From 56db75f1c497a9ea58830c670319741a02c7132c Mon Sep 17 00:00:00 2001
From: Philip Haupt <“der.mad.mob@gmail.com”>
Date: Wed, 27 Aug 2025 00:15:12 +0200
Subject: [PATCH] vaultwarden restructure

---
 vaultwarden/cm.yaml | 78 ----
 vaultwarden/kustomization.yaml | 4 +-
 vaultwarden/main.yaml | 153 +++++++
 vaultwarden/src/values.yaml | 811 +++++++++++++++++++++++++++++++++
 vaultwarden/ss.yaml | 74 ---
 5 files changed, 965 insertions(+), 155 deletions(-)
 delete mode 100644 vaultwarden/cm.yaml
 create mode 100644 vaultwarden/src/values.yaml
 delete mode 100644 vaultwarden/ss.yaml

diff --git a/vaultwarden/cm.yaml b/vaultwarden/cm.yaml
deleted file mode 100644
index 9848f57..0000000
--- a/vaultwarden/cm.yaml
+++ /dev/null
@@ -1,78 +0,0 @@ -apiVersion: v1 -data: - _enable_duo: "false" - _enable_email_2fa: "false" - _enable_smtp: "true" - _enable_yubico: "false" - ADMIN_RATELIMIT_MAX_BURST: "3" - ADMIN_RATELIMIT_SECONDS: "300" - admin_session_lifetime: "20" - authenticator_disable_time_drift: "false" - DATABASE_MAX_CONNS: "10" - DB_CONNECTION_RETRIES: "15" - disable_2fa_remember: "false" - disable_icon_download: "false" - DOMAIN: https://vault.borninpain.de - email_2fa_enforce_on_verified_invite: "false" - email_2fa_auto_fallback: "false" - email_attempts_limit: "3" - EMAIL_CHANGE_ALLOWED: "true" - email_expiration_time: "600" - email_token_size: "6" - EMERGENCY_ACCESS_ALLOWED: "true" - EMERGENCY_NOTIFICATION_REMINDER_SCHEDULE: 0 3 * * * * - EMERGENCY_REQUEST_TIMEOUT_SCHEDULE: 0 7 * * * * - EXTENDED_LOGGING: "true" - EXPERIMENTAL_CLIENT_FEATURE_FLAGS: ssh-key-vault-item,ssh-agent - http_request_block_non_global_ips: "true" - ICON_BLACKLIST_NON_GLOBAL_IPS: "true" - icon_cache_ttl: "2592000" - icon_cache_negttl: "259200" - icon_download_timeout: "10" - ICON_REDIRECT_CODE: "302" - ICON_SERVICE: internal - incomplete_2fa_time_limit: "3" - increase_note_size_limit: "false" - INVITATION_EXPIRATION_HOURS: "120" - INVITATION_ORG_NAME: Vaultwarden - INVITATIONS_ALLOWED: "true" - IP_HEADER: X-Real-IP - LOG_TIMESTAMP_FORMAT: '%Y-%m-%d %H:%M:%S.%3f' - ORG_EVENTS_ENABLED: "false" - ORG_GROUPS_ENABLED: "false" - password_hints_allowed: "true" - password_iterations: "600000" - reload_templates: "false" - REQUIRE_DEVICE_EMAIL: "false" - ROCKET_ADDRESS: 0.0.0.0 - ROCKET_PORT: "8080" - ROCKET_WORKERS: "10" - SENDS_ALLOWED: "true" - SHOW_PASSWORD_HINT: "false" - SIGNUPS_ALLOWED: "true" - SIGNUPS_VERIFY: "true" - signups_verify_resend_limit: "6" - signups_verify_resend_time: "3600" - smtp_host: mxe965.netcup.net - smtp_security: starttls - smtp_port: "587" - smtp_from: noreply@borninpain.de - smtp_from_name: Vaultwarden - smtp_timeout: "15" - smtp_embed_images: "true" - smtp_accept_invalid_certs: "false" 
- smtp_accept_invalid_hostnames: "false" - TRASH_AUTO_DELETE_DAYS: "" - use_sendmail: "false" - WEB_VAULT_ENABLED: "true" -kind: ConfigMap -metadata: - labels: - app.kubernetes.io/component: vaultwarden - app.kubernetes.io/instance: vaultwarden - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: vaultwarden - app.kubernetes.io/version: 1.33.2 - helm.sh/chart: vaultwarden-0.31.8 - name: vaultwarden - namespace: vaultwarden \ No newline at end of file diff --git a/vaultwarden/kustomization.yaml b/vaultwarden/kustomization.yaml index afde5d6..5ec52c7 100644 --- a/vaultwarden/kustomization.yaml +++ b/vaultwarden/kustomization.yaml @@ -3,7 +3,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - cm.yaml - main.yaml - - pvc.yaml - - ss.yaml \ No newline at end of file + - pvc.yaml \ No newline at end of file diff --git a/vaultwarden/main.yaml b/vaultwarden/main.yaml index 31e658d..c66f135 100644 --- a/vaultwarden/main.yaml +++ b/vaultwarden/main.yaml 
@@ -97,6 +97,85 @@ subjects: name: vaultwarden-svc --- apiVersion: v1 +data: + _enable_duo: "false" + _enable_email_2fa: "false" + _enable_smtp: "true" + _enable_yubico: "false" + ADMIN_RATELIMIT_MAX_BURST: "3" + ADMIN_RATELIMIT_SECONDS: "300" + admin_session_lifetime: "20" + authenticator_disable_time_drift: "false" + DATABASE_MAX_CONNS: "10" + DB_CONNECTION_RETRIES: "15" + disable_2fa_remember: "false" + disable_icon_download: "false" + DOMAIN: https://vault.borninpain.de + email_2fa_enforce_on_verified_invite: "false" + email_2fa_auto_fallback: "false" + email_attempts_limit: "3" + EMAIL_CHANGE_ALLOWED: "true" + email_expiration_time: "600" + email_token_size: "6" + EMERGENCY_ACCESS_ALLOWED: "true" + EMERGENCY_NOTIFICATION_REMINDER_SCHEDULE: 0 3 * * * * + EMERGENCY_REQUEST_TIMEOUT_SCHEDULE: 0 7 * * * * + EXTENDED_LOGGING: "true" + EXPERIMENTAL_CLIENT_FEATURE_FLAGS: ssh-key-vault-item,ssh-agent + http_request_block_non_global_ips: "true" + ICON_BLACKLIST_NON_GLOBAL_IPS: "true" + icon_cache_ttl: "2592000" + icon_cache_negttl: "259200" + icon_download_timeout: "10" + ICON_REDIRECT_CODE: "302" + ICON_SERVICE: internal + incomplete_2fa_time_limit: "3" + increase_note_size_limit: "false" + INVITATION_EXPIRATION_HOURS: "120" + INVITATION_ORG_NAME: Vaultwarden + INVITATIONS_ALLOWED: "true" + IP_HEADER: X-Real-IP + LOG_TIMESTAMP_FORMAT: '%Y-%m-%d %H:%M:%S.%3f' + ORG_EVENTS_ENABLED: "false" + ORG_GROUPS_ENABLED: "false" + password_hints_allowed: "true" + password_iterations: "600000" + reload_templates: "false" + REQUIRE_DEVICE_EMAIL: "false" + ROCKET_ADDRESS: 0.0.0.0 + ROCKET_PORT: "8080" + ROCKET_WORKERS: "10" + SENDS_ALLOWED: "true" + SHOW_PASSWORD_HINT: "false" + SIGNUPS_ALLOWED: "true" + SIGNUPS_VERIFY: "true" + signups_verify_resend_limit: "6" + signups_verify_resend_time: "3600" + smtp_host: mxe965.netcup.net + smtp_security: starttls + smtp_port: "587" + smtp_from: noreply@borninpain.de + smtp_from_name: Vaultwarden + smtp_timeout: "15" + smtp_embed_images: "true" 
+ smtp_accept_invalid_certs: "false" + smtp_accept_invalid_hostnames: "false" + TRASH_AUTO_DELETE_DAYS: "" + use_sendmail: "false" + WEB_VAULT_ENABLED: "true" +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/component: vaultwarden + app.kubernetes.io/instance: vaultwarden + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: vaultwarden + app.kubernetes.io/version: 1.33.2 + helm.sh/chart: vaultwarden-0.31.8 + name: vaultwarden + namespace: vaultwarden +--- +apiVersion: v1 kind: Service metadata: labels: 
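Review bot: `SIGNUPS_ALLOWED: "true"` combined with the public `DOMAIN: https://vault.borninpain.de` leaves account registration open to anyone who can reach the instance; `SIGNUPS_VERIFY: "true"` only adds e-mail verification, it does not restrict who may register. If the instance is internet-facing, consider `SIGNUPS_ALLOWED: "false"` (organisation invites keep working through `INVITATIONS_ALLOWED: "true"`) or limiting signups to your own e-mail domains. `IP_HEADER: X-Real-IP` makes the admin login rate limit (`ADMIN_RATELIMIT_SECONDS`/`ADMIN_RATELIMIT_MAX_BURST`) and client-IP logging trust a request header, so it is only sound if the ingress in front of the ClusterIP Service always overwrites that header rather than passing a client-supplied value through. The data block also mixes lowercase keys (`smtp_host`, `admin_session_lifetime`, `password_iterations`) with uppercase ones, and since `envFrom` injects names verbatim it is worth confirming the application accepts the lowercase spelling — if it does not, those settings are silently ignored.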
@@ -120,3 +199,77 @@ spec: app.kubernetes.io/instance: vaultwarden app.kubernetes.io/name: vaultwarden type: ClusterIP +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + labels: + app.kubernetes.io/component: vaultwarden + app.kubernetes.io/instance: vaultwarden + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: vaultwarden + app.kubernetes.io/version: 1.33.2 + helm.sh/chart: vaultwarden-0.31.8 + name: vaultwarden + namespace: vaultwarden +spec: + persistentVolumeClaimRetentionPolicy: + whenDeleted: Retain + whenScaled: Retain + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: vaultwarden + app.kubernetes.io/instance: vaultwarden + app.kubernetes.io/name: vaultwarden + serviceName: vaultwarden + template: + metadata: + annotations: + checksum/config: 168947ab11e3ea29e464b86f13ba129b41fa167f + checksum/secret: 63df1807c40909b47d8731b04a208cffc9f387f4 + labels: + app.kubernetes.io/component: vaultwarden + app.kubernetes.io/instance: vaultwarden + app.kubernetes.io/name: vaultwarden + spec: + containers: + - envFrom: + - configMapRef: + name: vaultwarden + - secretRef: + name: vaultwarden + image: docker.io/vaultwarden/server:1.33.2-alpine + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 10 + httpGet: + path: /alive + port: http + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: vaultwarden + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /alive + port: http + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + volumeMounts: + - name: vaultwarden-data + mountPath: /data + volumes: + - name: vaultwarden-data + persistentVolumeClaim: + claimName: vaultwarden-data-pvc + serviceAccountName: vaultwarden-svc diff --git a/vaultwarden/src/values.yaml b/vaultwarden/src/values.yaml new file mode 100644 index 0000000..6bfa05a --- /dev/null 
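Review bot: The `checksum/config` and `checksum/secret` pod annotations are hashes Helm computed from the rendered ConfigMap/Secret at template time; now that the ConfigMap is a hand-edited manifest in the same file under kustomize, nothing recomputes them, so changing a ConfigMap key will not roll the StatefulSet and the running container keeps stale `envFrom` values. Either drop the two annotations and restart explicitly after config changes, or let kustomize own the ConfigMap via a `configMapGenerator` (its default hash suffix rewrites the `configMapRef` name on every change and forces a rollout). The container also has no `securityContext` and `resources: {}`, while `src/values.yaml` in this same commit lists the hardening settings (`runAsNonRoot`, `allowPrivilegeEscalation: false`, `capabilities: drop: [ALL]`, `readOnlyRootFilesystem` if the image tolerates it) only as commented-out examples — applying them to this container, plus memory/CPU limits, would be a cheap improvement. Note also the image here is `docker.io/vaultwarden/server:1.33.2-alpine` while `src/values.yaml` sets `image.tag: "1.34.3-alpine"`, so the two files already disagree about the deployed version.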
+++ b/vaultwarden/src/values.yaml 
@@ -0,0 +1,811 @@ +## Instruction: when adding a new value, follow https://github.com/dani-garcia/vaultwarden/blob/main/.env.template as much as possible. + +## @section Kubernetes settings +## +image: + ## @param image.registry Vaultwarden image registry + ## + registry: docker.io + ## @param image.repository Vaultwarden image repository + ## + repository: vaultwarden/server + ## + ## @param image.tag Vaultwarden image tag + ## Ref: https://hub.docker.com/r/vaultwarden/server/tags + ## + tag: "1.34.3-alpine" + ## @param image.pullPolicy Vaultwarden image pull policy + ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## @param image.pullSecrets Specify docker-registry secrets + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - name: myRegistryKeySecretName + ## + pullSecrets: [] + ## @param image.extraSecrets Vaultwarden image extra secrets + ## Example: + ## extraSecrets: + ## - key: SSO_CLIENT_SECRET + ## value: secretStuff + ## + extraSecrets: [] + ## @param image.extraVars Vaultwarden image extra vars + ## Example: + ## extraVars: + ## - key: SSO_AUTHORITY + ## value: https://bananaguy.com/auth + ## + extraVars: [] + ## @param image.extraVarsCM Vaultwarden image extra vars ConfigMap + ## Example: + ## extraVarsCM: "vaultwarden-extra-vars" + extraVarsCM: "" + ## @param image.extraVarsSecret Vaultwarden image extra vars Secret + ## Example: + ## extraVarsSecret: "vaultwarden-extra-vars" + extraVarsSecret: "" + +## @param replicas Number of deployment replicas +## +replicas: 1 + +## @param fullnameOverride String to override the application name. 
+## +fullnameOverride: "" + +## @param resourceType Can be either Deployment or StatefulSet +## Overwrite automatic resource type detection by specifying the resource type +## +resourceType: "" + +## @param commonAnnotations Annotations for the deployment or statefulset +## +commonAnnotations: {} + +## @param configMapAnnotations Add extra annotations to the configmap +## +configMapAnnotations: {} + +## @param podAnnotations Add extra annotations to the pod +## +podAnnotations: {} + +## @param commonLabels Additional labels for the deployment or statefulset +## +commonLabels: {} + +## @param podLabels Add extra labels to the pod +## +podLabels: {} + +## @param initContainers extra init containers for initializing the vaultwarden instance +## +initContainers: [] + +## @param sidecars extra containers running alongside the vaultwarden instance +## +sidecars: [] + +## @param extraVolumes Optionally specify extra list of additional volumes +## +extraVolumes: [] + +## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts +## +extraVolumeMounts: [] + +## @param nodeSelector Node labels for pod assignment +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector +## +nodeSelector: {} + +## @param affinity Affinity for pod assignment +## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +## +affinity: {} + +## @param tolerations Tolerations for pod assignment +## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +## +tolerations: [] + +## @param serviceAccount.create Create a service account +## @param serviceAccount.name Name of the service account to create +## +serviceAccount: + create: true + name: "vaultwarden-svc" + +## @param podSecurityContext Pod security options +## +podSecurityContext: + {} + # fsGroup: 1001 + # supplementalGroups: + # - 1001 + +## @param securityContext Default security options to run vault as read only 
container without privilege escalation +securityContext: + {} + # allowPrivilegeEscalation: false + # privileged: false + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsGroup: 1001 + # runAsUser: 1001 + # capabilities: + # drop: + # - ALL + +## @param dnsConfig Pod DNS options +## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config +dnsConfig: {} + +## @param enableServiceLinks Enable service links, Kubernetes default is true +## Ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service +## +enableServiceLinks: true + +## Extra objects +extraObjects: [] + ## @param extraObjects List of extra Kubernetes objects to create + ## This can be used to add additional Kubernetes objects such as ConfigMaps, Secrets, or Custom Resources. + ## Example: + ## - apiVersion: isindir.github.com/v1alpha3 + ## kind: SopsSecret + ## metadata: + ## name: "{{ .Release.Name }}-sops-secret" + ## spec: + ## data: + ## DB_STRING: ENC[AES256_GCM,data:******,iv:***,tag:***,type:str] + ## sops: ... + + +## @section Reliability configuration +## + +## Liveness probe configuration +## +livenessProbe: + ## @param livenessProbe.enabled Enable liveness probe + ## + enabled: true + ## @param livenessProbe.initialDelaySeconds Delay before liveness probe is initiated + ## + initialDelaySeconds: 5 + ## @param livenessProbe.timeoutSeconds How long to wait for the probe to succeed + ## + timeoutSeconds: 1 + ## @param livenessProbe.periodSeconds How often to perform the probe + ## + periodSeconds: 10 + ## @param livenessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful + ## + successThreshold: 1 + ## @param livenessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed + ## + failureThreshold: 10 + ## @param livenessProbe.path Path on which the probe is exposed, default is "/alive". 
Replace when using non-root path deployment + ## + path: /alive + +## Readiness probe configuration +## +readinessProbe: + ## @param readinessProbe.enabled Enable readiness probe + ## + enabled: true + ## @param readinessProbe.initialDelaySeconds Delay before readiness probe is initiated + ## + initialDelaySeconds: 5 + ## @param readinessProbe.timeoutSeconds How long to wait for the probe to succeed + ## + timeoutSeconds: 1 + ## @param readinessProbe.periodSeconds How often to perform the probe + ## + periodSeconds: 10 + ## @param readinessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful + ## + successThreshold: 1 + ## @param readinessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed + ## + failureThreshold: 3 + ## @param readinessProbe.path Path on which the probe is exposed, default is "/alive". Replace when using non-root path deployment + ## + path: /alive + +## Startup probe configuration +## +startupProbe: + ## @param startupProbe.enabled Enable startup probe + ## + enabled: false + ## @param startupProbe.initialDelaySeconds Delay before startup probe is initiated + ## + initialDelaySeconds: 5 + ## @param startupProbe.timeoutSeconds How long to wait for the probe to succeed + ## + timeoutSeconds: 1 + ## @param startupProbe.periodSeconds How often to perform the probe + ## + periodSeconds: 10 + ## @param startupProbe.successThreshold Minimum consecutive successes for the probe to be considered successful + ## + successThreshold: 1 + ## @param startupProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed + ## + failureThreshold: 10 + ## @param startupProbe.path Path on which the probe is exposed, default is "/alive". 
Replace when using non-root path deployment + ## + path: /alive + +## @param resources Resource configurations +## +resources: + {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 300m + # memory: 1Gi + # requests: + # cpu: 50m + # memory: 256Mi + +## @param strategy Resource configurations +## +strategy: + {} + # type: RollingUpdate + # rollingUpdate: + # maxSurge: 1 + # maxUnavailable: 0 + +podDisruptionBudget: + ## @param podDisruptionBudget.enabled Enable PodDisruptionBudget settings + # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + enabled: false + ## @param podDisruptionBudget.minAvailable Minimum number/percentage of pods that should remain scheduled. + # When it's set, maxUnavailable must be disabled by `maxUnavailable: null` + minAvailable: 1 + ## @param podDisruptionBudget.maxUnavailable Maximum number/percentage of pods that may be made unavailable + maxUnavailable: null + +## @section Persistent data configuration +## + + +storage: + ## @param storage.existingVolumeClaim If defined, the values here will be used for the data and + ## attachments PV's. The custom values for data and attachments will be ignored if + ## a value is set here + ## + existingVolumeClaim: + {} + # claimName: "vaultwarden-pvc" + # dataPath: "/data" + # attachmentsPath: /data/attachments + + ## @param storage.data Data directory configuration, refer to values.yaml for parameters. 
+ ## + data: + {} + # name: "vaultwarden-data" + # size: "15Gi" + # class: "" + # path: "/data" + # keepPvc: false + # accessMode: "ReadWriteOnce" + + ## @param storage.attachments Attachments directory configuration, refer to values.yaml for parameters. + ## By default, attachments/ is located inside the data directory. + ## + attachments: + {} + # name: "vaultwarden-files" + # size: "100Gi" + # class: "" + # path: /files + # keepPvc: false + # accessMode: "ReadWriteOnce" + +## @param webVaultEnabled Enable Web Vault +## +webVaultEnabled: "true" + +## @section Database settings +## + +database: + ## @param database.type Database type, either mysql or postgresql + ## Default is a sqlite database. + ## + type: "default" + ## @param database.host Database hostname or IP address + ## + host: "" + ## @param database.port Database port + ## Default for MySQL is 3306, default for PostgreSQL is 5432 + port: "" + ## @param database.username Database username + ## + username: "" + ## @param database.password Database password + ## + password: "" + ## @param database.dbName Database name + ## + dbName: "" + ## @param database.uriOverride Manually specify the DB connection string + ## + uriOverride: "" + ## @param database.existingSecret Name of an existing secret containing either a single key with the database uri, or a separate key for username and password + ## + existingSecret: "" + ## @param database.existingSecretKey Key in the existing secret + ## + existingSecretKey: "" + ## @param database.existingSecretUserKey Key in the existing secret + ## + existingSecretUserKey: username + ## @param database.existingSecretPasswordKey Key in the existing secret + ## + existingSecretPasswordKey: password + ## @param database.connectionRetries Number of times to retry the database connection during startup, with 1 second delay between each retry, set to 0 to retry indefinitely. 
+ ## + connectionRetries: 15 + ## @param database.maxConnections Define the size of the connection pool used for connecting to the database. + ## + maxConnections: 10 + +## @section Push Notifications +## Supported since 1.29.0. +## Refer to https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification for details +## +pushNotifications: + ## @param pushNotifications.enabled Enable the push notification service + ## + enabled: false + ## @param pushNotifications.existingSecret Name of an existing secret containing the Bitwarden installation id and key + ## + existingSecret: "" + installationId: + ## @param pushNotifications.installationId.value Bitwarden installation id string + ## Example: installationIdGoesHere + ## + value: "" + ## @param pushNotifications.installationId.existingSecretKey When using an existing secret, specify the key which contains the installation id. + ## Example: INSTALLATION_ID + ## + existingSecretKey: "" + installationKey: + ## @param pushNotifications.installationKey.value Bitwarden installation key string + ## Example: superSecretInstallationKey + ## + value: "" + ## @param pushNotifications.installationKey.existingSecretKey When using an existing secret, specify the key which contains the installation key. + ## Example: INSTALLATION_KEY + ## + existingSecretKey: "" + ## @param pushNotifications.relayUri Change Bitwarden relay uri. + ## Refer to https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification for details + ## + relayUri: "https://push.bitwarden.com" + ## @param pushNotifications.identityUri Change Bitwarden identity uri. + ## Refer to https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification for details + ## + identityUri: "https://identity.bitwarden.com" + +## @section Scheduled jobs +## + +## @param emergencyNotifReminderSched Cron schedule of the job that sends expiration reminders to emergency access grantors. 
+## Set to blank to disable this job. +## +emergencyNotifReminderSched: "0 3 * * * *" + +## @param emergencyRqstTimeoutSched Cron schedule of the job that grants emergency access requests that have met the required wait time. +## Set to blank to disable this job. +## +emergencyRqstTimeoutSched: "0 7 * * * *" + +## @param eventCleanupSched Cron schedule of the job that cleans old events from the event table. +## Set to blank to disable this job. Also without eventsDayRetain set, this job will not start. +## +eventCleanupSched: "0 10 0 * * *" + +## @param eventsDayRetain Number of days to retain events stored in the database. +## If unset (the default), events are kept indefinitely and the scheduled job is disabled! +## +eventsDayRetain: "" + +## @section General settings +## + +## @param domain Domain name where the application is accessed +## Example: https://warden.contoso.com:8443 +## +domain: "" + +## @param sendsAllowed Controls whether users are allowed to create Bitwarden Sends. +## +sendsAllowed: "true" + +## @param hibpApiKey HaveIBeenPwned API Key +## +hibpApiKey: "" + +## @param orgAttachmentLimit Max Kilobytes of attachment storage allowed per organization. +## When this limit is reached, organization members will not be allowed to upload further attachments for ciphers owned by that organization. +## +orgAttachmentLimit: "" + +## @param userAttachmentLimit Max kilobytes of attachment storage allowed per user. +## When this limit is reached, the user will not be allowed to upload further attachments. +## +userAttachmentLimit: "" + +## @param userSendLimit Max kilobytes of send storage allowed per user. +## When this limit is reached, the user will not be allowed to upload further sends. +## +userSendLimit: "" + +## @param trashAutoDeleteDays Number of days to wait before auto-deleting a trashed item. +## If unset (the default), trashed items are not auto-deleted. 
+## This setting applies globally, so make sure to inform all users of any changes to this setting. +## +trashAutoDeleteDays: "" + +## @param signupsAllowed By default, anyone who can access your instance can register for a new account. +## To disable this, set this parameter to false. Even when signupsAllowed=false, an existing user who is +## an organization owner or admin can still invite new users. If you want to disable this as well, set +## invitationsAllowed to false. The vaultwarden admin can invite anyone via the admin page, regardless +## of any of the restrictions above +## +## If signupDomains is set, then the value of signupsAllowed is ignored +signupsAllowed: true + +## @param signupsVerify Whether to require account verification for newly-registered users. +## +signupsVerify: "true" + +## @param signupDomains List of domain names for users allowed to register. For example: +## example.com,example.net,example.org. +## +signupDomains: "" + +## @param orgEventsEnabled Controls whether event logging is enabled for organizations +## +orgEventsEnabled: "false" + +## @param orgCreationUsers Controls which users can create new orgs. +## Blank or 'all' means all users can create orgs. +## 'none' means no users can create orgs. +## A comma-separated list means only those users can create orgs. +## +orgCreationUsers: "" + +## @param invitationsAllowed Even when registration is disabled, organization administrators or owners can +## invite users to join organization. After they are invited, they can register with the invited email even +## if signupsAllowed is actually set to false. 
You can disable this functionality completely by setting +## invitationsAllowed env variable to false +## +invitationsAllowed: true + +## @param invitationOrgName String Name shown in the invitation emails that don't come from a specific organization +## +invitationOrgName: "Vaultwarden" + +## @param invitationExpirationHours The number of hours after which an organization invite token, emergency access invite token, +## email verification token and deletion request token will expire (must be at least 1) +## +invitationExpirationHours: "120" + +## @param emergencyAccessAllowed Controls whether users can enable emergency access to their accounts. +## +emergencyAccessAllowed: "true" + +## @param emailChangeAllowed Controls whether users can change their email. +## This setting applies globally to all users +## +emailChangeAllowed: "true" + +## @param showPassHint Controls whether a password hint should be shown directly in the web page if +## SMTP service is not configured. Not recommended for publicly-accessible instances +## as this provides unauthenticated access to potentially sensitive data. +## +showPassHint: "false" + +## @section Advanced settings +## + +## @param ipHeader Client IP Header, used to identify the IP of the client +## +ipHeader: "X-Real-IP" + +## @param iconService The predefined icon services are: internal, bitwarden, duckduckgo, google. +## +iconService: "internal" + +## @param iconRedirectCode Icon redirect code +## +iconRedirectCode: "302" + +## @param iconBlacklistNonGlobalIps Whether block non-global IPs. 
+## Useful to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block +## +iconBlacklistNonGlobalIps: "true" + +## @param experimentalClientFeatureFlags Comma separated list of experimental features to enable in clients, make sure to check which features are already enabled by default (.env.template) +## Possible values: +## - "autofill-overlay": Add an overlay menu to form fields for quick access to credentials. +## - "autofill-v2": Use the new autofill implementation. +## - "browser-fileless-import": Directly import credentials from other providers without a file. +## - "fido2-vault-credentials": Enable the use of FIDO2 security keys as second factor. +## +experimentalClientFeatureFlags: null + +## @param requireDeviceEmail Require new device emails. When a user logs in an email is required to be sent. +## +requireDeviceEmail: "false" + +## @param extendedLogging Enable extended logging, which shows timestamps and targets in the logs +## +extendedLogging: "true" + +## @param logTimestampFormat Timestamp format used in extended logging. +## +logTimestampFormat: "%Y-%m-%d %H:%M:%S.%3f" + +logging: + ## @param logging.logLevel Specify the log level + ## + logLevel: "" + ## @param logging.logFile Log to a file + ## + logFile: "" + +## Token for the admin interface, preferably an Argon2 PCH string +adminToken: + ## @param adminToken.existingSecret Specify an existing Kubernetes secret containing the admin token. Also set adminToken.existingSecretKey. + ## Example: admincreds_secret + ## + existingSecret: "" + ## @param adminToken.existingSecretKey When using adminToken.existingSecret, specify the key containing the token. + ## Example: ADMIN_TOKEN + ## + existingSecretKey: "" + ## @param adminToken.value Plain or argon2 string containing the admin token. + ## This example is the argon2 has of "R@ndomTokenString" (no quotes). 
+ ## + value: "$argon2id$v=19$m=19456,t=2,p=1$Vkx1VkE4RmhDMUhwNm9YVlhPQkVOZk1Yc1duSDdGRVYzd0Y5ZkgwaVg0Yz0$PK+h1ANCbzzmEKaiQfCjWw+hWFaMKvLhG2PjRanH5Kk" + +## @param adminRateLimitSeconds Number of seconds, on average, between admin login requests from the same IP address before rate limiting kicks in. +## +adminRateLimitSeconds: "300" + +## @param adminRateLimitMaxBurst Allow a burst of requests of up to this size, while maintaining the average indicated by adminRateLimitSeconds. +## +adminRateLimitMaxBurst: "3" + +## @param timeZone Specify timezone different from the default (UTC). +## For example: "Europe/Berlin" +## +timeZone: "" + +## @section BETA Features +## + +## @param orgGroupsEnabled Controls whether group support is enabled for organizations +orgGroupsEnabled: "false" + +## @section MFA/2FA settings +## + +## Yubico (Yubikey) settings +## Reference: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Yubikey-OTP-authentication +## +yubico: + ## @param yubico.clientId Yubico client ID + ## + clientId: "" + ## @param yubico.existingSecret Name of an existing secret containing the Yubico secret key. Also set yubico.secretKey.existingSecretKey. + ## + existingSecret: "" + ## Yubico secret key + ## + secretKey: + ## @param yubico.secretKey.value secretKey plain text + ## Example: ABCDEABCDEABCDEABCDE= + ## + value: "" + ## @param yubico.secretKey.existingSecretKey When using an existing secret, specify the key which contains the secretKey. + ## Example: YUBICO_SECRET_KEY + ## + existingSecretKey: "" + ## @param yubico.server Specify a Yubico server, otherwise the default servers will be used + ## + server: "" + +## Duo settings +## Reference: https://help.bitwarden.com/article/setup-two-step-login-duo/#create-a-duo-security-account +## +duo: + ## @param duo.iKey Duo Integration Key + ## + iKey: "" + ## @param duo.existingSecret Name of an existing secret containing the Duo skey. Also set duo.sKey.existingSecretKey. 
+ ## + existingSecret: "" + ## Duo secret key + ## + sKey: + ## @param duo.sKey.value sKey plain text + ## Example: ABCDEABCDEABCDEABCDE= + ## + value: "" + ## @param duo.sKey.existingSecretKey When using an existing secret, specify the key which contains the sKey. + ## Example: DUO_SKEY + ## + existingSecretKey: "" + ## @param duo.hostname Duo API hostname + ## + hostname: "" + +## @section SMTP Configuration +## +smtp: + ## @param smtp.existingSecret Name of an existing secret containing the SMTP username and password. Also set smtp.username.existingSecretKey and smtp.password.existingSecretKey. + ## + existingSecret: "" + ## @param smtp.host SMTP host + ## + host: "" + ## @param smtp.security SMTP Encryption method + ## Possible values: + ## - starttls: explicit TLS using ports 587 or 25 + ## - force_tls: implicit TLS using port 465 + ## - off: no encryption, using port 25, unless using STARTTLS + ## + security: "starttls" + ## @param smtp.port SMTP port + ## + port: 25 + ## @param smtp.from SMTP sender email address + ## Example: juan.delacruz@gmail.com + ## + from: "" + ## @param smtp.fromName SMTP sender FROM + ## + fromName: "" + ## Username for SMTP authentication. + ## + username: + ## @param smtp.username.value Username string for the SMTP authentication. + ## Example: juan + ## + value: "" + ## @param smtp.username.existingSecretKey When using an existing secret, specify the key which contains the username. + ## Example: SMTP_USERNAME + ## + existingSecretKey: "" + ## Password for SMTP authentication. + ## + password: + ## @param smtp.password.value Password string for the SMTP authentication. + ## Example: Sup3rsecurepa$$word + ## + value: "" + ## @param smtp.password.existingSecretKey When using an existing secret, specify the key which contains the password. 
+ ## Example: SMTP_PASSWORD + ## + existingSecretKey: "" + ## @param smtp.authMechanism SMTP authentication mechanism + ## Possible values: "Plain", "Login", "Xoauth2" + ## Multiple options need to be separated by a comma. (not tested) + ## + authMechanism: "Plain" + ## @param smtp.acceptInvalidHostnames Accept Invalid Hostnames + ## + acceptInvalidHostnames: "false" + ## @param smtp.acceptInvalidCerts Accept Invalid Certificates + ## + acceptInvalidCerts: "false" + ## @param smtp.debug SMTP debugging + ## + debug: false + +## @section Exposure settings +## + +## @param rocket.address Address to bind to +## @param rocket.port Rocket port +## @param rocket.workers Rocket number of workers +## +rocket: + address: "0.0.0.0" + port: "8080" + workers: "10" + +## Service configuration +service: + ## @param service.type Service type + ## + type: "ClusterIP" + ## @param service.annotations Additional annotations for the vaultwarden service + ## + annotations: {} + ## @param service.labels Additional labels for the service + ## + labels: {} + ## @param service.ipFamilyPolicy IP family policy for the service + ## + ipFamilyPolicy: "SingleStack" + ## @param service.sessionAffinity Session affinity + ## + # sessionAffinity: ClientIP + sessionAffinity: "" + ## @param service.sessionAffinityConfig Session affinity configuration + ## + sessionAffinityConfig: {} + # sessionAffinityConfig: + # clientIP: + # timeoutSeconds: 10800 + +## Ingress configuration +## Refer to the README for some examples +## +ingress: + ## @param ingress.enabled Deploy an ingress resource. + ## + enabled: false + ## @param ingress.class Ingress resource class + ## The Ingress class to use, e. g. "nginx" for a nginx ingress controller or "alb" for a AWS LB controller. 
+ # + class: "nginx" + ## @param ingress.nginxIngressAnnotations Add nginx specific ingress annotations + ## These annotations only make sense for the kubernetes nginx ingress controller (https://kubernetes.github.io/ingress-nginx/) + ## + nginxIngressAnnotations: true + ## @param ingress.additionalAnnotations Additional annotations for the ingress resource. + ## + additionalAnnotations: {} + ## @param ingress.labels Additional labels for the ingress resource. + ## + labels: {} + ## @param ingress.tls Enable TLS on the ingress resource. + ## + tls: true + ## @param ingress.hostname Hostname for the ingress. + ## + hostname: "warden.contoso.com" + ## @param ingress.additionalHostnames Additional hostnames for the ingress. + ## + additionalHostnames: [] + ## @param ingress.path Default application path for the ingress + ## + path: "/" + ## @param ingress.pathType Path type for the ingress + ## Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ + ## + pathType: "Prefix" + ## @param ingress.tlsSecret Kubernetes secret containing the SSL certificate when using the "nginx" class. + ## + tlsSecret: "" + ## @param ingress.nginxAllowList Comma-separated list of IP addresses and subnets to allow. + ## + nginxAllowList: "" + ## @param ingress.customHeadersConfigMap ConfigMap containing custom headers to be added to the ingress. + ## Requirement: First define the allowed response headers in global-allowed-response-headers. + ## Ref: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#custom-headers + ## + customHeadersConfigMap: {} + ## TODO: + ## - Add support for using cert-manager. + ## - Support for multiple TLS hostnames. + ## diff --git a/vaultwarden/ss.yaml b/vaultwarden/ss.yaml deleted file mode 100644 index 1b5ed7f..0000000 --- a/vaultwarden/ss.yaml +++ /dev/null 
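Review bot: `adminToken.value` carries a populated argon2 hash whose plaintext is stated in the comment directly above it (`R@ndomTokenString`), so the admin-interface token this file would configure is publicly known; if this file is ever used to render the chart, set `value: ""` and point `adminToken.existingSecret`/`adminToken.existingSecretKey` at a Kubernetes Secret instead. Several values here do not match the rendered manifests in `main.yaml` (`image.tag: "1.34.3-alpine"` vs `1.33.2-alpine`, `domain: ""` vs `https://vault.borninpain.de`, `smtp.host: ""`), which suggests this is a copy of the upstream chart defaults rather than the values the manifests were generated from — a one-line header such as `## Upstream chart defaults kept for reference; not the values used to render main.yaml` would stop someone re-rendering with it by mistake. `signupsAllowed: true` and `invitationsAllowed: true` are bare booleans while the neighbouring toggles use quoted strings (`"true"`/`"false"`); harmless for templating but inconsistent within the file.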
@@ -1,74 +0,0 @@ ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - labels: - app.kubernetes.io/component: vaultwarden - app.kubernetes.io/instance: vaultwarden - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: vaultwarden - app.kubernetes.io/version: 1.33.2 - helm.sh/chart: vaultwarden-0.31.8 - name: vaultwarden - namespace: vaultwarden -spec: - persistentVolumeClaimRetentionPolicy: - whenDeleted: Retain - whenScaled: Retain - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/component: vaultwarden - app.kubernetes.io/instance: vaultwarden - app.kubernetes.io/name: vaultwarden - serviceName: vaultwarden - template: - metadata: - annotations: - checksum/config: 168947ab11e3ea29e464b86f13ba129b41fa167f - checksum/secret: 63df1807c40909b47d8731b04a208cffc9f387f4 - labels: - app.kubernetes.io/component: vaultwarden - app.kubernetes.io/instance: vaultwarden - app.kubernetes.io/name: vaultwarden - spec: - containers: - - envFrom: - - configMapRef: - name: vaultwarden - - secretRef: - name: vaultwarden - image: docker.io/vaultwarden/server:1.33.2-alpine - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 10 - httpGet: - path: /alive - port: http - initialDelaySeconds: 5 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - name: vaultwarden - ports: - - containerPort: 8080 - name: http - protocol: TCP - readinessProbe: - failureThreshold: 3 - httpGet: - path: /alive - port: http - initialDelaySeconds: 5 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - resources: {} - volumeMounts: - - name: vaultwarden-data - mountPath: /data - volumes: - - name: vaultwarden-data - persistentVolumeClaim: - claimName: vaultwarden-data-pvc - serviceAccountName: vaultwarden-svc \ No newline at end of file