | Array | Empty
podAnnotations | Pod Annotations | Map | Empty
podLabels | Extra Pod Labels | Map | Empty
podSecurityContext | Pod-level Security Context | Map | {fsGroup:65534}
securityContext | Container-level Security Context | Map | {runAsUser:65534, runAsGroup:65534}
resources | Deployment Resources | Map | Empty
nodeSelector | Node selector | Map | Empty
tolerations | Tolerations | Array | Empty
affinity | Affinity | Map | Empty
## Upgrade
### From 0.x to 1.x
Vaultwarden version before v1.25.0 had a [bug/mislabelled](https://github.com/dani-garcia/vaultwarden/issues/851) configuration setting regarding SSL and TLS. This has been fixed in testing and newer released versions. When image version is 1.25 or higher, use vaultwarden.smtp.security instead of vaultwarden.smtp.ssl/vaultwarden.smtp.explicitTLS.
ssl | explicitTLS | security equivalent
--- | ----------- | -------------------
false | false | off
false | true | off
true | false | starttls
true | true | force_tls
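Review bot: the `vaultwarden.icons.redirectCode` row gives its format as `true / false`, while the description and the default `302` make it an HTTP status code; the format column should read `Number`. The `vaultwarden.log.timeFormat` row carries an extra pipe (`| Time in milliseconds | Empty`), which splits it into five cells and breaks the table layout. The Image table also omits `image.pullPolicy`, which deployment.yaml reads. Typos worth fixing in the same pass: 'sucessfully' (requireEmail), 'even feature is disabled' (allowInvitation, missing 'if the'), 'Required is user is specified' (smtp.password), 'hostnames does not match' (smtp.invalidHostname) and 'websocker' (service.nodePorts.websocket).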

View File

@ -0,0 +1,25 @@
1. Get the application URL by running these commands:
{{- if .Values.ingress.enabled }}
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ .Values.ingress.host }}/
{{- else if .Values.ingressRoute.enabled }}
http{{ if $.Values.ingressRoute.tls }}s{{ end }}://{{ .Values.ingressRoute.host }}/
{{- else }}
{{- if eq .Values.vaultwarden.enableWebsockets true }}
NOTE: the websocket listens on a different port and might not work unless /notifications/hub is redirected externally.
{{- end }}
{{- if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "vaultwarden.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "vaultwarden.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "vaultwarden.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
echo http://$SERVICE_IP:{{ .Values.service.httpPort }}
{{- else if contains "ClusterIP" .Values.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "vaultwarden.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:8080
{{- end }}
{{- end }}

View File

@ -0,0 +1,105 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "vaultwarden.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "vaultwarden.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "vaultwarden.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "vaultwarden.labels" -}}
helm.sh/chart: {{ include "vaultwarden.chart" . }}
{{ include "vaultwarden.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "vaultwarden.selectorLabels" -}}
app.kubernetes.io/name: {{ include "vaultwarden.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "vaultwarden.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "vaultwarden.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Ensure valid DB type is select, defaults to SQLite
*/}}
{{- define "vaultwarden.dbTypeValid" -}}
{{- if not (or (eq .Values.database.type "postgresql") (eq .Values.database.type "mysql") (eq .Values.database.type "sqlite")) }}
{{- required "Invalid database type" nil }}
{{- end -}}
{{- end -}}
{{/*
Ensure log type is valid
*/}}
{{- define "vaultwarden.logLevelValid" -}}
{{- if not (or (eq .Values.vaultwarden.log.level "trace") (eq .Values.vaultwarden.log.level "debug") (eq .Values.vaultwarden.log.level "info") (eq .Values.vaultwarden.log.level "warn") (eq .Values.vaultwarden.log.level "error") (eq .Values.vaultwarden.log.level "off")) }}
{{- required "Invalid log level" nil }}
{{- end }}
{{- end }}
{{/*
Ensure SMTP Security setting is valid
*/}}
{{- define "vaultwarden.smtpSecurityValid" -}}
{{- if or (hasKey .Values.vaultwarden.smtp "ssl") (hasKey .Values.vaultwarden.smtp "explicitTLS") }}
{{- required "SMTP options ssl and explicitTLS are deprecated for Vaulwarden 1.25 or newer, see documentation" nil }}
{{- end }}
{{- if not (or (eq .Values.vaultwarden.smtp.security "off") (eq .Values.vaultwarden.smtp.security "starttls") (eq .Values.vaultwarden.smtp.security "force_tls") ) }}
{{- required "Invalid SMTP security setting, valid options are: off, starttls and force_tls" nil }}
{{- end }}
{{- end }}
{{- define "vaultwarden.domainSubPath" -}}
{{- if .Values.vaultwarden.domain }}
{{- if not (regexMatch "https?:\\/\\/.*?(\\/|$)" .Values.vaultwarden.domain) }}
{{- required "Invalid domain, must start with http or https" nil }}
{{- end }}
{{- $subpath := regexReplaceAll "https?:\\/\\/.*?(\\/|$)" .Values.vaultwarden.domain "" -}}/{{ $subpath }}
{{- else }}/
{{- end }}
{{- end -}}
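Review bot: `vaultwarden.domainSubPath` only checks that `vaultwarden.domain` starts with `http://` or `https://`; the pattern `https?:\/\/.*?(\/|$)` also accepts a bare `https://` with no host, and everything after the first `/` is emitted unquoted as the liveness and readiness probe path, so a value with YAML-significant characters breaks the rendered Deployment. Consider requiring a host component and quoting the result where it is used. Smaller points: this is the only define without a leading `{{/* ... */}}` comment; 'Ensure valid DB type is select' and 'Ensure log type is valid' should read 'is selected' and 'log level'; and the smtpSecurityValid error message spells 'Vaulwarden'.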

View File

@ -0,0 +1,342 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "vaultwarden.fullname" . }}
labels:
{{- include "vaultwarden.labels" . | nindent 4 }}
{{- with .Values.deploymentAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- with .Values.strategy }}
strategy:
{{- toYaml . | nindent 4 }}
{{- end }}
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
{{- include "vaultwarden.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "vaultwarden.selectorLabels" . | nindent 8 }}
{{- if .Values.podLabels }}
{{- toYaml .Values.podLabels | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "vaultwarden.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
env:
- name: ROCKET_PORT
value: "8080"
- name: SIGNUPS_ALLOWED
value: {{ .Values.vaultwarden.allowSignups | quote }}
{{- if .Values.vaultwarden.signupDomains }}
- name: SIGNUPS_DOMAINS_WHITELIST
value: {{ join "," .Values.vaultwarden.signupDomains | quote }}
{{- end }}
{{- if and (eq .Values.vaultwarden.verifySignup true) (eq .Values.vaultwarden.smtp.enabled false) }}{{ required "Signup verification requires SMTP to be enabled" nil}}{{end}}
- name: SIGNUPS_VERIFY
value: {{ .Values.vaultwarden.verifySignup | quote }}
{{- if and (eq .Values.vaultwarden.requireEmail true) (eq .Values.vaultwarden.smtp.enabled false) }}{{ required "Requiring emails for login depends on SMTP" nil}}{{end}}
- name: REQUIRE_DEVICE_EMAIL
value: {{ .Values.vaultwarden.requireEmail | quote }}
{{- if .Values.vaultwarden.emailAttempts }}
- name: EMAIL_ATTEMPTS_LIMIT
value: {{ .Values.vaultwarden.emailAttempts | quote }}
{{- end }}
{{- if .Values.vaultwarden.emailTokenExpiration }}
- name: EMAIL_EXPIRATION_TIME
value: {{ .Values.vaultwarden.emailTokenExpiration | quote }}
{{- end }}
- name: INVITATIONS_ALLOWED
value: {{ .Values.vaultwarden.allowInvitation | quote }}
{{- if .Values.vaultwarden.invitationExpiration }}
- name: INVITATION_EXPIRATION_HOURS
value: {{ .Values.vaultwarden.invitationExpiration | quote }}
{{- end }}
{{- if .Values.vaultwarden.defaultInviteName }}
- name: INVITATION_ORG_NAME
value: {{ .Values.vaultwarden.defaultInviteName | quote }}
{{- end }}
{{- if hasKey .Values.vaultwarden "passwordHintsAllowed" }}
- name: PASSWORD_HINTS_ALLOWED
value: {{ .Values.vaultwarden.passwordHintsAllowed | quote }}
{{- end }}
- name: SHOW_PASSWORD_HINT
value: {{ .Values.vaultwarden.showPasswordHint | quote }}
- name: WEBSOCKET_ENABLED
value: {{ .Values.vaultwarden.enableWebsockets | quote }}
- name: WEB_VAULT_ENABLED
value: {{ .Values.vaultwarden.enableWebVault | quote }}
- name: SENDS_ALLOWED
value: {{ .Values.vaultwarden.enableSends | quote }}
- name: ORG_CREATION_USERS
value: {{ .Values.vaultwarden.orgCreationUsers | quote }}
{{- if .Values.vaultwarden.attachmentLimitOrg }}
- name: ORG_ATTACHMENT_LIMIT
value: {{ .Values.vaultwarden.attachmentLimitOrg | quote }}
{{- end }}
{{- if .Values.vaultwarden.attachmentLimitUser }}
- name: USER_ATTACHMENT_LIMIT
value: {{ .Values.vaultwarden.attachmentLimitUser | quote }}
{{- end }}
{{- if .Values.vaultwarden.hibpApiKey }}
- name: HIBP_API_KEY
value: {{ .Values.vaultwarden.hibpApiKey | quote }}
{{- end }}
{{- if .Values.vaultwarden.autoDeleteDays }}
- name: TRASH_AUTO_DELETE_DAYS
value: {{ .Values.vaultwarden.autoDeleteDays | quote }}
{{- end }}
{{- if hasKey .Values.vaultwarden "orgEvents" }}
- name: ORG_EVENTS_ENABLED
value: {{ .Values.vaultwarden.orgEvents | quote }}
{{- end }}
{{- if hasKey .Values.vaultwarden "orgEventsRetention" }}
- name: EVENTS_DAYS_RETAIN
value: {{ .Values.vaultwarden.orgEventsRetention | quote }}
{{- end }}
{{- if .Values.vaultwarden.extraEnv }}
{{- range $key, $val := .Values.vaultwarden.extraEnv }}
- name: {{ $key }}
value: {{ $val | quote }}
{{- end }}
{{- end }}
{{- include "vaultwarden.dbTypeValid" . }}
{{- if .Values.database.retries }}
- name: DB_CONNECTION_RETRIES
value: {{ .Values.database.retries | quote }}
{{- end }}
{{- if .Values.database.maxConnections }}
- name: DATABASE_MAX_CONNS
value: {{ .Values.database.maxConnections | quote }}
{{- end }}
{{- if eq .Values.database.type "sqlite" }}
- name: ENABLE_DB_WAL
value: {{ .Values.database.wal | quote }}
{{- else }}
- name: ENABLE_DB_WAL
value: "false"
- name: DATABASE_URL
valueFrom:
secretKeyRef:
name: {{ if .Values.database.existingSecret }}{{ .Values.database.existingSecret }}{{else}}{{ include "vaultwarden.fullname" . }}{{end}}
key: database-url
{{- end }}
{{- if .Values.vaultwarden.domain }}
- name: DOMAIN
value: {{ .Values.vaultwarden.domain | quote }}
{{- end }}
{{- if eq .Values.vaultwarden.admin.enabled true }}
{{- if eq .Values.vaultwarden.admin.disableAdminToken true }}
- name: DISABLE_ADMIN_TOKEN
value: "true"
{{- else }}
- name: ADMIN_TOKEN
valueFrom:
secretKeyRef:
name: {{ .Values.vaultwarden.admin.existingSecret | default (include "vaultwarden.fullname" .) }}
key: admin-token
{{- end }}
{{- end }}
- name: EMERGENCY_ACCESS_ALLOWED
value: {{ .Values.vaultwarden.emergency.enabled | quote }}
{{- if eq .Values.vaultwarden.emergency.enabled true }}
{{- if not (kindIs "invalid" .Values.vaultwarden.emergency.reminder) }}
- name: EMERGENCY_NOTIFICATION_REMINDER_SCHEDULE
value: {{ .Values.vaultwarden.emergency.reminder | quote }}
{{- end }}
{{- if not (kindIs "invalid" .Values.vaultwarden.emergency.timeout) }}
- name: EMERGENCY_REQUEST_TIMEOUT_SCHEDULE
value: {{ .Values.vaultwarden.emergency.timeout | quote }}
{{- end }}
{{- end }}
{{- if eq .Values.vaultwarden.smtp.enabled true }}
- name: SMTP_HOST
value: {{ required "SMTP host is required to enable SMTP" .Values.vaultwarden.smtp.host | quote }}
- name: SMTP_FROM
value: {{ required "SMTP sender address ('from') is required to enable SMTP" .Values.vaultwarden.smtp.from | quote }}
{{- if .Values.vaultwarden.smtp.fromName }}
- name: SMTP_FROM_NAME
value: {{ .Values.vaultwarden.smtp.fromName | quote }}
{{- end }}
{{- if semverCompare "<1.25.0" (.Values.image.tag | default .Chart.AppVersion) }}
- name: SMTP_SSL
value: {{ required "Value smtp.ssl required for Vaultwarden prior to 1.25" .Values.vaultwarden.smtp.ssl | quote }}
{{- if required "Value smtp.explictTLS required for Vaultwarden prior to 1.25" .Values.vaultwarden.smtp.explicitTLS }}
{{- if (eq .Values.vaultwarden.smtp.ssl false) }}
{{- required "Explicit TLS requires SSL to be enabled" nil }}
{{- end }}
- name: SMTP_EXPLICIT_TLS
value: {{ .Values.vaultwarden.smtp.explicitTLS | quote }}
{{- end}}
{{- else }}
{{- include "vaultwarden.smtpSecurityValid" . }}
- name: SMTP_SECURITY
value: {{ .Values.vaultwarden.smtp.security | quote }}
{{- end }}
{{- if .Values.vaultwarden.smtp.port }}
- name: SMTP_PORT
value: {{ .Values.vaultwarden.smtp.port | quote }}
{{- end }}
{{- if .Values.vaultwarden.smtp.authMechanism }}
- name: SMTP_AUTH_MECHANISM
value: {{ .Values.vaultwarden.smtp.authMechanism | quote }}
{{- end }}
{{- if .Values.vaultwarden.smtp.heloName }}
- name: HELO_NAME
value: {{ .Values.vaultwarden.smtp.heloName | quote }}
{{- end }}
{{- if .Values.vaultwarden.smtp.timeout }}
- name: SMTP_TIMEOUT
value: {{ .Values.vaultwarden.smtp.timeout | quote }}
{{- end }}
{{- if .Values.vaultwarden.smtp.invalidHostname }}
- name: SMTP_ACCEPT_INVALID_HOSTNAMES
value: {{ .Values.vaultwarden.smtp.invalidHostname | quote }}
{{- end }}
{{- if .Values.vaultwarden.smtp.invalidCertificate }}
- name: SMTP_ACCEPT_INVALID_CERTS
value: {{ .Values.vaultwarden.smtp.invalidCertificate | quote }}
{{- end }}
{{- if or .Values.vaultwarden.smtp.existingSecret .Values.vaultwarden.smtp.user }}
- name: SMTP_USERNAME
valueFrom:
secretKeyRef:
name: {{ .Values.vaultwarden.smtp.existingSecret | default (include "vaultwarden.fullname" .) }}
key: smtp-user
- name: SMTP_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.vaultwarden.smtp.existingSecret | default (include "vaultwarden.fullname" .) }}
key: smtp-password
{{- end }}
{{- if hasKey .Values.vaultwarden.smtp "embedImages" }}
- name: SMTP_EMBED_IMAGES
value: {{ .Values.vaultwarden.smtp.embedImages | quote }}
{{- end }}
{{- end }}{{/*SMTP*/}}
{{- if eq .Values.vaultwarden.yubico.enabled true }}
{{- if .Values.vaultwarden.yubico.server }}
- name: YUBICO_SERVER
value: {{ .Values.vaultwarden.yubico.server | quote }}
{{- end }}
- name: YUBICO_CLIENT_ID
valueFrom:
secretKeyRef:
name: {{ .Values.vaultwarden.yubico.existingSecret | default (include "vaultwarden.fullname" .) }}
key: yubico-client-id
- name: YUBICO_SECRET_KEY
valueFrom:
secretKeyRef:
name: {{ .Values.vaultwarden.yubico.existingSecret | default (include "vaultwarden.fullname" .) }}
key: yubico-secret-key
{{- end }}
{{- if .Values.vaultwarden.log.file }}
- name: LOG_FILE
value: {{ .Values.vaultwarden.log.file | quote }}
{{- end }}
{{- if or .Values.vaultwarden.log.level .Values.vaultwarden.log.timeFormat }}
- name: EXTENDED_LOGGING
value: "true"
{{- end }}
{{- if .Values.vaultwarden.log.level }}
{{- include "vaultwarden.logLevelValid" . }}
- name: LOG_LEVEL
value: {{ .Values.vaultwarden.log.level | quote }}
{{- end }}
{{- if .Values.vaultwarden.log.timeFormat }}
- name: LOG_TIMESTAMP_FORMAT
value: {{ .Values.vaultwarden.log.timeFormat | quote }}
{{- end }}
{{- if hasKey .Values.vaultwarden.icons "service" }}
- name: ICON_SERVICE
value: {{ .Values.vaultwarden.icons.service | quote }}
{{- end }}
{{- if .Values.vaultwarden.icons.disableDownload }}
- name: DISABLE_ICON_DOWNLOAD
value: {{ .Values.vaultwarden.icons.disableDownload | quote }}
{{- if and (not .Values.vaultwarden.icons.cache) (eq .Values.vaultwarden.icons.disableDownload "true") }}
- name: ICON_CACHE_TTL
value: 0
{{- end }}
{{- end }}
{{- if .Values.vaultwarden.icons.cache }}
- name: ICON_CACHE_TTL
value: {{ .Values.vaultwarden.icons.cache }}
{{- end }}
{{- if .Values.vaultwarden.icons.cacheFailed }}
- name: ICON_CACHE_NEGTTL
value: {{ .Values.vaultwarden.icons.cacheFailed }}
{{- end }}
{{- if hasKey .Values.vaultwarden.icons "redirectCode" }}
- name: ICON_REDIRECT_CODE
value: {{ .Values.vaultwarden.icons.redirectCode | quote }}
{{- end }}
ports:
- name: http
containerPort: 8080
protocol: TCP
{{- if .Values.vaultwarden.enableWebsockets }}
- name: websocket
containerPort: 3012
protocol: TCP
{{- end }}
livenessProbe:
httpGet:
path: {{ include "vaultwarden.domainSubPath" . }}
port: http
readinessProbe:
httpGet:
path: {{ include "vaultwarden.domainSubPath" . }}
port: http
volumeMounts:
- name: {{ include "vaultwarden.fullname" . }}
mountPath: /data
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- if .Values.sidecars }}
{{- toYaml .Values.sidecars | nindent 8 }}
{{- end }}
volumes:
- name: {{ include "vaultwarden.fullname" . }}
{{- if and .Values.persistence.enabled .Values.customVolume }}
{{ required "customVolume cannot be used if persistence is enabled." nil }}
{{- end }}
{{- if .Values.persistence.enabled }}
persistentVolumeClaim:
claimName: {{ if .Values.persistence.existingClaim }}{{ .Values.persistence.existingClaim | quote }}{{- else }}{{ include "vaultwarden.fullname" . }}{{- end }}
{{- else if .Values.customVolume }}
{{- toYaml .Values.customVolume | nindent 8 }}
{{- else }}
emptyDir: {}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
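Review bot: the icon cache env vars are emitted as unquoted scalars, `value: 0` under `ICON_CACHE_TTL` and `value: {{ .Values.vaultwarden.icons.cache }}` / `value: {{ .Values.vaultwarden.icons.cacheFailed }}`; with the documented numeric defaults these render as YAML integers, and `EnvVar.value` must be a string, so the API server rejects the Deployment unless values.yaml happens to quote them. Pipe them through `| quote` like every other env var in this file. In the same block, `(eq .Values.vaultwarden.icons.disableDownload "true")` compares a boolean to a string, which Go templates reject with 'incompatible types for comparison' whenever the expression is evaluated, which (given a short-circuiting `and`) is exactly the case the branch exists for: `disableDownload` true and `icons.cache` unset. The enclosing `if` has already established the value is truthy, so drop the comparison. Two further items: `HIBP_API_KEY` is written straight into the pod spec from `vaultwarden.hibpApiKey`, so the credential is readable by anyone who can `get deployments`, whereas the admin, SMTP and Yubico credentials use `secretKeyRef` with an `existingSecret` option; this key should follow the same pattern. And `semverCompare "<1.25.0" (.Values.image.tag | default .Chart.AppVersion)` aborts rendering for any non-semver tag such as `latest` or `testing`; either document that `image.tag` must be a semver version or guard the comparison.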

View File

@ -0,0 +1,67 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "vaultwarden.fullname" . -}}
{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" -}}
apiVersion: networking.k8s.io/v1
{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress" -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
{{- include "vaultwarden.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if .Values.ingress.className }}
ingressClassName: {{ .Values.ingress.className }}
{{- end }}
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
- host: {{ required "Host required for ingress" .Values.ingress.host | quote }}
http:
paths:
{{- if .Values.vaultwarden.enableWebsockets }}
- path: "/notifications/hub"
{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
pathType: Prefix
{{- end }}
backend:
{{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
service:
name: {{ $fullName }}
port:
number: {{ .Values.service.websocketPort }}
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ .Values.service.websocketPort }}
{{- end }}
{{- end }}
- path: "/"
{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
pathType: Prefix
{{- end }}
backend:
{{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
service:
name: {{ $fullName }}
port:
number: {{ .Values.service.httpPort }}
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ .Values.service.httpPort }}
{{- end }}
{{- end }}
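Review bot: the catch-all `path: "/"` rule publishes the admin page at `/admin` to anyone who can reach `ingress.host`, and the chart offers no way to restrict it (no separate rule for that path, no allowlist); given that the values file in this commit turns on `vaultwarden.admin.enabled` behind a public TLS host, consider a dedicated `/admin` rule that users can attach a controller-specific source-range annotation to, or at least document in `ingress.annotations` how to do it. Minor: `secretName: {{ .secretName }}` in the `tls` loop is unquoted while `hosts` are; `| quote` it for consistency.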


@ -0,0 +1,40 @@
{{- if .Values.ingressRoute.enabled -}}
{{- $fullName := include "vaultwarden.fullname" . -}}
{{- $host := (required "Host required for IngressRoute" .Values.ingressRoute.host ) -}}
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: {{ $fullName }}
labels:
{{- include "vaultwarden.labels" . | nindent 4 }}
spec:
entryPoints:
{{- range .Values.ingressRoute.entrypoints }}
- {{ . | quote }}
{{- end }}
routes:
{{- if .Values.vaultwarden.enableWebsockets }}
- match: Host(`{{ $host }}`) && PathPrefix(`/notifications/hub`)
kind: Rule
{{- if .Values.ingressRoute.middlewares }}
middlewares:
{{- toYaml .Values.ingressRoute.middlewares | nindent 6 }}
{{- end }}
services:
- name: {{ $fullName }}
port: {{ .Values.service.websocketPort }}
{{- end }}
- match: Host(`{{ $host }}`)
kind: Rule
{{- if .Values.ingressRoute.middlewares }}
middlewares:
{{- toYaml .Values.ingressRoute.middlewares | nindent 6 }}
{{- end }}
services:
- name: {{ $fullName }}
port: {{ .Values.service.httpPort }}
{{- if .Values.ingressRoute.tls }}
tls:
{{- toYaml .Values.ingressRoute.tls | nindent 4 }}
{{- end }}
{{- end }}
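Review bot: `apiVersion: traefik.containo.us/v1alpha1` is the pre-v3 Traefik API group; Traefik v3 only serves `traefik.io/v1alpha1`, so this template cannot be applied on such clusters. Select the group with `.Capabilities.APIVersions.Has "traefik.io/v1alpha1"` the way the Ingress template picks `networking.k8s.io/v1`, or make it a value. Also `ingressRoute.middlewares` defaults to `{}` in values.yaml while the template and its commented example expect a list; default it to `[]` so a map is never handed to `toYaml` under `middlewares:`.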


@ -0,0 +1,15 @@
{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ include "vaultwarden.fullname" . }}
spec:
accessModes:
- {{ .Values.persistence.accessMode | quote }}
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{- if .Values.persistence.storageClass }}
storageClassName: {{ .Values.persistence.storageClass | quote }}
{{- end }}
{{- end -}}
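Review bot: this claim holds everything Vaultwarden writes under `/data` (database, attachments, keys) and is the only copy when `persistence.enabled` is true, yet it carries no `helm.sh/resource-policy: keep` annotation, so `helm uninstall` deletes the PVC and, with a `Delete` reclaim policy, the vault data with it. Add the annotation (or a value toggling it), and give the PVC the chart labels every other resource gets through `vaultwarden.labels`.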


@ -0,0 +1,43 @@
{{- $adminToken := "" }}
{{- if and (eq .Values.vaultwarden.admin.enabled true) (not .Values.vaultwarden.admin.existingSecret) }}
{{- $adminToken = .Values.vaultwarden.admin.token | default (randAlphaNum 48) | b64enc | quote }}
{{- end -}}
{{- $databaseUrl := "" }}
{{- if and (ne .Values.database.type "sqlite") (not .Values.database.existingSecret) }}
{{- $databaseUrl = required "External databases need either URL or existing secret" .Values.database.url | b64enc | quote }}
{{- end -}}
{{- $smtpUser := "" }}
{{- if and (eq .Values.vaultwarden.smtp.enabled true ) (not .Values.vaultwarden.smtp.existingSecret) (.Values.vaultwarden.smtp.user) }}
{{- $smtpUser = .Values.vaultwarden.smtp.user | b64enc | quote }}
{{- end -}}
{{- $yubicoClientId := "" }}
{{- if and (eq .Values.vaultwarden.yubico.enabled true ) (not .Values.vaultwarden.yubico.existingSecret) }}
{{- $yubicoClientId = required "Yubico Client ID required" .Values.vaultwarden.yubico.clientId | toString | b64enc | quote }}
{{- end -}}
{{- if or (ne $adminToken "") (ne $databaseUrl "") (ne $smtpUser "" ) (ne $yubicoClientId "") }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "vaultwarden.fullname" . }}
labels:
{{- include "vaultwarden.labels" . | nindent 4 }}
data:
{{- if ne $adminToken "" }}
admin-token: {{ $adminToken }}
{{- end }}
{{- if ne $databaseUrl "" }}
database-url: {{ $databaseUrl }}
{{- end }}
{{- if ne $smtpUser "" }}
smtp-user: {{ $smtpUser }}
smtp-password: {{ required "Must specify SMTP password" .Values.vaultwarden.smtp.password | b64enc | quote }}
{{- end }}
{{- if ne $yubicoClientId "" }}
yubico-client-id: {{ $yubicoClientId }}
yubico-secret-key: {{ required "Yubico Secret Key required" .Values.vaultwarden.yubico.secretKey | b64enc | quote }}
{{- end }}
{{- end }}
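Review bot: `$adminToken` falls back to `randAlphaNum 48` on every render, so each `helm upgrade` without `vaultwarden.admin.token` or `admin.existingSecret` rotates the admin token and silently invalidates the one the operator copied; reuse the existing value with `lookup "v1" "Secret" .Release.Namespace (include "vaultwarden.fullname" .)` when the `admin-token` key is already present, or document that the generated token is install-only. Since Vaultwarden accepts an Argon2 PHC hash as `ADMIN_TOKEN`, a comment that `admin.token` may be a hash would also let users keep the reversible secret out of the cluster.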


@ -0,0 +1,33 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "vaultwarden.fullname" . }}
labels:
{{- include "vaultwarden.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.type }}
{{- if (or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort")) }}
externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }}
{{- end }}
{{- if eq .Values.service.type "LoadBalancer" }}
loadBalancerIP: {{ default "" .Values.service.loadBalancerIP }}
{{- end }}
ports:
- name: http
port: {{ .Values.service.httpPort }}
targetPort: http
protocol: TCP
{{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePorts.http)))}}
nodePort: {{ .Values.service.nodePorts.http }}
{{- end }}
{{- if .Values.vaultwarden.enableWebsockets }}
- name: websocket
port: {{ .Values.service.websocketPort }}
targetPort: websocket
protocol: TCP
{{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePorts.websocket)))}}
nodePort: {{ .Values.service.nodePorts.websocket }}
{{- end }}
{{- end }}
selector:
{{- include "vaultwarden.selectorLabels" . | nindent 4 }}
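Review bot: `spec.loadBalancerIP` is deprecated since Kubernetes 1.24 in favour of cloud-provider annotations, and the template renders it as an empty string whenever `service.loadBalancerIP` is unset; wrap it in `{{- with .Values.service.loadBalancerIP }}` so the field is omitted rather than emitted empty.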


@ -0,0 +1,12 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "vaultwarden.serviceAccountName" . }}
labels:
{{- include "vaultwarden.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
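Review bot: Vaultwarden never calls the Kubernetes API, so the ServiceAccount should set `automountServiceAccountToken: false` (and the pod spec should set it too, because with `serviceAccount.create: false` the pod runs under the namespace default account); otherwise a compromised container hands the attacker a projected API token under `/var/run/secrets/kubernetes.io/serviceaccount`.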


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "vaultwarden.fullname" . }}-test-connection"
labels:
{{- include "vaultwarden.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": test-success
spec:
containers:
- name: wget
image: busybox
command: ['wget']
args: ['{{ include "vaultwarden.fullname" . }}:{{ .Values.service.httpPort }}']
restartPolicy: Never
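Review bot: `image: busybox` is untagged, so the hook pulls a mutable `latest` with no digest; pin `busybox:<tag>@sha256:…` or expose the image as a value like the main container. The `wget` call also has no `-T` timeout, so an unreachable Service leaves the test pod hanging until Helm's own `--timeout` expires.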


@ -0,0 +1,273 @@
# Default values for vaultwarden.
database:
# Database type, must be one of: 'sqlite', 'mysql' or 'postgresql'.
type: postgresql
# Enable DB Write-Ahead-Log for SQLite, disabled for other databases. https://github.com/dani-garcia/vaultwarden/wiki/Running-without-WAL-enabled
wal: true
## URL for external databases (mysql://user:pass@host:port/database-name or postgresql://user:pass@host:port/database-name).
url: "postgresql://vaultwarden:0UnBYmhT7LZ1GePohx13zRxIKM30TZA0m3GZTjgFh0dBiwENwOtZZqcPlyhMXIUD@home-postgres.db.svc.cluster.local:5432/vw"
## Use existing secret for database URL, key 'database-url'.
existingSecret: vw-home-vaultwarden
## Set the size of the database connection pool.
#maxConnections: 10
## Connection retries during startup, 0 for infinite. 1 second between retries.
#retries: 15
# Set vaultwarden application variables
vaultwarden:
## Set Bitwarden URL, mandatory for invitations over email. Recommended if using a reverse proxy / ingress. Format is https://name or http://name
#domain:
# Allow any user to sign-up: https://github.com/dani-garcia/vaultwarden/wiki/Disable-registration-of-new-users
allowSignups: true
## Whitelist domains allowed to sign-up. 'allowSignups' is ignored if set.
#signupDomains:
# - domain.tld
# Verify e-mail before login is enabled. SMTP must be enabled.
verifySignup: false
# When a user logs in an email is required to be sent. If sending the email fails the login attempt will fail. SMTP must be enabled.
requireEmail: false
## Maximum attempts before an email token is reset and a new email will need to be sent.
#emailAttempts: 3
## Email token validity in seconds.
#emailTokenExpiration: 600
# Allow invited users to sign-up even feature is disabled: https://github.com/dani-garcia/vaultwarden/wiki/Disable-invitations
allowInvitation: true
## Number of hours after which an organization invite token, emergency access invite token,
## email verification token and deletion request token will expire
#invitationExpiration: 120
## Allow users to set password hints. Applies to all users.
#passwordHintsAllowed: true
# Show password hints: https://github.com/dani-garcia/vaultwarden/wiki/Password-hint-display
showPasswordHint: false
## Default organization name in invitation e-mails that are not coming from a specific organization.
#defaultInviteName: ""
# Enable Websockets for notification. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-WebSocket-notifications
# Redirect HTTP path "/notifications/hub" to port 3012. Ingress/IngressRoute controllers are automatically configured.
enableWebsockets: true
# Enable Web Vault (static content). https://github.com/dani-garcia/vaultwarden/wiki/Disabling-or-overriding-the-Vault-interface-hosting
enableWebVault: true
# Enable Bitwarden Sends globally
enableSends: true
# Restrict creation of orgs. Options are: 'all', 'none' or a comma-separated list of users.
orgCreationUsers: all
## Limit attachment disk usage per organization.
#attachmentLimitOrg:
## Limit attachment disk usage per user.
#attachmentLimitUser:
## HaveIBeenPwned API Key. Can be purchased at https://haveibeenpwned.com/API/Key.
#hibpApiKey:
## Number of days to auto-delete trashed items. By default iteams are not auto-deleted.
#autoDeleteDays:
## Organization event logging
#orgEvents: false
## Organization event retation. Leave empty to not delete.
#orgEventsRetention: ""
## Map of custom environment variables. Use carefully.
#extraEnv:
# IP_HEADER: CF-Connecting-IP
# ALLOWED_IFRAME_ANCESTORS: myintranet.local
admin:
# Enable admin portal.
enabled: true
# Disabling the admin token will make the admin portal accessible to anyone, use carefully: https://github.com/dani-garcia/vaultwarden/wiki/Disable-admin-token
disableAdminToken: false
## Token for admin login, will be generated if not defined. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page
#token:
## Use existing secret for the admin token. Key is 'admin-token'.
#existingSecret:
emergency:
# Allow any user to enable emergency access.
enabled: true
## Schedule to send expiration reminders to emergency access grantors. Cron schedule format.
#reminder: "0 3 * * * *"
## Schedule to grant emergency access requests that have met the required wait time. Cron schedule format.
#timeout: "0 3 * * * *"
# Enable SMTP. https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
smtp:
enabled: false
# SMTP hostname, required if SMTP is enabled.
host: ""
# SMTP sender e-mail address, required if SMTP is enabled.
from: ""
## SMTP sender name, defaults to 'Vaultwarden'.
#fromName: ""
# Enable secure SSL connection. Options are: "starttls", "force_tls" and "off"
# Users migrating from 1.24 or lower using ssl/explicitTLS settings:
# ssl = false -> "off"
# ssl = true and explicitTLS = false -> "starttls"
# ssl = true and explicitTLS = true -> "force_tls"
security: starttls
## SMTP port. Defaults depends on security: 465 for "force_tls", 587 for "starttls" and 25 for "off"
#port: 587
## SMTP Authentication Mechanisms. Comma-separated options: 'Plain', 'Login' and 'Xoauth2'. Defaults to 'Plain'.
#authMechanism: Plain
## Hostname to be sent for SMTP HELO. Defaults to pod name.
#heloName: ""
## SMTP timeout.
#timeout: 15
## Accept SSL session if certificate is valid but hostname doesn't match. DANGEROUS, vulnerable to men-in-the-middle attacks!
#invalidHostname: false
## Accept invalid certificates. DANGEROUS, vulnerable to men-in-the-middle attacks!
#invalidCertificate: false
## SMTP username.
#user: ""
## SMTP password. Required is user is specified, ignored if no user provided.
#password: ""
## Use existing secret for SMTP authentication. Keys are 'smtp-user' and 'smtp-password'.
#existingSecret:
## Embed images as email attachments
#embedImages: false
## Enable Yubico OPT authentication. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Yubikey-OTP-authentication
yubico:
enabled: false
## Yubico server. Defaults to YubiCloud.
#server:
## Yubico ID and Secret Key.
#clientId:
#secretKey:
## Use existing secret for Yubico. Keys are 'yubico-client-id' and 'yubico-secret-key'.
#existingSecret:
## Logging options. https://github.com/dani-garcia/vaultwarden/wiki/Logging
log:
# Log to file.
file: ""
# Log level. Options are "trace", "debug", "info", "warn", "error" or "off".
level: ""
## Log timestamp format. See https://docs.rs/chrono/0.4.15/chrono/format/strftime/index.html. Defaults to time in milliseconds.
#timeFormat: ""
icons:
## Icon download service. "internal" to fetch icons directly, otherwise options are: "bitwarden", "duckduckgo" or "google"
#service: internal
# Disables download of external icons on internal service. Setting to true will still serve icons from cache (/data/icon_cache). TTL will default to zero.
disableDownload: false
## Cache time-to-live for icons fetched. 0 means no purging.
#cache: 2592000
## Cache time-to-live for icons that were not available. 0 means no purging.
#cacheFailed: 259200
## HTTP code for redirect to external icon service
#redirectCode: 302
service:
type: ClusterIP
httpPort: 80
websocketPort: 3012
externalTrafficPolicy: Cluster
# loadBalancerIP:
nodePorts:
# Choose NodePorts manually
http: ""
websocket: ""
# Kubernetes Ingress
ingress:
enabled: true
className: nginx
host: "warden.ervine.cloud"
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
tls:
- secretName: warden-ervine-cloud-tls
hosts:
- warden.ervine.cloud
# Traefik IngressRoute CRD
ingressRoute:
enabled: false
# Mandatory to enable IngressRoute
host: ""
entrypoints:
- websecure
## Enable Traefik middlewares
middlewares: {}
# - name: my_middleware
# namespace: default
tls: {}
#certResolver: letsencrypt
persistence:
enabled: true
size: 1Gi
accessMode: ReadWriteOnce
## Persistent Volume storage class
# storageClass: "-"
## Use existing Persistent Volume Claim
existingClaim: vw-home-vaultwarden
# Use custom volume definition. Cannot be used with persistence.
customVolume: {}
#hostPath:
# path: "/examplefolder/vaultwarden"
image:
pullPolicy: IfNotPresent
repository: vaultwarden/server
tag: ""
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
replicaCount: 1
serviceAccount:
# Specifies whether a service account should be created
create: false
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
podAnnotations: {}
podLabels: {}
# Annotations to add to the Deployment
deploymentAnnotations: {}
# Sidecar containers, add container spec (https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#Container)
# No templating possible, values need to be hardcoded
sidecars: []
# - name: sidecar
# image: sidecarimage:1.2.3
# env:
# - name: SIDECAR_END
# value: "sidecar"
# volumeMounts:
# - name: vaultwarden
# mountPath: /data
podSecurityContext:
fsGroup: 65534
securityContext:
runAsUser: 65534
runAsGroup: 65534
strategy: {}
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
tolerations: []
affinity: {}
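Review bot: `database.url` in this file carries a literal PostgreSQL password for `home-postgres.db.svc.cluster.local` and is now in git history, even though `database.existingSecret: vw-home-vaultwarden` on the next line means the secret template (`and (ne .Values.database.type "sqlite") (not .Values.database.existingSecret)`) never reads it; remove the `url` line and rotate that credential. The committed `persistence.existingClaim`, `ingress.host` and `ingress.tls` are likewise cluster-specific and belong in an environment overlay rather than the chart's values, and `admin.enabled: true` with no `admin.existingSecret` means the admin token is regenerated on every upgrade by the `randAlphaNum 48` fallback in the secret template.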


@ -0,0 +1,273 @@
# Default values for vaultwarden.
database:
# Database type, must be one of: 'sqlite', 'mysql' or 'postgresql'.
type: sqlite
# Enable DB Write-Ahead-Log for SQLite, disabled for other databases. https://github.com/dani-garcia/vaultwarden/wiki/Running-without-WAL-enabled
wal: true
## URL for external databases (mysql://user:pass@host:port/database-name or postgresql://user:pass@host:port/database-name).
#url: ""
## Use existing secret for database URL, key 'database-url'.
#existingSecret:
## Set the size of the database connection pool.
#maxConnections: 10
## Connection retries during startup, 0 for infinite. 1 second between retries.
#retries: 15
# Set vaultwarden application variables
vaultwarden:
## Set Bitwarden URL, mandatory for invitations over email. Recommended if using a reverse proxy / ingress. Format is https://name or http://name
#domain:
# Allow any user to sign-up: https://github.com/dani-garcia/vaultwarden/wiki/Disable-registration-of-new-users
allowSignups: true
## Whitelist domains allowed to sign-up. 'allowSignups' is ignored if set.
#signupDomains:
# - domain.tld
# Verify e-mail before login is enabled. SMTP must be enabled.
verifySignup: false
# When a user logs in an email is required to be sent. If sending the email fails the login attempt will fail. SMTP must be enabled.
requireEmail: false
## Maximum attempts before an email token is reset and a new email will need to be sent.
#emailAttempts: 3
## Email token validity in seconds.
#emailTokenExpiration: 600
# Allow invited users to sign-up even feature is disabled: https://github.com/dani-garcia/vaultwarden/wiki/Disable-invitations
allowInvitation: true
## Number of hours after which an organization invite token, emergency access invite token,
## email verification token and deletion request token will expire
#invitationExpiration: 120
## Allow users to set password hints. Applies to all users.
#passwordHintsAllowed: true
# Show password hints: https://github.com/dani-garcia/vaultwarden/wiki/Password-hint-display
showPasswordHint: false
## Default organization name in invitation e-mails that are not coming from a specific organization.
#defaultInviteName: ""
# Enable Websockets for notification. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-WebSocket-notifications
# Redirect HTTP path "/notifications/hub" to port 3012. Ingress/IngressRoute controllers are automatically configured.
enableWebsockets: true
# Enable Web Vault (static content). https://github.com/dani-garcia/vaultwarden/wiki/Disabling-or-overriding-the-Vault-interface-hosting
enableWebVault: true
# Enable Bitwarden Sends globally
enableSends: true
# Restrict creation of orgs. Options are: 'all', 'none' or a comma-separated list of users.
orgCreationUsers: all
## Limit attachment disk usage per organization.
#attachmentLimitOrg:
## Limit attachment disk usage per user.
#attachmentLimitUser:
## HaveIBeenPwned API Key. Can be purchased at https://haveibeenpwned.com/API/Key.
#hibpApiKey:
## Number of days to auto-delete trashed items. By default iteams are not auto-deleted.
#autoDeleteDays:
## Organization event logging
#orgEvents: false
## Organization event retation. Leave empty to not delete.
#orgEventsRetention: ""
## Map of custom environment variables. Use carefully.
#extraEnv:
# IP_HEADER: CF-Connecting-IP
# ALLOWED_IFRAME_ANCESTORS: myintranet.local
admin:
# Enable admin portal.
enabled: false
# Disabling the admin token will make the admin portal accessible to anyone, use carefully: https://github.com/dani-garcia/vaultwarden/wiki/Disable-admin-token
disableAdminToken: false
## Token for admin login, will be generated if not defined. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page
#token:
## Use existing secret for the admin token. Key is 'admin-token'.
#existingSecret:
emergency:
# Allow any user to enable emergency access.
enabled: true
## Schedule to send expiration reminders to emergency access grantors. Cron schedule format.
#reminder: "0 3 * * * *"
## Schedule to grant emergency access requests that have met the required wait time. Cron schedule format.
#timeout: "0 3 * * * *"
# Enable SMTP. https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
smtp:
enabled: false
# SMTP hostname, required if SMTP is enabled.
host: ""
# SMTP sender e-mail address, required if SMTP is enabled.
from: ""
## SMTP sender name, defaults to 'Vaultwarden'.
#fromName: ""
# Enable secure SSL connection. Options are: "starttls", "force_tls" and "off"
# Users migrating from 1.24 or lower using ssl/explicitTLS settings:
# ssl = false -> "off"
# ssl = true and explicitTLS = false -> "starttls"
# ssl = true and explicitTLS = true -> "force_tls"
security: starttls
## SMTP port. Defaults depends on security: 465 for "force_tls", 587 for "starttls" and 25 for "off"
#port: 587
## SMTP Authentication Mechanisms. Comma-separated options: 'Plain', 'Login' and 'Xoauth2'. Defaults to 'Plain'.
#authMechanism: Plain
## Hostname to be sent for SMTP HELO. Defaults to pod name.
#heloName: ""
## SMTP timeout.
#timeout: 15
## Accept SSL session if certificate is valid but hostname doesn't match. DANGEROUS, vulnerable to men-in-the-middle attacks!
#invalidHostname: false
## Accept invalid certificates. DANGEROUS, vulnerable to men-in-the-middle attacks!
#invalidCertificate: false
## SMTP username.
#user: ""
## SMTP password. Required is user is specified, ignored if no user provided.
#password: ""
## Use existing secret for SMTP authentication. Keys are 'smtp-user' and 'smtp-password'.
#existingSecret:
## Embed images as email attachments
#embedImages: false
## Enable Yubico OPT authentication. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Yubikey-OTP-authentication
yubico:
enabled: false
## Yubico server. Defaults to YubiCloud.
#server:
## Yubico ID and Secret Key.
#clientId:
#secretKey:
## Use existing secret for Yubico. Keys are 'yubico-client-id' and 'yubico-secret-key'.
#existingSecret:
## Logging options. https://github.com/dani-garcia/vaultwarden/wiki/Logging
log:
# Log to file.
file: ""
# Log level. Options are "trace", "debug", "info", "warn", "error" or "off".
level: ""
## Log timestamp format. See https://docs.rs/chrono/0.4.15/chrono/format/strftime/index.html. Defaults to time in milliseconds.
#timeFormat: ""
icons:
## Icon download service. "internal" to fetch icons directly, otherwise options are: "bitwarden", "duckduckgo" or "google"
#service: internal
# Disables download of external icons on internal service. Setting to true will still serve icons from cache (/data/icon_cache). TTL will default to zero.
disableDownload: false
## Cache time-to-live for icons fetched. 0 means no purging.
#cache: 2592000
## Cache time-to-live for icons that were not available. 0 means no purging.
#cacheFailed: 259200
## HTTP code for redirect to external icon service
#redirectCode: 302
service:
type: ClusterIP
httpPort: 80
websocketPort: 3012
externalTrafficPolicy: Cluster
# loadBalancerIP:
nodePorts:
# Choose NodePorts manually
http: ""
websocket: ""
# Kubernetes Ingress
ingress:
enabled: false
# className: nginx
host: ""
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
tls: []
# - secretName: vaultwarden-tls
# hosts:
# - vaultwarden.local
# Traefik IngressRoute CRD
ingressRoute:
enabled: false
# Mandatory to enable IngressRoute
host: ""
entrypoints:
- websecure
## Enable Traefik middlewares
middlewares: {}
# - name: my_middleware
# namespace: default
tls: {}
#certResolver: letsencrypt
persistence:
enabled: false
size: 1Gi
accessMode: ReadWriteOnce
## Persistent Volume storage class
# storageClass: "-"
## Use existing Persistent Volume Claim
# existingClaim:
# Use custom volume definition. Cannot be used with persistence.
customVolume: {}
#hostPath:
# path: "/examplefolder/vaultwarden"
image:
pullPolicy: IfNotPresent
repository: vaultwarden/server
tag: ""
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
replicaCount: 1
serviceAccount:
# Specifies whether a service account should be created
create: false
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
podAnnotations: {}
podLabels: {}
# Annotations to add to the Deployment
deploymentAnnotations: {}
# Sidecar containers, add container spec (https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#Container)
# No templating possible, values need to be hardcoded
sidecars: []
# - name: sidecar
# image: sidecarimage:1.2.3
# env:
# - name: SIDECAR_END
# value: "sidecar"
# volumeMounts:
# - name: vaultwarden
# mountPath: /data
podSecurityContext:
fsGroup: 65534
securityContext:
runAsUser: 65534
runAsGroup: 65534
strategy: {}
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
tolerations: []
affinity: {}
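Review bot: `securityContext` sets only `runAsUser`/`runAsGroup`; add `runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `capabilities: { drop: [ALL] }` and `seccompProfile: { type: RuntimeDefault }` so the pod passes the restricted Pod Security Standard, and `readOnlyRootFilesystem: true` is probably workable since the only mounted writable path is `/data` (verify against the image first). The defaults `allowSignups: true` and `orgCreationUsers: all` mirror upstream, but for a password manager exposed through `ingress` the comment should tell users to disable signups or limit them with `signupDomains` before publishing the host. Comment typos worth fixing in the same pass: `iteams`, `retation`, `Yubico OPT`, `Required is user`, `men-in-the-middle`, `even feature is disabled`.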


@ -1,9 +1,13 @@
apiVersion: v2 apiVersion: v2
appVersion: 1.27.0 appVersion: 1.32.7
description: Unofficial Bitwarden compatible server written in Rust description: Unofficial Bitwarden compatible server written in Rust
home: https://github.com/dani-garcia/vaultwarden - bitwarden - bitwarden_rs - password home: https://github.com/dani-garcia/vaultwarden
- vaultwarden icon: https://raw.githubusercontent.com/dani-garcia/vaultwarden/main/resources/vaultwarden-icon.svg
icon: https://upload.wikimedia.org/wikipedia/commons/0/03/Bitwarden_Logo.png keywords:
- bitwarden
- bitwarden_rs
- password
- vaultwarden
maintainers: maintainers:
- email: silvio@gissilabs.com - email: silvio@gissilabs.com
name: Silvio Gissi name: Silvio Gissi
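Review bot: `appVersion` jumps from 1.27.0 to 1.32.7 while the copied templates and values still carry the separate WebSocket listener (`websocket` container port 3012, `service.websocketPort`, the `/notifications/hub` rules in the Ingress and IngressRoute templates); recent Vaultwarden releases serve `/notifications/hub` on the main HTTP port and deprecated the standalone port, so check the WebSocket wiki page linked from `values.yaml` for 1.32.x and, if the standalone listener is gone, route `/notifications/hub` to `httpPort` (or drop the special-case rule) instead of to a port nothing listens on.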
@ -11,4 +15,4 @@ name: vaultwarden
sources: sources:
- https://github.com/dani-garcia/vaultwarden - https://github.com/dani-garcia/vaultwarden
type: application type: application
version: 1.0.0 version: 1.2.5


@ -33,6 +33,7 @@ database.type | Backend database type | sqlite, mysql or postgresql | sqlite
database.wal | Enable SQLite Write-Ahead-Log, ignored for external databases | true / false | true database.wal | Enable SQLite Write-Ahead-Log, ignored for external databases | true / false | true
database.url | URL of external database (MySQL/PostgreSQL) | \[mysql\|postgresql\]://user:pass@host:port\[/database\] | Empty database.url | URL of external database (MySQL/PostgreSQL) | \[mysql\|postgresql\]://user:pass@host:port\[/database\] | Empty
database.existingSecret | Use existing secret for database URL, key 'database-url' | Secret name | Not defined database.existingSecret | Use existing secret for database URL, key 'database-url' | Secret name | Not defined
database.existingSecretKey | Use different key for existing secret for database URL. If defined, `database.existingSecret` has to be defined as well | Secret name | Not defined
database.maxConnections | Set the size of the database connection pool | Number | 10 database.maxConnections | Set the size of the database connection pool | Number | 10
database.retries | Connection retries during startup, 0 for infinite. 1 second between retries | Number | 15 database.retries | Connection retries during startup, 0 for infinite. 1 second between retries | Number | 15
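Review bot: `database.existingSecretKey` is added to the parameter table here, but neither `values.yaml` in this commit (which only lists `database.existingSecret`, key `database-url`) nor the secret template knows the option; either wire it through to where the deployment reads `database-url` or keep it out of the docs until it exists. Its type column also says `Secret name` where it should read `Key name`.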
@ -52,20 +53,21 @@ vaultwarden.invitationExpiration | Number of hours after which tokens expire (or
vaultwarden.defaultInviteName | Default organization name in invitation e-mails that are not coming from a specific organization. | Text | Vaultwarden vaultwarden.defaultInviteName | Default organization name in invitation e-mails that are not coming from a specific organization. | Text | Vaultwarden
vaultwarden.passwordHintsAllowed | Allow users to set password hints. Applies to all users. | true / false | true vaultwarden.passwordHintsAllowed | Allow users to set password hints. Applies to all users. | true / false | true
vaultwarden.showPasswordHint | Show password hints. [More Information](https://github.com/dani-garcia/vaultwarden/wiki/Password-hint-display) | true / false | false vaultwarden.showPasswordHint | Show password hints. [More Information](https://github.com/dani-garcia/vaultwarden/wiki/Password-hint-display) | true / false | false
vaultwarden.enableWebsockets | Enable Websockets for notification. [More Information](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-WebSocket-notifications). If using Ingress controllers, "notifications/hub" URL is redirected to websocket port | true / false | true
vaultwarden.enableWebVault | Enable Web Vault static site. [More Information](https://github.com/dani-garcia/vaultwarden/wiki/Disabling-or-overriding-the-Vault-interface-hosting). | true / false | true vaultwarden.enableWebVault | Enable Web Vault static site. [More Information](https://github.com/dani-garcia/vaultwarden/wiki/Disabling-or-overriding-the-Vault-interface-hosting). | true / false | true
vaultwarden.enableSends | Enable Bitwarden Sends globally. | true / false | true vaultwarden.enableSends | Enable Bitwarden Sends globally. | true / false | true
vaultwarden.orgCreationUsers | Restrict creation of orgs. | 'all', 'none' or a comma-separated list of users. | all vaultwarden.orgCreationUsers | Restrict creation of orgs. | 'all', 'none' or a comma-separated list of users. | all
vaultwarden.attachmentLimitOrg | Limit attachment disk usage in Kb per organization | Number | Not defined vaultwarden.attachmentLimitOrg | Limit attachment disk usage in Kb per organization | Number | Not defined
vaultwarden.attachmentLimitUser | Limit attachment disk usage in Kb per user | Number | Not defined vaultwarden.attachmentLimitUser | Limit attachment disk usage in Kb per user | Number | Not defined
vaultwarden.sendLimitUser | Limit send disk usage in Kb per user | Number | Not defined
vaultwarden.hibpApiKey | API Key to use HaveIBeenPwned service. Can be purchased at [here](https://haveibeenpwned.com/API/Key) | Text | Not defined vaultwarden.hibpApiKey | API Key to use HaveIBeenPwned service. Can be purchased at [here](https://haveibeenpwned.com/API/Key) | Text | Not defined
vaultwarden.autoDeleteDays | Number of days to auto-delete trashed items. | Number | Empty (never auto-delete) vaultwarden.autoDeleteDays | Number of days to auto-delete trashed items. | Number | Empty (never auto-delete)
vaultwarden.orgEvents | Enable Organization event logging | true / false | false vaultwarden.orgEvents | Enable Organization event logging | true / false | false
vaultwarden.orgEventsRetention | Organization event log retention in days | Number | Empty (never delete) vaultwarden.orgEventsRetention | Organization event log retention in days | Number | Empty (never delete)
vaultwarden.extraEnv | Pass extra environment variables | Map | Not defined vaultwarden.emailChangeAllowed | Allow users to change their email. | true / false | true
vaultwarden.extraEnv | Pass extra environment variables, either as key-value pairs or as key-reference pairs | Map | Not defined
vaultwarden.log.file | Filename to log to disk. [More information](https://github.com/dani-garcia/vaultwarden/wiki/Logging) | File path | Empty vaultwarden.log.file | Filename to log to disk. [More information](https://github.com/dani-garcia/vaultwarden/wiki/Logging) | File path | Empty
vaultwarden.log.level | Change log level | trace, debug, info, warn, error or off | Empty vaultwarden.log.level | Change log level | trace, debug, info, warn, error or off | Empty
vaultwarden.log.timeFormat | Log timestamp | Rust chrono [format](https://docs.rs/chrono/0.4.15/chrono/format/strftime/index.html). | Time in milliseconds | Empty vaultwarden.log.timeFormat | Log timestamp | Rust chrono [format](https://docs.rs/chrono/0.4.15/chrono/format/strftime/index.html). | Empty
## **Application Features** ## **Application Features**
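Review bot: the new `vaultwarden.extraEnv` row says "key-reference pairs" without naming which references are accepted; the deployment template in this commit only allows `secretKeyRef` and `configMapKeyRef` and fails the render on anything else, so state those two names here (e.g. "Map of name: value or name: {secretKeyRef|configMapKeyRef: ...}"). The rewritten `vaultwarden.log.timeFormat` row correctly drops the stray fifth cell (`Time in milliseconds`) that broke the old table row. Also note that `vaultwarden.hibpApiKey` is the one credential in this table without an `existingSecret` counterpart, unlike SMTP and push.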
@ -96,7 +98,7 @@ vaultwarden.smtp.invalidCertificate | Accept invalid certificates. DANGEROUS! |
vaultwarden.smtp.user | SMTP username | Text | Not defined vaultwarden.smtp.user | SMTP username | Text | Not defined
vaultwarden.smtp.password | SMTP password. Required is user is specified | Text | Not defined vaultwarden.smtp.password | SMTP password. Required is user is specified | Text | Not defined
vaultwarden.smtp.existingSecret | Use existing secret for SMTP authentication. Keys are 'smtp-user' and 'smtp-password' | Secret name | Not defined vaultwarden.smtp.existingSecret | Use existing secret for SMTP authentication. Keys are 'smtp-user' and 'smtp-password' | Secret name | Not defined
vaultwarden.smtp.embedImages | Embed images as email attachments | true / false | false vaultwarden.smtp.embedImages | Embed images as email attachments | true / false | true
||| |||
vaultwarden.yubico.enabled | Enable Yubikey support | true / false | false vaultwarden.yubico.enabled | Enable Yubikey support | true / false | false
vaultwarden.yubico.server | Yubico server | Hostname | YubiCloud vaultwarden.yubico.server | Yubico server | Hostname | YubiCloud
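Review bot: flipping the documented default of `vaultwarden.smtp.embedImages` from false to true is a behaviour change for existing installs; it is recorded under "From 1.0 to 1.1" in the Upgrade section, so keep the two in sync if the default moves again. Separately, the unchanged `vaultwarden.smtp.password` row reads "Required is user is specified"; it should be "Required if user is specified".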
@ -109,6 +111,13 @@ vaultwarden.icons.disableDownload | Disables download of external icons, icons i
vaultwarden.icons.cache | Cache time-to-live for icons fetched. 0 means no purging | Number | 2592000. If download is disabled, defaults to 0 vaultwarden.icons.cache | Cache time-to-live for icons fetched. 0 means no purging | Number | 2592000. If download is disabled, defaults to 0
vaultwarden.icons.cacheFailed | Cache time-to-live for icons that were not available. 0 means no purging | Number | 2592000 vaultwarden.icons.cacheFailed | Cache time-to-live for icons that were not available. 0 means no purging | Number | 2592000
vaultwarden.icons.redirectCode | HTTP code to use for redirects to an external icon service | true / false | 302 vaultwarden.icons.redirectCode | HTTP code to use for redirects to an external icon service | true / false | 302
|||
vaultwarden.push.enabled | Enable Push notifications | true / false | false
vaultwarden.push.installationId | Installation ID from Bitwarden | Text | Empty
vaultwarden.push.installationKey | Installation Key from Bitwarden | Text | Empty
vaultwarden.push.relayUri | Relay URI, should not need to change | URL | https://push.bitwarden.com
vaultwarden.push.identityUri | Identity URI, should not need to change | URL | https://push.bitwarden.com
vaultwarden.push.existingSecret | Use existing secret for Push notifications. Keys are 'push-id' and 'push-key' | Secret name | Not defined
## **Network** ## **Network**
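Review bot: `vaultwarden.push.relayUri` and `vaultwarden.push.identityUri` are both listed with the default `https://push.bitwarden.com`; the identity endpoint is normally a different host from the relay, so please verify the identityUri default against the upstream Vaultwarden push documentation before publishing the table. The unchanged `vaultwarden.icons.redirectCode` row gives Format `true / false` for an HTTP status code whose default is 302; that cell should read `Number`.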
@ -116,19 +125,18 @@ Option | Description | Format | Default
------ | ----------- | ------ | ------- ------ | ----------- | ------ | -------
service.type | Service Type. [More Information](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) | Type | ClusterIP service.type | Service Type. [More Information](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) | Type | ClusterIP
service.httpPort | Service port for HTTP server | Number | 80 service.httpPort | Service port for HTTP server | Number | 80
service.websocketPort | Service port for Websocket server, if enabled | Number | 3012
service.externalTrafficPolicy | External Traffic Policy. [More Information](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip) | Local / Cluster| Cluster service.externalTrafficPolicy | External Traffic Policy. [More Information](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip) | Local / Cluster| Cluster
service.loadBalancerIP | Manually select IP when type is LoadBalancer | IP address | Not defined service.loadBalancerIP | Manually select IP when type is LoadBalancer | IP address | Not defined
service.nodePorts.http | Manually select node port for http | Number | Empty service.nodePorts.http | Manually select node port for http | Number | Empty
service.nodePorts.websocket | Manually select node port for websocker, if enabled | Number | Empty
||| |||
ingress.enabled | Enable Ingress | true / false | false ingress.enabled | Enable Ingress | true / false | false
ingress.className | Name of the ingress class | string | Empty ingress.className | Name of the ingress class | Text | Empty
ingress.host | Ingress hostname **required** | Hostname | Empty ingress.host | Ingress hostname **required** | Hostname | Empty
ingress.annotations | Ingress annotations | Map | Empty ingress.annotations | Ingress annotations | Map | Empty
ingress.tls | Ingress TLS options | Array of Maps | Empty ingress.tls | Ingress TLS options | Array of Maps | Empty
||| |||
ingressRoute.enabled | Enable Traefik IngressRoute CRD | true / false | false ingressRoute.enabled | Enable Traefik IngressRoute CRD | true / false | false
ingressRoute.newCRD | Traefik 2.10 and above uses a new CRD namespace (traefik.io) | true / false | false
ingressRoute.host | Ingress route hostname **required** | Hostname | Empty ingressRoute.host | Ingress route hostname **required** | Hostname | Empty
ingressRoute.middlewares | Enable middlewares | Map | Empty ingressRoute.middlewares | Enable middlewares | Map | Empty
ingressRoute.entrypoints | List of Traefik endpoints | Array of Text | \[websecure\] ingressRoute.entrypoints | List of Traefik endpoints | Array of Text | \[websecure\]
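Review bot: removing `service.websocketPort` and `service.nodePorts.websocket` breaks any values file that still sets them; the Upgrade section covers this, but the table should also say that `/notifications/hub` is now routed through the ordinary http port rather than a second Service port. The new `ingressRoute.newCRD` description is a statement of fact rather than what the option does; suggest "Use the traefik.io CRD group (Traefik 2.10 and above) instead of traefik.containo.us".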
@ -143,7 +151,9 @@ persistence.size | Size of volume | Size | 1Gi
persistence.accessMode | Volume access mode | Text | ReadWriteOnce persistence.accessMode | Volume access mode | Text | ReadWriteOnce
persistence.storageClass | Storage Class | Text | Not defined. Use "-" for default class persistence.storageClass | Storage Class | Text | Not defined. Use "-" for default class
persistence.existingClaim | Use existing PVC | Name of PVC | Not defined persistence.existingClaim | Use existing PVC | Name of PVC | Not defined
persistence.annotations | PVC annotations | Map | Empty
customVolume | Use custom volume definition. Cannot be used with persistence | Map | Empty customVolume | Use custom volume definition. Cannot be used with persistence | Map | Empty
additionalVolumes | Additional volumes definitions, to be used by sidecars [Spec](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes) | Array | Empty
## **Image** ## **Image**
@ -165,6 +175,8 @@ serviceAccount.create | Create Service Account | true / false | false
serviceAccount.annotations | Annotations service account | Map | Empty serviceAccount.annotations | Annotations service account | Map | Empty
serviceAccount.name | Service Account name | Text | Generated from template serviceAccount.name | Service Account name | Text | Generated from template
deploymentAnnotations | Deployment Annotations | Map | Empty deploymentAnnotations | Deployment Annotations | Map | Empty
probes.liveness | Liveness options [Spec](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes) | Map | Empty
probes.readiness | Readiness options [Spec](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes) | Map | Empty
sidecars | Sidecar container definition [Spec](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#Container) | Array | Empty sidecars | Sidecar container definition [Spec](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#Container) | Array | Empty
podAnnotations | Pod Annotations | Map | Empty podAnnotations | Pod Annotations | Map | Empty
podLabels | Extra Pod Labels | Map | Empty podLabels | Extra Pod Labels | Map | Empty
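Review bot: `probes.liveness` and `probes.readiness` are documented as generic "options", but deployment.yaml in this commit splices the map beneath a fixed `httpGet` handler, so only timing and threshold fields (`timeoutSeconds`, `periodSeconds`, `successThreshold`, `failureThreshold`, `initialDelaySeconds`) belong there; say so in the Description cell so nobody supplies a second `httpGet` or an `exec` handler and gets a duplicate key in the rendered manifest.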
@ -177,6 +189,14 @@ affinity | Affinity | Map | Empty
## Upgrade ## Upgrade
### From 1.1 to 1.2
Dropped support for Ingress on Kubernetes versions 1.18 or older. [More details](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#ingressclass-v122). Since Vaultwarden 1.29, WebSockets no longer uses separate port, support for that has been removed as well.
### From 1.0 to 1.1
The default value for Embed Images on email option changed from false to true.
### From 0.x to 1.x ### From 0.x to 1.x
Vaultwarden version before v1.25.0 had a [bug/mislabelled](https://github.com/dani-garcia/vaultwarden/issues/851) configuration setting regarding SSL and TLS. This has been fixed in testing and newer released versions. When image version is 1.25 or higher, use vaultwarden.smtp.security instead of vaultwarden.smtp.ssl/vaultwarden.smtp.explicitTLS. Vaultwarden version before v1.25.0 had a [bug/mislabelled](https://github.com/dani-garcia/vaultwarden/issues/851) configuration setting regarding SSL and TLS. This has been fixed in testing and newer released versions. When image version is 1.25 or higher, use vaultwarden.smtp.security instead of vaultwarden.smtp.ssl/vaultwarden.smtp.explicitTLS.
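Review bot: the "From 1.1 to 1.2" note ties the websocket removal to Vaultwarden 1.29, so this same change must move the chart's appVersion and default image tag to 1.29 or later; otherwise an install on the chart's default image loses `/notifications/hub`, because the separate port, the Service entry and the `WEBSOCKET_ENABLED` variable are all removed in this commit. Grammar: "WebSockets no longer uses separate port" should be "WebSockets no longer use a separate port".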

View File

@ -4,10 +4,6 @@
{{- else if .Values.ingressRoute.enabled }} {{- else if .Values.ingressRoute.enabled }}
http{{ if $.Values.ingressRoute.tls }}s{{ end }}://{{ .Values.ingressRoute.host }}/ http{{ if $.Values.ingressRoute.tls }}s{{ end }}://{{ .Values.ingressRoute.host }}/
{{- else }} {{- else }}
{{- if eq .Values.vaultwarden.enableWebsockets true }}
NOTE: the websocket listens on a different port and might not work unless /notifications/hub is redirected externally.
{{- end }}
{{- if contains "NodePort" .Values.service.type }} {{- if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "vaultwarden.fullname" . }}) export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "vaultwarden.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")

View File

@ -36,6 +36,10 @@ spec:
serviceAccountName: {{ include "vaultwarden.serviceAccountName" . }} serviceAccountName: {{ include "vaultwarden.serviceAccountName" . }}
securityContext: securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }} {{- toYaml .Values.podSecurityContext | nindent 8 }}
{{- if .Values.initContainers }}
initContainers:
{{- toYaml .Values.initContainers | nindent 8 }}
{{- end }}
containers: containers:
- name: {{ .Chart.Name }} - name: {{ .Chart.Name }}
securityContext: securityContext:
@ -81,8 +85,6 @@ spec:
{{- end }} {{- end }}
- name: SHOW_PASSWORD_HINT - name: SHOW_PASSWORD_HINT
value: {{ .Values.vaultwarden.showPasswordHint | quote }} value: {{ .Values.vaultwarden.showPasswordHint | quote }}
- name: WEBSOCKET_ENABLED
value: {{ .Values.vaultwarden.enableWebsockets | quote }}
- name: WEB_VAULT_ENABLED - name: WEB_VAULT_ENABLED
value: {{ .Values.vaultwarden.enableWebVault | quote }} value: {{ .Values.vaultwarden.enableWebVault | quote }}
- name: SENDS_ALLOWED - name: SENDS_ALLOWED
@ -97,6 +99,10 @@ spec:
- name: USER_ATTACHMENT_LIMIT - name: USER_ATTACHMENT_LIMIT
value: {{ .Values.vaultwarden.attachmentLimitUser | quote }} value: {{ .Values.vaultwarden.attachmentLimitUser | quote }}
{{- end }} {{- end }}
{{- if .Values.vaultwarden.sendLimitUser }}
- name: USER_SEND_LIMIT
value: {{ .Values.vaultwarden.sendLimitUser | quote }}
{{- end }}
{{- if .Values.vaultwarden.hibpApiKey }} {{- if .Values.vaultwarden.hibpApiKey }}
- name: HIBP_API_KEY - name: HIBP_API_KEY
value: {{ .Values.vaultwarden.hibpApiKey | quote }} value: {{ .Values.vaultwarden.hibpApiKey | quote }}
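Review bot: the new `USER_SEND_LIMIT` block mirrors `USER_ATTACHMENT_LIMIT`, fine. The trailing context, though, shows `HIBP_API_KEY` rendered inline as `value: {{ .Values.vaultwarden.hibpApiKey | quote }}`, which writes a paid API credential into the Deployment object where anyone with read access to deployments or pods can see it; the SMTP, database and push credentials in this same template all come from a Secret via `secretKeyRef`. Consider adding `hibp-api-key` to the chart Secret and referencing it the same way.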
@ -113,10 +119,22 @@ spec:
- name: EVENTS_DAYS_RETAIN - name: EVENTS_DAYS_RETAIN
value: {{ .Values.vaultwarden.orgEventsRetention | quote }} value: {{ .Values.vaultwarden.orgEventsRetention | quote }}
{{- end }} {{- end }}
{{- if hasKey .Values.vaultwarden "emailChangeAllowed" }}
- name: EMAIL_CHANGE_ALLOWED
value: {{ .Values.vaultwarden.emailChangeAllowed | quote }}
{{- end }}
{{- if .Values.vaultwarden.extraEnv }} {{- if .Values.vaultwarden.extraEnv }}
{{- range $key, $val := .Values.vaultwarden.extraEnv }} {{- range $key, $val := .Values.vaultwarden.extraEnv }}
- name: {{ $key }} - name: {{ $key }}
{{- if kindIs "string" $val }}
value: {{ $val | quote }} value: {{ $val | quote }}
{{- else if or (hasKey $val "secretKeyRef") (hasKey $val "configMapKeyRef") }}
valueFrom:
{{- $val | toYaml | nindent 16 }}
{{- else }}
{{- fail "Items in extraEnv must be either text or contain a valueFrom key (configMapKeyRef or secretKeyRef)" }}
{{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- include "vaultwarden.dbTypeValid" . }} {{- include "vaultwarden.dbTypeValid" . }}
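Review bot: `kindIs "string" $val` rejects unquoted scalars: an entry such as `SOME_LIMIT: 10` or `SOME_FLAG: true` is an int or bool, so it falls into the `else if` branch where `hasKey $val "secretKeyRef"` receives a non-map argument and the render stops with a Go template type error instead of the custom `fail` message. Suggest testing the map case first and stringifying everything else: `{{- if kindIs "map" $val }}` ... valueFrom ... `{{- else }} value: {{ $val | toString | quote }}`, with the `hasKey` checks inside the map branch. The `hasKey .Values.vaultwarden "emailChangeAllowed"` guard is right, since an explicit `false` must still be rendered.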
@ -138,7 +156,7 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: {{ if .Values.database.existingSecret }}{{ .Values.database.existingSecret }}{{else}}{{ include "vaultwarden.fullname" . }}{{end}} name: {{ if .Values.database.existingSecret }}{{ .Values.database.existingSecret }}{{else}}{{ include "vaultwarden.fullname" . }}{{end}}
key: database-url key: {{ if and .Values.database.existingSecret .Values.database.existingSecretKey }}{{ .Values.database.existingSecretKey }}{{else}}database-url{{end}}
{{- end }} {{- end }}
{{- if .Values.vaultwarden.domain }} {{- if .Values.vaultwarden.domain }}
- name: DOMAIN - name: DOMAIN
@ -273,9 +291,9 @@ spec:
{{- if .Values.vaultwarden.icons.disableDownload }} {{- if .Values.vaultwarden.icons.disableDownload }}
- name: DISABLE_ICON_DOWNLOAD - name: DISABLE_ICON_DOWNLOAD
value: {{ .Values.vaultwarden.icons.disableDownload | quote }} value: {{ .Values.vaultwarden.icons.disableDownload | quote }}
{{- if and (not .Values.vaultwarden.icons.cache) (eq .Values.vaultwarden.icons.disableDownload "true") }} {{- if and (not .Values.vaultwarden.icons.cache) (.Values.vaultwarden.icons.disableDownload) }}
- name: ICON_CACHE_TTL - name: ICON_CACHE_TTL
value: 0 value: "0"
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if .Values.vaultwarden.icons.cache }} {{- if .Values.vaultwarden.icons.cache }}
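Review bot: `value: 0` to `value: "0"` fixes a real defect (container env values must be strings, and the API server rejects an integer), and dropping `eq ... "true"` removes the comparison error that occurred when `disableDownload` was a YAML boolean. The inner `(.Values.vaultwarden.icons.disableDownload)` term is now redundant because the enclosing `if` already established it; `{{- if not .Values.vaultwarden.icons.cache }}` is sufficient.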
@ -289,24 +307,45 @@ spec:
{{- if hasKey .Values.vaultwarden.icons "redirectCode" }} {{- if hasKey .Values.vaultwarden.icons "redirectCode" }}
- name: ICON_REDIRECT_CODE - name: ICON_REDIRECT_CODE
value: {{ .Values.vaultwarden.icons.redirectCode | quote }} value: {{ .Values.vaultwarden.icons.redirectCode | quote }}
{{- end }} {{- end }}
{{- if eq .Values.vaultwarden.push.enabled true }}
- name: PUSH_INSTALLATION_ID
valueFrom:
secretKeyRef:
name: {{ .Values.vaultwarden.push.existingSecret | default (include "vaultwarden.fullname" .) }}
key: push-id
- name: PUSH_INSTALLATION_KEY
valueFrom:
secretKeyRef:
name: {{ .Values.vaultwarden.push.existingSecret | default (include "vaultwarden.fullname" .) }}
key: push-key
{{- if hasKey .Values.vaultwarden.push "relayUri" }}
- name: PUSH_RELAY_URI
value: {{ .Values.vaultwarden.push.relayUri | quote }}
{{- end }}
{{- if hasKey .Values.vaultwarden.push "identityUri" }}
- name: PUSH_IDENTITY_URI
value: {{ .Values.vaultwarden.push.identityUri | quote }}
{{- end }}
{{- end }}{{/* Push */}}
ports: ports:
- name: http - name: http
containerPort: 8080 containerPort: 8080
protocol: TCP protocol: TCP
{{- if .Values.vaultwarden.enableWebsockets }}
- name: websocket
containerPort: 3012
protocol: TCP
{{- end }}
livenessProbe: livenessProbe:
httpGet: httpGet:
path: {{ include "vaultwarden.domainSubPath" . }} path: {{ include "vaultwarden.domainSubPath" . }}
port: http port: http
{{- if .Values.probes.liveness }}
{{- toYaml .Values.probes.liveness | nindent 12 }}
{{- end }}
readinessProbe: readinessProbe:
httpGet: httpGet:
path: {{ include "vaultwarden.domainSubPath" . }} path: {{ include "vaultwarden.domainSubPath" . }}
port: http port: http
{{- if .Values.probes.readiness }}
{{- toYaml .Values.probes.readiness | nindent 12 }}
{{- end }}
volumeMounts: volumeMounts:
- name: {{ include "vaultwarden.fullname" . }} - name: {{ include "vaultwarden.fullname" . }}
mountPath: /data mountPath: /data
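Review bot: `eq .Values.vaultwarden.push.enabled true` fails with "incompatible types for comparison" when the value arrives as a string (`--set vaultwarden.push.enabled="true"` or a quoted YAML value); the truthiness form `{{- if .Values.vaultwarden.push.enabled }}` used for `icons.disableDownload` above is safer. For the probes, `toYaml .Values.probes.liveness | nindent 12` is placed next to a fixed `httpGet`, so a user-supplied `httpGet` or `exec` key becomes a duplicate mapping key in the rendered manifest; either document that only timing fields are accepted or merge the maps with `mergeOverwrite` before rendering. Removing the `websocket` container port is consistent with the Service and Ingress changes in this commit.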
@ -328,6 +367,9 @@ spec:
{{- else }} {{- else }}
emptyDir: {} emptyDir: {}
{{- end }} {{- end }}
{{- if .Values.additionalVolumes }}
{{- toYaml .Values.additionalVolumes | nindent 6 }}
{{- end }}
{{- with .Values.nodeSelector }} {{- with .Values.nodeSelector }}
nodeSelector: nodeSelector:
{{- toYaml . | nindent 8 }} {{- toYaml . | nindent 8 }}

View File

@ -1,12 +1,6 @@
{{- if .Values.ingress.enabled -}} {{- if .Values.ingress.enabled -}}
{{- $fullName := include "vaultwarden.fullname" . -}} {{- $fullName := include "vaultwarden.fullname" . -}}
{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" -}}
apiVersion: networking.k8s.io/v1 apiVersion: networking.k8s.io/v1
{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress" -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress kind: Ingress
metadata: metadata:
name: {{ $fullName }} name: {{ $fullName }}
@ -34,34 +28,11 @@ spec:
- host: {{ required "Host required for ingress" .Values.ingress.host | quote }} - host: {{ required "Host required for ingress" .Values.ingress.host | quote }}
http: http:
paths: paths:
{{- if .Values.vaultwarden.enableWebsockets }}
- path: "/notifications/hub"
{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
pathType: Prefix
{{- end }}
backend:
{{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
service:
name: {{ $fullName }}
port:
number: {{ .Values.service.websocketPort }}
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ .Values.service.websocketPort }}
{{- end }}
{{- end }}
- path: "/" - path: "/"
{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
pathType: Prefix pathType: Prefix
{{- end }}
backend: backend:
{{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
service: service:
name: {{ $fullName }} name: {{ $fullName }}
port: port:
number: {{ .Values.service.httpPort }} name: http
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ .Values.service.httpPort }}
{{- end }}
{{- end }} {{- end }}
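Review bot: switching the backend from `number: {{ .Values.service.httpPort }}` to `name: http` is an improvement, since the Ingress no longer breaks when the service port number changes, but it depends on the Service keeping a port named `http`; the service.yaml hunk in this commit only shows the websocket port being removed, so please confirm the remaining port still carries `name: http`. With the v1beta1 fallbacks gone, the template has no `.Capabilities` guard left, which matches the Upgrade note's Kubernetes 1.19 floor.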

View File

@ -1,7 +1,11 @@
{{- if .Values.ingressRoute.enabled -}} {{- if .Values.ingressRoute.enabled -}}
{{- $fullName := include "vaultwarden.fullname" . -}} {{- $fullName := include "vaultwarden.fullname" . -}}
{{- $host := (required "Host required for IngressRoute" .Values.ingressRoute.host ) -}} {{- $host := (required "Host required for IngressRoute" .Values.ingressRoute.host ) -}}
{{- if .Values.ingressRoute.newCRD }}
apiVersion: traefik.io/v1alpha1
{{- else }}
apiVersion: traefik.containo.us/v1alpha1 apiVersion: traefik.containo.us/v1alpha1
{{- end }}
kind: IngressRoute kind: IngressRoute
metadata: metadata:
name: {{ $fullName }} name: {{ $fullName }}
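Review bot: with `ingressRoute.newCRD` defaulting to false, new installs still get `traefik.containo.us/v1alpha1`, the group the values comment itself describes as superseded from Traefik 2.10. Consider auto-detecting with `.Capabilities.APIVersions.Has "traefik.io/v1alpha1"`, the same approach the old ingress.yaml used for `networking.k8s.io`, and keeping `newCRD` only as an explicit override.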
@ -13,17 +17,6 @@ spec:
- {{ . | quote }} - {{ . | quote }}
{{- end }} {{- end }}
routes: routes:
{{- if .Values.vaultwarden.enableWebsockets }}
- match: Host(`{{ $host }}`) && PathPrefix(`/notifications/hub`)
kind: Rule
{{- if .Values.ingressRoute.middlewares }}
middlewares:
{{- toYaml .Values.ingressRoute.middlewares | nindent 6 }}
{{- end }}
services:
- name: {{ $fullName }}
port: {{ .Values.service.websocketPort }}
{{- end }}
- match: Host(`{{ $host }}`) - match: Host(`{{ $host }}`)
kind: Rule kind: Rule
{{- if .Values.ingressRoute.middlewares }} {{- if .Values.ingressRoute.middlewares }}

View File

@ -3,6 +3,10 @@ kind: PersistentVolumeClaim
apiVersion: v1 apiVersion: v1
metadata: metadata:
name: {{ include "vaultwarden.fullname" . }} name: {{ include "vaultwarden.fullname" . }}
{{- with .Values.persistence.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec: spec:
accessModes: accessModes:
- {{ .Values.persistence.accessMode | quote }} - {{ .Values.persistence.accessMode | quote }}

View File

@ -18,7 +18,12 @@
{{- $yubicoClientId = required "Yubico Client ID required" .Values.vaultwarden.yubico.clientId | toString | b64enc | quote }} {{- $yubicoClientId = required "Yubico Client ID required" .Values.vaultwarden.yubico.clientId | toString | b64enc | quote }}
{{- end -}} {{- end -}}
{{- if or (ne $adminToken "") (ne $databaseUrl "") (ne $smtpUser "" ) (ne $yubicoClientId "") }} {{- $pushId := "" }}
{{- if and (eq .Values.vaultwarden.push.enabled true ) (not .Values.vaultwarden.push.existingSecret) }}
{{- $pushId = required "Push Installation ID required" .Values.vaultwarden.push.installationId | toString | b64enc | quote }}
{{- end -}}
{{- if or (ne $adminToken "") (ne $databaseUrl "") (ne $smtpUser "" ) (ne $yubicoClientId "") (ne $pushId "") }}
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
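Review bot: `(eq .Values.vaultwarden.push.enabled true)` has the same strict-type problem as in deployment.yaml (a string "true" aborts the render); use a plain truthiness test so both templates agree. Initialising `$pushId := ""` before the branch is the right pattern and matches how the other optional secrets are collected above.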
@ -40,4 +45,8 @@ data:
yubico-client-id: {{ $yubicoClientId }} yubico-client-id: {{ $yubicoClientId }}
yubico-secret-key: {{ required "Yubico Secret Key required" .Values.vaultwarden.yubico.secretKey | b64enc | quote }} yubico-secret-key: {{ required "Yubico Secret Key required" .Values.vaultwarden.yubico.secretKey | b64enc | quote }}
{{- end }} {{- end }}
{{- if ne $pushId "" }}
push-id: {{ $pushId }}
push-key: {{ required "Push Installation Key required" .Values.vaultwarden.push.installationKey | b64enc | quote }}
{{- end }}
{{- end }} {{- end }}
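Review bot: `installationId` is passed through `toString` before `b64enc` but `installationKey` is not; if the key is supplied via `--set` and YAML parses it as a number, `b64enc` receives a non-string and the render fails. Add `| toString` for symmetry. Gating the output on `ne $pushId ""` while `$pushId` is already the quoted, base64-encoded value works, but it is the presence of push.enabled without existingSecret that the condition really expresses, so a short comment there would help the next reader.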

View File

@ -20,14 +20,5 @@ spec:
{{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePorts.http)))}} {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePorts.http)))}}
nodePort: {{ .Values.service.nodePorts.http }} nodePort: {{ .Values.service.nodePorts.http }}
{{- end }} {{- end }}
{{- if .Values.vaultwarden.enableWebsockets }}
- name: websocket
port: {{ .Values.service.websocketPort }}
targetPort: websocket
protocol: TCP
{{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePorts.websocket)))}}
nodePort: {{ .Values.service.nodePorts.websocket }}
{{- end }}
{{- end }}
selector: selector:
{{- include "vaultwarden.selectorLabels" . | nindent 4 }} {{- include "vaultwarden.selectorLabels" . | nindent 4 }}

View File

@ -9,6 +9,8 @@ database:
url: "postgresql://vaultwarden:0UnBYmhT7LZ1GePohx13zRxIKM30TZA0m3GZTjgFh0dBiwENwOtZZqcPlyhMXIUD@home-postgres.db.svc.cluster.local:5432/vw" url: "postgresql://vaultwarden:0UnBYmhT7LZ1GePohx13zRxIKM30TZA0m3GZTjgFh0dBiwENwOtZZqcPlyhMXIUD@home-postgres.db.svc.cluster.local:5432/vw"
## Use existing secret for database URL, key 'database-url'. ## Use existing secret for database URL, key 'database-url'.
existingSecret: vw-home-vaultwarden existingSecret: vw-home-vaultwarden
## Use a different key for the existing secret.
#existingSecretKey:
## Set the size of the database connection pool. ## Set the size of the database connection pool.
#maxConnections: 10 #maxConnections: 10
## Connection retries during startup, 0 for infinite. 1 second between retries. ## Connection retries during startup, 0 for infinite. 1 second between retries.
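Review bot: the trailing context shows `database.url` carrying a full PostgreSQL connection string with an embedded password, while `database.existingSecret: vw-home-vaultwarden` is set on the next line. The chart reads the URL from the Secret whenever existingSecret is defined, so the inline value is unused, but it is now in git history; remove the `url:` line and rotate that database credential. The new `existingSecretKey` comment would be clearer as "Key inside existingSecret that holds the URL (default: database-url)".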
@ -42,9 +44,6 @@ vaultwarden:
showPasswordHint: false showPasswordHint: false
## Default organization name in invitation e-mails that are not coming from a specific organization. ## Default organization name in invitation e-mails that are not coming from a specific organization.
#defaultInviteName: "" #defaultInviteName: ""
# Enable Websockets for notification. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-WebSocket-notifications
# Redirect HTTP path "/notifications/hub" to port 3012. Ingress/IngressRoute controllers are automatically configured.
enableWebsockets: true
# Enable Web Vault (static content). https://github.com/dani-garcia/vaultwarden/wiki/Disabling-or-overriding-the-Vault-interface-hosting # Enable Web Vault (static content). https://github.com/dani-garcia/vaultwarden/wiki/Disabling-or-overriding-the-Vault-interface-hosting
enableWebVault: true enableWebVault: true
# Enable Bitwarden Sends globally # Enable Bitwarden Sends globally
@ -55,6 +54,8 @@ vaultwarden:
#attachmentLimitOrg: #attachmentLimitOrg:
## Limit attachment disk usage per user. ## Limit attachment disk usage per user.
#attachmentLimitUser: #attachmentLimitUser:
## Limit send disk usage per user.
#sendLimitUser:
## HaveIBeenPwned API Key. Can be purchased at https://haveibeenpwned.com/API/Key. ## HaveIBeenPwned API Key. Can be purchased at https://haveibeenpwned.com/API/Key.
#hibpApiKey: #hibpApiKey:
## Number of days to auto-delete trashed items. By default iteams are not auto-deleted. ## Number of days to auto-delete trashed items. By default iteams are not auto-deleted.
@ -63,14 +64,24 @@ vaultwarden:
#orgEvents: false #orgEvents: false
## Organization event retation. Leave empty to not delete. ## Organization event retation. Leave empty to not delete.
#orgEventsRetention: "" #orgEventsRetention: ""
## Allow users to change their email.
#emailChangeAllowed: true
## Map of custom environment variables. Use carefully. ## Map of custom environment variables. Use carefully.
#extraEnv: #extraEnv:
# IP_HEADER: CF-Connecting-IP # IP_HEADER: CF-Connecting-IP
# ALLOWED_IFRAME_ANCESTORS: myintranet.local # ALLOWED_IFRAME_ANCESTORS: myintranet.local
# COOL_VARIABLE:
# secretKeyRef:
# name: my-secret
# key: my-secret-key
# ANOTHER_VARIABLE:
# configMapKeyRef:
# name: my-config-map
# key: my-config-map-key
admin: admin:
# Enable admin portal. # Enable admin portal.
enabled: true enabled: admin
# Disabling the admin token will make the admin portal accessible to anyone, use carefully: https://github.com/dani-garcia/vaultwarden/wiki/Disable-admin-token # Disabling the admin token will make the admin portal accessible to anyone, use carefully: https://github.com/dani-garcia/vaultwarden/wiki/Disable-admin-token
disableAdminToken: false disableAdminToken: false
## Token for admin login, will be generated if not defined. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page ## Token for admin login, will be generated if not defined. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page
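Review bot: `enabled: true` to `enabled: admin` under `vaultwarden.admin` looks like an accidental edit: the option is a boolean everywhere else, and the matching hunk in the other values.yaml in this commit ends before the `enabled` line, i.e. it is unchanged there. A non-empty string still satisfies a bare `if`, so the admin portal would silently stay enabled, but any `quote`d rendering of the value would emit the literal `admin`. Restore `true`. The new `extraEnv` examples with `secretKeyRef` and `configMapKeyRef` match the template logic added in deployment.yaml.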
@ -120,7 +131,7 @@ vaultwarden:
## Use existing secret for SMTP authentication. Keys are 'smtp-user' and 'smtp-password'. ## Use existing secret for SMTP authentication. Keys are 'smtp-user' and 'smtp-password'.
#existingSecret: #existingSecret:
## Embed images as email attachments ## Embed images as email attachments
#embedImages: false #embedImages: true
## Enable Yubico OPT authentication. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Yubikey-OTP-authentication ## Enable Yubico OPT authentication. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Yubikey-OTP-authentication
yubico: yubico:
@ -154,21 +165,33 @@ vaultwarden:
## HTTP code for redirect to external icon service ## HTTP code for redirect to external icon service
#redirectCode: 302 #redirectCode: 302
# Push notifications. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification
push:
enabled: false
## Installation ID from Bitwarden.
#installationId:
## Installation Key from Bitwarden.
#installationKey:
## Relay URI
#relayUri:
## Identity URI
#identityUri:
## Use existing secret for Push notifications. Keys are 'push-id' and 'push-key'.
#existingSecret:
service: service:
type: ClusterIP type: ClusterIP
httpPort: 80 httpPort: 80
websocketPort: 3012
externalTrafficPolicy: Cluster externalTrafficPolicy: Cluster
# loadBalancerIP: # loadBalancerIP:
nodePorts: nodePorts:
# Choose NodePorts manually # Choose NodePorts manually
http: "" http: ""
websocket: ""
# Kubernetes Ingress # Kubernetes Ingress
ingress: ingress:
enabled: true enabled: true
className: nginx className: "nginx"
host: "warden.ervine.cloud" host: "warden.ervine.cloud"
annotations: {} annotations: {}
# kubernetes.io/ingress.class: nginx # kubernetes.io/ingress.class: nginx
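Review bot: `#relayUri:` and `#identityUri:` are commented out with no value, and deployment.yaml gates them on `hasKey`, so a user who uncomments the key without supplying a URL gets `PUSH_RELAY_URI: ""` (or `PUSH_IDENTITY_URI: ""`) overriding the built-in default. Either replace the `hasKey` gates with truthiness checks or put the default URLs into the commented examples so uncommenting is harmless. Quoting `className: "nginx"` is cosmetic.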
@ -181,6 +204,8 @@ ingress:
# Traefik IngressRoute CRD # Traefik IngressRoute CRD
ingressRoute: ingressRoute:
enabled: false enabled: false
# Starting on Traefik 2.10, the IngressRoute CRD moved to traefik.io namespace
newCRD: false
# Mandatory to enable IngressRoute # Mandatory to enable IngressRoute
host: "" host: ""
entrypoints: entrypoints:
@ -200,13 +225,17 @@ persistence:
# storageClass: "-" # storageClass: "-"
## Use existing Persistent Volume Claim ## Use existing Persistent Volume Claim
existingClaim: vw-home-vaultwarden existingClaim: vw-home-vaultwarden
## Annotations to add to the Persistent Volume Claim
annotations: {}
# Use custom volume definition. Cannot be used with persistence. # Use custom volume definition. Cannot be used with persistence.
customVolume: {} customVolume: {}
#hostPath: #hostPath:
# path: "/examplefolder/vaultwarden" # path: "/examplefolder/vaultwarden"
# Additional volumes, to be used by sidecars
#additionalVolumes: []
image: image:
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
repository: vaultwarden/server repository: vaultwarden/server
@ -232,6 +261,30 @@ podLabels: {}
# Annotations to add to the Deployment # Annotations to add to the Deployment
deploymentAnnotations: {} deploymentAnnotations: {}
# Readiness and Liveness probes
probes: {}
#liveness:
#timeoutSeconds: 1
#periodSeconds: 10
#successThreshold: 1
#failureThreshold: 3
#readiness:
#timeoutSeconds: 1
#periodSeconds: 10
#successThreshold: 1
#failureThreshold: 3
# initContainers containers, add container spec (https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#Container)
# No templating possible, values need to be hardcoded
initContainers: []
# - name: initcontainer
# image: initcontainer:1.2.3
# env:
# - name: INITCONTAINER_END
# value: "initcontainer"
# volumeMounts:
# - name: vaultwarden
# mountPath: /data
# Sidecar containers, add container spec (https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#Container) # Sidecar containers, add container spec (https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#Container)
# No templating possible, values need to be hardcoded # No templating possible, values need to be hardcoded
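Review bot: the `initContainers` example mounts `name: vaultwarden`, but the deployment's data volume is named `{{ include "vaultwarden.fullname" . }}`, so the example only works when the release fullname happens to be `vaultwarden`; the comment should say that the volume name must match the release fullname (the same caveat applies to the sidecar example below). `INITCONTAINER_END` in the sample env reads like a typo for `INITCONTAINER_ENV`. For `probes: {}`, the commented block should show `liveness:` and `readiness:` as nested maps so that uncommenting produces the structure the deployment template expects.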

View File

@ -9,6 +9,8 @@ database:
#url: "" #url: ""
## Use existing secret for database URL, key 'database-url'. ## Use existing secret for database URL, key 'database-url'.
#existingSecret: #existingSecret:
## Use a different key for the existing secret.
#existingSecretKey:
## Set the size of the database connection pool. ## Set the size of the database connection pool.
#maxConnections: 10 #maxConnections: 10
## Connection retries during startup, 0 for infinite. 1 second between retries. ## Connection retries during startup, 0 for infinite. 1 second between retries.
@ -42,9 +44,6 @@ vaultwarden:
showPasswordHint: false showPasswordHint: false
## Default organization name in invitation e-mails that are not coming from a specific organization. ## Default organization name in invitation e-mails that are not coming from a specific organization.
#defaultInviteName: "" #defaultInviteName: ""
# Enable Websockets for notification. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-WebSocket-notifications
# Redirect HTTP path "/notifications/hub" to port 3012. Ingress/IngressRoute controllers are automatically configured.
enableWebsockets: true
# Enable Web Vault (static content). https://github.com/dani-garcia/vaultwarden/wiki/Disabling-or-overriding-the-Vault-interface-hosting # Enable Web Vault (static content). https://github.com/dani-garcia/vaultwarden/wiki/Disabling-or-overriding-the-Vault-interface-hosting
enableWebVault: true enableWebVault: true
# Enable Bitwarden Sends globally # Enable Bitwarden Sends globally
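Review bot: dropping `enableWebsockets: true` is a breaking change for anyone carrying that key in their own values file, and the hunk gives no pointer to what replaces it. Add a line to the README upgrade notes (the chart already keeps such a section for the bitwardenrs rename) stating that the option is removed and where websocket notifications are now served, so operators with `/notifications/hub` ingress rules or firewall allowances for port 3012 know to clean them up.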
@ -55,6 +54,8 @@ vaultwarden:
#attachmentLimitOrg: #attachmentLimitOrg:
## Limit attachment disk usage per user. ## Limit attachment disk usage per user.
#attachmentLimitUser: #attachmentLimitUser:
## Limit send disk usage per user.
#sendLimitUser:
## HaveIBeenPwned API Key. Can be purchased at https://haveibeenpwned.com/API/Key. ## HaveIBeenPwned API Key. Can be purchased at https://haveibeenpwned.com/API/Key.
#hibpApiKey: #hibpApiKey:
## Number of days to auto-delete trashed items. By default iteams are not auto-deleted. ## Number of days to auto-delete trashed items. By default iteams are not auto-deleted.
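Review bot: `#sendLimitUser:` needs its unit in the comment; `## Limit send disk usage per user.` leaves a bare number ambiguous (bytes, KB, MB), and the neighbouring `#attachmentLimitUser:` has the same gap, so fix both together. The trailing context line still carries the typo `iteams`.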
@ -63,10 +64,20 @@ vaultwarden:
#orgEvents: false #orgEvents: false
## Organization event retation. Leave empty to not delete. ## Organization event retation. Leave empty to not delete.
#orgEventsRetention: "" #orgEventsRetention: ""
## Allow users to change their email.
#emailChangeAllowed: true
## Map of custom environment variables. Use carefully. ## Map of custom environment variables. Use carefully.
#extraEnv: #extraEnv:
# IP_HEADER: CF-Connecting-IP # IP_HEADER: CF-Connecting-IP
# ALLOWED_IFRAME_ANCESTORS: myintranet.local # ALLOWED_IFRAME_ANCESTORS: myintranet.local
# COOL_VARIABLE:
# secretKeyRef:
# name: my-secret
# key: my-secret-key
# ANOTHER_VARIABLE:
# configMapKeyRef:
# name: my-config-map
# key: my-config-map-key
admin: admin:
# Enable admin portal. # Enable admin portal.
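Review bot: the `extraEnv` comment `## Map of custom environment variables. Use carefully.` no longer describes what the map accepts now that the example mixes literal values (`IP_HEADER: CF-Connecting-IP`) with `secretKeyRef` and `configMapKeyRef` sub-maps. Spell out that each value is either a string or a single-key map naming a Secret or ConfigMap key, and steer anything sensitive toward `secretKeyRef` so it does not end up as a plaintext literal in the rendered Deployment. The context line `## Organization event retation.` should read `retention`.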
@ -120,7 +131,7 @@ vaultwarden:
## Use existing secret for SMTP authentication. Keys are 'smtp-user' and 'smtp-password'. ## Use existing secret for SMTP authentication. Keys are 'smtp-user' and 'smtp-password'.
#existingSecret: #existingSecret:
## Embed images as email attachments ## Embed images as email attachments
#embedImages: false #embedImages: true
## Enable Yubico OPT authentication. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Yubikey-OTP-authentication ## Enable Yubico OPT authentication. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Yubikey-OTP-authentication
yubico: yubico:
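Review bot: flipping the commented example from `#embedImages: false` to `#embedImages: true` changes the documented default with no matching template change visible in this hunk. If the template default really changed, that is a mail behaviour change that belongs in the upgrade notes; if it did not, the comment is now wrong. Either way the commit message should say which. `Yubico OPT authentication` in the following context line should be `OTP`.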
@ -154,21 +165,33 @@ vaultwarden:
## HTTP code for redirect to external icon service ## HTTP code for redirect to external icon service
#redirectCode: 302 #redirectCode: 302
# Push notifications. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification
push:
enabled: false
## Installation ID from Bitwarden.
#installationId:
## Installation Key from Bitwarden.
#installationKey:
## Relay URI
#relayUri:
## Identity URI
#identityUri:
## Use existing secret for Push notifications. Keys are 'push-id' and 'push-key'.
#existingSecret:
service: service:
type: ClusterIP type: ClusterIP
httpPort: 80 httpPort: 80
websocketPort: 3012
externalTrafficPolicy: Cluster externalTrafficPolicy: Cluster
# loadBalancerIP: # loadBalancerIP:
nodePorts: nodePorts:
# Choose NodePorts manually # Choose NodePorts manually
http: "" http: ""
websocket: ""
# Kubernetes Ingress # Kubernetes Ingress
ingress: ingress:
enabled: false enabled: false
# className: nginx className: ""
host: "" host: ""
annotations: {} annotations: {}
# kubernetes.io/ingress.class: nginx # kubernetes.io/ingress.class: nginx
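Review bot: `className: ""` replaces the commented `# className: nginx` with a live key whose default is the empty string; confirm the Ingress template omits `ingressClassName` entirely when the value is empty rather than rendering `ingressClassName: ""`, which controllers do not treat the same as an absent field. In the new `push` block, `#installationKey:` is a credential; the comment should point users to `existingSecret` (keys `push-id` and `push-key`) as the preferred way to supply it so the key does not sit in a plaintext values file, and `## Relay URI` / `## Identity URI` should state what is used when they are left unset.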
@ -181,6 +204,8 @@ ingress:
# Traefik IngressRoute CRD # Traefik IngressRoute CRD
ingressRoute: ingressRoute:
enabled: false enabled: false
# Starting on Traefik 2.10, the IngressRoute CRD moved to traefik.io namespace
newCRD: false
# Mandatory to enable IngressRoute # Mandatory to enable IngressRoute
host: "" host: ""
entrypoints: entrypoints:
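Review bot: `newCRD: false` is an opaque name for an apiVersion switch; the comment `# Starting on Traefik 2.10, the IngressRoute CRD moved to traefik.io namespace` gives the reason but not the effect. State which apiVersion each setting renders (`traefik.containo.us/v1alpha1` when false, `traefik.io/v1alpha1` when true) so users can match it to what their cluster serves, and note that the default `false` targets the API group Traefik deprecated in 2.10. `Starting on` should read `Starting with`.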
@ -200,13 +225,17 @@ persistence:
# storageClass: "-" # storageClass: "-"
## Use existing Persistent Volume Claim ## Use existing Persistent Volume Claim
# existingClaim: # existingClaim:
## Annotations to add to the Persistent Volume Claim
annotations: {}
# Use custom volume definition. Cannot be used with persistence. # Use custom volume definition. Cannot be used with persistence.
customVolume: {} customVolume: {}
#hostPath: #hostPath:
# path: "/examplefolder/vaultwarden" # path: "/examplefolder/vaultwarden"
# Additional volumes, to be used by sidecars
#additionalVolumes: []
image: image:
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
repository: vaultwarden/server repository: vaultwarden/server
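Review bot: `#additionalVolumes: []` is commented out while the sibling defaults `annotations: {}` and `customVolume: {}` are live keys; make it a live `additionalVolumes: []` for consistency with `initContainers: []`, and, since the comment says the volumes are `to be used by sidecars`, add a pointer to the Volume spec the way the initContainers section links the Container spec. The new `annotations: {}` under persistence should also say whether it has any effect when `# existingClaim:` is set, since the chart does not create the PVC in that case.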
@ -232,6 +261,30 @@ podLabels: {}
# Annotations to add to the Deployment # Annotations to add to the Deployment
deploymentAnnotations: {} deploymentAnnotations: {}
# Readiness and Liveness probes
probes: {}
#liveness:
#timeoutSeconds: 1
#periodSeconds: 10
#successThreshold: 1
#failureThreshold: 3
#readiness:
#timeoutSeconds: 1
#periodSeconds: 10
#successThreshold: 1
#failureThreshold: 3
# initContainers containers, add container spec (https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#Container)
# No templating possible, values need to be hardcoded
initContainers: []
# - name: initcontainer
# image: initcontainer:1.2.3
# env:
# - name: INITCONTAINER_END
# value: "initcontainer"
# volumeMounts:
# - name: vaultwarden
# mountPath: /data
# Sidecar containers, add container spec (https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#Container) # Sidecar containers, add container spec (https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#Container)
# No templating possible, values need to be hardcoded # No templating possible, values need to be hardcoded
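Review bot: the commented `probes:` example cannot be restored by uncommenting it: `#liveness:` and `#timeoutSeconds: 1` sit at the same indentation, so removing the `#` yields flat keys rather than the nested `probes.liveness.timeoutSeconds` structure the template presumably reads; indent the children under `liveness` and `readiness`. `# initContainers containers, add container spec` doubles the word. Since the example mounts `name: vaultwarden` at `/data` and the header says `No templating possible`, document that `vaultwarden` is the fixed name of the data volume the chart creates; a mount referencing any other name is rejected at pod creation.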