diff --git a/charts/vaultwarden/Chart.yaml b/charts/vaultwarden/Chart.yaml
index ee95cd4..91b189b 100644
--- a/charts/vaultwarden/Chart.yaml
+++ b/charts/vaultwarden/Chart.yaml
@@ -8,10 +8,10 @@ keywords:
 sources:
 - https://github.com/guerzon/vaultwarden
 - https://github.com/dani-garcia/vaultwarden
-appVersion: 1.30.1
+appVersion: 1.30.3
 maintainers:
 - name: guerzon
 email: guerzon@proton.me
 url: https://github.com/guerzon
-version: 0.21.0
+version: 0.22.0
 kubeVersion: ">=1.12.0-0"
diff --git a/charts/vaultwarden/README.md b/charts/vaultwarden/README.md
index 77d20c8..6ccda90 100644
--- a/charts/vaultwarden/README.md
+++ b/charts/vaultwarden/README.md
@@ -241,99 +241,33 @@ helm -n $NAMESPACE uninstall $RELEASE_NAME ## Parameters -### Vaultwarden settings - -| Name | Description | Value | -| ------------------- | --------------------------------------------- | -------------------- | -| `image.registry` | Vaultwarden image registry | `docker.io` | -| `image.repository` | Vaultwarden image repository | `vaultwarden/server` | -| `image.tag` | Vaultwarden image tag | `1.30.1-alpine` | -| `image.pullPolicy` | Vaultwarden image pull policy | `IfNotPresent` | -| `image.pullSecrets` | Specify docker-registry secret names | `[]` | -| `domain` | Domain name where the application is accessed | `""` | -| `websocket.enabled` | Enable websocket notifications | `true` | -| `websocket.address` | Websocket listen address | `0.0.0.0` | -| `websocket.port` | Websocket listen port | `3012` | -| `rocket.address` | Address to bind to | `0.0.0.0` | -| `rocket.port` | Rocket port | `8080` | -| `rocket.workers` | Rocket number of workers | `10` | -| `webVaultEnabled` | Enable Web Vault | `true` | - -### Overwrite automatic resource type detection - -| Name | Description | Value | -| ---------------------- | --------------------------------------- | ----- | -| `resourceType` | Can be either Deployment or StatefulSet | `""` | -| `configMapAnnotations` | Add extra annotations to the configmap | `{}` | - -### Pod configuration - -| Name | Description | Value | -| ---------------- | -------------------------------- | ----- | -| `podAnnotations` | Add extra annotations to the pod | `{}` | -| `podLabels` | Add extra labels to the pod | `{}` | - -### Security settings - -| Name | Description | Value | -| -------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- | -| 
`adminToken.existingSecret` | Specify an existing Kubernetes secret containing the admin token. Also set adminToken.existingSecretKey. | `""` | -| `adminToken.existingSecretKey` | When using adminToken.existingSecret, specify the key containing the token. | `""` | -| `adminToken.value` | Plain or argon2 string containing the admin token. | `$argon2id$v=19$m=19456,t=2,p=1$Vkx1VkE4RmhDMUhwNm9YVlhPQkVOZk1Yc1duSDdGRVYzd0Y5ZkgwaVg0Yz0$PK+h1ANCbzzmEKaiQfCjWw+hWFaMKvLhG2PjRanH5Kk` | -| `signupsAllowed` | By default, anyone who can access your instance can register for a new account. | `true` | -| `invitationsAllowed` | Even when registration is disabled, organization administrators or owners can | `true` | -| `signupDomains` | List of domain names for users allowed to register. For example: | `""` | -| `signupsVerify` | Whether to require account verification for newly-registered users. | `true` | -| `showPassHint` | Whether a password hint should be shown in the page. | `false` | -| `fullnameOverride` | String to override the application name. | `""` | -| `invitationOrgName` | String Name shown in the invitation emails that don't come from a specific organization | `Vaultwarden` | -| `orgCreationUsers` | Controls which users can create new orgs. | `""` | -| `orgEventsEnabled` | Controls whether event logging is enabled for organizations | `false` | -| `sendsAllowed` | Controls whether users are allowed to create Bitwarden Sends. | `true` | -| `emergencyAccessAllowed` | Controls whether users can enable emergency access to their accounts. | `true` | -| `emergencyNotifReminderSched` | Cron schedule of the job that sends expiration reminders to emergency access grantors. | `0 3 * * * *` | -| `emergencyRqstTimeoutSched` | Cron schedule of the job that grants emergency access requests that have met the required wait time. | `0 7 * * * *` | -| `eventCleanupSched` | Cron schedule of the job that cleans old events from the event table. 
| `0 10 0 * * *` | -| `eventsDayRetain` | Number of days to retain events stored in the database. | `""` | -| `iconService` | The predefined icon services are: internal, bitwarden, duckduckgo, google. | `internal` | -| `invitationExpirationHours` | The number of hours after which an organization invite token, emergency access invite token, | `120` | -| `requireDeviceEmail` | Require new device emails. When a user logs in an email is required to be sent. | `false` | -| `trashAutoDeleteDays` | Number of days to wait before auto-deleting a trashed item. | `""` | -| `timeZone` | Specify timezone different from the default (UTC). | `""` | -| `iconBlacklistNonGlobalIps` | Whether block non-global IPs. | `true` | -| `ipHeader` | Client IP Header, used to identify the IP of the client | `X-Real-IP` | -| `serviceAccount.create` | Create a service account | `true` | -| `serviceAccount.name` | Name of the service account to create | `vaultwarden-svc` | -| `podSecurityContext` | Pod security options | `{}` | -| `securityContext` | Default security options to run vault as read only container without privilege escalation | `{}` | -| `yubico.clientId` | Yubico client ID | `""` | -| `yubico.secretKey` | Yubico secret key | `""` | -| `yubico.server` | Specify a Yubico server, otherwise the default servers will be used | `""` | -| `experimentalClientFeatureFlags` | Comma separated list of experimental features to enable in clients, make sure to check which features are already enabled by default (.env.template) | `nil` | - -### Exposure Parameters - -| Name | Description | Value | -| --------------------------------- | ------------------------------------------------------------------------------ | -------------------- | -| `ingress.enabled` | Deploy an ingress resource. 
| `false` | -| `ingress.class` | Ingress resource class | `nginx` | -| `ingress.nginxIngressAnnotations` | Add nginx specific ingress annotations | `true` | -| `ingress.additionalAnnotations` | Additional annotations for the ingress resource. | `{}` | -| `ingress.labels` | Additional labels for the ingress resource. | `{}` | -| `ingress.tls` | Enable TLS on the ingress resource. | `true` | -| `ingress.hostname` | Hostname for the ingress. | `warden.contoso.com` | -| `ingress.path` | Default application path for the ingress | `/` | -| `ingress.pathWs` | Path for the websocket ingress | `/notifications/hub` | -| `ingress.pathType` | Path type for the ingress | `Prefix` | -| `ingress.pathTypeWs` | Path type for the ingress | `Exact` | -| `ingress.tlsSecret` | Kubernetes secret containing the SSL certificate when using the "nginx" class. | `""` | -| `ingress.nginxAllowList` | Comma-separated list of IP addresses and subnets to allow. | `""` | -| `service.type` | Service type | `ClusterIP` | -| `service.annotations` | Additional annotations for the vaultwarden service | `{}` | -| `service.labels` | Additional labels for the service | `{}` | -| `service.ipFamilyPolicy` | IP family policy for the service | `SingleStack` | - -### Probe Parameters +### Kubernetes settings + +| Name | Description | Value | +| ----------------------- | ----------------------------------------------------------------------------------------- | -------------------- | +| `image.registry` | Vaultwarden image registry | `docker.io` | +| `image.repository` | Vaultwarden image repository | `vaultwarden/server` | +| `image.tag` | Vaultwarden image tag | `1.30.3-alpine` | +| `image.pullPolicy` | Vaultwarden image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Specify docker-registry secret names | `[]` | +| `fullnameOverride` | String to override the application name. 
| `""` | +| `resourceType` | Can be either Deployment or StatefulSet | `""` | +| `commonAnnotations` | Annotations for the deployment or statefulset | `{}` | +| `configMapAnnotations` | Add extra annotations to the configmap | `{}` | +| `podAnnotations` | Add extra annotations to the pod | `{}` | +| `commonLabels` | Additional labels for the deployment or statefulset | `{}` | +| `podLabels` | Add extra labels to the pod | `{}` | +| `initContainers` | extra init containers for initializing the vaultwarden instance | `[]` | +| `sidecars` | extra containers running alongside the vaultwarden instance | `[]` | +| `nodeSelector` | Node labels for pod assignment | `{}` | +| `affinity` | Affinity for pod assignment | `{}` | +| `tolerations` | Tolerations for pod assignment | `[]` | +| `serviceAccount.create` | Create a service account | `true` | +| `serviceAccount.name` | Name of the service account to create | `vaultwarden-svc` | +| `podSecurityContext` | Pod security options | `{}` | +| `securityContext` | Default security options to run vault as read only container without privilege escalation | `{}` | + +### Reliability configuration | Name | Description | Value | | ------------------------------------ | ----------------------------------------------------------------------- | ------- | 
@@ -355,8 +289,21 @@ helm -n $NAMESPACE uninstall $RELEASE_NAME | `startupProbe.periodSeconds` | How often to perform the probe | `10` | | `startupProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful | `1` | | `startupProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed | `10` | +| `resources` | Resource configurations | `{}` | +| `strategy` | Resource configurations | `{}` | +| `podDisruptionBudget.enabled` | Enable PodDisruptionBudget settings | `false` | +| `podDisruptionBudget.minAvailable` | Minimum number/percentage of pods that should remain scheduled. | `1` | +| `podDisruptionBudget.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable | `nil` | + +### Persistent data configuration + +| Name | Description | Value | +| ----------------- | ------------------------------------------------------------------------- | ------ | +| `data` | Data directory configuration, refer to values.yaml for parameters. | `{}` | +| `attachments` | Attachments directory configuration, refer to values.yaml for parameters. | `{}` | +| `webVaultEnabled` | Enable Web Vault | `true` | -### Database Configuration +### Database settings | Name | Description | Value | | ---------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- | --------- | 
@@ -372,6 +319,82 @@ helm -n $NAMESPACE uninstall $RELEASE_NAME | `database.connectionRetries` | Number of times to retry the database connection during startup, with 1 second delay between each retry, set to 0 to retry indefinitely. | `15` | | `database.maxConnections` | Define the size of the connection pool used for connecting to the database. | `10` | +### Push notifications + +| Name | Description | Value | +| ------------------- | ---------------------------------------------------------------- | ----- | +| `pushNotifications` | Enable mobile push notifications, see values.yaml for parameters | `{}` | + +### Scheduled jobs + +| Name | Description | Value | +| ----------------------------- | ---------------------------------------------------------------------------------------------------- | -------------- | +| `emergencyNotifReminderSched` | Cron schedule of the job that sends expiration reminders to emergency access grantors. | `0 3 * * * *` | +| `emergencyRqstTimeoutSched` | Cron schedule of the job that grants emergency access requests that have met the required wait time. | `0 7 * * * *` | +| `eventCleanupSched` | Cron schedule of the job that cleans old events from the event table. | `0 10 0 * * *` | +| `eventsDayRetain` | Number of days to retain events stored in the database. | `""` | + +### General settings + +| Name | Description | Value | +| --------------------------- | -------------------------------------------------------------------------------------------- | ------------- | +| `domain` | Domain name where the application is accessed | `""` | +| `sendsAllowed` | Controls whether users are allowed to create Bitwarden Sends. | `true` | +| `hibpApiKey` | HaveIBeenPwned API Key | `""` | +| `orgAttachmentLimit` | Max Kilobytes of attachment storage allowed per organization. | `""` | +| `userAttachmentLimit` | Max kilobytes of attachment storage allowed per user. | `""` | +| `userSendLimit` | Max kilobytes of send storage allowed per user. 
| `""` | +| `trashAutoDeleteDays` | Number of days to wait before auto-deleting a trashed item. | `""` | +| `signupsAllowed` | By default, anyone who can access your instance can register for a new account. | `true` | +| `signupsVerify` | Whether to require account verification for newly-registered users. | `true` | +| `signupDomains` | List of domain names for users allowed to register. For example: | `""` | +| `orgEventsEnabled` | Controls whether event logging is enabled for organizations | `false` | +| `orgCreationUsers` | Controls which users can create new orgs. | `""` | +| `invitationsAllowed` | Even when registration is disabled, organization administrators or owners can | `true` | +| `invitationOrgName` | String Name shown in the invitation emails that don't come from a specific organization | `Vaultwarden` | +| `invitationExpirationHours` | The number of hours after which an organization invite token, emergency access invite token, | `120` | +| `emergencyAccessAllowed` | Controls whether users can enable emergency access to their accounts. | `true` | +| `emailChangeAllowed` | Controls whether users can change their email. | `true` | +| `showPassHint` | Controls whether a password hint should be shown directly in the web page if | `false` | + +### Advanced settings + +| Name | Description | Value | +| -------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- | +| `ipHeader` | Client IP Header, used to identify the IP of the client | `X-Real-IP` | +| `iconService` | The predefined icon services are: internal, bitwarden, duckduckgo, google. | `internal` | +| `iconRedirectCode` | Icon redirect code | `302` | +| `iconBlacklistNonGlobalIps` | Whether block non-global IPs. 
| `true` | +| `experimentalClientFeatureFlags` | Comma separated list of experimental features to enable in clients, make sure to check which features are already enabled by default (.env.template) | `nil` | +| `requireDeviceEmail` | Require new device emails. When a user logs in an email is required to be sent. | `false` | +| `extendedLogging` | Enable extended logging, which shows timestamps and targets in the logs | `true` | +| `logTimestampFormat` | Timestamp format used in extended logging. | `%Y-%m-%d %H:%M:%S.%3f` | +| `logging.logLevel` | Specify the log level | `""` | +| `logging.logFile` | Log to a file | `""` | +| `adminToken.existingSecret` | Specify an existing Kubernetes secret containing the admin token. Also set adminToken.existingSecretKey. | `""` | +| `adminToken.existingSecretKey` | When using adminToken.existingSecret, specify the key containing the token. | `""` | +| `adminToken.value` | Plain or argon2 string containing the admin token. | `$argon2id$v=19$m=19456,t=2,p=1$Vkx1VkE4RmhDMUhwNm9YVlhPQkVOZk1Yc1duSDdGRVYzd0Y5ZkgwaVg0Yz0$PK+h1ANCbzzmEKaiQfCjWw+hWFaMKvLhG2PjRanH5Kk` | +| `adminRateLimitSeconds` | Number of seconds, on average, between admin login requests from the same IP address before rate limiting kicks in. | `300` | +| `adminRateLimitMaxBurst` | Allow a burst of requests of up to this size, while maintaining the average indicated by adminRateLimitSeconds. | `3` | +| `timeZone` | Specify timezone different from the default (UTC). 
| `""` | + +### BETA Features + +| Name | Description | Value | +| ------------------ | ----------------------------------------------------------- | ------- | +| `orgGroupsEnabled` | Controls whether group support is enabled for organizations | `false` | + +### MFA/2FA settings + +| Name | Description | Value | +| ------------------ | ------------------------------------------------------------------- | ----- | +| `yubico.clientId` | Yubico client ID | `""` | +| `yubico.secretKey` | Yubico secret key | `""` | +| `yubico.server` | Specify a Yubico server, otherwise the default servers will be used | `""` | +| `duo.ikey` | Duo Integration Key | `""` | +| `duo.secretKey` | Duo Secret Key | `""` | +| `duo.hostname` | Duo API hostname | `""` | + ### SMTP Configuration | Name | Description | Value | 
@@ -391,41 +414,30 @@ helm -n $NAMESPACE uninstall $RELEASE_NAME | `smtp.acceptInvalidCerts` | Accept Invalid Certificates | `false` | | `smtp.debug` | SMTP debugging | `false` | -### Persistent data configuration - -| Name | Description | Value | -| ------------- | ------------------------------------------------------------------------- | ----- | -| `data` | Data directory configuration, refer to values.yaml for parameters. | `{}` | -| `attachments` | Attachments directory configuration, refer to values.yaml for parameters. | `{}` | - -### Logging Configuration - -| Name | Description | Value | -| ------------------ | ----------------------------------------------------------------------- | ------ | -| `logging.logLevel` | Specify the log level | `""` | -| `logging.logFile` | Log to a file | `""` | -| `extendedLogging` | Enable extended logging, which shows timestamps and targets in the logs | `true` | - -### Extra Configuration - -| Name | Description | Value | -| ------------------------------------ | --------------------------------------------------------------- | ------- | -| `initContainers` | extra init containers for initializing the vaultwarden instance | `[]` | -| `sidecars` | extra containers running alongside the vaultwarden instance | `[]` | -| `nodeSelector` | Node labels for pod assignment | `{}` | -| `affinity` | Affinity for pod assignment | `{}` | -| `tolerations` | Tolerations for pod assignment | `[]` | -| `commonLabels` | Additional labels for the deployment or statefulset | `{}` | -| `commonAnnotations` | Annotations for the deployment or statefulset | `{}` | -| `pushNotifications` | Enable mobile push notifications | `{}` | -| `resources` | Resource configurations | `{}` | -| `strategy` | Resource configurations | `{}` | -| `podDisruptionBudget.enabled` | Enable PodDisruptionBudget settings | `false` | -| `podDisruptionBudget.minAvailable` | Minimum number/percentage of pods that should remain scheduled. 
| `1` | -| `podDisruptionBudget.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable | `nil` | +### Exposure settings -### BETA Features - -| Name | Description | Value | -| ------------------ | ----------------------------------------------------------- | ------- | -| `orgGroupsEnabled` | Controls whether group support is enabled for organizations | `false` | +| Name | Description | Value | +| --------------------------------- | ------------------------------------------------------------------------------ | -------------------- | +| `websocket.enabled` | Enable websocket notifications | `true` | +| `websocket.address` | Websocket listen address | `0.0.0.0` | +| `websocket.port` | Websocket listen port | `3012` | +| `rocket.address` | Address to bind to | `0.0.0.0` | +| `rocket.port` | Rocket port | `8080` | +| `rocket.workers` | Rocket number of workers | `10` | +| `service.type` | Service type | `ClusterIP` | +| `service.annotations` | Additional annotations for the vaultwarden service | `{}` | +| `service.labels` | Additional labels for the service | `{}` | +| `service.ipFamilyPolicy` | IP family policy for the service | `SingleStack` | +| `ingress.enabled` | Deploy an ingress resource. | `false` | +| `ingress.class` | Ingress resource class | `nginx` | +| `ingress.nginxIngressAnnotations` | Add nginx specific ingress annotations | `true` | +| `ingress.additionalAnnotations` | Additional annotations for the ingress resource. | `{}` | +| `ingress.labels` | Additional labels for the ingress resource. | `{}` | +| `ingress.tls` | Enable TLS on the ingress resource. | `true` | +| `ingress.hostname` | Hostname for the ingress. 
| `warden.contoso.com` |
+| `ingress.path` | Default application path for the ingress | `/` |
+| `ingress.pathWs` | Path for the websocket ingress | `/notifications/hub` |
+| `ingress.pathType` | Path type for the ingress | `Prefix` |
+| `ingress.pathTypeWs` | Path type for the ingress | `Exact` |
+| `ingress.tlsSecret` | Kubernetes secret containing the SSL certificate when using the "nginx" class. | `""` |
+| `ingress.nginxAllowList` | Comma-separated list of IP addresses and subnets to allow. | `""` |
diff --git a/charts/vaultwarden/templates/configmap.yaml b/charts/vaultwarden/templates/configmap.yaml
index 7874945..12fe1d4 100644
--- a/charts/vaultwarden/templates/configmap.yaml
+++ b/charts/vaultwarden/templates/configmap.yaml
@@ -70,6 +70,11 @@ data:
 YUBICO_SERVER: {{ .Values.yubico.server | quote }}
 {{- end }}
 {{- end }}
+ {{- if and .Values.duo.ikey .Values.duo.secretKey .Values.duo.hostname }}
+ DUO_IKEY: {{ .Values.duo.ikey | quote }}
+ DUO_SKEY: {{ .Values.duo.secretKey | quote }}
+ DUO_HOST: {{ .Values.duo.hostname | quote }}
+ {{- end }}
 {{- with .Values.experimentalClientFeatureFlags }}
 EXPERIMENTAL_CLIENT_FEATURE_FLAGS: {{ . | quote }}
 {{- end }}
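Review bot: `DUO_SKEY` is an authentication credential, and the new `{{- if and .Values.duo.ikey .Values.duo.secretKey .Values.duo.hostname }}` block writes it into the ConfigMap in plaintext, where anyone with `get configmaps` in the namespace can read it and where it will persist in GitOps history. This extends an existing weakness rather than creating one — `YUBICO_SECRET_KEY` presumably sits next to the `YUBICO_SERVER` context line in the same ConfigMap — but a second secret is a good reason to fix the pattern: render `DUO_SKEY` into the chart's Secret and expose it through an `existingSecret`/`existingSecretKey` pair the way `adminToken` already does, leaving only `DUO_IKEY` and `DUO_HOST` here. At minimum, mark the line so the next reader does not copy the pattern, e.g. `# NOTE: DUO_SKEY is a credential; move to a Secret + envFrom rather than this ConfigMap`. The three-way `and` guard itself is sound — a half-configured Duo block is better skipped than rendered with empty values.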
@@ -87,8 +92,27 @@ data:
 EVENT_CLEANUP_SCHEDULE: {{ .Values.eventCleanupSched | quote }}
 {{- end }}
 EXTENDED_LOGGING: {{ .Values.extendedLogging | quote }}
+ LOG_TIMESTAMP_FORMAT: {{ .Values.logTimestampFormat | quote }}
 ICON_SERVICE: {{ .Values.iconService | quote }}
+ ICON_REDIRECT_CODE: {{ .Values.iconRedirectCode | quote }}
 INVITATION_EXPIRATION_HOURS: {{ .Values.invitationExpirationHours | quote}}
 REQUIRE_DEVICE_EMAIL: {{ .Values.requireDeviceEmail | quote }}
 TRASH_AUTO_DELETE_DAYS: {{ .Values.trashAutoDeleteDays | quote }}
+ {{- with .Values.timeZone }}
 TZ: {{ .Values.timeZone | quote }}
+ {{- with .Values.hibpApiKey }}
+ HIBP_API_KEY: {{ . | quote }}
+ {{- end }}
+ {{- end }}
+ {{- with .Values.orgAttachmentLimit }}
+ ORG_ATTACHMENT_LIMIT: {{ . | quote }}
+ {{- end }}
+ {{- with .Values.userAttachmentLimit }}
+ USER_ATTACHMENT_LIMIT: {{ . | quote }}
+ {{- end }}
+ {{- with .Values.userSendLimit }}
+ USER_SEND_LIMIT: {{ . | quote }}
+ {{- end }}
+ EMAIL_CHANGE_ALLOWED: {{ .Values.emailChangeAllowed | quote }}
+ ADMIN_RATELIMIT_SECONDS: {{ .Values.adminRateLimitSeconds | quote }}
+ ADMIN_RATELIMIT_MAX_BURST: {{ .Values.adminRateLimitMaxBurst | quote }}
diff --git a/charts/vaultwarden/values.yaml b/charts/vaultwarden/values.yaml
index 985a926..aab5f2a 100644
--- a/charts/vaultwarden/values.yaml
+++ b/charts/vaultwarden/values.yaml
@@ -1,4 +1,6 @@
-## @section Vaultwarden settings
+## Instruction: when adding a new value, follow https://github.com/dani-garcia/vaultwarden/blob/main/.env.template as much as possible.
+
+## @section Kubernetes settings
 ##
 image:
 ## @param image.registry Vaultwarden image registry
@@ -11,7 +13,7 @@ image:
 ## @param image.tag Vaultwarden image tag
 ## Ref: https://hub.docker.com/r/vaultwarden/server/tags
 ##
- tag: "1.30.1-alpine"
+ tag: "1.30.3-alpine"
 ## @param image.pullPolicy Vaultwarden image pull policy
 ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
 ##
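Review bot: The new `{{- with .Values.timeZone }}` block is mis-nested: the `hibpApiKey` block sits inside it, so `HIBP_API_KEY` is only ever emitted when a timezone is also set, and because `with` rebinds the dot, the unchanged context line `TZ: {{ .Values.timeZone | quote }}` should now fail to render (field `Values` looked up on a string) whenever `timeZone` is non-empty, while an empty `timeZone` silently drops `TZ`, which the old side always set. Close the block right after the TZ line and use the rebound dot — `TZ: {{ . | quote }}` then `{{- end }}` — and open a separate `{{- with .Values.hibpApiKey }} … {{- end }}` alongside the other optional limits. Note also that `HIBP_API_KEY` is an API credential landing in a plaintext ConfigMap, so a Secret would be the better home, as for the admin token. Consider adding a `helm template` render with `timeZone` set to the CI lint so the rebinding error cannot recur.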
@@ -23,167 +25,58 @@ image: ## - myRegistryKeySecretName ## pullSecrets: [] -## @param domain Domain name where the application is accessed -## Example: https://warden.contoso.com:8443 -## -domain: "" -## @param websocket.enabled Enable websocket notifications -## @param websocket.address Websocket listen address -## @param websocket.port Websocket listen port -## -websocket: - enabled: true - address: "0.0.0.0" - port: 3012 -## @param rocket.address Address to bind to -## @param rocket.port Rocket port -## @param rocket.workers Rocket number of workers -## -rocket: - address: "0.0.0.0" - port: "8080" - workers: "10" -## @param webVaultEnabled Enable Web Vault -## -webVaultEnabled: "true" -## @section Overwrite automatic resource type detection +## @param fullnameOverride String to override the application name. ## +fullnameOverride: "" + ## @param resourceType Can be either Deployment or StatefulSet +## Overwrite automatic resource type detection by specifying the resource type ## resourceType: "" +## @param commonAnnotations Annotations for the deployment or statefulset +## +commonAnnotations: {} + ## @param configMapAnnotations Add extra annotations to the configmap ## configMapAnnotations: {} -## @section Pod configuration -## ## @param podAnnotations Add extra annotations to the pod ## podAnnotations: {} -## @param podLabels Add extra labels to the pod -## -podLabels: {} - -## @section Security settings -## - -adminToken: - ## @param adminToken.existingSecret Specify an existing Kubernetes secret containing the admin token. Also set adminToken.existingSecretKey. - ## Example: admincreds_secret - ## - existingSecret: "" - ## @param adminToken.existingSecretKey When using adminToken.existingSecret, specify the key containing the token. - ## Example: ADMIN_TOKEN - ## - existingSecretKey: "" - ## @param adminToken.value Plain or argon2 string containing the admin token. - ## This example is the argon2 has of "R@ndomTokenString" (no quotes). 
- ## - value: "$argon2id$v=19$m=19456,t=2,p=1$Vkx1VkE4RmhDMUhwNm9YVlhPQkVOZk1Yc1duSDdGRVYzd0Y5ZkgwaVg0Yz0$PK+h1ANCbzzmEKaiQfCjWw+hWFaMKvLhG2PjRanH5Kk" - -## @param signupsAllowed By default, anyone who can access your instance can register for a new account. -## To disable this, set this parameter to false. Even when signupsAllowed=false, an existing user who is -## an organization owner or admin can still invite new users. If you want to disable this as well, set -## invitationsAllowed to false. The vaultwarden admin can invite anyone via the admin page, regardless -## of any of the restrictions above -## -## If signupDomains is set, then the value of signupsAllowed is ignored -signupsAllowed: true -## @param invitationsAllowed Even when registration is disabled, organization administrators or owners can -## invite users to join organization. After they are invited, they can register with the invited email even -## if signupsAllowed is actually set to false. You can disable this functionality completely by setting -## invitationsAllowed env variable to false -invitationsAllowed: true -## @param signupDomains List of domain names for users allowed to register. For example: -## example.com,example.net,example.org. -## -signupDomains: "" -## @param signupsVerify Whether to require account verification for newly-registered users. -## -signupsVerify: "true" -## @param showPassHint Whether a password hint should be shown in the page. -## -showPassHint: "false" -## @param fullnameOverride String to override the application name. -## -fullnameOverride: "" - -## @param invitationOrgName String Name shown in the invitation emails that don't come from a specific organization -## -invitationOrgName: "Vaultwarden" - -## @param orgCreationUsers Controls which users can create new orgs. -## Blank or 'all' means all users can create orgs. -## 'none' means no users can create orgs. -## A comma-separated list means only those users can create orgs. 
-## -orgCreationUsers: "" - -## @param orgEventsEnabled Controls whether event logging is enabled for organizations -## -orgEventsEnabled: "false" - -## @param sendsAllowed Controls whether users are allowed to create Bitwarden Sends. -## -sendsAllowed: "true" -## @param emergencyAccessAllowed Controls whether users can enable emergency access to their accounts. -## -emergencyAccessAllowed: "true" - -## @param emergencyNotifReminderSched Cron schedule of the job that sends expiration reminders to emergency access grantors. -## Set to blank to disable this job. -## -emergencyNotifReminderSched: "0 3 * * * *" - -## @param emergencyRqstTimeoutSched Cron schedule of the job that grants emergency access requests that have met the required wait time. -## Set to blank to disable this job. -## -emergencyRqstTimeoutSched: "0 7 * * * *" - -## @param eventCleanupSched Cron schedule of the job that cleans old events from the event table. -## Set to blank to disable this job. Also without eventsDayRetain set, this job will not start. -## -eventCleanupSched: "0 10 0 * * *" - -## @param eventsDayRetain Number of days to retain events stored in the database. -## If unset (the default), events are kept indefinitely and the scheduled job is disabled! +## @param commonLabels Additional labels for the deployment or statefulset ## -eventsDayRetain: "" +commonLabels: {} -## @param iconService The predefined icon services are: internal, bitwarden, duckduckgo, google. +## @param podLabels Add extra labels to the pod ## -iconService: "internal" +podLabels: {} -## @param invitationExpirationHours The number of hours after which an organization invite token, emergency access invite token, -## email verification token and deletion request token will expire (must be at least 1) +## @param initContainers extra init containers for initializing the vaultwarden instance ## -invitationExpirationHours: "120" +initContainers: [] -## @param requireDeviceEmail Require new device emails. 
When a user logs in an email is required to be sent. +## @param sidecars extra containers running alongside the vaultwarden instance ## -requireDeviceEmail: "false" +sidecars: [] -## @param trashAutoDeleteDays Number of days to wait before auto-deleting a trashed item. -## If unset (the default), trashed items are not auto-deleted. -## This setting applies globally, so make sure to inform all users of any changes to this setting. +## @param nodeSelector Node labels for pod assignment +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector ## -trashAutoDeleteDays: "" +nodeSelector: {} -## @param timeZone Specify timezone different from the default (UTC). -## For example: "Europe/Berlin" +## @param affinity Affinity for pod assignment +## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity ## -timeZone: "" - -## @param iconBlacklistNonGlobalIps Whether block non-global IPs. -## Useful to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block -iconBlacklistNonGlobalIps: "true" +affinity: {} -## @param ipHeader Client IP Header, used to identify the IP of the client +## @param tolerations Tolerations for pod assignment +## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ ## -ipHeader: "X-Real-IP" +tolerations: [] ## @param serviceAccount.create Create a service account ## @param serviceAccount.name Name of the service account to create 
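Review bot: This hunk removes the `adminToken` block together with the removed-side comment explaining that the default `adminToken.value` is the argon2 hash of `R@ndomTokenString`, yet the README on the new side still lists that same hash as the chart default, so presumably the block was re-added unchanged in a section outside this hunk. A publicly documented preimage for the admin token means every install that does not override it exposes `/admin` to anyone who has read the chart; the relocation is a good moment to ship `value: ""` and either fail the render with `required "adminToken.value or adminToken.existingSecret must be set"` or document that the admin page stays disabled until one is provided (vaultwarden disables `/admin` when `ADMIN_TOKEN` is unset — confirm against the configmap/secret templates). The relocated `podSecurityContext`/`securityContext` defaults also remain `{}` while their README description promises a read-only container without privilege escalation; either the default should carry those settings or the description should say it is empty by default.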
@@ -211,94 +104,8 @@ securityContext: {} # drop: # - ALL -## @param yubico.clientId Yubico client ID -## @param yubico.secretKey Yubico secret key -## @param yubico.server Specify a Yubico server, otherwise the default servers will be used -## -yubico: - clientId: "" - secretKey: "" - server: "" - -## @param experimentalClientFeatureFlags Comma separated list of experimental features to enable in clients, make sure to check which features are already enabled by default (.env.template) -## Possible values: -## - "autofill-overlay": Add an overlay menu to form fields for quick access to credentials. -## - "autofill-v2": Use the new autofill implementation. -## - "browser-fileless-import": Directly import credentials from other providers without a file. -## - "fido2-vault-credentials": Enable the use of FIDO2 security keys as second factor. -experimentalClientFeatureFlags: null - - -## @section Exposure Parameters -## - -## Ingress configuration -## Refer to the README for some examples -## -ingress: - ## @param ingress.enabled Deploy an ingress resource. - ## - enabled: false - ## @param ingress.class Ingress resource class - ## The Ingress class to use, e. g. "nginx" for a nginx ingress controller or "alb" for a AWS LB controller. - # - class: "nginx" - ## @param ingress.nginxIngressAnnotations Add nginx specific ingress annotations - ## This annotations are only makes sense for the kubernetes nginx ingress controller (https://kubernetes.github.io/ingress-nginx/) - ## - nginxIngressAnnotations: true - ## @param ingress.additionalAnnotations Additional annotations for the ingress resource. - ## - additionalAnnotations: {} - ## @param ingress.labels Additional labels for the ingress resource. - ## - labels: {} - ## @param ingress.tls Enable TLS on the ingress resource. - ## - tls: true - ## @param ingress.hostname Hostname for the ingress. 
- ## - hostname: "warden.contoso.com" - ## @param ingress.path Default application path for the ingress - ## - path: "/" - ## @param ingress.pathWs Path for the websocket ingress - ## - pathWs: "/notifications/hub" - ## @param ingress.pathType Path type for the ingress - ## Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ - ## - pathType: "Prefix" - ## @param ingress.pathTypeWs Path type for the ingress - ## Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ - ## - pathTypeWs: "Exact" - ## @param ingress.tlsSecret Kubernetes secret containing the SSL certificate when using the "nginx" class. - ## - tlsSecret: "" - ## @param ingress.nginxAllowList Comma-separated list of IP addresses and subnets to allow. - ## - nginxAllowList: "" - ## TODO: - ## - Add support for using cert-manager. - ## - Support for multiple TLS hostnames. - ## - -## Service configuration -service: - ## @param service.type Service type - ## - type: "ClusterIP" - ## @param service.annotations Additional annotations for the vaultwarden service - ## - annotations: {} - ## @param service.labels Additional labels for the service - ## - labels: {} - ## @param service.ipFamilyPolicy IP family policy for the service - ipFamilyPolicy: "SingleStack" -## @section Probe Parameters +## @section Reliability configuration ## ## Liveness probe configuration 
@@ -367,26 +174,86 @@ startupProbe: ## failureThreshold: 10 -## @section Database Configuration +## @param resources Resource configurations ## -database: - ## @param database.type Database type, either mysql or postgresql - ## Default is a sqlite database. - ## - type: "default" - ## @param database.host Database hostname or IP address - ## - host: "" - ## @param database.port Database port - ## Default for MySQL is 3306, default for PostgreSQL is 5432 - port: "" - ## @param database.username Database username - ## - username: "" - ## @param database.password Database password - ## - password: "" - ## @param database.dbName Database name +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 300m + # memory: 1Gi + # requests: + # cpu: 50m + # memory: 256Mi + +## @param strategy Resource configurations +## +strategy: {} + # type: RollingUpdate + # rollingUpdate: + # maxSurge: 1 + # maxUnavailable: 0 + +podDisruptionBudget: + ## @param podDisruptionBudget.enabled Enable PodDisruptionBudget settings + # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + enabled: false + ## @param podDisruptionBudget.minAvailable Minimum number/percentage of pods that should remain scheduled. + # When it's set, maxUnavailable must be disabled by `maxUnavailable: null` + minAvailable: 1 + ## @param podDisruptionBudget.maxUnavailable Maximum number/percentage of pods that may be made unavailable + maxUnavailable: null + + +## @section Persistent data configuration +## + +## @param data Data directory configuration, refer to values.yaml for parameters. 
+## +data: {} + # name: "vaultwarden-data" + # size: "15Gi" + # class: "" + # path: "/data" + # keepPvc: false + +## @param attachments Attachments directory configuration, refer to values.yaml for parameters. +## By default, attachments/ is located inside the data directory. +## +attachments: {} + # name: "vaultwarden-files" + # size: "100Gi" + # class: "" + # path: /files + # keepPvc: false + +## @param webVaultEnabled Enable Web Vault +## +webVaultEnabled: "true" + +## @section Database settings +## + +database: + ## @param database.type Database type, either mysql or postgresql + ## Default is a sqlite database. + ## + type: "default" + ## @param database.host Database hostname or IP address + ## + host: "" + ## @param database.port Database port + ## Default for MySQL is 3306, default for PostgreSQL is 5432 + port: "" + ## @param database.username Database username + ## + username: "" + ## @param database.password Database password + ## + password: "" + ## @param database.dbName Database name ## dbName: "" ## @param database.uriOverride Manually specify the DB connection string 
@@ -405,6 +272,251 @@ database: ## maxConnections: 10 +## @section Push notifications +## + +## @param pushNotifications Enable mobile push notifications, see values.yaml for parameters +## Supported since 1.29.0. +## Refer to https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification for details +## +pushNotifications: {} + # installationId: "" + # installationKey: "" + +## @section Scheduled jobs +## + +## @param emergencyNotifReminderSched Cron schedule of the job that sends expiration reminders to emergency access grantors. +## Set to blank to disable this job. +## +emergencyNotifReminderSched: "0 3 * * * *" + +## @param emergencyRqstTimeoutSched Cron schedule of the job that grants emergency access requests that have met the required wait time. +## Set to blank to disable this job. +## +emergencyRqstTimeoutSched: "0 7 * * * *" + +## @param eventCleanupSched Cron schedule of the job that cleans old events from the event table. +## Set to blank to disable this job. Also without eventsDayRetain set, this job will not start. +## +eventCleanupSched: "0 10 0 * * *" + +## @param eventsDayRetain Number of days to retain events stored in the database. +## If unset (the default), events are kept indefinitely and the scheduled job is disabled! +## +eventsDayRetain: "" + +## @section General settings +## + +## @param domain Domain name where the application is accessed +## Example: https://warden.contoso.com:8443 +## +domain: "" + +## @param sendsAllowed Controls whether users are allowed to create Bitwarden Sends. +## +sendsAllowed: "true" + +## @param hibpApiKey HaveIBeenPwned API Key +## +hibpApiKey: "" + +## @param orgAttachmentLimit Max Kilobytes of attachment storage allowed per organization. +## When this limit is reached, organization members will not be allowed to upload further attachments for ciphers owned by that organization. 
+## +orgAttachmentLimit: "" + +## @param userAttachmentLimit Max kilobytes of attachment storage allowed per user. +## When this limit is reached, the user will not be allowed to upload further attachments. +## +userAttachmentLimit: "" + +## @param userSendLimit Max kilobytes of send storage allowed per user. +## When this limit is reached, the user will not be allowed to upload further sends. +## +userSendLimit: "" + +## @param trashAutoDeleteDays Number of days to wait before auto-deleting a trashed item. +## If unset (the default), trashed items are not auto-deleted. +## This setting applies globally, so make sure to inform all users of any changes to this setting. +## +trashAutoDeleteDays: "" + +## @param signupsAllowed By default, anyone who can access your instance can register for a new account. +## To disable this, set this parameter to false. Even when signupsAllowed=false, an existing user who is +## an organization owner or admin can still invite new users. If you want to disable this as well, set +## invitationsAllowed to false. The vaultwarden admin can invite anyone via the admin page, regardless +## of any of the restrictions above +## +## If signupDomains is set, then the value of signupsAllowed is ignored +signupsAllowed: true + +## @param signupsVerify Whether to require account verification for newly-registered users. +## +signupsVerify: "true" + +## @param signupDomains List of domain names for users allowed to register. For example: +## example.com,example.net,example.org. +## +signupDomains: "" + +## @param orgEventsEnabled Controls whether event logging is enabled for organizations +## +orgEventsEnabled: "false" + +## @param orgCreationUsers Controls which users can create new orgs. +## Blank or 'all' means all users can create orgs. +## 'none' means no users can create orgs. +## A comma-separated list means only those users can create orgs. 
+## +orgCreationUsers: "" + +## @param invitationsAllowed Even when registration is disabled, organization administrators or owners can +## invite users to join organization. After they are invited, they can register with the invited email even +## if signupsAllowed is actually set to false. You can disable this functionality completely by setting +## invitationsAllowed env variable to false +## +invitationsAllowed: true + +## @param invitationOrgName String Name shown in the invitation emails that don't come from a specific organization +## +invitationOrgName: "Vaultwarden" + +## @param invitationExpirationHours The number of hours after which an organization invite token, emergency access invite token, +## email verification token and deletion request token will expire (must be at least 1) +## +invitationExpirationHours: "120" + +## @param emergencyAccessAllowed Controls whether users can enable emergency access to their accounts. +## +emergencyAccessAllowed: "true" + +## @param emailChangeAllowed Controls whether users can change their email. +## This setting applies globally to all users +## +emailChangeAllowed: "true" + +## @param showPassHint Controls whether a password hint should be shown directly in the web page if +## SMTP service is not configured. Not recommended for publicly-accessible instances +## as this provides unauthenticated access to potentially sensitive data. +## +showPassHint: "false" + + +## @section Advanced settings +## + +## @param ipHeader Client IP Header, used to identify the IP of the client +## +ipHeader: "X-Real-IP" + +## @param iconService The predefined icon services are: internal, bitwarden, duckduckgo, google. +## +iconService: "internal" + +## @param iconRedirectCode Icon redirect code +## +iconRedirectCode: "302" + +## @param iconBlacklistNonGlobalIps Whether block non-global IPs. 
+## Useful to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block +## +iconBlacklistNonGlobalIps: "true" + +## @param experimentalClientFeatureFlags Comma separated list of experimental features to enable in clients, make sure to check which features are already enabled by default (.env.template) +## Possible values: +## - "autofill-overlay": Add an overlay menu to form fields for quick access to credentials. +## - "autofill-v2": Use the new autofill implementation. +## - "browser-fileless-import": Directly import credentials from other providers without a file. +## - "fido2-vault-credentials": Enable the use of FIDO2 security keys as second factor. +## +experimentalClientFeatureFlags: null + +## @param requireDeviceEmail Require new device emails. When a user logs in an email is required to be sent. +## +requireDeviceEmail: "false" + +## @param extendedLogging Enable extended logging, which shows timestamps and targets in the logs +## +extendedLogging: "true" + +## @param logTimestampFormat Timestamp format used in extended logging. +## +logTimestampFormat: "%Y-%m-%d %H:%M:%S.%3f" + +logging: + ## @param logging.logLevel Specify the log level + ## + logLevel: "" + ## @param logging.logFile Log to a file + ## + logFile: "" + +## Token for the admin interface, preferably an Argon2 PCH string +adminToken: + ## @param adminToken.existingSecret Specify an existing Kubernetes secret containing the admin token. Also set adminToken.existingSecretKey. + ## Example: admincreds_secret + ## + existingSecret: "" + ## @param adminToken.existingSecretKey When using adminToken.existingSecret, specify the key containing the token. + ## Example: ADMIN_TOKEN + ## + existingSecretKey: "" + ## @param adminToken.value Plain or argon2 string containing the admin token. + ## This example is the argon2 has of "R@ndomTokenString" (no quotes). 
+ ## + value: "$argon2id$v=19$m=19456,t=2,p=1$Vkx1VkE4RmhDMUhwNm9YVlhPQkVOZk1Yc1duSDdGRVYzd0Y5ZkgwaVg0Yz0$PK+h1ANCbzzmEKaiQfCjWw+hWFaMKvLhG2PjRanH5Kk" + +## @param adminRateLimitSeconds Number of seconds, on average, between admin login requests from the same IP address before rate limiting kicks in. +## +adminRateLimitSeconds: "300" + +## @param adminRateLimitMaxBurst Allow a burst of requests of up to this size, while maintaining the average indicated by adminRateLimitSeconds. +## +adminRateLimitMaxBurst: "3" + +## @param timeZone Specify timezone different from the default (UTC). +## For example: "Europe/Berlin" +## +timeZone: "" + + +## @section BETA Features +## + +## @param orgGroupsEnabled Controls whether group support is enabled for organizations +orgGroupsEnabled: "false" + + +## @section MFA/2FA settings +## + +## Yubico (Yubikey) settings +yubico: + ## @param yubico.clientId Yubico client ID + ## + clientId: "" + ## @param yubico.secretKey Yubico secret key + ## + secretKey: "" + ## @param yubico.server Specify a Yubico server, otherwise the default servers will be used + ## + server: "" + +## Duo settings +duo: + ## @param duo.ikey Duo Integration Key + ## + ikey: "" + ## @param duo.secretKey Duo Secret Key + ## + secretKey: "" + ## @param duo.hostname Duo API hostname + ## + hostname: "" + + ## @section SMTP Configuration ## smtp: 
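Review bot: The default for `adminToken.value` on the new side is a concrete argon2 hash whose plaintext ("R@ndomTokenString") is spelled out in the comment directly above it, so if the template falls back to this value whenever `adminToken.existingSecret` is empty (I cannot see the template from here — please confirm), every release installed without overriding it exposes the admin page behind a publicly known token. A safer default is `value: ""` with the comment `## Leave empty to keep the admin page disabled (upstream disables it when ADMIN_TOKEN is unset); otherwise set your own argon2 PHC string or use existingSecret.` so operators must generate their own token or reference a Secret. Two wording fixes in the same hunk: `## Token for the admin interface, preferably an Argon2 PHC string` (PCH -> PHC) and `## This example is the argon2 hash of "R@ndomTokenString" (no quotes).` (has -> hash). Minor style point: `signupsAllowed: true` and `invitationsAllowed: true` are bare booleans while neighbouring flags such as `signupsVerify: "true"` are quoted strings; using one form keeps templates that `quote` or `toString` these values behaving consistently.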
@@ -468,118 +580,90 @@ smtp: ## debug: false -## @section Persistent data configuration -## -## @param data Data directory configuration, refer to values.yaml for parameters. +## @section Exposure settings ## -data: {} - # name: "vaultwarden-data" - # size: "15Gi" - # class: "" - # path: "/data" - # keepPvc: false -## @param attachments Attachments directory configuration, refer to values.yaml for parameters. -## By default, attachments/ is located inside the data directory. +## @param websocket.enabled Enable websocket notifications +## @param websocket.address Websocket listen address +## @param websocket.port Websocket listen port ## -attachments: {} - # name: "vaultwarden-files" - # size: "100Gi" - # class: "" - # path: /files - # keepPvc: false +websocket: + enabled: true + address: "0.0.0.0" + port: 3012 -## @section Logging Configuration +## @param rocket.address Address to bind to +## @param rocket.port Rocket port +## @param rocket.workers Rocket number of workers ## -logging: - ## @param logging.logLevel Specify the log level +rocket: + address: "0.0.0.0" + port: "8080" + workers: "10" + +## Service configuration +service: + ## @param service.type Service type ## - logLevel: "" - ## @param logging.logFile Log to a file + type: "ClusterIP" + ## @param service.annotations Additional annotations for the vaultwarden service ## - logFile: "" - -## @param extendedLogging Enable extended logging, which shows timestamps and targets in the logs -## -extendedLogging: "true" - -## @section Extra Configuration -## - -## @param initContainers extra init containers for initializing the vaultwarden instance -## -initContainers: [] - -## @param sidecars extra containers running alongside the vaultwarden instance -## -sidecars: [] - -## @param nodeSelector Node labels for pod assignment -## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector -## -nodeSelector: {} - -## @param affinity Affinity for pod assignment -## Ref: 
https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity -## -affinity: {} - -## @param tolerations Tolerations for pod assignment -## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ -## -tolerations: [] - -## @param commonLabels Additional labels for the deployment or statefulset -## -commonLabels: {} - -## @param commonAnnotations Annotations for the deployment or statefulset -## -commonAnnotations: {} - -## @param pushNotifications Enable mobile push notifications -## Supported since 1.29.0. -## Refer to https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification for details -## -pushNotifications: {} - # installationId: "" - # installationKey: "" - -## @param resources Resource configurations -## -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 300m - # memory: 1Gi - # requests: - # cpu: 50m - # memory: 256Mi + annotations: {} + ## @param service.labels Additional labels for the service + ## + labels: {} + ## @param service.ipFamilyPolicy IP family policy for the service + ipFamilyPolicy: "SingleStack" -## @param strategy Resource configurations +## Ingress configuration +## Refer to the README for some examples ## -strategy: {} - # type: RollingUpdate - # rollingUpdate: - # maxSurge: 1 - # maxUnavailable: 0 - -podDisruptionBudget: - ## @param podDisruptionBudget.enabled Enable PodDisruptionBudget settings - # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ +ingress: + ## @param ingress.enabled Deploy an ingress resource. 
+ ## enabled: false - ## @param podDisruptionBudget.minAvailable Minimum number/percentage of pods that should remain scheduled. - # When it's set, maxUnavailable must be disabled by `maxUnavailable: null` - minAvailable: 1 - ## @param podDisruptionBudget.maxUnavailable Maximum number/percentage of pods that may be made unavailable - maxUnavailable: null - -## @section BETA Features -## - -## @param orgGroupsEnabled Controls whether group support is enabled for organizations -orgGroupsEnabled: "false" + ## @param ingress.class Ingress resource class + ## The Ingress class to use, e. g. "nginx" for a nginx ingress controller or "alb" for a AWS LB controller. + # + class: "nginx" + ## @param ingress.nginxIngressAnnotations Add nginx specific ingress annotations + ## This annotations are only makes sense for the kubernetes nginx ingress controller (https://kubernetes.github.io/ingress-nginx/) + ## + nginxIngressAnnotations: true + ## @param ingress.additionalAnnotations Additional annotations for the ingress resource. + ## + additionalAnnotations: {} + ## @param ingress.labels Additional labels for the ingress resource. + ## + labels: {} + ## @param ingress.tls Enable TLS on the ingress resource. + ## + tls: true + ## @param ingress.hostname Hostname for the ingress. + ## + hostname: "warden.contoso.com" + ## @param ingress.path Default application path for the ingress + ## + path: "/" + ## @param ingress.pathWs Path for the websocket ingress + ## + pathWs: "/notifications/hub" + ## @param ingress.pathType Path type for the ingress + ## Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ + ## + pathType: "Prefix" + ## @param ingress.pathTypeWs Path type for the ingress + ## Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ + ## + pathTypeWs: "Exact" + ## @param ingress.tlsSecret Kubernetes secret containing the SSL certificate when using the "nginx" class. 
+ ## + tlsSecret: "" + ## @param ingress.nginxAllowList Comma-separated list of IP addresses and subnets to allow. + ## + nginxAllowList: "" + ## TODO: + ## - Add support for using cert-manager. + ## - Support for multiple TLS hostnames. + ##