test(testwarden): add testwarden app to test moving to cnpg

Kjeld Schouten-Lebbing
2022-11-15 12:15:25 +01:00
parent b7afe30148
commit e39a8d8a68
13 changed files with 3030 additions and 0 deletions


@@ -0,0 +1,30 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
# OWNERS file for Kubernetes
OWNERS
# helm-docs templates
*.gotmpl
# docs folder
/docs
# icon
icon.png



@@ -0,0 +1,37 @@
apiVersion: v2
appVersion: "1.26.0"
dependencies:
- name: common
repository: https://library-charts.truecharts.org
version: 11.0.0
- condition: postgresql.enabled
name: postgresql
repository: https://charts.truecharts.org/
version: 10.0.0
deprecated: false
description: testapplication for moving to operator based postgresql
home: https://truecharts.org/docs/charts/stable/vaultwarden
icon: https://truecharts.org/img/hotlink-ok/chart-icons/vaultwarden.png
keywords:
- bitwarden
- bitwardenrs
- bitwarden_rs
- vaultwarden
- password
- rust
kubeVersion: ">=1.16.0-0"
maintainers:
- email: info@truecharts.org
name: TrueCharts
url: https://truecharts.org
name: testwarden
sources:
- https://github.com/truecharts/charts/tree/master/charts/stable/vaultwarden
- https://github.com/dani-garcia/vaultwarden
type: application
version: 19.0.0
annotations:
truecharts.org/catagories: |
- security
truecharts.org/SCALE-support: "true"
truecharts.org/grade: U


@@ -0,0 +1,107 @@
# vaultwarden
Unofficial Bitwarden compatible server written in Rust
TrueCharts can be installed as both *normal* Helm Charts or as Apps on TrueNAS SCALE.
This readme is just an automatically generated general guide on installing our Helm Charts and Apps.
For more information, please click here: [vaultwarden](https://truecharts.org/docs/charts/stable/vaultwarden)
**This chart is not maintained by the upstream project and any issues with the chart should be raised [here](https://github.com/truecharts/charts/issues/new/choose)**
## Source Code
* <https://github.com/truecharts/charts/tree/master/charts/stable/vaultwarden>
* <https://github.com/dani-garcia/vaultwarden>
## Requirements
Kubernetes: `>=1.16.0-0`
## Dependencies
| Repository | Name | Version |
|------------|------|---------|
| https://charts.truecharts.org/ | postgresql | 8.0.122 |
| https://library-charts.truecharts.org | common | 10.9.4 |
## Installing the Chart
### TrueNAS SCALE
To install this Chart on TrueNAS SCALE check our [Quick-Start Guide](https://truecharts.org/docs/manual/SCALE%20Apps/Installing-an-App).
### Helm
To install the chart with the release name `vaultwarden`
```console
helm repo add TrueCharts https://charts.truecharts.org
helm repo update
helm install vaultwarden TrueCharts/vaultwarden
```
## Uninstall
### TrueNAS SCALE
**Upgrading, Rolling Back and Uninstalling the Chart**
To upgrade, rollback or delete this Chart from TrueNAS SCALE check our [Quick-Start Guide](https://truecharts.org/docs/manual/SCALE%20Apps/Upgrade-rollback-delete-an-App).
### Helm
To uninstall the `vaultwarden` deployment
```console
helm uninstall vaultwarden
```
## Configuration
### Helm
#### Available Settings
Read through the values.yaml file. It has several commented out suggested values.
Other values may be used from the [values.yaml](https://github.com/truecharts/library-charts/tree/main/charts/stable/common/values.yaml) from the [common library](https://github.com/truecharts/library-charts/tree/main/charts/common).
#### Configure using the command line
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
```console
helm install vaultwarden \
--set env.TZ="America/New York" \
TrueCharts/vaultwarden
```
#### Configure using a yaml file
Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart.
```console
helm install vaultwarden TrueCharts/vaultwarden -f values.yaml
```
#### Connecting to other charts
If you need to connect this Chart to other Charts on TrueNAS SCALE, please refer to our [Linking Charts Internally](https://truecharts.org/docs/manual/SCALE%20Apps/linking-apps) quick-start guide.
## Support
- Please check our [quick-start guides for TrueNAS SCALE](https://truecharts.org/docs/manual/SCALE%20Apps/Important-MUST-READ).
- See the [Website](https://truecharts.org)
- Check our [Discord](https://discord.gg/tVsPTHWTtr)
- Open a [issue](https://github.com/truecharts/apps/issues/new/choose)
---
## Sponsor TrueCharts
TrueCharts can only exist due to the incredible effort of our staff.
Please consider making a [donation](https://truecharts.org/sponsor) or contributing back to the project any way you can!
---
All Rights Reserved - The TrueCharts Project


@@ -0,0 +1,7 @@
# -- Configure the ingresses for the chart here.
# Additional ingresses can be added by adding a dictionary key similar to the 'main' ingress.
# @default -- See below
ingress:
main:
# -- Enables or disables the ingress
enabled: true



@@ -0,0 +1,424 @@
# Include{groups}
portals:
open:
# Include{portalLink}
admin:
# Include{portalLink}
path: "/admin/"
questions:
# Include{global}
# Include{controller}
# Include{replicas}
# Include{replica1}
# Include{controllerExpertExtraArgs}
# Include{containerConfig}
- variable: vaultwarden
label: ""
group: "App Configuration"
schema:
additional_attrs: true
type: dict
attrs:
- variable: yubico
label: "Yubico OTP authentication"
schema:
additional_attrs: true
type: dict
attrs:
- variable: enabled
label: "Enable Yubico OTP authentication"
description: "Please refer to the manual at: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Yubikey-OTP-authentication"
schema:
type: boolean
default: false
show_subquestions_if: true
subquestions:
- variable: server
label: "Yubico server"
description: "Defaults to YubiCloud"
schema:
type: string
default: ""
- variable: clientId
label: "Yubico ID"
schema:
type: string
default: ""
- variable: secretKey
label: "Yubico Secret Key"
schema:
type: string
default: ""
- variable: admin
label: "Admin Portal"
schema:
additional_attrs: true
type: dict
attrs:
- variable: enabled
label: "Enable Admin Portal"
schema:
type: boolean
default: false
show_subquestions_if: true
subquestions:
- variable: disableAdminToken
label: "Make Accessible Without Password/Token"
schema:
type: boolean
default: false
- variable: token
label: "Admin Portal Password/Token"
description: "Will be automatically generated if not defined"
schema:
type: string
default: ""
- variable: icons
label: "Icon Download Settings"
schema:
additional_attrs: true
type: dict
attrs:
- variable: disableDownload
label: "Disable Icon Download"
description: "Disables download of external icons. Setting to true will still serve icons from cache (/data/icon_cache)"
schema:
type: boolean
default: false
- variable: cache
label: "Cache time-to-live"
description: "Cache time-to-live for icons fetched. 0 means no purging"
schema:
type: int
default: 2592000
- variable: token
label: "Failed Downloads Cache time-to-live"
description: "Cache time-to-live for icons that were not available. 0 means no purging."
schema:
type: int
default: 2592000
- variable: log
label: "Logging"
schema:
additional_attrs: true
type: dict
attrs:
- variable: level
label: "Log level"
schema:
type: string
default: "info"
required: true
enum:
- value: "trace"
description: "trace"
- value: "debug"
description: "debug"
- value: "info"
description: "info"
- value: "warn"
description: "warn"
- value: "error"
description: "error"
- value: "off"
description: "off"
- variable: file
label: "Log-File Location"
schema:
type: string
default: ""
- variable: smtp
label: "SMTP Settings (Email)"
schema:
additional_attrs: true
type: dict
attrs:
- variable: enabled
label: "Enable SMTP Support"
schema:
type: boolean
default: false
show_subquestions_if: true
subquestions:
- variable: host
label: "SMTP hostname"
schema:
type: string
required: true
default: ""
- variable: from
label: "SMTP sender e-mail address"
schema:
type: string
required: true
default: ""
- variable: fromName
label: "SMTP sender name"
schema:
type: string
required: true
default: ""
- variable: user
label: "SMTP username"
schema:
type: string
required: true
default: ""
- variable: password
label: "SMTP password"
description: "Required is user is specified, ignored if no user provided"
schema:
type: string
default: ""
- variable: ssl
label: "Enable SSL connection"
schema:
type: boolean
default: true
- variable: port
label: "SMTP port"
description: "Usually: 25 without SSL, 587 with SSL"
schema:
type: int
default: 587
- variable: authMechanism
label: "SMTP Authentication Mechanisms"
description: "Comma-separated options: Plain, Login and Xoauth2"
schema:
type: string
default: "Plain"
- variable: heloName
label: "SMTP HELO - Hostname"
description: "Hostname to be sent for SMTP HELO. Defaults to pod name"
schema:
type: string
default: ""
- variable: timeout
label: "SMTP timeout"
schema:
type: int
default: 15
- variable: invalidHostname
label: "Accept Invalid Hostname"
description: "Accept SSL session if certificate is valid but hostname doesn't match. DANGEROUS, vulnerable to men-in-the-middle attacks!"
schema:
type: boolean
default: false
- variable: invalidCertificate
label: "Accept Invalid Certificate"
description: "Accept invalid certificates. DANGEROUS, vulnerable to men-in-the-middle attacks!"
schema:
type: boolean
default: false
- variable: allowSignups
label: "Allow Signup"
description: "Allow any user to sign-up: https://github.com/dani-garcia/vaultwarden/wiki/Disable-registration-of-new-users"
schema:
type: boolean
default: true
- variable: allowInvitation
label: "Always allow Invitation"
description: "Allow invited users to sign-up even feature is disabled: https://github.com/dani-garcia/vaultwarden/wiki/Disable-invitations"
schema:
type: boolean
default: true
- variable: defaultInviteName
label: "Default Invite Organisation Name"
description: "Default organization name in invitation e-mails that are not coming from a specific organization."
schema:
type: string
default: ""
- variable: showPasswordHint
label: "Show password hints"
description: "https://github.com/dani-garcia/vaultwarden/wiki/Password-hint-display"
schema:
type: boolean
default: true
- variable: signupwhitelistenable
label: "Enable Signup Whitelist"
description: "allowSignups is ignored if set"
schema:
type: boolean
default: false
show_subquestions_if: true
subquestions:
- variable: signupDomains
label: "Signup Whitelist Domains"
schema:
type: list
default: []
items:
- variable: domain
label: "Domain"
schema:
type: string
default: ""
- variable: verifySignup
label: "Verifiy Signup"
description: "Verify e-mail before login is enabled. SMTP must be enabled"
schema:
type: boolean
default: false
- variable: requireEmail
label: "Block Login if email fails"
description: "When a user logs in an email is required to be sent. If sending the email fails the login attempt will fail. SMTP must be enabled"
schema:
type: boolean
default: false
- variable: emailAttempts
label: "Email token reset attempts"
description: "Maximum attempts before an email token is reset and a new email will need to be sent"
schema:
type: int
default: 3
- variable: emailTokenExpiration
label: "Email token validity in seconds"
schema:
type: int
default: 600
- variable: enableWebVault
label: "Enable Webvault"
description: "Enable Web Vault (static content). https://github.com/dani-garcia/vaultwarden/wiki/Disabling-or-overriding-the-Vault-interface-hosting"
schema:
type: boolean
default: true
- variable: orgCreationUsers
label: "Limit Organisation Creation to (users)"
description: "Restrict creation of orgs. Options are: 'all', 'none' or a comma-separated list of users."
schema:
type: string
default: "all"
- variable: attachmentLimitOrg
label: "Limit Attachment Disk Usage per Organisation"
schema:
type: string
default: ""
- variable: attachmentLimitUser
label: "Limit Attachment Disk Usage per User"
schema:
type: string
default: ""
- variable: hibpApiKey
label: "HaveIBeenPwned API Key"
description: "Can be purchased at https://haveibeenpwned.com/API/Key"
schema:
type: string
default: ""
# Include{serviceRoot}
- variable: main
label: "Main Service"
description: "The Primary service on which the healthcheck runs, often the webUI"
schema:
additional_attrs: true
type: dict
attrs:
# Include{serviceSelectorLoadBalancer}
# Include{serviceSelectorExtras}
- variable: main
label: "Main Service Port Configuration"
schema:
additional_attrs: true
type: dict
attrs:
- variable: port
label: "Port"
description: "This port exposes the container port on the service"
schema:
type: int
default: 10102
required: true
- variable: ws
label: "WebSocket Service"
description: "WebSocket Service"
schema:
additional_attrs: true
type: dict
attrs:
# Include{serviceSelectorLoadBalancer}
# Include{serviceSelectorExtras}
- variable: ws
label: "WebSocket Service Port Configuration"
schema:
additional_attrs: true
type: dict
attrs:
- variable: port
label: "Port"
description: "This port exposes the container port on the service"
schema:
type: int
default: 3012
required: true
# Include{serviceExpertRoot}
default: false
# Include{serviceExpert}
# Include{serviceList}
# Include{persistenceRoot}
- variable: data
label: "App Config Storage"
description: "Stores the Application Configuration."
schema:
additional_attrs: true
type: dict
attrs:
# Include{persistenceBasic}
# Include{persistenceList}
# Include{ingressRoot}
- variable: main
label: "Main Ingress"
schema:
additional_attrs: true
type: dict
attrs:
# Include{ingressDefault}
# Include{ingressTLS}
# Include{ingressTraefik}
# Include{ingressList}
# Include{security}
# Include{securityContextAdvancedRoot}
- variable: privileged
label: "Privileged mode"
schema:
type: boolean
default: false
- variable: readOnlyRootFilesystem
label: "ReadOnly Root Filesystem"
schema:
type: boolean
default: true
- variable: allowPrivilegeEscalation
label: "Allow Privilege Escalation"
schema:
type: boolean
default: false
- variable: runAsNonRoot
label: "runAsNonRoot"
schema:
type: boolean
default: true
# Include{podSecurityContextRoot}
- variable: runAsUser
label: "runAsUser"
description: "The UserID of the user running the application"
schema:
type: int
default: 568
- variable: runAsGroup
label: "runAsGroup"
description: "The groupID this App of the user running the application"
schema:
type: int
default: 568
- variable: fsGroup
label: "fsGroup"
description: "The group that should own ALL storage."
schema:
type: int
default: 568
# Include{podSecurityContextAdvanced}
# Include{resources}
# Include{advanced}
# Include{addons}
# Include{codeserver}
# Include{vpn}
# Include{documentation}
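Review bot: The third field of the `icons` group is named `token` (labelled "Failed Downloads Cache time-to-live"), but the configmap template reads `.Values.vaultwarden.icons.cacheFailed` and values.yaml documents `cacheFailed`, so a value entered in the SCALE form never reaches `ICON_CACHE_NEGTTL`; rename it `- variable: cacheFailed`. `signupDomains` is declared here as a list of `{domain: ...}` dicts, while the configmap template feeds `.Values.vaultwarden.signupDomains` straight into `join ","` and values.yaml shows plain strings, so the form-produced shape would presumably be joined as stringified maps rather than domains — either make the items plain strings or map `.domain` in the template. `signupwhitelistenable` is not referenced by any template visible in this commit, so a domain list entered earlier stays in effect after the toggle is switched off. The admin `token`, SMTP `password` and Yubico `secretKey` are plain string fields; adding `private: true` to their schema keeps them masked in the form.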


@@ -0,0 +1,116 @@
{{/* Define the configmap */}}
{{- define "vaultwarden.configmap" -}}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: vaultwardenconfig
data:
ROCKET_PORT: "8080"
SIGNUPS_ALLOWED: {{ .Values.vaultwarden.allowSignups | quote }}
{{- if .Values.vaultwarden.signupDomains }}
SIGNUPS_DOMAINS_WHITELIST: {{ join "," .Values.vaultwarden.signupDomains | quote }}
{{- end }}
{{- if and (eq .Values.vaultwarden.verifySignup true) (eq .Values.vaultwarden.smtp.enabled false) }}{{ required "Signup verification requires SMTP to be enabled" nil}}{{end}}
SIGNUPS_VERIFY: {{ .Values.vaultwarden.verifySignup | quote }}
{{- if and (eq .Values.vaultwarden.requireEmail true) (eq .Values.vaultwarden.smtp.enabled false) }}{{ required "Requiring emails for login depends on SMTP" nil}}{{end}}
REQUIRE_DEVICE_EMAIL: {{ .Values.vaultwarden.requireEmail | quote }}
{{- if .Values.vaultwarden.emailAttempts }}
EMAIL_ATTEMPTS_LIMIT: {{ .Values.vaultwarden.emailAttempts | quote }}
{{- end }}
{{- if .Values.vaultwarden.emailTokenExpiration }}
EMAIL_EXPIRATION_TIME: {{ .Values.vaultwarden.emailTokenExpiration | quote }}
{{- end }}
INVITATIONS_ALLOWED: {{ .Values.vaultwarden.allowInvitation | quote }}
{{- if .Values.vaultwarden.defaultInviteName }}
INVITATION_ORG_NAME: {{ .Values.vaultwarden.defaultInviteName | quote }}
{{- end }}
SHOW_PASSWORD_HINT: {{ .Values.vaultwarden.showPasswordHint | quote }}
WEBSOCKET_ENABLED: {{ .Values.vaultwarden.enableWebsockets | quote }}
WEB_VAULT_ENABLED: {{ .Values.vaultwarden.enableWebVault | quote }}
ORG_CREATION_USERS: {{ .Values.vaultwarden.orgCreationUsers | quote }}
{{- if .Values.vaultwarden.attachmentLimitOrg }}
ORG_ATTACHMENT_LIMIT: {{ .Values.vaultwarden.attachmentLimitOrg | quote }}
{{- end }}
{{- if .Values.vaultwarden.attachmentLimitUser }}
USER_ATTACHMENT_LIMIT: {{ .Values.vaultwarden.attachmentLimitUser | quote }}
{{- end }}
{{- if .Values.vaultwarden.hibpApiKey }}
HIBP_API_KEY: {{ .Values.vaultwarden.hibpApiKey | quote }}
{{- end }}
{{- include "vaultwarden.dbTypeValid" . }}
{{- if .Values.database.retries }}
DB_CONNECTION_RETRIES: {{ .Values.database.retries | quote }}
{{- end }}
{{- if .Values.database.maxConnections }}
DATABASE_MAX_CONNS: {{ .Values.database.maxConnections | quote }}
{{- end }}
{{- if eq .Values.vaultwarden.smtp.enabled true }}
SMTP_HOST: {{ required "SMTP host is required to enable SMTP" .Values.vaultwarden.smtp.host | quote }}
SMTP_FROM: {{ required "SMTP sender address ('from') is required to enable SMTP" .Values.vaultwarden.smtp.from | quote }}
{{- if .Values.vaultwarden.smtp.fromName }}
SMTP_FROM_NAME: {{ .Values.vaultwarden.smtp.fromName | quote }}
{{- end }}
{{- if .Values.vaultwarden.smtp.ssl }}
SMTP_SSL: {{ .Values.vaultwarden.smtp.ssl | quote }}
{{- end }}
{{- if .Values.vaultwarden.smtp.port }}
SMTP_PORT: {{ .Values.vaultwarden.smtp.port | quote }}
{{- end }}
{{- if .Values.vaultwarden.smtp.authMechanism }}
SMTP_AUTH_MECHANISM: {{ .Values.vaultwarden.smtp.authMechanism | quote }}
{{- end }}
{{- if .Values.vaultwarden.smtp.heloName }}
HELO_NAME: {{ .Values.vaultwarden.smtp.heloName | quote }}
{{- end }}
{{- if .Values.vaultwarden.smtp.timeout }}
SMTP_TIMEOUT: {{ .Values.vaultwarden.smtp.timeout | quote }}
{{- end }}
{{- if .Values.vaultwarden.smtp.invalidHostname }}
SMTP_ACCEPT_INVALID_HOSTNAMES: {{ .Values.vaultwarden.smtp.invalidHostname | quote }}
{{- end }}
{{- if .Values.vaultwarden.smtp.invalidCertificate }}
SMTP_ACCEPT_INVALID_CERTS: {{ .Values.vaultwarden.smtp.invalidCertificate | quote }}
{{- end }}
{{- end }}
{{- if .Values.vaultwarden.log.file }}
LOG_FILE: {{ .Values.vaultwarden.log.file | quote }}
{{- end }}
{{- if or .Values.vaultwarden.log.level .Values.vaultwarden.log.timeFormat }}
EXTENDED_LOGGING: "true"
{{- end }}
{{- if .Values.vaultwarden.log.level }}
{{- include "vaultwarden.logLevelValid" . }}
LOG_LEVEL: {{ .Values.vaultwarden.log.level | quote }}
{{- end }}
{{- if .Values.vaultwarden.log.timeFormat }}
LOG_TIMESTAMP_FORMAT: {{ .Values.vaultwarden.log.timeFormat | quote }}
{{- end }}
{{- if .Values.vaultwarden.icons.disableDownload }}
DISABLE_ICON_DOWNLOAD: {{ .Values.vaultwarden.icons.disableDownload | quote }}
{{- if and (not .Values.vaultwarden.icons.cache) (eq .Values.vaultwarden.icons.disableDownload "true") }}
ICON_CACHE_TTL: "0"
{{- end }}
{{- end }}
{{- if .Values.vaultwarden.icons.cache }}
ICON_CACHE_TTL: {{ .Values.vaultwarden.icons.cache | quote }}
{{- end }}
{{- if .Values.vaultwarden.icons.cacheFailed }}
ICON_CACHE_NEGTTL: {{ .Values.vaultwarden.icons.cacheFailed | quote }}
{{- end }}
{{- if eq .Values.vaultwarden.admin.enabled true }}
{{- if eq .Values.vaultwarden.admin.disableAdminToken true }}
DISABLE_ADMIN_TOKEN: "true"
{{- end }}
{{- end }}
{{- if eq .Values.vaultwarden.yubico.enabled true }}
{{- if .Values.vaultwarden.yubico.server }}
YUBICO_SERVER: {{ .Values.vaultwarden.yubico.server | quote }}
{{- end }}
{{- end }}
{{- if eq .Values.database.type "sqlite" }}
ENABLE_DB_WAL: {{ .Values.database.wal | quote }}
{{- else }}
ENABLE_DB_WAL: "false"
{{- end }}
{{- end -}}
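Review bot: `HIBP_API_KEY` is rendered into the ConfigMap in the `hibpApiKey` branch, so a paid API key lands in a non-secret object readable by anyone with configmap access in the namespace; it belongs next to the other credentials in `vaultwarden.secrets` as `HIBP_API_KEY: {{ .Values.vaultwarden.hibpApiKey | b64enc | quote }}`. The inner icon check `eq .Values.vaultwarden.icons.disableDownload "true"` compares the boolean `disableDownload` (boolean in both values.yaml and questions.yaml) with a string, which I believe Go templates reject at render time as a kind mismatch; since the enclosing `if` already establishes the flag, `{{- if not .Values.vaultwarden.icons.cache }}` is enough. Several settings are gated with a bare truthiness test, e.g. `{{- if .Values.vaultwarden.icons.cache }}` although the form text says "0 means no purging", so an explicit `0` is indistinguishable from unset and is silently dropped; `{{- if hasKey .Values.vaultwarden.icons "cache" }}` preserves zero.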


@@ -0,0 +1,36 @@
{{/* Define the secrets */}}
{{- define "vaultwarden.secrets" -}}
{{- $adminToken := "" }}
{{- if eq .Values.vaultwarden.admin.enabled true }}
{{- $adminToken = .Values.vaultwarden.admin.token | default (randAlphaNum 48) | b64enc | quote }}
{{- end -}}
{{- $smtpUser := "" }}
{{- if and (eq .Values.vaultwarden.smtp.enabled true ) (.Values.vaultwarden.smtp.user) }}
{{- $smtpUser = .Values.vaultwarden.smtp.user | b64enc | quote }}
{{- end -}}
{{- $yubicoClientId := "" }}
{{- if eq .Values.vaultwarden.yubico.enabled true }}
{{- $yubicoClientId = required "Yubico Client ID required" .Values.vaultwarden.yubico.clientId | toString | b64enc | quote }}
{{- end -}}
---
apiVersion: v1
kind: Secret
metadata:
name: vaultwardensecret
data:
{{- if ne $adminToken "" }}
ADMIN_TOKEN: {{ $adminToken }}
{{- end }}
{{- if ne $smtpUser "" }}
SMTP_USERNAME: {{ $smtpUser }}
SMTP_PASSWORD: {{ required "Must specify SMTP password" .Values.vaultwarden.smtp.password | b64enc | quote }}
{{- end }}
{{- if ne $yubicoClientId "" }}
YUBICO_CLIENT_ID: {{ $yubicoClientId }}
YUBICO_SECRET_KEY: {{ required "Yubico Secret Key required" .Values.vaultwarden.yubico.secretKey | b64enc | quote }}
{{- end }}
{{- end -}}
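Review bot: `ADMIN_TOKEN` falls back to `randAlphaNum 48`, which is re-evaluated on every render, so each `helm upgrade` (and each settings edit in SCALE) rotates the admin token and invalidates the one the operator retrieved, while the form promises the token "will be automatically generated if not defined". The usual remedy is to read back the existing `vaultwardensecret` with `lookup` and reuse its `ADMIN_TOKEN`, generating a fresh value only when no secret exists, bearing in mind that `lookup` returns nothing under `helm template` or dry-run. Until that is in place, a comment on the `$adminToken` assignment such as `{{/* NOTE: regenerated on every render unless admin.token is set */}}` would save the next person a debugging session.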


@@ -0,0 +1,17 @@
{{/*
Ensure valid DB type is select, defaults to SQLite
*/}}
{{- define "vaultwarden.dbTypeValid" -}}
{{- if not (or (eq .Values.database.type "postgresql") (eq .Values.database.type "mysql") (eq .Values.database.type "sqlite")) }}
{{- required "Invalid database type" nil }}
{{- end -}}
{{- end -}}
{{/*
Ensure log type is valid
*/}}
{{- define "vaultwarden.logLevelValid" -}}
{{- if not (or (eq .Values.vaultwarden.log.level "trace") (eq .Values.vaultwarden.log.level "debug") (eq .Values.vaultwarden.log.level "info") (eq .Values.vaultwarden.log.level "warn") (eq .Values.vaultwarden.log.level "error") (eq .Values.vaultwarden.log.level "off")) }}
{{- required "Invalid log level" nil }}
{{- end }}
{{- end }}


@@ -0,0 +1,39 @@
{{/* Make sure all variables are set properly */}}
{{- include "tc.common.loader.init" . }}
{{/* Render configmap for vaultwarden */}}
{{- include "vaultwarden.configmap" . }}
{{/* Render secrets for vaultwarden */}}
{{- include "vaultwarden.secrets" . }}
{{/* Define path for websocket */}}
{{- define "vaultwarden.websocket" -}}
{{- $fullname := include "tc.common.names.fullname" . -}}
path: "/notifications/hub"
# -- Ignored if not kubeVersion >= 1.14-0
pathType: Prefix
service:
# -- Overrides the service name reference for this path
name: {{ printf "%s-ws" $fullname }}
port: {{ .Values.service.ws.ports.ws.port }}
{{- end -}}
{{/* inject websocket path to all main ingress hosts*/}}
{{- define "vaultwarden.websocketinjector" -}}
{{- $path := list (include "vaultwarden.websocket" . | fromYaml) -}}
{{- if .Values.ingress.main.enabled }}
{{- range .Values.ingress.main.hosts }}
{{- $newpaths := list }}
{{- $newpaths := concat .paths $path }}
{{- $_ := set . "paths" ( deepCopy $newpaths ) -}}
{{- end }}
{{- end }}
{{- end -}}
{{/* inject websocket paths in ingress */}}
{{- include "vaultwarden.websocketinjector" . }}
{{/* Render the templates */}}
{{ include "tc.common.loader.apply" . }}
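Review bot: `vaultwarden.websocketinjector` appends the `/notifications/hub` path whenever the main ingress is enabled, without consulting `.Values.vaultwarden.enableWebsockets` or `.Values.service.ws.enabled`, so turning websockets off leaves an ingress path pointing at a service that is no longer rendered; gate it with `{{- if and .Values.ingress.main.enabled .Values.vaultwarden.enableWebsockets .Values.service.ws.enabled }}`. Inside the range, `{{- $newpaths := list }}` is immediately shadowed by the second `:=` and can be dropped, and `concat .paths $path` will presumably fail for a host entry that has no `paths` key, so `concat (default list .paths) $path` is the safer form.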


@@ -0,0 +1,164 @@
image:
repository: tccr.io/truecharts/vaultwarden
pullPolicy: IfNotPresent
tag: 1.26.0@sha256:c96156c6788a4e6104456a57c48767719147dba3dde1f0a76dfaa7bc98d62581
service:
main:
ports:
main:
port: 10102
targetPort: 8080
ws:
enabled: true
ports:
ws:
enabled: true
port: 3012
targetPort: 3012
env:
DOMAIN: "https://{{ if .Values.ingress }}{{ if .Values.ingress.main.enabled }}{{ ( index .Values.ingress.main.hosts 0 ).host }}{{ else }}placeholder.com{{ end }}{{ else }}placeholder.com{{ end }}"
DATABASE_URL:
secretKeyRef:
name: cnpgcreds
key: std
envFrom:
- configMapRef:
name: vaultwardenconfig
- secretRef:
name: vaultwardensecret
database:
# -- Database type,
# must be one of: 'sqlite', 'mysql' or 'postgresql'.
type: postgresql
# -- Enable DB Write-Ahead-Log for SQLite,
# disabled for other databases. https://github.com/dani-garcia/bitwarden_rs/wiki/Running-without-WAL-enabled
wal: true
## URL for external databases (mysql://user:pass@host:port or postgresql://user:pass@host:port).
# url: ""
## Set the size of the database connection pool.
# maxConnections: 10
## Connection retries during startup, 0 for infinite. 1 second between retries.
# retries: 15
# Set Bitwarden_rs application variables
vaultwarden:
# -- Allow any user to sign-up
# see: https://github.com/dani-garcia/bitwarden_rs/wiki/Disable-registration-of-new-users
allowSignups: true
## Whitelist domains allowed to sign-up. 'allowSignups' is ignored if set.
# signupDomains:
# - domain.tld
# -- Verify e-mail before login is enabled.
# SMTP must be enabled.
verifySignup: false
# When a user logs in an email is required to be sent. If sending the email fails the login attempt will fail. SMTP must be enabled.
requireEmail: false
## Maximum attempts before an email token is reset and a new email will need to be sent.
# emailAttempts: 3
## Email token validity in seconds.
# emailTokenExpiration: 600
# Allow invited users to sign-up even feature is disabled: https://github.com/dani-garcia/bitwarden_rs/wiki/Disable-invitations
allowInvitation: true
# Show password hints: https://github.com/dani-garcia/bitwarden_rs/wiki/Password-hint-display
## Default organization name in invitation e-mails that are not coming from a specific organization.
# defaultInviteName: ""
showPasswordHint: true
# Enable Websockets for notification. https://github.com/dani-garcia/bitwarden_rs/wiki/Enabling-WebSocket-notifications
# Redirect HTTP path "/notifications/hub" to port 3012. Ingress/IngressRoute controllers are automatically configured.
enableWebsockets: true
# Enable Web Vault (static content). https://github.com/dani-garcia/bitwarden_rs/wiki/Disabling-or-overriding-the-Vault-interface-hosting
enableWebVault: true
# Restrict creation of orgs. Options are: 'all', 'none' or a comma-separated list of users.
orgCreationUsers: all
## Limit attachment disk usage per organization.
# attachmentLimitOrg:
## Limit attachment disk usage per user.
# attachmentLimitUser:
## HaveIBeenPwned API Key. Can be purchased at https://haveibeenpwned.com/API/Key.
# hibpApiKey:
admin:
# Enable admin portal.
enabled: false
# Disabling the admin token will make the admin portal accessible to anyone, use carefully: https://github.com/dani-garcia/bitwarden_rs/wiki/Disable-admin-token
disableAdminToken: false
## Token for admin login, will be generated if not defined. https://github.com/dani-garcia/bitwarden_rs/wiki/Enabling-admin-page
# token:
# Enable SMTP. https://github.com/dani-garcia/bitwarden_rs/wiki/SMTP-configuration
smtp:
enabled: false
# SMTP hostname, required if SMTP is enabled.
host: ""
# SMTP sender e-mail address, required if SMTP is enabled.
from: ""
## SMTP sender name, defaults to 'Bitwarden_RS'.
# fromName: ""
## Enable SSL connection.
# ssl: true
## SMTP port. Defaults to 25 without SSL, 587 with SSL.
# port: 587
## SMTP Authentication Mechanisms. Comma-separated options: 'Plain', 'Login' and 'Xoauth2'. Defaults to 'Plain'.
# authMechanism: Plain
## Hostname to be sent for SMTP HELO. Defaults to pod name.
# heloName: ""
## SMTP timeout.
# timeout: 15
## Accept SSL session if certificate is valid but hostname doesn't match. DANGEROUS, vulnerable to men-in-the-middle attacks!
# invalidHostname: false
## Accept invalid certificates. DANGEROUS, vulnerable to men-in-the-middle attacks!
# invalidCertificate: false
## SMTP username.
# user: ""
## SMTP password. Required is user is specified, ignored if no user provided.
# password: ""
## Enable Yubico OTP authentication. https://github.com/dani-garcia/bitwarden_rs/wiki/Enabling-Yubikey-OTP-authentication
yubico:
enabled: false
## Yubico server. Defaults to YubiCloud.
# server:
## Yubico ID and Secret Key.
# clientId:
# secretKey:
## Logging options. https://github.com/dani-garcia/bitwarden_rs/wiki/Logging
log:
# Log to file.
file: ""
# Log level. Options are "trace", "debug", "info", "warn", "error" or "off".
level: "trace"
## Log timestamp format. See https://docs.rs/chrono/0.4.15/chrono/format/strftime/index.html. Defaults to time in milliseconds.
# timeFormat: ""
icons:
# Disables download of external icons. Setting to true will still serve icons from cache (/data/icon_cache). TTL will default to zero.
disableDownload: false
## Cache time-to-live for icons fetched. 0 means no purging.
# cache: 2592000
## Cache time-to-live for icons that were not available. 0 means no purging.
# cacheFailed: 259200
persistence:
data:
enabled: true
mountPath: "/data"
# enable cnpg
cnpg:
enabled: true
user: vaultwarden
# Enabled postgres
postgresql:
enabled: false
existingSecret: "dbcreds"
postgresqlUsername: vaultwarden
postgresqlDatabase: vaultwarden
portal:
enabled: true
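Review bot: `log.level` defaults to `"trace"` here while the SCALE form defaults to `"info"`, so plain Helm installs of this chart start a password-manager backend at its most verbose logging level; unless trace output is wanted for the cnpg migration test, `level: "info"` keeps the two defaults consistent. The `DOMAIN` template falls back to `https://placeholder.com` when no ingress host is configured, and vaultwarden uses `DOMAIN` for the links it puts in e-mails and, I believe, for the WebAuthn origin, so a placeholder is a functional problem rather than a cosmetic one — a comment above `env:` stating that an ingress host (or an explicit `DOMAIN`) is required would help. `database.type` stays `postgresql` while `DATABASE_URL` now comes from the `cnpgcreds` secret; the `# -- Database type` comment should say that the connection URL is taken from the cnpg secret when `cnpg.enabled` is true, since the commented `url:` key no longer applies.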