From 2cde98435f2e5c803a093eeaeb5f33038b513834 Mon Sep 17 00:00:00 2001 From: ace Date: Mon, 18 Jan 2021 19:38:16 +0300 Subject: [PATCH] use patched helm chart k8s-at-home/bitwardenrs --- .gitignore | 4 +- bitwarden/.helmignore | 2 + bitwarden/Chart.yaml | 31 +-- bitwarden/templates/NOTES.txt | 12 +- bitwarden/templates/_database.tpl | 38 ++++ bitwarden/templates/_helpers.tpl | 61 +++-- bitwarden/templates/configmap.yaml | 60 +++++ bitwarden/templates/deployment.yaml | 158 ++++++++----- bitwarden/templates/hpa.yaml | 32 +++ bitwarden/templates/ingress.yaml | 60 +++-- bitwarden/templates/pvc.yaml | 15 ++ bitwarden/templates/secret.yaml | 11 + bitwarden/templates/service.yaml | 24 +- bitwarden/templates/serviceaccount.yaml | 12 + bitwarden/templates/statefulset.yaml | 136 ++++++++++++ .../templates/tests/test-connection.yaml | 15 ++ bitwarden/values.yaml | 209 +++++++++++++----- 17 files changed, 705 insertions(+), 175 deletions(-) create mode 100644 bitwarden/templates/_database.tpl create mode 100644 bitwarden/templates/configmap.yaml create mode 100644 bitwarden/templates/hpa.yaml create mode 100644 bitwarden/templates/pvc.yaml create mode 100644 bitwarden/templates/secret.yaml create mode 100644 bitwarden/templates/serviceaccount.yaml create mode 100644 bitwarden/templates/statefulset.yaml create mode 100644 bitwarden/templates/tests/test-connection.yaml diff --git a/.gitignore b/.gitignore index 99e6073..e382ff4 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -*.yaml -*.yml +/*.yaml +/*.yml diff --git a/bitwarden/.helmignore b/bitwarden/.helmignore index f0c1319..0e8a0eb 100644 --- a/bitwarden/.helmignore +++ b/bitwarden/.helmignore @@ -14,8 +14,10 @@ *.swp *.bak *.tmp +*.orig *~ # Various IDEs .project .idea/ *.tmproj +.vscode/ diff --git a/bitwarden/Chart.yaml b/bitwarden/Chart.yaml index 1fe869e..de98523 100644 --- a/bitwarden/Chart.yaml +++ b/bitwarden/Chart.yaml 
@@ -1,14 +1,19 @@ -apiVersion: v1 -appVersion: "1.0" -description: A Bitwarden Helm chart for Kubernetes -name: bitwarden -version: 0.1.6 -home: https://github.com/dani-garcia/bitwarden_rs -icon: https://raw.githubusercontent.com/bitwarden/brand/master/icons/icon.svg -sources: - - https://github.com/dani-garcia/bitwarden_rs - - https://github.com/cdwv/bitwarden-k8s +apiVersion: v2 +appVersion: 1.18.0 +description: Unofficial Bitwarden compatible server written in Rust +home: https://github.com/k8s-at-home/charts/tree/master/charts/bitwardenrs +icon: https://raw.githubusercontent.com/bitwarden/brand/master/icons/256x256.png +keywords: +- bitwarden +- bitwardenrs +- bitwarden_rs +- password +- rust maintainers: - - name: CodeWave - email: hello@codewave.eu - url: https://codewave.eu +- email: nick@cajun.pro + name: DirtyCajunRice +name: bitwarden +sources: +- https://github.com/dani-garcia/bitwarden_rs +type: application +version: 2.0.1 diff --git a/bitwarden/templates/NOTES.txt b/bitwarden/templates/NOTES.txt index 08cafda..3133035 100644 --- a/bitwarden/templates/NOTES.txt +++ b/bitwarden/templates/NOTES.txt @@ -1,7 +1,9 @@ 1. Get the application URL by running these commands: {{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http{{ if $.Values.ingress.tls }}s{{ end }}://{{ . }}{{ $.Values.ingress.path }} +{{- range $host := .Values.ingress.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }} + {{- end }} {{- end }} {{- else if contains "NodePort" .Values.service.type }} export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "bitwarden.fullname" . }}) 
@@ -9,11 +11,11 @@ echo http://$NODE_IP:$NODE_PORT {{- else if contains "LoadBalancer" .Values.service.type }} NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "bitwarden.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "bitwarden.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "bitwarden.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "bitwarden.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") echo http://$SERVICE_IP:{{ .Values.service.port }} {{- else if contains "ClusterIP" .Values.service.type }} export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "bitwarden.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:80 + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:80 {{- end }} diff --git a/bitwarden/templates/_database.tpl b/bitwarden/templates/_database.tpl new file mode 100644 index 0000000..3445a27 --- /dev/null +++ b/bitwarden/templates/_database.tpl 
@@ -0,0 +1,38 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Generate environment variables for external database
+*/}}
+{{- define "bitwarden.externalDatabaseConfigMap" -}}
+{{- with .Values.bitwarden.externalDatabase }}
+{{- if and .enabled (or (eq .type "postgresql") (eq .type "mysql")) }}
+{{- if and (not .existingSecret.enabled) .user }}
+DATABASE_USER: {{ .user | quote }}
+{{- end }}
+{{- if and (not .existingSecret.enabled) .password }}
+DATABASE_PASSWORD: {{ .password | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "bitwarden.externalDatabaseEnv" -}}
+{{- with .Values.bitwarden.externalDatabase }}
+{{- if and .enabled (or (eq .type "postgresql") (eq .type "mysql")) }}
+{{- if .existingSecret.enabled }}
+- name: DATABASE_USER
+ valueFrom:
+ secretKeyRef:
+ name: {{ .existingSecret.name | quote }}
+ key: {{ .existingSecret.userKey | quote }}
+- name: DATABASE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .existingSecret.name | quote }}
+ key: {{ .existingSecret.passwordKey | quote }}
+{{- end }}
+{{- $dbport := not (empty .port) | ternary (printf ":%v" .port) "" }}
+- name: DATABASE_URL
+ value: {{ printf "%v://$(DATABASE_USER):$(DATABASE_PASSWORD)@%v%v/%v" .type .host $dbport .database }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/bitwarden/templates/_helpers.tpl b/bitwarden/templates/_helpers.tpl
index 28224a3..59c26c9 100644
--- a/bitwarden/templates/_helpers.tpl
+++ b/bitwarden/templates/_helpers.tpl
@@ -3,8 +3,8 @@ Expand the name of the chart. */}} {{- define "bitwarden.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} {{/* Create a default fully qualified app name.
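Review bot: `bitwarden.externalDatabaseConfigMap` writes `DATABASE_USER` and `DATABASE_PASSWORD` into the ConfigMap whenever `existingSecret.enabled` is false, so inline database credentials land in a non-Secret object readable by anyone who can `get configmaps` in the namespace; configmap.yaml applies the same pattern to `SMTP_PASSWORD` and `YUBICO_SECRET_KEY`. Rendering inline credentials into the chart's own Secret (secret.yaml) and referencing them through `secretKeyRef`, as the existingSecret branch of `bitwarden.externalDatabaseEnv` already does, keeps them out of the ConfigMap. Separately, the value on the `- name: DATABASE_URL` line is emitted unquoted; `value: {{ printf "%v://$(DATABASE_USER):$(DATABASE_PASSWORD)@%v%v/%v" .type .host $dbport .database | quote }}` keeps a host or database name containing ` #` or `: ` from breaking the rendered YAML.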
@@ -12,21 +12,52 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this If release name contains chart name it will be used as a full name. */}} {{- define "bitwarden.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} {{/* Create chart name and version as used by the chart label. */}} {{- define "bitwarden.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "bitwarden.labels" -}} +helm.sh/chart: {{ include "bitwarden.chart" . }} +{{ include "bitwarden.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "bitwarden.selectorLabels" -}} +app.kubernetes.io/name: {{ include "bitwarden.name" . 
}} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "bitwarden.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "bitwarden.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} diff --git a/bitwarden/templates/configmap.yaml b/bitwarden/templates/configmap.yaml new file mode 100644 index 0000000..4137b5e --- /dev/null +++ b/bitwarden/templates/configmap.yaml 
@@ -0,0 +1,60 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "bitwarden.fullname" . }}
+ labels:
+ {{- include "bitwarden.labels" . | nindent 4 }}
+data:
+ SIGNUPS_ALLOWED: {{ .Values.bitwarden.signupsAllowed | quote }}
+ INVITATIONS_ALLOWED: {{ .Values.bitwarden.invitationsAllowed | quote }}
+ {{- if .Values.bitwarden.domain }}
+ DOMAIN: {{ .Values.bitwarden.domain | quote }}
+ {{- end }}
+ WEBSOCKET_ENABLED: {{ .Values.bitwarden.websockets.enabled | quote }}
+ {{- if and .Values.bitwarden.admin.enabled .Values.bitwarden.admin.disableAdminToken }}
+ DISABLE_ADMIN_TOKEN: "true"
+ {{- end }}
+ {{- with .Values.bitwarden.smtp }}
+ {{- if .enabled }}
+ SMTP_HOST: {{ required "SMTP host is required to enable SMTP" .host | quote }}
+ SMTP_FROM: {{ required "SMTP sender address ('from') is required to enable SMTP" .from | quote }}
+ {{- if .fromName }}
+ SMTP_FROM_NAME: {{ .fromName | quote }}
+ {{- end }}
+ {{- if .ssl }}
+ SMTP_SSL: {{ .ssl | quote }}
+ {{- end }}
+ {{- if .explicitTLS }}
+ SMTP_EXPLICIT_TLS: {{ .explicitTLS | quote }}
+ {{- end }}
+ {{- if .port }}
+ SMTP_PORT: {{ .port | quote }}
+ {{- end }}
+ {{- if .timeout }}
+ SMTP_TIMEOUT: {{ .timeout | quote }}
+ {{- end }}
+ {{- if and (not .existingSecret.enabled) .user }}
+ SMTP_USERNAME: {{ .user | quote }}
+ {{- end }}
+ {{- if and (not .existingSecret.enabled) .password }}
+ SMTP_PASSWORD: {{ .password | quote }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- with .Values.bitwarden.yubico }}
+ {{- if .enabled }}
+ {{- if .server }}
+ YUBICO_SERVER: {{ .server | quote }}
+ {{- end }}
+ {{- if and (not .existingSecret.enabled) .clientId }}
+ YUBICO_CLIENT_ID: {{ .clientId | quote }}
+ {{- end }}
+ {{- if and (not .existingSecret.enabled) .secretKey }}
+ YUBICO_SECRET_KEY: {{ .secretKey | quote }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- include "bitwarden.externalDatabaseConfigMap" . | nindent 2 }}
+ {{- if .Values.env }}
+ {{- toYaml .Values.env | nindent 2 }}
+ {{- end }}
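Review bot: The `{{- if .ssl }}` and `{{- if .explicitTLS }}` guards around `SMTP_SSL` and `SMTP_EXPLICIT_TLS` drop the variable entirely when a user sets the value to `false`, so the server falls back to its own default and neither setting can be switched off from values.yaml. Testing for key presence instead of truthiness, e.g. `{{- if hasKey . "ssl" }}`, or simply emitting `SMTP_SSL: {{ .ssl | quote }}` unconditionally inside the `{{- if .enabled }}` block, lets both values round-trip. The same truthiness guard on `.port` and `.timeout` is harmless, since zero is not a usable value for either.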
diff --git a/bitwarden/templates/deployment.yaml b/bitwarden/templates/deployment.yaml index 585590c..fad7779 100644 --- a/bitwarden/templates/deployment.yaml +++ b/bitwarden/templates/deployment.yaml 
@@ -1,49 +1,102 @@ +{{- if eq .Values.persistence.type "deployment" }} + {{- $fullName := include "bitwarden.fullname" . -}} apiVersion: apps/v1 kind: Deployment metadata: - name: {{ include "bitwarden.fullname" . }} - {{- if .Values.deploymentAnnotations }} - annotations: - {{- range $key, $value := .Values.deploymentAnnotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} - {{- end }} + name: {{ $fullName }} labels: - app.kubernetes.io/name: {{ include "bitwarden.name" . }} - helm.sh/chart: {{ include "bitwarden.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- include "bitwarden.labels" . | nindent 4 }} spec: + {{- if not .Values.autoscaling.enabled }} replicas: {{ .Values.replicaCount }} + {{- end }} selector: matchLabels: - app.kubernetes.io/name: {{ include "bitwarden.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} + {{- include "bitwarden.selectorLabels" . | nindent 6 }} template: metadata: - labels: - app.kubernetes.io/name: {{ include "bitwarden.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.podAnnotations }} annotations: -{{- if .Values.podAnnotations }} -{{ toYaml .Values.podAnnotations | indent 8 }} -{{- end }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "bitwarden.selectorLabels" . | nindent 8 }} spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "bitwarden.serviceAccountName" . }} + {{- with .Values.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} containers: - - name: {{ .Chart.Name }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + - name: {{ $fullName }} + {{- with .Values.securityContext }} + securityContext: + {{- toYaml . 
| nindent 12 }} + {{- end }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} - resources: -{{ toYaml .Values.resources | indent 12 }} + envFrom: + - configMapRef: + name: {{ $fullName }} env: - {{- range $key, $val := .Values.env }} - - name: {{ $key }} - value: {{ $val | quote }} - {{- end}} + {{- with .Values.bitwarden.admin }} + {{- if and .enabled (not .disableAdminToken) }} + - name: ADMIN_TOKEN + valueFrom: + secretKeyRef: + {{- if .existingSecret.enabled }} + name: {{ .existingSecret.name | quote }} + key: {{ .existingSecret.tokenKey | quote }} + {{- else }} + name: {{ $fullName }} + key: admin-token + {{- end }} + {{- end }} + {{- end }} + {{- with .Values.bitwarden.smtp }} + {{- if eq .enabled true }} + {{- if and .existingSecret.enabled (not .user) }} + - name: SMTP_USERNAME + valueFrom: + secretKeyRef: + name: {{ .existingSecret.name | quote }} + key: {{ .existingSecret.userKey | quote }} + - name: SMTP_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .existingSecret.name | quote }} + key: {{ .existingSecret.passwordKey | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- with .Values.bitwarden.yubico }} + {{- if and .enabled .existingSecret.enabled }} + - name: YUBICO_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .existingSecret.name | quote }} + key: {{ .existingSecret.clientIdKey | quote }} + - name: YUBICO_SECRET_KEY + valueFrom: + secretKeyRef: + name: {{ .existingSecret.name | quote }} + key: {{ .existingSecret.secretKeyKey | quote }} + {{- end }} + {{- end }} + {{- include "bitwarden.externalDatabaseEnv" . | nindent 12 }} ports: - name: http - containerPort: 80 + containerPort: {{ .Values.bitwarden.gui.port }} protocol: TCP + {{- if .Values.bitwarden.websockets.enabled }} + - name: websocket + containerPort: {{ .Values.bitwarden.websockets.port }} + protocol: TCP + {{- end }} livenessProbe: httpGet: path: / 
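Review bot: The SMTP block under `{{- with .Values.bitwarden.smtp }}` renders the `secretKeyRef` entries only when `existingSecret.enabled` is true and `.user` is empty, while configmap.yaml renders `SMTP_USERNAME`/`SMTP_PASSWORD` only when `existingSecret.enabled` is false; with `existingSecret.enabled: true` and a `user` also set, neither file emits credentials and the server is left to authenticate anonymously. Dropping `(not .user)` so the condition reads `{{- if .existingSecret.enabled }}` lets the secret take precedence, matching how the admin and yubico blocks in this hunk behave; the same block is duplicated in statefulset.yaml. `{{- if eq .enabled true }}` is also the only strict `eq` test in the chart; `{{- if .enabled }}` matches the rest. The Deployment's pod spec continues past the end of this hunk.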
@@ -52,30 +105,31 @@ spec: httpGet: path: / port: http + {{- with .Values.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} volumeMounts: - - name: data - mountPath: /data - {{- if .Values.image.pullSecrets }} - imagePullSecrets: - - name: {{ .Values.image.pullSecrets }} + - name: {{ include "bitwarden.fullname" . }} + mountPath: /data + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} {{- end }} volumes: - - name: data - {{- if .Values.persistence.enabled }} - persistentVolumeClaim: - claimName: {{ if .Values.persistence.existingClaim }}{{ .Values.persistence.existingClaim }}{{- else }}{{ template "bitwarden.fullname" . }}{{- end }} - {{- else }} - emptyDir: {} - {{- end }} - {{- with .Values.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} + - name: {{ include "bitwarden.fullname" . }} + {{- if .Values.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ if .Values.persistence.existingClaim }}{{ .Values.persistence.existingClaim | quote }}{{- else }}{{ include "bitwarden.fullname" . }}{{- end }} + {{- else }} + emptyDir: {} + {{- end }} + {{- end }} \ No newline at end of file diff --git a/bitwarden/templates/hpa.yaml b/bitwarden/templates/hpa.yaml new file mode 100644 index 0000000..6ba3bb6 --- /dev/null +++ b/bitwarden/templates/hpa.yaml 
@@ -0,0 +1,32 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "bitwarden.fullname" . }}
+ labels:
+ {{- include "bitwarden.labels" . | nindent 4 }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ {{- if eq .Values.persistence.type "statefulset" }}
+ kind: StatefulSet
+ {{- else }}
+ kind: Deployment
+ {{- end }}
+ name: {{ include "bitwarden.fullname" . }}
+ minReplicas: {{ .Values.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+ metrics:
+ {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+ {{- end }}
+ {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ {{- end }}
+{{- end }}
diff --git a/bitwarden/templates/ingress.yaml b/bitwarden/templates/ingress.yaml
index d19f9ab..421a2fc 100644
--- a/bitwarden/templates/ingress.yaml
+++ b/bitwarden/templates/ingress.yaml
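Review bot: Enabling this HorizontalPodAutoscaler scales the workload up to `maxReplicas` (100 in values.yaml) while deployment.yaml and statefulset.yaml both mount one shared `/data` volume from a single claim, so every replica would open the same SQLite database file, which the default backend does not support for concurrent writers. A comment on `autoscaling.enabled` in values.yaml stating that more than one replica needs `bitwarden.externalDatabase` plus a `ReadWriteMany` claim (or `volumeClaimTemplates` in the StatefulSet) would make that constraint visible; a `required` check in this template guarding on `externalDatabase.enabled` is another option. `autoscaling/v2beta1` is the deprecated API group, presumably chosen for older clusters.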
@@ -1,38 +1,52 @@ {{- if .Values.ingress.enabled -}} {{- $fullName := include "bitwarden.fullname" . -}} -{{- $ingressPath := .Values.ingress.path -}} +{{- $svcPort := .Values.service.port -}} +{{- $websockets := .Values.bitwarden.websockets -}} +{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1beta1 +{{- else -}} apiVersion: extensions/v1beta1 +{{- end }} kind: Ingress metadata: name: {{ $fullName }} labels: - app.kubernetes.io/name: {{ include "bitwarden.name" . }} - helm.sh/chart: {{ include "bitwarden.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- with .Values.ingress.annotations }} + {{- include "bitwarden.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} annotations: -{{ toYaml . | indent 4 }} -{{- end }} -spec: -{{- if .Values.ingress.tls }} - tls: - {{- range .Values.ingress.tls }} - - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - secretName: {{ .secretName }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} {{- end }} -{{- end }} rules: - {{- range .Values.ingress.hosts }} - - host: {{ . | quote }} + {{- range .Values.ingress.hosts }} + - host: {{ .host | quote }} http: paths: - - path: {{ $ingressPath }} + {{- range .paths }} + - path: {{ . }} backend: serviceName: {{ $fullName }} - servicePort: http + servicePort: {{ $svcPort }} + {{- if $websockets.enabled }} + - path: {{ . | trimSuffix "/" }}/notifications/hub + backend: + serviceName: {{ $fullName }} + servicePort: {{ $websockets.port }} + - path: {{ . | trimSuffix "/" }}/notifications/hub/negotiate + backend: + serviceName: {{ $fullName }} + servicePort: {{ $svcPort}} + {{- end }} + {{- end }} + {{- end }} {{- end }} -{{- end }} 
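Review bot: The `- path: {{ . }}` entries render the user-supplied path unquoted, so a path containing ` #` or starting with a YAML indicator breaks the manifest; `- path: {{ . | quote }}` fixes it, and the two `trimSuffix "/"` variants below it should be quoted the same way. `servicePort: {{ $svcPort}}` is missing the closing space every other action uses. With `ingress.tls` now defaulting to `[]`, the generated rules serve the vault over plain HTTP until the operator adds TLS; a comment on `ingress.tls` in values.yaml noting that the web vault needs an HTTPS origin would spare a confusing first deployment.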
diff --git a/bitwarden/templates/pvc.yaml b/bitwarden/templates/pvc.yaml
new file mode 100644
index 0000000..dbc3e5f
--- /dev/null
+++ b/bitwarden/templates/pvc.yaml
@@ -0,0 +1,15 @@
+{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: {{ include "bitwarden.fullname" . }}
+spec:
+ accessModes:
+ - {{ .Values.persistence.accessMode | quote }}
+ resources:
+ requests:
+ storage: {{ .Values.persistence.size | quote }}
+ {{- if .Values.persistence.storageClass }}
+ storageClassName: {{ .Values.persistence.storageClass | quote }}
+ {{- end }}
+ {{- end -}}
diff --git a/bitwarden/templates/secret.yaml b/bitwarden/templates/secret.yaml
new file mode 100644
index 0000000..7790609
--- /dev/null
+++ b/bitwarden/templates/secret.yaml
@@ -0,0 +1,11 @@
+{{- if not .Values.bitwarden.admin.existingSecret.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "bitwarden.fullname" . }}
+ labels:
+ {{- include "bitwarden.labels" . | nindent 4 }}
+type: Opaque
+data:
+ admin-token: {{ randAlphaNum 48 | b64enc | quote }}
+ {{- end }}
\ No newline at end of file
diff --git a/bitwarden/templates/service.yaml b/bitwarden/templates/service.yaml
index 29e228b..120c320 100644
--- a/bitwarden/templates/service.yaml
+++ b/bitwarden/templates/service.yaml
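Review bot: The PersistentVolumeClaim is the only object in this change whose `metadata:` carries no `labels:`; adding `labels:` followed by `{{- include "bitwarden.labels" . | nindent 4 }}` keeps it selectable alongside the other resources. The closing `{{- end -}}` is indented under `spec:` as though it belonged to the `storageClass` block; the trim markers make it work, but placing it at column 0 like the other templates reads correctly at a glance.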
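Review bot: `admin-token: {{ randAlphaNum 48 | b64enc | quote }}` draws a fresh token on every `helm upgrade`, so the admin page credential changes with each release and any value an operator has stored goes stale. Reusing the value from the existing Secret through `lookup` and only falling back to `randAlphaNum` on first install keeps it stable (`lookup` needs Helm 3.1 or later and returns an empty map under `helm template`, which still yields a random token). The Secret is also rendered whenever `admin.existingSecret.enabled` is false, even with `admin.enabled: false`, so a token nobody consumes is created by default; adding `.Values.bitwarden.admin.enabled` to the outer `if` avoids that.
```yaml
# … unchanged: apiVersion, kind, metadata, type …
data:
  {{- $existing := lookup "v1" "Secret" .Release.Namespace (include "bitwarden.fullname" .) }}
  {{- if $existing }}
  admin-token: {{ index $existing.data "admin-token" | quote }}
  {{- else }}
  admin-token: {{ randAlphaNum 48 | b64enc | quote }}
  {{- end }}
```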
@@ -3,20 +3,26 @@ kind: Service metadata: name: {{ include "bitwarden.fullname" . }} labels: - app.kubernetes.io/name: {{ include "bitwarden.name" . }} - helm.sh/chart: {{ include "bitwarden.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- include "bitwarden.labels" . | nindent 4 }} + {{- with .Values.service.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} spec: type: {{ .Values.service.type }} -{{- if .Values.service.loadBalancerIP }} - loadBalancerIP: {{ .Values.service.loadBalancerIP }} -{{- end }} ports: - port: {{ .Values.service.port }} targetPort: http protocol: TCP name: http + {{- if .Values.bitwarden.websockets.enabled }} + - port: {{ .Values.bitwarden.websockets.port }} + targetPort: websocket + protocol: TCP + name: websocket + {{- end }} + {{- with .Values.service.additionalSpec }} + {{- toYaml . | nindent 2 }} + {{- end }} selector: - app.kubernetes.io/name: {{ include "bitwarden.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} + {{- include "bitwarden.selectorLabels" . | nindent 4 }} diff --git a/bitwarden/templates/serviceaccount.yaml b/bitwarden/templates/serviceaccount.yaml new file mode 100644 index 0000000..aac6974 --- /dev/null +++ b/bitwarden/templates/serviceaccount.yaml @@ -0,0 +1,12 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "bitwarden.serviceAccountName" . }} + labels: + {{- include "bitwarden.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/bitwarden/templates/statefulset.yaml b/bitwarden/templates/statefulset.yaml new file mode 100644 index 0000000..5af9495 --- /dev/null +++ b/bitwarden/templates/statefulset.yaml 
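Review bot: values.yaml now declares `service.labels: {}` but nothing in this template renders it, so labels set there are silently ignored; either render it under `labels:` with `{{- with .Values.service.labels }}{{- toYaml . | nindent 4 }}{{- end }}` or drop the key from values.yaml. Removing `loadBalancerIP` in favour of `additionalSpec` is a breaking change for existing users and deserves a line in the chart's upgrade notes.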
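Review bot: The ServiceAccount is created by default (`serviceAccount.create: true` in values.yaml) and its token is mounted into the pod automatically, although nothing in the chart needs Kubernetes API access. Adding `automountServiceAccountToken: false` at the top level of this manifest, and in the pod spec of deployment.yaml and statefulset.yaml, keeps an API credential out of a container that terminates untrusted network traffic; a `serviceAccount.automountToken` value could expose it for users who do need it.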
@@ -0,0 +1,136 @@
+{{- if eq .Values.persistence.type "statefulset" }}
+ {{- $fullName := include "bitwarden.fullname" . -}}
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: {{ $fullName }}
+ labels:
+ {{- include "bitwarden.labels" . | nindent 4 }}
+spec:
+ {{- if not .Values.autoscaling.enabled }}
+ replicas: {{ .Values.replicaCount }}
+ {{- end }}
+ selector:
+ matchLabels:
+ {{- include "bitwarden.selectorLabels" . | nindent 6 }}
+ serviceName: {{ $fullName }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "bitwarden.selectorLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "bitwarden.serviceAccountName" . }}
+ {{- with .Values.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: {{ $fullName }}
+ {{- with .Values.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ envFrom:
+ - configMapRef:
+ name: {{ $fullName }}
+ env:
+ {{- with .Values.bitwarden.admin }}
+ {{- if and .enabled (not .disableAdminToken) }}
+ - name: ADMIN_TOKEN
+ valueFrom:
+ secretKeyRef:
+ {{- if .existingSecret.enabled }}
+ name: {{ .existingSecret.name | quote }}
+ key: {{ .existingSecret.tokenKey | quote }}
+ {{- else }}
+ name: {{ $fullName }}
+ key: admin-token
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- with .Values.bitwarden.smtp }}
+ {{- if eq .enabled true }}
+ {{- if and .existingSecret.enabled (not .user) }}
+ - name: SMTP_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ .existingSecret.name | quote }}
+ key: {{ .existingSecret.userKey | quote }}
+ - name: SMTP_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .existingSecret.name | quote }}
+ key: {{ .existingSecret.passwordKey | quote }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- with .Values.bitwarden.yubico }}
+ {{- if and .enabled .existingSecret.enabled }}
+ - name: YUBICO_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: {{ .existingSecret.name | quote }}
+ key: {{ .existingSecret.clientIdKey | quote }}
+ - name: YUBICO_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ .existingSecret.name | quote }}
+ key: {{ .existingSecret.secretKeyKey | quote }}
+ {{- end }}
+ {{- end }}
+ {{- include "bitwarden.externalDatabaseEnv" . | nindent 12 }}
+ ports:
+ - name: http
+ containerPort: {{ .Values.bitwarden.gui.port }}
+ protocol: TCP
+ {{- if .Values.bitwarden.websockets.enabled }}
+ - name: websocket
+ containerPort: {{ .Values.bitwarden.websockets.port }}
+ protocol: TCP
+ {{- end }}
+ livenessProbe:
+ httpGet:
+ path: /
+ port: http
+ readinessProbe:
+ httpGet:
+ path: /
+ port: http
+ {{- with .Values.resources }}
+ resources:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ volumeMounts:
+ - name: {{ include "bitwarden.fullname" . }}
+ mountPath: /data
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ volumes:
+ - name: {{ include "bitwarden.fullname" . }}
+ {{- if .Values.persistence.enabled }}
+ persistentVolumeClaim:
+ claimName: {{ if .Values.persistence.existingClaim }}{{ .Values.persistence.existingClaim | quote }}{{- else }}{{ include "bitwarden.fullname" . }}{{- end }}
+ {{- else }}
+ emptyDir: {}
+ {{- end }}
+ {{- end }}
diff --git a/bitwarden/templates/tests/test-connection.yaml b/bitwarden/templates/tests/test-connection.yaml
new file mode 100644
index 0000000..6ef602c
--- /dev/null
+++ b/bitwarden/templates/tests/test-connection.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "bitwarden.fullname" . }}-test-connection"
+ labels:
+ {{- include "bitwarden.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": test-success
+spec:
+ containers:
+ - name: wget
+ image: busybox
+ command: ['wget']
+ args: ['{{ include "bitwarden.fullname" . }}:{{ .Values.service.port }}']
+ restartPolicy: Never
diff --git a/bitwarden/values.yaml b/bitwarden/values.yaml
index 0c22735..2f6d212 100644
--- a/bitwarden/values.yaml
+++ b/bitwarden/values.yaml
@@ -1,59 +1,161 @@ -# Default values for bitwarden. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. +# Default values for bitwardenrs. replicaCount: 1 image: repository: bitwardenrs/server - tag: 1.18.0 pullPolicy: IfNotPresent - # imagePullSecrets for accessing private registries - # pullSecrets: regcred - -env: - SIGNUPS_ALLOWED: true - INVITATIONS_ALLOWED: true - # SERVER_ADMIN_EMAIL - # DOMAIN - # YUBICO_CLIENT_ID - # YUBICO_SECRET_KEY - # DATA_FOLDER - # DATABASE_URL - # ATTACHMENTS_FOLDER - # ICON_CACHE_FOLDER - # ROCKET_LIMITS - # ROCKET_WORKERS - # SMTP_HOST - # SMTP_FROM - # SMTP_PORT - # SMTP_SSL - # SMTP_EXPLICIT_TLS - # SMTP_USERNAME - # SMTP_PASSWORD - # SHOW_PASSWORD_HINT - # WEB_VAULT_ENABLED + tag: "1.18.0" +imagePullSecrets: [] nameOverride: "" fullnameOverride: "" +bitwarden: + domain: "" + signupsAllowed: true + invitationsAllowed: true + gui: + # If you set a different port here, you must also provide it under env + port: 80 + websockets: + enabled: true + port: 3012 + admin: + enabled: false + disableAdminToken: true + existingSecret: + enabled: false + name: "" + tokenKey: "" + # External database configuration. + # Requires bitwardenrs/server >= 1.17.0 or bitwardenrs/server-{mysql,postgres} images + # ref: https://github.com/dani-garcia/bitwarden_rs/wiki/Using-the-MySQL-Backend + # https://github.com/dani-garcia/bitwarden_rs/wiki/Using-the-PostgreSQL-Backend + externalDatabase: + enabled: false + # Supported values: 'mysql', 'postgresql'. + type: "" + # Database host. Required if external database is enabled. + host: "" + # Database port. Optional, default value is specific to the database backend. + port: "" + # Database name. + database: "" + # Database user. + user: "" + # Database password. Special characters must be escaped with percent encoding. + password: "" + # Use existing secret for database credentials. 
+ existingSecret: + enabled: false + name: "" + userKey: "" + # Special characters in the password value must be escaped with percent encoding. + passwordKey: "" + # Enable SMTP. https://github.com/dani-garcia/bitwarden_rs/wiki/SMTP-configuration + smtp: + enabled: false + # SMTP hostname, required if SMTP is enabled + host: "" + # SMTP sender e-mail address, required if SMTP is enabled + from: "" + # SMTP sender name, defaults to 'Bitwarden_RS' + fromName: "" + # Enable SSL connection + ssl: true + # Explicit TLS + explicitTLS: true + # SMTP port + port: 465 + # Timeout + timeout: 120 + # SMTP username + user: "" + # SMTP password. Required is user is specified, ignored if no user provided + password: "" + # Use existing secret for SMTP authentication + existingSecret: + enabled: false + name: "" + userKey: "" + passwordKey: "" + # Enable Yubikey 2FA: https://github.com/dani-garcia/bitwarden_rs/wiki/Enabling-Yubikey-OTP-authentication + yubico: + enabled: false + # OTP verification server. Will use the default YubiCloud servers if not specified + server: "" + # API Client ID for OTP server. Ignored if existingSecret is provided. + clientId: "" + # API Secret Key for OTP server. Required if clientId is specified, ignored when using existingSecret. + secretKey: "" + # Use existing secret for API keys + existingSecret: + enabled: false + name: "" + clientIdKey: "" + secretKeyKey: "" + +env: {} +# If you plan to run the WebUI on a port other than port 80, specify that here: +# For example, if running the container as a non-root user. +# ROCKET_PORT: "80" + +persistence: + type: statefulset + enabled: false + size: 1Gi + accessMode: ReadWriteOnce + ## Persistent Volume storage class + # storageClass: "-" + ## Use existing Persistent Volume Claim + # existingClaim: + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. 
+ # If not set and create is true, a name is generated using the fullname template + name: "" + +podAnnotations: {} + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + service: type: ClusterIP port: 80 - loadBalancerIP: "" + ## Provide any additional annotations which may be required. This can be used to + ## set the LoadBalancer service type to internal only. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + annotations: {} + labels: {} + additionalSpec: {} ingress: - enabled: true - annotations: - kubernetes.io/ingress.class: nginx - kubernetes.io/tls-acme: "true" - path: / + enabled: false + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" hosts: - - bitwarden.example - tls: - - secretName: bitwarden-tls - hosts: - - bitwarden.example + - host: chart-example.local + paths: [] + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local resources: {} # We usually recommend not to specify default resources and to leave this as a conscious @@ -61,26 +163,21 @@ resources: {} # resources, such as Minikube. If you do want to specify resources, uncomment the following # lines, adjust them as necessary, and remove the curly braces after 'resources:'. # limits: - # cpu: 100m - # memory: 128Mi + # cpu: 100m + # memory: 128Mi # requests: - # cpu: 100m - # memory: 128Mi + # cpu: 100m + # memory: 128Mi + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 nodeSelector: {} tolerations: [] affinity: {} - -podAnnotations: {} - -deploymentAnnotations: {} - -## Persist data to a persitent volume -persistence: - enabled: false - accessMode: ReadWriteOnce - size: 800Mi - #storageClass: - #existingClaim: "bitwarden-pvc"
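Review bot: `bitwarden.admin.disableAdminToken` defaults to `true`, so as soon as someone sets `admin.enabled: true` the ConfigMap renders `DISABLE_ADMIN_TOKEN: "true"` and the `/admin` page is reachable without any authentication; the upstream documentation describes that setting as meant for deployments with a separate authentication layer in front. Defaulting it to `false`, which makes the chart generate or reference an `ADMIN_TOKEN`, is the safer starting point, with a comment such as `# Only set to true when /admin is protected by external authentication (e.g. a reverse proxy).` `persistence.enabled: false` combined with `type: statefulset` likewise yields an `emptyDir`, so the vault database is lost on every pod restart; a comment on `persistence.enabled` saying so would help. The comment `# SMTP password. Required is user is specified` should read `Required if user is specified`.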