vaultwarden helm template

2025-09-02 00:41:43 +02:00
parent 56db75f1c4
commit 849bd7dc1d
3 changed files with 97 additions and 73 deletions
--- a/vaultwarden/main.yaml
+++ b/vaultwarden/main.yaml
@@ -98,39 +98,21 @@ subjects:
 ---
 apiVersion: v1
 data:
-  _enable_duo: "false"
-  _enable_email_2fa: "false"
-  _enable_smtp: "true"
-  _enable_yubico: "false"
  ADMIN_RATELIMIT_MAX_BURST: "3"
  ADMIN_RATELIMIT_SECONDS: "300"
-  admin_session_lifetime: "20"
-  authenticator_disable_time_drift: "false"
+  DATA_FOLDER: /data
  DATABASE_MAX_CONNS: "10"
  DB_CONNECTION_RETRIES: "15"
-  disable_2fa_remember: "false"
-  disable_icon_download: "false"
  DOMAIN: https://vault.borninpain.de
-  email_2fa_enforce_on_verified_invite: "false"
-  email_2fa_auto_fallback: "false"
-  email_attempts_limit: "3"
  EMAIL_CHANGE_ALLOWED: "true"
-  email_expiration_time: "600"
-  email_token_size: "6"
  EMERGENCY_ACCESS_ALLOWED: "true"
  EMERGENCY_NOTIFICATION_REMINDER_SCHEDULE: 0 3 * * * *
  EMERGENCY_REQUEST_TIMEOUT_SCHEDULE: 0 7 * * * *
-  EXTENDED_LOGGING: "true"
  EXPERIMENTAL_CLIENT_FEATURE_FLAGS: ssh-key-vault-item,ssh-agent
-  http_request_block_non_global_ips: "true"
+  EXTENDED_LOGGING: "true"
  ICON_BLACKLIST_NON_GLOBAL_IPS: "true"
-  icon_cache_ttl: "2592000"
-  icon_cache_negttl: "259200"
-  icon_download_timeout: "10"
  ICON_REDIRECT_CODE: "302"
  ICON_SERVICE: internal
-  incomplete_2fa_time_limit: "3"
-  increase_note_size_limit: "false"
  INVITATION_EXPIRATION_HOURS: "120"
  INVITATION_ORG_NAME: Vaultwarden
  INVITATIONS_ALLOWED: "true"
@@ -138,9 +120,6 @@ data:
  LOG_TIMESTAMP_FORMAT: '%Y-%m-%d %H:%M:%S.%3f'
  ORG_EVENTS_ENABLED: "false"
  ORG_GROUPS_ENABLED: "false"
-  password_hints_allowed: "true"
-  password_iterations: "600000"
-  reload_templates: "false"
  REQUIRE_DEVICE_EMAIL: "false"
  ROCKET_ADDRESS: 0.0.0.0
  ROCKET_PORT: "8080"
@@ -149,19 +128,17 @@ data:
  SHOW_PASSWORD_HINT: "false"
  SIGNUPS_ALLOWED: "true"
  SIGNUPS_VERIFY: "true"
-  signups_verify_resend_limit: "6"
-  signups_verify_resend_time: "3600"
-  smtp_host: mxe965.netcup.net
-  smtp_security: starttls
-  smtp_port: "587"
-  smtp_from: noreply@borninpain.de
-  smtp_from_name: Vaultwarden
-  smtp_timeout: "15"
-  smtp_embed_images: "true"
-  smtp_accept_invalid_certs: "false"
-  smtp_accept_invalid_hostnames: "false"
+  SMTP_ACCEPT_INVALID_CERTS: "false"
+  SMTP_ACCEPT_INVALID_HOSTNAMES: "false"
+  SMTP_AUTH_MECHANISM: Plain
+  SMTP_DEBUG: "false"
+  SMTP_FROM: noreply@borninpain.de
+  SMTP_FROM_NAME: Vaultwarden
+  SMTP_HOST: mxe965.netcup.net
+  SMTP_PORT: "587"
+  SMTP_SECURITY: starttls
  TRASH_AUTO_DELETE_DAYS: ""
-  use_sendmail: "false"
+  TZ: Europe/Berlin
  WEB_VAULT_ENABLED: "true"
 kind: ConfigMap
 metadata:
@@ -226,20 +203,54 @@ spec:
  template:
    metadata:
      annotations:
-        checksum/config: 168947ab11e3ea29e464b86f13ba129b41fa167f
-        checksum/secret: 63df1807c40909b47d8731b04a208cffc9f387f4
+        checksum/config: 43e8689608a3dc84803c911f22965468d480cd42
+        checksum/secret: adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
      labels:
        app.kubernetes.io/component: vaultwarden
        app.kubernetes.io/instance: vaultwarden
        app.kubernetes.io/name: vaultwarden
    spec:
      containers:
-      - envFrom:
+      - env:
+        - name: YUBICO_SECRET_KEY
+          valueFrom:
+            secretKeyRef:
+              key: YUBICO_SECRET_KEY
+              name: vaultwarden
+        - name: DUO_SKEY
+          valueFrom:
+            secretKeyRef:
+              key: DUO_SKEY
+              name: vaultwarden
+        - name: SMTP_USERNAME
+          valueFrom:
+            secretKeyRef:
+              key: SMTP_USERNAME
+              name: vaultwarden
+        - name: SMTP_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: SMTP_PASSWORD
+              name: vaultwarden
+        - name: ADMIN_TOKEN
+          valueFrom:
+            secretKeyRef:
+              key: ADMIN_TOKEN
+              name: vaultwarden
+        - name: PUSH_INSTALLATION_ID
+          valueFrom:
+            secretKeyRef:
+              key: PUSH_INSTALLATION_ID
+              name: vaultwarden
+        - name: PUSH_INSTALLATION_KEY
+          valueFrom:
+            secretKeyRef:
+              key: PUSH_INSTALLATION_KEY
+              name: vaultwarden
+        envFrom:
        - configMapRef:
            name: vaultwarden
-        - secretRef:
-            name: vaultwarden
-        image: docker.io/vaultwarden/server:1.33.2-alpine
+        image: docker.io/vaultwarden/server:1.34.3-alpine
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 10
@@ -266,10 +277,23 @@ spec:
          timeoutSeconds: 1
        resources: {}
        volumeMounts:
-        - name: vaultwarden-data
-          mountPath: /data
-      volumes:
-      - name: vaultwarden-data
-        persistentVolumeClaim:
-          claimName: vaultwarden-data-pvc
+        - mountPath: /data
+          name: vaultwarden-data
      serviceAccountName: vaultwarden-svc
+  volumeClaimTemplates:
+  - metadata:
+      annotations:
+        meta.helm.sh/release-name: vaultwarden
+        meta.helm.sh/release-namespace: vaultwarden
+      labels:
+        app.kubernetes.io/component: vaultwarden
+        app.kubernetes.io/instance: vaultwarden
+        app.kubernetes.io/name: vaultwarden
+      name: vaultwarden-data
+    spec:
+      accessModes:
+      - ReadWriteOnce
+      resources:
+        requests:
+          storage: 1Gi
+      storageClassName: openebs-3-replicas
--- a/vaultwarden/src/kustomization.yaml
+++ b/vaultwarden/src/kustomization.yaml
@@ -8,3 +8,4 @@ helmCharts:
    version: 0.31.8
    releaseName: vaultwarden
    namespace: vaultwarden
+    valuesFile: values.yaml
--- a/vaultwarden/src/values.yaml
+++ b/vaultwarden/src/values.yaml
@@ -294,13 +294,12 @@ storage:
  ## @param storage.data Data directory configuration, refer to values.yaml for parameters.
  ##
  data:
-    {}
-    # name: "vaultwarden-data"
-    # size: "15Gi"
-    # class: ""
-    # path: "/data"
-    # keepPvc: false
-    # accessMode: "ReadWriteOnce"
+    name: vaultwarden-data
+    size: 1Gi
+    class: openebs-3-replicas
+    path: /data
+    keepPvc: false
+    accessMode: ReadWriteOnce

  ## @param storage.attachments Attachments directory configuration, refer to values.yaml for parameters.
  ## By default, attachments/ is located inside the data directory.
@@ -373,7 +372,7 @@ pushNotifications:
  enabled: false
  ## @param pushNotifications.existingSecret Name of an existing secret containing the Bitwarden installation id and key
  ##
-  existingSecret: ""
+  existingSecret: vaultwarden
  installationId:
    ## @param pushNotifications.installationId.value Bitwarden installation id string
    ## Example: installationIdGoesHere
@@ -382,7 +381,7 @@ pushNotifications:
    ## @param pushNotifications.installationId.existingSecretKey When using an existing secret, specify the key which contains the installation id.
    ## Example: INSTALLATION_ID
    ##
-    existingSecretKey: ""
+    existingSecretKey: PUSH_INSTALLATION_ID
  installationKey:
    ## @param pushNotifications.installationKey.value Bitwarden installation key string
    ## Example: superSecretInstallationKey
@@ -391,7 +390,7 @@ pushNotifications:
    ## @param pushNotifications.installationKey.existingSecretKey When using an existing secret, specify the key which contains the installation key.
    ## Example: INSTALLATION_KEY
    ##
-    existingSecretKey: ""
+    existingSecretKey: PUSH_INSTALLATION_KEY
  ## @param pushNotifications.relayUri Change Bitwarden relay uri.
  ## Refer to https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification for details
  ##
@@ -430,7 +429,7 @@ eventsDayRetain: ""
 ## @param domain Domain name where the application is accessed
 ## Example: https://warden.contoso.com:8443
 ##
-domain: ""
+domain: "https://vault.borninpain.de"

 ## @param sendsAllowed Controls whether users are allowed to create Bitwarden Sends.
 ##
@@ -548,7 +547,7 @@ iconBlacklistNonGlobalIps: "true"
 ##  - "browser-fileless-import": Directly import credentials from other providers without a file.
 ##  - "fido2-vault-credentials": Enable the use of FIDO2 security keys as second factor.
 ##
-experimentalClientFeatureFlags: null
+experimentalClientFeatureFlags: ssh-key-vault-item,ssh-agent

 ## @param requireDeviceEmail Require new device emails. When a user logs in an email is required to be sent.
 ##
@@ -575,11 +574,11 @@ adminToken:
  ## @param adminToken.existingSecret Specify an existing Kubernetes secret containing the admin token. Also set adminToken.existingSecretKey.
  ## Example: admincreds_secret
  ##
-  existingSecret: ""
+  existingSecret: vaultwarden
  ## @param adminToken.existingSecretKey When using adminToken.existingSecret, specify the key containing the token.
  ## Example: ADMIN_TOKEN
  ##
-  existingSecretKey: ""
+  existingSecretKey: ADMIN_TOKEN
  ## @param adminToken.value Plain or argon2 string containing the admin token.
  ## This example is the argon2 has of "R@ndomTokenString" (no quotes).
  ##
@@ -596,7 +595,7 @@ adminRateLimitMaxBurst: "3"
 ## @param timeZone Specify timezone different from the default (UTC).
 ## For example: "Europe/Berlin"
 ##
-timeZone: ""
+timeZone: Europe/Berlin

 ## @section BETA Features
 ##
@@ -616,7 +615,7 @@ yubico:
  clientId: ""
  ## @param yubico.existingSecret Name of an existing secret containing the Yubico secret key. Also set yubico.secretKey.existingSecretKey.
  ##
-  existingSecret: ""
+  existingSecret: vaultwarden
  ## Yubico secret key
  ##
  secretKey:
@@ -627,7 +626,7 @@ yubico:
    ## @param yubico.secretKey.existingSecretKey When using an existing secret, specify the key which contains the secretKey.
    ## Example: YUBICO_SECRET_KEY
    ##
-    existingSecretKey: ""
+    existingSecretKey: YUBICO_SECRET_KEY
  ## @param yubico.server Specify a Yubico server, otherwise the default servers will be used
  ##
  server: ""
@@ -641,7 +640,7 @@ duo:
  iKey: ""
  ## @param duo.existingSecret Name of an existing secret containing the Duo skey. Also set duo.sKey.existingSecretKey.
  ##
-  existingSecret: ""
+  existingSecret: vaultwarden
  ## Duo secret key
  ##
  sKey:
@@ -652,7 +651,7 @@ duo:
    ## @param duo.sKey.existingSecretKey When using an existing secret, specify the key which contains the sKey.
    ## Example: DUO_SKEY
    ##
-    existingSecretKey: ""
+    existingSecretKey: DUO_SKEY
  ## @param duo.hostname Duo API hostname
  ##
  hostname: ""
@@ -662,10 +661,10 @@ duo:
 smtp:
  ## @param smtp.existingSecret Name of an existing secret containing the SMTP username and password. Also set smtp.username.existingSecretKey and smtp.password.existingSecretKey.
  ##
-  existingSecret: ""
+  existingSecret: vaultwarden
  ## @param smtp.host SMTP host
  ##
-  host: ""
+  host: "mxe965.netcup.net"
  ## @param smtp.security SMTP Encryption method
  ## Possible values:
  ##  - starttls: explicit TLS using ports 587 or 25
@@ -675,14 +674,14 @@ smtp:
  security: "starttls"
  ## @param smtp.port SMTP port
  ##
-  port: 25
+  port: 587
  ## @param smtp.from SMTP sender email address
  ## Example: juan.delacruz@gmail.com
  ##
-  from: ""
+  from: noreply@borninpain.de
  ## @param smtp.fromName SMTP sender FROM
  ##
-  fromName: ""
+  fromName: Vaultwarden
  ## Username for SMTP authentication.
  ##
  username:
@@ -693,7 +692,7 @@ smtp:
    ## @param smtp.username.existingSecretKey When using an existing secret, specify the key which contains the username.
    ## Example: SMTP_USERNAME
    ##
-    existingSecretKey: ""
+    existingSecretKey: SMTP_USERNAME
  ## Password for SMTP authentication.
  ##
  password:
@@ -704,7 +703,7 @@ smtp:
    ## @param smtp.password.existingSecretKey When using an existing secret, specify the key which contains the password.
    ## Example: SMTP_PASSWORD
    ##
-    existingSecretKey: ""
+    existingSecretKey: SMTP_PASSWORD
  ## @param smtp.authMechanism SMTP authentication mechanism
  ## Possible values: "Plain", "Login", "Xoauth2"
  ## Multiple options need to be separated by a comma. (not tested)