diff --git a/charts/vaultwarden/README.md b/charts/vaultwarden/README.md
index 9e809bc..6849551 100644
--- a/charts/vaultwarden/README.md
+++ b/charts/vaultwarden/README.md
@@ -33,7 +33,7 @@
 | `server.databaseURL.value` | Specifies the value for the DATABASE_URL environmt variable. Creates a secret from that value. If you have already a secret containing the db connection leave this empty. | `""` |
 | `server.databaseURL.existingSecret.name` | Specifies the name of an existing Secret for the database URL | `postgres-cluster-app` |
 | `server.databaseURL.existingSecret.key` | Specifies the key of an existing Secret for the database URL | `uri` |
-| `server.appURL` | URL where the app will be accessible. Used a needed env var for vaultwarden and for the ingress, if enabled. | `""` |
+| `server.appURL` | URL where the app will be accessible. Used a needed env var for vaultwarden and for the ingress, if enabled. | `https://vault.test.syself.org` |
 | `server.pvc.accessMode` | Name of the access mode to be set in the PVC | `ReadWriteOnce` |
 | `server.pvc.size` | Size to be requested for the PVC | `8Gi` |
 | `server.pvc.storageClass` | Name of the storage class to be used by the PVC | `standard` |
@@ -54,11 +54,6 @@
 | `server.env.databaseMaxConnections` | Define the size of the connection pool used for connecting to the database. | `10` |
 | `server.env.enableDbWAL` | Set to false to avoid enabling WAL during startup. Note that if the DB already has WAL enabled, you will also need to disable WAL in the DB, this setting only prevents Vaultwarden from automatically enabling it on start. | `true` |
 | `server.env.webVaultEnabled` | Wheter to enable web vault | `true` |
-| `server.env.sso.enabled` | | `false` |
-| `server.env.sso.disablePasswordLogin` | | `false` |
-| `server.env.sso.clientId` | | `vaultwarden` |
-| `server.env.sso.clientSecret` | | `vaultwarden` |
-| `server.env.sso.authority` | | `""` |
 | `server.env.websocket.enabled` | | `true` |
 | `server.env.websocket.address` | | `0.0.0.0` |
 | `server.env.websocket.port` | | `3012` |
@@ -86,7 +81,7 @@
 | `server.env.pushNotifications` | | `{}` |
 | `server.service.ports.frontend` | vaultwarden server service frontend port | `80` |
 | `server.service.annotations` | Additional custom annotations for vaultwarden server service | `{}` |
-| `server.ingress.enable` | Boolean to enable or disable creation of an ingress | `false` |
+| `server.ingress.enable` | Boolean to enable or disable creation of an ingress | `true` |
 | `server.ingress.ingressClassName` | Name of the class to be used by the ingress | `nginx` |
 | `server.ingress.enableTLS` | Wheter to enable TLS encryption for the ingress | `true` |
 | `server.ingress.annotations` | Additional custom annotations for vaultwarden ingress | `{}` |
@@ -138,3 +133,22 @@ | `serviceAccount.name` | The name of the ServiceAccount to use. | `""` | | `serviceAccount.annotations` | Additional Service Account annotations (evaluated as a template) | `{}` | | `serviceAccount.automountServiceAccountToken` | Automount service account token for the vaultwarden server service account | `true` | + +### SSO Parameters + +| Name | Description | Value | +| ---------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ | +| `server.env.sso.enabled` | Specifies whether sso should be enabled or not | `true` | +| `server.env.sso.clientId` | Specifies the value of the clientid if specified which will be placed in the config Map, this will cause the application ignore the clientIdFromSecret values set in the secret | `""` | +| `server.env.sso.clientSecret` | Specifies the value of the clientSecret if specified which will be placed in the config Map, this will cause the application ignore the clientSecretFromSecret values set in the secret | `""` | +| `server.env.sso.authority` | Specifies the value of the authority if specified which will be placed in the config Map, this will cause the application ignore the authorityFromSecret values set in the secret | `""` | +| `server.env.sso.disablePasswordLogin` | Specifies whether disablePasswordLogin should be enabled or not | `true` | +| `server.env.sso.scopes` | Specifies the scope parameters configured in authentik for the vaultwarden profile showing what permissions vaultwarden has | `""` | +| `server.env.sso.cache_expiration` | Specifies the cache_expiration parameters configured in authentik for the vaultwarden profile, how often Vaultwarden fetches IdP configuration | `""` | +| `server.env.sso.frontend` | Specifies the frontend override parameters configured in authentik for the vaultwarden 
profile, enforces the SSO only login UI for vaulwarden | `""` | +| `server.sso.clientIdFromSecret.name` | Specifies the value of the name of the secret containing clientId (helps authentik identity the client vaultwarden) obtained from authentik on vaultwarden profile | `""` | +| `server.sso.clientIdFromSecret.key` | Specifies the value of the key of the secret containing clientId obtained from authentik on vaultwarden profile | `""` | +| `server.sso.clientSecretFromSecret.name` | Specifies the value of the name of the secret containing clientSecret(helps authentik authenticate the client vaultwarden) obtained from authentik on vaultwarden profile | `""` | +| `server.sso.clientSecretFromSecret.key` | Specifies the value of the key of the secret containing clientSecret obtained from authentik on vaultwarden profile | `""` | +| `server.sso.authorityFromSecret.name` | Specifies the value of the name of the secret containing authority obtained from authentik on vaultwarden profile | `""` | +| `server.sso.authorityFromSecret.key` | Specifies the value of the key of the secret containing authority obtained from authentik on vaultwarden profile | `""` | diff --git a/charts/vaultwarden/templates/server/configmap.yaml b/charts/vaultwarden/templates/server/configmap.yaml index af98c0f..0f7340b 100644 --- a/charts/vaultwarden/templates/server/configmap.yaml +++ b/charts/vaultwarden/templates/server/configmap.yaml 
@@ -45,9 +45,23 @@ data: {{- if .Values.server.env.sso.enabled }} SSO_ENABLED: 'true' SSO_ONLY: {{ .Values.server.env.sso.disablePasswordLogin | quote }} - SSO_CLIENT_ID: {{ .Values.server.env.sso.clientId | quote }} - SSO_CLIENT_SECRET: {{ .Values.server.env.sso.clientSecret | quote }} - SSO_AUTHORITY: {{ .Values.server.env.sso.authority | quote }} + + {{- if .Values.server.env.sso.existingSecretEnabled -}} + + {{ else }} + {{- if and .Values.server.env.sso.clientId (ne .Values.server.env.sso.clientId "") }} + SSO_CLIENT_ID: {{ .Values.server.env.sso.clientId | quote }} + {{- end }} + {{- if and .Values.server.env.sso.clientSecret (ne .Values.server.env.sso.clientSecret "") }} + SSO_CLIENT_SECRET: {{ .Values.server.env.sso.clientSecret | quote }} + {{- end }} + {{- if and .Values.server.env.sso.authority (ne .Values.server.env.sso.authority "") }} + SSO_AUTHORITY: {{ .Values.server.env.sso.authority | quote }} + {{- end }} + {{- end }} + SSO_FRONTEND: {{ .Values.server.env.sso.frontend | quote }} + SSO_CLIENT_CACHE_EXPIRATION: {{ .Values.server.env.sso.cache_expiration | quote }} + SSO_SCOPES: {{ .Values.server.env.sso.scopes | quote }} {{- end }} SHOW_PASSWORD_HINT: {{ .Values.server.env.showPasswordHint | quote }} SIGNUPS_ALLOWED: {{ .Values.server.env.signupsAllowed | quote }} diff --git a/charts/vaultwarden/templates/server/deployment.yaml b/charts/vaultwarden/templates/server/deployment.yaml index 1f86747..f344f78 100644 --- a/charts/vaultwarden/templates/server/deployment.yaml +++ b/charts/vaultwarden/templates/server/deployment.yaml 
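Review bot: The new guard `{{- if .Values.server.env.sso.existingSecretEnabled -}}` reads a key this commit never defines — values.yaml adds `existingSecretEnabled: true` under `server.sso`, not `server.env.sso` — so the branch is always false and any `clientSecret` set in values is rendered into the ConfigMap as `SSO_CLIENT_SECRET`, i.e. an OIDC client secret stored in a non-Secret object readable by anyone with ConfigMap read access in the namespace. I would stop rendering `SSO_CLIENT_SECRET` in the ConfigMap altogether and route it only through the deployment's `secretKeyRef` path (making a set `env.sso.clientSecret` a `fail` at render time rather than a silent downgrade), or at the very least fix the path to `.Values.server.sso.existingSecretEnabled` and invert it so the empty then-branch before `{{ else }}` disappears. Separately, `SSO_FRONTEND`, `SSO_CLIENT_CACHE_EXPIRATION` and `SSO_SCOPES` are emitted unconditionally while values.yaml only adds `scopes`; `quote` on an undefined value renders an empty value, and Vaultwarden will presumably reject an empty `SSO_CLIENT_CACHE_EXPIRATION` if it parses it as a number — guard each with `with` (noting that `with` also skips a literal `0`, so use `ne` if zero is meaningful). The `{{- if .Values.server.env.sso.enabled }}` block this hunk lives in opens before the first visible line.
```yaml
  {{- if .Values.server.env.sso.enabled }}
  # … unchanged: SSO_ENABLED, SSO_ONLY …
  {{- if not .Values.server.sso.existingSecretEnabled }}
  {{- with .Values.server.env.sso.clientId }}
  SSO_CLIENT_ID: {{ . | quote }}
  {{- end }}
  {{- with .Values.server.env.sso.authority }}
  SSO_AUTHORITY: {{ . | quote }}
  {{- end }}
  {{- end }}
  # SSO_CLIENT_SECRET is intentionally not rendered here: a ConfigMap is not a
  # Secret. Supply it through server.sso.clientSecretFromSecret instead.
  {{- with .Values.server.env.sso.frontend }}
  SSO_FRONTEND: {{ . | quote }}
  {{- end }}
  {{- with .Values.server.env.sso.cache_expiration }}
  SSO_CLIENT_CACHE_EXPIRATION: {{ . | quote }}
  {{- end }}
  {{- with .Values.server.env.sso.scopes }}
  SSO_SCOPES: {{ . | quote }}
  {{- end }}
  {{- end }}
```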
@@ -92,6 +92,27 @@ spec: key: {{ .Values.server.databaseURL.existingSecret.key }} {{- end }} {{- end }} + {{- if (and (eq (default "" (toString .Values.server.env.sso.clientId)) "") (not (eq (default "" (toString .Values.server.sso.clientIdFromSecret.name)) ""))) }} + - name: SSO_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.server.sso.clientIdFromSecret.name }} + key: {{ .Values.server.sso.clientIdFromSecret.key }} + {{- end }} + {{- if (and (eq (default "" (toString .Values.server.env.sso.clientSecret)) "") (not (eq (default "" (toString .Values.server.sso.clientSecretFromSecret.name)) ""))) }} + - name: SSO_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.server.sso.clientSecretFromSecret.name }} + key: {{ .Values.server.sso.clientSecretFromSecret.key }} + {{- end }} + {{- if (and (eq (default "" (toString .Values.server.env.sso.authority)) "") (not (eq (default "" (toString .Values.server.sso.authorityFromSecret.name)) ""))) }} + - name: SSO_AUTHORITY + valueFrom: + secretKeyRef: + name: {{ .Values.server.sso.authorityFromSecret.name }} + key: {{ .Values.server.sso.authorityFromSecret.key }} + {{- end }} envFrom: - configMapRef: name: {{ template "common.names.fullname" . }}-env diff --git a/charts/vaultwarden/values.yaml b/charts/vaultwarden/values.yaml index 772180d..a53e57a 100644 --- a/charts/vaultwarden/values.yaml +++ b/charts/vaultwarden/values.yaml @@ -83,10 +83,11 @@ server: ## @param server.databaseURL.existingSecret.key Specifies the key of an existing Secret for the database URL ## databaseURL: - value: "" - existingSecret: {} - # name: postgres-cluster-app - # key: uri + # value: "" + # existingSecret: + # {} + # name: postgres-cluster-app + # key: uri ## @param server.appURL URL where the app will be accessible. Used a needed env var for vaultwarden and for the ingress, if enabled. appURL: "" 
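Review bot: The three `secretKeyRef` blocks look up `.Values.server.sso.clientIdFromSecret.name` / `.key` (and the two sibling pairs), but values.yaml in this same commit nests those fields one level deeper under `clientIdFromSecret.existingSecret.name`, so with the shipped values the lookup hits a missing key: either the env entry is never rendered or, depending on how Helm stringifies the nil through `toString`/`default`, a `secretKeyRef` with an empty `name:` is emitted and the Pod fails to start. The README rows agree with the template (flat `*.name`/`*.key`), so values.yaml is the side to fix — `clientIdFromSecret: {name: "", key: ""}` and likewise for the other two. The precedence also favours plaintext: a non-empty `server.env.sso.clientSecret` suppresses the Secret reference rather than the reverse, and for a credential I would let the Secret win or `fail` the render when both are set. None of the three entries is gated on `server.env.sso.enabled`, so a named Secret is injected into the environment even when SSO is off; wrapping them in `{{- if .Values.server.env.sso.enabled }}` keeps the Pod spec minimal. The `env:` list these entries extend starts above the hunk.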
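Review bot: Commenting out both children leaves `databaseURL:` as a bare key, which YAML loads as null, so any template that walks into it — the deployment in this commit reads `.Values.server.databaseURL.existingSecret.key` and presumably guards on `.Values.server.databaseURL.existingSecret` — fails at render time with Helm's `nil pointer evaluating interface {}.existingSecret`; the old `value: ""` and `existingSecret: {}` defaults existed precisely to keep those lookups safe. Restore them as live keys and keep only the `name`/`key` examples commented: `value: ""` followed by `existingSecret: {}`. The unchanged `appURL: ""` context line also shows the default is still empty, while the README in this commit documents it as `https://vault.test.syself.org` and flips `server.ingress.enable` to `true`; if the README is generated from values.yaml those look like a local override that leaked into the docs.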
@@ -107,7 +108,6 @@ server: containerPorts: frontend: 80 - ## Vaultwarden environment variables ## ref: https://github.com/dani-garcia/vaultwarden/blob/main/.env.template ## @param server.env.dataFolder Main data folder @@ -156,6 +156,22 @@ server: ## @param server.env.smtp.acceptInvalidCerts ## @param server.env.smtp.debug ## @param server.env.pushNotifications + + sso: + existingSecretEnabled: true + clientIdFromSecret: + existingSecret: + name: "" + key: "" + clientSecretFromSecret: + existingSecret: + name: "" + key: "" + authorityFromSecret: + existingSecret: + name: "" + key: "" + env: dataFolder: "/data" attachmentsFolder: "/data/attachments" @@ -175,11 +191,12 @@ server: webVaultEnabled: true sso: - enabled: false - disablePasswordLogin: false - clientId: vaultwarden - clientSecret: vaultwarden + enabled: true + disablePasswordLogin: true + clientId: "" + clientSecret: "" authority: "" + scopes: "" websocket: enabled: true @@ -214,7 +231,8 @@ server: acceptInvalidCerts: "false" debug: false - pushNotifications: {} + pushNotifications: + {} # installationId: "" # installationKey: "" @@ -224,7 +242,7 @@ server: ## @param server.service.ports.frontend vaultwarden server service frontend port ports: frontend: 80 - + ## @param server.service.annotations Additional custom annotations for vaultwarden server service annotations: {} @@ -240,7 +258,8 @@ server: enableTLS: true ## @param server.ingress.annotations Additional custom annotations for vaultwarden ingress - annotations: {} + annotations: + {} ## # cert-manager.io/cluster-issuer: letsencrypt-staging # external-dns.alpha.kubernetes.io/ttl: "1m"
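Review bot: The defaults in the `@@ -175,11 +191,12 @@` hunk turn SSO on for every installation — `enabled: true` together with `disablePasswordLogin: true` while `authority`, `clientId` and `clientSecret` stay `""` — so a plain `helm install` renders `SSO_ENABLED=true` and `SSO_ONLY=true` with no IdP to talk to, which at best fails at startup and at worst leaves every user without password login and without working SSO. An auth-mode switch in a chart should stay opt-in: `enabled: false` and `disablePasswordLogin: false`, with a `## @param` note that `disablePasswordLogin` must only be flipped after SSO login has been verified because it removes the fallback. In the `server.sso` hunk the `existingSecretEnabled: true` flag is never read by the ConfigMap template (which looks under `server.env.sso`), and the `existingSecret:` nesting under each `*FromSecret` does not match the flat `*.name`/`*.key` path the deployment and README use; I would flatten it and add `## @param` lines for every new key so the generated README stays in sync.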