# Default values for vaultwarden.

replicaCount: 1

image:
  repository: vaultwarden/server
  pullPolicy: IfNotPresent
  tag: "1.26.0"

imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""

bitwarden:
  domain: ""
  signupsAllowed: true
  invitationsAllowed: true
  gui:
    # If you set a different port here, you must also provide it under env
    port: 80
  websockets:
    enabled: true
    port: 3012
  admin:
    enabled: false
    disableAdminToken: true
    existingSecret:
      enabled: false
      name: ""
      tokenKey: ""
  # External database configuration.
  # Requires vaultwarden/server >= 1.17.0 or vaultwarden/server-{mysql,postgres} images
  # ref: https://github.com/dani-garcia/vaultwarden/wiki/Using-the-MySQL-Backend
  #      https://github.com/dani-garcia/vaultwarden/wiki/Using-the-PostgreSQL-Backend
  externalDatabase:
    enabled: false
    # Supported values: 'mysql', 'postgresql'.
    type: ""
    # Database host. Required if external database is enabled.
    host: ""
    # Database port. Optional, default value is specific to the database backend.
    port: ""
    # Database name.
    database: ""
    # Database user.
    user: ""
    # Database password. Special characters must be escaped with percent encoding.
    password: ""
    # Use existing secret for database credentials.
    existingSecret:
      enabled: false
      name: ""
      userKey: ""
      # Special characters in the password value must be escaped with percent encoding.
      passwordKey: ""
  # Enable SMTP. https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
  smtp:
    enabled: false
    # SMTP hostname, required if SMTP is enabled
    host: ""
    # SMTP sender e-mail address, required if SMTP is enabled
    from: ""
    # SMTP sender name, defaults to 'Bitwarden_RS'
    fromName: ""
    # Enable a secure connection
    security: force_tls
    # SMTP port
    port: 465
    # Timeout
    timeout: 120
    # SMTP username
    user: ""
    # SMTP password. Required is user is specified, ignored if no user provided
    password: ""
    # Use existing secret for SMTP authentication
    existingSecret:
      enabled: false
      name: ""
      userKey: ""
      passwordKey: ""
  # Enable Yubikey 2FA: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Yubikey-OTP-authentication
  yubico:
    enabled: false
    # OTP verification server. Will use the default YubiCloud servers if not specified
    server: ""
    # API Client ID for OTP server. Ignored if existingSecret is provided.
    clientId: ""
    # API Secret Key for OTP server. Required if clientId is specified, ignored when using existingSecret.
    secretKey: ""
    # Use existing secret for API keys
    existingSecret:
      enabled: false
      name: ""
      clientIdKey: ""
      secretKeyKey: ""

env: {}
# If you plan to run the WebUI on a port other than port 80, specify that here:
# For example, if running the container as a non-root user.
#  ROCKET_PORT: "80"

persistence:
  type: statefulset
  enabled: false
  size: 1Gi
  accessMode: ReadWriteOnce
  ## Persistent Volume storage class
  # storageClass: "-"
  ## Use existing Persistent Volume Claim
  # existingClaim:

serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""

podAnnotations: {}

podSecurityContext: {}
  # fsGroup: 2000

securityContext: {}
  # capabilities:
  #   drop:
  #   - ALL
  # readOnlyRootFilesystem: true
  # runAsNonRoot: true
  # runAsUser: 1000

service:
  type: ClusterIP
  port: 80
  ## Provide any additional annotations which may be required. This can be used to
  ## set the LoadBalancer service type to internal only.
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
  ##
  annotations: {}
  labels: {}
  additionalSpec: {}

ingress:
  enabled: false
  className: ""
  annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  hosts:
    - host: chart-example.local
      paths:
        - path: /
          pathType: ImplementationSpecific
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local

resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi

autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 100
  targetCPUUtilizationPercentage: 80
  # targetMemoryUtilizationPercentage: 80

nodeSelector: {}

tolerations: []

affinity: {}