test
d4rkfella committed Dec 2, 2024
1 parent 88bdbdd commit 06c8366
Showing 2 changed files with 142 additions and 205 deletions.
10 changes: 6 additions & 4 deletions kubernetes/main/apps/vaultwarden/app/externalsecret.yaml
Expand Up @@ -13,16 +13,18 @@ spec:
template:
engineVersion: v2
data:
admin-token: "{{ .VAULTWARDEN_ADMIN_TOKEN }}"
VAULTWARDEN_DATABASE_URI: "{{ .VAULTWARDEN_DATABASE_URI }}"
smtp-user: "{{ .SMTP_USERNAME }}"
smtp-password: "{{ .SMTP_VAULTWARDEN_PASS }}"
ADMIN_TOKEN: "{{ .VAULTWARDEN_ADMIN_TOKEN }}"
DATABASE_URL: "{{ .VAULTWARDEN_DATABASE_URI }}"
SMTP_USERNAME: "{{ .SMTP_USERNAME }}"
SMTP_PASSWORD: "{{ .SMTP_VAULTWARDEN_PASS }}"
SMTP_SENDER: "{{ .SMTP_SENDER }}"
INIT_POSTGRES_DBNAME: vaultwarden
INIT_POSTGRES_HOST: postgres17-rw.database.svc.cluster.local
INIT_POSTGRES_USER: "{{ .VAULTWARDEN_POSTGRESS_USER }}"
INIT_POSTGRES_PASS: "{{ .VAULTWARDEN_POSTGRES_PASS }}"
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
INSTALLATION_ID: "{{ .VAULTWARDEN_INSTALLATION_ID }}"
INSTALLATION_KEY: "{{ .VAULTWARDEN_INSTALLATION_KEY }}"
dataFrom:
- extract:
key: secrets/vaultwarden
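Review bot: `INIT_POSTGRES_USER: "{{ .VAULTWARDEN_POSTGRESS_USER }}"` spells the store key differently from its sibling `.VAULTWARDEN_POSTGRES_PASS`; if the key in `secrets/vaultwarden` is actually `VAULTWARDEN_POSTGRES_USER`, the template renders an empty or failed value and the init container runs with an empty role name, so either fix the reference to `INIT_POSTGRES_USER: "{{ .VAULTWARDEN_POSTGRES_USER }}"` or confirm the store key really carries the double "s". The rendered page does not show which of these lines are added and which are context, so this may predate the commit. Separately, `ADMIN_TOKEN` is whatever `VAULTWARDEN_ADMIN_TOKEN` holds; vaultwarden accepts an Argon2 PHC hash here instead of the plaintext token, which keeps the clear value out of the rendered Secret — worth confirming the stored value is the hash rather than the token.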
337 changes: 136 additions & 201 deletions kubernetes/main/apps/vaultwarden/app/helmrelease.yaml
@@ -1,228 +1,163 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: vaultwarden
name: &app vaultwarden
namespace: vaultwarden
spec:
interval: 30m
chart:
spec:
chart: vaultwarden
version: 1.2.4
chart: app-template
version: 3.5.1
sourceRef:
kind: HelmRepository
name: vaultwarden
name: bjw-s
namespace: flux-system
maxHistory: 3
maxHistory: 2
install:
createNamespace: true
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
strategy: rollback
retries: 3
uninstall:
keepHistory: false
values:
replicaCount: 1
database:
type: postgresql
existingSecret: &secret vaultwarden-secret
existingSecretKey: VAULTWARDEN_DATABASE_URI
vaultwarden:
domain: https://vaultwarden.${PUBLIC_DOMAIN}
allowSignups: true
signupDomains:
- ${PUBLIC_DOMAIN}
verifySignup: true
requireEmail: false
emailAttempts: 3
emailTokenExpiration: 600
allowInvitation: true
invitationExpiration: 120
passwordHintsAllowed: true
showPasswordHint: false
defaultInviteName: DarkfellaNET
enableWebVault: true
enableSends: true
orgCreationUsers: all
## Limit attachment disk usage per organization.
#attachmentLimitOrg:
## Limit attachment disk usage per user.
#attachmentLimitUser:
## Limit send disk usage per user.
#sendLimitUser:
## HaveIBeenPwned API Key. Can be purchased at https://haveibeenpwned.com/API/Key.
#hibpApiKey:
## Number of days to auto-delete trashed items. By default iteams are not auto-deleted.
#autoDeleteDays:
## Organization event logging
#orgEvents: false
## Organization event retation. Leave empty to not delete.
#orgEventsRetention: ""
## Allow users to change their email.
#emailChangeAllowed: true
## Map of custom environment variables. Use carefully.
#extraEnv:
# IP_HEADER: CF-Connecting-IP
# ALLOWED_IFRAME_ANCESTORS: myintranet.local
# COOL_VARIABLE:
# secretKeyRef:
# name: my-secret
# key: my-secret-key
# ANOTHER_VARIABLE:
# configMapKeyRef:
# name: my-config-map
# key: my-config-map-key

admin:
enabled: true
disableAdminToken: false
existingSecret: *secret

emergency:
enabled: true
## Schedule to send expiration reminders to emergency access grantors. Cron schedule format.
#reminder: "0 3 * * * *"
## Schedule to grant emergency access requests that have met the required wait time. Cron schedule format.
#timeout: "0 3 * * * *"

# Enable SMTP. https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
smtp:
enabled: true
host: smtp-relay.brevo.com
from: noreply@${PUBLIC_DOMAIN}
#fromName: ""
security: starttls
port: 587
authMechanism: Login
timeout: 15
invalidHostname: false
invalidCertificate: false
existingSecret: *secret
embedImages: true

log:
file: ""
level: ""
push:
enabled: false
controllers:
vaultwarden:
annotations:
reloader.stakater.com/auto: "true"

initContainers:
init-db:
image:
repository: ghcr.io/onedr0p/postgres-init
tag: 16.6@sha256:35353a77777ee8f634d0f3945f495b4a40065134b8619e0d18bd49b0ee9c855b
env:
INIT_POSTGRES_DBNAME: vaultwarden
INIT_POSTGRES_HOST: postgres17-rw.database.svc.cluster.local
INIT_POSTGRES_USER:
valueFrom:
secretKeyRef:
name: &secret vaultwarden-secret
key: INIT_POSTGRES_USER
INIT_POSTGRES_PASS:
valueFrom:
secretKeyRef:
name: *secret
key: INIT_POSTGRES_PASS
INIT_POSTGRES_SUPER_PASS:
valueFrom:
secretKeyRef:
name: *secret
key: INIT_POSTGRES_SUPER_PASS

containers:
app:
image:
repository: vaultwarden/server
tag: 1.32.5@sha256:84015c9306cc58f4be8b09c1adc62cfc3b2648b1430e9c15901482f3d870bd14
env:
DATA_FOLDER: data
ICON_CACHE_FOLDER: data/icon_cache
ATTACHMENTS_FOLDER: data/attachments
DOMAIN: https://vaultwarden.${PUBLIC_DOMAIN}
TZ: "Europe/Sofia"
EMAIL_CHANGE_ALLOWED: false
SIGNUPS_ALLOWED: false
SIGNUPS_VERIFY: true
SIGNUPS_DOMAINS_WHITELIST: ${PUBLIC_DOMAIN}
ROCKET_ADDRESS: 0.0.0.0
SMTP_AUTH_MECHANISM: Login
SMTP_HOST: smtp-relay.brevo.com.
SMTP_FROM: noreply@${PUBLIC_DOMAIN}
SMTP_FROM_NAME: vaultwarden
SMTP_PORT: 587
SMTP_SECURITY: starttls
SMTP_USERNAME:
valueFrom:
secretKeyRef:
name: *secret
key: SMTP_USERNAME
SMTP_PASSWORD:
valueFrom:
secretKeyRef:
name: *secret
key: SMTP_PASSWORD
ADMIN_TOKEN:
valueFrom:
secretKeyRef:
name: *secret
key: ADMIN_TOKEN
DATABASE_URL:
valueFrom:
secretKeyRef:
name: *secret
key: DATABASE_URL
PUSH_ENABLED: true
PUSH_INSTALLATION_ID:
PUSH_INSTALLATION_KEY:
PUSH_RELAY_URI: https://api.bitwarden.eu
PUSH_IDENTITY_URI: https://identity.bitwarden.eu
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities: { drop: ["ALL"] }
resources:
requests:
cpu: 100m
memory: 100Mi
limits:
memory: 2Gi

defaultPodOptions:
securityContext:
runAsNonRoot: true
runAsUser: 65534
runAsGroup: 65534
fsGroup: 65534
fsGroupChangePolicy: OnRootMismatch
seccompProfile: { type: RuntimeDefault }

service:
type: ClusterIP
httpPort: 80
externalTrafficPolicy: Cluster
app:
controller: *app
ports:
http:
port: &port 80

ingress:
enabled: true
className: external
host: &host vaultwarden.${PUBLIC_DOMAIN}
annotations:
nginx.ingress.kubernetes.io/configuration-snippet: |
more_set_headers "access-control-allow-origin https://vaultwarden.${PUBLIC_DOMAIN}";
external-dns.alpha.kubernetes.io/target: external.${PUBLIC_DOMAIN}
nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
nginx.ingress.kubernetes.io/auth-snippet: |
# Bypass authentication for specific paths
if ($request_uri ~* "^/$") {
return 200;
}
if ($request_uri ~* "^/.*\.js") {
return 200;
}
if ($request_uri ~* "^/#/.*") {
return 200;
}
if ($request_uri ~* "^/#/login") {
return 200;
}
if ($request_uri ~* "^/#/2fa") {
return 200;
}
if ($request_uri ~* "^/#/vault") {
return 200;
}
if ($request_uri ~* "^/api/.*") {
return 200;
}
if ($request_uri ~* "^/images/.*") {
return 200;
}
if ($request_uri ~* "^/identity/.*") {
return 200;
}
if ($request_uri ~* "^/app/.*") {
return 200;
}
if ($request_uri ~* "^/locales/.*") {
return 200;
}
if ($request_uri ~* "^/alive") {
return 200;
}
cert-manager.io/cluster-issuer: zerossl-prod
cert-manager.io/private-key-rotation-policy: Always
cert-manager.io/private-key-algorithm: ECDSA
cert-manager.io/private-key-size: "384"
tls:
- secretName: vaultwarden-tls
hosts:
- *host
app:
enabled: true
className: external
annotations:
external-dns.alpha.kubernetes.io/target: external.${PUBLIC_DOMAIN}
cert-manager.io/cluster-issuer: zerossl-prod
cert-manager.io/private-key-rotation-policy: Always
cert-manager.io/private-key-algorithm: ECDSA
cert-manager.io/private-key-size: "384"
hosts:
- host: &host vaultwarden.${PUBLIC_DOMAIN}
paths:
- path: /
service:
identifier: app
port: *port
tls:
- hosts:
- *host

persistence:
enabled: true
size: 1Gi
accessMode: ReadWriteOnce
storageClass: openebs-zfs-128k

image:
pullPolicy: IfNotPresent
repository: vaultwarden/server

nameOverride: ""
fullnameOverride: ""

serviceAccount:
create: false

deploymentAnnotations: {}
probes: {}
#liveness:
#timeoutSeconds: 1
#periodSeconds: 10
#successThreshold: 1
#failureThreshold: 3
#readiness:
#timeoutSeconds: 1
#periodSeconds: 10
#successThreshold: 1
#failureThreshold: 3

sidecars: []
# - name: sidecar
# image: sidecarimage:1.2.3
# env:
# - name: SIDECAR_END
# value: "sidecar"
# volumeMounts:
# - name: vaultwarden
# mountPath: /data

podSecurityContext:
fsGroup: 65534

securityContext:
runAsUser: 65534
runAsGroup: 65534

strategy: {}

resources: {}

nodeSelector: {}

tolerations: []

affinity: {}
config:
enabled: true
type: persistentVolumeClaim
size: 15Gi
accessMode: ReadWriteOnce
storageClass: openebs-zfs-128k
globalMounts:
- path: /data
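Review bot: `PUSH_ENABLED: true` is followed by bare `PUSH_INSTALLATION_ID:` and `PUSH_INSTALLATION_KEY:`, which YAML reads as null, so the container gets no installation credentials even though the companion externalsecret.yaml change already exposes `INSTALLATION_ID` and `INSTALLATION_KEY` in the `vaultwarden-secret`; vaultwarden, as far as I recall, refuses to start when push is enabled without both values, so they should be wired through `secretKeyRef` like the other secrets in this env block. `SMTP_HOST: smtp-relay.brevo.com.` also carries a trailing dot that the old `host: smtp-relay.brevo.com` did not; confirm it is intentional, since an absolute name can fail TLS hostname matching in some resolvers/clients. The new ingress no longer has the oauth2 `auth-url`/`auth-signin` front door from the old chart values; that is presumably deliberate given the bypass list covered most paths, but it does widen what is reachable on the `external` class before the application's own login, so it deserves a line in the commit message.

```yaml
            PUSH_ENABLED: true
            PUSH_INSTALLATION_ID:
              valueFrom:
                secretKeyRef:
                  name: *secret
                  key: INSTALLATION_ID
            PUSH_INSTALLATION_KEY:
              valueFrom:
                secretKeyRef:
                  name: *secret
                  key: INSTALLATION_KEY
            # … unchanged: PUSH_RELAY_URI / PUSH_IDENTITY_URI …
```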
