vaultwarden restructure

Philip Haupt
2025-08-27 00:15:12 +02:00
parent 2384144cd6
commit 56db75f1c4
5 changed files with 965 additions and 155 deletions


@@ -1,78 +0,0 @@
apiVersion: v1
data:
_enable_duo: "false"
_enable_email_2fa: "false"
_enable_smtp: "true"
_enable_yubico: "false"
ADMIN_RATELIMIT_MAX_BURST: "3"
ADMIN_RATELIMIT_SECONDS: "300"
admin_session_lifetime: "20"
authenticator_disable_time_drift: "false"
DATABASE_MAX_CONNS: "10"
DB_CONNECTION_RETRIES: "15"
disable_2fa_remember: "false"
disable_icon_download: "false"
DOMAIN: https://vault.borninpain.de
email_2fa_enforce_on_verified_invite: "false"
email_2fa_auto_fallback: "false"
email_attempts_limit: "3"
EMAIL_CHANGE_ALLOWED: "true"
email_expiration_time: "600"
email_token_size: "6"
EMERGENCY_ACCESS_ALLOWED: "true"
EMERGENCY_NOTIFICATION_REMINDER_SCHEDULE: 0 3 * * * *
EMERGENCY_REQUEST_TIMEOUT_SCHEDULE: 0 7 * * * *
EXTENDED_LOGGING: "true"
EXPERIMENTAL_CLIENT_FEATURE_FLAGS: ssh-key-vault-item,ssh-agent
http_request_block_non_global_ips: "true"
ICON_BLACKLIST_NON_GLOBAL_IPS: "true"
icon_cache_ttl: "2592000"
icon_cache_negttl: "259200"
icon_download_timeout: "10"
ICON_REDIRECT_CODE: "302"
ICON_SERVICE: internal
incomplete_2fa_time_limit: "3"
increase_note_size_limit: "false"
INVITATION_EXPIRATION_HOURS: "120"
INVITATION_ORG_NAME: Vaultwarden
INVITATIONS_ALLOWED: "true"
IP_HEADER: X-Real-IP
LOG_TIMESTAMP_FORMAT: '%Y-%m-%d %H:%M:%S.%3f'
ORG_EVENTS_ENABLED: "false"
ORG_GROUPS_ENABLED: "false"
password_hints_allowed: "true"
password_iterations: "600000"
reload_templates: "false"
REQUIRE_DEVICE_EMAIL: "false"
ROCKET_ADDRESS: 0.0.0.0
ROCKET_PORT: "8080"
ROCKET_WORKERS: "10"
SENDS_ALLOWED: "true"
SHOW_PASSWORD_HINT: "false"
SIGNUPS_ALLOWED: "true"
SIGNUPS_VERIFY: "true"
signups_verify_resend_limit: "6"
signups_verify_resend_time: "3600"
smtp_host: mxe965.netcup.net
smtp_security: starttls
smtp_port: "587"
smtp_from: noreply@borninpain.de
smtp_from_name: Vaultwarden
smtp_timeout: "15"
smtp_embed_images: "true"
smtp_accept_invalid_certs: "false"
smtp_accept_invalid_hostnames: "false"
TRASH_AUTO_DELETE_DAYS: ""
use_sendmail: "false"
WEB_VAULT_ENABLED: "true"
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: vaultwarden
app.kubernetes.io/instance: vaultwarden
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: vaultwarden
app.kubernetes.io/version: 1.33.2
helm.sh/chart: vaultwarden-0.31.8
name: vaultwarden
namespace: vaultwarden


@@ -3,7 +3,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- cm.yaml
- main.yaml - main.yaml
- pvc.yaml - pvc.yaml
- ss.yaml


@@ -97,6 +97,85 @@ subjects:
name: vaultwarden-svc name: vaultwarden-svc
--- ---
apiVersion: v1 apiVersion: v1
data:
_enable_duo: "false"
_enable_email_2fa: "false"
_enable_smtp: "true"
_enable_yubico: "false"
ADMIN_RATELIMIT_MAX_BURST: "3"
ADMIN_RATELIMIT_SECONDS: "300"
admin_session_lifetime: "20"
authenticator_disable_time_drift: "false"
DATABASE_MAX_CONNS: "10"
DB_CONNECTION_RETRIES: "15"
disable_2fa_remember: "false"
disable_icon_download: "false"
DOMAIN: https://vault.borninpain.de
email_2fa_enforce_on_verified_invite: "false"
email_2fa_auto_fallback: "false"
email_attempts_limit: "3"
EMAIL_CHANGE_ALLOWED: "true"
email_expiration_time: "600"
email_token_size: "6"
EMERGENCY_ACCESS_ALLOWED: "true"
EMERGENCY_NOTIFICATION_REMINDER_SCHEDULE: 0 3 * * * *
EMERGENCY_REQUEST_TIMEOUT_SCHEDULE: 0 7 * * * *
EXTENDED_LOGGING: "true"
EXPERIMENTAL_CLIENT_FEATURE_FLAGS: ssh-key-vault-item,ssh-agent
http_request_block_non_global_ips: "true"
ICON_BLACKLIST_NON_GLOBAL_IPS: "true"
icon_cache_ttl: "2592000"
icon_cache_negttl: "259200"
icon_download_timeout: "10"
ICON_REDIRECT_CODE: "302"
ICON_SERVICE: internal
incomplete_2fa_time_limit: "3"
increase_note_size_limit: "false"
INVITATION_EXPIRATION_HOURS: "120"
INVITATION_ORG_NAME: Vaultwarden
INVITATIONS_ALLOWED: "true"
IP_HEADER: X-Real-IP
LOG_TIMESTAMP_FORMAT: '%Y-%m-%d %H:%M:%S.%3f'
ORG_EVENTS_ENABLED: "false"
ORG_GROUPS_ENABLED: "false"
password_hints_allowed: "true"
password_iterations: "600000"
reload_templates: "false"
REQUIRE_DEVICE_EMAIL: "false"
ROCKET_ADDRESS: 0.0.0.0
ROCKET_PORT: "8080"
ROCKET_WORKERS: "10"
SENDS_ALLOWED: "true"
SHOW_PASSWORD_HINT: "false"
SIGNUPS_ALLOWED: "true"
SIGNUPS_VERIFY: "true"
signups_verify_resend_limit: "6"
signups_verify_resend_time: "3600"
smtp_host: mxe965.netcup.net
smtp_security: starttls
smtp_port: "587"
smtp_from: noreply@borninpain.de
smtp_from_name: Vaultwarden
smtp_timeout: "15"
smtp_embed_images: "true"
smtp_accept_invalid_certs: "false"
smtp_accept_invalid_hostnames: "false"
TRASH_AUTO_DELETE_DAYS: ""
use_sendmail: "false"
WEB_VAULT_ENABLED: "true"
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: vaultwarden
app.kubernetes.io/instance: vaultwarden
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: vaultwarden
app.kubernetes.io/version: 1.33.2
helm.sh/chart: vaultwarden-0.31.8
name: vaultwarden
namespace: vaultwarden
---
apiVersion: v1
kind: Service kind: Service
metadata: metadata:
labels: labels:
@@ -120,3 +199,77 @@ spec:
app.kubernetes.io/instance: vaultwarden app.kubernetes.io/instance: vaultwarden
app.kubernetes.io/name: vaultwarden app.kubernetes.io/name: vaultwarden
type: ClusterIP type: ClusterIP
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
labels:
app.kubernetes.io/component: vaultwarden
app.kubernetes.io/instance: vaultwarden
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: vaultwarden
app.kubernetes.io/version: 1.33.2
helm.sh/chart: vaultwarden-0.31.8
name: vaultwarden
namespace: vaultwarden
spec:
persistentVolumeClaimRetentionPolicy:
whenDeleted: Retain
whenScaled: Retain
replicas: 1
selector:
matchLabels:
app.kubernetes.io/component: vaultwarden
app.kubernetes.io/instance: vaultwarden
app.kubernetes.io/name: vaultwarden
serviceName: vaultwarden
template:
metadata:
annotations:
checksum/config: 168947ab11e3ea29e464b86f13ba129b41fa167f
checksum/secret: 63df1807c40909b47d8731b04a208cffc9f387f4
labels:
app.kubernetes.io/component: vaultwarden
app.kubernetes.io/instance: vaultwarden
app.kubernetes.io/name: vaultwarden
spec:
containers:
- envFrom:
- configMapRef:
name: vaultwarden
- secretRef:
name: vaultwarden
image: docker.io/vaultwarden/server:1.33.2-alpine
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 10
httpGet:
path: /alive
port: http
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
name: vaultwarden
ports:
- containerPort: 8080
name: http
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /alive
port: http
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
resources: {}
volumeMounts:
- name: vaultwarden-data
mountPath: /data
volumes:
- name: vaultwarden-data
persistentVolumeClaim:
claimName: vaultwarden-data-pvc
serviceAccountName: vaultwarden-svc
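Review bot: The `checksum/config` and `checksum/secret` pod-template annotations (`168947ab…` and `63df1807…`) were computed by Helm against the chart-rendered ConfigMap and Secret; now that the ConfigMap is inlined and hand-edited in this same file nothing recomputes them, so a config change no longer rolls the StatefulSet and the values silently go stale. Either drop those two annotation lines or emit the ConfigMap through kustomize's `configMapGenerator`, whose content-hash name suffix restarts the pods on change. The `app.kubernetes.io/managed-by: Helm` and `helm.sh/chart: vaultwarden-0.31.8` labels are likewise misleading on a kustomize-managed manifest. The container also runs with no `securityContext` and `resources: {}`; the hardening that the new values.yaml lists under `securityContext` (`runAsNonRoot: true`, `readOnlyRootFilesystem: true`, `allowPrivilegeEscalation: false`, dropping all capabilities) would be worth applying here as well, assuming the image tolerates a read-only root filesystem.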

811
vaultwarden/src/values.yaml Normal file

@@ -0,0 +1,811 @@
## Instruction: when adding a new value, follow https://github.com/dani-garcia/vaultwarden/blob/main/.env.template as much as possible.
## @section Kubernetes settings
##
image:
## @param image.registry Vaultwarden image registry
##
registry: docker.io
## @param image.repository Vaultwarden image repository
##
repository: vaultwarden/server
##
## @param image.tag Vaultwarden image tag
## Ref: https://hub.docker.com/r/vaultwarden/server/tags
##
tag: "1.34.3-alpine"
## @param image.pullPolicy Vaultwarden image pull policy
## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
##
pullPolicy: IfNotPresent
## @param image.pullSecrets Specify docker-registry secrets
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
## Example:
## pullSecrets:
## - name: myRegistryKeySecretName
##
pullSecrets: []
## @param image.extraSecrets Vaultwarden image extra secrets
## Example:
## extraSecrets:
## - key: SSO_CLIENT_SECRET
## value: secretStuff
##
extraSecrets: []
## @param image.extraVars Vaultwarden image extra vars
## Example:
## extraVars:
## - key: SSO_AUTHORITY
## value: https://bananaguy.com/auth
##
extraVars: []
## @param image.extraVarsCM Vaultwarden image extra vars ConfigMap
## Example:
## extraVarsCM: "vaultwarden-extra-vars"
extraVarsCM: ""
## @param image.extraVarsSecret Vaultwarden image extra vars Secret
## Example:
## extraVarsSecret: "vaultwarden-extra-vars"
extraVarsSecret: ""
## @param replicas Number of deployment replicas
##
replicas: 1
## @param fullnameOverride String to override the application name.
##
fullnameOverride: ""
## @param resourceType Can be either Deployment or StatefulSet
## Overwrite automatic resource type detection by specifying the resource type
##
resourceType: ""
## @param commonAnnotations Annotations for the deployment or statefulset
##
commonAnnotations: {}
## @param configMapAnnotations Add extra annotations to the configmap
##
configMapAnnotations: {}
## @param podAnnotations Add extra annotations to the pod
##
podAnnotations: {}
## @param commonLabels Additional labels for the deployment or statefulset
##
commonLabels: {}
## @param podLabels Add extra labels to the pod
##
podLabels: {}
## @param initContainers extra init containers for initializing the vaultwarden instance
##
initContainers: []
## @param sidecars extra containers running alongside the vaultwarden instance
##
sidecars: []
## @param extraVolumes Optionally specify extra list of additional volumes
##
extraVolumes: []
## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts
##
extraVolumeMounts: []
## @param nodeSelector Node labels for pod assignment
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
##
nodeSelector: {}
## @param affinity Affinity for pod assignment
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
##
affinity: {}
## @param tolerations Tolerations for pod assignment
## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
##
tolerations: []
## @param serviceAccount.create Create a service account
## @param serviceAccount.name Name of the service account to create
##
serviceAccount:
create: true
name: "vaultwarden-svc"
## @param podSecurityContext Pod security options
##
podSecurityContext:
{}
# fsGroup: 1001
# supplementalGroups:
# - 1001
## @param securityContext Default security options to run vault as read only container without privilege escalation
securityContext:
{}
# allowPrivilegeEscalation: false
# privileged: false
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsGroup: 1001
# runAsUser: 1001
# capabilities:
# drop:
# - ALL
## @param dnsConfig Pod DNS options
## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
dnsConfig: {}
## @param enableServiceLinks Enable service links, Kubernetes default is true
## Ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service
##
enableServiceLinks: true
## Extra objects
extraObjects: []
## @param extraObjects List of extra Kubernetes objects to create
## This can be used to add additional Kubernetes objects such as ConfigMaps, Secrets, or Custom Resources.
## Example:
## - apiVersion: isindir.github.com/v1alpha3
## kind: SopsSecret
## metadata:
## name: "{{ .Release.Name }}-sops-secret"
## spec:
## data:
## DB_STRING: ENC[AES256_GCM,data:******,iv:***,tag:***,type:str]
## sops: ...
## @section Reliability configuration
##
## Liveness probe configuration
##
livenessProbe:
## @param livenessProbe.enabled Enable liveness probe
##
enabled: true
## @param livenessProbe.initialDelaySeconds Delay before liveness probe is initiated
##
initialDelaySeconds: 5
## @param livenessProbe.timeoutSeconds How long to wait for the probe to succeed
##
timeoutSeconds: 1
## @param livenessProbe.periodSeconds How often to perform the probe
##
periodSeconds: 10
## @param livenessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful
##
successThreshold: 1
## @param livenessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed
##
failureThreshold: 10
## @param livenessProbe.path Path on which the probe is exposed, default is "/alive". Replace when using non-root path deployment
##
path: /alive
## Readiness probe configuration
##
readinessProbe:
## @param readinessProbe.enabled Enable readiness probe
##
enabled: true
## @param readinessProbe.initialDelaySeconds Delay before readiness probe is initiated
##
initialDelaySeconds: 5
## @param readinessProbe.timeoutSeconds How long to wait for the probe to succeed
##
timeoutSeconds: 1
## @param readinessProbe.periodSeconds How often to perform the probe
##
periodSeconds: 10
## @param readinessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful
##
successThreshold: 1
## @param readinessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed
##
failureThreshold: 3
## @param readinessProbe.path Path on which the probe is exposed, default is "/alive". Replace when using non-root path deployment
##
path: /alive
## Startup probe configuration
##
startupProbe:
## @param startupProbe.enabled Enable startup probe
##
enabled: false
## @param startupProbe.initialDelaySeconds Delay before startup probe is initiated
##
initialDelaySeconds: 5
## @param startupProbe.timeoutSeconds How long to wait for the probe to succeed
##
timeoutSeconds: 1
## @param startupProbe.periodSeconds How often to perform the probe
##
periodSeconds: 10
## @param startupProbe.successThreshold Minimum consecutive successes for the probe to be considered successful
##
successThreshold: 1
## @param startupProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed
##
failureThreshold: 10
## @param startupProbe.path Path on which the probe is exposed, default is "/alive". Replace when using non-root path deployment
##
path: /alive
## @param resources Resource configurations
##
resources:
{}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 300m
# memory: 1Gi
# requests:
# cpu: 50m
# memory: 256Mi
## @param strategy Resource configurations
##
strategy:
{}
# type: RollingUpdate
# rollingUpdate:
# maxSurge: 1
# maxUnavailable: 0
podDisruptionBudget:
## @param podDisruptionBudget.enabled Enable PodDisruptionBudget settings
# ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
enabled: false
## @param podDisruptionBudget.minAvailable Minimum number/percentage of pods that should remain scheduled.
# When it's set, maxUnavailable must be disabled by `maxUnavailable: null`
minAvailable: 1
## @param podDisruptionBudget.maxUnavailable Maximum number/percentage of pods that may be made unavailable
maxUnavailable: null
## @section Persistent data configuration
##
storage:
## @param storage.existingVolumeClaim If defined, the values here will be used for the data and
## attachments PV's. The custom values for data and attachments will be ignored if
## a value is set here
##
existingVolumeClaim:
{}
# claimName: "vaultwarden-pvc"
# dataPath: "/data"
# attachmentsPath: /data/attachments
## @param storage.data Data directory configuration, refer to values.yaml for parameters.
##
data:
{}
# name: "vaultwarden-data"
# size: "15Gi"
# class: ""
# path: "/data"
# keepPvc: false
# accessMode: "ReadWriteOnce"
## @param storage.attachments Attachments directory configuration, refer to values.yaml for parameters.
## By default, attachments/ is located inside the data directory.
##
attachments:
{}
# name: "vaultwarden-files"
# size: "100Gi"
# class: ""
# path: /files
# keepPvc: false
# accessMode: "ReadWriteOnce"
## @param webVaultEnabled Enable Web Vault
##
webVaultEnabled: "true"
## @section Database settings
##
database:
## @param database.type Database type, either mysql or postgresql
## Default is a sqlite database.
##
type: "default"
## @param database.host Database hostname or IP address
##
host: ""
## @param database.port Database port
## Default for MySQL is 3306, default for PostgreSQL is 5432
port: ""
## @param database.username Database username
##
username: ""
## @param database.password Database password
##
password: ""
## @param database.dbName Database name
##
dbName: ""
## @param database.uriOverride Manually specify the DB connection string
##
uriOverride: ""
## @param database.existingSecret Name of an existing secret containing either a single key with the database uri, or a separate key for username and password
##
existingSecret: ""
## @param database.existingSecretKey Key in the existing secret
##
existingSecretKey: ""
## @param database.existingSecretUserKey Key in the existing secret
##
existingSecretUserKey: username
## @param database.existingSecretPasswordKey Key in the existing secret
##
existingSecretPasswordKey: password
## @param database.connectionRetries Number of times to retry the database connection during startup, with 1 second delay between each retry, set to 0 to retry indefinitely.
##
connectionRetries: 15
## @param database.maxConnections Define the size of the connection pool used for connecting to the database.
##
maxConnections: 10
## @section Push Notifications
## Supported since 1.29.0.
## Refer to https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification for details
##
pushNotifications:
## @param pushNotifications.enabled Enable the push notification service
##
enabled: false
## @param pushNotifications.existingSecret Name of an existing secret containing the Bitwarden installation id and key
##
existingSecret: ""
installationId:
## @param pushNotifications.installationId.value Bitwarden installation id string
## Example: installationIdGoesHere
##
value: ""
## @param pushNotifications.installationId.existingSecretKey When using an existing secret, specify the key which contains the installation id.
## Example: INSTALLATION_ID
##
existingSecretKey: ""
installationKey:
## @param pushNotifications.installationKey.value Bitwarden installation key string
## Example: superSecretInstallationKey
##
value: ""
## @param pushNotifications.installationKey.existingSecretKey When using an existing secret, specify the key which contains the installation key.
## Example: INSTALLATION_KEY
##
existingSecretKey: ""
## @param pushNotifications.relayUri Change Bitwarden relay uri.
## Refer to https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification for details
##
relayUri: "https://push.bitwarden.com"
## @param pushNotifications.identityUri Change Bitwarden identity uri.
## Refer to https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification for details
##
identityUri: "https://identity.bitwarden.com"
## @section Scheduled jobs
##
## @param emergencyNotifReminderSched Cron schedule of the job that sends expiration reminders to emergency access grantors.
## Set to blank to disable this job.
##
emergencyNotifReminderSched: "0 3 * * * *"
## @param emergencyRqstTimeoutSched Cron schedule of the job that grants emergency access requests that have met the required wait time.
## Set to blank to disable this job.
##
emergencyRqstTimeoutSched: "0 7 * * * *"
## @param eventCleanupSched Cron schedule of the job that cleans old events from the event table.
## Set to blank to disable this job. Also without eventsDayRetain set, this job will not start.
##
eventCleanupSched: "0 10 0 * * *"
## @param eventsDayRetain Number of days to retain events stored in the database.
## If unset (the default), events are kept indefinitely and the scheduled job is disabled!
##
eventsDayRetain: ""
## @section General settings
##
## @param domain Domain name where the application is accessed
## Example: https://warden.contoso.com:8443
##
domain: ""
## @param sendsAllowed Controls whether users are allowed to create Bitwarden Sends.
##
sendsAllowed: "true"
## @param hibpApiKey HaveIBeenPwned API Key
##
hibpApiKey: ""
## @param orgAttachmentLimit Max Kilobytes of attachment storage allowed per organization.
## When this limit is reached, organization members will not be allowed to upload further attachments for ciphers owned by that organization.
##
orgAttachmentLimit: ""
## @param userAttachmentLimit Max kilobytes of attachment storage allowed per user.
## When this limit is reached, the user will not be allowed to upload further attachments.
##
userAttachmentLimit: ""
## @param userSendLimit Max kilobytes of send storage allowed per user.
## When this limit is reached, the user will not be allowed to upload further sends.
##
userSendLimit: ""
## @param trashAutoDeleteDays Number of days to wait before auto-deleting a trashed item.
## If unset (the default), trashed items are not auto-deleted.
## This setting applies globally, so make sure to inform all users of any changes to this setting.
##
trashAutoDeleteDays: ""
## @param signupsAllowed By default, anyone who can access your instance can register for a new account.
## To disable this, set this parameter to false. Even when signupsAllowed=false, an existing user who is
## an organization owner or admin can still invite new users. If you want to disable this as well, set
## invitationsAllowed to false. The vaultwarden admin can invite anyone via the admin page, regardless
## of any of the restrictions above
##
## If signupDomains is set, then the value of signupsAllowed is ignored
signupsAllowed: true
## @param signupsVerify Whether to require account verification for newly-registered users.
##
signupsVerify: "true"
## @param signupDomains List of domain names for users allowed to register. For example:
## example.com,example.net,example.org.
##
signupDomains: ""
## @param orgEventsEnabled Controls whether event logging is enabled for organizations
##
orgEventsEnabled: "false"
## @param orgCreationUsers Controls which users can create new orgs.
## Blank or 'all' means all users can create orgs.
## 'none' means no users can create orgs.
## A comma-separated list means only those users can create orgs.
##
orgCreationUsers: ""
## @param invitationsAllowed Even when registration is disabled, organization administrators or owners can
## invite users to join organization. After they are invited, they can register with the invited email even
## if signupsAllowed is actually set to false. You can disable this functionality completely by setting
## invitationsAllowed env variable to false
##
invitationsAllowed: true
## @param invitationOrgName String Name shown in the invitation emails that don't come from a specific organization
##
invitationOrgName: "Vaultwarden"
## @param invitationExpirationHours The number of hours after which an organization invite token, emergency access invite token,
## email verification token and deletion request token will expire (must be at least 1)
##
invitationExpirationHours: "120"
## @param emergencyAccessAllowed Controls whether users can enable emergency access to their accounts.
##
emergencyAccessAllowed: "true"
## @param emailChangeAllowed Controls whether users can change their email.
## This setting applies globally to all users
##
emailChangeAllowed: "true"
## @param showPassHint Controls whether a password hint should be shown directly in the web page if
## SMTP service is not configured. Not recommended for publicly-accessible instances
## as this provides unauthenticated access to potentially sensitive data.
##
showPassHint: "false"
## @section Advanced settings
##
## @param ipHeader Client IP Header, used to identify the IP of the client
##
ipHeader: "X-Real-IP"
## @param iconService The predefined icon services are: internal, bitwarden, duckduckgo, google.
##
iconService: "internal"
## @param iconRedirectCode Icon redirect code
##
iconRedirectCode: "302"
## @param iconBlacklistNonGlobalIps Whether block non-global IPs.
## Useful to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block
##
iconBlacklistNonGlobalIps: "true"
## @param experimentalClientFeatureFlags Comma separated list of experimental features to enable in clients, make sure to check which features are already enabled by default (.env.template)
## Possible values:
## - "autofill-overlay": Add an overlay menu to form fields for quick access to credentials.
## - "autofill-v2": Use the new autofill implementation.
## - "browser-fileless-import": Directly import credentials from other providers without a file.
## - "fido2-vault-credentials": Enable the use of FIDO2 security keys as second factor.
##
experimentalClientFeatureFlags: null
## @param requireDeviceEmail Require new device emails. When a user logs in an email is required to be sent.
##
requireDeviceEmail: "false"
## @param extendedLogging Enable extended logging, which shows timestamps and targets in the logs
##
extendedLogging: "true"
## @param logTimestampFormat Timestamp format used in extended logging.
##
logTimestampFormat: "%Y-%m-%d %H:%M:%S.%3f"
logging:
## @param logging.logLevel Specify the log level
##
logLevel: ""
## @param logging.logFile Log to a file
##
logFile: ""
## Token for the admin interface, preferably an Argon2 PCH string
adminToken:
## @param adminToken.existingSecret Specify an existing Kubernetes secret containing the admin token. Also set adminToken.existingSecretKey.
## Example: admincreds_secret
##
existingSecret: ""
## @param adminToken.existingSecretKey When using adminToken.existingSecret, specify the key containing the token.
## Example: ADMIN_TOKEN
##
existingSecretKey: ""
## @param adminToken.value Plain or argon2 string containing the admin token.
## This example is the argon2 has of "R@ndomTokenString" (no quotes).
##
value: "$argon2id$v=19$m=19456,t=2,p=1$Vkx1VkE4RmhDMUhwNm9YVlhPQkVOZk1Yc1duSDdGRVYzd0Y5ZkgwaVg0Yz0$PK+h1ANCbzzmEKaiQfCjWw+hWFaMKvLhG2PjRanH5Kk"
## @param adminRateLimitSeconds Number of seconds, on average, between admin login requests from the same IP address before rate limiting kicks in.
##
adminRateLimitSeconds: "300"
## @param adminRateLimitMaxBurst Allow a burst of requests of up to this size, while maintaining the average indicated by adminRateLimitSeconds.
##
adminRateLimitMaxBurst: "3"
## @param timeZone Specify timezone different from the default (UTC).
## For example: "Europe/Berlin"
##
timeZone: ""
## @section BETA Features
##
## @param orgGroupsEnabled Controls whether group support is enabled for organizations
orgGroupsEnabled: "false"
## @section MFA/2FA settings
##
## Yubico (Yubikey) settings
## Reference: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Yubikey-OTP-authentication
##
yubico:
## @param yubico.clientId Yubico client ID
##
clientId: ""
## @param yubico.existingSecret Name of an existing secret containing the Yubico secret key. Also set yubico.secretKey.existingSecretKey.
##
existingSecret: ""
## Yubico secret key
##
secretKey:
## @param yubico.secretKey.value secretKey plain text
## Example: ABCDEABCDEABCDEABCDE=
##
value: ""
## @param yubico.secretKey.existingSecretKey When using an existing secret, specify the key which contains the secretKey.
## Example: YUBICO_SECRET_KEY
##
existingSecretKey: ""
## @param yubico.server Specify a Yubico server, otherwise the default servers will be used
##
server: ""
## Duo settings
## Reference: https://help.bitwarden.com/article/setup-two-step-login-duo/#create-a-duo-security-account
##
duo:
## @param duo.iKey Duo Integration Key
##
iKey: ""
## @param duo.existingSecret Name of an existing secret containing the Duo skey. Also set duo.sKey.existingSecretKey.
##
existingSecret: ""
## Duo secret key
##
sKey:
## @param duo.sKey.value sKey plain text
## Example: ABCDEABCDEABCDEABCDE=
##
value: ""
## @param duo.sKey.existingSecretKey When using an existing secret, specify the key which contains the sKey.
## Example: DUO_SKEY
##
existingSecretKey: ""
## @param duo.hostname Duo API hostname
##
hostname: ""
## @section SMTP Configuration
##
smtp:
## @param smtp.existingSecret Name of an existing secret containing the SMTP username and password. Also set smtp.username.existingSecretKey and smtp.password.existingSecretKey.
##
existingSecret: ""
## @param smtp.host SMTP host
##
host: ""
## @param smtp.security SMTP Encryption method
## Possible values:
## - starttls: explicit TLS using ports 587 or 25
## - force_tls: implicit TLS using port 465
## - off: no encryption, using port 25, unless using STARTTLS
##
security: "starttls"
## @param smtp.port SMTP port
##
port: 25
## @param smtp.from SMTP sender email address
## Example: juan.delacruz@gmail.com
##
from: ""
## @param smtp.fromName SMTP sender FROM
##
fromName: ""
## Username for SMTP authentication.
##
username:
## @param smtp.username.value Username string for the SMTP authentication.
## Example: juan
##
value: ""
## @param smtp.username.existingSecretKey When using an existing secret, specify the key which contains the username.
## Example: SMTP_USERNAME
##
existingSecretKey: ""
## Password for SMTP authentication.
##
password:
## @param smtp.password.value Password string for the SMTP authentication.
## Example: Sup3rsecurepa$$word
##
value: ""
## @param smtp.password.existingSecretKey When using an existing secret, specify the key which contains the password.
## Example: SMTP_PASSWORD
##
existingSecretKey: ""
## @param smtp.authMechanism SMTP authentication mechanism
## Possible values: "Plain", "Login", "Xoauth2"
## Multiple options need to be separated by a comma. (not tested)
##
authMechanism: "Plain"
## @param smtp.acceptInvalidHostnames Accept Invalid Hostnames
##
acceptInvalidHostnames: "false"
## @param smtp.acceptInvalidCerts Accept Invalid Certificates
##
acceptInvalidCerts: "false"
## @param smtp.debug SMTP debugging
##
debug: false
## @section Exposure settings
##
## @param rocket.address Address to bind to
## @param rocket.port Rocket port
## @param rocket.workers Rocket number of workers
##
rocket:
address: "0.0.0.0"
port: "8080"
workers: "10"
## Service configuration
service:
## @param service.type Service type
##
type: "ClusterIP"
## @param service.annotations Additional annotations for the vaultwarden service
##
annotations: {}
## @param service.labels Additional labels for the service
##
labels: {}
## @param service.ipFamilyPolicy IP family policy for the service
##
ipFamilyPolicy: "SingleStack"
## @param service.sessionAffinity Session affinity
##
# sessionAffinity: ClientIP
sessionAffinity: ""
## @param service.sessionAffinityConfig Session affinity configuration
##
sessionAffinityConfig: {}
# sessionAffinityConfig:
# clientIP:
# timeoutSeconds: 10800
## Ingress configuration
## Refer to the README for some examples
##
ingress:
## @param ingress.enabled Deploy an ingress resource.
##
enabled: false
## @param ingress.class Ingress resource class
## The Ingress class to use, e. g. "nginx" for a nginx ingress controller or "alb" for a AWS LB controller.
#
class: "nginx"
## @param ingress.nginxIngressAnnotations Add nginx specific ingress annotations
## These annotations only make sense for the kubernetes nginx ingress controller (https://kubernetes.github.io/ingress-nginx/)
##
nginxIngressAnnotations: true
## @param ingress.additionalAnnotations Additional annotations for the ingress resource.
##
additionalAnnotations: {}
## @param ingress.labels Additional labels for the ingress resource.
##
labels: {}
## @param ingress.tls Enable TLS on the ingress resource.
##
tls: true
## @param ingress.hostname Hostname for the ingress.
##
hostname: "warden.contoso.com"
## @param ingress.additionalHostnames Additional hostnames for the ingress.
##
additionalHostnames: []
## @param ingress.path Default application path for the ingress
##
path: "/"
## @param ingress.pathType Path type for the ingress
## Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
##
pathType: "Prefix"
## @param ingress.tlsSecret Kubernetes secret containing the SSL certificate when using the "nginx" class.
##
tlsSecret: ""
## @param ingress.nginxAllowList Comma-separated list of IP addresses and subnets to allow.
##
nginxAllowList: ""
## @param ingress.customHeadersConfigMap ConfigMap containing custom headers to be added to the ingress.
## Requirement: First define the allowed response headers in global-allowed-response-headers.
## Ref: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#custom-headers
##
customHeadersConfigMap: {}
## TODO:
## - Add support for using cert-manager.
## - Support for multiple TLS hostnames.
##
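Review bot: `adminToken.value` ships a literal Argon2 PHC string whose plaintext the comment directly above it gives away (`This example is the argon2 has of "R@ndomTokenString"`), so if this file is applied as-is the /admin interface is guarded by a publicly documented token; set `value: ""` and point `adminToken.existingSecret` / `adminToken.existingSecretKey` at a Secret generated for this deployment (the comment's `has` should also read `hash`). The file also disagrees with the manifest committed alongside it: `image.tag` is `"1.34.3-alpine"` here while main.yaml pins `docker.io/vaultwarden/server:1.33.2-alpine`, and `experimentalClientFeatureFlags` is `null` here while the ConfigMap sets `ssh-key-vault-item,ssh-agent` — if this values file is meant to regenerate main.yaml, one of the two appears stale. `signupsAllowed: true` and `invitationsAllowed: true` are bare booleans while the neighbouring flags are quoted strings (`signupsVerify: "true"`); quoting them consistently avoids a template rendering an unquoted `true` into a ConfigMap `data` block, where every value must be a string.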


@@ -1,74 +0,0 @@
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
labels:
app.kubernetes.io/component: vaultwarden
app.kubernetes.io/instance: vaultwarden
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: vaultwarden
app.kubernetes.io/version: 1.33.2
helm.sh/chart: vaultwarden-0.31.8
name: vaultwarden
namespace: vaultwarden
spec:
persistentVolumeClaimRetentionPolicy:
whenDeleted: Retain
whenScaled: Retain
replicas: 1
selector:
matchLabels:
app.kubernetes.io/component: vaultwarden
app.kubernetes.io/instance: vaultwarden
app.kubernetes.io/name: vaultwarden
serviceName: vaultwarden
template:
metadata:
annotations:
checksum/config: 168947ab11e3ea29e464b86f13ba129b41fa167f
checksum/secret: 63df1807c40909b47d8731b04a208cffc9f387f4
labels:
app.kubernetes.io/component: vaultwarden
app.kubernetes.io/instance: vaultwarden
app.kubernetes.io/name: vaultwarden
spec:
containers:
- envFrom:
- configMapRef:
name: vaultwarden
- secretRef:
name: vaultwarden
image: docker.io/vaultwarden/server:1.33.2-alpine
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 10
httpGet:
path: /alive
port: http
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
name: vaultwarden
ports:
- containerPort: 8080
name: http
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /alive
port: http
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
resources: {}
volumeMounts:
- name: vaultwarden-data
mountPath: /data
volumes:
- name: vaultwarden-data
persistentVolumeClaim:
claimName: vaultwarden-data-pvc
serviceAccountName: vaultwarden-svc