diff --git a/vaultwarden/.helmignore b/vaultwarden/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/vaultwarden/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/vaultwarden/Chart.yaml b/vaultwarden/Chart.yaml new file mode 100644 index 0000000..16b112b --- /dev/null +++ b/vaultwarden/Chart.yaml @@ -0,0 +1,14 @@ +apiVersion: v2 +appVersion: 1.27.0 +description: Unofficial Bitwarden compatible server written in Rust +home: https://github.com/dani-garcia/vaultwarden - bitwarden - bitwarden_rs - password + - vaultwarden +icon: https://upload.wikimedia.org/wikipedia/commons/0/03/Bitwarden_Logo.png +maintainers: +- email: silvio@gissilabs.com + name: Silvio Gissi +name: vaultwarden +sources: +- https://github.com/dani-garcia/vaultwarden +type: application +version: 1.0.0 diff --git a/vaultwarden/README.md b/vaultwarden/README.md new file mode 100644 index 0000000..c7e1de5 --- /dev/null +++ b/vaultwarden/README.md 
@@ -0,0 +1,189 @@
+# Gissilabs Helm Charts
+
+## Upgrade from bitwardenrs Helm Chart
+
+The upstream project changed its name from bitwarden_rs to Vaultwarden on April 27th, 2021. If you are using the bitwardenrs chart, the following changes are needed to use this chart:
+
+- Change chart name from gissilabs/bitwardenrs to gissilabs/vaultwarden
+- If using custom values, update top-level "bitwardenrs" option to "vaultwarden"
+
+Chart and application version numbers are the same across both charts.
+
+## Vaultwarden
+
+Vaultwarden (previously known as bitwarden_rs) is an unofficial Bitwarden compatible server written in Rust. For more information, check the project on Github:
+
+## Helm Chart
+
+The default installation will deploy one Vaultwarden instance using a SQLite database without persistence. All data will be lost if the pod is deleted.
+
+```bash
+# Uncomment below if the Gissilabs repository is not yet added to Helm
+#helm repo add gissilabs https://gissilabs.github.io/charts/
+helm install myvaultwarden gissilabs/vaultwarden
+```
+
+See options below to customize the deployment.
+
+## **Database**
+
+Option | Description | Format | Default
+------ | ----------- | ------ | -------
+database.type | Backend database type | sqlite, mysql or postgresql | sqlite
+database.wal | Enable SQLite Write-Ahead-Log, ignored for external databases | true / false | true
+database.url | URL of external database (MySQL/PostgreSQL) | \[mysql\|postgresql\]://user:pass@host:port\[/database\] | Empty
+database.existingSecret | Use existing secret for database URL, key 'database-url' | Secret name | Not defined
+database.maxConnections | Set the size of the database connection pool | Number | 10
+database.retries | Connection retries during startup, 0 for infinite. 1 second between retries | Number | 15
+
+## **Main application**
+
+Option | Description | Format | Default
+------ | ----------- | ------ | -------
+vaultwarden.domain | Bitwarden URL. Mandatory for invitations over email | http\[s\]://hostname | Not defined
+vaultwarden.allowSignups | Allow any user to sign-up. [More information](https://github.com/dani-garcia/vaultwarden/wiki/Disable-registration-of-new-users) | true / false | true
+vaultwarden.signupDomains | Whitelist domains allowed to sign-up. 'allowSignups' is ignored if set | domain1,domain2 | Not defined
+vaultwarden.verifySignup | Verify e-mail before login is enabled. SMTP must be enabled | true / false | false
+vaultwarden.requireEmail | Require that an e-mail is sucessfully sent before login. SMTP must be enabled | true / false | false
+vaultwarden.emailAttempts | Maximum attempts before an email token is reset and a new email will need to be sent | Number | 3
+vaultwarden.emailTokenExpiration | Email token validity in seconds | Number | 600
+vaultwarden.allowInvitation | Allow invited users to sign-up even feature is disabled. [More information](https://github.com/dani-garcia/vaultwarden/wiki/Disable-invitations) | true / false | true
+vaultwarden.invitationExpiration | Number of hours after which tokens expire (organization invite, emergency access, email verification and deletion request | Number (minimum 1) | 120
+vaultwarden.defaultInviteName | Default organization name in invitation e-mails that are not coming from a specific organization. | Text | Vaultwarden
+vaultwarden.passwordHintsAllowed | Allow users to set password hints. Applies to all users. | true / false | true
+vaultwarden.showPasswordHint | Show password hints. [More Information](https://github.com/dani-garcia/vaultwarden/wiki/Password-hint-display) | true / false | false
+vaultwarden.enableWebsockets | Enable Websockets for notification. [More Information](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-WebSocket-notifications). If using Ingress controllers, "notifications/hub" URL is redirected to websocket port | true / false | true
+vaultwarden.enableWebVault | Enable Web Vault static site. [More Information](https://github.com/dani-garcia/vaultwarden/wiki/Disabling-or-overriding-the-Vault-interface-hosting). | true / false | true
+vaultwarden.enableSends | Enable Bitwarden Sends globally. | true / false | true
+vaultwarden.orgCreationUsers | Restrict creation of orgs. | 'all', 'none' or a comma-separated list of users. | all
+vaultwarden.attachmentLimitOrg | Limit attachment disk usage in Kb per organization | Number | Not defined
+vaultwarden.attachmentLimitUser | Limit attachment disk usage in Kb per user | Number | Not defined
+vaultwarden.hibpApiKey | API Key to use HaveIBeenPwned service. Can be purchased at [here](https://haveibeenpwned.com/API/Key) | Text | Not defined
+vaultwarden.autoDeleteDays | Number of days to auto-delete trashed items. | Number | Empty (never auto-delete)
+vaultwarden.orgEvents | Enable Organization event logging | true / false | false
+vaultwarden.orgEventsRetention | Organization event log retention in days | Number | Empty (never delete)
+vaultwarden.extraEnv | Pass extra environment variables | Map | Not defined
+vaultwarden.log.file | Filename to log to disk. [More information](https://github.com/dani-garcia/vaultwarden/wiki/Logging) | File path | Empty
+vaultwarden.log.level | Change log level | trace, debug, info, warn, error or off | Empty
+vaultwarden.log.timeFormat | Log timestamp | Rust chrono [format](https://docs.rs/chrono/0.4.15/chrono/format/strftime/index.html). | Time in milliseconds | Empty
+
+## **Application Features**
+
+:warning: SMTP SSL/TLS settings changed following Vaultwarden v1.25 release, see [Upgrade](#upgrade)
+
+Option | Description | Format | Default
+------ | ----------- | ------ | -------
+vaultwarden.admin.enabled | Enable admin portal. Change settings in the portal will overwrite chart options. | true / false | false
+vaultwarden.admin.disableAdminToken | Disabling the admin token will make the admin portal accessible to anyone, use carefully. [More Information](https://github.com/dani-garcia/vaultwarden/wiki/Disable-admin-token) | true / false | false
+vaultwarden.admin.token | Token for admin login, will be generated if not defined. [More Information](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page) | Text | Auto-generated
+vaultwarden.admin.existingSecret | Use existing secret for the admin token. Key is 'admin-token' | Secret name | Not defined
+|||
+vaultwarden.emergency.enabled | Allow any user to enable emergency access. | true / false | true
+vaultwarden.emergency.reminder | Schedule to send expiration reminders to emergency access grantors. | Cron schedule format, blank to disable | "0 3 \* \* \* \*" (hourly 3 minutes after the hour)
+vaultwarden.emergency.timeout | Schedule to grant emergency access requests that have met the required wait time. | Cron schedule format, blank to disable | "0 3 \* \* \* \*" (hourly 3 minutes after the hour)
+|||
+vaultwarden.smtp.enabled | Enable SMTP | true / false | false
+vaultwarden.smtp.host | SMTP hostname **required** | Hostname | Empty
+vaultwarden.smtp.from | SMTP sender e-mail address **required** | E-mail | Empty
+vaultwarden.smtp.fromName | SMTP sender name | Text | Vaultwarden
+vaultwarden.smtp.security | Set SMTP connection security [More Information](https://github.com/dani-garcia/vaultwarden/wiki/SMTP-Configuration) | starttls / force_tls / off | starttls
+vaultwarden.smtp.port | SMTP TCP port | Number | Security off: 25, starttls: 587, force_tls: 465
+vaultwarden.smtp.authMechanism | SMTP Authentication Mechanisms | Comma-separated list: 'Plain', 'Login', 'Xoauth2' | Plain
+vaultwarden.smtp.heloName | Hostname to be sent for SMTP HELO | Text | Pod name
+vaultwarden.smtp.timeout | SMTP connection timeout in seconds | Number | 15
+vaultwarden.smtp.invalidHostname | Accept valid certificates even if hostnames does not match. DANGEROUS! | true / false | false
+vaultwarden.smtp.invalidCertificate | Accept invalid certificates. DANGEROUS! | true / false | false
+vaultwarden.smtp.user | SMTP username | Text | Not defined
+vaultwarden.smtp.password | SMTP password. Required is user is specified | Text | Not defined
+vaultwarden.smtp.existingSecret | Use existing secret for SMTP authentication. Keys are 'smtp-user' and 'smtp-password' | Secret name | Not defined
+vaultwarden.smtp.embedImages | Embed images as email attachments | true / false | false
+|||
+vaultwarden.yubico.enabled | Enable Yubikey support | true / false | false
+vaultwarden.yubico.server | Yubico server | Hostname | YubiCloud
+vaultwarden.yubico.clientId | Yubico ID | Text | Not defined
+vaultwarden.yubico.secretKey | Yubico Secret Key | Text | Not defined
+vaultwarden.yubico.existingSecret | Use existing secret for ID and Secret. Keys are 'yubico-client-id' and 'yubico-secret-key' | Secret name | Not defined
+|||
+vaultwarden.icons.service | Service to fetch icons from | "internal", "bitwarden", "duckduckgo", "google" or custom URL | internal
+vaultwarden.icons.disableDownload | Disables download of external icons, icons in cache will still be served | true / false | false
+vaultwarden.icons.cache | Cache time-to-live for icons fetched. 0 means no purging | Number | 2592000. If download is disabled, defaults to 0
+vaultwarden.icons.cacheFailed | Cache time-to-live for icons that were not available. 0 means no purging | Number | 2592000
+vaultwarden.icons.redirectCode | HTTP code to use for redirects to an external icon service | true / false | 302
+
+## **Network**
+
+Option | Description | Format | Default
+------ | ----------- | ------ | -------
+service.type | Service Type. [More Information](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) | Type | ClusterIP
+service.httpPort | Service port for HTTP server | Number | 80
+service.websocketPort | Service port for Websocket server, if enabled | Number | 3012
+service.externalTrafficPolicy | External Traffic Policy. [More Information](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip) | Local / Cluster| Cluster
+service.loadBalancerIP | Manually select IP when type is LoadBalancer | IP address | Not defined
+service.nodePorts.http | Manually select node port for http | Number | Empty
+service.nodePorts.websocket | Manually select node port for websocker, if enabled | Number | Empty
+|||
+ingress.enabled | Enable Ingress | true / false | false
+ingress.className | Name of the ingress class | string | Empty
+ingress.host | Ingress hostname **required** | Hostname | Empty
+ingress.annotations | Ingress annotations | Map | Empty
+ingress.tls | Ingress TLS options | Array of Maps | Empty
+|||
+ingressRoute.enabled | Enable Traefik IngressRoute CRD | true / false | false
+ingressRoute.host | Ingress route hostname **required** | Hostname | Empty
+ingressRoute.middlewares | Enable middlewares | Map | Empty
+ingressRoute.entrypoints | List of Traefik endpoints | Array of Text | \[websecure\]
+ingressRoute.tls | Ingress route TLS options | Map | Empty
+
+## **Storage**
+
+Option | Description | Format | Default
+------ | ----------- | ------ | -------
+persistence.enabled | Create persistent volume (PVC). Holds attachments, icon cache and, if used, the SQLite database | true / false | false
+persistence.size | Size of volume | Size | 1Gi
+persistence.accessMode | Volume access mode | Text | ReadWriteOnce
+persistence.storageClass | Storage Class | Text | Not defined. Use "-" for default class
+persistence.existingClaim | Use existing PVC | Name of PVC | Not defined
+customVolume | Use custom volume definition. Cannot be used with persistence | Map | Empty
+
+## **Image**
+
+Option | Description | Format | Default
+------ | ----------- | ------ | -------
+image.tag | Docker image tag | Text | Chart appVersion (Chart.yaml)
+image.repository | Docker image | Text | vaultwarden/server
+imagePullSecrets | Image pull secrets | Array | Empty
+
+## **General Kubernetes/Helm**
+
+Option | Description | Format | Default
+------ | ----------- | ------ | -------
+strategy | Deployment Strategy options | sub-tree | Empty
+replicaCount | Number of pod replicas | Number | 1
+nameOverride | Name override | Text | Empty
+fullnameOverride | Full name override | Text | Empty
+serviceAccount.create | Create Service Account | true / false | false
+serviceAccount.annotations | Annotations service account | Map | Empty
+serviceAccount.name | Service Account name | Text | Generated from template
+deploymentAnnotations | Deployment Annotations | Map | Empty
+sidecars | Sidecar container definition [Spec](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#Container) | Array | Empty
+podAnnotations | Pod Annotations | Map | Empty
+podLabels | Extra Pod Labels | Map | Empty
+podSecurityContext | Pod-level Security Context | Map | {fsGroup:65534}
+securityContext | Container-level Security Context | Map | {runAsUser:65534, runAsGroup:65534}
+resources | Deployment Resources | Map | Empty
+nodeSelector | Node selector | Map | Empty
+tolerations | Tolerations | Array | Empty
+affinity | Affinity | Map | Empty
+
+## Upgrade
+
+### From 0.x to 1.x
+
+Vaultwarden version before v1.25.0 had a [bug/mislabelled](https://github.com/dani-garcia/vaultwarden/issues/851) configuration setting regarding SSL and TLS. This has been fixed in testing and newer released versions. When image version is 1.25 or higher, use vaultwarden.smtp.security instead of vaultwarden.smtp.ssl/vaultwarden.smtp.explicitTLS.
+
+ssl | explicitTLS | security equivalent
+--- | ----------- | -------------------
+false | false | off
+false | true | off
+true | false | starttls
+true | true | force_tls
diff --git a/vaultwarden/templates/NOTES.txt b/vaultwarden/templates/NOTES.txt
new file mode 100644
index 0000000..194c226
--- /dev/null
+++ b/vaultwarden/templates/NOTES.txt
@@ -0,0 +1,25 @@
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+ http{{ if $.Values.ingress.tls }}s{{ end }}://{{ .Values.ingress.host }}/
+{{- else if .Values.ingressRoute.enabled }}
+ http{{ if $.Values.ingressRoute.tls }}s{{ end }}://{{ .Values.ingressRoute.host }}/
+{{- else }}
+ {{- if eq .Values.vaultwarden.enableWebsockets true }}
+ NOTE: the websocket listens on a different port and might not work unless /notifications/hub is redirected externally.
+
+ {{- end }}
+ {{- if contains "NodePort" .Values.service.type }}
+ export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "vaultwarden.fullname" . }})
+ export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+ echo http://$NODE_IP:$NODE_PORT
+ {{- else if contains "LoadBalancer" .Values.service.type }}
+ NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+ You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "vaultwarden.fullname" . }}'
+ export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "vaultwarden.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+ echo http://$SERVICE_IP:{{ .Values.service.httpPort }}
+ {{- else if contains "ClusterIP" .Values.service.type }}
+ export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "vaultwarden.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+ echo "Visit http://127.0.0.1:8080 to use your application"
+ kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:8080
+{{- end }}
+{{- end }}
\ No newline at end of file
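Review bot: The websocket warning in this hunk tests the flag with `{{- if eq .Values.vaultwarden.enableWebsockets true }}`, while deployment.yaml and ingress.yaml in the same commit test the same value with a bare `{{- if .Values.vaultwarden.enableWebsockets }}`; the strict `eq ... true` form behaves differently for any non-boolean representation of the value, so the printed notes and the rendered manifests can disagree for one values file. I would align it to `{{- if .Values.vaultwarden.enableWebsockets }}`. The LoadBalancer branch also prints `You can watch the status of by running ...`, which is missing a word; `You can watch the status of it by running ...` reads correctly.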
diff --git a/vaultwarden/templates/_helpers.tpl b/vaultwarden/templates/_helpers.tpl
new file mode 100644
index 0000000..acabb8c
--- /dev/null
+++ b/vaultwarden/templates/_helpers.tpl
@@ -0,0 +1,105 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "vaultwarden.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "vaultwarden.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "vaultwarden.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "vaultwarden.labels" -}}
+helm.sh/chart: {{ include "vaultwarden.chart" . }}
+{{ include "vaultwarden.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "vaultwarden.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "vaultwarden.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "vaultwarden.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "vaultwarden.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Ensure valid DB type is select, defaults to SQLite
+*/}}
+{{- define "vaultwarden.dbTypeValid" -}}
+{{- if not (or (eq .Values.database.type "postgresql") (eq .Values.database.type "mysql") (eq .Values.database.type "sqlite")) }}
+{{- required "Invalid database type" nil }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Ensure log type is valid
+*/}}
+{{- define "vaultwarden.logLevelValid" -}}
+{{- if not (or (eq .Values.vaultwarden.log.level "trace") (eq .Values.vaultwarden.log.level "debug") (eq .Values.vaultwarden.log.level "info") (eq .Values.vaultwarden.log.level "warn") (eq .Values.vaultwarden.log.level "error") (eq .Values.vaultwarden.log.level "off")) }}
+{{- required "Invalid log level" nil }}
+{{- end }}
+{{- end }}
+
+{{/*
+Ensure SMTP Security setting is valid
+*/}}
+
+{{- define "vaultwarden.smtpSecurityValid" -}}
+{{- if or (hasKey .Values.vaultwarden.smtp "ssl") (hasKey .Values.vaultwarden.smtp "explicitTLS") }}
+{{- required "SMTP options ssl and explicitTLS are deprecated for Vaulwarden 1.25 or newer, see documentation" nil }}
+{{- end }}
+{{- if not (or (eq .Values.vaultwarden.smtp.security "off") (eq .Values.vaultwarden.smtp.security "starttls") (eq .Values.vaultwarden.smtp.security "force_tls") ) }}
+{{- required "Invalid SMTP security setting, valid options are: off, starttls and force_tls" nil }}
+{{- end }}
+{{- end }}
+
+
+{{- define "vaultwarden.domainSubPath" -}}
+{{- if .Values.vaultwarden.domain }}
+{{- if not (regexMatch "https?:\\/\\/.*?(\\/|$)" .Values.vaultwarden.domain) }}
+{{- required "Invalid domain, must start with http or https" nil }}
+{{- end }}
+{{- $subpath := regexReplaceAll "https?:\\/\\/.*?(\\/|$)" .Values.vaultwarden.domain "" -}}/{{ $subpath }}
+{{- else }}/
+{{- end }}
+{{- end -}}
\ No newline at end of file
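Review bot: `vaultwarden.domainSubPath` is the only define in this hunk without a `{{/* ... */}}` header, and it is not obvious from the body alone that its output becomes the liveness/readiness probe path in deployment.yaml; I would add above the define `{{/* Probe path derived from vaultwarden.domain: strips the scheme and host and returns the remaining sub-path, or "/" when no domain is set; rendering fails if the domain does not start with http(s). */}}`. Two smaller points in the same hunk: the header for `vaultwarden.smtpSecurityValid` is separated from its define by a blank line, unlike every other helper here, and the `vaultwarden.dbTypeValid` header reads `Ensure valid DB type is select, defaults to SQLite` although nothing in that define applies a default — `Ensure the configured DB type is one of postgresql, mysql or sqlite` states what the code actually checks.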
diff --git a/vaultwarden/templates/deployment.yaml b/vaultwarden/templates/deployment.yaml
new file mode 100644
index 0000000..e83ad31
--- /dev/null
+++ b/vaultwarden/templates/deployment.yaml
@@ -0,0 +1,342 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "vaultwarden.fullname" . }}
+ labels:
+ {{- include "vaultwarden.labels" . | nindent 4 }}
+ {{- with .Values.deploymentAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ {{- with .Values.strategy }}
+ strategy:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ {{- include "vaultwarden.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "vaultwarden.selectorLabels" . | nindent 8 }}
+ {{- if .Values.podLabels }}
+ {{- toYaml .Values.podLabels | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "vaultwarden.serviceAccountName" . }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ containers:
+ - name: {{ .Chart.Name }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ env:
+ - name: ROCKET_PORT
+ value: "8080"
+ - name: SIGNUPS_ALLOWED
+ value: {{ .Values.vaultwarden.allowSignups | quote }}
+ {{- if .Values.vaultwarden.signupDomains }}
+ - name: SIGNUPS_DOMAINS_WHITELIST
+ value: {{ join "," .Values.vaultwarden.signupDomains | quote }}
+ {{- end }}
+ {{- if and (eq .Values.vaultwarden.verifySignup true) (eq .Values.vaultwarden.smtp.enabled false) }}{{ required "Signup verification requires SMTP to be enabled" nil}}{{end}}
+ - name: SIGNUPS_VERIFY
+ value: {{ .Values.vaultwarden.verifySignup | quote }}
+ {{- if and (eq .Values.vaultwarden.requireEmail true) (eq .Values.vaultwarden.smtp.enabled false) }}{{ required "Requiring emails for login depends on SMTP" nil}}{{end}}
+ - name: REQUIRE_DEVICE_EMAIL
+ value: {{ .Values.vaultwarden.requireEmail | quote }}
+ {{- if .Values.vaultwarden.emailAttempts }}
+ - name: EMAIL_ATTEMPTS_LIMIT
+ value: {{ .Values.vaultwarden.emailAttempts | quote }}
+ {{- end }}
+ {{- if .Values.vaultwarden.emailTokenExpiration }}
+ - name: EMAIL_EXPIRATION_TIME
+ value: {{ .Values.vaultwarden.emailTokenExpiration | quote }}
+ {{- end }}
+ - name: INVITATIONS_ALLOWED
+ value: {{ .Values.vaultwarden.allowInvitation | quote }}
+ {{- if .Values.vaultwarden.invitationExpiration }}
+ - name: INVITATION_EXPIRATION_HOURS
+ value: {{ .Values.vaultwarden.invitationExpiration | quote }}
+ {{- end }}
+ {{- if .Values.vaultwarden.defaultInviteName }}
+ - name: INVITATION_ORG_NAME
+ value: {{ .Values.vaultwarden.defaultInviteName | quote }}
+ {{- end }}
+ {{- if hasKey .Values.vaultwarden "passwordHintsAllowed" }}
+ - name: PASSWORD_HINTS_ALLOWED
+ value: {{ .Values.vaultwarden.passwordHintsAllowed | quote }}
+ {{- end }}
+ - name: SHOW_PASSWORD_HINT
+ value: {{ .Values.vaultwarden.showPasswordHint | quote }}
+ - name: WEBSOCKET_ENABLED
+ value: {{ .Values.vaultwarden.enableWebsockets | quote }}
+ - name: WEB_VAULT_ENABLED
+ value: {{ .Values.vaultwarden.enableWebVault | quote }}
+ - name: SENDS_ALLOWED
+ value: {{ .Values.vaultwarden.enableSends | quote }}
+ - name: ORG_CREATION_USERS
+ value: {{ .Values.vaultwarden.orgCreationUsers | quote }}
+ {{- if .Values.vaultwarden.attachmentLimitOrg }}
+ - name: ORG_ATTACHMENT_LIMIT
+ value: {{ .Values.vaultwarden.attachmentLimitOrg | quote }}
+ {{- end }}
+ {{- if .Values.vaultwarden.attachmentLimitUser }}
+ - name: USER_ATTACHMENT_LIMIT
+ value: {{ .Values.vaultwarden.attachmentLimitUser | quote }}
+ {{- end }}
+ {{- if .Values.vaultwarden.hibpApiKey }}
+ - name: HIBP_API_KEY
+ value: {{ .Values.vaultwarden.hibpApiKey | quote }}
+ {{- end }}
+ {{- if .Values.vaultwarden.autoDeleteDays }}
+ - name: TRASH_AUTO_DELETE_DAYS
+ value: {{ .Values.vaultwarden.autoDeleteDays | quote }}
+ {{- end }}
+ {{- if hasKey .Values.vaultwarden "orgEvents" }}
+ - name: ORG_EVENTS_ENABLED
+ value: {{ .Values.vaultwarden.orgEvents | quote }}
+ {{- end }}
+ {{- if hasKey .Values.vaultwarden "orgEventsRetention" }}
+ - name: EVENTS_DAYS_RETAIN
+ value: {{ .Values.vaultwarden.orgEventsRetention | quote }}
+ {{- end }}
+ {{- if .Values.vaultwarden.extraEnv }}
+ {{- range $key, $val := .Values.vaultwarden.extraEnv }}
+ - name: {{ $key }}
+ value: {{ $val | quote }}
+ {{- end }}
+ {{- end }}
+ {{- include "vaultwarden.dbTypeValid" . }}
+ {{- if .Values.database.retries }}
+ - name: DB_CONNECTION_RETRIES
+ value: {{ .Values.database.retries | quote }}
+ {{- end }}
+ {{- if .Values.database.maxConnections }}
+ - name: DATABASE_MAX_CONNS
+ value: {{ .Values.database.maxConnections | quote }}
+ {{- end }}
+ {{- if eq .Values.database.type "sqlite" }}
+ - name: ENABLE_DB_WAL
+ value: {{ .Values.database.wal | quote }}
+ {{- else }}
+ - name: ENABLE_DB_WAL
+ value: "false"
+ - name: DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: {{ if .Values.database.existingSecret }}{{ .Values.database.existingSecret }}{{else}}{{ include "vaultwarden.fullname" . }}{{end}}
+ key: database-url
+ {{- end }}
+ {{- if .Values.vaultwarden.domain }}
+ - name: DOMAIN
+ value: {{ .Values.vaultwarden.domain | quote }}
+ {{- end }}
+ {{- if eq .Values.vaultwarden.admin.enabled true }}
+ {{- if eq .Values.vaultwarden.admin.disableAdminToken true }}
+ - name: DISABLE_ADMIN_TOKEN
+ value: "true"
+ {{- else }}
+ - name: ADMIN_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.vaultwarden.admin.existingSecret | default (include "vaultwarden.fullname" .) }}
+ key: admin-token
+ {{- end }}
+ {{- end }}
+ - name: EMERGENCY_ACCESS_ALLOWED
+ value: {{ .Values.vaultwarden.emergency.enabled | quote }}
+ {{- if eq .Values.vaultwarden.emergency.enabled true }}
+ {{- if not (kindIs "invalid" .Values.vaultwarden.emergency.reminder) }}
+ - name: EMERGENCY_NOTIFICATION_REMINDER_SCHEDULE
+ value: {{ .Values.vaultwarden.emergency.reminder | quote }}
+ {{- end }}
+ {{- if not (kindIs "invalid" .Values.vaultwarden.emergency.timeout) }}
+ - name: EMERGENCY_REQUEST_TIMEOUT_SCHEDULE
+ value: {{ .Values.vaultwarden.emergency.timeout | quote }}
+ {{- end }}
+ {{- end }}
+ {{- if eq .Values.vaultwarden.smtp.enabled true }}
+ - name: SMTP_HOST
+ value: {{ required "SMTP host is required to enable SMTP" .Values.vaultwarden.smtp.host | quote }}
+ - name: SMTP_FROM
+ value: {{ required "SMTP sender address ('from') is required to enable SMTP" .Values.vaultwarden.smtp.from | quote }}
+ {{- if .Values.vaultwarden.smtp.fromName }}
+ - name: SMTP_FROM_NAME
+ value: {{ .Values.vaultwarden.smtp.fromName | quote }}
+ {{- end }}
+ {{- if semverCompare "<1.25.0" (.Values.image.tag | default .Chart.AppVersion) }}
+ - name: SMTP_SSL
+ value: {{ required "Value smtp.ssl required for Vaultwarden prior to 1.25" .Values.vaultwarden.smtp.ssl | quote }}
+ {{- if required "Value smtp.explictTLS required for Vaultwarden prior to 1.25" .Values.vaultwarden.smtp.explicitTLS }}
+ {{- if (eq .Values.vaultwarden.smtp.ssl false) }}
+ {{- required "Explicit TLS requires SSL to be enabled" nil }}
+ {{- end }}
+ - name: SMTP_EXPLICIT_TLS
+ value: {{ .Values.vaultwarden.smtp.explicitTLS | quote }}
+ {{- end}}
+ {{- else }}
+ {{- include "vaultwarden.smtpSecurityValid" . }}
+ - name: SMTP_SECURITY
+ value: {{ .Values.vaultwarden.smtp.security | quote }}
+ {{- end }}
+ {{- if .Values.vaultwarden.smtp.port }}
+ - name: SMTP_PORT
+ value: {{ .Values.vaultwarden.smtp.port | quote }}
+ {{- end }}
+ {{- if .Values.vaultwarden.smtp.authMechanism }}
+ - name: SMTP_AUTH_MECHANISM
+ value: {{ .Values.vaultwarden.smtp.authMechanism | quote }}
+ {{- end }}
+ {{- if .Values.vaultwarden.smtp.heloName }}
+ - name: HELO_NAME
+ value: {{ .Values.vaultwarden.smtp.heloName | quote }}
+ {{- end }}
+ {{- if .Values.vaultwarden.smtp.timeout }}
+ - name: SMTP_TIMEOUT
+ value: {{ .Values.vaultwarden.smtp.timeout | quote }}
+ {{- end }}
+ {{- if .Values.vaultwarden.smtp.invalidHostname }}
+ - name: SMTP_ACCEPT_INVALID_HOSTNAMES
+ value: {{ .Values.vaultwarden.smtp.invalidHostname | quote }}
+ {{- end }}
+ {{- if .Values.vaultwarden.smtp.invalidCertificate }}
+ - name: SMTP_ACCEPT_INVALID_CERTS
+ value: {{ .Values.vaultwarden.smtp.invalidCertificate | quote }}
+ {{- end }}
+ {{- if or .Values.vaultwarden.smtp.existingSecret .Values.vaultwarden.smtp.user }}
+ - name: SMTP_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.vaultwarden.smtp.existingSecret | default (include "vaultwarden.fullname" .) }}
+ key: smtp-user
+ - name: SMTP_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.vaultwarden.smtp.existingSecret | default (include "vaultwarden.fullname" .) }}
+ key: smtp-password
+ {{- end }}
+ {{- if hasKey .Values.vaultwarden.smtp "embedImages" }}
+ - name: SMTP_EMBED_IMAGES
+ value: {{ .Values.vaultwarden.smtp.embedImages | quote }}
+ {{- end }}
+ {{- end }}{{/*SMTP*/}}
+ {{- if eq .Values.vaultwarden.yubico.enabled true }}
+ {{- if .Values.vaultwarden.yubico.server }}
+ - name: YUBICO_SERVER
+ value: {{ .Values.vaultwarden.yubico.server | quote }}
+ {{- end }}
+ - name: YUBICO_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.vaultwarden.yubico.existingSecret | default (include "vaultwarden.fullname" .) }}
+ key: yubico-client-id
+ - name: YUBICO_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.vaultwarden.yubico.existingSecret | default (include "vaultwarden.fullname" .) }}
+ key: yubico-secret-key
+ {{- end }}
+ {{- if .Values.vaultwarden.log.file }}
+ - name: LOG_FILE
+ value: {{ .Values.vaultwarden.log.file | quote }}
+ {{- end }}
+ {{- if or .Values.vaultwarden.log.level .Values.vaultwarden.log.timeFormat }}
+ - name: EXTENDED_LOGGING
+ value: "true"
+ {{- end }}
+ {{- if .Values.vaultwarden.log.level }}
+ {{- include "vaultwarden.logLevelValid" . }}
+ - name: LOG_LEVEL
+ value: {{ .Values.vaultwarden.log.level | quote }}
+ {{- end }}
+ {{- if .Values.vaultwarden.log.timeFormat }}
+ - name: LOG_TIMESTAMP_FORMAT
+ value: {{ .Values.vaultwarden.log.timeFormat | quote }}
+ {{- end }}
+ {{- if hasKey .Values.vaultwarden.icons "service" }}
+ - name: ICON_SERVICE
+ value: {{ .Values.vaultwarden.icons.service | quote }}
+ {{- end }}
+ {{- if .Values.vaultwarden.icons.disableDownload }}
+ - name: DISABLE_ICON_DOWNLOAD
+ value: {{ .Values.vaultwarden.icons.disableDownload | quote }}
+ {{- if and (not .Values.vaultwarden.icons.cache) (eq .Values.vaultwarden.icons.disableDownload "true") }}
+ - name: ICON_CACHE_TTL
+ value: 0
+ {{- end }}
+ {{- end }}
+ {{- if .Values.vaultwarden.icons.cache }}
+ - name: ICON_CACHE_TTL
+ value: {{ .Values.vaultwarden.icons.cache }}
+ {{- end }}
+ {{- if .Values.vaultwarden.icons.cacheFailed }}
+ - name: ICON_CACHE_NEGTTL
+ value: {{ .Values.vaultwarden.icons.cacheFailed }}
+ {{- end }}
+ {{- if hasKey .Values.vaultwarden.icons "redirectCode" }}
+ - name: ICON_REDIRECT_CODE
+ value: {{ .Values.vaultwarden.icons.redirectCode | quote }}
+ {{- end }}
+ ports:
+ - name: http
+ containerPort: 8080
+ protocol: TCP
+ {{- if .Values.vaultwarden.enableWebsockets }}
+ - name: websocket
+ containerPort: 3012
+ protocol: TCP
+ {{- end }}
+ livenessProbe:
+ httpGet:
+ path: {{ include "vaultwarden.domainSubPath" . }}
+ port: http
+ readinessProbe:
+ httpGet:
+ path: {{ include "vaultwarden.domainSubPath" . }}
+ port: http
+ volumeMounts:
+ - name: {{ include "vaultwarden.fullname" . }}
+ mountPath: /data
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ {{- if .Values.sidecars }}
+ {{- toYaml .Values.sidecars | nindent 8 }}
+ {{- end }}
+ volumes:
+ - name: {{ include "vaultwarden.fullname" . }}
+ {{- if and .Values.persistence.enabled .Values.customVolume }}
+ {{ required "customVolume cannot be used if persistence is enabled." nil }}
+ {{- end }}
+ {{- if .Values.persistence.enabled }}
+ persistentVolumeClaim:
+ claimName: {{ if .Values.persistence.existingClaim }}{{ .Values.persistence.existingClaim | quote }}{{- else }}{{ include "vaultwarden.fullname" . }}{{- end }}
+ {{- else if .Values.customVolume }}
+ {{- toYaml .Values.customVolume | nindent 8 }}
+ {{- else }}
+ emptyDir: {}
+ {{- end }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/vaultwarden/templates/ingress.yaml b/vaultwarden/templates/ingress.yaml
new file mode 100644
index 0000000..53d4b62
--- /dev/null
+++ b/vaultwarden/templates/ingress.yaml
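Review bot: `HIBP_API_KEY` is rendered as a plain `value:` from `.Values.vaultwarden.hibpApiKey`, while every other credential in this hunk (admin token, SMTP password, Yubico key, database URL) is injected through a `secretKeyRef`; as written the API key is readable by anyone who can get the Deployment or Pod spec and it is stored with the release manifest. I would source it from the chart's Secret like the others, with the key populated by the secret template (not in this diff); the `hibpExistingSecret` value in the excerpt below is a proposed addition, not an existing option. Separately, the icon settings near the end of the env list emit non-string values — `value: 0`, `value: {{ .Values.vaultwarden.icons.cache }}` and `value: {{ .Values.vaultwarden.icons.cacheFailed }}` — and a Kubernetes EnvVar value must be a string, so the API server rejects the manifest whenever these are set numerically; `value: "0"`, `value: {{ .Values.vaultwarden.icons.cache | quote }}` and `value: {{ .Values.vaultwarden.icons.cacheFailed | quote }}` match the rest of the file. The guard `(eq .Values.vaultwarden.icons.disableDownload "true")` compares a value the README documents as `true / false` against the string `"true"`, which in Go text/template is either false or a render error depending on the value's type, so the `ICON_CACHE_TTL` fallback presumably never fires for `disableDownload: true`; `eq .Values.vaultwarden.icons.disableDownload true` would match the boolean case.
```yaml
# … unchanged: env entries up to USER_ATTACHMENT_LIMIT …
{{- if or .Values.vaultwarden.hibpExistingSecret .Values.vaultwarden.hibpApiKey }}
- name: HIBP_API_KEY
  valueFrom:
    secretKeyRef:
      name: {{ .Values.vaultwarden.hibpExistingSecret | default (include "vaultwarden.fullname" .) }}
      key: hibp-api-key  # proposed key; must also be written by the chart's secret template
{{- end }}
# … unchanged: remaining env entries, ports, probes, volumes …
```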
@@ -0,0 +1,67 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "vaultwarden.fullname" . -}} +{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" -}} +apiVersion: networking.k8s.io/v1 +{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress" -}} +apiVersion: networking.k8s.io/v1beta1 +{{- else -}} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "vaultwarden.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if .Values.ingress.className }} + ingressClassName: {{ .Values.ingress.className }} + {{- end }} + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + - host: {{ required "Host required for ingress" .Values.ingress.host | quote }} + http: + paths: + {{- if .Values.vaultwarden.enableWebsockets }} + - path: "/notifications/hub" + {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} + pathType: Prefix + {{- end }} + backend: + {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} + service: + name: {{ $fullName }} + port: + number: {{ .Values.service.websocketPort }} + {{- else }} + serviceName: {{ $fullName }} + servicePort: {{ .Values.service.websocketPort }} + {{- end }} + {{- end }} + - path: "/" + {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} + pathType: Prefix + {{- end }} + backend: + {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} + service: + name: {{ $fullName }} + port: + number: {{ .Values.service.httpPort }} + {{- else }} + serviceName: {{ $fullName }} + servicePort: {{ .Values.service.httpPort }} + {{- end }} +{{- end }} 
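Review bot: The `networking.k8s.io/v1/Ingress` capability check is repeated four times in the paths block, twice as `.Capabilities.APIVersions.Has` (for `pathType`) and twice as `$.Capabilities.APIVersions.Has` (for `backend`), even though neither sits inside a `range` and both resolve to the same value; the mixed forms read as if one were scoped differently. Hoist it once next to `$fullName`, `{{- $useV1 := .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" -}}`, and replace each of the four checks with `{{- if $useV1 }}`. For consistency with the quoted `hosts` entries and `host`, `secretName: {{ .secretName }}` and `ingressClassName: {{ .Values.ingress.className }}` could also take `| quote` so a missing value renders as an empty string instead of null.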
diff --git a/vaultwarden/templates/ingressroute.yaml b/vaultwarden/templates/ingressroute.yaml new file mode 100644 index 0000000..e2ec522 --- /dev/null +++ b/vaultwarden/templates/ingressroute.yaml @@ -0,0 +1,40 @@ +{{- if .Values.ingressRoute.enabled -}} +{{- $fullName := include "vaultwarden.fullname" . -}} +{{- $host := (required "Host required for IngressRoute" .Values.ingressRoute.host ) -}} +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: {{ $fullName }} + labels: + {{- include "vaultwarden.labels" . | nindent 4 }} +spec: + entryPoints: + {{- range .Values.ingressRoute.entrypoints }} + - {{ . | quote }} + {{- end }} + routes: + {{- if .Values.vaultwarden.enableWebsockets }} + - match: Host(`{{ $host }}`) && PathPrefix(`/notifications/hub`) + kind: Rule + {{- if .Values.ingressRoute.middlewares }} + middlewares: + {{- toYaml .Values.ingressRoute.middlewares | nindent 6 }} + {{- end }} + services: + - name: {{ $fullName }} + port: {{ .Values.service.websocketPort }} + {{- end }} + - match: Host(`{{ $host }}`) + kind: Rule + {{- if .Values.ingressRoute.middlewares }} + middlewares: + {{- toYaml .Values.ingressRoute.middlewares | nindent 6 }} + {{- end }} + services: + - name: {{ $fullName }} + port: {{ .Values.service.httpPort }} + {{- if .Values.ingressRoute.tls }} + tls: + {{- toYaml .Values.ingressRoute.tls | nindent 4 }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/vaultwarden/templates/pvc.yaml b/vaultwarden/templates/pvc.yaml new file mode 100644 index 0000000..6ef9c1e --- /dev/null +++ b/vaultwarden/templates/pvc.yaml 
@@ -0,0 +1,15 @@ +{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ include "vaultwarden.fullname" . }} +spec: + accessModes: + - {{ .Values.persistence.accessMode | quote }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + {{- if .Values.persistence.storageClass }} + storageClassName: {{ .Values.persistence.storageClass | quote }} + {{- end }} +{{- end -}} \ No newline at end of file diff --git a/vaultwarden/templates/secret.yaml b/vaultwarden/templates/secret.yaml new file mode 100644 index 0000000..65f3156 --- /dev/null +++ b/vaultwarden/templates/secret.yaml 
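Review bot: The PersistentVolumeClaim is the only resource in this commit whose `metadata` carries no chart labels, so label-based selection (`helm.sh/chart`, `app.kubernetes.io/instance`) will miss the volume that holds the vault data; add `labels:` followed by `{{- include "vaultwarden.labels" . | nindent 4 }}` under `metadata`, as secret.yaml and service.yaml do. The `kind:`-before-`apiVersion:` ordering is also the reverse of every other template here; swapping the two lines keeps the files diffable against each other.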
@@ -0,0 +1,43 @@ +{{- $adminToken := "" }} +{{- if and (eq .Values.vaultwarden.admin.enabled true) (not .Values.vaultwarden.admin.existingSecret) }} +{{- $adminToken = .Values.vaultwarden.admin.token | default (randAlphaNum 48) | b64enc | quote }} +{{- end -}} + +{{- $databaseUrl := "" }} +{{- if and (ne .Values.database.type "sqlite") (not .Values.database.existingSecret) }} +{{- $databaseUrl = required "External databases need either URL or existing secret" .Values.database.url | b64enc | quote }} +{{- end -}} + +{{- $smtpUser := "" }} +{{- if and (eq .Values.vaultwarden.smtp.enabled true ) (not .Values.vaultwarden.smtp.existingSecret) (.Values.vaultwarden.smtp.user) }} +{{- $smtpUser = .Values.vaultwarden.smtp.user | b64enc | quote }} +{{- end -}} + +{{- $yubicoClientId := "" }} +{{- if and (eq .Values.vaultwarden.yubico.enabled true ) (not .Values.vaultwarden.yubico.existingSecret) }} +{{- $yubicoClientId = required "Yubico Client ID required" .Values.vaultwarden.yubico.clientId | toString | b64enc | quote }} +{{- end -}} + +{{- if or (ne $adminToken "") (ne $databaseUrl "") (ne $smtpUser "" ) (ne $yubicoClientId "") }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "vaultwarden.fullname" . }} + labels: + {{- include "vaultwarden.labels" . | nindent 4 }} +data: + {{- if ne $adminToken "" }} + admin-token: {{ $adminToken }} + {{- end }} + {{- if ne $databaseUrl "" }} + database-url: {{ $databaseUrl }} + {{- end }} + {{- if ne $smtpUser "" }} + smtp-user: {{ $smtpUser }} + smtp-password: {{ required "Must specify SMTP password" .Values.vaultwarden.smtp.password | b64enc | quote }} + {{- end }} + {{- if ne $yubicoClientId "" }} + yubico-client-id: {{ $yubicoClientId }} + yubico-secret-key: {{ required "Yubico Secret Key required" .Values.vaultwarden.yubico.secretKey | b64enc | quote }} + {{- end }} +{{- end }} \ No newline at end of file 
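Review bot: `$adminToken = .Values.vaultwarden.admin.token | default (randAlphaNum 48) | b64enc | quote` draws a new random token on every render, so each `helm upgrade` that does not set `admin.token` rotates the admin credential and silently invalidates the one the operator is using. Reusing the value already stored in the release's Secret via `lookup` avoids that; `lookup` returns an empty map under `helm template` and `--dry-run`, so those paths still fall through to `randAlphaNum`, which is worth stating in a comment next to the assignment. The stored `data` value is already base64, so it must not go through `b64enc` again. If the chart-created Secret can ever exist without a `data` block, `.data` needs an extra guard before `index`.

```yaml
{{- $adminToken := "" }}
{{- if and (eq .Values.vaultwarden.admin.enabled true) (not .Values.vaultwarden.admin.existingSecret) }}
{{- if not .Values.vaultwarden.admin.token }}
{{- /* Reuse the token already in the cluster so upgrades do not rotate it; lookup is empty on template/dry-run. */ -}}
{{- with lookup "v1" "Secret" .Release.Namespace (include "vaultwarden.fullname" .) }}
{{- with index .data "admin-token" }}
{{- $adminToken = . | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- if eq $adminToken "" }}
{{- $adminToken = .Values.vaultwarden.admin.token | default (randAlphaNum 48) | b64enc | quote }}
{{- end }}
{{- end -}}
# … unchanged: databaseUrl, smtpUser and yubico sections, Secret body …
```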
diff --git a/vaultwarden/templates/service.yaml b/vaultwarden/templates/service.yaml new file mode 100644 index 0000000..c4b7e64 --- /dev/null +++ b/vaultwarden/templates/service.yaml @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "vaultwarden.fullname" . }} + labels: + {{- include "vaultwarden.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + {{- if (or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort")) }} + externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if eq .Values.service.type "LoadBalancer" }} + loadBalancerIP: {{ default "" .Values.service.loadBalancerIP }} + {{- end }} + ports: + - name: http + port: {{ .Values.service.httpPort }} + targetPort: http + protocol: TCP + {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePorts.http)))}} + nodePort: {{ .Values.service.nodePorts.http }} + {{- end }} + {{- if .Values.vaultwarden.enableWebsockets }} + - name: websocket + port: {{ .Values.service.websocketPort }} + targetPort: websocket + protocol: TCP + {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePorts.websocket)))}} + nodePort: {{ .Values.service.nodePorts.websocket }} + {{- end }} + {{- end }} + selector: + {{- include "vaultwarden.selectorLabels" . | nindent 4 }} diff --git a/vaultwarden/templates/serviceaccount.yaml b/vaultwarden/templates/serviceaccount.yaml new file mode 100644 index 0000000..6b2a67e --- /dev/null +++ b/vaultwarden/templates/serviceaccount.yaml @@ -0,0 +1,12 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "vaultwarden.serviceAccountName" . }} + labels: + {{- include "vaultwarden.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} 
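Review bot: In service.yaml, `loadBalancerIP: {{ default "" .Values.service.loadBalancerIP }}` renders a bare `loadBalancerIP:` (a YAML null) whenever the value is unset, which yamllint's `empty-values` flags and which reads as a configuration mistake even though the API server treats it as absent. Replace the `default` with a scoped block, `{{- with .Values.service.loadBalancerIP }}` / `loadBalancerIP: {{ . | quote }}` / `{{- end }}`, inside the existing `eq .Values.service.type "LoadBalancer"` guard. `externalTrafficPolicy` is quoted while `type` on the line above is not; quoting both keeps the spec consistent.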
diff --git a/vaultwarden/templates/tests/test-connection.yaml b/vaultwarden/templates/tests/test-connection.yaml new file mode 100644 index 0000000..f42a8c1 --- /dev/null +++ b/vaultwarden/templates/tests/test-connection.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "vaultwarden.fullname" . }}-test-connection" + labels: + {{- include "vaultwarden.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": test-success +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "vaultwarden.fullname" . }}:{{ .Values.service.httpPort }}'] + restartPolicy: Never diff --git a/vaultwarden/values.home.yaml b/vaultwarden/values.home.yaml new file mode 100644 index 0000000..e4ea448 --- /dev/null +++ b/vaultwarden/values.home.yaml 
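Review bot: The test pod uses `image: busybox` with no tag, so every `helm test` pulls whatever `latest` resolves to and the chart's behaviour changes under it; pin it, `image: busybox:<pinned tag or @sha256 digest>`, the same way the main image exposes `image.tag`. The test pod also runs without the `podSecurityContext`/`securityContext` the deployment applies, so it will be rejected on namespaces that enforce a restricted Pod Security Standard; passing the same values through here (or setting `runAsNonRoot: true` on the container) keeps the test runnable there.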
@@ -0,0 +1,273 @@ +# Default values for vaultwarden. + +database: + # Database type, must be one of: 'sqlite', 'mysql' or 'postgresql'. + type: postgresql + # Enable DB Write-Ahead-Log for SQLite, disabled for other databases. https://github.com/dani-garcia/vaultwarden/wiki/Running-without-WAL-enabled + wal: true + ## URL for external databases (mysql://user:pass@host:port/database-name or postgresql://user:pass@host:port/database-name). + url: "postgresql://vaultwarden:0UnBYmhT7LZ1GePohx13zRxIKM30TZA0m3GZTjgFh0dBiwENwOtZZqcPlyhMXIUD@home-postgres.db.svc.cluster.local:5432/vw" + ## Use existing secret for database URL, key 'database-url'. + existingSecret: vw-home-vaultwarden + ## Set the size of the database connection pool. + #maxConnections: 10 + ## Connection retries during startup, 0 for infinite. 1 second between retries. + #retries: 15 + +# Set vaultwarden application variables +vaultwarden: + ## Set Bitwarden URL, mandatory for invitations over email. Recommended if using a reverse proxy / ingress. Format is https://name or http://name + #domain: + # Allow any user to sign-up: https://github.com/dani-garcia/vaultwarden/wiki/Disable-registration-of-new-users + allowSignups: true + ## Whitelist domains allowed to sign-up. 'allowSignups' is ignored if set. + #signupDomains: + # - domain.tld + # Verify e-mail before login is enabled. SMTP must be enabled. + verifySignup: false + # When a user logs in an email is required to be sent. If sending the email fails the login attempt will fail. SMTP must be enabled. + requireEmail: false + ## Maximum attempts before an email token is reset and a new email will need to be sent. + #emailAttempts: 3 + ## Email token validity in seconds. 
+ #emailTokenExpiration: 600 + # Allow invited users to sign-up even feature is disabled: https://github.com/dani-garcia/vaultwarden/wiki/Disable-invitations + allowInvitation: true + ## Number of hours after which an organization invite token, emergency access invite token, + ## email verification token and deletion request token will expire + #invitationExpiration: 120 + ## Allow users to set password hints. Applies to all users. + #passwordHintsAllowed: true + # Show password hints: https://github.com/dani-garcia/vaultwarden/wiki/Password-hint-display + showPasswordHint: false + ## Default organization name in invitation e-mails that are not coming from a specific organization. + #defaultInviteName: "" + # Enable Websockets for notification. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-WebSocket-notifications + # Redirect HTTP path "/notifications/hub" to port 3012. Ingress/IngressRoute controllers are automatically configured. + enableWebsockets: true + # Enable Web Vault (static content). https://github.com/dani-garcia/vaultwarden/wiki/Disabling-or-overriding-the-Vault-interface-hosting + enableWebVault: true + # Enable Bitwarden Sends globally + enableSends: true + # Restrict creation of orgs. Options are: 'all', 'none' or a comma-separated list of users. + orgCreationUsers: all + ## Limit attachment disk usage per organization. + #attachmentLimitOrg: + ## Limit attachment disk usage per user. + #attachmentLimitUser: + ## HaveIBeenPwned API Key. Can be purchased at https://haveibeenpwned.com/API/Key. + #hibpApiKey: + ## Number of days to auto-delete trashed items. By default iteams are not auto-deleted. + #autoDeleteDays: + ## Organization event logging + #orgEvents: false + ## Organization event retation. Leave empty to not delete. + #orgEventsRetention: "" + ## Map of custom environment variables. Use carefully. + #extraEnv: + # IP_HEADER: CF-Connecting-IP + # ALLOWED_IFRAME_ANCESTORS: myintranet.local + + admin: + # Enable admin portal. 
+ enabled: true + # Disabling the admin token will make the admin portal accessible to anyone, use carefully: https://github.com/dani-garcia/vaultwarden/wiki/Disable-admin-token + disableAdminToken: false + ## Token for admin login, will be generated if not defined. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page + #token: + ## Use existing secret for the admin token. Key is 'admin-token'. + #existingSecret: + + emergency: + # Allow any user to enable emergency access. + enabled: true + ## Schedule to send expiration reminders to emergency access grantors. Cron schedule format. + #reminder: "0 3 * * * *" + ## Schedule to grant emergency access requests that have met the required wait time. Cron schedule format. + #timeout: "0 3 * * * *" + + # Enable SMTP. https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration + smtp: + enabled: false + # SMTP hostname, required if SMTP is enabled. + host: "" + # SMTP sender e-mail address, required if SMTP is enabled. + from: "" + ## SMTP sender name, defaults to 'Vaultwarden'. + #fromName: "" + # Enable secure SSL connection. Options are: "starttls", "force_tls" and "off" + # Users migrating from 1.24 or lower using ssl/explicitTLS settings: + # ssl = false -> "off" + # ssl = true and explicitTLS = false -> "starttls" + # ssl = true and explicitTLS = true -> "force_tls" + security: starttls + ## SMTP port. Defaults depends on security: 465 for "force_tls", 587 for "starttls" and 25 for "off" + #port: 587 + ## SMTP Authentication Mechanisms. Comma-separated options: 'Plain', 'Login' and 'Xoauth2'. Defaults to 'Plain'. + #authMechanism: Plain + ## Hostname to be sent for SMTP HELO. Defaults to pod name. + #heloName: "" + ## SMTP timeout. + #timeout: 15 + ## Accept SSL session if certificate is valid but hostname doesn't match. DANGEROUS, vulnerable to men-in-the-middle attacks! + #invalidHostname: false + ## Accept invalid certificates. DANGEROUS, vulnerable to men-in-the-middle attacks! 
+ #invalidCertificate: false + ## SMTP username. + #user: "" + ## SMTP password. Required is user is specified, ignored if no user provided. + #password: "" + ## Use existing secret for SMTP authentication. Keys are 'smtp-user' and 'smtp-password'. + #existingSecret: + ## Embed images as email attachments + #embedImages: false + + ## Enable Yubico OPT authentication. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Yubikey-OTP-authentication + yubico: + enabled: false + ## Yubico server. Defaults to YubiCloud. + #server: + ## Yubico ID and Secret Key. + #clientId: + #secretKey: + ## Use existing secret for Yubico. Keys are 'yubico-client-id' and 'yubico-secret-key'. + #existingSecret: + + ## Logging options. https://github.com/dani-garcia/vaultwarden/wiki/Logging + log: + # Log to file. + file: "" + # Log level. Options are "trace", "debug", "info", "warn", "error" or "off". + level: "" + ## Log timestamp format. See https://docs.rs/chrono/0.4.15/chrono/format/strftime/index.html. Defaults to time in milliseconds. + #timeFormat: "" + + icons: + ## Icon download service. "internal" to fetch icons directly, otherwise options are: "bitwarden", "duckduckgo" or "google" + #service: internal + # Disables download of external icons on internal service. Setting to true will still serve icons from cache (/data/icon_cache). TTL will default to zero. + disableDownload: false + ## Cache time-to-live for icons fetched. 0 means no purging. + #cache: 2592000 + ## Cache time-to-live for icons that were not available. 0 means no purging. 
+ #cacheFailed: 259200 + ## HTTP code for redirect to external icon service + #redirectCode: 302 + +service: + type: ClusterIP + httpPort: 80 + websocketPort: 3012 + externalTrafficPolicy: Cluster + # loadBalancerIP: + nodePorts: + # Choose NodePorts manually + http: "" + websocket: "" + +# Kubernetes Ingress +ingress: + enabled: true + # className: nginx + host: "warden.ervine.cloud" + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + tls: + - secretName: warden-ervine-cloud-tls + hosts: + - warden.ervine.cloud + +# Traefik IngressRoute CRD +ingressRoute: + enabled: false + # Mandatory to enable IngressRoute + host: "" + entrypoints: + - websecure + ## Enable Traefik middlewares + middlewares: {} + # - name: my_middleware + # namespace: default + tls: {} + #certResolver: letsencrypt + +persistence: + enabled: true + size: 1Gi + accessMode: ReadWriteOnce + ## Persistent Volume storage class + # storageClass: "-" + ## Use existing Persistent Volume Claim + existingClaim: vw-home-vaultwarden + + +# Use custom volume definition. Cannot be used with persistence. +customVolume: {} + #hostPath: + # path: "/examplefolder/vaultwarden" + +image: + pullPolicy: IfNotPresent + repository: vaultwarden/server + tag: "" + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +replicaCount: 1 + +serviceAccount: + # Specifies whether a service account should be created + create: false + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. 
+ # If not set and create is true, a name is generated using the fullname template + name: "" + +podAnnotations: {} +podLabels: {} + +# Annotations to add to the Deployment +deploymentAnnotations: {} + +# Sidecar containers, add container spec (https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#Container) +# No templating possible, values need to be hardcoded +sidecars: [] +# - name: sidecar +# image: sidecarimage:1.2.3 +# env: +# - name: SIDECAR_END +# value: "sidecar" +# volumeMounts: +# - name: vaultwarden +# mountPath: /data + +podSecurityContext: + fsGroup: 65534 + +securityContext: + runAsUser: 65534 + runAsGroup: 65534 + +strategy: {} + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +nodeSelector: {} + +tolerations: [] + +affinity: {} diff --git a/vaultwarden/values.yaml b/vaultwarden/values.yaml new file mode 100644 index 0000000..b4eca7b --- /dev/null +++ b/vaultwarden/values.yaml 
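Review bot: `database.url` in values.home.yaml embeds a plaintext database password in a file committed to the repository; the credential should be treated as exposed and rotated, and the line reduced to the `#url: ""` placeholder used in values.yaml. Because `database.existingSecret: vw-home-vaultwarden` is set in the same block, secret.yaml's guard `(not .Values.database.existingSecret)` skips the inline URL anyway, so the committed value is not even consumed by the chart. An environment-specific override with a live hostname and claim name probably does not belong inside the chart directory at all, since `helm package` bundles every file not listed in `.helmignore` (and this one is not listed there); moving it out of the chart, or adding it to `.helmignore`, keeps it out of the published artifact.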
@@ -0,0 +1,273 @@ +# Default values for vaultwarden. + +database: + # Database type, must be one of: 'sqlite', 'mysql' or 'postgresql'. + type: sqlite + # Enable DB Write-Ahead-Log for SQLite, disabled for other databases. https://github.com/dani-garcia/vaultwarden/wiki/Running-without-WAL-enabled + wal: true + ## URL for external databases (mysql://user:pass@host:port/database-name or postgresql://user:pass@host:port/database-name). + #url: "" + ## Use existing secret for database URL, key 'database-url'. + #existingSecret: + ## Set the size of the database connection pool. + #maxConnections: 10 + ## Connection retries during startup, 0 for infinite. 1 second between retries. + #retries: 15 + +# Set vaultwarden application variables +vaultwarden: + ## Set Bitwarden URL, mandatory for invitations over email. Recommended if using a reverse proxy / ingress. Format is https://name or http://name + #domain: + # Allow any user to sign-up: https://github.com/dani-garcia/vaultwarden/wiki/Disable-registration-of-new-users + allowSignups: true + ## Whitelist domains allowed to sign-up. 'allowSignups' is ignored if set. + #signupDomains: + # - domain.tld + # Verify e-mail before login is enabled. SMTP must be enabled. + verifySignup: false + # When a user logs in an email is required to be sent. If sending the email fails the login attempt will fail. SMTP must be enabled. + requireEmail: false + ## Maximum attempts before an email token is reset and a new email will need to be sent. + #emailAttempts: 3 + ## Email token validity in seconds. + #emailTokenExpiration: 600 + # Allow invited users to sign-up even feature is disabled: https://github.com/dani-garcia/vaultwarden/wiki/Disable-invitations + allowInvitation: true + ## Number of hours after which an organization invite token, emergency access invite token, + ## email verification token and deletion request token will expire + #invitationExpiration: 120 + ## Allow users to set password hints. Applies to all users. 
+ #passwordHintsAllowed: true + # Show password hints: https://github.com/dani-garcia/vaultwarden/wiki/Password-hint-display + showPasswordHint: false + ## Default organization name in invitation e-mails that are not coming from a specific organization. + #defaultInviteName: "" + # Enable Websockets for notification. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-WebSocket-notifications + # Redirect HTTP path "/notifications/hub" to port 3012. Ingress/IngressRoute controllers are automatically configured. + enableWebsockets: true + # Enable Web Vault (static content). https://github.com/dani-garcia/vaultwarden/wiki/Disabling-or-overriding-the-Vault-interface-hosting + enableWebVault: true + # Enable Bitwarden Sends globally + enableSends: true + # Restrict creation of orgs. Options are: 'all', 'none' or a comma-separated list of users. + orgCreationUsers: all + ## Limit attachment disk usage per organization. + #attachmentLimitOrg: + ## Limit attachment disk usage per user. + #attachmentLimitUser: + ## HaveIBeenPwned API Key. Can be purchased at https://haveibeenpwned.com/API/Key. + #hibpApiKey: + ## Number of days to auto-delete trashed items. By default iteams are not auto-deleted. + #autoDeleteDays: + ## Organization event logging + #orgEvents: false + ## Organization event retation. Leave empty to not delete. + #orgEventsRetention: "" + ## Map of custom environment variables. Use carefully. + #extraEnv: + # IP_HEADER: CF-Connecting-IP + # ALLOWED_IFRAME_ANCESTORS: myintranet.local + + admin: + # Enable admin portal. + enabled: false + # Disabling the admin token will make the admin portal accessible to anyone, use carefully: https://github.com/dani-garcia/vaultwarden/wiki/Disable-admin-token + disableAdminToken: false + ## Token for admin login, will be generated if not defined. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page + #token: + ## Use existing secret for the admin token. Key is 'admin-token'. 
+ #existingSecret: + + emergency: + # Allow any user to enable emergency access. + enabled: true + ## Schedule to send expiration reminders to emergency access grantors. Cron schedule format. + #reminder: "0 3 * * * *" + ## Schedule to grant emergency access requests that have met the required wait time. Cron schedule format. + #timeout: "0 3 * * * *" + + # Enable SMTP. https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration + smtp: + enabled: false + # SMTP hostname, required if SMTP is enabled. + host: "" + # SMTP sender e-mail address, required if SMTP is enabled. + from: "" + ## SMTP sender name, defaults to 'Vaultwarden'. + #fromName: "" + # Enable secure SSL connection. Options are: "starttls", "force_tls" and "off" + # Users migrating from 1.24 or lower using ssl/explicitTLS settings: + # ssl = false -> "off" + # ssl = true and explicitTLS = false -> "starttls" + # ssl = true and explicitTLS = true -> "force_tls" + security: starttls + ## SMTP port. Defaults depends on security: 465 for "force_tls", 587 for "starttls" and 25 for "off" + #port: 587 + ## SMTP Authentication Mechanisms. Comma-separated options: 'Plain', 'Login' and 'Xoauth2'. Defaults to 'Plain'. + #authMechanism: Plain + ## Hostname to be sent for SMTP HELO. Defaults to pod name. + #heloName: "" + ## SMTP timeout. + #timeout: 15 + ## Accept SSL session if certificate is valid but hostname doesn't match. DANGEROUS, vulnerable to men-in-the-middle attacks! + #invalidHostname: false + ## Accept invalid certificates. DANGEROUS, vulnerable to men-in-the-middle attacks! + #invalidCertificate: false + ## SMTP username. + #user: "" + ## SMTP password. Required is user is specified, ignored if no user provided. + #password: "" + ## Use existing secret for SMTP authentication. Keys are 'smtp-user' and 'smtp-password'. + #existingSecret: + ## Embed images as email attachments + #embedImages: false + + ## Enable Yubico OPT authentication. 
https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Yubikey-OTP-authentication + yubico: + enabled: false + ## Yubico server. Defaults to YubiCloud. + #server: + ## Yubico ID and Secret Key. + #clientId: + #secretKey: + ## Use existing secret for Yubico. Keys are 'yubico-client-id' and 'yubico-secret-key'. + #existingSecret: + + ## Logging options. https://github.com/dani-garcia/vaultwarden/wiki/Logging + log: + # Log to file. + file: "" + # Log level. Options are "trace", "debug", "info", "warn", "error" or "off". + level: "" + ## Log timestamp format. See https://docs.rs/chrono/0.4.15/chrono/format/strftime/index.html. Defaults to time in milliseconds. + #timeFormat: "" + + icons: + ## Icon download service. "internal" to fetch icons directly, otherwise options are: "bitwarden", "duckduckgo" or "google" + #service: internal + # Disables download of external icons on internal service. Setting to true will still serve icons from cache (/data/icon_cache). TTL will default to zero. + disableDownload: false + ## Cache time-to-live for icons fetched. 0 means no purging. + #cache: 2592000 + ## Cache time-to-live for icons that were not available. 0 means no purging. 
+ #cacheFailed: 259200 + ## HTTP code for redirect to external icon service + #redirectCode: 302 + +service: + type: ClusterIP + httpPort: 80 + websocketPort: 3012 + externalTrafficPolicy: Cluster + # loadBalancerIP: + nodePorts: + # Choose NodePorts manually + http: "" + websocket: "" + +# Kubernetes Ingress +ingress: + enabled: false + # className: nginx + host: "" + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + tls: [] + # - secretName: vaultwarden-tls + # hosts: + # - vaultwarden.local + +# Traefik IngressRoute CRD +ingressRoute: + enabled: false + # Mandatory to enable IngressRoute + host: "" + entrypoints: + - websecure + ## Enable Traefik middlewares + middlewares: {} + # - name: my_middleware + # namespace: default + tls: {} + #certResolver: letsencrypt + +persistence: + enabled: false + size: 1Gi + accessMode: ReadWriteOnce + ## Persistent Volume storage class + # storageClass: "-" + ## Use existing Persistent Volume Claim + # existingClaim: + + +# Use custom volume definition. Cannot be used with persistence. +customVolume: {} + #hostPath: + # path: "/examplefolder/vaultwarden" + +image: + pullPolicy: IfNotPresent + repository: vaultwarden/server + tag: "" + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +replicaCount: 1 + +serviceAccount: + # Specifies whether a service account should be created + create: false + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. 
+ # If not set and create is true, a name is generated using the fullname template + name: "" + +podAnnotations: {} +podLabels: {} + +# Annotations to add to the Deployment +deploymentAnnotations: {} + +# Sidecar containers, add container spec (https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#Container) +# No templating possible, values need to be hardcoded +sidecars: [] +# - name: sidecar +# image: sidecarimage:1.2.3 +# env: +# - name: SIDECAR_END +# value: "sidecar" +# volumeMounts: +# - name: vaultwarden +# mountPath: /data + +podSecurityContext: + fsGroup: 65534 + +securityContext: + runAsUser: 65534 + runAsGroup: 65534 + +strategy: {} + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +nodeSelector: {} + +tolerations: [] + +affinity: {}
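Review bot: The default `securityContext` only sets `runAsUser`/`runAsGroup`; for a password-manager workload, the container should also declare `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and drop all capabilities, which is what restricted Pod Security Standards require (this assumes the deployment passes `.Values.securityContext` through with `toYaml`, which is outside this hunk). `readOnlyRootFilesystem: true` may also be viable since `/data` is a separate mount, but that needs a test run against the image. Several comments carry typos that are copied verbatim into values.home.yaml: "iteams" → "items", "retation" → "retention", "Required is user is specified" → "Required if user is specified", "Yubico OPT" → "Yubico OTP", "men-in-the-middle" → "man-in-the-middle". `allowSignups: true` matches the upstream default, but since it opens account registration to anyone who can reach the ingress, the README's option table should say so explicitly.

```yaml
securityContext:
  runAsUser: 65534
  runAsGroup: 65534
  runAsNonRoot: true
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
```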