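# Default values for Bitwarden.
# Indentation below was reconstructed from a flattened copy of the file; the
# nesting of admin/smtp/yubico/log/icons under `vaultwarden` follows the layout
# the templates are expected to read — confirm against the chart templates.

image:
  repository: vaultwarden/server
  pullPolicy: IfNotPresent
  # Quoted so the tag is always read as a string, never as a number.
  tag: "1.22.2"

strategy:
  type: Recreate

service:
  main:
    ports:
      main:
        port: 8080
  ws:
    ports:
      ws:
        enabled: true
        port: 3012

env: {}

# -- Configure the ingresses for the chart here.
# Additional ingresses can be added by adding a dictionary key similar to the 'main' ingress.
# @default -- See below
ingress:
  main:
    # -- Enables or disables the ingress
    enabled: true

    # -- Make this the primary ingress (used in probes, notes, etc...).
    # If there is more than 1 ingress, make sure that only 1 ingress is marked as primary.
    primary: true

    # -- Override the name suffix that is used for this ingress.
    nameOverride:

    # -- List of middlewares in the traefikmiddlewares k8s namespace to add automatically
    # Creates an annotation with the middlewares and appends k8s and traefik namespaces to the middleware names
    # Primarily used for TrueNAS SCALE to add additional (separate) middlewares without exposing them to the end-user
    fixedMiddlewares:
      - chain-basic

    # -- Additional list of middlewares in the traefikmiddlewares k8s namespace to add automatically
    # Creates an annotation with the middlewares and appends k8s and traefik namespaces to the middleware names
    middlewares: []
    annotationsList: []
    # - name: somename
    #   value: somevalue
    # -- Provide additional annotations which may be required.
    annotations: {}
    #   kubernetes.io/ingress.class: nginx
    #   kubernetes.io/tls-acme: "true"

    labelsList: []
    # - name: somename
    #   value: somevalue
    # -- Provide additional labels which may be required.
    labels: {}

    # -- Set the ingressClass that is used for this ingress.
    # Requires Kubernetes >=1.19
    ingressClassName:  # "nginx"

    ## Configure the hosts for the ingress
    hosts:
      - # -- Host address. Helm template can be passed.
        host: chart-example.local
        ## Configure the paths for the host
        paths:
          - # -- Path. Helm template can be passed.
            path: /
            # -- Ignored if not kubeVersion >= 1.14-0
            pathType: Prefix
            service:
              # -- Overrides the service name reference for this path
              name:
              # -- Overrides the service port reference for this path
              port:

    # -- Configure TLS for the ingress. Both secretName and hosts can process a Helm template.
    # Empty by default, so the ingress serves plain HTTP until a secret is listed here.
    tls: []
    #  - secretName: chart-example-tls
    #    # -- Create a secret from a GUI selected TrueNAS SCALE certificate
    #    scaleCert: true
    #    hosts:
    #      - chart-example.local

initContainers:
  # Blocks pod start-up until the PostgreSQL server answers on the host taken
  # from the `dbcreds` secret (the same secret DATABASE_URL is read from below).
  init-postgresdb:
    image: postgres:13.1
    command:
      - "sh"
      - "-c"
      # The readiness probe uses the chart's own database user
      # (postgresql.postgresqlUsername) rather than a user from another chart.
      - "until pg_isready -U vaultwarden -h ${pghost} ; do sleep 2 ; done"
    imagePullPolicy: IfNotPresent
    env:
      - name: pghost
        valueFrom:
          secretKeyRef:
            name: dbcreds
            key: plainhost

envTpl:
  # Derives the public URL from the first host of the main ingress when that
  # ingress is enabled; otherwise a placeholder domain is used.
  DOMAIN: "https://{{ if .Values.ingress }}{{ if .Values.ingress.main.enabled }}{{ ( index .Values.ingress.main.hosts 0 ).host }}{{ else }}placeholder.com{{ end }}{{ else }}placeholder.com{{ end }}"

envFrom:
  - configMapRef:
      name: vaultwardenconfig
  - secretRef:
      name: vaultwardensecret

envValueFrom:
  # Connection string is injected from a secret, never written into values.
  DATABASE_URL:
    secretKeyRef:
      name: dbcreds
      key: url

database:
  # Database type, must be one of: 'sqlite', 'mysql' or 'postgresql'.
  type: postgresql
  # Enable DB Write-Ahead-Log for SQLite, disabled for other databases. https://github.com/dani-garcia/bitwarden_rs/wiki/Running-without-WAL-enabled
  wal: true
  ## URL for external databases (mysql://user:pass@host:port or postgresql://user:pass@host:port).
  ## Prefer envValueFrom.DATABASE_URL (a secret reference) over a URL with embedded credentials here.
  # url: ""
  ## Set the size of the database connection pool.
  # maxConnections: 10
  ## Connection retries during startup, 0 for infinite. 1 second between retries.
  # retries: 15

# Set Bitwarden_rs application variables
vaultwarden:
  # Allow any user to sign-up: https://github.com/dani-garcia/bitwarden_rs/wiki/Disable-registration-of-new-users
  allowSignups: true
  ## Whitelist domains allowed to sign-up. 'allowSignups' is ignored if set.
  # signupDomains:
  #   - domain.tld
  # Verify e-mail before login is enabled. SMTP must be enabled.
  verifySignup: false
  # When a user logs in an email is required to be sent. If sending the email fails the login attempt will fail. SMTP must be enabled.
  requireEmail: false
  ## Maximum attempts before an email token is reset and a new email will need to be sent.
  # emailAttempts: 3
  ## Email token validity in seconds.
  # emailTokenExpiration: 600
  # Allow invited users to sign-up even if the feature is disabled: https://github.com/dani-garcia/bitwarden_rs/wiki/Disable-invitations
  allowInvitation: true
  ## Default organization name in invitation e-mails that are not coming from a specific organization.
  # defaultInviteName: ""
  # Show password hints: https://github.com/dani-garcia/bitwarden_rs/wiki/Password-hint-display
  showPasswordHint: true
  # Enable Websockets for notification. https://github.com/dani-garcia/bitwarden_rs/wiki/Enabling-WebSocket-notifications
  # Redirect HTTP path "/notifications/hub" to port 3012. Ingress/IngressRoute controllers are automatically configured.
  enableWebsockets: true
  # Enable Web Vault (static content). https://github.com/dani-garcia/bitwarden_rs/wiki/Disabling-or-overriding-the-Vault-interface-hosting
  enableWebVault: true
  # Restrict creation of orgs. Options are: 'all', 'none' or a comma-separated list of users.
  orgCreationUsers: all
  ## Limit attachment disk usage per organization.
  # attachmentLimitOrg:
  ## Limit attachment disk usage per user.
  # attachmentLimitUser:
  ## HaveIBeenPwned API Key. Can be purchased at https://haveibeenpwned.com/API/Key.
  ## This is a credential; supply it through a secret reference rather than a committed value.
  # hibpApiKey:

  admin:
    # Enable admin portal.
    enabled: false
    # Disabling the admin token will make the admin portal accessible to anyone, use carefully: https://github.com/dani-garcia/bitwarden_rs/wiki/Disable-admin-token
    disableAdminToken: false
    ## Token for admin login, will be generated if not defined. https://github.com/dani-garcia/bitwarden_rs/wiki/Enabling-admin-page
    ## Keep this out of committed values; the generated token or a secret reference is preferable.
    # token:

  # Enable SMTP. https://github.com/dani-garcia/bitwarden_rs/wiki/SMTP-configuration
  smtp:
    enabled: false
    # SMTP hostname, required if SMTP is enabled.
    host: ""
    # SMTP sender e-mail address, required if SMTP is enabled.
    from: ""
    ## SMTP sender name, defaults to 'Bitwarden_RS'.
    # fromName: ""
    ## Enable SSL connection.
    # ssl: true
    ## SMTP port. Defaults to 25 without SSL, 587 with SSL.
    # port: 587
    ## SMTP Authentication Mechanisms. Comma-separated options: 'Plain', 'Login' and 'Xoauth2'. Defaults to 'Plain'.
    # authMechanism: Plain
    ## Hostname to be sent for SMTP HELO. Defaults to pod name.
    # heloName: ""
    ## SMTP timeout.
    # timeout: 15
    ## Accept SSL session if certificate is valid but hostname doesn't match. DANGEROUS, vulnerable to man-in-the-middle attacks!
    # invalidHostname: false
    ## Accept invalid certificates. DANGEROUS, vulnerable to man-in-the-middle attacks!
    # invalidCertificate: false
    ## SMTP username.
    # user: ""
    ## SMTP password. Required if user is specified, ignored if no user provided.
    ## Supply via a secret reference rather than a committed value.
    # password: ""

  ## Enable Yubico OTP authentication. https://github.com/dani-garcia/bitwarden_rs/wiki/Enabling-Yubikey-OTP-authentication
  yubico:
    enabled: false
    ## Yubico server. Defaults to YubiCloud.
    # server:
    ## Yubico ID and Secret Key.
    # clientId:
    # secretKey:

  ## Logging options. https://github.com/dani-garcia/bitwarden_rs/wiki/Logging
  log:
    # Log to file.
    file: ""
    # Log level. Options are "trace", "debug", "info", "warn", "error" or "off".
    # NOTE(review): "trace" is the most verbose level; "info" is the usual
    # choice for a deployed instance — confirm this default is intended.
    level: "trace"
    ## Log timestamp format. See https://docs.rs/chrono/0.4.15/chrono/format/strftime/index.html. Defaults to time in milliseconds.
    # timeFormat: ""

  icons:
    # Disables download of external icons. Setting to true will still serve icons from cache (/data/icon_cache). TTL will default to zero.
    disableDownload: false
    ## Cache time-to-live for icons fetched. 0 means no purging.
    # cache: 2592000
    ## Cache time-to-live for icons that were not available. 0 means no purging.
    # cacheFailed: 259200

persistence:
  data:
    enabled: true
    mountPath: "/data"
    type: pvc
    accessMode: ReadWriteOnce
    size: "100Gi"

# Enable the bundled PostgreSQL dependency; credentials come from the
# `dbcreds` secret referenced by the init container and DATABASE_URL above.
postgresql:
  enabled: true
  postgresqlUsername: vaultwarden
  postgresqlDatabase: vaultwarden
  existingSecret: dbcreds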