diff --git a/charts/vaultwarden/Chart.yaml b/charts/vaultwarden/Chart.yaml
new file mode 100644
index 0000000..d2ccbfb
--- /dev/null
+++ b/charts/vaultwarden/Chart.yaml
@@ -0,0 +1,9 @@
+apiVersion: "v2"
+name: "vaultwarden"
+version: "0.1"
+appVersion: "1.30.1"
+description: |
+ This chart installs and configures Vaultwarden.
+
+ Vaultwarden is an alternative implementation of the
+ Bitwarden server API, compatible with Bitwarden clients.
diff --git a/charts/vaultwarden/README.md b/charts/vaultwarden/README.md
new file mode 100644
index 0000000..6c89c15
--- /dev/null
+++ b/charts/vaultwarden/README.md
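Review bot: `version: "0.1"` is not a complete SemVer 2 version (major.minor.patch), which is what the Chart.yaml specification requires for `version`; depending on the Helm release and registry tooling in use it may be rejected or silently coerced, so `version: "0.1.0"` is the safer spelling. `appVersion: "1.30.1"` duplicates the image tag that is also pinned in the values; that is normal for a chart, but the two are kept in sync by hand, which is worth a one-line comment here so the next bump touches both.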
@@ -0,0 +1,154 @@
+## Parameters
+
+### Global parameters
+
+| Name | Description | Value |
+| ------------------------- | ----------------------------------------------- | ----- |
+| `global.imageRegistry` | Global Docker image registry | `""` |
+| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
+| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
+
+### Common parameters
+
+| Name | Description | Value |
+| ------------------- | ------------------------------------------------- | ----- |
+| `nameOverride` | String to partially override common.names.name | `""` |
+| `fullnameOverride` | String to fully override common.names.fullname | `""` |
+| `namespaceOverride` | String to fully override common.names.namespace | `""` |
+| `commonLabels` | Labels to add to all deployed objects | `{}` |
+| `commonAnnotations` | Annotations to add to all deployed objects | `{}` |
+| `extraDeploy` | Array of extra objects to deploy with the release | `[]` |
+
+### Vaultwarden Server Parameters
+
+| Name | Description | Value |
+| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------- |
+| `server.image.registry` | vaultwarden server image registry | `docker.io` |
+| `server.image.repository` | vaultwarden server image repository | `vaultwarden/server` |
+| `server.image.tag` | vaultwarden server image tag (immutable tags are recommended) | `1.30.1` |
+| `server.image.digest` | vaultwarden server image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag image tag (immutable tags are recommended) | `""` |
+| `server.image.pullPolicy` | vaultwarden server image pull policy | `IfNotPresent` |
+| `server.image.pullSecrets` | vaultwarden server image pull secrets | `[]` |
+| `server.replicaCount` | Number of vaultwarden server replicas to deploy | `1` |
+| `server.databaseURL.value` | Specifies the value for the DATABASE_URL environmt variable. Creates a secret from that value. If you have already a secret containing the db connection leave this empty. | `""` |
+| `server.databaseURL.existingSecret.name` | Specifies the name of an existing Secret for the database URL | `postgres-cluster-app` |
+| `server.databaseURL.existingSecret.key` | Specifies the key of an existing Secret for the database URL | `uri` |
+| `server.appURL` | URL where the app will be accessible. Used a needed env var for vaultwarden and for the ingress, if enabled. | `https://` |
+| `server.pvc.accessMode` | Name of the access mode to be set in the PVC | `ReadWriteOnce` |
+| `server.pvc.size` | Size to be requested for the PVC | `8Gi` |
+| `server.pvc.storageClass` | Name of the storage class to be used by the PVC | `standard` |
+| `server.containerPorts.frontend` | vaultwarden server frontend container port | `80` |
+| `server.env.dataFolder` | Main data folder | `/data` |
+| `server.env.attachmentsFolder` | Attachments folder, override main data folder | `/data/attachments` |
+| `server.env.showPasswordHint` | Controls whether a password hint should be shown directly in the web page if SMTP service is not configured. Not recommended for publicly-accessible instances as this provides unauthenticated access to potentially sensitive data. | `false` |
+| `server.env.signupsAllowed` | Controls if new users can register | `true` |
+| `server.env.invitationsAllowed` | Invitations allow org admins to invite users, even when signups are disabled | `true` |
+| `server.env.invitationOrgName` | Name shown in the invitation emails that don't come from a specific organization | `Vaultwarden` |
+| `server.env.signupDomainsWhitelist` | Controls if new users from a list of comma-separated domains can register even if SIGNUPS_ALLOWED is set to false | `""` |
+| `server.env.signupsVerify` | Controls if new users need to verify their email address upon registration | `false` |
+| `server.env.logFile` | Logging to file | `""` |
+| `server.env.logLevel` | Change the verbosity of the log output. Valid values are "trace", "debug", "info", "warn", "error" and "off". | `""` |
+| `server.env.iconBlacklistNonGlobalIps` | Any IP which is not defined as a global IP will be blacklisted. Useful to secure your internal environment. | `false` |
+| `server.env.ipHeader` | Client IP Header, used to identify the IP of the client, defaults to "X-Real-IP". Set to the string "none" (without quotes), to disable any headers and just use the remote IP. | `X-Real-IP` |
+| `server.env.dbConnectionRetries` | Number of times to retry the database connection during startup, with 1 second delay between each retry, set to 0 to retry indefinitely | `15` |
+| `server.env.databaseMaxConnections` | Define the size of the connection pool used for connecting to the database. | `10` |
+| `server.env.enableDbWAL` | Set to false to avoid enabling WAL during startup. Note that if the DB already has WAL enabled, you will also need to disable WAL in the DB, this setting only prevents Vaultwarden from automatically enabling it on start. | `true` |
+| `server.env.webVaultEnabled` | Wheter to enable web vault | `true` |
+| `server.env.websocket.enabled` | | `true` |
+| `server.env.websocket.address` | | `0.0.0.0` |
+| `server.env.websocket.port` | | `3012` |
+| `server.env.rocket.address` | | `""` |
+| `server.env.rocket.workers` | | `10` |
+| `server.env.rocket.port` | | `""` |
+| `server.env.rocket.workers` | | `10` |
+| `server.env.yubico.clientId` | | `""` |
+| `server.env.yubico.secretKey` | | `""` |
+| `server.env.yubico.server` | | `""` |
+| `server.env.smtp.existingSecret` | | `""` |
+| `server.env.smtp.host` | | `""` |
+| `server.env.smtp.security` | | `starttls` |
+| `server.env.smtp.port` | | `25` |
+| `server.env.smtp.from` | | `""` |
+| `server.env.smtp.fromName` | | `""` |
+| `server.env.smtp.username.value` | | `""` |
+| `server.env.smtp.username.existingSecretKey` | | `""` |
+| `server.env.smtp.password.value` | | `""` |
+| `server.env.smtp.password.existingSecretKey` | | `""` |
+| `server.env.smtp.authMechanism` | | `Plain` |
+| `server.env.smtp.acceptInvalidHostnames` | | `false` |
+| `server.env.smtp.acceptInvalidCerts` | | `false` |
+| `server.env.smtp.debug` | | `false` |
+| `server.env.pushNotifications` | | `{}` |
+| `server.service.ports.frontend` | vaultwarden server service frontend port | `80` |
+| `server.service.annotations` | Additional custom annotations for vaultwarden server service | `{}` |
+| `server.ingress.enable` | Boolean to enable or disable creation of an ingress | `true` |
+| `server.ingress.ingressClassName` | Name of the class to be used by the ingress | `nginx` |
+| `server.ingress.enableTLS` | Wheter to enable TLS encryption for the ingress | `true` |
+| `server.ingress.annotations` | Additional custom annotations for vaultwarden ingress | `{}` |
+| `server.rbac.create` | Specifies whether RBAC resources should be created | `true` |
+| `server.rbac.rules` | Custom RBAC rules to set | `[]` |
+| `server.livenessProbe.enabled` | Enable livenessProbe on vaultwarden server containers | `false` |
+| `server.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `10` |
+| `server.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `2` |
+| `server.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `3` |
+| `server.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `5` |
+| `server.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
+| `server.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
+| `server.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
+| `server.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
+| `server.resources.vaultwardenServer.limits` | The resources limits for the vaultwarden server containers | `{}` |
+| `server.resources.vaultwardenServer.requests` | The requested resources for the vaultwarden server containers | `{}` |
+| `server.podSecurityContext.enabled` | Enabled vaultwarden server pods' Security Context | `false` |
+| `server.podSecurityContext.fsGroup` | Set vaultwarden server pod's Security Context fsGroup | `1001` |
+| `server.podLabels` | Extra labels for vaultwarden server pods | `{}` |
+| `server.podAnnotations` | Annotations for vaultwarden server pods | `{}` |
+| `server.pdb.create` | Enable PodDisruptionBudged for vaultwarden server pods | `false` |
+| `server.pdb.minAvailable` | Set minAvailable for vaultwarden server pods | `1` |
+| `server.pdb.maxUnavailable` | Set maxUnavailable for vaultwarden server pods | `""` |
+| `server.autoscaling.enabled` | Enable autoscaling for server | `false` |
+| `server.autoscaling.minReplicas` | Minimum number of vaultwarden server replicas | `""` |
+| `server.autoscaling.maxReplicas` | Maximum number of vaultwarden server replicas | `""` |
+| `server.autoscaling.targetCPU` | Target CPU utilization percentage | `""` |
+| `server.autoscaling.targetMemory` | Target Memory utilization percentage | `""` |
+| `server.affinity` | Affinity for vaultwarden server pods assignment | `{}` |
+| `server.nodeSelector` | Node labels for vaultwarden server pods assignment | `{}` |
+| `server.tolerations` | Tolerations for vaultwarden server pods assignment | `[]` |
+| `server.updateStrategy.type` | vaultwarden server statefulset strategy type | `RollingUpdate` |
+| `server.priorityClassName` | vaultwarden server pods' priorityClassName | `""` |
+| `server.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` |
+| `server.schedulerName` | Name of the k8s scheduler (other than default) for vaultwarden server pods | `""` |
+| `server.terminationGracePeriodSeconds` | Seconds Redmine pod needs to terminate gracefully | `""` |
+| `server.lifecycleHooks` | for the vaultwarden server container(s) to automate configuration before or after startup | `{}` |
+| `server.extraEnvVars` | Array with extra environment variables to add to vaultwarden server nodes | `[]` |
+| `server.extraVolumes` | Extra Volumes for vaultwarden server pods | `[]` |
+| `server.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the vaultwarden server container(s) | `[]` |
+| `server.sidecars` | Add additional sidecar containers to the vaultwarden server pod(s) | `[]` |
+| `server.initContainers` | Add additional init containers to the vaultwarden server pod(s) | `[]` |
+
+### Other Parameters
+
+| Name | Description | Value |
+| --------------------------------------------- | -------------------------------------------------------------------------- | ------ |
+| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
+| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
+| `serviceAccount.annotations` | Additional Service Account annotations (evaluated as a template) | `{}` |
+| `serviceAccount.automountServiceAccountToken` | Automount service account token for the vaultwarden server service account | `true` |
+
+### SSO Parameters
+
+| Name | Description | Value |
+| ---------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `server.env.sso.enabled` | Specifies whether sso should be enabled or not | `false` |
+| `server.env.sso.clientId` | Specifies the value of the clientid if specified which will be placed in the config Map, this will cause the application ignore the clientIdFromSecret values set in the secret | `""` |
+| `server.env.sso.clientSecret` | Specifies the value of the clientSecret if specified which will be placed in the config Map, this will cause the application ignore the clientSecretFromSecret values set in the secret | `""` |
+| `server.env.sso.authority` | Specifies the value of the authority if specified which will be placed in the config Map, this will cause the application ignore the authorityFromSecret values set in the secret | `""` |
+| `server.env.sso.disablePasswordLogin` | Specifies whether disablePasswordLogin should be enabled or not | `false` |
+| `server.env.sso.scopes` | Specifies the scope parameters configured in authentik for the vaultwarden profile showing what permissions vaultwarden has | `""` |
+| `server.env.sso.cache_expiration` | Specifies the cache_expiration parameters configured in authentik for the vaultwarden profile, how often Vaultwarden fetches IdP configuration | `""` |
+| `server.env.sso.frontend` | Specifies the frontend override parameters configured in authentik for the vaultwarden profile, enforces the SSO only login UI for vaulwarden | `""` |
+| `server.sso.clientIdFromSecret.name` | Specifies the value of the name of the secret containing clientId (helps authentik identity the client vaultwarden) obtained from authentik on vaultwarden profile | `""` |
+| `server.sso.clientIdFromSecret.key` | Specifies the value of the key of the secret containing clientId obtained from authentik on vaultwarden profile | `""` |
+| `server.sso.clientSecretFromSecret.name` | Specifies the value of the name of the secret containing clientSecret(helps authentik authenticate the client vaultwarden) obtained from authentik on vaultwarden profile | `""` |
+| `server.sso.clientSecretFromSecret.key` | Specifies the value of the key of the secret containing clientSecret obtained from authentik on vaultwarden profile | `""` |
+| `server.sso.authorityFromSecret.name` | Specifies the value of the name of the secret containing authority obtained from authentik on vaultwarden profile | `""` |
+| `server.sso.authorityFromSecret.key` | Specifies the value of the key of the secret containing authority obtained from authentik on vaultwarden profile | `""` |
diff --git a/charts/vaultwarden/example-prod.values.yaml b/charts/vaultwarden/example-prod.values.yaml
new file mode 100644
index 0000000..6cf17c1
--- /dev/null
+++ b/charts/vaultwarden/example-prod.values.yaml
@@ -0,0 +1,79 @@
+fullnameOverride: "vaultwarden"
+
+server:
+ image:
+ registry: docker.io
+ repository: vaultwarden/server
+ tag: "1.30.1"
+ pullPolicy: IfNotPresent
+
+ databaseURL:
+ existingSecret:
+ name: postgres-cluster-app
+ key: uri
+
+ appURL: "https://vault.example.domain.com"
+
+ pvc:
+ accessMode: ReadWriteMany
+ size: 8Gi
+ storageClass: standard
+
+ containerPorts:
+ frontend: 80
+
+ env:
+ dataFolder: "/data"
+ attachmentsFolder: "/data/attachments"
+ showPasswordHint: false
+ signupsAllowed: false
+ invitationsAllowed: true
+ invitationOrgName: "Vaultwarden"
+ signupDomainsWhitelist: "yourcompany.tld,yourcompany.example.com"
+ signupsVerify: true
+ ipHeader: "X-Real-IP"
+ websocket:
+ enabled: true
+ address: "0.0.0.0"
+ port: 3012
+
+ service:
+ ports:
+ frontend: 80
+
+ ingress:
+ enable: true
+ ingressClassName: nginx
+ enableTLS: true
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-staging
+ external-dns.alpha.kubernetes.io/ttl: "1m"
+
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 10
+ periodSeconds: 2
+ timeoutSeconds: 3
+ failureThreshold: 5
+ successThreshold: 1
+
+ resources:
+ vaultwardenServer:
+ limits:
+ memory: 2Gi
+ cpu: 2Gi
+ requests:
+ memory: 500Mi
+ cpu: 500Mi
+
+ podSecurityContext:
+ enabled: true
+ fsGroup: 1001
+
+ pdb:
+ create: true
+ minAvailable: 1
+
+ autoscaling:
+ enabled: true
+ minReplicas: 2
diff --git a/charts/vaultwarden/templates/NOTES.txt b/charts/vaultwarden/templates/NOTES.txt
new file mode 100644
index 0000000..a0fdeae
--- /dev/null
+++ b/charts/vaultwarden/templates/NOTES.txt
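Review bot: The CPU quantities under `resources` use byte suffixes — `cpu: 2Gi` and `cpu: 500Mi` are read by Kubernetes as roughly 2.1 billion and 524 million cores, so no node can satisfy the request and the pod never schedules; CPU is expressed in cores or millicores, i.e. `cpu: "2"` for the limit and `cpu: 500m` for the request. A file named `example-prod` should also not point cert-manager at `letsencrypt-staging`: staging certificates chain to an untrusted root, and with `enableTLS: true` that is the only certificate the vault serves, so browsers and Bitwarden clients will refuse it — use the cluster's production issuer, e.g. `cert-manager.io/cluster-issuer: letsencrypt-prod`. `autoscaling.enabled: true` is set with only `minReplicas`, while the README lists `maxReplicas` defaulting to `""`; unless the HPA template (not in this diff) supplies a default, the rendered HPA is invalid, so either set `maxReplicas` here or document the default.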
@@ -0,0 +1,13 @@
+CHART NAME: {{ .Chart.Name }}
+CHART VERSION: {{ .Chart.Version }}
+APP VERSION: {{ .Chart.AppVersion }}
+
+** Please be patient while the chart is being deployed **
+
+Get the list of pods by executing:
+
+ kubectl get pods --namespace {{ include "common.names.namespace" . | quote }} -l app.kubernetes.io/instance={{ .Release.Name }}
+
+Access the pod you want to debug by executing
+
+ kubectl exec --namespace {{ include "common.names.namespace" . | quote }} -ti -- bash
diff --git a/charts/vaultwarden/templates/_common_images.tpl b/charts/vaultwarden/templates/_common_images.tpl
new file mode 100644
index 0000000..9828f04
--- /dev/null
+++ b/charts/vaultwarden/templates/_common_images.tpl
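Review bot: The debug command on the last line, `kubectl exec --namespace ... -ti -- bash`, names no pod or workload, so it fails as written; it needs a target such as `kubectl exec --namespace {{ include "common.names.namespace" . | quote }} -ti deploy/{{ include "common.names.fullname" . }}-server -- sh`. The `-server` suffix matches the Deployment name in templates/server/deployment.yaml of this same patch; whether the vaultwarden image ships `bash` is not established by anything in this diff, so `sh` is the safer default until verified. Since the ingress host comes from `server.appURL`, printing `{{ .Values.server.appURL }}` as the vault URL would make these notes actually useful after install.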
@@ -0,0 +1,80 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Return the proper image name
+{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" .Values.global ) }}
+*/}}
+{{- define "common.images.image" -}}
+{{- $registryName := .imageRoot.registry -}}
+{{- $repositoryName := .imageRoot.repository -}}
+{{- $separator := ":" -}}
+{{- $termination := .imageRoot.tag | toString -}}
+{{- if .global }}
+ {{- if .global.imageRegistry }}
+ {{- $registryName = .global.imageRegistry -}}
+ {{- end -}}
+{{- end -}}
+{{- if .imageRoot.digest }}
+ {{- $separator = "@" -}}
+ {{- $termination = .imageRoot.digest | toString -}}
+{{- end -}}
+{{- if $registryName }}
+ {{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}}
+{{- else -}}
+ {{- printf "%s%s%s" $repositoryName $separator $termination -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead)
+{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }}
+*/}}
+{{- define "common.images.pullSecrets" -}}
+ {{- $pullSecrets := list }}
+
+ {{- if .global }}
+ {{- range .global.imagePullSecrets -}}
+ {{- $pullSecrets = append $pullSecrets . -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- range .images -}}
+ {{- range .pullSecrets -}}
+ {{- $pullSecrets = append $pullSecrets . -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if (not (empty $pullSecrets)) }}
+imagePullSecrets:
+ {{- range $pullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+{{- end -}}
+
+{{/*
+Return the proper Docker Image Registry Secret Names evaluating values as templates
+{{ include "common.images.renderPullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $) }}
+*/}}
+{{- define "common.images.renderPullSecrets" -}}
+ {{- $pullSecrets := list }}
+ {{- $context := .context }}
+
+ {{- if $context.Values.global }}
+ {{- range $context.Values.global.imagePullSecrets -}}
+ {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- range .images -}}
+ {{- range .pullSecrets -}}
+ {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if (not (empty $pullSecrets)) }}
+imagePullSecrets:
+ {{- range $pullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/vaultwarden/templates/_common_labels.tpl b/charts/vaultwarden/templates/_common_labels.tpl
new file mode 100644
index 0000000..1d2647d
--- /dev/null
+++ b/charts/vaultwarden/templates/_common_labels.tpl
@@ -0,0 +1,18 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Kubernetes standard labels
+*/}}
+{{- define "common.labels.standard" -}}
+app.kubernetes.io/name: {{ include "common.names.name" . }}
+helm.sh/chart: {{ include "common.names.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector
+*/}}
+{{- define "common.labels.matchLabels" -}}
+app.kubernetes.io/name: {{ include "common.names.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/vaultwarden/templates/_common_name.tpl b/charts/vaultwarden/templates/_common_name.tpl
new file mode 100644
index 0000000..2247723
--- /dev/null
+++ b/charts/vaultwarden/templates/_common_name.tpl
@@ -0,0 +1,77 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "common.names.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "common.names.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "common.names.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified dependency name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+Usage:
+{{ include "common.names.dependency.fullname" (dict "chartName" "dependency-chart-name" "chartValues" .Values.dependency-chart "context" $) }}
+*/}}
+{{- define "common.names.dependency.fullname" -}}
+{{- if .chartValues.fullnameOverride -}}
+{{- .chartValues.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .chartName .chartValues.nameOverride -}}
+{{- if contains $name .context.Release.Name -}}
+{{- .context.Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .context.Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts.
+*/}}
+{{- define "common.names.namespace" -}}
+{{- default .Release.Namespace .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a fully qualified app name adding the installation's namespace.
+*/}}
+{{- define "common.names.fullname.namespace" -}}
+{{- printf "%s-%s" (include "common.names.fullname" .) (include "common.names.namespace" .) | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "common.names.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+ {{ default (include "common.names.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/vaultwarden/templates/_common_tplvalues.tpl b/charts/vaultwarden/templates/_common_tplvalues.tpl
new file mode 100644
index 0000000..5d3d603
--- /dev/null
+++ b/charts/vaultwarden/templates/_common_tplvalues.tpl
@@ -0,0 +1,13 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Renders a value that contains template.
+Usage:
+{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }}
+*/}}
+{{- define "common.tplvalues.render" -}}
+ {{- if typeIs "string" .value }}
+ {{- tpl .value .context }}
+ {{- else }}
+ {{- tpl (.value | toYaml) .context }}
+ {{- end }}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/vaultwarden/templates/server/configmap.yaml b/charts/vaultwarden/templates/server/configmap.yaml
new file mode 100644
index 0000000..0f7340b
--- /dev/null
+++ b/charts/vaultwarden/templates/server/configmap.yaml
@@ -0,0 +1,97 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "common.names.fullname" . }}-env
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: server
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+data:
+ DOMAIN: {{ .Values.server.appURL | quote }}
+ {{- if and .Values.server.env.smtp.host .Values.server.env.smtp.from }}
+ SMTP_HOST: {{ .Values.server.env.smtp.host | quote }}
+ SMTP_SECURITY: {{ .Values.server.env.smtp.security | quote }}
+ SMTP_PORT: {{ .Values.server.env.smtp.port | quote }}
+ {{- if .Values.server.env.smtp.authMechanism }}
+ SMTP_AUTH_MECHANISM: {{ .Values.server.env.smtp.authMechanism | quote }}
+ {{- end }}
+ SMTP_FROM: {{ .Values.server.env.smtp.from | quote }}
+ SMTP_FROM_NAME: {{ default "Vaultwarden" .Values.server.env.smtp.fromName | quote }}
+ SMTP_DEBUG: {{ .Values.server.env.smtp.debug | quote }}
+ SMTP_ACCEPT_INVALID_HOSTNAMES: {{ .Values.server.env.smtp.acceptInvalidHostnames | quote }}
+ SMTP_ACCEPT_INVALID_CERTS: {{ .Values.server.env.smtp.acceptInvalidCerts | quote }}
+ {{- end }}
+ {{- if .Values.server.env.websocket.enabled }}
+ WEBSOCKET_ENABLED: 'true'
+ WEBSOCKET_ADDRESS: {{ .Values.server.env.websocket.address | quote }}
+ WEBSOCKET_PORT: {{ .Values.server.env.websocket.port | quote }}
+ {{- end }}
+ {{- if .Values.server.env.data }}
+ DATA_FOLDER: {{ .Values.server.env.dataFolder | quote }}
+ {{- end }}
+ {{- if .Values.server.env.attachments }}
+ ATTACHMENTS_FOLDER: {{ .Values.server.env.attachmentsFolder | quote }}
+ {{- end }}
+ {{- if and .Values.server.env.rocket.address .Values.server.env.rocket.port }}
+ ROCKET_ADDRESS: {{ .Values.server.env.rocket.address | quote }}
+ ROCKET_PORT: {{ .Values.server.env.rocket.port | quote }}
+ ROCKET_WORKERS: {{ .Values.server.env.rocket.workers | quote }}
+ {{- end }}
+ {{- if .Values.server.env.sso.enabled }}
+ SSO_ENABLED: 'true'
+ SSO_ONLY: {{ .Values.server.env.sso.disablePasswordLogin | quote }}
+
+ {{- if .Values.server.env.sso.existingSecretEnabled -}}
+
+ {{ else }}
+ {{- if and .Values.server.env.sso.clientId (ne .Values.server.env.sso.clientId "") }}
+ SSO_CLIENT_ID: {{ .Values.server.env.sso.clientId | quote }}
+ {{- end }}
+ {{- if and .Values.server.env.sso.clientSecret (ne .Values.server.env.sso.clientSecret "") }}
+ SSO_CLIENT_SECRET: {{ .Values.server.env.sso.clientSecret | quote }}
+ {{- end }}
+ {{- if and .Values.server.env.sso.authority (ne .Values.server.env.sso.authority "") }}
+ SSO_AUTHORITY: {{ .Values.server.env.sso.authority | quote }}
+ {{- end }}
+ {{- end }}
+ SSO_FRONTEND: {{ .Values.server.env.sso.frontend | quote }}
+ SSO_CLIENT_CACHE_EXPIRATION: {{ .Values.server.env.sso.cache_expiration | quote }}
+ SSO_SCOPES: {{ .Values.server.env.sso.scopes | quote }}
+ {{- end }}
+ SHOW_PASSWORD_HINT: {{ .Values.server.env.showPasswordHint | quote }}
+ SIGNUPS_ALLOWED: {{ .Values.server.env.signupsAllowed | quote }}
+ INVITATIONS_ALLOWED: {{ .Values.server.env.invitationsAllowed | quote }}
+ {{- if .Values.server.env.signupDomainsWhitelist }}
+ SIGNUPS_DOMAINS_WHITELIST: {{ .Values.server.env.signupDomainsWhitelist | quote }}
+ {{- end }}
+ SIGNUPS_VERIFY: {{ .Values.server.env.signupsVerify | quote }}
+ WEB_VAULT_ENABLED: {{ .Values.server.env.webVaultEnabled | quote }}
+ {{- if .Values.server.env.logFile }}
+ LOG_FILE: {{ .Values.server.env.logFile | quote }}
+ {{- end }}
+ {{- if .Values.server.env.logLevel }}
+ LOG_LEVEL: {{ .Values.server.env.logLevel | quote }}
+ {{- end }}
+ DB_CONNECTION_RETRIES: {{ .Values.server.env.dbConnectionRetries | quote }}
+ DATABASE_MAX_CONNS: {{ .Values.server.env.databaseMaxConnections | quote }}
+ ENABLE_DB_WAL: {{ .Values.server.env.enableDbWAL | quote }}
+ INVITATION_ORG_NAME: {{ .Values.server.env.invitationOrgName | quote }}
+ ICON_BLACKLIST_NON_GLOBAL_IPS: {{ .Values.server.env.iconBlacklistNonGlobalIps | quote }}
+ IP_HEADER: {{ .Values.server.env.ipHeader | quote }}
+ {{- if .Values.server.env.pushNotifications }}
+ PUSH_ENABLED: 'true'
+ PUSH_INSTALLATION_ID: {{ .Values.server.env.pushNotifications.installationId | quote }}
+ PUSH_INSTALLATION_KEY: {{ .Values.server.env.pushNotifications.installationKey | quote }}
+ {{- end }}
+ {{- if and .Values.server.env.yubico.clientId .Values.server.env.yubico.secretKey }}
+ YUBICO_CLIENT_ID: {{ .Values.server.env.yubico.clientId | quote }}
+ YUBICO_SECRET_KEY: {{ .Values.server.env.yubico.secretKey | quote }}
+ {{- if .Values.server.env.yubico.server }}
+ YUBICO_SERVER: {{ .Values.server.env.yubico.server | quote }}
+ {{- end }}
+ {{- end }}
\ No newline at end of file
diff --git a/charts/vaultwarden/templates/server/deployment.yaml b/charts/vaultwarden/templates/server/deployment.yaml
new file mode 100644
index 0000000..f344f78
--- /dev/null
+++ b/charts/vaultwarden/templates/server/deployment.yaml
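Review bot: `SSO_CLIENT_SECRET`, `YUBICO_SECRET_KEY` and `PUSH_INSTALLATION_KEY` are rendered into this ConfigMap, which is stored in plaintext and readable by anyone with `get configmaps` in the namespace, a far wider audience than Secret readers and outside any etcd encryption or external-secrets controls that apply to Secrets; these three keys should be emitted into a `Secret` (`stringData:`) that the Deployment references via `envFrom: - secretRef:`, leaving only non-sensitive settings here (the README already documents `server.sso.clientSecretFromSecret.*` for a Secret-backed path, so only the inline-value path leaks). The `DATA_FOLDER` and `ATTACHMENTS_FOLDER` guards test `.Values.server.env.data` and `.Values.server.env.attachments`, keys that do not exist among the documented values (`dataFolder` / `attachmentsFolder`), so those two variables are never emitted; they should read `{{- if .Values.server.env.dataFolder }}` and `{{- if .Values.server.env.attachmentsFolder }}`. Likewise `.Values.server.env.sso.existingSecretEnabled` is not a documented value, so the empty existing-secret branch presumably never fires and inline SSO values are always written — worth confirming against values.yaml, which is not part of this diff.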
@@ -0,0 +1,148 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "common.names.fullname" . }}-server + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: server + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if not .Values.server.autoscaling.enabled }} + replicas: {{ .Values.server.replicaCount }} + {{- end }} + {{- if .Values.server.updateStrategy }} + strategy: {{- toYaml .Values.server.updateStrategy | nindent 4 }} + {{- end }} + selector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + app.kubernetes.io/component: server + template: + metadata: + {{- if .Values.server.podAnnotations }} + annotations: {{- include "common.tplvalues.render" (dict "value" .Values.server.podAnnotations "context" $) | nindent 8 }} + {{- end }} + labels: {{- include "common.labels.standard" . | nindent 8 }} + app.kubernetes.io/component: server + {{- if .Values.server.podLabels }} + {{- include "common.tplvalues.render" (dict "value" .Values.server.podLabels "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "common.names.serviceAccountName" . 
}}-server + {{- include "common.images.pullSecrets" (dict "images" (list .Values.server.image) "global" .Values.global) | nindent 6 }} + {{- if .Values.server.affinity }} + affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.server.affinity "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.server.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.server.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.server.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.server.tolerations "context" .) | nindent 8 }} + {{- end }} + {{- if .Values.server.priorityClassName }} + priorityClassName: {{ .Values.server.priorityClassName | quote }} + {{- end }} + {{- if .Values.server.schedulerName }} + schedulerName: {{ .Values.server.schedulerName | quote }} + {{- end }} + {{- if .Values.server.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.server.topologySpreadConstraints "context" .) 
| nindent 8 }} + {{- end }} + {{- if .Values.server.podSecurityContext.enabled }} + securityContext: {{- omit .Values.server.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + {{- if .Values.server.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }} + {{- end }} + initContainers: + {{- if .Values.server.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.server.initContainers "context" $) | nindent 8 }} + {{- end }} + containers: + - name: vaultwarden-server + {{- if .Values.server.image.tag }} + image: {{ include "common.images.image" (dict "imageRoot" .Values.server.image "global" .Values.global) }} + {{- else }} + image: "{{ .Values.server.image.repository }}:{{ .Chart.AppVersion }}" + {{- end }} + imagePullPolicy: {{ .Values.server.image.pullPolicy }} + {{- if .Values.server.resources.vaultwardenServer }} + resources: {{- toYaml .Values.server.resources.vaultwardenServer | nindent 12 }} + {{- end }} + volumeMounts: + - name: vaultwarden-data + mountPath: /data + env: + {{- if or .Values.server.databaseURL.value (and .Values.server.databaseURL.existingSecret.name .Values.server.databaseURL.existingSecret.key)}} + - name: DATABASE_URL + valueFrom: + secretKeyRef: + {{- if .Values.server.databaseURL.value }} + name: {{ template "common.names.fullname" . 
}}-db-uri + key: uri + {{- else }} + name: {{ .Values.server.databaseURL.existingSecret.name }} + key: {{ .Values.server.databaseURL.existingSecret.key }} + {{- end }} + {{- end }} + {{- if (and (eq (default "" (toString .Values.server.env.sso.clientId)) "") (not (eq (default "" (toString .Values.server.sso.clientIdFromSecret.name)) ""))) }} + - name: SSO_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.server.sso.clientIdFromSecret.name }} + key: {{ .Values.server.sso.clientIdFromSecret.key }} + {{- end }} + {{- if (and (eq (default "" (toString .Values.server.env.sso.clientSecret)) "") (not (eq (default "" (toString .Values.server.sso.clientSecretFromSecret.name)) ""))) }} + - name: SSO_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.server.sso.clientSecretFromSecret.name }} + key: {{ .Values.server.sso.clientSecretFromSecret.key }} + {{- end }} + {{- if (and (eq (default "" (toString .Values.server.env.sso.authority)) "") (not (eq (default "" (toString .Values.server.sso.authorityFromSecret.name)) ""))) }} + - name: SSO_AUTHORITY + valueFrom: + secretKeyRef: + name: {{ .Values.server.sso.authorityFromSecret.name }} + key: {{ .Values.server.sso.authorityFromSecret.key }} + {{- end }} + envFrom: + - configMapRef: + name: {{ template "common.names.fullname" . 
}}-env + ports: + - name: server + containerPort: {{ .Values.server.containerPorts.frontend }} + {{- if .Values.server.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.server.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.server.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.server.livenessProbe "enabled") "context" $) | nindent 12 }} + httpGet: + path: / + port: server + {{- end }} + {{- if .Values.server.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.server.customReadinessProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.server.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.server.customStartupProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.server.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.server.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.server.sidecars }} + {{- include "common.tplvalues.render" ( dict "value" .Values.server.sidecars "context" $) | nindent 8 }} + {{- end }} + volumes: + - name: vaultwarden-data + persistentVolumeClaim: + claimName: vaultwarden-data + {{- if .Values.server.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.server.extraVolumes "context" $) | nindent 8 }} + {{- end }} diff --git a/charts/vaultwarden/templates/server/hpa.yaml b/charts/vaultwarden/templates/server/hpa.yaml new file mode 100644 index 0000000..3c70774 --- /dev/null +++ b/charts/vaultwarden/templates/server/hpa.yaml 
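Review bot: The `DATABASE_URL` env reads `key: uri` from the `-db-uri` Secret, but secret.yaml in this same commit stores the value under `token`, so any release that sets `server.databaseURL.value` fails at container start with a missing-key error; use one key in both places, e.g. `key: uri` here and `uri: {{ .Values.server.databaseURL.value | b64enc }}` in the Secret. The `{{- else }}` image fallback `"{{ .Values.server.image.repository }}:{{ .Chart.AppVersion }}"` drops `server.image.registry`, `global.imageRegistry` and `server.image.digest`, and because values.yaml ships `tag: ""` this is the path taken by default, so a digest a user pins is silently ignored; rendering the fallback through `common.images.image` with the app version as the tag would keep registry and digest pinning, if the bundled common library supports that. The container has no `securityContext` (no `allowPrivilegeEscalation: false`, dropped capabilities or `runAsNonRoot`) and the pod spec does not set `automountServiceAccountToken: false`, although nothing in this template uses the Kubernetes API. `server.extraEnvVars` and `server.extraVolumeMounts` are declared in values.yaml but never rendered here, so setting them has no effect.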
@@ -0,0 +1,38 @@ +{{- if .Values.server.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "common.names.fullname" . }}-server + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "common.names.fullname" . }}-server + minReplicas: {{ .Values.server.autoscaling.minReplicas }} + maxReplicas: {{ .Values.server.autoscaling.maxReplicas }} + metrics: + {{- if .Values.server.autoscaling.targetMemory }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.server.autoscaling.targetMemory }} + {{- end }} + {{- if .Values.server.autoscaling.targetCPU }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.server.autoscaling.targetCPU }} + {{- end }} +{{- end }} diff --git a/charts/vaultwarden/templates/server/ingress.yaml b/charts/vaultwarden/templates/server/ingress.yaml new file mode 100644 index 0000000..27ef2af --- /dev/null +++ b/charts/vaultwarden/templates/server/ingress.yaml 
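Review bot: With the defaults this commit ships (`minReplicas: ""`, `maxReplicas: ""`), enabling `server.autoscaling.enabled` renders `minReplicas:` and `maxReplicas:` with empty values, which the API server rejects; either give them numeric defaults in values.yaml or guard them with `maxReplicas: {{ required "server.autoscaling.maxReplicas is required" .Values.server.autoscaling.maxReplicas }}`. When both targets are empty the object renders `metrics:` as null and, as far as I recall, the HPA controller then falls back to its CPU default, which a reader of values.yaml would not expect; a comment on the `metrics:` line stating that would help. The labels block also lacks the `app.kubernetes.io/component: server` label every other resource in this commit carries.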
@@ -0,0 +1,38 @@ +{{- if eq .Values.server.ingress.enable true }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ template "common.names.fullname" . }}-server + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: server + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if or .Values.server.ingress.annotations .Values.commonAnnotations }} + annotations: + {{- if .Values.server.ingress.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.server.ingress.annotations "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} +spec: + ingressClassName: {{ .Values.server.ingress.ingressClassName }} + tls: + - hosts: + - {{ .Values.server.appURL | trimPrefix "http" | trimPrefix "s" | trimPrefix "://" }} + secretName: vaultwarden-tls + rules: + - host: {{ .Values.server.appURL | trimPrefix "http" | trimPrefix "s" | trimPrefix "://" }} + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: {{ template "common.names.fullname" . }}-server + port: + number: {{ .Values.server.containerPorts.frontend }} +{{- end }} diff --git a/charts/vaultwarden/templates/server/pdb.yaml b/charts/vaultwarden/templates/server/pdb.yaml new file mode 100644 index 0000000..496a8b0 --- /dev/null +++ b/charts/vaultwarden/templates/server/pdb.yaml 
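Review bot: The `tls:` block is rendered unconditionally with a hard-coded `secretName: vaultwarden-tls`, while values.yaml in this commit introduces `server.ingress.enableTLS` that the template never reads, so TLS can neither be turned off nor pointed at a differently named certificate Secret; wrap the block in `{{- if .Values.server.ingress.enableTLS }}` and take the Secret name from a value. The host derivation `trimPrefix "http" | trimPrefix "s" | trimPrefix "://"` is fragile: an `appURL` given without a scheme loses a leading `s` (`secure.example.com` becomes `ecure.example.com`) and any path or trailing slash survives into `host`; `{{ (urlParse .Values.server.appURL).host }}` yields the host directly, and a `required` on `appURL` would fail rendering instead of emitting an Ingress with an empty host rule. The backend port uses `.Values.server.containerPorts.frontend` rather than `.Values.server.service.ports.frontend`, so the Ingress targets the wrong Service port as soon as the two differ. `{{- if eq .Values.server.ingress.enable true }}` can simply be `{{- if .Values.server.ingress.enable }}`.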
@@ -0,0 +1,26 @@ +{{- $replicaCount := int .Values.server.replicaCount }} +{{- if and .Values.server.pdb.create (or (gt $replicaCount 1) .Values.server.autoscaling.enabled) }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "common.names.fullname" . }}-server + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: server + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if .Values.server.pdb.minAvailable }} + minAvailable: {{ .Values.server.pdb.minAvailable }} + {{- end }} + {{- if .Values.server.pdb.maxUnavailable }} + maxUnavailable: {{ .Values.server.pdb.maxUnavailable }} + {{- end }} + selector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + app.kubernetes.io/component: server +{{- end }} diff --git a/charts/vaultwarden/templates/server/pvc.yaml b/charts/vaultwarden/templates/server/pvc.yaml new file mode 100644 index 0000000..ee97258 --- /dev/null +++ b/charts/vaultwarden/templates/server/pvc.yaml 
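Review bot: `minAvailable` and `maxUnavailable` are rendered by two independent `if`s, so a user who sets `server.pdb.maxUnavailable` without clearing the shipped default `minAvailable: 1` gets both fields and the API server rejects the PodDisruptionBudget; make the second branch `{{- else if .Values.server.pdb.maxUnavailable }}` or document in values.yaml that only one may be set. The guard `(or (gt $replicaCount 1) .Values.server.autoscaling.enabled)` silently skips the budget for a single replica even when `pdb.create` is true, which is reasonable but deserves a comment above the `{{- if and` line, e.g. `{{/* a PDB on a single replica would block every node drain */}}`.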
@@ -0,0 +1,24 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ template "common.names.name" . }}-data + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: server + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + accessModes: + - {{ .Values.server.pvc.accessMode }} + resources: + requests: + storage: {{ .Values.server.pvc.size }} + {{- if .Values.server.pvc.storageClass }} + storageClassName: {{ .Values.server.pvc.storageClass }} + {{- else }} + storageClassName: "" + {{- end}} diff --git a/charts/vaultwarden/templates/server/secret.yaml b/charts/vaultwarden/templates/server/secret.yaml new file mode 100644 index 0000000..90e41ec --- /dev/null +++ b/charts/vaultwarden/templates/server/secret.yaml @@ -0,0 +1,18 @@ +{{- if .Values.server.databaseURL.value }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "common.names.fullname" . }}-db-uri + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: server + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: Opaque +data: + token: {{ .Values.server.databaseURL.value | b64enc }} +{{- end }} 
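Review bot: The PVC is named `{{ template "common.names.name" . }}-data` while every other resource uses `common.names.fullname`, and deployment.yaml hard-codes `claimName: vaultwarden-data`; the two only coincide while `nameOverride` is empty, and two releases in one namespace would contend for the same claim. Use `{{ template "common.names.fullname" . }}-data` in both places. `global.storageClass` is documented in values.yaml but ignored here; `storageClassName: {{ include "common.storage.class" (dict "persistence" .Values.server.pvc "global" .Values.global) }}` would honor the global override and the empty-string case in one expression, provided the bundled common library carries that helper.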
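Review bot: `{{- if .Values.server.databaseURL.value }}` on the first line dereferences `databaseURL`, which values.yaml in this commit ships as a bare `databaseURL:` with all children commented out (null), so an unmodified install most likely fails rendering with a nil-pointer template error before this `if` is evaluated; deployment.yaml has the same dereference. Shipping `databaseURL: {}` in values.yaml fixes both. The `token` key not matching what deployment.yaml reads is raised on the deployment hunk.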
diff --git a/charts/vaultwarden/templates/server/service.yaml b/charts/vaultwarden/templates/server/service.yaml new file mode 100644 index 0000000..d6f9acd --- /dev/null +++ b/charts/vaultwarden/templates/server/service.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "common.names.fullname" . }}-server + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: server + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if or .Values.server.service.annotations .Values.commonAnnotations }} + annotations: + {{- if .Values.server.service.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.server.service.annotations "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} +spec: + ports: + - name: frontend + port: {{ .Values.server.service.ports.frontend }} + selector: {{- include "common.labels.matchLabels" . | nindent 4 }} + app.kubernetes.io/component: server diff --git a/charts/vaultwarden/templates/server/serviceaccount.yaml b/charts/vaultwarden/templates/server/serviceaccount.yaml new file mode 100644 index 0000000..18292ee --- /dev/null +++ b/charts/vaultwarden/templates/server/serviceaccount.yaml 
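Review bot: The Service port `{{ .Values.server.service.ports.frontend }}` has no `targetPort`, so the Service only reaches the pod while `server.service.ports.frontend` and `server.containerPorts.frontend` happen to be equal (both 80 in the shipped values); add `targetPort: server` to address the named container port regardless of the numbers. No `type` is rendered, which is fine for ClusterIP but leaves users wanting NodePort or LoadBalancer editing the template; a `server.service.type` value is the usual pattern. values.yaml also enables the websocket listener on port 3012, but neither this Service nor the Deployment exposes that port — if the configured Vaultwarden version still runs a separate websocket server, clients cannot reach it through the Service.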
@@ -0,0 +1,22 @@ +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "common.names.serviceAccountName" . }}-server + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: server + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.serviceAccount.annotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.serviceAccount.annotations "context" $) | nindent 4 }} + {{- end }} + {{- end }} +#automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end }} diff --git a/charts/vaultwarden/values.yaml b/charts/vaultwarden/values.yaml new file mode 100644 index 0000000..e47827e --- /dev/null +++ b/charts/vaultwarden/values.yaml 
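Review bot: `#automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}` is commented out, so the `serviceAccount.automountServiceAccountToken` value introduced in values.yaml is dead and the token is always mounted into the Vaultwarden pod although nothing in the templates calls the Kubernetes API; uncomment it as `automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}` and consider shipping `false` as the default. The line already sits at column 0 after `metadata:`, which is the right position for this top-level ServiceAccount field once uncommented.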
@@ -0,0 +1,466 @@ +## @section Global parameters +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass +## + +## @param global.imageRegistry Global Docker image registry +## @param global.imagePullSecrets Global Docker registry secret names as an array +## @param global.storageClass Global StorageClass for Persistent Volume(s) +## +global: + imageRegistry: "" + ## E.g. + ## imagePullSecrets: + ## - myRegistryKeySecretName + ## + imagePullSecrets: [] + storageClass: "" + +## @section Common parameters +## + +## @param nameOverride String to partially override common.names.name +## +nameOverride: "" +## @param fullnameOverride String to fully override common.names.fullname +## +fullnameOverride: "" +## @param namespaceOverride String to fully override common.names.namespace +## +namespaceOverride: "" +## @param commonLabels Labels to add to all deployed objects +## +commonLabels: {} +## @param commonAnnotations Annotations to add to all deployed objects +## +commonAnnotations: {} + +## @param extraDeploy Array of extra objects to deploy with the release +## +extraDeploy: [] + +## @section Vaultwarden Server Parameters +## + +## Server +## +server: + ## @param server.image.registry vaultwarden server image registry + ## @param server.image.repository vaultwarden server image repository + ## @param server.image.tag vaultwarden server image tag (immutable tags are recommended) + ## @param server.image.digest vaultwarden server image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag image tag (immutable tags are recommended) + ## @param server.image.pullPolicy vaultwarden server image pull policy + ## @param server.image.pullSecrets vaultwarden server image pull secrets + ## + image: + registry: docker.io + repository: vaultwarden/server + tag: "" + digest: "" + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + + ## @param server.replicaCount Number of vaultwarden server replicas to deploy + ## + ## Currently, raising this number will result in issues due to the only + ## volume claim mode available being ReadWriteOnce in our Hetzner VMs + replicaCount: 1 + + ## @param server.databaseURL.value Specifies the value for the DATABASE_URL environmt variable. Creates a secret from that value. If you have already a secret containing the db connection leave this empty. + ## @param server.databaseURL.existingSecret.name Specifies the name of an existing Secret for the database URL + ## @param server.databaseURL.existingSecret.key Specifies the key of an existing Secret for the database URL + ## + databaseURL: + # value: "" + # existingSecret: + # {} + # name: postgres-cluster-app + # key: uri + + ## @param server.appURL URL where the app will be accessible. Used a needed env var for vaultwarden and for the ingress, if enabled. 
+ appURL: "" + + ## Vaultwarden Persistent Volume Claim parameters + pvc: + ## @param server.pvc.accessMode Name of the access mode to be set in the PVC + accessMode: ReadWriteOnce + + ## @param server.pvc.size Size to be requested for the PVC + size: 8Gi + + ## @param server.pvc.storageClass Name of the storage class to be used by the PVC + storageClass: standard + + ## @param server.containerPorts.frontend vaultwarden server frontend container port + ## + containerPorts: + frontend: 80 + + ## Vaultwarden environment variables + ## ref: https://github.com/dani-garcia/vaultwarden/blob/main/.env.template + ## @param server.env.dataFolder Main data folder + ## @param server.env.attachmentsFolder Attachments folder, override main data folder + ## @param server.env.showPasswordHint Controls whether a password hint should be shown directly in the web page if SMTP service is not configured. Not recommended for publicly-accessible instances as this provides unauthenticated access to potentially sensitive data. + ## @param server.env.signupsAllowed Controls if new users can register + ## @param server.env.invitationsAllowed Invitations allow org admins to invite users, even when signups are disabled + ## @param server.env.invitationOrgName Name shown in the invitation emails that don't come from a specific organization + ## @param server.env.signupDomainsWhitelist Controls if new users from a list of comma-separated domains can register even if SIGNUPS_ALLOWED is set to false + ## @param server.env.signupsVerify Controls if new users need to verify their email address upon registration + ## @param server.env.logFile Logging to file + ## @param server.env.logLevel Change the verbosity of the log output. Valid values are "trace", "debug", "info", "warn", "error" and "off". + ## @param server.env.iconBlacklistNonGlobalIps Any IP which is not defined as a global IP will be blacklisted. Useful to secure your internal environment. 
+ ## @param server.env.ipHeader Client IP Header, used to identify the IP of the client, defaults to "X-Real-IP". Set to the string "none" (without quotes), to disable any headers and just use the remote IP. + ## @param server.env.dbConnectionRetries Number of times to retry the database connection during startup, with 1 second delay between each retry, set to 0 to retry indefinitely + ## @param server.env.databaseMaxConnections Define the size of the connection pool used for connecting to the database. + ## @param server.env.enableDbWAL Set to false to avoid enabling WAL during startup. Note that if the DB already has WAL enabled, you will also need to disable WAL in the DB, this setting only prevents Vaultwarden from automatically enabling it on start. + ## @param server.env.webVaultEnabled Wheter to enable web vault + ## @param server.env.sso.enabled + ## @param server.env.sso.disablePasswordLogin + ## @param server.env.sso.clientId + ## @param server.env.sso.clientSecret + ## @param server.env.sso.authority + ## @param server.env.websocket.enabled + ## @param server.env.websocket.address + ## @param server.env.websocket.port + ## @param server.env.rocket.address + ## @param server.env.rocket.workers + ## @param server.env.rocket.port + ## @param server.env.rocket.workers + ## @param server.env.yubico.clientId + ## @param server.env.yubico.secretKey + ## @param server.env.yubico.server + ## @param server.env.smtp.existingSecret + ## @param server.env.smtp.host + ## @param server.env.smtp.security + ## @param server.env.smtp.port + ## @param server.env.smtp.from + ## @param server.env.smtp.fromName + ## @param server.env.smtp.username.value + ## @param server.env.smtp.username.existingSecretKey + ## @param server.env.smtp.password.value + ## @param server.env.smtp.password.existingSecretKey + ## @param server.env.smtp.authMechanism + ## @param server.env.smtp.acceptInvalidHostnames + ## @param server.env.smtp.acceptInvalidCerts + ## @param server.env.smtp.debug + 
## @param server.env.pushNotifications + + sso: + existingSecretEnabled: true + clientIdFromSecret: + name: "" + key: "" + clientSecretFromSecret: + name: "" + key: "" + authorityFromSecret: + name: "" + key: "" + + env: + dataFolder: "/data" + attachmentsFolder: "/data/attachments" + showPasswordHint: false + signupsAllowed: true + invitationsAllowed: true + invitationOrgName: "Vaultwarden" + signupDomainsWhitelist: "" + signupsVerify: false + logFile: "" + logLevel: "" + iconBlacklistNonGlobalIps: false + ipHeader: "X-Real-IP" + dbConnectionRetries: 15 + databaseMaxConnections: 10 + enableDbWAL: true + webVaultEnabled: true + + sso: + enabled: false + disablePasswordLogin: false + frontend: "" + clientId: "" + clientSecret: "" + authority: "" + scopes: "" + + websocket: + enabled: true + address: "0.0.0.0" + port: 3012 + + rocket: + address: "" + port: "" + workers: "10" + + yubico: + clientId: "" + secretKey: "" + server: "" + + smtp: + existingSecret: "" + host: "" + security: "starttls" + port: 25 + from: "" + fromName: "" + username: + value: "" + existingSecretKey: "" + password: + value: "" + existingSecretKey: "" + authMechanism: "Plain" + acceptInvalidHostnames: "false" + acceptInvalidCerts: "false" + debug: false + + pushNotifications: + {} + # installationId: "" + # installationKey: "" + + ## Vaultwarden server service parameters + ## + service: + ## @param server.service.ports.frontend vaultwarden server service frontend port + ports: + frontend: 80 + + ## @param server.service.annotations Additional custom annotations for vaultwarden server service + annotations: {} + + ## Vaultwarden ingress parameters + ingress: + ## @param server.ingress.enable Boolean to enable or disable creation of an ingress + enable: false + + ## @param server.ingress.ingressClassName Name of the class to be used by the ingress + ingressClassName: nginx + + ## @param server.ingress.enableTLS Wheter to enable TLS encryption for the ingress + enableTLS: true + + ## @param 
server.ingress.annotations Additional custom annotations for vaultwarden ingress + annotations: + {} + ## + # cert-manager.io/cluster-issuer: letsencrypt-staging + # external-dns.alpha.kubernetes.io/ttl: "1m" + + ## RBAC configuration + ## + rbac: + ## @param server.rbac.create Specifies whether RBAC resources should be created + ## + create: true + ## @param server.rbac.rules Custom RBAC rules to set + ## e.g: + ## rules: + ## - apiGroups: + ## - "" + ## resources: + ## - pods + ## verbs: + ## - get + ## - list + ## + rules: [] + + ## Configure extra options for vaultwarden server containers' liveness and readiness probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param server.livenessProbe.enabled Enable livenessProbe on vaultwarden server containers + ## @param server.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param server.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param server.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param server.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param server.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: false + initialDelaySeconds: 10 + periodSeconds: 2 + timeoutSeconds: 3 + failureThreshold: 5 + successThreshold: 1 + + ## @param server.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param server.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## @param server.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## Vaultwarden server resource requests and limits + ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## @param server.resources.vaultwardenServer.limits The resources limits for the 
vaultwarden server containers + ## @param server.resources.vaultwardenServer.requests The requested resources for the vaultwarden server containers + ## + resources: + vaultwardenServer: + limits: {} + requests: {} + + ## Configure Pods Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param server.podSecurityContext.enabled Enabled vaultwarden server pods' Security Context + ## @param server.podSecurityContext.fsGroup Set vaultwarden server pod's Security Context fsGroup + ## + podSecurityContext: + enabled: false + fsGroup: 1001 + + ## @param server.podLabels Extra labels for vaultwarden server pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + + ## @param server.podAnnotations Annotations for vaultwarden server pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + + ## @param server.pdb.create Enable PodDisruptionBudged for vaultwarden server pods + ## @param server.pdb.minAvailable Set minAvailable for vaultwarden server pods + ## @param server.pdb.maxUnavailable Set maxUnavailable for vaultwarden server pods + ## + pdb: + create: false + minAvailable: 1 + maxUnavailable: "" + + ## Autoscaling configuration + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + ## @param server.autoscaling.enabled Enable autoscaling for server + ## @param server.autoscaling.minReplicas Minimum number of vaultwarden server replicas + ## @param server.autoscaling.maxReplicas Maximum number of vaultwarden server replicas + ## @param server.autoscaling.targetCPU Target CPU utilization percentage + ## @param server.autoscaling.targetMemory Target Memory utilization percentage + ## + autoscaling: + enabled: false + minReplicas: "" + maxReplicas: "" + targetCPU: "" + targetMemory: "" + + ## @param server.affinity Affinity for 
vaultwarden server pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## + affinity: {} + + ## @param server.nodeSelector Node labels for vaultwarden server pods assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## @param server.tolerations Tolerations for vaultwarden server pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + + ## @param server.updateStrategy.type vaultwarden server statefulset strategy type + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## + updateStrategy: + ## StrategyType + ## Can be set to RollingUpdate or OnDelete + ## + type: RollingUpdate + + ## @param server.priorityClassName vaultwarden server pods' priorityClassName + ## + priorityClassName: "" + + ## @param server.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. 
Evaluated as a template + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods + ## + topologySpreadConstraints: [] + + ## @param server.schedulerName Name of the k8s scheduler (other than default) for vaultwarden server pods + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + + ## @param server.terminationGracePeriodSeconds Seconds Redmine pod needs to terminate gracefully + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods + ## + terminationGracePeriodSeconds: "" + + ## @param server.lifecycleHooks for the vaultwarden server container(s) to automate configuration before or after startup + ## + lifecycleHooks: {} + + ## @param server.extraEnvVars Array with extra environment variables to add to vaultwarden server nodes + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + + ## @param server.extraVolumes Extra Volumes for vaultwarden server pods + extraVolumes: [] + + ## @param server.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the vaultwarden server container(s) + ## + extraVolumeMounts: [] + + ## @param server.sidecars Add additional sidecar containers to the vaultwarden server pod(s) + ## e.g: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + + ## @param server.initContainers Add additional init containers to the vaultwarden server pod(s) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + ## e.g: + ## initContainers: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## command: ['sh', '-c', 'echo "hello world"'] + ## + initContainers: [] + +## @section Other Parameters +## + +## ServiceAccount configuration +## +serviceAccount: + ## @param 
serviceAccount.create Specifies whether a ServiceAccount should be created + ## + create: true + ## @param serviceAccount.name The name of the ServiceAccount to use. + ## If not set and create is true, a name is generated using the common.names.fullname template + ## + name: "" + ## @param serviceAccount.annotations Additional Service Account annotations (evaluated as a template) + ## + annotations: {} + ## @param serviceAccount.automountServiceAccountToken Automount service account token for the vaultwarden server service account + ## + automountServiceAccountToken: true
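Review bot: `databaseURL:` has every child commented out and therefore loads as null, so `.Values.server.databaseURL.value` in deployment.yaml and secret.yaml most likely fails rendering with a nil-pointer error on an unmodified install; ship `databaseURL: {}` (or explicit `value: ""` and `existingSecret: {name: "", key: ""}`) instead. `signupsAllowed: true` opens self-registration by default on a password-manager backend; a `false` default, with `signupDomainsWhitelist` or invitations documented as the intended onboarding path, is the safer starting point, and `showPasswordHint: false` already shows that instinct. Several descriptions look like copy-paste leftovers: `server.updateStrategy.type` talks about a statefulset while the workload is a Deployment, `server.terminationGracePeriodSeconds` mentions a Redmine pod, `server.env.rocket.workers` is listed twice, and `server.rbac.*` is defined although no RBAC template appears in this commit. `automountServiceAccountToken: true` is the riskier default for a workload that does not use the cluster API.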