These manifests provide way to deploy fully functional and secure bitwarden_rs
application behind nginx-ingress-controller
and AWS ELBv1 in Kubernetes hosted in AWS. It provides little bit more than just simple deployment but you can use all or just part of the manifests depending on your needs and setup.
This has been deployed and tested with Kubernetes 1.10
but should work with 1.9
and 1.8
too.
To install run:
$ kubectl apply -f kubernets/ -n some-namespace
To remove run:
$ kubectl delete -f kubernets/ -n some-namespace
The nginx-ingress-controller is an excellent ingress controller for Kubernetes. See this gist to deploy the controller in K8S cluster in AWS if you don't have one already running. It will create an ELB with proxy-protocol
enabled and TCP backend protocol so we can have support for Websockets needed for notifications (the controller has built in support for upgrade headers).
If you already have a domain TLS certificate (maybe wildcard one) place it in a secret called tls-secret
in the default
namespace so Nginx can use it (optional).
Apart from that the gist provides features like RBAC, HPA and PDB to insure smooth proxy operation.
To find out more see the project's excellent documentation.
See this gist for help about setting cert-manager
in Kubernetes to manage Let's Encrypt certificates for your domain(s). If you decide to use it then apply this changes to ingress.yml
:
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: bitwarden
labels:
app: bitwarden
annotations:
...
kubernetes.io/tls-acme: "true"
certmanager.k8s.io/cluster-issuer: "letsencrypt-[staging|prod]"
spec:
tls:
- hosts:
- bitwarden.domain.tld
secretName: bitwarden-tls
rules:
...
If successful, cert-manager
will place the obtained LE certificate in the bitwarden-tls
secret and manage it's renewal in the future.
The Bitwarden related settings are set in the configmap.yml
file.
In case you want to use the email feature, the SMTP username and password need to be set in the smtp-secret.yml
file as base64
encoded values.
There is another option to provide TLS certificate for the domain in the ingress.yml
via the secretName
parameter if you haven't done that already in the Nginx proxy settings (the difference is this certificate applies to this Ingress only versus globally for all domains when set in Nginx as default certificate).
The application gets deployed as Kubernetes StatefulSet and uses the AWSElasticBlockStore storage class to provide a persistent EBS volume for our data. Some other settings like CPU and memory resources are set in the statefulset.yml
file and can be modified as needed. The app will run as user id 33 (www-data) instead of default root user for increased security. The included RBAC settings in the rbac.yml
file provide access only to Kubernetes resources the app needs.