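## Instruction: when adding a new value, follow https://github.com/dani-garcia/vaultwarden/blob/main/.env.template as much as possible.
##
## Conventions used in this file:
##   "##" lines are documentation (consumed by the @param/@section README generator).
##   "#"  lines are commented-out example values that can be uncommented as-is.
##   Vaultwarden settings that end up as environment variables are written as quoted
##   strings ("true", "300") so that YAML type inference never changes what the
##   container receives; Kubernetes-level fields keep their native types.

## @section Kubernetes settings
##
image:
  ## @param image.registry Vaultwarden image registry
  ##
  registry: docker.io
  ## @param image.repository Vaultwarden image repository
  ##
  repository: vaultwarden/server
  ##
  ## @param image.tag Vaultwarden image tag
  ## Ref: https://hub.docker.com/r/vaultwarden/server/tags
  ##
  tag: "1.34.3-alpine"
  ## @param image.pullPolicy Vaultwarden image pull policy
  ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
  ##
  pullPolicy: IfNotPresent
  ## @param image.pullSecrets Specify docker-registry secrets
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ## Example:
  ## pullSecrets:
  ##   - name: myRegistryKeySecretName
  ##
  pullSecrets: []
  ## @param image.extraSecrets Vaultwarden image extra secrets
  ## Example:
  ## extraSecrets:
  ##   - key: SSO_CLIENT_SECRET
  ##     value: secretStuff
  ##
  extraSecrets: []
  ## @param image.extraVars Vaultwarden image extra vars
  ## Example:
  ## extraVars:
  ##   - key: SSO_AUTHORITY
  ##     value: https://bananaguy.com/auth
  ##
  extraVars: []
  ## @param image.extraVarsCM Vaultwarden image extra vars ConfigMap
  ## Example:
  ## extraVarsCM: "vaultwarden-extra-vars"
  extraVarsCM: ""
  ## @param image.extraVarsSecret Vaultwarden image extra vars Secret
  ## Example:
  ## extraVarsSecret: "vaultwarden-extra-vars"
  extraVarsSecret: ""

## @param replicas Number of deployment replicas
##
replicas: 1

## @param fullnameOverride String to override the application name.
##
fullnameOverride: ""

## @param resourceType Can be either Deployment or StatefulSet
## Overwrite automatic resource type detection by specifying the resource type
##
resourceType: ""

## @param commonAnnotations Annotations for the deployment or statefulset
##
commonAnnotations: {}

## @param configMapAnnotations Add extra annotations to the configmap
##
configMapAnnotations: {}

## @param podAnnotations Add extra annotations to the pod
##
podAnnotations: {}

## @param commonLabels Additional labels for the deployment or statefulset
##
commonLabels: {}

## @param podLabels Add extra labels to the pod
##
podLabels: {}

## @param initContainers extra init containers for initializing the vaultwarden instance
##
initContainers: []

## @param sidecars extra containers running alongside the vaultwarden instance
##
sidecars: []

## @param extraVolumes Optionally specify extra list of additional volumes
##
extraVolumes: []

## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts
##
extraVolumeMounts: []

## @param nodeSelector Node labels for pod assignment
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
##
nodeSelector: {}

## @param affinity Affinity for pod assignment
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
##
affinity: {}

## @param tolerations Tolerations for pod assignment
## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
##
tolerations: []

## @param serviceAccount.create Create a service account
## @param serviceAccount.name Name of the service account to create
##
serviceAccount:
  create: true
  name: "vaultwarden-svc"

## @param podSecurityContext Pod security options
## An empty map means no pod-level securityContext is rendered; the commented
## values below are the ones to start from when hardening.
##
podSecurityContext: {}
  # fsGroup: 1001
  # supplementalGroups:
  #   - 1001

## @param securityContext Default security options to run vault as read only container without privilege escalation
## An empty map means no container securityContext is rendered, so the container
## runs with the image defaults. The commented block is the hardened profile this
## chart documents; readOnlyRootFilesystem relies on the data volume being the only
## writable location (NOTE(review): verify against the image before enabling).
securityContext: {}
  # allowPrivilegeEscalation: false
  # privileged: false
  # readOnlyRootFilesystem: true
  # runAsNonRoot: true
  # runAsGroup: 1001
  # runAsUser: 1001
  # capabilities:
  #   drop:
  #     - ALL

## @param dnsConfig Pod DNS options
## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
dnsConfig: {}

## @param enableServiceLinks Enable service links, Kubernetes default is true
## Ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service
##
enableServiceLinks: true

## @param extraObjects List of extra Kubernetes objects to create
## This can be used to add additional Kubernetes objects such as ConfigMaps, Secrets, or Custom Resources.
## Example:
##   - apiVersion: isindir.github.com/v1alpha3
##     kind: SopsSecret
##     metadata:
##       name: "{{ .Release.Name }}-sops-secret"
##     spec:
##       data:
##         DB_STRING: ENC[AES256_GCM,data:******,iv:***,tag:***,type:str]
##       sops: ...
##
extraObjects: []

## @section Reliability configuration
##
## Liveness probe configuration
##
livenessProbe:
  ## @param livenessProbe.enabled Enable liveness probe
  ##
  enabled: true
  ## @param livenessProbe.initialDelaySeconds Delay before liveness probe is initiated
  ##
  initialDelaySeconds: 5
  ## @param livenessProbe.timeoutSeconds How long to wait for the probe to succeed
  ##
  timeoutSeconds: 1
  ## @param livenessProbe.periodSeconds How often to perform the probe
  ##
  periodSeconds: 10
  ## @param livenessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful
  ##
  successThreshold: 1
  ## @param livenessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed
  ##
  failureThreshold: 10
  ## @param livenessProbe.path Path on which the probe is exposed, default is "/alive". Replace when using non-root path deployment
  ##
  path: /alive

## Readiness probe configuration
##
readinessProbe:
  ## @param readinessProbe.enabled Enable readiness probe
  ##
  enabled: true
  ## @param readinessProbe.initialDelaySeconds Delay before readiness probe is initiated
  ##
  initialDelaySeconds: 5
  ## @param readinessProbe.timeoutSeconds How long to wait for the probe to succeed
  ##
  timeoutSeconds: 1
  ## @param readinessProbe.periodSeconds How often to perform the probe
  ##
  periodSeconds: 10
  ## @param readinessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful
  ##
  successThreshold: 1
  ## @param readinessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed
  ##
  failureThreshold: 3
  ## @param readinessProbe.path Path on which the probe is exposed, default is "/alive". Replace when using non-root path deployment
  ##
  path: /alive

## Startup probe configuration
##
startupProbe:
  ## @param startupProbe.enabled Enable startup probe
  ##
  enabled: false
  ## @param startupProbe.initialDelaySeconds Delay before startup probe is initiated
  ##
  initialDelaySeconds: 5
  ## @param startupProbe.timeoutSeconds How long to wait for the probe to succeed
  ##
  timeoutSeconds: 1
  ## @param startupProbe.periodSeconds How often to perform the probe
  ##
  periodSeconds: 10
  ## @param startupProbe.successThreshold Minimum consecutive successes for the probe to be considered successful
  ##
  successThreshold: 1
  ## @param startupProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed
  ##
  failureThreshold: 10
  ## @param startupProbe.path Path on which the probe is exposed, default is "/alive". Replace when using non-root path deployment
  ##
  path: /alive

## @param resources Resource configurations
##
resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 300m
  #   memory: 1Gi
  # requests:
  #   cpu: 50m
  #   memory: 256Mi

## @param strategy Deployment update strategy
## Only used when the rendered resource is a Deployment; see the commented example.
##
strategy: {}
  # type: RollingUpdate
  # rollingUpdate:
  #   maxSurge: 1
  #   maxUnavailable: 0

podDisruptionBudget:
  ## @param podDisruptionBudget.enabled Enable PodDisruptionBudget settings
  # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  enabled: false
  ## @param podDisruptionBudget.minAvailable Minimum number/percentage of pods that should remain scheduled.
  # When it's set, maxUnavailable must be disabled by `maxUnavailable: null`
  minAvailable: 1
  ## @param podDisruptionBudget.maxUnavailable Maximum number/percentage of pods that may be made unavailable
  maxUnavailable: null

## @section Persistent data configuration
##
storage:
  ## @param storage.existingVolumeClaim If defined, the values here will be used for the data and
  ## attachments PV's. The custom values for data and attachments will be ignored if
  ## a value is set here
  ##
  existingVolumeClaim: {}
    # claimName: "vaultwarden-pvc"
    # dataPath: "/data"
    # attachmentsPath: /data/attachments
  ## @param storage.data Data directory configuration, refer to values.yaml for parameters.
  ##
  data:
    name: vaultwarden-data
    size: 1Gi
    class: openebs-3-replicas
    path: /data
    keepPvc: false
    accessMode: ReadWriteOnce
  ## @param storage.attachments Attachments directory configuration, refer to values.yaml for parameters.
  ## By default, attachments/ is located inside the data directory.
  ##
  attachments: {}
    # name: "vaultwarden-files"
    # size: "100Gi"
    # class: ""
    # path: /files
    # keepPvc: false
    # accessMode: "ReadWriteOnce"

## @param webVaultEnabled Enable Web Vault
##
webVaultEnabled: "true"

## @section Database settings
##
database:
  ## @param database.type Database type, either mysql or postgresql
  ## Default is a sqlite database.
  ##
  type: "default"
  ## @param database.host Database hostname or IP address
  ##
  host: ""
  ## @param database.port Database port
  ## Default for MySQL is 3306, default for PostgreSQL is 5432
  port: ""
  ## @param database.username Database username
  ##
  username: ""
  ## @param database.password Database password
  ## Prefer database.existingSecret over a plain-text value committed here.
  ##
  password: ""
  ## @param database.dbName Database name
  ##
  dbName: ""
  ## @param database.uriOverride Manually specify the DB connection string
  ##
  uriOverride: ""
  ## @param database.existingSecret Name of an existing secret containing either a single key with the database uri, or a separate key for username and password
  ##
  existingSecret: ""
  ## @param database.existingSecretKey Key in the existing secret
  ##
  existingSecretKey: ""
  ## @param database.existingSecretUserKey Key in the existing secret
  ##
  existingSecretUserKey: username
  ## @param database.existingSecretPasswordKey Key in the existing secret
  ##
  existingSecretPasswordKey: password
  ## @param database.connectionRetries Number of times to retry the database connection during startup, with 1 second delay between each retry, set to 0 to retry indefinitely.
  ##
  connectionRetries: 15
  ## @param database.maxConnections Define the size of the connection pool used for connecting to the database.
  ##
  maxConnections: 10

## @section Push Notifications
## Supported since 1.29.0.
## Refer to https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification for details
##
pushNotifications:
  ## @param pushNotifications.enabled Enable the push notification service
  ##
  enabled: false
  ## @param pushNotifications.existingSecret Name of an existing secret containing the Bitwarden installation id and key
  ##
  existingSecret: vaultwarden
  installationId:
    ## @param pushNotifications.installationId.value Bitwarden installation id string
    ## Example: installationIdGoesHere
    ##
    value: ""
    ## @param pushNotifications.installationId.existingSecretKey When using an existing secret, specify the key which contains the installation id.
    ## Example: INSTALLATION_ID
    ##
    existingSecretKey: PUSH_INSTALLATION_ID
  installationKey:
    ## @param pushNotifications.installationKey.value Bitwarden installation key string
    ## Example: superSecretInstallationKey
    ##
    value: ""
    ## @param pushNotifications.installationKey.existingSecretKey When using an existing secret, specify the key which contains the installation key.
    ## Example: INSTALLATION_KEY
    ##
    existingSecretKey: PUSH_INSTALLATION_KEY
  ## @param pushNotifications.relayUri Change Bitwarden relay uri.
  ## Refer to https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification for details
  ##
  relayUri: "https://push.bitwarden.com"
  ## @param pushNotifications.identityUri Change Bitwarden identity uri.
  ## Refer to https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification for details
  ##
  identityUri: "https://identity.bitwarden.com"

## @section Scheduled jobs
##
## @param emergencyNotifReminderSched Cron schedule of the job that sends expiration reminders to emergency access grantors.
## Set to blank to disable this job.
##
emergencyNotifReminderSched: "0 3 * * * *"
## @param emergencyRqstTimeoutSched Cron schedule of the job that grants emergency access requests that have met the required wait time.
## Set to blank to disable this job.
##
emergencyRqstTimeoutSched: "0 7 * * * *"
## @param eventCleanupSched Cron schedule of the job that cleans old events from the event table.
## Set to blank to disable this job. Also without eventsDayRetain set, this job will not start.
##
eventCleanupSched: "0 10 0 * * *"
## @param eventsDayRetain Number of days to retain events stored in the database.
## If unset (the default), events are kept indefinitely and the scheduled job is disabled!
##
eventsDayRetain: ""

## @section General settings
##
## @param domain Domain name where the application is accessed
## Example: https://warden.contoso.com:8443
##
domain: "https://vault.borninpain.de"
## @param sendsAllowed Controls whether users are allowed to create Bitwarden Sends.
##
sendsAllowed: "true"
## @param hibpApiKey HaveIBeenPwned API Key
##
hibpApiKey: ""
## @param orgAttachmentLimit Max Kilobytes of attachment storage allowed per organization.
## When this limit is reached, organization members will not be allowed to upload further attachments for ciphers owned by that organization.
##
orgAttachmentLimit: ""
## @param userAttachmentLimit Max kilobytes of attachment storage allowed per user.
## When this limit is reached, the user will not be allowed to upload further attachments.
##
userAttachmentLimit: ""
## @param userSendLimit Max kilobytes of send storage allowed per user.
## When this limit is reached, the user will not be allowed to upload further sends.
##
userSendLimit: ""
## @param trashAutoDeleteDays Number of days to wait before auto-deleting a trashed item.
## If unset (the default), trashed items are not auto-deleted.
## This setting applies globally, so make sure to inform all users of any changes to this setting.
##
trashAutoDeleteDays: ""
## @param signupsAllowed By default, anyone who can access your instance can register for a new account.
## To disable this, set this parameter to false. Even when signupsAllowed=false, an existing user who is
## an organization owner or admin can still invite new users. If you want to disable this as well, set
## invitationsAllowed to false. The vaultwarden admin can invite anyone via the admin page, regardless
## of any of the restrictions above
##
## If signupDomains is set, then the value of signupsAllowed is ignored
##
## Registration is open here and signupDomains is empty, so anyone who can reach
## the instance can create an account (subject to signupsVerify).
signupsAllowed: true
## @param signupsVerify Whether to require account verification for newly-registered users.
##
signupsVerify: "true"
## @param signupDomains List of domain names for users allowed to register. For example:
## example.com,example.net,example.org.
##
signupDomains: ""
## @param orgEventsEnabled Controls whether event logging is enabled for organizations
##
orgEventsEnabled: "false"
## @param orgCreationUsers Controls which users can create new orgs.
## Blank or 'all' means all users can create orgs.
## 'none' means no users can create orgs.
## A comma-separated list means only those users can create orgs.
##
orgCreationUsers: ""
## @param invitationsAllowed Even when registration is disabled, organization administrators or owners can
## invite users to join organization. After they are invited, they can register with the invited email even
## if signupsAllowed is actually set to false. You can disable this functionality completely by setting
## invitationsAllowed env variable to false
##
invitationsAllowed: true
## @param invitationOrgName String Name shown in the invitation emails that don't come from a specific organization
##
invitationOrgName: "Vaultwarden"
## @param invitationExpirationHours The number of hours after which an organization invite token, emergency access invite token,
## email verification token and deletion request token will expire (must be at least 1)
##
invitationExpirationHours: "120"
## @param emergencyAccessAllowed Controls whether users can enable emergency access to their accounts.
##
emergencyAccessAllowed: "true"
## @param emailChangeAllowed Controls whether users can change their email.
## This setting applies globally to all users
##
emailChangeAllowed: "true"
## @param showPassHint Controls whether a password hint should be shown directly in the web page if
## SMTP service is not configured. Not recommended for publicly-accessible instances
## as this provides unauthenticated access to potentially sensitive data.
##
showPassHint: "false"

## @section Advanced settings
##
## @param ipHeader Client IP Header, used to identify the IP of the client
## NOTE(review): the reverse proxy / ingress in front of the pod must set or
## overwrite this header; if it passes the header through untouched, the value
## is client-controlled and the per-IP settings below lose their meaning.
##
ipHeader: "X-Real-IP"
## @param iconService The predefined icon services are: internal, bitwarden, duckduckgo, google.
##
iconService: "internal"
## @param iconRedirectCode Icon redirect code
##
iconRedirectCode: "302"
## @param iconBlacklistNonGlobalIps Whether to block non-global IPs.
## Useful to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block
##
iconBlacklistNonGlobalIps: "true"
## @param experimentalClientFeatureFlags Comma separated list of experimental features to enable in clients, make sure to check which features are already enabled by default (.env.template)
## Possible values:
## - "autofill-overlay": Add an overlay menu to form fields for quick access to credentials.
## - "autofill-v2": Use the new autofill implementation.
## - "browser-fileless-import": Directly import credentials from other providers without a file.
## - "fido2-vault-credentials": Enable the use of FIDO2 security keys as second factor.
## The list above is illustrative; the flags set below are not in it, so consult the
## upstream .env.template for the set accepted by the pinned image.tag.
##
experimentalClientFeatureFlags: "ssh-key-vault-item,ssh-agent"
## @param requireDeviceEmail Require new device emails. When a user logs in an email is required to be sent.
##
requireDeviceEmail: "false"
## @param extendedLogging Enable extended logging, which shows timestamps and targets in the logs
##
extendedLogging: "true"
## @param logTimestampFormat Timestamp format used in extended logging.
##
logTimestampFormat: "%Y-%m-%d %H:%M:%S.%3f"

logging:
  ## @param logging.logLevel Specify the log level
  ##
  logLevel: ""
  ## @param logging.logFile Log to a file
  ##
  logFile: ""

## Token for the admin interface, preferably an Argon2 PHC string
adminToken:
  ## @param adminToken.existingSecret Specify an existing Kubernetes secret containing the admin token. Also set adminToken.existingSecretKey.
  ## Example: admincreds_secret
  ##
  existingSecret: vaultwarden
  ## @param adminToken.existingSecretKey When using adminToken.existingSecret, specify the key containing the token.
  ## Example: ADMIN_TOKEN
  ##
  existingSecretKey: ADMIN_TOKEN
  ## @param adminToken.value Plain or argon2 string containing the admin token.
  ## This example is the argon2 hash of "R@ndomTokenString" (no quotes).
  ## NOTE(review): this is the publicly documented example hash, i.e. its
  ## plaintext is known. It is expected to be ignored while existingSecret is
  ## set (confirm against the chart template); replace it before ever relying on it.
  ##
  value: "$argon2id$v=19$m=19456,t=2,p=1$Vkx1VkE4RmhDMUhwNm9YVlhPQkVOZk1Yc1duSDdGRVYzd0Y5ZkgwaVg0Yz0$PK+h1ANCbzzmEKaiQfCjWw+hWFaMKvLhG2PjRanH5Kk"

## @param adminRateLimitSeconds Number of seconds, on average, between admin login requests from the same IP address before rate limiting kicks in.
##
adminRateLimitSeconds: "300"
## @param adminRateLimitMaxBurst Allow a burst of requests of up to this size, while maintaining the average indicated by adminRateLimitSeconds.
##
adminRateLimitMaxBurst: "3"
## @param timeZone Specify timezone different from the default (UTC).
## For example: "Europe/Berlin"
##
timeZone: "Europe/Berlin"

## @section BETA Features
##
## @param orgGroupsEnabled Controls whether group support is enabled for organizations
orgGroupsEnabled: "false"

## @section MFA/2FA settings
##
## Yubico (Yubikey) settings
## Reference: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Yubikey-OTP-authentication
##
yubico:
  ## @param yubico.clientId Yubico client ID
  ##
  clientId: ""
  ## @param yubico.existingSecret Name of an existing secret containing the Yubico secret key. Also set yubico.secretKey.existingSecretKey.
  ##
  existingSecret: ""
  ## Yubico secret key
  ##
  secretKey:
    ## @param yubico.secretKey.value secretKey plain text
    ## Example: ABCDEABCDEABCDEABCDE=
    ##
    value: ""
    ## @param yubico.secretKey.existingSecretKey When using an existing secret, specify the key which contains the secretKey.
    ## Example: YUBICO_SECRET_KEY
    ##
    existingSecretKey: ""
  ## @param yubico.server Specify a Yubico server, otherwise the default servers will be used
  ##
  server: ""

## Duo settings
## Reference: https://help.bitwarden.com/article/setup-two-step-login-duo/#create-a-duo-security-account
##
duo:
  ## @param duo.iKey Duo Integration Key
  ##
  iKey: ""
  ## @param duo.existingSecret Name of an existing secret containing the Duo skey. Also set duo.sKey.existingSecretKey.
  ##
  existingSecret: ""
  ## Duo secret key
  ##
  sKey:
    ## @param duo.sKey.value sKey plain text
    ## Example: ABCDEABCDEABCDEABCDE=
    ##
    value: ""
    ## @param duo.sKey.existingSecretKey When using an existing secret, specify the key which contains the sKey.
    ## Example: DUO_SKEY
    ##
    existingSecretKey: ""
  ## @param duo.hostname Duo API hostname
  ##
  hostname: ""

## @section SMTP Configuration
##
smtp:
  ## @param smtp.existingSecret Name of an existing secret containing the SMTP username and password. Also set smtp.username.existingSecretKey and smtp.password.existingSecretKey.
  ##
  existingSecret: vaultwarden
  ## @param smtp.host SMTP host
  ##
  host: "mxe965.netcup.net"
  ## @param smtp.security SMTP Encryption method
  ## Possible values:
  ## - starttls: explicit TLS using ports 587 or 25
  ## - force_tls: implicit TLS using port 465
  ## - off: no encryption, using port 25, unless using STARTTLS
  ##
  security: "starttls"
  ## @param smtp.port SMTP port
  ##
  port: 587
  ## @param smtp.from SMTP sender email address
  ## Example: juan.delacruz@gmail.com
  ##
  from: "noreply@borninpain.de"
  ## @param smtp.fromName SMTP sender FROM
  ##
  fromName: Vaultwarden
  ## Username for SMTP authentication.
  ##
  username:
    ## @param smtp.username.value Username string for the SMTP authentication.
    ## Example: juan
    ##
    value: ""
    ## @param smtp.username.existingSecretKey When using an existing secret, specify the key which contains the username.
    ## Example: SMTP_USERNAME
    ##
    existingSecretKey: SMTP_USERNAME
  ## Password for SMTP authentication.
  ##
  password:
    ## @param smtp.password.value Password string for the SMTP authentication.
    ## Example: Sup3rsecurepa$$word
    ##
    value: ""
    ## @param smtp.password.existingSecretKey When using an existing secret, specify the key which contains the password.
    ## Example: SMTP_PASSWORD
    ##
    existingSecretKey: SMTP_PASSWORD
  ## @param smtp.authMechanism SMTP authentication mechanism
  ## Possible values: "Plain", "Login", "Xoauth2"
  ## Multiple options need to be separated by a comma. (not tested)
  ##
  authMechanism: "Plain"
  ## @param smtp.acceptInvalidHostnames Accept Invalid Hostnames
  ## Keep "false": accepting mismatched hostnames defeats TLS server authentication for outgoing mail.
  ##
  acceptInvalidHostnames: "false"
  ## @param smtp.acceptInvalidCerts Accept Invalid Certificates
  ## Keep "false": accepting invalid certificates defeats TLS server authentication for outgoing mail.
  ##
  acceptInvalidCerts: "false"
  ## @param smtp.debug SMTP debugging
  ##
  debug: false

## @section Exposure settings
##
## @param rocket.address Address to bind to
## @param rocket.port Rocket port
## @param rocket.workers Rocket number of workers
##
rocket:
  address: "0.0.0.0"
  port: "8080"
  workers: "10"

## Service configuration
service:
  ## @param service.type Service type
  ##
  type: "ClusterIP"
  ## @param service.annotations Additional annotations for the vaultwarden service
  ##
  annotations: {}
  ## @param service.labels Additional labels for the service
  ##
  labels: {}
  ## @param service.ipFamilyPolicy IP family policy for the service
  ##
  ipFamilyPolicy: "SingleStack"
  ## @param service.sessionAffinity Session affinity
  ##
  # sessionAffinity: ClientIP
  sessionAffinity: ""
  ## @param service.sessionAffinityConfig Session affinity configuration
  ##
  sessionAffinityConfig: {}
  # sessionAffinityConfig:
  #   clientIP:
  #     timeoutSeconds: 10800

## Ingress configuration
## Refer to the README for some examples
##
ingress:
  ## @param ingress.enabled Deploy an ingress resource.
  ## Disabled here; the hostname/tlsSecret values below are the chart's placeholders
  ## and must be aligned with `domain` before this is switched on.
  ##
  enabled: false
  ## @param ingress.class Ingress resource class
  ## The Ingress class to use, e.g. "nginx" for a nginx ingress controller or "alb" for a AWS LB controller.
  # class: "nginx"
  ## @param ingress.nginxIngressAnnotations Add nginx specific ingress annotations
  ## These annotations only make sense for the kubernetes nginx ingress controller (https://kubernetes.github.io/ingress-nginx/)
  ##
  nginxIngressAnnotations: true
  ## @param ingress.additionalAnnotations Additional annotations for the ingress resource.
  ##
  additionalAnnotations: {}
  ## @param ingress.labels Additional labels for the ingress resource.
  ##
  labels: {}
  ## @param ingress.tls Enable TLS on the ingress resource.
  ##
  tls: true
  ## @param ingress.hostname Hostname for the ingress.
  ##
  hostname: "warden.contoso.com"
  ## @param ingress.additionalHostnames Additional hostnames for the ingress.
  ##
  additionalHostnames: []
  ## @param ingress.path Default application path for the ingress
  ##
  path: "/"
  ## @param ingress.pathType Path type for the ingress
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
  ##
  pathType: "Prefix"
  ## @param ingress.tlsSecret Kubernetes secret containing the SSL certificate when using the "nginx" class.
  ##
  tlsSecret: ""
  ## @param ingress.nginxAllowList Comma-separated list of IP addresses and subnets to allow.
  ##
  nginxAllowList: ""
  ## @param ingress.customHeadersConfigMap ConfigMap containing custom headers to be added to the ingress.
  ## Requirement: First define the allowed response headers in global-allowed-response-headers.
  ## Ref: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#custom-headers
  ##
  customHeadersConfigMap: {}

## TODO:
## - Add support for using cert-manager.
## - Support for multiple TLS hostnames.
##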