🌱 SSO feature has been added to vault warden
RJ-0605 committed Jan 11, 2025
1 parent d98eaac commit 824c790
Showing 4 changed files with 90 additions and 22 deletions.
28 changes: 21 additions & 7 deletions charts/vaultwarden/README.md
Expand Up @@ -33,7 +33,7 @@
| `server.databaseURL.value` | Specifies the value for the DATABASE_URL environmt variable. Creates a secret from that value. If you have already a secret containing the db connection leave this empty. | `""` |
| `server.databaseURL.existingSecret.name` | Specifies the name of an existing Secret for the database URL | `postgres-cluster-app` |
| `server.databaseURL.existingSecret.key` | Specifies the key of an existing Secret for the database URL | `uri` |
| `server.appURL` | URL where the app will be accessible. Used a needed env var for vaultwarden and for the ingress, if enabled. | `""` |
| `server.appURL` | URL where the app will be accessible. Used a needed env var for vaultwarden and for the ingress, if enabled. | `https://vault.test.syself.org` |
| `server.pvc.accessMode` | Name of the access mode to be set in the PVC | `ReadWriteOnce` |
| `server.pvc.size` | Size to be requested for the PVC | `8Gi` |
| `server.pvc.storageClass` | Name of the storage class to be used by the PVC | `standard` |
Expand All @@ -54,11 +54,6 @@
| `server.env.databaseMaxConnections` | Define the size of the connection pool used for connecting to the database. | `10` |
| `server.env.enableDbWAL` | Set to false to avoid enabling WAL during startup. Note that if the DB already has WAL enabled, you will also need to disable WAL in the DB, this setting only prevents Vaultwarden from automatically enabling it on start. | `true` |
| `server.env.webVaultEnabled` | Wheter to enable web vault | `true` |
| `server.env.sso.enabled` | | `false` |
| `server.env.sso.disablePasswordLogin` | | `false` |
| `server.env.sso.clientId` | | `vaultwarden` |
| `server.env.sso.clientSecret` | | `vaultwarden` |
| `server.env.sso.authority` | | `""` |
| `server.env.websocket.enabled` | | `true` |
| `server.env.websocket.address` | | `0.0.0.0` |
| `server.env.websocket.port` | | `3012` |
Expand Down Expand Up @@ -86,7 +81,7 @@
| `server.env.pushNotifications` | | `{}` |
| `server.service.ports.frontend` | vaultwarden server service frontend port | `80` |
| `server.service.annotations` | Additional custom annotations for vaultwarden server service | `{}` |
| `server.ingress.enable` | Boolean to enable or disable creation of an ingress | `false` |
| `server.ingress.enable` | Boolean to enable or disable creation of an ingress | `true` |
| `server.ingress.ingressClassName` | Name of the class to be used by the ingress | `nginx` |
| `server.ingress.enableTLS` | Wheter to enable TLS encryption for the ingress | `true` |
| `server.ingress.annotations` | Additional custom annotations for vaultwarden ingress | `{}` |
Expand Down Expand Up @@ -138,3 +133,22 @@
| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
| `serviceAccount.annotations` | Additional Service Account annotations (evaluated as a template) | `{}` |
| `serviceAccount.automountServiceAccountToken` | Automount service account token for the vaultwarden server service account | `true` |

### SSO Parameters

| Name | Description | Value |
| ---------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ |
| `server.env.sso.enabled` | Specifies whether sso should be enabled or not | `true` |
| `server.env.sso.clientId` | Specifies the value of the clientid if specified which will be placed in the config Map, this will cause the application ignore the clientIdFromSecret values set in the secret | `""` |
| `server.env.sso.clientSecret` | Specifies the value of the clientSecret if specified which will be placed in the config Map, this will cause the application ignore the clientSecretFromSecret values set in the secret | `""` |
| `server.env.sso.authority` | Specifies the value of the authority if specified which will be placed in the config Map, this will cause the application ignore the authorityFromSecret values set in the secret | `""` |
| `server.env.sso.disablePasswordLogin` | Specifies whether disablePasswordLogin should be enabled or not | `true` |
| `server.env.sso.scopes` | Specifies the scope parameters configured in authentik for the vaultwarden profile showing what permissions vaultwarden has | `""` |
| `server.env.sso.cache_expiration` | Specifies the cache_expiration parameters configured in authentik for the vaultwarden profile, how often Vaultwarden fetches IdP configuration | `""` |
| `server.env.sso.frontend` | Specifies the frontend override parameters configured in authentik for the vaultwarden profile, enforces the SSO only login UI for vaulwarden | `""` |
| `server.sso.clientIdFromSecret.name` | Specifies the value of the name of the secret containing clientId (helps authentik identity the client vaultwarden) obtained from authentik on vaultwarden profile | `"<clientId-secret-name>"` |
| `server.sso.clientIdFromSecret.key` | Specifies the value of the key of the secret containing clientId obtained from authentik on vaultwarden profile | `"<clientId-secret-key>"` |
| `server.sso.clientSecretFromSecret.name` | Specifies the value of the name of the secret containing clientSecret(helps authentik authenticate the client vaultwarden) obtained from authentik on vaultwarden profile | `"<clientSecret-secret-name>"` |
| `server.sso.clientSecretFromSecret.key` | Specifies the value of the key of the secret containing clientSecret obtained from authentik on vaultwarden profile | `"<clientSecret-secret-key>"` |
| `server.sso.authorityFromSecret.name` | Specifies the value of the name of the secret containing authority obtained from authentik on vaultwarden profile | `"<authority-secret-name>"` |
| `server.sso.authorityFromSecret.key` | Specifies the value of the key of the secret containing authority obtained from authentik on vaultwarden profile | `"<authority-secret-key>"` |
20 changes: 17 additions & 3 deletions charts/vaultwarden/templates/server/configmap.yaml
Expand Up @@ -45,9 +45,23 @@ data:
{{- if .Values.server.env.sso.enabled }}
SSO_ENABLED: 'true'
SSO_ONLY: {{ .Values.server.env.sso.disablePasswordLogin | quote }}
SSO_CLIENT_ID: {{ .Values.server.env.sso.clientId | quote }}
SSO_CLIENT_SECRET: {{ .Values.server.env.sso.clientSecret | quote }}
SSO_AUTHORITY: {{ .Values.server.env.sso.authority | quote }}

{{- if .Values.server.env.sso.existingSecretEnabled -}}

{{ else }}
{{- if and .Values.server.env.sso.clientId (ne .Values.server.env.sso.clientId "") }}
SSO_CLIENT_ID: {{ .Values.server.env.sso.clientId | quote }}
{{- end }}
{{- if and .Values.server.env.sso.clientSecret (ne .Values.server.env.sso.clientSecret "") }}
SSO_CLIENT_SECRET: {{ .Values.server.env.sso.clientSecret | quote }}
{{- end }}
{{- if and .Values.server.env.sso.authority (ne .Values.server.env.sso.authority "") }}
SSO_AUTHORITY: {{ .Values.server.env.sso.authority | quote }}
{{- end }}
{{- end }}
SSO_FRONTEND: {{ .Values.server.env.sso.frontend | quote }}
SSO_CLIENT_CACHE_EXPIRATION: {{ .Values.server.env.sso.cache_expiration | quote }}
SSO_SCOPES: {{ .Values.server.env.sso.scopes | quote }}
{{- end }}
SHOW_PASSWORD_HINT: {{ .Values.server.env.showPasswordHint | quote }}
SIGNUPS_ALLOWED: {{ .Values.server.env.signupsAllowed | quote }}
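Review bot: The new `{{- if .Values.server.env.sso.existingSecretEnabled -}}` guard reads a key that values.yaml in this commit defines at `server.sso.existingSecretEnabled`, not under `server.env.sso`, so the test is always false and the `else` branch (inline `SSO_CLIENT_ID`/`SSO_CLIENT_SECRET`/`SSO_AUTHORITY`) is the only path ever rendered; the empty true-branch also reads awkwardly. Since the branch has nothing to emit, the idiomatic form is a single `{{- if not .Values.server.sso.existingSecretEnabled }}` around the three inline entries. Note that whichever path is taken, a non-empty `server.env.sso.clientSecret` lands in a ConfigMap, which is not treated as sensitive by RBAC or tooling; a comment such as `# prefer server.sso.clientSecretFromSecret so the OIDC client secret is never stored in a ConfigMap` above that entry would steer users to the Secret-backed path added in deployment.yaml. The `and X (ne X "")` conditions are redundant — `ne X ""` alone (or just `X`) expresses the same check.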
21 changes: 21 additions & 0 deletions charts/vaultwarden/templates/server/deployment.yaml
Expand Up @@ -92,6 +92,27 @@ spec:
key: {{ .Values.server.databaseURL.existingSecret.key }}
{{- end }}
{{- end }}
{{- if (and (eq (default "" (toString .Values.server.env.sso.clientId)) "") (not (eq (default "" (toString .Values.server.sso.clientIdFromSecret.name)) ""))) }}
- name: SSO_CLIENT_ID
valueFrom:
secretKeyRef:
name: {{ .Values.server.sso.clientIdFromSecret.name }}
key: {{ .Values.server.sso.clientIdFromSecret.key }}
{{- end }}
{{- if (and (eq (default "" (toString .Values.server.env.sso.clientSecret)) "") (not (eq (default "" (toString .Values.server.sso.clientSecretFromSecret.name)) ""))) }}
- name: SSO_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: {{ .Values.server.sso.clientSecretFromSecret.name }}
key: {{ .Values.server.sso.clientSecretFromSecret.key }}
{{- end }}
{{- if (and (eq (default "" (toString .Values.server.env.sso.authority)) "") (not (eq (default "" (toString .Values.server.sso.authorityFromSecret.name)) ""))) }}
- name: SSO_AUTHORITY
valueFrom:
secretKeyRef:
name: {{ .Values.server.sso.authorityFromSecret.name }}
key: {{ .Values.server.sso.authorityFromSecret.key }}
{{- end }}
envFrom:
- configMapRef:
name: {{ template "common.names.fullname" . }}-env
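Review bot: The three guards added here test `.Values.server.sso.clientIdFromSecret.name` (and the clientSecret/authority equivalents), but the values.yaml hunk at `@@ -156,6 +156,22` nests those fields one level deeper, under `clientIdFromSecret.existingSecret.name`, so with chart defaults the lookups resolve to nil. As far as I recall Sprig's `toString` renders nil as `"<nil>"` rather than `""`, in which case the `not (eq ... "")` test passes and each `secretKeyRef` renders with an empty `name:` and `key:`, producing an invalid Deployment; please verify with `helm template` against the shipped values. Either flatten values.yaml (drop the `existingSecret:` level, matching the README rows) or change the template paths — the two must agree. These blocks are also not gated on `.Values.server.env.sso.enabled`, unlike the ConfigMap entries; wrapping them in `{{- if .Values.server.env.sso.enabled }}` … `{{- end }}` keeps SSO env vars out of the pod when the feature is off.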
43 changes: 31 additions & 12 deletions charts/vaultwarden/values.yaml
Expand Up @@ -83,10 +83,11 @@ server:
## @param server.databaseURL.existingSecret.key Specifies the key of an existing Secret for the database URL
##
databaseURL:
value: ""
existingSecret: {}
# name: postgres-cluster-app
# key: uri
# value: ""
# existingSecret:
# {}
# name: postgres-cluster-app
# key: uri

## @param server.appURL URL where the app will be accessible. Used a needed env var for vaultwarden and for the ingress, if enabled.
appURL: ""
Expand All @@ -107,7 +108,6 @@ server:
containerPorts:
frontend: 80


## Vaultwarden environment variables
## ref: https://github.com/dani-garcia/vaultwarden/blob/main/.env.template
## @param server.env.dataFolder Main data folder
Expand Down Expand Up @@ -156,6 +156,22 @@ server:
## @param server.env.smtp.acceptInvalidCerts
## @param server.env.smtp.debug
## @param server.env.pushNotifications

sso:
existingSecretEnabled: true
clientIdFromSecret:
existingSecret:
name: ""
key: ""
clientSecretFromSecret:
existingSecret:
name: ""
key: ""
authorityFromSecret:
existingSecret:
name: ""
key: ""

env:
dataFolder: "/data"
attachmentsFolder: "/data/attachments"
Expand All @@ -175,11 +191,12 @@ server:
webVaultEnabled: true

sso:
enabled: false
disablePasswordLogin: false
clientId: vaultwarden
clientSecret: vaultwarden
enabled: true
disablePasswordLogin: true
clientId: ""
clientSecret: ""
authority: ""
scopes: ""

websocket:
enabled: true
Expand Down Expand Up @@ -214,7 +231,8 @@ server:
acceptInvalidCerts: "false"
debug: false

pushNotifications: {}
pushNotifications:
{}
# installationId: ""
# installationKey: ""

Expand All @@ -224,7 +242,7 @@ server:
## @param server.service.ports.frontend vaultwarden server service frontend port
ports:
frontend: 80

## @param server.service.annotations Additional custom annotations for vaultwarden server service
annotations: {}

Expand All @@ -240,7 +258,8 @@ server:
enableTLS: true

## @param server.ingress.annotations Additional custom annotations for vaultwarden ingress
annotations: {}
annotations:
{}
##
# cert-manager.io/cluster-issuer: letsencrypt-staging
# external-dns.alpha.kubernetes.io/ttl: "1m"
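Review bot: The `server.env.sso` hunk flips the chart defaults to `enabled: true` and `disablePasswordLogin: true` while `clientId`, `clientSecret` and `authority` default to `""`, so a plain `helm install` renders `SSO_ENABLED: 'true'` and `SSO_ONLY: "true"` with no identity provider configured, which blocks password login without offering a working SSO login. Keep the previous defaults, `enabled: false` and `disablePasswordLogin: false`, and let operators opt in once an authority and client credentials are set. In the `@@ -83,10 +83,11` hunk, `databaseURL:` is left as a bare key after `value:` and `existingSecret:` were commented out, so it now parses as null; if a template dereferences `.Values.server.databaseURL.existingSecret.key` without a preceding nil check (deployment.yaml shows such a reference as context, but its guard is outside the hunk), rendering will fail — worth confirming.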
