jonny/charts
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add vaultwarden

Browse Source
This commit is contained in:
Jonny Ervine 2023-10-06 22:09:48 +08:00
parent 75d720a37a
commit 9be4ff1f35
15 changed files with 1469 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
vaultwarden/.helmignore Normal file
View File

@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

14
vaultwarden/Chart.yaml Normal file
View File

@ -0,0 +1,14 @@
apiVersion: v2
appVersion: 1.27.0
description: Unofficial Bitwarden compatible server written in Rust
home: https://github.com/dani-garcia/vaultwarden - bitwarden - bitwarden_rs - password
- vaultwarden
icon: https://upload.wikimedia.org/wikipedia/commons/0/03/Bitwarden_Logo.png
maintainers:
- email: silvio@gissilabs.com
name: Silvio Gissi
name: vaultwarden
sources:
- https://github.com/dani-garcia/vaultwarden
type: application
version: 1.0.0

189
vaultwarden/README.md Normal file
View File

@ -0,0 +1,189 @@
# Gissilabs Helm Charts
## Upgrade from bitwardenrs Helm Chart
The upstream project changed its name from bitwarden_rs to Vaultwarden on April 27th, 2021. If you are using the bitwardenrs chart, the following changes are needed to use this chart:
- Change chart name from gissilabs/bitwardenrs to gissilabs/vaultwarden
- If using custom values, update top-level "bitwardenrs" option to "vaultwarden"
Chart and application version numbers are the same across both charts.
## Vaultwarden
Vaultwarden (previously known as bitwarden_rs) is an unofficial Bitwarden compatible server written in Rust. For more information, check the project on Github: <https://github.com/dani-garcia/vaultwarden>
## Helm Chart
The default installation will deploy one Vaultwarden instance using a SQLite database without persistence. All data will be lost if the pod is deleted.
```bash
# Uncomment below if the Gissilabs repository is not yet added to Helm
#helm repo add gissilabs https://gissilabs.github.io/charts/
helm install myvaultwarden gissilabs/vaultwarden
```
See options below to customize the deployment.
## **Database**
Option | Description | Format | Default
------ | ----------- | ------ | -------
database.type | Backend database type | sqlite, mysql or postgresql | sqlite
database.wal | Enable SQLite Write-Ahead-Log, ignored for external databases | true / false | true
database.url | URL of external database (MySQL/PostgreSQL) | \[mysql\|postgresql\]://user:pass@host:port\[/database\] | Empty
database.existingSecret | Use existing secret for database URL, key 'database-url' | Secret name | Not defined
database.maxConnections | Set the size of the database connection pool | Number | 10
database.retries | Connection retries during startup, 0 for infinite. 1 second between retries | Number | 15
## **Main application**
Option | Description | Format | Default
------ | ----------- | ------ | -------
vaultwarden.domain | Bitwarden URL. Mandatory for invitations over email | http\[s\]://hostname | Not defined
vaultwarden.allowSignups | Allow any user to sign-up. [More information](https://github.com/dani-garcia/vaultwarden/wiki/Disable-registration-of-new-users) | true / false | true
vaultwarden.signupDomains | Whitelist domains allowed to sign-up. 'allowSignups' is ignored if set | domain1,domain2 | Not defined
vaultwarden.verifySignup | Verify e-mail before login is enabled. SMTP must be enabled | true / false | false
vaultwarden.requireEmail | Require that an e-mail is sucessfully sent before login. SMTP must be enabled | true / false | false
vaultwarden.emailAttempts | Maximum attempts before an email token is reset and a new email will need to be sent | Number | 3
vaultwarden.emailTokenExpiration | Email token validity in seconds | Number | 600
vaultwarden.allowInvitation | Allow invited users to sign-up even feature is disabled. [More information](https://github.com/dani-garcia/vaultwarden/wiki/Disable-invitations) | true / false | true
vaultwarden.invitationExpiration | Number of hours after which tokens expire (organization invite, emergency access, email verification and deletion request | Number (minimum 1) | 120
vaultwarden.defaultInviteName | Default organization name in invitation e-mails that are not coming from a specific organization. | Text | Vaultwarden
vaultwarden.passwordHintsAllowed | Allow users to set password hints. Applies to all users. | true / false | true
vaultwarden.showPasswordHint | Show password hints. [More Information](https://github.com/dani-garcia/vaultwarden/wiki/Password-hint-display) | true / false | false
vaultwarden.enableWebsockets | Enable Websockets for notification. [More Information](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-WebSocket-notifications). If using Ingress controllers, "notifications/hub" URL is redirected to websocket port | true / false | true
vaultwarden.enableWebVault | Enable Web Vault static site. [More Information](https://github.com/dani-garcia/vaultwarden/wiki/Disabling-or-overriding-the-Vault-interface-hosting). | true / false | true
vaultwarden.enableSends | Enable Bitwarden Sends globally. | true / false | true
vaultwarden.orgCreationUsers | Restrict creation of orgs. | 'all', 'none' or a comma-separated list of users. | all
vaultwarden.attachmentLimitOrg | Limit attachment disk usage in Kb per organization | Number | Not defined
vaultwarden.attachmentLimitUser | Limit attachment disk usage in Kb per user | Number | Not defined
vaultwarden.hibpApiKey | API Key to use HaveIBeenPwned service. Can be purchased at [here](https://haveibeenpwned.com/API/Key) | Text | Not defined
vaultwarden.autoDeleteDays | Number of days to auto-delete trashed items. | Number | Empty (never auto-delete)
vaultwarden.orgEvents | Enable Organization event logging | true / false | false
vaultwarden.orgEventsRetention | Organization event log retention in days | Number | Empty (never delete)
vaultwarden.extraEnv | Pass extra environment variables | Map | Not defined
vaultwarden.log.file | Filename to log to disk. [More information](https://github.com/dani-garcia/vaultwarden/wiki/Logging) | File path | Empty
vaultwarden.log.level | Change log level | trace, debug, info, warn, error or off | Empty
vaultwarden.log.timeFormat | Log timestamp | Rust chrono [format](https://docs.rs/chrono/0.4.15/chrono/format/strftime/index.html). | Time in milliseconds | Empty
## **Application Features**
:warning: SMTP SSL/TLS settings changed following Vaultwarden v1.25 release, see [Upgrade](#upgrade)
Option | Description | Format | Default
------ | ----------- | ------ | -------
vaultwarden.admin.enabled | Enable admin portal. Change settings in the portal will overwrite chart options. | true / false | false
vaultwarden.admin.disableAdminToken | Disabling the admin token will make the admin portal accessible to anyone, use carefully. [More Information](https://github.com/dani-garcia/vaultwarden/wiki/Disable-admin-token) | true / false | false
vaultwarden.admin.token | Token for admin login, will be generated if not defined. [More Information](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page) | Text | Auto-generated
vaultwarden.admin.existingSecret | Use existing secret for the admin token. Key is 'admin-token' | Secret name | Not defined
|||
vaultwarden.emergency.enabled | Allow any user to enable emergency access. | true / false | true
vaultwarden.emergency.reminder | Schedule to send expiration reminders to emergency access grantors. | Cron schedule format, blank to disable | "0 3 \* \* \* \*" (hourly 3 minutes after the hour)
vaultwarden.emergency.timeout | Schedule to grant emergency access requests that have met the required wait time. | Cron schedule format, blank to disable | "0 3 \* \* \* \*" (hourly 3 minutes after the hour)
|||
vaultwarden.smtp.enabled | Enable SMTP | true / false | false
vaultwarden.smtp.host | SMTP hostname **required** | Hostname | Empty
vaultwarden.smtp.from | SMTP sender e-mail address **required** | E-mail | Empty
vaultwarden.smtp.fromName | SMTP sender name | Text | Vaultwarden
vaultwarden.smtp.security | Set SMTP connection security [More Information](https://github.com/dani-garcia/vaultwarden/wiki/SMTP-Configuration) | starttls / force_tls / off | starttls
vaultwarden.smtp.port | SMTP TCP port | Number | Security off: 25, starttls: 587, force_tls: 465
vaultwarden.smtp.authMechanism | SMTP Authentication Mechanisms | Comma-separated list: 'Plain', 'Login', 'Xoauth2' | Plain
vaultwarden.smtp.heloName | Hostname to be sent for SMTP HELO | Text | Pod name
vaultwarden.smtp.timeout | SMTP connection timeout in seconds | Number | 15
vaultwarden.smtp.invalidHostname | Accept valid certificates even if hostnames does not match. DANGEROUS! | true / false | false
vaultwarden.smtp.invalidCertificate | Accept invalid certificates. DANGEROUS! | true / false | false
vaultwarden.smtp.user | SMTP username | Text | Not defined
vaultwarden.smtp.password | SMTP password. Required is user is specified | Text | Not defined
vaultwarden.smtp.existingSecret | Use existing secret for SMTP authentication. Keys are 'smtp-user' and 'smtp-password' | Secret name | Not defined
vaultwarden.smtp.embedImages | Embed images as email attachments | true / false | false
|||
vaultwarden.yubico.enabled | Enable Yubikey support | true / false | false
vaultwarden.yubico.server | Yubico server | Hostname | YubiCloud
vaultwarden.yubico.clientId | Yubico ID | Text | Not defined
vaultwarden.yubico.secretKey | Yubico Secret Key | Text | Not defined
vaultwarden.yubico.existingSecret | Use existing secret for ID and Secret. Keys are 'yubico-client-id' and 'yubico-secret-key' | Secret name | Not defined
|||
vaultwarden.icons.service | Service to fetch icons from | "internal", "bitwarden", "duckduckgo", "google" or custom URL | internal
vaultwarden.icons.disableDownload | Disables download of external icons, icons in cache will still be served | true / false | false
vaultwarden.icons.cache | Cache time-to-live for icons fetched. 0 means no purging | Number | 2592000. If download is disabled, defaults to 0
vaultwarden.icons.cacheFailed | Cache time-to-live for icons that were not available. 0 means no purging | Number | 2592000
vaultwarden.icons.redirectCode | HTTP code to use for redirects to an external icon service | true / false | 302
## **Network**
Option | Description | Format | Default
------ | ----------- | ------ | -------
service.type | Service Type. [More Information](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) | Type | ClusterIP
service.httpPort | Service port for HTTP server | Number | 80
service.websocketPort | Service port for Websocket server, if enabled | Number | 3012
service.externalTrafficPolicy | External Traffic Policy. [More Information](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip) | Local / Cluster| Cluster
service.loadBalancerIP | Manually select IP when type is LoadBalancer | IP address | Not defined
service.nodePorts.http | Manually select node port for http | Number | Empty
service.nodePorts.websocket | Manually select node port for websocker, if enabled | Number | Empty
|||
ingress.enabled | Enable Ingress | true / false | false
ingress.className | Name of the ingress class | string | Empty
ingress.host | Ingress hostname **required** | Hostname | Empty
ingress.annotations | Ingress annotations | Map | Empty
ingress.tls | Ingress TLS options | Array of Maps | Empty
|||
ingressRoute.enabled | Enable Traefik IngressRoute CRD | true / false | false
ingressRoute.host | Ingress route hostname **required** | Hostname | Empty
ingressRoute.middlewares | Enable middlewares | Map | Empty
ingressRoute.entrypoints | List of Traefik endpoints | Array of Text | \[websecure\]
ingressRoute.tls | Ingress route TLS options | Map | Empty
## **Storage**
Option | Description | Format | Default
------ | ----------- | ------ | -------
persistence.enabled | Create persistent volume (PVC). Holds attachments, icon cache and, if used, the SQLite database | true / false | false
persistence.size | Size of volume | Size | 1Gi
persistence.accessMode | Volume access mode | Text | ReadWriteOnce
persistence.storageClass | Storage Class | Text | Not defined. Use "-" for default class
persistence.existingClaim | Use existing PVC | Name of PVC | Not defined
customVolume | Use custom volume definition. Cannot be used with persistence | Map | Empty
## **Image**
Option | Description | Format | Default
------ | ----------- | ------ | -------
image.tag | Docker image tag | Text | Chart appVersion (Chart.yaml)
image.repository | Docker image | Text | vaultwarden/server
imagePullSecrets | Image pull secrets | Array | Empty
## **General Kubernetes/Helm**
Option | Description | Format | Default
------ | ----------- | ------ | -------
strategy | Deployment Strategy options | sub-tree | Empty
replicaCount | Number of pod replicas | Number | 1
nameOverride | Name override | Text | Empty
fullnameOverride | Full name override | Text | Empty
serviceAccount.create | Create Service Account | true / false | false
serviceAccount.annotations | Annotations service account | Map | Empty
serviceAccount.name | Service Account name | Text | Generated from template
deploymentAnnotations | Deployment Annotations | Map | Empty
sidecars | Sidecar container definition [Spec](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#Container) | Array | Empty
podAnnotations | Pod Annotations | Map | Empty
podLabels | Extra Pod Labels | Map | Empty
podSecurityContext | Pod-level Security Context | Map | {fsGroup:65534}
securityContext | Container-level Security Context | Map | {runAsUser:65534, runAsGroup:65534}
resources | Deployment Resources | Map | Empty
nodeSelector | Node selector | Map | Empty
tolerations | Tolerations | Array | Empty
affinity | Affinity | Map | Empty
## Upgrade
### From 0.x to 1.x
Vaultwarden version before v1.25.0 had a [bug/mislabelled](https://github.com/dani-garcia/vaultwarden/issues/851) configuration setting regarding SSL and TLS. This has been fixed in testing and newer released versions. When image version is 1.25 or higher, use vaultwarden.smtp.security instead of vaultwarden.smtp.ssl/vaultwarden.smtp.explicitTLS.
ssl | explicitTLS | security equivalent
--- | ----------- | -------------------
false | false | off
false | true | off
true | false | starttls
true | true | force_tls

25
vaultwarden/templates/NOTES.txt Normal file
View File

@ -0,0 +1,25 @@
1. Get the application URL by running these commands:
{{- if .Values.ingress.enabled }}
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ .Values.ingress.host }}/
{{- else if .Values.ingressRoute.enabled }}
http{{ if $.Values.ingressRoute.tls }}s{{ end }}://{{ .Values.ingressRoute.host }}/
{{- else }}
{{- if eq .Values.vaultwarden.enableWebsockets true }}
NOTE: the websocket listens on a different port and might not work unless /notifications/hub is redirected externally.
{{- end }}
{{- if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "vaultwarden.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "vaultwarden.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "vaultwarden.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
echo http://$SERVICE_IP:{{ .Values.service.httpPort }}
{{- else if contains "ClusterIP" .Values.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "vaultwarden.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:8080
{{- end }}
{{- end }}

105
vaultwarden/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,105 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "vaultwarden.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "vaultwarden.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "vaultwarden.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "vaultwarden.labels" -}}
helm.sh/chart: {{ include "vaultwarden.chart" . }}
{{ include "vaultwarden.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "vaultwarden.selectorLabels" -}}
app.kubernetes.io/name: {{ include "vaultwarden.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "vaultwarden.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "vaultwarden.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Ensure valid DB type is select, defaults to SQLite
*/}}
{{- define "vaultwarden.dbTypeValid" -}}
{{- if not (or (eq .Values.database.type "postgresql") (eq .Values.database.type "mysql") (eq .Values.database.type "sqlite")) }}
{{- required "Invalid database type" nil }}
{{- end -}}
{{- end -}}
{{/*
Ensure log type is valid
*/}}
{{- define "vaultwarden.logLevelValid" -}}
{{- if not (or (eq .Values.vaultwarden.log.level "trace") (eq .Values.vaultwarden.log.level "debug") (eq .Values.vaultwarden.log.level "info") (eq .Values.vaultwarden.log.level "warn") (eq .Values.vaultwarden.log.level "error") (eq .Values.vaultwarden.log.level "off")) }}
{{- required "Invalid log level" nil }}
{{- end }}
{{- end }}
{{/*
Ensure SMTP Security setting is valid
*/}}
{{- define "vaultwarden.smtpSecurityValid" -}}
{{- if or (hasKey .Values.vaultwarden.smtp "ssl") (hasKey .Values.vaultwarden.smtp "explicitTLS") }}
{{- required "SMTP options ssl and explicitTLS are deprecated for Vaulwarden 1.25 or newer, see documentation" nil }}
{{- end }}
{{- if not (or (eq .Values.vaultwarden.smtp.security "off") (eq .Values.vaultwarden.smtp.security "starttls") (eq .Values.vaultwarden.smtp.security "force_tls") ) }}
{{- required "Invalid SMTP security setting, valid options are: off, starttls and force_tls" nil }}
{{- end }}
{{- end }}
{{- define "vaultwarden.domainSubPath" -}}
{{- if .Values.vaultwarden.domain }}
{{- if not (regexMatch "https?:\\/\\/.*?(\\/|$)" .Values.vaultwarden.domain) }}
{{- required "Invalid domain, must start with http or https" nil }}
{{- end }}
{{- $subpath := regexReplaceAll "https?:\\/\\/.*?(\\/|$)" .Values.vaultwarden.domain "" -}}/{{ $subpath }}
{{- else }}/
{{- end }}
{{- end -}}

342
vaultwarden/templates/deployment.yaml Normal file
View File

@ -0,0 +1,342 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "vaultwarden.fullname" . }}
labels:
{{- include "vaultwarden.labels" . | nindent 4 }}
{{- with .Values.deploymentAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- with .Values.strategy }}
strategy:
{{- toYaml . | nindent 4 }}
{{- end }}
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
{{- include "vaultwarden.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "vaultwarden.selectorLabels" . | nindent 8 }}
{{- if .Values.podLabels }}
{{- toYaml .Values.podLabels | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "vaultwarden.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
env:
- name: ROCKET_PORT
value: "8080"
- name: SIGNUPS_ALLOWED
value: {{ .Values.vaultwarden.allowSignups | quote }}
{{- if .Values.vaultwarden.signupDomains }}
- name: SIGNUPS_DOMAINS_WHITELIST
value: {{ join "," .Values.vaultwarden.signupDomains | quote }}
{{- end }}
{{- if and (eq .Values.vaultwarden.verifySignup true) (eq .Values.vaultwarden.smtp.enabled false) }}{{ required "Signup verification requires SMTP to be enabled" nil}}{{end}}
- name: SIGNUPS_VERIFY
value: {{ .Values.vaultwarden.verifySignup | quote }}
{{- if and (eq .Values.vaultwarden.requireEmail true) (eq .Values.vaultwarden.smtp.enabled false) }}{{ required "Requiring emails for login depends on SMTP" nil}}{{end}}
- name: REQUIRE_DEVICE_EMAIL
value: {{ .Values.vaultwarden.requireEmail | quote }}
{{- if .Values.vaultwarden.emailAttempts }}
- name: EMAIL_ATTEMPTS_LIMIT
value: {{ .Values.vaultwarden.emailAttempts | quote }}
{{- end }}
{{- if .Values.vaultwarden.emailTokenExpiration }}
- name: EMAIL_EXPIRATION_TIME
value: {{ .Values.vaultwarden.emailTokenExpiration | quote }}
{{- end }}
- name: INVITATIONS_ALLOWED
value: {{ .Values.vaultwarden.allowInvitation | quote }}
{{- if .Values.vaultwarden.invitationExpiration }}
- name: INVITATION_EXPIRATION_HOURS
value: {{ .Values.vaultwarden.invitationExpiration | quote }}
{{- end }}
{{- if .Values.vaultwarden.defaultInviteName }}
- name: INVITATION_ORG_NAME
value: {{ .Values.vaultwarden.defaultInviteName | quote }}
{{- end }}
{{- if hasKey .Values.vaultwarden "passwordHintsAllowed" }}
- name: PASSWORD_HINTS_ALLOWED
value: {{ .Values.vaultwarden.passwordHintsAllowed | quote }}
{{- end }}
- name: SHOW_PASSWORD_HINT
value: {{ .Values.vaultwarden.showPasswordHint | quote }}
- name: WEBSOCKET_ENABLED
value: {{ .Values.vaultwarden.enableWebsockets | quote }}
- name: WEB_VAULT_ENABLED
value: {{ .Values.vaultwarden.enableWebVault | quote }}
- name: SENDS_ALLOWED
value: {{ .Values.vaultwarden.enableSends | quote }}
- name: ORG_CREATION_USERS
value: {{ .Values.vaultwarden.orgCreationUsers | quote }}
{{- if .Values.vaultwarden.attachmentLimitOrg }}
- name: ORG_ATTACHMENT_LIMIT
value: {{ .Values.vaultwarden.attachmentLimitOrg | quote }}
{{- end }}
{{- if .Values.vaultwarden.attachmentLimitUser }}
- name: USER_ATTACHMENT_LIMIT
value: {{ .Values.vaultwarden.attachmentLimitUser | quote }}
{{- end }}
{{- if .Values.vaultwarden.hibpApiKey }}
- name: HIBP_API_KEY
value: {{ .Values.vaultwarden.hibpApiKey | quote }}
{{- end }}
{{- if .Values.vaultwarden.autoDeleteDays }}
- name: TRASH_AUTO_DELETE_DAYS
value: {{ .Values.vaultwarden.autoDeleteDays | quote }}
{{- end }}
{{- if hasKey .Values.vaultwarden "orgEvents" }}
- name: ORG_EVENTS_ENABLED
value: {{ .Values.vaultwarden.orgEvents | quote }}
{{- end }}
{{- if hasKey .Values.vaultwarden "orgEventsRetention" }}
- name: EVENTS_DAYS_RETAIN
value: {{ .Values.vaultwarden.orgEventsRetention | quote }}
{{- end }}
{{- if .Values.vaultwarden.extraEnv }}
{{- range $key, $val := .Values.vaultwarden.extraEnv }}
- name: {{ $key }}
value: {{ $val | quote }}
{{- end }}
{{- end }}
{{- include "vaultwarden.dbTypeValid" . }}
{{- if .Values.database.retries }}
- name: DB_CONNECTION_RETRIES
value: {{ .Values.database.retries | quote }}
{{- end }}
{{- if .Values.database.maxConnections }}
- name: DATABASE_MAX_CONNS
value: {{ .Values.database.maxConnections | quote }}
{{- end }}
{{- if eq .Values.database.type "sqlite" }}
- name: ENABLE_DB_WAL
value: {{ .Values.database.wal | quote }}
{{- else }}
- name: ENABLE_DB_WAL
value: "false"
- name: DATABASE_URL
valueFrom:
secretKeyRef:
name: {{ if .Values.database.existingSecret }}{{ .Values.database.existingSecret }}{{else}}{{ include "vaultwarden.fullname" . }}{{end}}
key: database-url
{{- end }}
{{- if .Values.vaultwarden.domain }}
- name: DOMAIN
value: {{ .Values.vaultwarden.domain | quote }}
{{- end }}
{{- if eq .Values.vaultwarden.admin.enabled true }}
{{- if eq .Values.vaultwarden.admin.disableAdminToken true }}
- name: DISABLE_ADMIN_TOKEN
value: "true"
{{- else }}
- name: ADMIN_TOKEN
valueFrom:
secretKeyRef:
name: {{ .Values.vaultwarden.admin.existingSecret | default (include "vaultwarden.fullname" .) }}
key: admin-token
{{- end }}
{{- end }}
- name: EMERGENCY_ACCESS_ALLOWED
value: {{ .Values.vaultwarden.emergency.enabled | quote }}
{{- if eq .Values.vaultwarden.emergency.enabled true }}
{{- if not (kindIs "invalid" .Values.vaultwarden.emergency.reminder) }}
- name: EMERGENCY_NOTIFICATION_REMINDER_SCHEDULE
value: {{ .Values.vaultwarden.emergency.reminder | quote }}
{{- end }}
{{- if not (kindIs "invalid" .Values.vaultwarden.emergency.timeout) }}
- name: EMERGENCY_REQUEST_TIMEOUT_SCHEDULE
value: {{ .Values.vaultwarden.emergency.timeout | quote }}
{{- end }}
{{- end }}
{{- if eq .Values.vaultwarden.smtp.enabled true }}
- name: SMTP_HOST
value: {{ required "SMTP host is required to enable SMTP" .Values.vaultwarden.smtp.host | quote }}
- name: SMTP_FROM
value: {{ required "SMTP sender address ('from') is required to enable SMTP" .Values.vaultwarden.smtp.from | quote }}
{{- if .Values.vaultwarden.smtp.fromName }}
- name: SMTP_FROM_NAME
value: {{ .Values.vaultwarden.smtp.fromName | quote }}
{{- end }}
{{- if semverCompare "<1.25.0" (.Values.image.tag | default .Chart.AppVersion) }}
- name: SMTP_SSL
value: {{ required "Value smtp.ssl required for Vaultwarden prior to 1.25" .Values.vaultwarden.smtp.ssl | quote }}
{{- if required "Value smtp.explictTLS required for Vaultwarden prior to 1.25" .Values.vaultwarden.smtp.explicitTLS }}
{{- if (eq .Values.vaultwarden.smtp.ssl false) }}
{{- required "Explicit TLS requires SSL to be enabled" nil }}
{{- end }}
- name: SMTP_EXPLICIT_TLS
value: {{ .Values.vaultwarden.smtp.explicitTLS | quote }}
{{- end}}
{{- else }}
{{- include "vaultwarden.smtpSecurityValid" . }}
- name: SMTP_SECURITY
value: {{ .Values.vaultwarden.smtp.security | quote }}
{{- end }}
{{- if .Values.vaultwarden.smtp.port }}
- name: SMTP_PORT
value: {{ .Values.vaultwarden.smtp.port | quote }}
{{- end }}
{{- if .Values.vaultwarden.smtp.authMechanism }}
- name: SMTP_AUTH_MECHANISM
value: {{ .Values.vaultwarden.smtp.authMechanism | quote }}
{{- end }}
{{- if .Values.vaultwarden.smtp.heloName }}
- name: HELO_NAME
value: {{ .Values.vaultwarden.smtp.heloName | quote }}
{{- end }}
{{- if .Values.vaultwarden.smtp.timeout }}
- name: SMTP_TIMEOUT
value: {{ .Values.vaultwarden.smtp.timeout | quote }}
{{- end }}
{{- if .Values.vaultwarden.smtp.invalidHostname }}
- name: SMTP_ACCEPT_INVALID_HOSTNAMES
value: {{ .Values.vaultwarden.smtp.invalidHostname | quote }}
{{- end }}
{{- if .Values.vaultwarden.smtp.invalidCertificate }}
- name: SMTP_ACCEPT_INVALID_CERTS
value: {{ .Values.vaultwarden.smtp.invalidCertificate | quote }}
{{- end }}
{{- if or .Values.vaultwarden.smtp.existingSecret .Values.vaultwarden.smtp.user }}
- name: SMTP_USERNAME
valueFrom:
secretKeyRef:
name: {{ .Values.vaultwarden.smtp.existingSecret | default (include "vaultwarden.fullname" .) }}
key: smtp-user
- name: SMTP_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.vaultwarden.smtp.existingSecret | default (include "vaultwarden.fullname" .) }}
key: smtp-password
{{- end }}
{{- if hasKey .Values.vaultwarden.smtp "embedImages" }}
- name: SMTP_EMBED_IMAGES
value: {{ .Values.vaultwarden.smtp.embedImages | quote }}
{{- end }}
{{- end }}{{/*SMTP*/}}
{{- if eq .Values.vaultwarden.yubico.enabled true }}
{{- if .Values.vaultwarden.yubico.server }}
- name: YUBICO_SERVER
value: {{ .Values.vaultwarden.yubico.server | quote }}
{{- end }}
- name: YUBICO_CLIENT_ID
valueFrom:
secretKeyRef:
name: {{ .Values.vaultwarden.yubico.existingSecret | default (include "vaultwarden.fullname" .) }}
key: yubico-client-id
- name: YUBICO_SECRET_KEY
valueFrom:
secretKeyRef:
name: {{ .Values.vaultwarden.yubico.existingSecret | default (include "vaultwarden.fullname" .) }}
key: yubico-secret-key
{{- end }}
{{- if .Values.vaultwarden.log.file }}
- name: LOG_FILE
value: {{ .Values.vaultwarden.log.file | quote }}
{{- end }}
{{- if or .Values.vaultwarden.log.level .Values.vaultwarden.log.timeFormat }}
- name: EXTENDED_LOGGING
value: "true"
{{- end }}
{{- if .Values.vaultwarden.log.level }}
{{- include "vaultwarden.logLevelValid" . }}
- name: LOG_LEVEL
value: {{ .Values.vaultwarden.log.level | quote }}
{{- end }}
{{- if .Values.vaultwarden.log.timeFormat }}
- name: LOG_TIMESTAMP_FORMAT
value: {{ .Values.vaultwarden.log.timeFormat | quote }}
{{- end }}
{{- if hasKey .Values.vaultwarden.icons "service" }}
- name: ICON_SERVICE
value: {{ .Values.vaultwarden.icons.service | quote }}
{{- end }}
{{- if .Values.vaultwarden.icons.disableDownload }}
- name: DISABLE_ICON_DOWNLOAD
value: {{ .Values.vaultwarden.icons.disableDownload | quote }}
{{- if and (not .Values.vaultwarden.icons.cache) (eq .Values.vaultwarden.icons.disableDownload "true") }}
- name: ICON_CACHE_TTL
value: 0
{{- end }}
{{- end }}
{{- if .Values.vaultwarden.icons.cache }}
- name: ICON_CACHE_TTL
value: {{ .Values.vaultwarden.icons.cache }}
{{- end }}
{{- if .Values.vaultwarden.icons.cacheFailed }}
- name: ICON_CACHE_NEGTTL
value: {{ .Values.vaultwarden.icons.cacheFailed }}
{{- end }}
{{- if hasKey .Values.vaultwarden.icons "redirectCode" }}
- name: ICON_REDIRECT_CODE
value: {{ .Values.vaultwarden.icons.redirectCode | quote }}
{{- end }}
ports:
- name: http
containerPort: 8080
protocol: TCP
{{- if .Values.vaultwarden.enableWebsockets }}
- name: websocket
containerPort: 3012
protocol: TCP
{{- end }}
livenessProbe:
httpGet:
path: {{ include "vaultwarden.domainSubPath" . }}
port: http
readinessProbe:
httpGet:
path: {{ include "vaultwarden.domainSubPath" . }}
port: http
volumeMounts:
- name: {{ include "vaultwarden.fullname" . }}
mountPath: /data
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- if .Values.sidecars }}
{{- toYaml .Values.sidecars | nindent 8 }}
{{- end }}
volumes:
- name: {{ include "vaultwarden.fullname" . }}
{{- if and .Values.persistence.enabled .Values.customVolume }}
{{ required "customVolume cannot be used if persistence is enabled." nil }}
{{- end }}
{{- if .Values.persistence.enabled }}
persistentVolumeClaim:
claimName: {{ if .Values.persistence.existingClaim }}{{ .Values.persistence.existingClaim | quote }}{{- else }}{{ include "vaultwarden.fullname" . }}{{- end }}
{{- else if .Values.customVolume }}
{{- toYaml .Values.customVolume | nindent 8 }}
{{- else }}
emptyDir: {}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}

67
vaultwarden/templates/ingress.yaml Normal file
View File

@ -0,0 +1,67 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "vaultwarden.fullname" . -}}
{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" -}}
apiVersion: networking.k8s.io/v1
{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress" -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
{{- include "vaultwarden.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if .Values.ingress.className }}
ingressClassName: {{ .Values.ingress.className }}
{{- end }}
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
- host: {{ required "Host required for ingress" .Values.ingress.host | quote }}
http:
paths:
{{- if .Values.vaultwarden.enableWebsockets }}
- path: "/notifications/hub"
{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
pathType: Prefix
{{- end }}
backend:
{{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
service:
name: {{ $fullName }}
port:
number: {{ .Values.service.websocketPort }}
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ .Values.service.websocketPort }}
{{- end }}
{{- end }}
- path: "/"
{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
pathType: Prefix
{{- end }}
backend:
{{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
service:
name: {{ $fullName }}
port:
number: {{ .Values.service.httpPort }}
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ .Values.service.httpPort }}
{{- end }}
{{- end }}

40
vaultwarden/templates/ingressroute.yaml Normal file
View File

@ -0,0 +1,40 @@
{{- if .Values.ingressRoute.enabled -}}
{{- $fullName := include "vaultwarden.fullname" . -}}
{{- $host := (required "Host required for IngressRoute" .Values.ingressRoute.host ) -}}
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: {{ $fullName }}
labels:
{{- include "vaultwarden.labels" . | nindent 4 }}
spec:
entryPoints:
{{- range .Values.ingressRoute.entrypoints }}
- {{ . | quote }}
{{- end }}
routes:
{{- if .Values.vaultwarden.enableWebsockets }}
- match: Host(`{{ $host }}`) && PathPrefix(`/notifications/hub`)
kind: Rule
{{- if .Values.ingressRoute.middlewares }}
middlewares:
{{- toYaml .Values.ingressRoute.middlewares | nindent 6 }}
{{- end }}
services:
- name: {{ $fullName }}
port: {{ .Values.service.websocketPort }}
{{- end }}
- match: Host(`{{ $host }}`)
kind: Rule
{{- if .Values.ingressRoute.middlewares }}
middlewares:
{{- toYaml .Values.ingressRoute.middlewares | nindent 6 }}
{{- end }}
services:
- name: {{ $fullName }}
port: {{ .Values.service.httpPort }}
{{- if .Values.ingressRoute.tls }}
tls:
{{- toYaml .Values.ingressRoute.tls | nindent 4 }}
{{- end }}
{{- end }}

15
vaultwarden/templates/pvc.yaml Normal file
View File

@ -0,0 +1,15 @@
{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ include "vaultwarden.fullname" . }}
spec:
accessModes:
- {{ .Values.persistence.accessMode | quote }}
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{- if .Values.persistence.storageClass }}
storageClassName: {{ .Values.persistence.storageClass | quote }}
{{- end }}
{{- end -}}

43
vaultwarden/templates/secret.yaml Normal file
View File

@ -0,0 +1,43 @@
{{- $adminToken := "" }}
{{- if and (eq .Values.vaultwarden.admin.enabled true) (not .Values.vaultwarden.admin.existingSecret) }}
{{- $adminToken = .Values.vaultwarden.admin.token | default (randAlphaNum 48) | b64enc | quote }}
{{- end -}}
{{- $databaseUrl := "" }}
{{- if and (ne .Values.database.type "sqlite") (not .Values.database.existingSecret) }}
{{- $databaseUrl = required "External databases need either URL or existing secret" .Values.database.url | b64enc | quote }}
{{- end -}}
{{- $smtpUser := "" }}
{{- if and (eq .Values.vaultwarden.smtp.enabled true ) (not .Values.vaultwarden.smtp.existingSecret) (.Values.vaultwarden.smtp.user) }}
{{- $smtpUser = .Values.vaultwarden.smtp.user | b64enc | quote }}
{{- end -}}
{{- $yubicoClientId := "" }}
{{- if and (eq .Values.vaultwarden.yubico.enabled true ) (not .Values.vaultwarden.yubico.existingSecret) }}
{{- $yubicoClientId = required "Yubico Client ID required" .Values.vaultwarden.yubico.clientId | toString | b64enc | quote }}
{{- end -}}
{{- if or (ne $adminToken "") (ne $databaseUrl "") (ne $smtpUser "" ) (ne $yubicoClientId "") }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "vaultwarden.fullname" . }}
labels:
{{- include "vaultwarden.labels" . | nindent 4 }}
data:
{{- if ne $adminToken "" }}
admin-token: {{ $adminToken }}
{{- end }}
{{- if ne $databaseUrl "" }}
database-url: {{ $databaseUrl }}
{{- end }}
{{- if ne $smtpUser "" }}
smtp-user: {{ $smtpUser }}
smtp-password: {{ required "Must specify SMTP password" .Values.vaultwarden.smtp.password | b64enc | quote }}
{{- end }}
{{- if ne $yubicoClientId "" }}
yubico-client-id: {{ $yubicoClientId }}
yubico-secret-key: {{ required "Yubico Secret Key required" .Values.vaultwarden.yubico.secretKey | b64enc | quote }}
{{- end }}
{{- end }}

33
vaultwarden/templates/service.yaml Normal file
View File

@ -0,0 +1,33 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "vaultwarden.fullname" . }}
labels:
{{- include "vaultwarden.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.type }}
{{- if (or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort")) }}
externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }}
{{- end }}
{{- if eq .Values.service.type "LoadBalancer" }}
loadBalancerIP: {{ default "" .Values.service.loadBalancerIP }}
{{- end }}
ports:
- name: http
port: {{ .Values.service.httpPort }}
targetPort: http
protocol: TCP
{{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePorts.http)))}}
nodePort: {{ .Values.service.nodePorts.http }}
{{- end }}
{{- if .Values.vaultwarden.enableWebsockets }}
- name: websocket
port: {{ .Values.service.websocketPort }}
targetPort: websocket
protocol: TCP
{{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePorts.websocket)))}}
nodePort: {{ .Values.service.nodePorts.websocket }}
{{- end }}
{{- end }}
selector:
{{- include "vaultwarden.selectorLabels" . | nindent 4 }}

12
vaultwarden/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,12 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "vaultwarden.serviceAccountName" . }}
labels:
{{- include "vaultwarden.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

15
vaultwarden/templates/tests/test-connection.yaml Normal file
View File

@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "vaultwarden.fullname" . }}-test-connection"
labels:
{{- include "vaultwarden.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": test-success
spec:
containers:
- name: wget
image: busybox
command: ['wget']
args: ['{{ include "vaultwarden.fullname" . }}:{{ .Values.service.httpPort }}']
restartPolicy: Never

273
vaultwarden/values.home.yaml Normal file
View File

@ -0,0 +1,273 @@
# Default values for vaultwarden.
database:
# Database type, must be one of: 'sqlite', 'mysql' or 'postgresql'.
type: postgresql
# Enable DB Write-Ahead-Log for SQLite, disabled for other databases. https://github.com/dani-garcia/vaultwarden/wiki/Running-without-WAL-enabled
wal: true
## URL for external databases (mysql://user:pass@host:port/database-name or postgresql://user:pass@host:port/database-name).
url: "postgresql://vaultwarden:0UnBYmhT7LZ1GePohx13zRxIKM30TZA0m3GZTjgFh0dBiwENwOtZZqcPlyhMXIUD@home-postgres.db.svc.cluster.local:5432/vw"
## Use existing secret for database URL, key 'database-url'.
existingSecret: vw-home-vaultwarden
## Set the size of the database connection pool.
#maxConnections: 10
## Connection retries during startup, 0 for infinite. 1 second between retries.
#retries: 15
# Set vaultwarden application variables
vaultwarden:
## Set Bitwarden URL, mandatory for invitations over email. Recommended if using a reverse proxy / ingress. Format is https://name or http://name
#domain:
# Allow any user to sign-up: https://github.com/dani-garcia/vaultwarden/wiki/Disable-registration-of-new-users
allowSignups: true
## Whitelist domains allowed to sign-up. 'allowSignups' is ignored if set.
#signupDomains:
# - domain.tld
# Verify e-mail before login is enabled. SMTP must be enabled.
verifySignup: false
# When a user logs in an email is required to be sent. If sending the email fails the login attempt will fail. SMTP must be enabled.
requireEmail: false
## Maximum attempts before an email token is reset and a new email will need to be sent.
#emailAttempts: 3
## Email token validity in seconds.
#emailTokenExpiration: 600
# Allow invited users to sign-up even feature is disabled: https://github.com/dani-garcia/vaultwarden/wiki/Disable-invitations
allowInvitation: true
## Number of hours after which an organization invite token, emergency access invite token,
## email verification token and deletion request token will expire
#invitationExpiration: 120
## Allow users to set password hints. Applies to all users.
#passwordHintsAllowed: true
# Show password hints: https://github.com/dani-garcia/vaultwarden/wiki/Password-hint-display
showPasswordHint: false
## Default organization name in invitation e-mails that are not coming from a specific organization.
#defaultInviteName: ""
# Enable Websockets for notification. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-WebSocket-notifications
# Redirect HTTP path "/notifications/hub" to port 3012. Ingress/IngressRoute controllers are automatically configured.
enableWebsockets: true
# Enable Web Vault (static content). https://github.com/dani-garcia/vaultwarden/wiki/Disabling-or-overriding-the-Vault-interface-hosting
enableWebVault: true
# Enable Bitwarden Sends globally
enableSends: true
# Restrict creation of orgs. Options are: 'all', 'none' or a comma-separated list of users.
orgCreationUsers: all
## Limit attachment disk usage per organization.
#attachmentLimitOrg:
## Limit attachment disk usage per user.
#attachmentLimitUser:
## HaveIBeenPwned API Key. Can be purchased at https://haveibeenpwned.com/API/Key.
#hibpApiKey:
## Number of days to auto-delete trashed items. By default iteams are not auto-deleted.
#autoDeleteDays:
## Organization event logging
#orgEvents: false
## Organization event retation. Leave empty to not delete.
#orgEventsRetention: ""
## Map of custom environment variables. Use carefully.
#extraEnv:
# IP_HEADER: CF-Connecting-IP
# ALLOWED_IFRAME_ANCESTORS: myintranet.local
admin:
# Enable admin portal.
enabled: true
# Disabling the admin token will make the admin portal accessible to anyone, use carefully: https://github.com/dani-garcia/vaultwarden/wiki/Disable-admin-token
disableAdminToken: false
## Token for admin login, will be generated if not defined. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page
#token:
## Use existing secret for the admin token. Key is 'admin-token'.
#existingSecret:
emergency:
# Allow any user to enable emergency access.
enabled: true
## Schedule to send expiration reminders to emergency access grantors. Cron schedule format.
#reminder: "0 3 * * * *"
## Schedule to grant emergency access requests that have met the required wait time. Cron schedule format.
#timeout: "0 3 * * * *"
# Enable SMTP. https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
smtp:
enabled: false
# SMTP hostname, required if SMTP is enabled.
host: ""
# SMTP sender e-mail address, required if SMTP is enabled.
from: ""
## SMTP sender name, defaults to 'Vaultwarden'.
#fromName: ""
# Enable secure SSL connection. Options are: "starttls", "force_tls" and "off"
# Users migrating from 1.24 or lower using ssl/explicitTLS settings:
# ssl = false -> "off"
# ssl = true and explicitTLS = false -> "starttls"
# ssl = true and explicitTLS = true -> "force_tls"
security: starttls
## SMTP port. Defaults depends on security: 465 for "force_tls", 587 for "starttls" and 25 for "off"
#port: 587
## SMTP Authentication Mechanisms. Comma-separated options: 'Plain', 'Login' and 'Xoauth2'. Defaults to 'Plain'.
#authMechanism: Plain
## Hostname to be sent for SMTP HELO. Defaults to pod name.
#heloName: ""
## SMTP timeout.
#timeout: 15
## Accept SSL session if certificate is valid but hostname doesn't match. DANGEROUS, vulnerable to men-in-the-middle attacks!
#invalidHostname: false
## Accept invalid certificates. DANGEROUS, vulnerable to men-in-the-middle attacks!
#invalidCertificate: false
## SMTP username.
#user: ""
## SMTP password. Required is user is specified, ignored if no user provided.
#password: ""
## Use existing secret for SMTP authentication. Keys are 'smtp-user' and 'smtp-password'.
#existingSecret:
## Embed images as email attachments
#embedImages: false
## Enable Yubico OPT authentication. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Yubikey-OTP-authentication
yubico:
enabled: false
## Yubico server. Defaults to YubiCloud.
#server:
## Yubico ID and Secret Key.
#clientId:
#secretKey:
## Use existing secret for Yubico. Keys are 'yubico-client-id' and 'yubico-secret-key'.
#existingSecret:
## Logging options. https://github.com/dani-garcia/vaultwarden/wiki/Logging
log:
# Log to file.
file: ""
# Log level. Options are "trace", "debug", "info", "warn", "error" or "off".
level: ""
## Log timestamp format. See https://docs.rs/chrono/0.4.15/chrono/format/strftime/index.html. Defaults to time in milliseconds.
#timeFormat: ""
icons:
## Icon download service. "internal" to fetch icons directly, otherwise options are: "bitwarden", "duckduckgo" or "google"
#service: internal
# Disables download of external icons on internal service. Setting to true will still serve icons from cache (/data/icon_cache). TTL will default to zero.
disableDownload: false
## Cache time-to-live for icons fetched. 0 means no purging.
#cache: 2592000
## Cache time-to-live for icons that were not available. 0 means no purging.
#cacheFailed: 259200
## HTTP code for redirect to external icon service
#redirectCode: 302
service:
type: ClusterIP
httpPort: 80
websocketPort: 3012
externalTrafficPolicy: Cluster
# loadBalancerIP:
nodePorts:
# Choose NodePorts manually
http: ""
websocket: ""
# Kubernetes Ingress
ingress:
enabled: true
# className: nginx
host: "warden.ervine.cloud"
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
tls:
- secretName: warden-ervine-cloud-tls
hosts:
- warden.ervine.cloud
# Traefik IngressRoute CRD
ingressRoute:
enabled: false
# Mandatory to enable IngressRoute
host: ""
entrypoints:
- websecure
## Enable Traefik middlewares
middlewares: {}
# - name: my_middleware
# namespace: default
tls: {}
#certResolver: letsencrypt
persistence:
enabled: true
size: 1Gi
accessMode: ReadWriteOnce
## Persistent Volume storage class
# storageClass: "-"
## Use existing Persistent Volume Claim
existingClaim: vw-home-vaultwarden
# Use custom volume definition. Cannot be used with persistence.
customVolume: {}
#hostPath:
# path: "/examplefolder/vaultwarden"
image:
pullPolicy: IfNotPresent
repository: vaultwarden/server
tag: ""
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
replicaCount: 1
serviceAccount:
# Specifies whether a service account should be created
create: false
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
podAnnotations: {}
podLabels: {}
# Annotations to add to the Deployment
deploymentAnnotations: {}
# Sidecar containers, add container spec (https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#Container)
# No templating possible, values need to be hardcoded
sidecars: []
# - name: sidecar
# image: sidecarimage:1.2.3
# env:
# - name: SIDECAR_END
# value: "sidecar"
# volumeMounts:
# - name: vaultwarden
# mountPath: /data
podSecurityContext:
fsGroup: 65534
securityContext:
runAsUser: 65534
runAsGroup: 65534
strategy: {}
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
tolerations: []
affinity: {}

273
vaultwarden/values.yaml Normal file
View File

@ -0,0 +1,273 @@
# Default values for vaultwarden.
database:
# Database type, must be one of: 'sqlite', 'mysql' or 'postgresql'.
type: sqlite
# Enable DB Write-Ahead-Log for SQLite, disabled for other databases. https://github.com/dani-garcia/vaultwarden/wiki/Running-without-WAL-enabled
wal: true
## URL for external databases (mysql://user:pass@host:port/database-name or postgresql://user:pass@host:port/database-name).
#url: ""
## Use existing secret for database URL, key 'database-url'.
#existingSecret:
## Set the size of the database connection pool.
#maxConnections: 10
## Connection retries during startup, 0 for infinite. 1 second between retries.
#retries: 15
# Set vaultwarden application variables
vaultwarden:
## Set Bitwarden URL, mandatory for invitations over email. Recommended if using a reverse proxy / ingress. Format is https://name or http://name
#domain:
# Allow any user to sign-up: https://github.com/dani-garcia/vaultwarden/wiki/Disable-registration-of-new-users
allowSignups: true
## Whitelist domains allowed to sign-up. 'allowSignups' is ignored if set.
#signupDomains:
# - domain.tld
# Verify e-mail before login is enabled. SMTP must be enabled.
verifySignup: false
# When a user logs in an email is required to be sent. If sending the email fails the login attempt will fail. SMTP must be enabled.
requireEmail: false
## Maximum attempts before an email token is reset and a new email will need to be sent.
#emailAttempts: 3
## Email token validity in seconds.
#emailTokenExpiration: 600
# Allow invited users to sign-up even feature is disabled: https://github.com/dani-garcia/vaultwarden/wiki/Disable-invitations
allowInvitation: true
## Number of hours after which an organization invite token, emergency access invite token,
## email verification token and deletion request token will expire
#invitationExpiration: 120
## Allow users to set password hints. Applies to all users.
#passwordHintsAllowed: true
# Show password hints: https://github.com/dani-garcia/vaultwarden/wiki/Password-hint-display
showPasswordHint: false
## Default organization name in invitation e-mails that are not coming from a specific organization.
#defaultInviteName: ""
# Enable Websockets for notification. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-WebSocket-notifications
# Redirect HTTP path "/notifications/hub" to port 3012. Ingress/IngressRoute controllers are automatically configured.
enableWebsockets: true
# Enable Web Vault (static content). https://github.com/dani-garcia/vaultwarden/wiki/Disabling-or-overriding-the-Vault-interface-hosting
enableWebVault: true
# Enable Bitwarden Sends globally
enableSends: true
# Restrict creation of orgs. Options are: 'all', 'none' or a comma-separated list of users.
orgCreationUsers: all
## Limit attachment disk usage per organization.
#attachmentLimitOrg:
## Limit attachment disk usage per user.
#attachmentLimitUser:
## HaveIBeenPwned API Key. Can be purchased at https://haveibeenpwned.com/API/Key.
#hibpApiKey:
## Number of days to auto-delete trashed items. By default iteams are not auto-deleted.
#autoDeleteDays:
## Organization event logging
#orgEvents: false
## Organization event retation. Leave empty to not delete.
#orgEventsRetention: ""
## Map of custom environment variables. Use carefully.
#extraEnv:
# IP_HEADER: CF-Connecting-IP
# ALLOWED_IFRAME_ANCESTORS: myintranet.local
admin:
# Enable admin portal.
enabled: false
# Disabling the admin token will make the admin portal accessible to anyone, use carefully: https://github.com/dani-garcia/vaultwarden/wiki/Disable-admin-token
disableAdminToken: false
## Token for admin login, will be generated if not defined. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page
#token:
## Use existing secret for the admin token. Key is 'admin-token'.
#existingSecret:
emergency:
# Allow any user to enable emergency access.
enabled: true
## Schedule to send expiration reminders to emergency access grantors. Cron schedule format.
#reminder: "0 3 * * * *"
## Schedule to grant emergency access requests that have met the required wait time. Cron schedule format.
#timeout: "0 3 * * * *"
# Enable SMTP. https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
smtp:
enabled: false
# SMTP hostname, required if SMTP is enabled.
host: ""
# SMTP sender e-mail address, required if SMTP is enabled.
from: ""
## SMTP sender name, defaults to 'Vaultwarden'.
#fromName: ""
# Enable secure SSL connection. Options are: "starttls", "force_tls" and "off"
# Users migrating from 1.24 or lower using ssl/explicitTLS settings:
# ssl = false -> "off"
# ssl = true and explicitTLS = false -> "starttls"
# ssl = true and explicitTLS = true -> "force_tls"
security: starttls
## SMTP port. Defaults depends on security: 465 for "force_tls", 587 for "starttls" and 25 for "off"
#port: 587
## SMTP Authentication Mechanisms. Comma-separated options: 'Plain', 'Login' and 'Xoauth2'. Defaults to 'Plain'.
#authMechanism: Plain
## Hostname to be sent for SMTP HELO. Defaults to pod name.
#heloName: ""
## SMTP timeout.
#timeout: 15
## Accept SSL session if certificate is valid but hostname doesn't match. DANGEROUS, vulnerable to men-in-the-middle attacks!
#invalidHostname: false
## Accept invalid certificates. DANGEROUS, vulnerable to men-in-the-middle attacks!
#invalidCertificate: false
## SMTP username.
#user: ""
## SMTP password. Required is user is specified, ignored if no user provided.
#password: ""
## Use existing secret for SMTP authentication. Keys are 'smtp-user' and 'smtp-password'.
#existingSecret:
## Embed images as email attachments
#embedImages: false
## Enable Yubico OPT authentication. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Yubikey-OTP-authentication
yubico:
enabled: false
## Yubico server. Defaults to YubiCloud.
#server:
## Yubico ID and Secret Key.
#clientId:
#secretKey:
## Use existing secret for Yubico. Keys are 'yubico-client-id' and 'yubico-secret-key'.
#existingSecret:
## Logging options. https://github.com/dani-garcia/vaultwarden/wiki/Logging
log:
# Log to file.
file: ""
# Log level. Options are "trace", "debug", "info", "warn", "error" or "off".
level: ""
## Log timestamp format. See https://docs.rs/chrono/0.4.15/chrono/format/strftime/index.html. Defaults to time in milliseconds.
#timeFormat: ""
icons:
## Icon download service. "internal" to fetch icons directly, otherwise options are: "bitwarden", "duckduckgo" or "google"
#service: internal
# Disables download of external icons on internal service. Setting to true will still serve icons from cache (/data/icon_cache). TTL will default to zero.
disableDownload: false
## Cache time-to-live for icons fetched. 0 means no purging.
#cache: 2592000
## Cache time-to-live for icons that were not available. 0 means no purging.
#cacheFailed: 259200
## HTTP code for redirect to external icon service
#redirectCode: 302
service:
type: ClusterIP
httpPort: 80
websocketPort: 3012
externalTrafficPolicy: Cluster
# loadBalancerIP:
nodePorts:
# Choose NodePorts manually
http: ""
websocket: ""
# Kubernetes Ingress
ingress:
enabled: false
# className: nginx
host: ""
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
tls: []
# - secretName: vaultwarden-tls
# hosts:
# - vaultwarden.local
# Traefik IngressRoute CRD
ingressRoute:
enabled: false
# Mandatory to enable IngressRoute
host: ""
entrypoints:
- websecure
## Enable Traefik middlewares
middlewares: {}
# - name: my_middleware
# namespace: default
tls: {}
#certResolver: letsencrypt
persistence:
enabled: false
size: 1Gi
accessMode: ReadWriteOnce
## Persistent Volume storage class
# storageClass: "-"
## Use existing Persistent Volume Claim
# existingClaim:
# Use custom volume definition. Cannot be used with persistence.
customVolume: {}
#hostPath:
# path: "/examplefolder/vaultwarden"
image:
pullPolicy: IfNotPresent
repository: vaultwarden/server
tag: ""
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
replicaCount: 1
serviceAccount:
# Specifies whether a service account should be created
create: false
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
podAnnotations: {}
podLabels: {}
# Annotations to add to the Deployment
deploymentAnnotations: {}
# Sidecar containers, add container spec (https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#Container)
# No templating possible, values need to be hardcoded
sidecars: []
# - name: sidecar
# image: sidecarimage:1.2.3
# env:
# - name: SIDECAR_END
# value: "sidecar"
# volumeMounts:
# - name: vaultwarden
# mountPath: /data
podSecurityContext:
fsGroup: 65534
securityContext:
runAsUser: 65534
runAsGroup: 65534
strategy: {}
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
tolerations: []
affinity: {}