apiVersion: apps/v1 kind: Deployment metadata: name: {{ include "vaultwarden.fullname" . }} labels: {{- include "vaultwarden.labels" . | nindent 4 }} {{- with .Values.deploymentAnnotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} spec: {{- with .Values.strategy }} strategy: {{- toYaml . | nindent 4 }} {{- end }} replicas: {{ .Values.replicaCount }} selector: matchLabels: {{- include "vaultwarden.selectorLabels" . | nindent 6 }} template: metadata: {{- with .Values.podAnnotations }} annotations: {{- toYaml . | nindent 8 }} {{- end }} labels: {{- include "vaultwarden.selectorLabels" . | nindent 8 }} {{- if .Values.podLabels }} {{- toYaml .Values.podLabels | nindent 8 }} {{- end }} spec: {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} serviceAccountName: {{ include "vaultwarden.serviceAccountName" . }} securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} containers: - name: {{ .Chart.Name }} securityContext: {{- toYaml .Values.securityContext | nindent 12 }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} env: - name: ROCKET_PORT value: "8080" - name: SIGNUPS_ALLOWED value: {{ .Values.vaultwarden.allowSignups | quote }} {{- if .Values.vaultwarden.signupDomains }} - name: SIGNUPS_DOMAINS_WHITELIST value: {{ join "," .Values.vaultwarden.signupDomains | quote }} {{- end }} {{- if and (eq .Values.vaultwarden.verifySignup true) (eq .Values.vaultwarden.smtp.enabled false) }}{{ required "Signup verification requires SMTP to be enabled" nil}}{{end}} - name: SIGNUPS_VERIFY value: {{ .Values.vaultwarden.verifySignup | quote }} {{- if and (eq .Values.vaultwarden.requireEmail true) (eq .Values.vaultwarden.smtp.enabled false) }}{{ required "Requiring emails for login depends on SMTP" nil}}{{end}} - name: REQUIRE_DEVICE_EMAIL value: {{ .Values.vaultwarden.requireEmail | quote }} {{- if .Values.vaultwarden.emailAttempts }} - name: EMAIL_ATTEMPTS_LIMIT value: {{ .Values.vaultwarden.emailAttempts | quote }} {{- end }} {{- if .Values.vaultwarden.emailTokenExpiration }} - name: EMAIL_EXPIRATION_TIME value: {{ .Values.vaultwarden.emailTokenExpiration | quote }} {{- end }} - name: INVITATIONS_ALLOWED value: {{ .Values.vaultwarden.allowInvitation | quote }} {{- if .Values.vaultwarden.invitationExpiration }} - name: INVITATION_EXPIRATION_HOURS value: {{ .Values.vaultwarden.invitationExpiration | quote }} {{- end }} {{- if .Values.vaultwarden.defaultInviteName }} - name: INVITATION_ORG_NAME value: {{ .Values.vaultwarden.defaultInviteName | quote }} {{- end }} {{- if hasKey .Values.vaultwarden "passwordHintsAllowed" }} - name: PASSWORD_HINTS_ALLOWED value: {{ .Values.vaultwarden.passwordHintsAllowed | quote }} {{- end }} - name: SHOW_PASSWORD_HINT value: {{ .Values.vaultwarden.showPasswordHint | quote }} - name: WEBSOCKET_ENABLED value: {{ .Values.vaultwarden.enableWebsockets | quote }} - name: WEB_VAULT_ENABLED value: {{ .Values.vaultwarden.enableWebVault | quote }} - name: SENDS_ALLOWED value: {{ .Values.vaultwarden.enableSends | quote }} - name: ORG_CREATION_USERS value: {{ .Values.vaultwarden.orgCreationUsers | quote }} {{- if .Values.vaultwarden.attachmentLimitOrg }} - name: ORG_ATTACHMENT_LIMIT value: {{ .Values.vaultwarden.attachmentLimitOrg | quote }} {{- end }} {{- if .Values.vaultwarden.attachmentLimitUser }} - name: USER_ATTACHMENT_LIMIT value: {{ .Values.vaultwarden.attachmentLimitUser | quote }} {{- end }} {{- if .Values.vaultwarden.hibpApiKey }} - name: HIBP_API_KEY value: {{ .Values.vaultwarden.hibpApiKey | quote }} {{- end }} {{- if .Values.vaultwarden.autoDeleteDays }} - name: TRASH_AUTO_DELETE_DAYS value: {{ .Values.vaultwarden.autoDeleteDays | quote }} {{- end }} {{- if hasKey .Values.vaultwarden "orgEvents" }} - name: ORG_EVENTS_ENABLED value: {{ .Values.vaultwarden.orgEvents | quote }} {{- end }} {{- if hasKey .Values.vaultwarden "orgEventsRetention" }} - name: EVENTS_DAYS_RETAIN value: {{ .Values.vaultwarden.orgEventsRetention | quote }} {{- end }} {{- if .Values.vaultwarden.extraEnv }} {{- range $key, $val := .Values.vaultwarden.extraEnv }} - name: {{ $key }} value: {{ $val | quote }} {{- end }} {{- end }} {{- include "vaultwarden.dbTypeValid" . }} {{- if .Values.database.retries }} - name: DB_CONNECTION_RETRIES value: {{ .Values.database.retries | quote }} {{- end }} {{- if .Values.database.maxConnections }} - name: DATABASE_MAX_CONNS value: {{ .Values.database.maxConnections | quote }} {{- end }} {{- if eq .Values.database.type "sqlite" }} - name: ENABLE_DB_WAL value: {{ .Values.database.wal | quote }} {{- else }} - name: ENABLE_DB_WAL value: "false" - name: DATABASE_URL valueFrom: secretKeyRef: name: {{ if .Values.database.existingSecret }}{{ .Values.database.existingSecret }}{{else}}{{ include "vaultwarden.fullname" . }}{{end}} key: database-url {{- end }} {{- if .Values.vaultwarden.domain }} - name: DOMAIN value: {{ .Values.vaultwarden.domain | quote }} {{- end }} {{- if eq .Values.vaultwarden.admin.enabled true }} {{- if eq .Values.vaultwarden.admin.disableAdminToken true }} - name: DISABLE_ADMIN_TOKEN value: "true" {{- else }} - name: ADMIN_TOKEN valueFrom: secretKeyRef: name: {{ .Values.vaultwarden.admin.existingSecret | default (include "vaultwarden.fullname" .) }} key: admin-token {{- end }} {{- end }} - name: EMERGENCY_ACCESS_ALLOWED value: {{ .Values.vaultwarden.emergency.enabled | quote }} {{- if eq .Values.vaultwarden.emergency.enabled true }} {{- if not (kindIs "invalid" .Values.vaultwarden.emergency.reminder) }} - name: EMERGENCY_NOTIFICATION_REMINDER_SCHEDULE value: {{ .Values.vaultwarden.emergency.reminder | quote }} {{- end }} {{- if not (kindIs "invalid" .Values.vaultwarden.emergency.timeout) }} - name: EMERGENCY_REQUEST_TIMEOUT_SCHEDULE value: {{ .Values.vaultwarden.emergency.timeout | quote }} {{- end }} {{- end }} {{- if eq .Values.vaultwarden.smtp.enabled true }} - name: SMTP_HOST value: {{ required "SMTP host is required to enable SMTP" .Values.vaultwarden.smtp.host | quote }} - name: SMTP_FROM value: {{ required "SMTP sender address ('from') is required to enable SMTP" .Values.vaultwarden.smtp.from | quote }} {{- if .Values.vaultwarden.smtp.fromName }} - name: SMTP_FROM_NAME value: {{ .Values.vaultwarden.smtp.fromName | quote }} {{- end }} {{- if semverCompare "<1.25.0" (.Values.image.tag | default .Chart.AppVersion) }} - name: SMTP_SSL value: {{ required "Value smtp.ssl required for Vaultwarden prior to 1.25" .Values.vaultwarden.smtp.ssl | quote }} {{- if required "Value smtp.explictTLS required for Vaultwarden prior to 1.25" .Values.vaultwarden.smtp.explicitTLS }} {{- if (eq .Values.vaultwarden.smtp.ssl false) }} {{- required "Explicit TLS requires SSL to be enabled" nil }} {{- end }} - name: SMTP_EXPLICIT_TLS value: {{ .Values.vaultwarden.smtp.explicitTLS | quote }} {{- end}} {{- else }} {{- include "vaultwarden.smtpSecurityValid" . }} - name: SMTP_SECURITY value: {{ .Values.vaultwarden.smtp.security | quote }} {{- end }} {{- if .Values.vaultwarden.smtp.port }} - name: SMTP_PORT value: {{ .Values.vaultwarden.smtp.port | quote }} {{- end }} {{- if .Values.vaultwarden.smtp.authMechanism }} - name: SMTP_AUTH_MECHANISM value: {{ .Values.vaultwarden.smtp.authMechanism | quote }} {{- end }} {{- if .Values.vaultwarden.smtp.heloName }} - name: HELO_NAME value: {{ .Values.vaultwarden.smtp.heloName | quote }} {{- end }} {{- if .Values.vaultwarden.smtp.timeout }} - name: SMTP_TIMEOUT value: {{ .Values.vaultwarden.smtp.timeout | quote }} {{- end }} {{- if .Values.vaultwarden.smtp.invalidHostname }} - name: SMTP_ACCEPT_INVALID_HOSTNAMES value: {{ .Values.vaultwarden.smtp.invalidHostname | quote }} {{- end }} {{- if .Values.vaultwarden.smtp.invalidCertificate }} - name: SMTP_ACCEPT_INVALID_CERTS value: {{ .Values.vaultwarden.smtp.invalidCertificate | quote }} {{- end }} {{- if or .Values.vaultwarden.smtp.existingSecret .Values.vaultwarden.smtp.user }} - name: SMTP_USERNAME valueFrom: secretKeyRef: name: {{ .Values.vaultwarden.smtp.existingSecret | default (include "vaultwarden.fullname" .) }} key: smtp-user - name: SMTP_PASSWORD valueFrom: secretKeyRef: name: {{ .Values.vaultwarden.smtp.existingSecret | default (include "vaultwarden.fullname" .) }} key: smtp-password {{- end }} {{- if hasKey .Values.vaultwarden.smtp "embedImages" }} - name: SMTP_EMBED_IMAGES value: {{ .Values.vaultwarden.smtp.embedImages | quote }} {{- end }} {{- end }}{{/*SMTP*/}} {{- if eq .Values.vaultwarden.yubico.enabled true }} {{- if .Values.vaultwarden.yubico.server }} - name: YUBICO_SERVER value: {{ .Values.vaultwarden.yubico.server | quote }} {{- end }} - name: YUBICO_CLIENT_ID valueFrom: secretKeyRef: name: {{ .Values.vaultwarden.yubico.existingSecret | default (include "vaultwarden.fullname" .) }} key: yubico-client-id - name: YUBICO_SECRET_KEY valueFrom: secretKeyRef: name: {{ .Values.vaultwarden.yubico.existingSecret | default (include "vaultwarden.fullname" .) }} key: yubico-secret-key {{- end }} {{- if .Values.vaultwarden.log.file }} - name: LOG_FILE value: {{ .Values.vaultwarden.log.file | quote }} {{- end }} {{- if or .Values.vaultwarden.log.level .Values.vaultwarden.log.timeFormat }} - name: EXTENDED_LOGGING value: "true" {{- end }} {{- if .Values.vaultwarden.log.level }} {{- include "vaultwarden.logLevelValid" . }} - name: LOG_LEVEL value: {{ .Values.vaultwarden.log.level | quote }} {{- end }} {{- if .Values.vaultwarden.log.timeFormat }} - name: LOG_TIMESTAMP_FORMAT value: {{ .Values.vaultwarden.log.timeFormat | quote }} {{- end }} {{- if hasKey .Values.vaultwarden.icons "service" }} - name: ICON_SERVICE value: {{ .Values.vaultwarden.icons.service | quote }} {{- end }} {{- if .Values.vaultwarden.icons.disableDownload }} - name: DISABLE_ICON_DOWNLOAD value: {{ .Values.vaultwarden.icons.disableDownload | quote }} {{- if and (not .Values.vaultwarden.icons.cache) (eq .Values.vaultwarden.icons.disableDownload "true") }} - name: ICON_CACHE_TTL value: 0 {{- end }} {{- end }} {{- if .Values.vaultwarden.icons.cache }} - name: ICON_CACHE_TTL value: {{ .Values.vaultwarden.icons.cache }} {{- end }} {{- if .Values.vaultwarden.icons.cacheFailed }} - name: ICON_CACHE_NEGTTL value: {{ .Values.vaultwarden.icons.cacheFailed }} {{- end }} {{- if hasKey .Values.vaultwarden.icons "redirectCode" }} - name: ICON_REDIRECT_CODE value: {{ .Values.vaultwarden.icons.redirectCode | quote }} {{- end }} ports: - name: http containerPort: 8080 protocol: TCP {{- if .Values.vaultwarden.enableWebsockets }} - name: websocket containerPort: 3012 protocol: TCP {{- end }} livenessProbe: httpGet: path: {{ include "vaultwarden.domainSubPath" . }} port: http readinessProbe: httpGet: path: {{ include "vaultwarden.domainSubPath" . }} port: http volumeMounts: - name: {{ include "vaultwarden.fullname" . }} mountPath: /data resources: {{- toYaml .Values.resources | nindent 12 }} {{- if .Values.sidecars }} {{- toYaml .Values.sidecars | nindent 8 }} {{- end }} volumes: - name: {{ include "vaultwarden.fullname" . }} {{- if and .Values.persistence.enabled .Values.customVolume }} {{ required "customVolume cannot be used if persistence is enabled." nil }} {{- end }} {{- if .Values.persistence.enabled }} persistentVolumeClaim: claimName: {{ if .Values.persistence.existingClaim }}{{ .Values.persistence.existingClaim | quote }}{{- else }}{{ include "vaultwarden.fullname" . }}{{- end }} {{- else if .Values.customVolume }} {{- toYaml .Values.customVolume | nindent 8 }} {{- else }} emptyDir: {} {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.affinity }} affinity: {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }}