vaultwarden helm template

vaultwarden/main.yaml

@@ -98,39 +98,21 @@ subjects:
 ---
 apiVersion: v1
 data:
-  _enable_duo: "false"
-  _enable_email_2fa: "false"
-  _enable_smtp: "true"
-  _enable_yubico: "false"
   ADMIN_RATELIMIT_MAX_BURST: "3"
   ADMIN_RATELIMIT_SECONDS: "300"
-  admin_session_lifetime: "20"
+  DATA_FOLDER: /data
-  authenticator_disable_time_drift: "false"
   DATABASE_MAX_CONNS: "10"
   DB_CONNECTION_RETRIES: "15"
-  disable_2fa_remember: "false"
-  disable_icon_download: "false"
   DOMAIN: https://vault.borninpain.de
-  email_2fa_enforce_on_verified_invite: "false"
-  email_2fa_auto_fallback: "false"
-  email_attempts_limit: "3"
   EMAIL_CHANGE_ALLOWED: "true"
-  email_expiration_time: "600"
-  email_token_size: "6"
   EMERGENCY_ACCESS_ALLOWED: "true"
   EMERGENCY_NOTIFICATION_REMINDER_SCHEDULE: 0 3 * * * *
   EMERGENCY_REQUEST_TIMEOUT_SCHEDULE: 0 7 * * * *
-  EXTENDED_LOGGING: "true"
   EXPERIMENTAL_CLIENT_FEATURE_FLAGS: ssh-key-vault-item,ssh-agent
-  http_request_block_non_global_ips: "true"
+  EXTENDED_LOGGING: "true"
   ICON_BLACKLIST_NON_GLOBAL_IPS: "true"
-  icon_cache_ttl: "2592000"
-  icon_cache_negttl: "259200"
-  icon_download_timeout: "10"
   ICON_REDIRECT_CODE: "302"
   ICON_SERVICE: internal
-  incomplete_2fa_time_limit: "3"
-  increase_note_size_limit: "false"
   INVITATION_EXPIRATION_HOURS: "120"
   INVITATION_ORG_NAME: Vaultwarden
   INVITATIONS_ALLOWED: "true"
@@ -138,9 +120,6 @@ data:
   LOG_TIMESTAMP_FORMAT: '%Y-%m-%d %H:%M:%S.%3f'
   ORG_EVENTS_ENABLED: "false"
   ORG_GROUPS_ENABLED: "false"
-  password_hints_allowed: "true"
-  password_iterations: "600000"
-  reload_templates: "false"
   REQUIRE_DEVICE_EMAIL: "false"
   ROCKET_ADDRESS: 0.0.0.0
   ROCKET_PORT: "8080"
@@ -149,19 +128,17 @@ data:
   SHOW_PASSWORD_HINT: "false"
   SIGNUPS_ALLOWED: "true"
   SIGNUPS_VERIFY: "true"
-  signups_verify_resend_limit: "6"
+  SMTP_ACCEPT_INVALID_CERTS: "false"
-  signups_verify_resend_time: "3600"
+  SMTP_ACCEPT_INVALID_HOSTNAMES: "false"
-  smtp_host: mxe965.netcup.net
+  SMTP_AUTH_MECHANISM: Plain
-  smtp_security: starttls
+  SMTP_DEBUG: "false"
-  smtp_port: "587"
+  SMTP_FROM: noreply@borninpain.de
-  smtp_from: noreply@borninpain.de
+  SMTP_FROM_NAME: Vaultwarden
-  smtp_from_name: Vaultwarden
+  SMTP_HOST: mxe965.netcup.net
-  smtp_timeout: "15"
+  SMTP_PORT: "587"
-  smtp_embed_images: "true"
+  SMTP_SECURITY: starttls
-  smtp_accept_invalid_certs: "false"
-  smtp_accept_invalid_hostnames: "false"
   TRASH_AUTO_DELETE_DAYS: ""
-  use_sendmail: "false"
+  TZ: Europe/Berlin
   WEB_VAULT_ENABLED: "true"
 kind: ConfigMap
 metadata:
@@ -226,20 +203,54 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/config: 168947ab11e3ea29e464b86f13ba129b41fa167f
+        checksum/config: 43e8689608a3dc84803c911f22965468d480cd42
-        checksum/secret: 63df1807c40909b47d8731b04a208cffc9f387f4
+        checksum/secret: adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
       labels:
         app.kubernetes.io/component: vaultwarden
         app.kubernetes.io/instance: vaultwarden
         app.kubernetes.io/name: vaultwarden
     spec:
       containers:
-      - envFrom:
+      - env:
+        - name: YUBICO_SECRET_KEY
+          valueFrom:
+            secretKeyRef:
+              key: YUBICO_SECRET_KEY
+              name: vaultwarden
+        - name: DUO_SKEY
+          valueFrom:
+            secretKeyRef:
+              key: DUO_SKEY
+              name: vaultwarden
+        - name: SMTP_USERNAME
+          valueFrom:
+            secretKeyRef:
+              key: SMTP_USERNAME
+              name: vaultwarden
+        - name: SMTP_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: SMTP_PASSWORD
+              name: vaultwarden
+        - name: ADMIN_TOKEN
+          valueFrom:
+            secretKeyRef:
+              key: ADMIN_TOKEN
+              name: vaultwarden
+        - name: PUSH_INSTALLATION_ID
+          valueFrom:
+            secretKeyRef:
+              key: PUSH_INSTALLATION_ID
+              name: vaultwarden
+        - name: PUSH_INSTALLATION_KEY
+          valueFrom:
+            secretKeyRef:
+              key: PUSH_INSTALLATION_KEY
+              name: vaultwarden
+        envFrom:
         - configMapRef:
             name: vaultwarden
-        - secretRef:
+        image: docker.io/vaultwarden/server:1.34.3-alpine
-            name: vaultwarden
-        image: docker.io/vaultwarden/server:1.33.2-alpine
         imagePullPolicy: IfNotPresent
         livenessProbe:
           failureThreshold: 10
@@ -266,10 +277,23 @@ spec:
           timeoutSeconds: 1
         resources: {}
         volumeMounts:
-        - name: vaultwarden-data
+        - mountPath: /data
-          mountPath: /data
+          name: vaultwarden-data
-      volumes:
-      - name: vaultwarden-data
-        persistentVolumeClaim:
-          claimName: vaultwarden-data-pvc
       serviceAccountName: vaultwarden-svc
+  volumeClaimTemplates:
+  - metadata:
+      annotations:
+        meta.helm.sh/release-name: vaultwarden
+        meta.helm.sh/release-namespace: vaultwarden
+      labels:
+        app.kubernetes.io/component: vaultwarden
+        app.kubernetes.io/instance: vaultwarden
+        app.kubernetes.io/name: vaultwarden
+      name: vaultwarden-data
+    spec:
+      accessModes:
+      - ReadWriteOnce
+      resources:
+        requests:
+          storage: 1Gi
+      storageClassName: openebs-3-replicas

vaultwarden/src/kustomization.yaml

@@ -8,3 +8,4 @@ helmCharts:
     version: 0.31.8
     releaseName: vaultwarden
     namespace: vaultwarden
+    valuesFile: values.yaml

vaultwarden/src/values.yaml

@@ -294,13 +294,12 @@ storage:
   ## @param storage.data Data directory configuration, refer to values.yaml for parameters.
   ##
   data:
-    {}
+    name: vaultwarden-data
-    # name: "vaultwarden-data"
+    size: 1Gi
-    # size: "15Gi"
+    class: openebs-3-replicas
-    # class: ""
+    path: /data
-    # path: "/data"
+    keepPvc: false
-    # keepPvc: false
+    accessMode: ReadWriteOnce
-    # accessMode: "ReadWriteOnce"
 
   ## @param storage.attachments Attachments directory configuration, refer to values.yaml for parameters.
   ## By default, attachments/ is located inside the data directory.
@@ -373,7 +372,7 @@ pushNotifications:
   enabled: false
   ## @param pushNotifications.existingSecret Name of an existing secret containing the Bitwarden installation id and key
   ##
-  existingSecret: ""
+  existingSecret: vaultwarden
   installationId:
     ## @param pushNotifications.installationId.value Bitwarden installation id string
     ## Example: installationIdGoesHere
@@ -382,7 +381,7 @@ pushNotifications:
     ## @param pushNotifications.installationId.existingSecretKey When using an existing secret, specify the key which contains the installation id.
     ## Example: INSTALLATION_ID
     ##
-    existingSecretKey: ""
+    existingSecretKey: PUSH_INSTALLATION_ID
   installationKey:
     ## @param pushNotifications.installationKey.value Bitwarden installation key string
     ## Example: superSecretInstallationKey
@@ -391,7 +390,7 @@ pushNotifications:
     ## @param pushNotifications.installationKey.existingSecretKey When using an existing secret, specify the key which contains the installation key.
     ## Example: INSTALLATION_KEY
     ##
-    existingSecretKey: ""
+    existingSecretKey: PUSH_INSTALLATION_KEY
   ## @param pushNotifications.relayUri Change Bitwarden relay uri.
   ## Refer to https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification for details
   ##
@@ -430,7 +429,7 @@ eventsDayRetain: ""
 ## @param domain Domain name where the application is accessed
 ## Example: https://warden.contoso.com:8443
 ##
-domain: ""
+domain: "https://vault.borninpain.de"
 
 ## @param sendsAllowed Controls whether users are allowed to create Bitwarden Sends.
 ##
@@ -548,7 +547,7 @@ iconBlacklistNonGlobalIps: "true"
 ##  - "browser-fileless-import": Directly import credentials from other providers without a file.
 ##  - "fido2-vault-credentials": Enable the use of FIDO2 security keys as second factor.
 ##
-experimentalClientFeatureFlags: null
+experimentalClientFeatureFlags: ssh-key-vault-item,ssh-agent
 
 ## @param requireDeviceEmail Require new device emails. When a user logs in an email is required to be sent.
 ##
@@ -575,11 +574,11 @@ adminToken:
   ## @param adminToken.existingSecret Specify an existing Kubernetes secret containing the admin token. Also set adminToken.existingSecretKey.
   ## Example: admincreds_secret
   ##
-  existingSecret: ""
+  existingSecret: vaultwarden
   ## @param adminToken.existingSecretKey When using adminToken.existingSecret, specify the key containing the token.
   ## Example: ADMIN_TOKEN
   ##
-  existingSecretKey: ""
+  existingSecretKey: ADMIN_TOKEN
   ## @param adminToken.value Plain or argon2 string containing the admin token.
   ## This example is the argon2 has of "R@ndomTokenString" (no quotes).
   ##
@@ -596,7 +595,7 @@ adminRateLimitMaxBurst: "3"
 ## @param timeZone Specify timezone different from the default (UTC).
 ## For example: "Europe/Berlin"
 ##
-timeZone: ""
+timeZone: Europe/Berlin
 
 ## @section BETA Features
 ##
@@ -616,7 +615,7 @@ yubico:
   clientId: ""
   ## @param yubico.existingSecret Name of an existing secret containing the Yubico secret key. Also set yubico.secretKey.existingSecretKey.
   ##
-  existingSecret: ""
+  existingSecret: vaultwarden
   ## Yubico secret key
   ##
   secretKey:
@@ -627,7 +626,7 @@ yubico:
     ## @param yubico.secretKey.existingSecretKey When using an existing secret, specify the key which contains the secretKey.
     ## Example: YUBICO_SECRET_KEY
     ##
-    existingSecretKey: ""
+    existingSecretKey: YUBICO_SECRET_KEY
   ## @param yubico.server Specify a Yubico server, otherwise the default servers will be used
   ##
   server: ""
@@ -641,7 +640,7 @@ duo:
   iKey: ""
   ## @param duo.existingSecret Name of an existing secret containing the Duo skey. Also set duo.sKey.existingSecretKey.
   ##
-  existingSecret: ""
+  existingSecret: vaultwarden
   ## Duo secret key
   ##
   sKey:
@@ -652,7 +651,7 @@ duo:
     ## @param duo.sKey.existingSecretKey When using an existing secret, specify the key which contains the sKey.
     ## Example: DUO_SKEY
     ##
-    existingSecretKey: ""
+    existingSecretKey: DUO_SKEY
   ## @param duo.hostname Duo API hostname
   ##
   hostname: ""
@@ -662,10 +661,10 @@ duo:
 smtp:
   ## @param smtp.existingSecret Name of an existing secret containing the SMTP username and password. Also set smtp.username.existingSecretKey and smtp.password.existingSecretKey.
   ##
-  existingSecret: ""
+  existingSecret: vaultwarden
   ## @param smtp.host SMTP host
   ##
-  host: ""
+  host: "mxe965.netcup.net"
   ## @param smtp.security SMTP Encryption method
   ## Possible values:
   ##  - starttls: explicit TLS using ports 587 or 25
@@ -675,14 +674,14 @@ smtp:
   security: "starttls"
   ## @param smtp.port SMTP port
   ##
-  port: 25
+  port: 587
   ## @param smtp.from SMTP sender email address
   ## Example: juan.delacruz@gmail.com
   ##
-  from: ""
+  from: noreply@borninpain.de
   ## @param smtp.fromName SMTP sender FROM
   ##
-  fromName: ""
+  fromName: Vaultwarden
   ## Username for SMTP authentication.
   ##
   username:
@@ -693,7 +692,7 @@ smtp:
     ## @param smtp.username.existingSecretKey When using an existing secret, specify the key which contains the username.
     ## Example: SMTP_USERNAME
     ##
-    existingSecretKey: ""
+    existingSecretKey: SMTP_USERNAME
   ## Password for SMTP authentication.
   ##
   password:
@@ -704,7 +703,7 @@ smtp:
     ## @param smtp.password.existingSecretKey When using an existing secret, specify the key which contains the password.
     ## Example: SMTP_PASSWORD
     ##
-    existingSecretKey: ""
+    existingSecretKey: SMTP_PASSWORD
   ## @param smtp.authMechanism SMTP authentication mechanism
   ## Possible values: "Plain", "Login", "Xoauth2"
   ## Multiple options need to be separated by a comma. (not tested)