diff --git a/kubernetes/main/apps/vaultwarden/app/externalsecret.yaml b/kubernetes/main/apps/vaultwarden/app/externalsecret.yaml
index ec762d27a..64d7fcb02 100644
--- a/kubernetes/main/apps/vaultwarden/app/externalsecret.yaml
+++ b/kubernetes/main/apps/vaultwarden/app/externalsecret.yaml
@@ -13,16 +13,18 @@ spec:
 template:
 engineVersion: v2
 data:
- admin-token: "{{ .VAULTWARDEN_ADMIN_TOKEN }}"
- VAULTWARDEN_DATABASE_URI: "{{ .VAULTWARDEN_DATABASE_URI }}"
- smtp-user: "{{ .SMTP_USERNAME }}"
- smtp-password: "{{ .SMTP_VAULTWARDEN_PASS }}"
+ ADMIN_TOKEN: "{{ .VAULTWARDEN_ADMIN_TOKEN }}"
+ DATABASE_URL: "{{ .VAULTWARDEN_DATABASE_URI }}"
+ SMTP_USERNAME: "{{ .SMTP_USERNAME }}"
+ SMTP_PASSWORD: "{{ .SMTP_VAULTWARDEN_PASS }}"
 SMTP_SENDER: "{{ .SMTP_SENDER }}"
 INIT_POSTGRES_DBNAME: vaultwarden
 INIT_POSTGRES_HOST: postgres17-rw.database.svc.cluster.local
 INIT_POSTGRES_USER: "{{ .VAULTWARDEN_POSTGRESS_USER }}"
 INIT_POSTGRES_PASS: "{{ .VAULTWARDEN_POSTGRES_PASS }}"
 INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
+ INSTALLATION_ID: "{{ .VAULTWARDEN_INSTALLATION_ID }}"
+ INSTALLATION_KEY: "{{ .VAULTWARDEN_INSTALLATION_KEY }}"
 dataFrom:
 - extract:
 key: secrets/vaultwarden
diff --git a/kubernetes/main/apps/vaultwarden/app/helmrelease.yaml b/kubernetes/main/apps/vaultwarden/app/helmrelease.yaml
index 7d3b6bbfa..c3808a7c6 100644
--- a/kubernetes/main/apps/vaultwarden/app/helmrelease.yaml
+++ b/kubernetes/main/apps/vaultwarden/app/helmrelease.yaml
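Review bot: The two new keys are rendered as `INSTALLATION_ID` / `INSTALLATION_KEY`, whereas every other key touched in this hunk was renamed to match the Vaultwarden environment variable it feeds (`ADMIN_TOKEN`, `DATABASE_URL`, `SMTP_USERNAME`, `SMTP_PASSWORD`); naming them `PUSH_INSTALLATION_ID` / `PUSH_INSTALLATION_KEY` would keep that convention and make the `secretKeyRef` wiring in the HelmRelease a one-to-one lookup. Whichever name is kept, nothing in the HelmRelease of this commit references either key yet, so a comment such as `# consumed by PUSH_INSTALLATION_ID / PUSH_INSTALLATION_KEY in helmrelease.yaml` above the two lines would document the intended consumer and make the dangling reference obvious in review.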
@@ -1,228 +1,163 @@ --- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json +# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: - name: vaultwarden + name: &app vaultwarden + namespace: vaultwarden spec: interval: 30m chart: spec: - chart: vaultwarden - version: 1.2.4 + chart: app-template + version: 3.5.1 sourceRef: kind: HelmRepository - name: vaultwarden + name: bjw-s namespace: flux-system - maxHistory: 3 + maxHistory: 2 install: + createNamespace: true remediation: retries: 3 upgrade: cleanupOnFail: true remediation: + strategy: rollback retries: 3 uninstall: keepHistory: false values: - replicaCount: 1 - database: - type: postgresql - existingSecret: &secret vaultwarden-secret - existingSecretKey: VAULTWARDEN_DATABASE_URI - vaultwarden: - domain: https://vaultwarden.${PUBLIC_DOMAIN} - allowSignups: true - signupDomains: - - ${PUBLIC_DOMAIN} - verifySignup: true - requireEmail: false - emailAttempts: 3 - emailTokenExpiration: 600 - allowInvitation: true - invitationExpiration: 120 - passwordHintsAllowed: true - showPasswordHint: false - defaultInviteName: DarkfellaNET - enableWebVault: true - enableSends: true - orgCreationUsers: all - ## Limit attachment disk usage per organization. - #attachmentLimitOrg: - ## Limit attachment disk usage per user. - #attachmentLimitUser: - ## Limit send disk usage per user. - #sendLimitUser: - ## HaveIBeenPwned API Key. Can be purchased at https://haveibeenpwned.com/API/Key. - #hibpApiKey: - ## Number of days to auto-delete trashed items. By default iteams are not auto-deleted. - #autoDeleteDays: - ## Organization event logging - #orgEvents: false - ## Organization event retation. Leave empty to not delete. - #orgEventsRetention: "" - ## Allow users to change their email. 
- #emailChangeAllowed: true - ## Map of custom environment variables. Use carefully. - #extraEnv: - # IP_HEADER: CF-Connecting-IP - # ALLOWED_IFRAME_ANCESTORS: myintranet.local - # COOL_VARIABLE: - # secretKeyRef: - # name: my-secret - # key: my-secret-key - # ANOTHER_VARIABLE: - # configMapKeyRef: - # name: my-config-map - # key: my-config-map-key - - admin: - enabled: true - disableAdminToken: false - existingSecret: *secret - - emergency: - enabled: true - ## Schedule to send expiration reminders to emergency access grantors. Cron schedule format. - #reminder: "0 3 * * * *" - ## Schedule to grant emergency access requests that have met the required wait time. Cron schedule format. - #timeout: "0 3 * * * *" - - # Enable SMTP. https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration - smtp: - enabled: true - host: smtp-relay.brevo.com - from: noreply@${PUBLIC_DOMAIN} - #fromName: "" - security: starttls - port: 587 - authMechanism: Login - timeout: 15 - invalidHostname: false - invalidCertificate: false - existingSecret: *secret - embedImages: true - - log: - file: "" - level: "" - push: - enabled: false + controllers: + vaultwarden: + annotations: + reloader.stakater.com/auto: "true" + + initContainers: + init-db: + image: + repository: ghcr.io/onedr0p/postgres-init + tag: 16.6@sha256:35353a77777ee8f634d0f3945f495b4a40065134b8619e0d18bd49b0ee9c855b + env: + INIT_POSTGRES_DBNAME: vaultwarden + INIT_POSTGRES_HOST: postgres17-rw.database.svc.cluster.local + INIT_POSTGRES_USER: + valueFrom: + secretKeyRef: + name: &secret vaultwarden-secret + key: INIT_POSTGRES_USER + INIT_POSTGRES_PASS: + valueFrom: + secretKeyRef: + name: *secret + key: INIT_POSTGRES_PASS + INIT_POSTGRES_SUPER_PASS: + valueFrom: + secretKeyRef: + name: *secret + key: INIT_POSTGRES_SUPER_PASS + + containers: + app: + image: + repository: vaultwarden/server + tag: 1.32.5@sha256:84015c9306cc58f4be8b09c1adc62cfc3b2648b1430e9c15901482f3d870bd14 + env: + DATA_FOLDER: data + ICON_CACHE_FOLDER: 
data/icon_cache + ATTACHMENTS_FOLDER: data/attachments + DOMAIN: https://vaultwarden.${PUBLIC_DOMAIN} + TZ: "Europe/Sofia" + EMAIL_CHANGE_ALLOWED: false + SIGNUPS_ALLOWED: false + SIGNUPS_VERIFY: true + SIGNUPS_DOMAINS_WHITELIST: ${PUBLIC_DOMAIN} + ROCKET_ADDRESS: 0.0.0.0 + SMTP_AUTH_MECHANISM: Login + SMTP_HOST: smtp-relay.brevo.com. + SMTP_FROM: noreply@${PUBLIC_DOMAIN} + SMTP_FROM_NAME: vaultwarden + SMTP_PORT: 587 + SMTP_SECURITY: starttls + SMTP_USERNAME: + valueFrom: + secretKeyRef: + name: *secret + key: SMTP_USERNAME + SMTP_PASSWORD: + valueFrom: + secretKeyRef: + name: *secret + key: SMTP_PASSWORD + ADMIN_TOKEN: + valueFrom: + secretKeyRef: + name: *secret + key: ADMIN_TOKEN + DATABASE_URL: + valueFrom: + secretKeyRef: + name: *secret + key: DATABASE_URL + PUSH_ENABLED: true + PUSH_INSTALLATION_ID: + PUSH_INSTALLATION_KEY: + PUSH_RELAY_URI: https://api.bitwarden.eu + PUSH_IDENTITY_URI: https://identity.bitwarden.eu + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: { drop: ["ALL"] } + resources: + requests: + cpu: 100m + memory: 100Mi + limits: + memory: 2Gi + + defaultPodOptions: + securityContext: + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + fsGroup: 65534 + fsGroupChangePolicy: OnRootMismatch + seccompProfile: { type: RuntimeDefault } service: - type: ClusterIP - httpPort: 80 - externalTrafficPolicy: Cluster + app: + controller: *app + ports: + http: + port: &port 80 ingress: - enabled: true - className: external - host: &host vaultwarden.${PUBLIC_DOMAIN} - annotations: - nginx.ingress.kubernetes.io/configuration-snippet: | - more_set_headers "access-control-allow-origin https://vaultwarden.${PUBLIC_DOMAIN}"; - external-dns.alpha.kubernetes.io/target: external.${PUBLIC_DOMAIN} - nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth" - nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri" - nginx.ingress.kubernetes.io/auth-snippet: | - # 
Bypass authentication for specific paths - if ($request_uri ~* "^/$") { - return 200; - } - if ($request_uri ~* "^/.*\.js") { - return 200; - } - if ($request_uri ~* "^/#/.*") { - return 200; - } - if ($request_uri ~* "^/#/login") { - return 200; - } - if ($request_uri ~* "^/#/2fa") { - return 200; - } - if ($request_uri ~* "^/#/vault") { - return 200; - } - if ($request_uri ~* "^/api/.*") { - return 200; - } - if ($request_uri ~* "^/images/.*") { - return 200; - } - if ($request_uri ~* "^/identity/.*") { - return 200; - } - if ($request_uri ~* "^/app/.*") { - return 200; - } - if ($request_uri ~* "^/locales/.*") { - return 200; - } - if ($request_uri ~* "^/alive") { - return 200; - } - cert-manager.io/cluster-issuer: zerossl-prod - cert-manager.io/private-key-rotation-policy: Always - cert-manager.io/private-key-algorithm: ECDSA - cert-manager.io/private-key-size: "384" - tls: - - secretName: vaultwarden-tls - hosts: - - *host + app: + enabled: true + className: external + annotations: + external-dns.alpha.kubernetes.io/target: external.${PUBLIC_DOMAIN} + cert-manager.io/cluster-issuer: zerossl-prod + cert-manager.io/private-key-rotation-policy: Always + cert-manager.io/private-key-algorithm: ECDSA + cert-manager.io/private-key-size: "384" + hosts: + - host: &host vaultwarden.${PUBLIC_DOMAIN} + paths: + - path: / + service: + identifier: app + port: *port + tls: + - hosts: + - *host persistence: - enabled: true - size: 1Gi - accessMode: ReadWriteOnce - storageClass: openebs-zfs-128k - - image: - pullPolicy: IfNotPresent - repository: vaultwarden/server - - nameOverride: "" - fullnameOverride: "" - - serviceAccount: - create: false - - deploymentAnnotations: {} - probes: {} - #liveness: - #timeoutSeconds: 1 - #periodSeconds: 10 - #successThreshold: 1 - #failureThreshold: 3 - #readiness: - #timeoutSeconds: 1 - #periodSeconds: 10 - #successThreshold: 1 - #failureThreshold: 3 - - sidecars: [] - # - name: sidecar - # image: sidecarimage:1.2.3 - # env: - # - name: 
SIDECAR_END - # value: "sidecar" - # volumeMounts: - # - name: vaultwarden - # mountPath: /data - - podSecurityContext: - fsGroup: 65534 - - securityContext: - runAsUser: 65534 - runAsGroup: 65534 - - strategy: {} - - resources: {} - - nodeSelector: {} - - tolerations: [] - - affinity: {} + config: + enabled: true + type: persistentVolumeClaim + size: 15Gi + accessMode: ReadWriteOnce + storageClass: openebs-zfs-128k + globalMounts: + - path: /data
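Review bot: `PUSH_ENABLED: true` is set in the app container env while `PUSH_INSTALLATION_ID:` and `PUSH_INSTALLATION_KEY:` are left as bare empty values (YAML `null`, not `""`), even though the externalsecret in this same commit now renders `INSTALLATION_ID` and `INSTALLATION_KEY` into `vaultwarden-secret`; as far as I recall Vaultwarden's config validation refuses to start when push is enabled with either credential empty, so these should be wired through `secretKeyRef` exactly like `ADMIN_TOKEN` and `SMTP_PASSWORD`, using whatever key name the externalsecret ends up emitting. A second point worth an inline comment: the rewritten ingress serves `/` with no forward-auth annotations (the oauth2-proxy `auth-url` / `auth-signin` pair is gone), so `/admin` is now reachable from the internet guarded only by `ADMIN_TOKEN` — prefer storing an Argon2 PHC hash produced by `vaultwarden hash` instead of the plain token, or restrict `/admin` at the ingress. Also note that `SIGNUPS_DOMAINS_WHITELIST: ${PUBLIC_DOMAIN}` still permits self-registration for addresses on that domain regardless of `SIGNUPS_ALLOWED: false`, which deserves a `# whitelist overrides SIGNUPS_ALLOWED for this domain` comment if that is intended.
```yaml
            PUSH_ENABLED: true
            PUSH_INSTALLATION_ID:
              valueFrom:
                secretKeyRef:
                  name: *secret
                  key: INSTALLATION_ID
            PUSH_INSTALLATION_KEY:
              valueFrom:
                secretKeyRef:
                  name: *secret
                  key: INSTALLATION_KEY
            # … unchanged: PUSH_RELAY_URI / PUSH_IDENTITY_URI …
```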