truenas/chart
1
0
Fork 0
mirror of https://github.com/truenas/charts.git synced 2026-04-03 02:38:49 +08:00
Code Issues Packages Projects Releases Wiki Activity

NAS-121156 / 23.10 / Add vaultwarden to community train (#1055)

Browse Source 
* Add vaultwarden to community train

* add variable only when set

* Update library/ix-dev/community/vaultwarden/values.yaml

* Update library/ix-dev/community/vaultwarden/values.yaml

* add NET_BIND_SERVICE

* minor typo

* use the new common

* Update common

* add upgrade_info.json

* remove the capability, and bump to fixed version
This commit is contained in:
Stavros Kois
2023-04-04 09:52:19 +03:00
committed by GitHub
parent e0dd979524
commit 846a6a02c4
22 changed files with 825 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
library/ix-dev/community/vaultwarden/Chart.lock Normal file
View File

@@ -0,0 +1,6 @@
dependencies:
- name: common
repository: file://../../../common
version: 1.0.1
digest: sha256:ec8784f128039af68613a8268208bde360d5b178f811c4a16c79a1650ca8be92
generated: "2023-04-03T17:51:26.178586108+03:00"

24
library/ix-dev/community/vaultwarden/Chart.yaml Normal file
View File

@@ -0,0 +1,24 @@
name: vaultwarden
description: Alternative implementation of the Bitwarden server API written in Rust and compatible with upstream Bitwarden clients.
annotations:
title: Vaultwarden
type: application
version: 1.0.0
apiVersion: v2
appVersion: '1.27.0'
kubeVersion: '>=1.16.0-0'
maintainers:
- name: truenas
url: https://www.truenas.com/
dependencies:
- name: common
repository: file://../../../common
version: 1.0.1
home: https://github.com/dani-garcia/vaultwarden
icon: https://raw.githubusercontent.com/dani-garcia/vaultwarden/main/src/static/images/vaultwarden-icon.png
sources:
- https://github.com/dani-garcia/vaultwarden
- https://github.com/truenas/charts/tree/master/community/vaultwarden
keywords:
- password
- manager

18
library/ix-dev/community/vaultwarden/README.md Normal file
View File

@@ -0,0 +1,18 @@
# Vaultwarden
[Vaultwarden](https://github.com/dani-garcia/vaultwarden) Alternative implementation of the `Bitwarden` server API written in Rust and compatible with upstream Bitwarden clients
> During the installation process, a container will be launched with **root** privileges. This is required
> in order to apply the correct permissions to the `Vaultwarden` data directory. Afterward, the `Vaultwarden` container
> will run as a **non**-root user (default `568`).
> Same applies to the `postgres` container. This will run afterwards as a **non**-root user (`999`).
> On each upgrade, a container will be launched with **root** privileges in order to apply the correct
> permissions to the `postgres` **backups** directory. Container that performs the backup will run as a **non**-root user (`999`) afterwards.
> Keep in mind the permissions on the backup directory will be changed to `999:999` on **every** update.
> But will only be changed once for the `Vaultwarden` and `postgres` data directories.
While the option to use `Rocket` for TLS is there, it is not
[recommended](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS#via-rocket).
Instead, use a reverse proxy to handle TLS termination.
Using `HTTPS` is **required** for the most of the features to work (correctly).

18
library/ix-dev/community/vaultwarden/app-readme.md Normal file
View File

@@ -0,0 +1,18 @@
# Vaultwarden
[Vaultwarden](https://github.com/dani-garcia/vaultwarden) Alternative implementation of the `Bitwarden` server API written in Rust and compatible with upstream Bitwarden clients
> During the installation process, a container will be launched with **root** privileges. This is required
> in order to apply the correct permissions to the `Vaultwarden` data directory. Afterward, the `Vaultwarden` container
> will run as a **non**-root user (default `568`).
> Same applies to the `postgres` container. This will run afterwards as a **non**-root user (`999`).
> On each upgrade, a container will be launched with **root** privileges in order to apply the correct
> permissions to the `postgres` **backups** directory. Container that performs the backup will run as a **non**-root user (`999`) afterwards.
> Keep in mind the permissions on the backup directory will be changed to `999:999` on **every** update.
> But will only be changed once for the `Vaultwarden` and `postgres` data directories.
While the option to use `Rocket` for TLS is there, it is not
[recommended](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS#via-rocket).
Instead, use a reverse proxy to handle TLS termination.
Using `HTTPS` is **required** for the most of the features to work (correctly).

BIN
library/ix-dev/community/vaultwarden/charts/common-1.0.1.tgz Normal file
View File

Binary file not shown.

17
library/ix-dev/community/vaultwarden/ci/additional-env-values.yaml Normal file
View File

@@ -0,0 +1,17 @@
vaultwardenStorage:
data:
type: hostPath
hostPath: /mnt/{{ .Release.Name }}/data
pgData:
type: hostPath
hostPath: /mnt/{{ .Release.Name }}/pgData
pgBackup:
type: hostPath
hostPath: /mnt/{{ .Release.Name }}/pgBackup
vaultwardenConfig:
additionalEnvs:
- name: LOG_LEVEL
value: debug
- name: SIGNUPS_ALLOWED
value: false

13
library/ix-dev/community/vaultwarden/ci/admin-values.yaml Normal file
View File

@@ -0,0 +1,13 @@
vaultwardenStorage:
data:
type: hostPath
hostPath: /mnt/{{ .Release.Name }}/data
pgData:
type: hostPath
hostPath: /mnt/{{ .Release.Name }}/pgData
pgBackup:
type: hostPath
hostPath: /mnt/{{ .Release.Name }}/pgBackup
vaultwardenConfig:
adminToken: "super-long-secret-password"

10
library/ix-dev/community/vaultwarden/ci/basic-values.yaml Normal file
View File

@@ -0,0 +1,10 @@
vaultwardenStorage:
data:
type: hostPath
hostPath: /mnt/{{ .Release.Name }}/data
pgData:
type: hostPath
hostPath: /mnt/{{ .Release.Name }}/pgData
pgBackup:
type: hostPath
hostPath: /mnt/{{ .Release.Name }}/pgBackup

100
library/ix-dev/community/vaultwarden/ci/https-values.yaml Normal file
View File

@@ -0,0 +1,100 @@
vaultwardenStorage:
data:
type: hostPath
hostPath: /mnt/{{ .Release.Name }}/data
pgData:
type: hostPath
hostPath: /mnt/{{ .Release.Name }}/pgData
pgBackup:
type: hostPath
hostPath: /mnt/{{ .Release.Name }}/pgBackup
vaultwardenNetwork:
certificateID: 1
domain: https://vault.example.com:30000
ixCertificates:
"1":
certificate: |
-----BEGIN CERTIFICATE-----
MIIEdjCCA16gAwIBAgIDYFMYMA0GCSqGSIb3DQEBCwUAMGwxDDAKBgNVBAMMA2Fz
ZDELMAkGA1UEBhMCVVMxDTALBgNVBAgMBGFzZGYxCzAJBgNVBAcMAmFmMQ0wCwYD
VQQKDARhc2RmMQwwCgYDVQQLDANhc2QxFjAUBgkqhkiG9w0BCQEWB2FAYS5jb20w
HhcNMjEwODMwMjMyMzU0WhcNMjMxMjAzMjMyMzU0WjBuMQswCQYDVQQDDAJhZDEL
MAkGA1UEBhMCVVMxDTALBgNVBAgMBGFzZGYxDTALBgNVBAcMBGFzZGYxDTALBgNV
BAoMBGFkc2YxDTALBgNVBAsMBGFzZGYxFjAUBgkqhkiG9w0BCQEWB2FAYS5jb20w
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7+1xOHRQyOnQTHFcrdasX
Zl0gzutVlA890a1wiQpdD5dOtCLo7+eqVYjqVKo9W8RUIArXWmBu/AbkH7oVFWC1
P973W1+ArF5sA70f7BZgqRKJTIisuIFIlRETgfnP2pfQmHRZtGaIJRZI4vQCdYgW
2g0KOvvNcZJCVq1OrhKiNiY1bWCp66DGg0ic6OEkZFHTm745zUNQaf2dNgsxKU0H
PGjVLJI//yrRFAOSBUqgD4c50krnMF7fU/Fqh+UyOu8t6Y/HsySh3urB+Zie331t
AzV6QV39KKxRflNx/yuWrtIEslGTm+xHKoCYJEk/nZ3mX8Y5hG6wWAb7A/FuDVg3
AgMBAAGjggEdMIIBGTAnBgNVHREEIDAehwTAqAADhwTAqAAFhwTAqAC2hwTAqACB
hwTAqACSMB0GA1UdDgQWBBQ4G2ff4tgZl4vmo4xCfqmJhdqShzAMBgNVHRMBAf8E
AjAAMIGYBgNVHSMEgZAwgY2AFLlYf9L99nxJDcpCM/LT3V5hQ/a3oXCkbjBsMQww
CgYDVQQDDANhc2QxCzAJBgNVBAYTAlVTMQ0wCwYDVQQIDARhc2RmMQswCQYDVQQH
DAJhZjENMAsGA1UECgwEYXNkZjEMMAoGA1UECwwDYXNkMRYwFAYJKoZIhvcNAQkB
FgdhQGEuY29tggNgUxcwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwEwDgYDVR0PAQH/
BAQDAgWgMA0GCSqGSIb3DQEBCwUAA4IBAQA6FpOInEHB5iVk3FP67GybJ29vHZTD
KQHbQgmg8s4L7qIsA1HQ+DMCbdylpA11x+t/eL/n48BvGw2FNXpN6uykhLHJjbKR
h8yITa2KeD3LjLYhScwIigXmTVYSP3km6s8jRL6UKT9zttnIHyXVpBDya6Q4WTMx
fmfC6O7t1PjQ5ZyVtzizIUP8ah9n4TKdXU4A3QIM6WsJXpHb+vqp1WDWJ7mKFtgj
x5TKv3wcPnktx0zMPfLb5BTSE9rc9djcBG0eIAsPT4FgiatCUChe7VhuMnqskxEz
MymJLoq8+mzucRwFkOkR2EIt1x+Irl2mJVMeBow63rVZfUQBD8h++LqB
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEhDCCA2ygAwIBAgIDYFMXMA0GCSqGSIb3DQEBCwUAMGwxDDAKBgNVBAMMA2Fz
ZDELMAkGA1UEBhMCVVMxDTALBgNVBAgMBGFzZGYxCzAJBgNVBAcMAmFmMQ0wCwYD
VQQKDARhc2RmMQwwCgYDVQQLDANhc2QxFjAUBgkqhkiG9w0BCQEWB2FAYS5jb20w
HhcNMjEwODMwMjMyMDQ1WhcNMzEwODI4MjMyMDQ1WjBsMQwwCgYDVQQDDANhc2Qx
CzAJBgNVBAYTAlVTMQ0wCwYDVQQIDARhc2RmMQswCQYDVQQHDAJhZjENMAsGA1UE
CgwEYXNkZjEMMAoGA1UECwwDYXNkMRYwFAYJKoZIhvcNAQkBFgdhQGEuY29tMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq//c0hEEr83CS1pMgsHX50jt
2MqIbcf63UUNJTiYpUUvUQSFJFc7m/dr+RTZvu97eDCnD5K2qkHHvTPaPZwY+Djf
iy7N641Sz6u/y3Yo3xxs1Aermsfedh48vusJpjbkT2XS44VjbkrpKcWDNVpp3Evd
M7oJotXeUsZ+imiyVCfr4YhoY5gbGh/r+KN9Wf9YKoUyfLLZGwdZkhtX2zIbidsL
Thqi9YTaUHttGinjiBBum234u/CfvKXsfG3yP2gvBGnlvZnM9ktv+lVffYNqlf7H
VmB1bKKk84HtzuW5X76SGAgOG8eHX4x5ZLI1WQUuoQOVRl1I0UCjBtbz8XhwvQID
AQABo4IBLTCCASkwLQYDVR0RBCYwJIcEwKgABYcEwKgAA4cEwKgAkocEwKgAtYcE
wKgAgYcEwKgAtjAdBgNVHQ4EFgQUuVh/0v32fEkNykIz8tPdXmFD9rcwDwYDVR0T
AQH/BAUwAwEB/zCBmAYDVR0jBIGQMIGNgBS5WH/S/fZ8SQ3KQjPy091eYUP2t6Fw
pG4wbDEMMAoGA1UEAwwDYXNkMQswCQYDVQQGEwJVUzENMAsGA1UECAwEYXNkZjEL
MAkGA1UEBwwCYWYxDTALBgNVBAoMBGFzZGYxDDAKBgNVBAsMA2FzZDEWMBQGCSqG
SIb3DQEJARYHYUBhLmNvbYIDYFMXMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
BQcDAjAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAKEocOmVuWlr
zegtKYMe8NhHIkFY9oVn5ym6RHNOJpPH4QF8XYC3Z5+iC5yGh4P/jVe/4I4SF6Ql
PtofU0jNq5vzapt/y+m008eXqPQFmoUOvu+JavoRVcRx2LIP5AgBA1mF56CSREsX
TkuJAA9IUQ8EjnmAoAeKINuPaKxGDuU8BGCMqr/qd564MKNf9XYL+Fb2rlkA0O2d
2No34DQLgqSmST/LAvPM7Cbp6knYgnKmGr1nETCXasg1cueHLnWWTvps2HiPp2D/
+Fq0uqcZLu4Mdo0CPs4e5sHRyldEnRSKh0DVLprq9zr/GMipmPLJUsT5Jed3sj0w
M7Y3vwxshpo=
-----END CERTIFICATE-----
privatekey: |
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC7+1xOHRQyOnQT
HFcrdasXZl0gzutVlA890a1wiQpdD5dOtCLo7+eqVYjqVKo9W8RUIArXWmBu/Abk
H7oVFWC1P973W1+ArF5sA70f7BZgqRKJTIisuIFIlRETgfnP2pfQmHRZtGaIJRZI
4vQCdYgW2g0KOvvNcZJCVq1OrhKiNiY1bWCp66DGg0ic6OEkZFHTm745zUNQaf2d
NgsxKU0HPGjVLJI//yrRFAOSBUqgD4c50krnMF7fU/Fqh+UyOu8t6Y/HsySh3urB
+Zie331tAzV6QV39KKxRflNx/yuWrtIEslGTm+xHKoCYJEk/nZ3mX8Y5hG6wWAb7
A/FuDVg3AgMBAAECggEAapt30rj9DitGTtxAt13pJMEhyYxvvD3WkvmJwguF/Bbu
eW0Ba1c668fMeRCA54FWi1sMqusPS4HUqqUvk+tmyAOsAF4qgD/A4MMSC7uJSVI5
N/JWhJWyhCY94/FPakiO1nbPbVw41bcqtzU2qvparpME2CtxSCbDiqm7aaag3Kqe
EF0fGSUdZ+TYl9JM05+eIyiX+UY19Fg0OjTHMn8nGpxcNTfDBdQ68TKvdo/dtIKL
PLKzJUNNdM8odC4CvQtfGMqaslwZwXkiOl5VJcW21ncj/Y0ngEMKeD/i65ZoqGdR
0FKCQYEAGtM2FvJcZQ92Wsw7yj2bK2MSegVUyLK32QKBgQDe8syVCepPzRsfjfxA
6TZlWcGuTZLhwIx97Ktw3VcQ1f4rLoEYlv0xC2VWBORpzIsJo4I/OLmgp8a+Ga8z
FkVRnq90dV3t4NP9uJlHgcODHnOardC2UUka4olBSCG6zmK4Jxi34lOxhGRkshOo
L4IBeOIB5g+ZrEEXkzfYJHESRQKBgQDX2YhFhGIrT8BAnC5BbXbhm8h6Bhjz8DYL
d+qhVJjef7L/aJxViU0hX9Ba2O8CLK3FZeREFE3hJPiJ4TZSlN4evxs5p+bbNDcA
0mhRI/o3X4ac6IxdRebyYnCOB/Cu94/MzppcZcotlCekKNike7eorCcX4Qavm7Pu
MUuQ+ifmSwKBgEnchoqZzlbBzMqXb4rRuIO7SL9GU/MWp3TQg7vQmJerTZlgvsQ2
wYsOC3SECmhCq4117iCj2luvOdihCboTFsQDnn0mpQe6BIF6Ns3J38wAuqv0CcFd
DKsrge1uyD3rQilgSoAhKzkUc24o0PpXQurZ8YZPgbuXpbj5vPaOnCdBAoGACYc7
wb3XS4wos3FxhUfcwJbM4b4VKeeHqzfu7pI6cU/3ydiHVitKcVe2bdw3qMPqI9Wc
nvi6e17Tbdq4OCsEJx1OiVwFD9YdO3cOTc6lw/3+hjypvZBRYo+/4jUthbu96E+S
dtOzehGZMmDvN0uSzupSi3ZOgkAAUFpyuIKickMCgYAId0PCRjonO2thn/R0rZ7P
//L852uyzYhXKw5/fjFGhQ6LbaLgIRFaCZ0L2809u0HFnNvJjHv4AKP6j+vFQYYY
qQ+66XnfsA9G/bu4MDS9AX83iahD9IdLXQAy8I19prAbpVumKegPbMnNYNB/TYEc
3G15AKCXo7jjOUtHY01DCQ==
-----END PRIVATE KEY-----

14
library/ix-dev/community/vaultwarden/ci/other-user-values.yaml Normal file
View File

@@ -0,0 +1,14 @@
vaultwardenStorage:
data:
type: hostPath
hostPath: /mnt/{{ .Release.Name }}/data
pgData:
type: hostPath
hostPath: /mnt/{{ .Release.Name }}/pgData
pgBackup:
type: hostPath
hostPath: /mnt/{{ .Release.Name }}/pgBackup
vaultwardenRunAs:
user: 1000
group: 1000

13
library/ix-dev/community/vaultwarden/ci/ws-disabled-values.yaml Normal file
View File

@@ -0,0 +1,13 @@
vaultwardenStorage:
data:
type: hostPath
hostPath: /mnt/{{ .Release.Name }}/data
pgData:
type: hostPath
hostPath: /mnt/{{ .Release.Name }}/pgData
pgBackup:
type: hostPath
hostPath: /mnt/{{ .Release.Name }}/pgBackup
vaultwardenNetwork:
wsEnabled: false

4
library/ix-dev/community/vaultwarden/item.yaml Normal file
View File

@@ -0,0 +1,4 @@
icon: https://raw.githubusercontent.com/dani-garcia/vaultwarden/main/src/static/images/vaultwarden-icon.png
categories:
- password
- manager

285
library/ix-dev/community/vaultwarden/questions.yaml Normal file
View File

@@ -0,0 +1,285 @@
groups:
- name: Vaultwarden Configuration
description: Configure Vaultwarden
- name: User and Group Configuration
description: Configure User and Group for Vaultwarden
- name: Network Configuration
description: Configure Network for Vaultwarden
- name: Storage Configuration
description: Configure Storage for Vaultwarden
- name: Resources Configuration
description: Configure Resources for Vaultwarden
portals:
web_portal:
protocols:
- "$kubernetes-resource_configmap_portal_protocol"
host:
- "$kubernetes-resource_configmap_portal_host"
ports:
- "$kubernetes-resource_configmap_portal_port"
path: "$kubernetes-resource_configmap_portal_path"
admin_portal:
protocols:
- "$kubernetes-resource_configmap_portal_protocol"
host:
- "$kubernetes-resource_configmap_portal_host"
ports:
- "$kubernetes-resource_configmap_portal_port"
path: "$kubernetes-resource_configmap_portal_admin_path"
questions:
- variable: vaultwardenConfig
label: ""
group: Vaultwarden Configuration
schema:
type: dict
attrs:
- variable: adminToken
label: Admin Token
description: Setting this, will enable the admin portal
schema:
type: string
private: true
max_length: 20
default: ""
- variable: additionalEnvs
label: Additional Environment Variables
description: Configure additional environment variables for Vaultwarden.
schema:
type: list
default: []
items:
- variable: env
label: Environment Variable
schema:
type: dict
attrs:
- variable: name
label: Name
schema:
type: string
required: true
- variable: value
label: Value
schema:
type: string
required: true
- variable: vaultwardenRunAs
label: ""
group: User and Group Configuration
schema:
type: dict
attrs:
- variable: user
label: User ID
description: The user id that Vaultwarden will run as.
schema:
type: int
min: 1
default: 568
required: true
- variable: group
label: Group ID
description: The group id that Vaultwarden will run as.
schema:
type: int
min: 1
default: 568
required: true
- variable: vaultwardenNetwork
label: ""
group: Network Configuration
schema:
type: dict
attrs:
- variable: webPort
label: Web Port
description: The port for the Vaultwarden Web UI.
schema:
type: int
default: 30000
min: 9000
max: 65535
required: true
- variable: wsEnabled
label: Enable Websocket
schema:
type: boolean
default: true
- variable: wsPort
label: Websocket Port
description: The port for the Vaultwarden Websocket.
schema:
type: int
show_if: [["wsEnabled", "=", true]]
default: 30001
min: 9000
max: 65535
required: true
- variable: hostNetwork
label: Host Network
description: |
Bind to the host network. It's recommended to keep this disabled.</br>
schema:
type: boolean
default: false
- variable: domain
label: Domain
description: |
The domain to use for Vaultwarden </br>
Format is: https://sub.domain.tld:port
schema:
type: string
default: ""
- variable: certificateID
label: Certificate
description: |
The certificate to use for Vaultwarden </br>
Using the Rocket method for TLS setup is NOT recommended </br>
Prefer a reverse proxy with a valid certificate </br>
schema:
type: int
"null": true
$ref:
- "definitions/certificate"
- variable: vaultwardenStorage
label: ""
group: Storage Configuration
schema:
type: dict
attrs:
- variable: data
label: Vaultwarden Data Storage
description: The path to store Vaultwarden attachments, icons, etc.
schema:
type: dict
attrs:
- variable: type
label: Type
schema:
type: string
required: true
default: ixVolume
enum:
- value: hostPath
description: Host Path
- value: ixVolume
description: ixVolume
- variable: datasetName
label: Dataset Name
schema:
type: string
show_if: [["type", "=", "ixVolume"]]
required: true
hidden: true
immutable: true
default: data
$ref:
- "normalize/ixVolume"
- variable: hostPath
label: Host Path
schema:
type: hostpath
show_if: [["type", "=", "hostPath"]]
immutable: true
required: true
- variable: pgData
label: Vaultwarden Postgres Data Storage
description: The path to store Vaultwarden Postgres Data.
schema:
type: dict
attrs:
- variable: type
label: Type
schema:
type: string
required: true
default: ixVolume
enum:
- value: hostPath
description: Host Path
- value: ixVolume
description: ixVolume
- variable: datasetName
label: Dataset Name
schema:
type: string
show_if: [["type", "=", "ixVolume"]]
required: true
hidden: true
immutable: true
default: pgData
$ref:
- "normalize/ixVolume"
- variable: hostPath
label: Host Path
schema:
type: hostpath
show_if: [["type", "=", "hostPath"]]
immutable: true
required: true
- variable: pgBackup
label: Vaultwarden Postgres Backup Storage
description: The path to store Vaultwarden Postgres Backup.
schema:
type: dict
attrs:
- variable: type
label: Type
schema:
type: string
required: true
default: ixVolume
enum:
- value: hostPath
description: Host Path
- value: ixVolume
description: ixVolume
- variable: datasetName
label: Dataset Name
schema:
type: string
show_if: [["type", "=", "ixVolume"]]
required: true
hidden: true
immutable: true
default: pgBackup
$ref:
- "normalize/ixVolume"
- variable: hostPath
label: Host Path
schema:
type: hostpath
show_if: [["type", "=", "hostPath"]]
immutable: true
required: true
- variable: resources
label: ""
group: Resources Configuration
schema:
type: dict
attrs:
- variable: limits
label: Limits
schema:
type: dict
attrs:
- variable: cpu
label: CPU
description: CPU limit for Vaultwarden.
schema:
type: string
default: 4000m
required: true
- variable: memory
label: Memory
description: Memory limit for Vaultwarden.
schema:
type: string
default: 8Gi
required: true

1
library/ix-dev/community/vaultwarden/templates/NOTES.txt Normal file
View File

@@ -0,0 +1 @@
{{ include "ix.v1.common.lib.chart.notes" $ }}

34
library/ix-dev/community/vaultwarden/templates/_configuration.tpl Normal file
View File

@@ -0,0 +1,34 @@
{{- define "vaultwarden.configuration" -}}
{{- if and .Values.vaultwardenNetwork.domain (not (hasPrefix "http" .Values.vaultwardenNetwork.domain)) -}}
{{- fail "Vaultwarden - Expected [Domain] to have the following format [http(s)://(sub).domain.tld(:port)]." -}}
{{- end -}}
{{- $fullname := (include "ix.v1.common.lib.chart.names.fullname" $) -}}
{{- $dbHost := (printf "%s-postgres" $fullname) -}}
{{- $dbUser := "vaultwarden" -}}
{{- $dbName := "vaultwarden" -}}
{{- $dbPass := (randAlphaNum 32) -}}
{{- with (lookup "v1" "Secret" .Release.Namespace (printf "%s-postgres-creds" $fullname)) -}}
{{- $dbPass = ((index .data "POSTGRES_PASSWORD") | b64dec) -}}
{{- end -}}
{{ $dbURL := (printf "postgres://%s:%s@%s:5432/%s?sslmode=disable" $dbUser $dbPass $dbHost $dbName) }}
secret:
postgres-creds:
enabled: true
data:
POSTGRES_USER: {{ $dbUser }}
POSTGRES_DB: {{ $dbName }}
POSTGRES_PASSWORD: {{ $dbPass }}
POSTGRES_HOST: {{ $dbHost }}
POSTGRES_URL: {{ $dbURL }}
{{ with .Values.vaultwardenConfig.adminToken }}
vaultwarden:
enabled: true
data:
ADMIN_TOKEN: {{ . | quote }}
{{ end }}
{{- end -}}

24
library/ix-dev/community/vaultwarden/templates/_portal.tpl Normal file
View File

@@ -0,0 +1,24 @@
{{- define "vaultwarden.portal" -}}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: portal
data:
path: /
admin_path: /admin
port: {{ .Values.vaultwardenNetwork.webPort | quote }}
{{ if or (hasPrefix "https://" .Values.vaultwardenNetwork.domain) .Values.vaultwardenNetwork.certificateID }}
protocol: https
{{ else }}
protocol: http
{{ end }}
{{- $host := "$node_ip" -}}
{{ with .Values.vaultwardenNetwork.domain }} {{/* Trim protocol and trailing slash */}}
{{ $host = (. | trimPrefix "https://" | trimPrefix "http://" | trimSuffix "/") }}
{{ $host = mustRegexReplaceAll "(.*):[0-9]+" $host "${1}" }}
{{ end }}
host: {{ $host }}
{{- end -}}

48
library/ix-dev/community/vaultwarden/templates/_postgres.tpl Normal file
View File

@@ -0,0 +1,48 @@
{{- define "postgres.workload" -}}
{{/* Postgres Database */}}
workload:
{{- include "ix.v1.common.app.postgres" (dict "secretName" "postgres-creds" "resources" .Values.resources) | nindent 2 }}
{{/* Service */}}
service:
postgres:
enabled: true
type: ClusterIP
targetSelector: postgres
ports:
postgres:
enabled: true
primary: true
port: 5432
targetSelector: postgres
{{/* Persistence */}}
persistence:
postgresdata:
enabled: true
type: {{ .Values.vaultwardenStorage.pgData.type }}
datasetName: {{ .Values.vaultwardenStorage.pgData.datasetName | default "" }}
hostPath: {{ .Values.vaultwardenStorage.pgData.hostPath | default "" }}
targetSelector:
# Postgres pod
postgres:
# Postgres container
postgres:
mountPath: /var/lib/postgresql/data
# Permissions container, for postgres, container is named "permissions"
permissions:
mountPath: /mnt/directories/postgres_data
postgresbackup:
enabled: true
type: {{ .Values.vaultwardenStorage.pgBackup.type }}
datasetName: {{ .Values.vaultwardenStorage.pgBackup.datasetName | default "" }}
hostPath: {{ .Values.vaultwardenStorage.pgBackup.hostPath | default "" }}
targetSelector:
# Postgres backup pod
postgresbackup:
# Postgres backup container
postgresbackup:
mountPath: /postgres_backup
# Permissions container, for postgres, container is named "permissions"
permissions:
mountPath: /mnt/directories/postgres_backup
{{- end -}}

119
library/ix-dev/community/vaultwarden/templates/_vaultwarden.tpl Normal file
View File

@@ -0,0 +1,119 @@
{{- define "vaultwarden.workload" -}}
workload:
vaultwarden:
enabled: true
primary: true
type: Deployment
podSpec:
hostNetwork: {{ .Values.vaultwardenNetwork.hostNetwork }}
containers:
vaultwarden:
enabled: true
primary: true
imageSelector: image
securityContext:
runAsUser: {{ .Values.vaultwardenRunAs.user }}
runAsGroup: {{ .Values.vaultwardenRunAs.group }}
env:
ROCKET_PORT: {{ .Values.vaultwardenNetwork.webPort }}
WEBSOCKET_PORT: {{ .Values.vaultwardenNetwork.wsPort }}
WEBSOCKET_ENABLED: {{ .Values.vaultwardenNetwork.wsEnabled }}
DATABASE_URL:
secretKeyRef:
name: postgres-creds
key: POSTGRES_URL
{{ if .Values.vaultwardenConfig.adminToken }}
ADMIN_TOKEN:
secretKeyRef:
name: vaultwarden
key: ADMIN_TOKEN
{{ end }}
{{ if .Values.vaultwardenNetwork.certificateID }}
ROCKET_TLS: '{certs="/certs/public.crt",key="/certs/private.key"}'
{{ end }}
{{ with .Values.vaultwardenNetwork.domain }}
DOMAIN: {{ . }}
{{ end }}
{{ with .Values.vaultwardenConfig.additionalEnvs }}
{{ range $env := . }}
{{ $env.name }}: {{ $env.value }}
{{ end }}
{{ end }}
probes:
liveness:
enabled: true
type: exec
command: /healthcheck.sh
readiness:
enabled: true
type: exec
command: /healthcheck.sh
startup:
enabled: true
type: exec
command: /healthcheck.sh
initContainers:
{{- include "ix.v1.common.app.permissions" (dict "containerName" "01-permissions"
"UID" .Values.vaultwardenRunAs.user
"GID" .Values.vaultwardenRunAs.group
"type" "install") | nindent 8 }}
{{- include "ix.v1.common.app.postgresWait" (dict "name" "postgres-wait"
"secretName" "postgres-creds") | nindent 8 }}
{{/* Service */}}
service:
vaultwarden:
enabled: true
primary: true
type: NodePort
targetSelector: vaultwarden
ports:
webui:
enabled: true
primary: true
port: {{ .Values.vaultwardenNetwork.webPort }}
nodePort: {{ .Values.vaultwardenNetwork.webPort }}
targetSelector: vaultwarden
ws:
enabled: {{ .Values.vaultwardenNetwork.wsEnabled }}
port: {{ .Values.vaultwardenNetwork.wsPort }}
nodePort: {{ .Values.vaultwardenNetwork.wsPort }}
targetSelector: vaultwarden
{{/* Persistence */}}
persistence:
data:
enabled: true
type: {{ .Values.vaultwardenStorage.data.type }}
datasetName: {{ .Values.vaultwardenStorage.data.datasetName | default "" }}
hostPath: {{ .Values.vaultwardenStorage.data.hostPath | default "" }}
targetSelector:
vaultwarden:
vaultwarden:
mountPath: /data
01-permissions:
mountPath: /mnt/directories/data
{{- if .Values.vaultwardenNetwork.certificateID }}
cert:
enabled: true
type: secret
objectName: vaultwarden-cert
defaultMode: "0600"
items:
- key: tls.key
path: private.key
- key: tls.crt
path: public.crt
targetSelector:
vaultwarden:
vaultwarden:
mountPath: /certs
readOnly: true
scaleCertificate:
vaultwarden-cert:
enabled: true
id: {{ .Values.vaultwardenNetwork.certificateID }}
{{- end -}}
{{- end -}}

11
library/ix-dev/community/vaultwarden/templates/common.yaml Normal file
View File

@@ -0,0 +1,11 @@
{{- include "ix.v1.common.loader.init" . -}}
{{/* Merge the templates with Values */}}
{{- $_ := mustMergeOverwrite .Values (include "vaultwarden.configuration" $ | fromYaml) -}}
{{- $_ := mustMergeOverwrite .Values (include "vaultwarden.workload" $ | fromYaml) -}}
{{- $_ := mustMergeOverwrite .Values (include "postgres.workload" $ | fromYaml) -}}
{{/* Create the configmap for portal manually*/}}
{{- include "vaultwarden.portal" $ -}}
{{- include "ix.v1.common.loader.apply" . -}}

1
library/ix-dev/community/vaultwarden/upgrade_info.json Normal file
View File

@@ -0,0 +1 @@
{"filename": "values.yaml", "keys": ["image"]}

26
library/ix-dev/community/vaultwarden/upgrade_strategy Executable file
View File

@@ -0,0 +1,26 @@
#!/usr/bin/python3
import json
import sys
from catalog_update.upgrade_strategy import semantic_versioning
def newer_mapping(image_tags):
key = list(image_tags.keys())[0]
version = semantic_versioning(image_tags[key])
if not version:
return {}
return {
'tags': {key: f'v{version}'},
'app_version': f'v{version}',
}
if __name__ == '__main__':
try:
versions_json = json.loads(sys.stdin.read())
except ValueError:
raise ValueError('Invalid json specified')
print(json.dumps(newer_mapping(versions_json)))

39
library/ix-dev/community/vaultwarden/values.yaml Normal file
View File

@@ -0,0 +1,39 @@
image:
repository: vaultwarden/server
pullPolicy: IfNotPresent
tag: "1.28.1"
resources:
limits:
cpu: 4000m
memory: 8Gi
vaultwardenConfig:
adminToken: ""
additionalEnvs: []
vaultwardenNetwork:
webPort: 30000
wsEnabled: true
wsPort: 30001
hostNetwork: false
certificateID: ""
domain: ""
vaultwardenRunAs:
user: 568
group: 568
vaultwardenStorage:
data:
type: ixVolume
hostPath: ""
datasetName: data
pgData:
type: ixVolume
hostPath: ""
datasetName: pgData
pgBackup:
type: ixVolume
hostPath: ""
datasetName: pgBackup