use patched helm chart k8s-at-home/bitwardenrs

This commit is contained in:
ace 2021-01-18 19:38:16 +03:00
parent c26c7c66b0
commit 2cde98435f
No known key found for this signature in database
GPG Key ID: 2E47CC17BA7F8CF0
17 changed files with 705 additions and 175 deletions

4
.gitignore vendored
View File

@ -1,2 +1,2 @@
*.yaml /*.yaml
*.yml /*.yml

View File

@ -14,8 +14,10 @@
*.swp *.swp
*.bak *.bak
*.tmp *.tmp
*.orig
*~ *~
# Various IDEs # Various IDEs
.project .project
.idea/ .idea/
*.tmproj *.tmproj
.vscode/

View File

@ -1,14 +1,19 @@
apiVersion: v1 apiVersion: v2
appVersion: "1.0" appVersion: 1.18.0
description: A Bitwarden Helm chart for Kubernetes description: Unofficial Bitwarden compatible server written in Rust
name: bitwarden home: https://github.com/k8s-at-home/charts/tree/master/charts/bitwardenrs
version: 0.1.6 icon: https://raw.githubusercontent.com/bitwarden/brand/master/icons/256x256.png
home: https://github.com/dani-garcia/bitwarden_rs keywords:
icon: https://raw.githubusercontent.com/bitwarden/brand/master/icons/icon.svg - bitwarden
sources: - bitwardenrs
- https://github.com/dani-garcia/bitwarden_rs - bitwarden_rs
- https://github.com/cdwv/bitwarden-k8s - password
- rust
maintainers: maintainers:
- name: CodeWave - email: nick@cajun.pro
email: hello@codewave.eu name: DirtyCajunRice
url: https://codewave.eu name: bitwarden
sources:
- https://github.com/dani-garcia/bitwarden_rs
type: application
version: 2.0.1

View File

@ -1,7 +1,9 @@
1. Get the application URL by running these commands: 1. Get the application URL by running these commands:
{{- if .Values.ingress.enabled }} {{- if .Values.ingress.enabled }}
{{- range .Values.ingress.hosts }} {{- range $host := .Values.ingress.hosts }}
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ . }}{{ $.Values.ingress.path }} {{- range .paths }}
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }}
{{- end }}
{{- end }} {{- end }}
{{- else if contains "NodePort" .Values.service.type }} {{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "bitwarden.fullname" . }}) export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "bitwarden.fullname" . }})
@ -9,11 +11,11 @@
echo http://$NODE_IP:$NODE_PORT echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }} {{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available. NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get svc -w {{ include "bitwarden.fullname" . }}' You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "bitwarden.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "bitwarden.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "bitwarden.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
echo http://$SERVICE_IP:{{ .Values.service.port }} echo http://$SERVICE_IP:{{ .Values.service.port }}
{{- else if contains "ClusterIP" .Values.service.type }} {{- else if contains "ClusterIP" .Values.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "bitwarden.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "bitwarden.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
echo "Visit http://127.0.0.1:8080 to use your application" echo "Visit http://127.0.0.1:8080 to use your application"
kubectl port-forward $POD_NAME 8080:80 kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:80
{{- end }} {{- end }}

View File

@ -0,0 +1,38 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Generate environment variables for external database
*/}}
{{- define "bitwarden.externalDatabaseConfigMap" -}}
{{- with .Values.bitwarden.externalDatabase }}
{{- if and .enabled (or (eq .type "postgresql") (eq .type "mysql")) }}
{{- if and (not .existingSecret.enabled) .user }}
DATABASE_USER: {{ .user | quote }}
{{- end }}
{{- if and (not .existingSecret.enabled) .password }}
DATABASE_PASSWORD: {{ .password | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- define "bitwarden.externalDatabaseEnv" -}}
{{- with .Values.bitwarden.externalDatabase }}
{{- if and .enabled (or (eq .type "postgresql") (eq .type "mysql")) }}
{{- if .existingSecret.enabled }}
- name: DATABASE_USER
valueFrom:
secretKeyRef:
name: {{ .existingSecret.name | quote }}
key: {{ .existingSecret.userKey | quote }}
- name: DATABASE_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .existingSecret.name | quote }}
key: {{ .existingSecret.passwordKey | quote }}
{{- end }}
{{- $dbport := not (empty .port) | ternary (printf ":%v" .port) "" }}
- name: DATABASE_URL
value: {{ printf "%v://$(DATABASE_USER):$(DATABASE_PASSWORD)@%v%v/%v" .type .host $dbport .database }}
{{- end }}
{{- end }}
{{- end }}

View File

@ -3,8 +3,8 @@
Expand the name of the chart. Expand the name of the chart.
*/}} */}}
{{- define "bitwarden.name" -}} {{- define "bitwarden.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end -}} {{- end }}
{{/* {{/*
Create a default fully qualified app name. Create a default fully qualified app name.
@ -12,21 +12,52 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
If release name contains chart name it will be used as a full name. If release name contains chart name it will be used as a full name.
*/}} */}}
{{- define "bitwarden.fullname" -}} {{- define "bitwarden.fullname" -}}
{{- if .Values.fullnameOverride -}} {{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else -}} {{- else }}
{{- $name := default .Chart.Name .Values.nameOverride -}} {{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name -}} {{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}} {{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else -}} {{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end -}} {{- end }}
{{- end -}} {{- end }}
{{- end -}} {{- end }}
{{/* {{/*
Create chart name and version as used by the chart label. Create chart name and version as used by the chart label.
*/}} */}}
{{- define "bitwarden.chart" -}} {{- define "bitwarden.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end -}} {{- end }}
{{/*
Common labels
*/}}
{{- define "bitwarden.labels" -}}
helm.sh/chart: {{ include "bitwarden.chart" . }}
{{ include "bitwarden.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "bitwarden.selectorLabels" -}}
app.kubernetes.io/name: {{ include "bitwarden.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "bitwarden.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "bitwarden.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}

View File

@ -0,0 +1,60 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "bitwarden.fullname" . }}
labels:
{{- include "bitwarden.labels" . | nindent 4 }}
data:
SIGNUPS_ALLOWED: {{ .Values.bitwarden.signupsAllowed | quote }}
INVITATIONS_ALLOWED: {{ .Values.bitwarden.invitationsAllowed | quote }}
{{- if .Values.bitwarden.domain }}
DOMAIN: {{ .Values.bitwarden.domain | quote }}
{{- end }}
WEBSOCKET_ENABLED: {{ .Values.bitwarden.websockets.enabled | quote }}
{{- if and .Values.bitwarden.admin.enabled .Values.bitwarden.admin.disableAdminToken }}
DISABLE_ADMIN_TOKEN: "true"
{{- end }}
{{- with .Values.bitwarden.smtp }}
{{- if .enabled }}
SMTP_HOST: {{ required "SMTP host is required to enable SMTP" .host | quote }}
SMTP_FROM: {{ required "SMTP sender address ('from') is required to enable SMTP" .from | quote }}
{{- if .fromName }}
SMTP_FROM_NAME: {{ .fromName | quote }}
{{- end }}
{{- if .ssl }}
SMTP_SSL: {{ .ssl | quote }}
{{- end }}
{{- if .explicitTLS }}
SMTP_EXPLICIT_TLS: {{ .explicitTLS | quote }}
{{- end }}
{{- if .port }}
SMTP_PORT: {{ .port | quote }}
{{- end }}
{{- if .timeout }}
SMTP_TIMEOUT: {{ .timeout | quote }}
{{- end }}
{{- if and (not .existingSecret.enabled) .user }}
SMTP_USERNAME: {{ .user | quote }}
{{- end }}
{{- if and (not .existingSecret.enabled) .password }}
SMTP_PASSWORD: {{ .password | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- with .Values.bitwarden.yubico }}
{{- if .enabled }}
{{- if .server }}
YUBICO_SERVER: {{ .server | quote }}
{{- end }}
{{- if and (not .existingSecret.enabled) .clientId }}
YUBICO_CLIENT_ID: {{ .clientId | quote }}
{{- end }}
{{- if and (not .existingSecret.enabled) .secretKey }}
YUBICO_SECRET_KEY: {{ .secretKey | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- include "bitwarden.externalDatabaseConfigMap" . | nindent 2 }}
{{- if .Values.env }}
{{- toYaml .Values.env | nindent 2 }}
{{- end }}

View File

@ -1,49 +1,102 @@
{{- if eq .Values.persistence.type "deployment" }}
{{- $fullName := include "bitwarden.fullname" . -}}
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: {{ include "bitwarden.fullname" . }} name: {{ $fullName }}
{{- if .Values.deploymentAnnotations }}
annotations:
{{- range $key, $value := .Values.deploymentAnnotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
labels: labels:
app.kubernetes.io/name: {{ include "bitwarden.name" . }} {{- include "bitwarden.labels" . | nindent 4 }}
helm.sh/chart: {{ include "bitwarden.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
spec: spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }} replicas: {{ .Values.replicaCount }}
{{- end }}
selector: selector:
matchLabels: matchLabels:
app.kubernetes.io/name: {{ include "bitwarden.name" . }} {{- include "bitwarden.selectorLabels" . | nindent 6 }}
app.kubernetes.io/instance: {{ .Release.Name }}
template: template:
metadata: metadata:
labels: {{- with .Values.podAnnotations }}
app.kubernetes.io/name: {{ include "bitwarden.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
annotations: annotations:
{{- if .Values.podAnnotations }} {{- toYaml . | nindent 8 }}
{{ toYaml .Values.podAnnotations | indent 8 }} {{- end }}
{{- end }} labels:
{{- include "bitwarden.selectorLabels" . | nindent 8 }}
spec: spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "bitwarden.serviceAccountName" . }}
{{- with .Values.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
containers: containers:
- name: {{ .Chart.Name }} - name: {{ $fullName }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" {{- with .Values.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }} imagePullPolicy: {{ .Values.image.pullPolicy }}
resources: envFrom:
{{ toYaml .Values.resources | indent 12 }} - configMapRef:
name: {{ $fullName }}
env: env:
{{- range $key, $val := .Values.env }} {{- with .Values.bitwarden.admin }}
- name: {{ $key }} {{- if and .enabled (not .disableAdminToken) }}
value: {{ $val | quote }} - name: ADMIN_TOKEN
{{- end}} valueFrom:
secretKeyRef:
{{- if .existingSecret.enabled }}
name: {{ .existingSecret.name | quote }}
key: {{ .existingSecret.tokenKey | quote }}
{{- else }}
name: {{ $fullName }}
key: admin-token
{{- end }}
{{- end }}
{{- end }}
{{- with .Values.bitwarden.smtp }}
{{- if eq .enabled true }}
{{- if and .existingSecret.enabled (not .user) }}
- name: SMTP_USERNAME
valueFrom:
secretKeyRef:
name: {{ .existingSecret.name | quote }}
key: {{ .existingSecret.userKey | quote }}
- name: SMTP_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .existingSecret.name | quote }}
key: {{ .existingSecret.passwordKey | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- with .Values.bitwarden.yubico }}
{{- if and .enabled .existingSecret.enabled }}
- name: YUBICO_CLIENT_ID
valueFrom:
secretKeyRef:
name: {{ .existingSecret.name | quote }}
key: {{ .existingSecret.clientIdKey | quote }}
- name: YUBICO_SECRET_KEY
valueFrom:
secretKeyRef:
name: {{ .existingSecret.name | quote }}
key: {{ .existingSecret.secretKeyKey | quote }}
{{- end }}
{{- end }}
{{- include "bitwarden.externalDatabaseEnv" . | nindent 12 }}
ports: ports:
- name: http - name: http
containerPort: 80 containerPort: {{ .Values.bitwarden.gui.port }}
protocol: TCP protocol: TCP
{{- if .Values.bitwarden.websockets.enabled }}
- name: websocket
containerPort: {{ .Values.bitwarden.websockets.port }}
protocol: TCP
{{- end }}
livenessProbe: livenessProbe:
httpGet: httpGet:
path: / path: /
@ -52,30 +105,31 @@ spec:
httpGet: httpGet:
path: / path: /
port: http port: http
{{- with .Values.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
volumeMounts: volumeMounts:
- name: data - name: {{ include "bitwarden.fullname" . }}
mountPath: /data mountPath: /data
{{- if .Values.image.pullSecrets }} {{- with .Values.nodeSelector }}
imagePullSecrets: nodeSelector:
- name: {{ .Values.image.pullSecrets }} {{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }} {{- end }}
volumes: volumes:
- name: data - name: {{ include "bitwarden.fullname" . }}
{{- if .Values.persistence.enabled }} {{- if .Values.persistence.enabled }}
persistentVolumeClaim: persistentVolumeClaim:
claimName: {{ if .Values.persistence.existingClaim }}{{ .Values.persistence.existingClaim }}{{- else }}{{ template "bitwarden.fullname" . }}{{- end }} claimName: {{ if .Values.persistence.existingClaim }}{{ .Values.persistence.existingClaim | quote }}{{- else }}{{ include "bitwarden.fullname" . }}{{- end }}
{{- else }} {{- else }}
emptyDir: {} emptyDir: {}
{{- end }} {{- end }}
{{- with .Values.nodeSelector }} {{- end }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}

View File

@ -0,0 +1,32 @@
{{- if .Values.autoscaling.enabled }}
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "bitwarden.fullname" . }}
labels:
{{- include "bitwarden.labels" . | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
{{- if eq .Values.persistence.type "statefulset" }}
kind: StatefulSet
{{- else }}
kind: Deployment
{{- end }}
name: {{ include "bitwarden.fullname" . }}
minReplicas: {{ .Values.autoscaling.minReplicas }}
maxReplicas: {{ .Values.autoscaling.maxReplicas }}
metrics:
{{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
{{- end }}
{{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
{{- end }}
{{- end }}

View File

@ -1,38 +1,52 @@
{{- if .Values.ingress.enabled -}} {{- if .Values.ingress.enabled -}}
{{- $fullName := include "bitwarden.fullname" . -}} {{- $fullName := include "bitwarden.fullname" . -}}
{{- $ingressPath := .Values.ingress.path -}} {{- $svcPort := .Values.service.port -}}
{{- $websockets := .Values.bitwarden.websockets -}}
{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1 apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress kind: Ingress
metadata: metadata:
name: {{ $fullName }} name: {{ $fullName }}
labels: labels:
app.kubernetes.io/name: {{ include "bitwarden.name" . }} {{- include "bitwarden.labels" . | nindent 4 }}
helm.sh/chart: {{ include "bitwarden.chart" . }} {{- with .Values.ingress.annotations }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Values.ingress.annotations }}
annotations: annotations:
{{ toYaml . | indent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
spec: spec:
{{- if .Values.ingress.tls }} {{- if .Values.ingress.tls }}
tls: tls:
{{- range .Values.ingress.tls }} {{- range .Values.ingress.tls }}
- hosts: - hosts:
{{- range .hosts }} {{- range .hosts }}
- {{ . | quote }} - {{ . | quote }}
{{- end }} {{- end }}
secretName: {{ .secretName }} secretName: {{ .secretName }}
{{- end }}
{{- end }} {{- end }}
{{- end }}
rules: rules:
{{- range .Values.ingress.hosts }} {{- range .Values.ingress.hosts }}
- host: {{ . | quote }} - host: {{ .host | quote }}
http: http:
paths: paths:
- path: {{ $ingressPath }} {{- range .paths }}
- path: {{ . }}
backend: backend:
serviceName: {{ $fullName }} serviceName: {{ $fullName }}
servicePort: http servicePort: {{ $svcPort }}
{{- if $websockets.enabled }}
- path: {{ . | trimSuffix "/" }}/notifications/hub
backend:
serviceName: {{ $fullName }}
servicePort: {{ $websockets.port }}
- path: {{ . | trimSuffix "/" }}/notifications/hub/negotiate
backend:
serviceName: {{ $fullName }}
servicePort: {{ $svcPort}}
{{- end }}
{{- end }}
{{- end }}
{{- end }} {{- end }}
{{- end }}

View File

@ -0,0 +1,15 @@
{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ include "bitwarden.fullname" . }}
spec:
accessModes:
- {{ .Values.persistence.accessMode | quote }}
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{- if .Values.persistence.storageClass }}
storageClassName: {{ .Values.persistence.storageClass | quote }}
{{- end }}
{{- end -}}

View File

@ -0,0 +1,11 @@
{{- if not .Values.bitwarden.admin.existingSecret.enabled }}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "bitwarden.fullname" . }}
labels:
{{- include "bitwarden.labels" . | nindent 4 }}
type: Opaque
data:
admin-token: {{ randAlphaNum 48 | b64enc | quote }}
{{- end }}

View File

@ -3,20 +3,26 @@ kind: Service
metadata: metadata:
name: {{ include "bitwarden.fullname" . }} name: {{ include "bitwarden.fullname" . }}
labels: labels:
app.kubernetes.io/name: {{ include "bitwarden.name" . }} {{- include "bitwarden.labels" . | nindent 4 }}
helm.sh/chart: {{ include "bitwarden.chart" . }} {{- with .Values.service.annotations }}
app.kubernetes.io/instance: {{ .Release.Name }} annotations:
app.kubernetes.io/managed-by: {{ .Release.Service }} {{- toYaml . | nindent 4 }}
{{- end }}
spec: spec:
type: {{ .Values.service.type }} type: {{ .Values.service.type }}
{{- if .Values.service.loadBalancerIP }}
loadBalancerIP: {{ .Values.service.loadBalancerIP }}
{{- end }}
ports: ports:
- port: {{ .Values.service.port }} - port: {{ .Values.service.port }}
targetPort: http targetPort: http
protocol: TCP protocol: TCP
name: http name: http
{{- if .Values.bitwarden.websockets.enabled }}
- port: {{ .Values.bitwarden.websockets.port }}
targetPort: websocket
protocol: TCP
name: websocket
{{- end }}
{{- with .Values.service.additionalSpec }}
{{- toYaml . | nindent 2 }}
{{- end }}
selector: selector:
app.kubernetes.io/name: {{ include "bitwarden.name" . }} {{- include "bitwarden.selectorLabels" . | nindent 4 }}
app.kubernetes.io/instance: {{ .Release.Name }}

View File

@ -0,0 +1,12 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "bitwarden.serviceAccountName" . }}
labels:
{{- include "bitwarden.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

View File

@ -0,0 +1,136 @@
{{- if eq .Values.persistence.type "statefulset" }}
{{- $fullName := include "bitwarden.fullname" . -}}
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ $fullName }}
labels:
{{- include "bitwarden.labels" . | nindent 4 }}
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
selector:
matchLabels:
{{- include "bitwarden.selectorLabels" . | nindent 6 }}
serviceName: {{ $fullName }}
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "bitwarden.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "bitwarden.serviceAccountName" . }}
{{- with .Values.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: {{ $fullName }}
{{- with .Values.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
envFrom:
- configMapRef:
name: {{ $fullName }}
env:
{{- with .Values.bitwarden.admin }}
{{- if and .enabled (not .disableAdminToken) }}
- name: ADMIN_TOKEN
valueFrom:
secretKeyRef:
{{- if .existingSecret.enabled }}
name: {{ .existingSecret.name | quote }}
key: {{ .existingSecret.tokenKey | quote }}
{{- else }}
name: {{ $fullName }}
key: admin-token
{{- end }}
{{- end }}
{{- end }}
{{- with .Values.bitwarden.smtp }}
{{- if eq .enabled true }}
{{- if and .existingSecret.enabled (not .user) }}
- name: SMTP_USERNAME
valueFrom:
secretKeyRef:
name: {{ .existingSecret.name | quote }}
key: {{ .existingSecret.userKey | quote }}
- name: SMTP_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .existingSecret.name | quote }}
key: {{ .existingSecret.passwordKey | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- with .Values.bitwarden.yubico }}
{{- if and .enabled .existingSecret.enabled }}
- name: YUBICO_CLIENT_ID
valueFrom:
secretKeyRef:
name: {{ .existingSecret.name | quote }}
key: {{ .existingSecret.clientIdKey | quote }}
- name: YUBICO_SECRET_KEY
valueFrom:
secretKeyRef:
name: {{ .existingSecret.name | quote }}
key: {{ .existingSecret.secretKeyKey | quote }}
{{- end }}
{{- end }}
{{- include "bitwarden.externalDatabaseEnv" . | nindent 12 }}
ports:
- name: http
containerPort: {{ .Values.bitwarden.gui.port }}
protocol: TCP
{{- if .Values.bitwarden.websockets.enabled }}
- name: websocket
containerPort: {{ .Values.bitwarden.websockets.port }}
protocol: TCP
{{- end }}
livenessProbe:
httpGet:
path: /
port: http
readinessProbe:
httpGet:
path: /
port: http
{{- with .Values.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
volumeMounts:
- name: {{ include "bitwarden.fullname" . }}
mountPath: /data
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: {{ include "bitwarden.fullname" . }}
{{- if .Values.persistence.enabled }}
persistentVolumeClaim:
claimName: {{ if .Values.persistence.existingClaim }}{{ .Values.persistence.existingClaim | quote }}{{- else }}{{ include "bitwarden.fullname" . }}{{- end }}
{{- else }}
emptyDir: {}
{{- end }}
{{- end }}

View File

@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "bitwarden.fullname" . }}-test-connection"
labels:
{{- include "bitwarden.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": test-success
spec:
containers:
- name: wget
image: busybox
command: ['wget']
args: ['{{ include "bitwarden.fullname" . }}:{{ .Values.service.port }}']
restartPolicy: Never

View File

@ -1,59 +1,161 @@
# Default values for bitwarden. # Default values for bitwardenrs.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 1 replicaCount: 1
image: image:
repository: bitwardenrs/server repository: bitwardenrs/server
tag: 1.18.0
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
# imagePullSecrets for accessing private registries tag: "1.18.0"
# pullSecrets: regcred
env:
SIGNUPS_ALLOWED: true
INVITATIONS_ALLOWED: true
# SERVER_ADMIN_EMAIL
# DOMAIN
# YUBICO_CLIENT_ID
# YUBICO_SECRET_KEY
# DATA_FOLDER
# DATABASE_URL
# ATTACHMENTS_FOLDER
# ICON_CACHE_FOLDER
# ROCKET_LIMITS
# ROCKET_WORKERS
# SMTP_HOST
# SMTP_FROM
# SMTP_PORT
# SMTP_SSL
# SMTP_EXPLICIT_TLS
# SMTP_USERNAME
# SMTP_PASSWORD
# SHOW_PASSWORD_HINT
# WEB_VAULT_ENABLED
imagePullSecrets: []
nameOverride: "" nameOverride: ""
fullnameOverride: "" fullnameOverride: ""
bitwarden:
domain: ""
signupsAllowed: true
invitationsAllowed: true
gui:
# If you set a different port here, you must also provide it under env
port: 80
websockets:
enabled: true
port: 3012
admin:
enabled: false
disableAdminToken: true
existingSecret:
enabled: false
name: ""
tokenKey: ""
# External database configuration.
# Requires bitwardenrs/server >= 1.17.0 or bitwardenrs/server-{mysql,postgres} images
# ref: https://github.com/dani-garcia/bitwarden_rs/wiki/Using-the-MySQL-Backend
# https://github.com/dani-garcia/bitwarden_rs/wiki/Using-the-PostgreSQL-Backend
externalDatabase:
enabled: false
# Supported values: 'mysql', 'postgresql'.
type: ""
# Database host. Required if external database is enabled.
host: ""
# Database port. Optional, default value is specific to the database backend.
port: ""
# Database name.
database: ""
# Database user.
user: ""
# Database password. Special characters must be escaped with percent encoding.
password: ""
# Use existing secret for database credentials.
existingSecret:
enabled: false
name: ""
userKey: ""
# Special characters in the password value must be escaped with percent encoding.
passwordKey: ""
# Enable SMTP. https://github.com/dani-garcia/bitwarden_rs/wiki/SMTP-configuration
smtp:
enabled: false
# SMTP hostname, required if SMTP is enabled
host: ""
# SMTP sender e-mail address, required if SMTP is enabled
from: ""
# SMTP sender name, defaults to 'Bitwarden_RS'
fromName: ""
# Enable SSL connection
ssl: true
# Explicit TLS
explicitTLS: true
# SMTP port
port: 465
# Timeout
timeout: 120
# SMTP username
user: ""
# SMTP password. Required is user is specified, ignored if no user provided
password: ""
# Use existing secret for SMTP authentication
existingSecret:
enabled: false
name: ""
userKey: ""
passwordKey: ""
# Enable Yubikey 2FA: https://github.com/dani-garcia/bitwarden_rs/wiki/Enabling-Yubikey-OTP-authentication
yubico:
enabled: false
# OTP verification server. Will use the default YubiCloud servers if not specified
server: ""
# API Client ID for OTP server. Ignored if existingSecret is provided.
clientId: ""
# API Secret Key for OTP server. Required if clientId is specified, ignored when using existingSecret.
secretKey: ""
# Use existing secret for API keys
existingSecret:
enabled: false
name: ""
clientIdKey: ""
secretKeyKey: ""
env: {}
# If you plan to run the WebUI on a port other than port 80, specify that here:
# For example, if running the container as a non-root user.
# ROCKET_PORT: "80"
persistence:
type: statefulset
enabled: false
size: 1Gi
accessMode: ReadWriteOnce
## Persistent Volume storage class
# storageClass: "-"
## Use existing Persistent Volume Claim
# existingClaim:
serviceAccount:
# Specifies whether a service account should be created
create: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
podAnnotations: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
service: service:
type: ClusterIP type: ClusterIP
port: 80 port: 80
loadBalancerIP: "" ## Provide any additional annotations which may be required. This can be used to
## set the LoadBalancer service type to internal only.
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
##
annotations: {}
labels: {}
additionalSpec: {}
ingress: ingress:
enabled: true enabled: false
annotations: annotations: {}
kubernetes.io/ingress.class: nginx # kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true" # kubernetes.io/tls-acme: "true"
path: /
hosts: hosts:
- bitwarden.example - host: chart-example.local
tls: paths: []
- secretName: bitwarden-tls tls: []
hosts: # - secretName: chart-example-tls
- bitwarden.example # hosts:
# - chart-example.local
resources: {} resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious # We usually recommend not to specify default resources and to leave this as a conscious
@ -61,26 +163,21 @@ resources: {}
# resources, such as Minikube. If you do want to specify resources, uncomment the following # resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'. # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits: # limits:
# cpu: 100m # cpu: 100m
# memory: 128Mi # memory: 128Mi
# requests: # requests:
# cpu: 100m # cpu: 100m
# memory: 128Mi # memory: 128Mi
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80
nodeSelector: {} nodeSelector: {}
tolerations: [] tolerations: []
affinity: {} affinity: {}
podAnnotations: {}
deploymentAnnotations: {}
## Persist data to a persitent volume
persistence:
enabled: false
accessMode: ReadWriteOnce
size: 800Mi
#storageClass:
#existingClaim: "bitwarden-pvc"