9 changes: 9 additions & 0 deletions charts/vaultwarden/Chart.yaml
@@ -0,0 +1,9 @@
apiVersion: "v2"
name: "vaultwarden"
version: "0.1"
appVersion: "1.30.1"
description: |
This chart installs and configures Vaultwarden.

Vaultwarden is an alternative implementation of the
Bitwarden server API, compatible with Bitwarden clients.
154 changes: 154 additions & 0 deletions charts/vaultwarden/README.md


79 changes: 79 additions & 0 deletions charts/vaultwarden/example-prod.values.yaml
@@ -0,0 +1,79 @@
fullnameOverride: "vaultwarden"

server:
image:
registry: docker.io
repository: vaultwarden/server
tag: "1.30.1"
pullPolicy: IfNotPresent

databaseURL:
existingSecret:
name: postgres-cluster-app
key: uri

appURL: "https://vault.example.domain.com"

pvc:
accessMode: ReadWriteMany
size: 8Gi
storageClass: standard

containerPorts:
frontend: 80

env:
dataFolder: "/data"
attachmentsFolder: "/data/attachments"
showPasswordHint: false
signupsAllowed: false
invitationsAllowed: true
invitationOrgName: "Vaultwarden"
signupDomainsWhitelist: "yourcompany.tld,yourcompany.example.com"
signupsVerify: true
ipHeader: "X-Real-IP"
websocket:
enabled: true
address: "0.0.0.0"
port: 3012

service:
ports:
frontend: 80

ingress:
enable: true
ingressClassName: nginx
enableTLS: true
annotations:
cert-manager.io/cluster-issuer: letsencrypt-staging
external-dns.alpha.kubernetes.io/ttl: "1m"

livenessProbe:
enabled: true
initialDelaySeconds: 10
periodSeconds: 2
timeoutSeconds: 3
failureThreshold: 5
successThreshold: 1

resources:
vaultwardenServer:
limits:
memory: 2Gi
cpu: 2Gi
requests:
memory: 500Mi
cpu: 500Mi

podSecurityContext:
enabled: true
fsGroup: 1001

pdb:
create: true
minAvailable: 1

autoscaling:
enabled: true
minReplicas: 2
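Review bot: The `resources.vaultwardenServer` block specifies CPU in byte units (`cpu: 2Gi`, `cpu: 500Mi`); Kubernetes accepts these as quantities but they mean hundreds of millions of cores, so a pod with this request will never be schedulable — use `cpu: "2"` and `cpu: 500m`. The ingress annotation `cert-manager.io/cluster-issuer: letsencrypt-staging` in a file named example-prod issues certificates from an untrusted CA that Bitwarden clients will refuse, so `letsencrypt-prod` (or a comment saying staging is intentional) belongs here. `podSecurityContext` only sets `fsGroup`; for a password-manager workload I would also expect `runAsNonRoot: true` and a non-root `runAsUser` here, assuming the chart renders those fields. `ipHeader: "X-Real-IP"` is trustworthy only while every request reaches the pod through the nginx ingress that overwrites it; a NetworkPolicy restricting ingress to the controller is worth adding alongside this example.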
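--- a/charts/vaultwarden/templates/NOTES.txt
+++ b/charts/vaultwarden/templates/NOTES.txt
@@ -0,0 +1,13 @@
+CHART NAME: {{ .Chart.Name }}
+CHART VERSION: {{ .Chart.Version }}
+APP VERSION: {{ .Chart.AppVersion }}
+
+** Please be patient while the chart is being deployed **
+
+Get the list of pods by executing:
+
+kubectl get pods --namespace {{ include "common.names.namespace" . | quote }} -l app.kubernetes.io/instance={{ .Release.Name }}
+
+Access the pod you want to debug by executing
+
+kubectl exec --namespace {{ include "common.names.namespace" . | quote }} -ti <NAME OF THE POD> -- bash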
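--- a/charts/vaultwarden/templates/_common_images.tpl
+++ b/charts/vaultwarden/templates/_common_images.tpl
@@ -0,0 +1,80 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Return the proper image name
+{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" .Values.global ) }}
+*/}}
+{{- define "common.images.image" -}}
+{{- $registryName := .imageRoot.registry -}}
+{{- $repositoryName := .imageRoot.repository -}}
+{{- $separator := ":" -}}
+{{- $termination := .imageRoot.tag | toString -}}
+{{- if .global }}
+{{- if .global.imageRegistry }}
+{{- $registryName = .global.imageRegistry -}}
+{{- end -}}
+{{- end -}}
+{{- if .imageRoot.digest }}
+{{- $separator = "@" -}}
+{{- $termination = .imageRoot.digest | toString -}}
+{{- end -}}
+{{- if $registryName }}
+{{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}}
+{{- else -}}
+{{- printf "%s%s%s" $repositoryName $separator $termination -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead)
+{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }}
+*/}}
+{{- define "common.images.pullSecrets" -}}
+{{- $pullSecrets := list }}
+
+{{- if .global }}
+{{- range .global.imagePullSecrets -}}
+{{- $pullSecrets = append $pullSecrets . -}}
+{{- end -}}
+{{- end -}}
+
+{{- range .images -}}
+{{- range .pullSecrets -}}
+{{- $pullSecrets = append $pullSecrets . -}}
+{{- end -}}
+{{- end -}}
+
+{{- if (not (empty $pullSecrets)) }}
+imagePullSecrets:
+{{- range $pullSecrets }}
+- name: {{ . }}
+{{- end }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Return the proper Docker Image Registry Secret Names evaluating values as templates
+{{ include "common.images.renderPullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $) }}
+*/}}
+{{- define "common.images.renderPullSecrets" -}}
+{{- $pullSecrets := list }}
+{{- $context := .context }}
+
+{{- if $context.Values.global }}
+{{- range $context.Values.global.imagePullSecrets -}}
+{{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}}
+{{- end -}}
+{{- end -}}
+
+{{- range .images -}}
+{{- range .pullSecrets -}}
+{{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}}
+{{- end -}}
+{{- end -}}
+
+{{- if (not (empty $pullSecrets)) }}
+imagePullSecrets:
+{{- range $pullSecrets }}
+- name: {{ . }}
+{{- end }}
+{{- end }}
+{{- end -}}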
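Review bot: `common.images.image` renders `repository:` with an empty tag when neither `.imageRoot.tag` nor `.imageRoot.digest` is set, because `$termination` is just `.imageRoot.tag | toString`; the broken reference is only rejected by the kubelet at pod creation, not at `helm template`/`helm lint` time. A guard after the digest block fails early with a readable message: `{{- if not $termination }}{{- fail (printf "image %s needs a tag or a digest" $repositoryName) -}}{{- end -}}`. Since the helper already prefers `digest` over `tag` when both are present, it would also be worth saying in the header comment that production values should pin `digest`, which is the only form the registry cannot silently re-point.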
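--- a/charts/vaultwarden/templates/_common_labels.tpl
+++ b/charts/vaultwarden/templates/_common_labels.tpl
@@ -0,0 +1,18 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Kubernetes standard labels
+*/}}
+{{- define "common.labels.standard" -}}
+app.kubernetes.io/name: {{ include "common.names.name" . }}
+helm.sh/chart: {{ include "common.names.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector
+*/}}
+{{- define "common.labels.matchLabels" -}}
+app.kubernetes.io/name: {{ include "common.names.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}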
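Review bot: `common.labels.standard` omits `app.kubernetes.io/version`, which is the label inventory and vulnerability tooling use to find which Vaultwarden build is running in a cluster. Adding `app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}` is safe here because `common.labels.matchLabels` is a separate helper, so selectors are unaffected; the `quote` keeps a version like `1.30` from being read as a float.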
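--- a/charts/vaultwarden/templates/_common_name.tpl
+++ b/charts/vaultwarden/templates/_common_name.tpl
@@ -0,0 +1,77 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "common.names.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "common.names.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "common.names.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified dependency name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+Usage:
+{{ include "common.names.dependency.fullname" (dict "chartName" "dependency-chart-name" "chartValues" .Values.dependency-chart "context" $) }}
+*/}}
+{{- define "common.names.dependency.fullname" -}}
+{{- if .chartValues.fullnameOverride -}}
+{{- .chartValues.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .chartName .chartValues.nameOverride -}}
+{{- if contains $name .context.Release.Name -}}
+{{- .context.Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .context.Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts.
+*/}}
+{{- define "common.names.namespace" -}}
+{{- default .Release.Namespace .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a fully qualified app name adding the installation's namespace.
+*/}}
+{{- define "common.names.fullname.namespace" -}}
+{{- printf "%s-%s" (include "common.names.fullname" .) (include "common.names.namespace" .) | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "common.names.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+{{ default (include "common.names.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+{{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}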
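Review bot: `common.names.serviceAccountName` silently falls back to the namespace's `default` ServiceAccount when `serviceAccount.create` is false and no name is given, so a password-manager pod ends up with whatever token and RBAC that shared account carries. The helper's comment should state this fallback, e.g. `Falls back to the namespace "default" ServiceAccount when creation is disabled and no name is set`. Vaultwarden needs no Kubernetes API access, so the Deployment (not visible in this section) should set `automountServiceAccountToken: false` on the pod regardless of which account is chosen.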
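--- a/charts/vaultwarden/templates/_common_tplvalues.tpl
+++ b/charts/vaultwarden/templates/_common_tplvalues.tpl
@@ -0,0 +1,13 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Renders a value that contains template.
+Usage:
+{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }}
+*/}}
+{{- define "common.tplvalues.render" -}}
+{{- if typeIs "string" .value }}
+{{- tpl .value .context }}
+{{- else }}
+{{- tpl (.value | toYaml) .context }}
+{{- end }}
+{{- end -}}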
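Review bot: The header comment should say that `common.tplvalues.render` executes the value as a Go template with the full chart context (`tpl .value .context`), so any value routed through it — `commonLabels`, `commonAnnotations`, `imagePullSecrets` names — can read every other key under `.Values` at render time, including inline SSO, Yubico or push secrets. That is fine for operator-authored values but matters when a values file is assembled from several sources; a sentence such as `Values passed here are evaluated as templates and can reference any .Values key; only route operator-controlled values through this helper` makes the trust boundary explicit.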
97 changes: 97 additions & 0 deletions charts/vaultwarden/templates/server/configmap.yaml
@@ -0,0 +1,97 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "common.names.fullname" . }}-env
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: server
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
DOMAIN: {{ .Values.server.appURL | quote }}
{{- if and .Values.server.env.smtp.host .Values.server.env.smtp.from }}
SMTP_HOST: {{ .Values.server.env.smtp.host | quote }}
SMTP_SECURITY: {{ .Values.server.env.smtp.security | quote }}
SMTP_PORT: {{ .Values.server.env.smtp.port | quote }}
{{- if .Values.server.env.smtp.authMechanism }}
SMTP_AUTH_MECHANISM: {{ .Values.server.env.smtp.authMechanism | quote }}
{{- end }}
SMTP_FROM: {{ .Values.server.env.smtp.from | quote }}
SMTP_FROM_NAME: {{ default "Vaultwarden" .Values.server.env.smtp.fromName | quote }}
SMTP_DEBUG: {{ .Values.server.env.smtp.debug | quote }}
SMTP_ACCEPT_INVALID_HOSTNAMES: {{ .Values.server.env.smtp.acceptInvalidHostnames | quote }}
SMTP_ACCEPT_INVALID_CERTS: {{ .Values.server.env.smtp.acceptInvalidCerts | quote }}
{{- end }}
{{- if .Values.server.env.websocket.enabled }}
WEBSOCKET_ENABLED: 'true'
WEBSOCKET_ADDRESS: {{ .Values.server.env.websocket.address | quote }}
WEBSOCKET_PORT: {{ .Values.server.env.websocket.port | quote }}
{{- end }}
{{- if .Values.server.env.data }}
DATA_FOLDER: {{ .Values.server.env.dataFolder | quote }}
{{- end }}
{{- if .Values.server.env.attachments }}
ATTACHMENTS_FOLDER: {{ .Values.server.env.attachmentsFolder | quote }}
{{- end }}
{{- if and .Values.server.env.rocket.address .Values.server.env.rocket.port }}
ROCKET_ADDRESS: {{ .Values.server.env.rocket.address | quote }}
ROCKET_PORT: {{ .Values.server.env.rocket.port | quote }}
ROCKET_WORKERS: {{ .Values.server.env.rocket.workers | quote }}
{{- end }}
{{- if .Values.server.env.sso.enabled }}
SSO_ENABLED: 'true'
SSO_ONLY: {{ .Values.server.env.sso.disablePasswordLogin | quote }}

{{- if .Values.server.env.sso.existingSecretEnabled -}}

{{ else }}
{{- if and .Values.server.env.sso.clientId (ne .Values.server.env.sso.clientId "") }}
SSO_CLIENT_ID: {{ .Values.server.env.sso.clientId | quote }}
{{- end }}
{{- if and .Values.server.env.sso.clientSecret (ne .Values.server.env.sso.clientSecret "") }}
SSO_CLIENT_SECRET: {{ .Values.server.env.sso.clientSecret | quote }}
{{- end }}
{{- if and .Values.server.env.sso.authority (ne .Values.server.env.sso.authority "") }}
SSO_AUTHORITY: {{ .Values.server.env.sso.authority | quote }}
{{- end }}
{{- end }}
SSO_FRONTEND: {{ .Values.server.env.sso.frontend | quote }}
SSO_CLIENT_CACHE_EXPIRATION: {{ .Values.server.env.sso.cache_expiration | quote }}
SSO_SCOPES: {{ .Values.server.env.sso.scopes | quote }}
{{- end }}
SHOW_PASSWORD_HINT: {{ .Values.server.env.showPasswordHint | quote }}
SIGNUPS_ALLOWED: {{ .Values.server.env.signupsAllowed | quote }}
INVITATIONS_ALLOWED: {{ .Values.server.env.invitationsAllowed | quote }}
{{- if .Values.server.env.signupDomainsWhitelist }}
SIGNUPS_DOMAINS_WHITELIST: {{ .Values.server.env.signupDomainsWhitelist | quote }}
{{- end }}
SIGNUPS_VERIFY: {{ .Values.server.env.signupsVerify | quote }}
WEB_VAULT_ENABLED: {{ .Values.server.env.webVaultEnabled | quote }}
{{- if .Values.server.env.logFile }}
LOG_FILE: {{ .Values.server.env.logFile | quote }}
{{- end }}
{{- if .Values.server.env.logLevel }}
LOG_LEVEL: {{ .Values.server.env.logLevel | quote }}
{{- end }}
DB_CONNECTION_RETRIES: {{ .Values.server.env.dbConnectionRetries | quote }}
DATABASE_MAX_CONNS: {{ .Values.server.env.databaseMaxConnections | quote }}
ENABLE_DB_WAL: {{ .Values.server.env.enableDbWAL | quote }}
INVITATION_ORG_NAME: {{ .Values.server.env.invitationOrgName | quote }}
ICON_BLACKLIST_NON_GLOBAL_IPS: {{ .Values.server.env.iconBlacklistNonGlobalIps | quote }}
IP_HEADER: {{ .Values.server.env.ipHeader | quote }}
{{- if .Values.server.env.pushNotifications }}
PUSH_ENABLED: 'true'
PUSH_INSTALLATION_ID: {{ .Values.server.env.pushNotifications.installationId | quote }}
PUSH_INSTALLATION_KEY: {{ .Values.server.env.pushNotifications.installationKey | quote }}
{{- end }}
{{- if and .Values.server.env.yubico.clientId .Values.server.env.yubico.secretKey }}
YUBICO_CLIENT_ID: {{ .Values.server.env.yubico.clientId | quote }}
YUBICO_SECRET_KEY: {{ .Values.server.env.yubico.secretKey | quote }}
{{- if .Values.server.env.yubico.server }}
YUBICO_SERVER: {{ .Values.server.env.yubico.server | quote }}
{{- end }}
{{- end }}
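Review bot: `SSO_CLIENT_SECRET`, `PUSH_INSTALLATION_KEY` and `YUBICO_SECRET_KEY` are written into this ConfigMap, yet ConfigMaps are excluded from Kubernetes Secret encryption at rest and are typically readable under broader RBAC than Secrets; these three keys belong in a Secret consumed via `envFrom`/`secretKeyRef`, the way `databaseURL.existingSecret` already handles the database URI, and the `existingSecretEnabled` branch only covers the SSO trio. Separately, the guards `{{- if .Values.server.env.data }}` and `{{- if .Values.server.env.attachments }}` test keys that the example values never set (they use `dataFolder`/`attachmentsFolder`), so `DATA_FOLDER` and `ATTACHMENTS_FOLDER` are never emitted; change them to `{{- if .Values.server.env.dataFolder }}` and `{{- if .Values.server.env.attachmentsFolder }}`. The empty `existingSecretEnabled` branch with its bare `-}}` / `{{ else }}` pair is also easy to misread and could be collapsed to `{{- if not .Values.server.env.sso.existingSecretEnabled }}`.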