Vaultwarden, formerly known as Bitwarden_RS, is an "alternative implementation of the Bitwarden server API written in Rust and compatible with upstream Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal."
git clone https://github.com/guerzon/vaultwarden
cd vaultwarden
helm install my-vaultwarden-release .
In 2020, I built a simple project for deploying Bitwarden_RS to Kubernetes, which can be found here. That project is made up of various YAML files which have to be edited manually when adding required customizations.
The aim of this project is to deploy vaultwarden
with a stable configuration to Kubernetes clusters using Helm.
The upstream repository for the vaultwarden
project can be found here.
To learn more about Vaultwarden, please visit the wiki.
- Kubernetes 1.12+
- Helm 3.1.0
To deploy the chart with the release name vaultwarden-release
:
export NAMESPACE=vaultwarden
export DOMAIN_NAME=pass.company.com
helm install vaultwarden-release . \
--namespace $NAMESPACE \
--set "ingress.enabled=true" \
--set "ingress.hostname=$DOMAIN_NAME"
To deploy the chart to another namespace using custom values in the file demo.yaml
:
export NAMESPACE=vaultwarden-demo
export RELEASE_NAME=vaultwarden-demo
helm upgrade -i \
-n $NAMESPACE $RELEASE_NAME . \
-f demo.yaml
This chart deploys vaultwarden
from pre-built images on Docker Hub: vaultwarden/server
. The image can be defined by specifying the tag with image.tag
.
Example that uses the Alpine-based image 1.24.0-alpine
and an existing secret that contains registry credentials:
image:
tag: "1.24.0-alpine"
pullSecrets:
- myRegKey
Important: specify the URL used by users with the domain
variable, otherwise, some functionalities might not work:
domain: "https://vaultwarden.contoso.com:9443/"
Detailed configuration options can be found in the Vaultwarden settings section below.
By default, vaultwarden
uses a SQLite database located in /data/db.sqlite3
. However, it is also possible to make use of an external database, in particular either MySQL or PostgreSQL.
To configure an external database, set database.type
to either mysql
or postgresql
and specify the datase connection information.
Example for using an external MySQL database:
database:
type: mysql
host: database.contoso.eu
username: appuser
password: apppassword
dbName: prodapp
You can also specify the connection string:
database:
type: postgresql
uriOverride: "postgresql://appuser:[email protected]:5433/qualdb"
Detailed configuration options can be found in the Database Configuration section below.
This chart supports the usage of existing Ingress Controllers for exposing the vaultwarden
deployment.
Nginx ingress controller can be installed by following this guide. An SSL certificate can be added as a secret with a few commands:
cd <dir-containing-the-certs>
kubectl create secret -n vaultwarden \
tls vw-constoso-com-crt \
--key privkey.pem \
--cert fullchain.pem
Once both prerequisites are ready, values can be set as follows:
ingress:
enabled: true
class: "nginx"
tlsSecret: vw-constoso-com-crt
hostname: vaultwarden.contoso.com
allowList: "10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16"
When using AWS, the AWS Load Balancer controller can be used together with ACM.
Example for AWS:
ingress:
enabled: true
class: "alb"
hostname: vaultwarden.contoso.com
additionalAnnotations:
alb.ingress.kubernetes.io/scheme: internet-facing
alb.ingress.kubernetes.io/tags: Environment=dev,Team=test
alb.ingress.kubernetes.io/certificate-arn: "arn:aws:acm:eu-central-1:ACCOUNT:certificate/LONGID"
Detailed configuration options can be found in the Exposure Parameters section below.
An admin token can be generated with: openssl rand -base64 48
.
Detailed configuration options can be found in the Security Settings section below.
By default, the chart deploys a service account called vaultwarden-svc
.
serviceAccount:
create: true
name: "vaultwarden-svc"
Detailed configuration options can be found in the Security settings section below.
To enable the SMTP service, make sure that at a minimum, smtp.host
and smtp.from
are set.
smtp:
host: mx01.contoso.com
from: [email protected]
fromName: "Vault Administrator"
username: admin
password: password
acceptInvalidHostnames: "true"
acceptInvalidCerts: "true"
Detailed configuration options can be found in the SMTP Configuration section below.
To use persistent storage using a claim, set storage.enabled
to true
. The following example sets the storage class to an already-installed Rancher's local path storage provisioner.
storage:
enabled: true
size: "10Gi"
class: "local-path"
Example for AWS:
storage:
enabled: true
size: "10Gi"
class: "gp2"
Detailed configuration options can be found in the Storage Configuration section below.
Name | Description | Value |
---|---|---|
image.registry |
Vaultwarden image registry | docker.io |
image.repository |
Vaultwarden image repository | vaultwarden/server |
image.tag |
Vaultwarden image tag | 1.28.1 |
image.pullPolicy |
Vaultwarden image pull policy | IfNotPresent |
image.pullSecrets |
Specify docker-registry secret names | [] |
domain |
Domain name where the application is accessed | "" |
websocket.enabled |
Enable websocket notifications | true |
websocket.address |
Websocket listen address | 0.0.0.0 |
websocket.port |
Websocket listen port | 3012 |
rocket.port |
Rocket port | 8080 |
rocket.workers |
Rocket number of workers | 10 |
webVaultEnabled |
Enable Web Vault | true |
Name | Description | Value |
---|---|---|
podAnnotations |
Add extra annotations to the pod | {} |
podLabels |
Add extra labels to the pod | {} |
Name | Description | Value |
---|---|---|
adminToken.existingSecret |
Specify an existing Kubernetes secret containing the admin token. Also set adminToken.existingSecretKey. | "" |
adminToken.existingSecretKey |
When using adminToken.existingSecret, specify the key containing the token. | "" |
adminToken.value |
Plain string containing the admin token. | R@ndomToken$tring |
signupsAllowed |
By default, anyone who can access your instance can register for a new account. | true |
invitationsAllowed |
Even when registration is disabled, organization administrators or owners can | true |
signupDomains |
List of domain names for users allowed to register | contoso.com |
signupsVerify |
Whether to require account verification for newly-registered users. | true |
showPassHint |
Whether a password hint should be shown in the page. | false |
fullnameOverride |
String to override the application name. | "" |
serviceAccount.create |
Create a service account | true |
serviceAccount.name |
Name of the service account to create | vaultwarden-svc |
Name | Description | Value |
---|---|---|
ingress.enabled |
Deploy an ingress resource. | false |
ingress.class |
Ingress resource class | nginx |
ingress.nginxIngressAnnotations |
Add nginx specific ingress annotations | true |
ingress.additionalAnnotations |
Additional annotations for the ingress resource. | {} |
ingress.tls |
Enable TLS on the ingress resource. | true |
ingress.hostname |
Hostname for the ingress. | warden.contoso.com |
ingress.path |
Default application path for the ingress | / |
ingress.pathWs |
Path for the websocket ingress | /notifications/hub |
ingress.pathType |
Path type for the ingress | ImplementationSpecific |
ingress.pathTypeWs |
Path type for the ingress | ImplementationSpecific |
ingress.tlsSecret |
Kubernetes secret containing the SSL certificate when using the "nginx" class. | "" |
ingress.nginxAllowList |
Comma-separated list of IP addresses and subnets to allow. | "" |
service.type |
Service type | ClusterIP |
service.annotations |
Additional annotations for the vaultwarden service | {} |
Name | Description | Value |
---|---|---|
database.type |
Database type, either mysql or postgresql | default |
database.host |
Database hostname or IP address | "" |
database.port |
Database port | "" |
database.username |
Database username | "" |
database.password |
Database password | "" |
database.dbName |
Database name | "" |
database.uriOverride |
Manually specify the DB connection string | "" |
Name | Description | Value |
---|---|---|
smtp.existingSecret |
Name of an existing secret containing the SMTP username and password. Also set smtp.username.existingSecretKey and smtp.password.existingSecretKey. | "" |
smtp.host |
SMTP host | "" |
smtp.security |
SMTP Encryption method | starttls |
smtp.port |
SMTP port | 25 |
smtp.from |
SMTP sender email address | "" |
smtp.fromName |
SMTP sender FROM | "" |
smtp.username.value |
Username string for the SMTP authentication. | "" |
smtp.username.existingSecretKey |
When using an existing secret, specify the key which contains the username. | "" |
smtp.password.value |
Password string for the SMTP authentication. | "" |
smtp.password.existingSecretKey |
When using an existing secret, specify the key which contains the password. | "" |
smtp.authMechanism |
SMTP authentication mechanism | Plain |
smtp.acceptInvalidHostnames |
Accept Invalid Hostnames | false |
smtp.acceptInvalidCerts |
Accept Invalid Certificates | false |
smtp.debug |
SMTP debugging | false |
Name | Description | Value |
---|---|---|
storage.enabled |
Enable configuration for persistent storage | false |
storage.size |
Storage size for /data | 15Gi |
storage.class |
Specify the storage class | default |
storage.dataDir |
Specify the data directory | /data |
Name | Description | Value |
---|---|---|
logging.enabled |
Enable logging to a file | false |
logging.logfile |
Specify logfile path for output log | /data/vaultwarden.log |
logging.loglevel |
Specify the log level | warn |
Name | Description | Value |
---|---|---|
initContainers |
extra init containers for initializing the vaultwarden instance | [] |
sidecars |
extra containers running alongside the vaultwarden instance | [] |
Name | Description | Value |
---|---|---|
nodeSelector |
Node labels for pod assignment | {} |
affinity |
Affinity for pod assignment | {} |
tolerations |
Tolerations for pod assignment | [] |
To uninstall/delete the vaultwarden-demo
release:
export NAMESPACE=vaultwarden
export RELEASE_NAME=vaultwarden-demo
helm -n $NAMESPACE uninstall $RELEASE_NAME
I initially built this Helm chart for the purposes of learning Helm chart development, brush up on my Kubernetes skills, and in general, learn how to better manage application releases in Kubernetes.
Thus, I have to mention that this chart has to be tested more thoroughly before it is used in a production environment.
Nevertheless, if you find any issues while using this chart, or have any suggestions, I would appreciate it if you would submit an issue.
- Implement more configuration options.
- Prometheus metrics scraping would be nice to have.
- Automated testing, CI
MIT.
This Helm chart was created and is being maintained by Lester Guerzon.