From 90f8d57e8483b49cd64ec9b86086a3fd3a13e7f1 Mon Sep 17 00:00:00 2001 From: Lester Guerzon Date: Sun, 5 Nov 2023 00:52:45 +0800 Subject: [PATCH] chore: artifactoryhub Signed-off-by: Lester Guerzon --- README.md | 206 ++-------------------------------- artifacthub-repo.yml | 4 + charts/vaultwarden/Chart.yaml | 4 +- charts/vaultwarden/README.md | 195 ++++++++++++++++++++++++++++++++ 4 files changed, 209 insertions(+), 200 deletions(-) create mode 100644 artifacthub-repo.yml diff --git a/README.md b/README.md index 1d53473..ef61605 100644 --- a/README.md +++ b/README.md 
@@ -1,222 +1,30 @@ # Helm chart for Vaultwarden [![MIT Licensed](https://img.shields.io/github/license/guerzon/vaultwarden)](https://github.com/guerzon/vaultwarden/blob/main/LICENSE) -[![Helm Release](https://img.shields.io/docker/v/vaultwarden/server/latest)](https://img.shields.io/docker/v/vaultwarden/server/latest) +[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/vaultwarden)](https://artifacthub.io/packages/search?repo=vaultwarden) [Vaultwarden](https://github.com/dani-garcia/vaultwarden), formerly known as **Bitwarden_RS**, is an "alternative implementation of the Bitwarden server API written in Rust and compatible with [upstream Bitwarden clients](https://bitwarden.com/download/), perfect for self-hosted deployment where running the official resource-heavy service might not be ideal." -## TL;DR - -```bash -helm repo add vaultwarden https://guerzon.github.io/vaultwarden -helm install my-vaultwarden-release vaultwarden/vaultwarden -``` - ## Description This [Helm](https://helm.sh/docs/) chart is used to deploy `vaultwarden` with a stable configuration to Kubernetes clusters. -The upstream repository for the `vaultwarden` project can be found [here](https://github.com/dani-garcia/vaultwarden). To learn more about Vaultwarden, please visit the [wiki](https://github.com/dani-garcia/vaultwarden/wiki). +The `vaultwarden` project can be found [here](https://github.com/dani-garcia/vaultwarden). To learn more about Vaultwarden, please visit the [wiki](https://github.com/dani-garcia/vaultwarden/wiki). 
## Prerequisites -- Kubernetes 1.12+ -- Helm 3.1.0 +- Kubernetes >= 1.12 +- Helm >= 3.1.0 ## Usage -To deploy the chart with the release name `vaultwarden-release`: +Add the repository: ```bash -export NAMESPACE=vaultwarden -export DOMAIN_NAME=pass.company.com helm repo add vaultwarden https://guerzon.github.io/vaultwarden -helm install vaultwarden-release vaultwarden/vaultwarden \ - --namespace $NAMESPACE \ - --set "ingress.enabled=true" \ - --set "ingress.hostname=$DOMAIN_NAME" -``` - -To deploy the chart to another namespace using custom values in the file `demo.yaml`: - -```bash -export NAMESPACE=vaultwarden-demo -export RELEASE_NAME=vaultwarden-demo -helm upgrade -i \ - -n $NAMESPACE $RELEASE_NAME vaultwarden/vaultwarden \ - -f demo.yaml -``` - -### General configuration - -This chart deploys `vaultwarden` from pre-built images on [Docker Hub](https://hub.docker.com/r/vaultwarden/server/tags): `vaultwarden/server`. The image can be defined by specifying the tag with `image.tag`. - -Example that uses the Alpine-based image `1.24.0-alpine` and an existing secret that contains registry credentials: - -```yaml -image: - tag: "1.24.0-alpine" - pullSecrets: - - myRegKey -``` - -**Important**: specify the URL used by users with the `domain` variable, otherwise, some functionalities might not work: - -```yaml -domain: "https://vaultwarden.contoso.com:9443/" ``` -Detailed configuration options can be found in the [Vaultwarden settings](./charts/vaultwarden/README.md#vaultwarden-settings) section. - -### Database options - -By default, `vaultwarden` uses a SQLite database located in `/data/db.sqlite3`. However, it is also possible to make use of an external database, in particular either [MySQL](https://www.mysql.com/downloads/) or [PostgreSQL](https://www.postgresql.org). - -To configure an external database, set `database.type` to either `mysql` or `postgresql` and specify the datase connection information. 
- -Example for using an external MySQL database: - -```yaml -database: - type: mysql - host: database.contoso.eu - username: appuser - password: apppassword - dbName: prodapp -``` - -You can also specify the connection string: - -```yaml -database: - type: postgresql - uriOverride: "postgresql://appuser:apppassword@pg.contoso.eu:5433/qualdb" -``` - -Alternatively, you could create a Kubernetes secret containing the database URI: - -```bash -DB_STRING="postgresql://appuser:apppassword@pg.contoso.eu:5433/qualdb" -kubectl -n vaultwarden create secret generic prod-db-creds --from-literal=secret-uri=$DB_STRING -``` - -Then pass the name of the secret and the key to the chart: - -```yaml -database: - type: postgresql - existingSecret: "prod-db-creds" - existingSecretKey: "secret-uri" -``` - -Detailed configuration options can be found in the [Database Configuration](./charts/vaultwarden/README.md#database-configuration) section. - -### SSL and Ingress - -This chart supports the usage of existing Ingress Controllers for exposing the `vaultwarden` deployment. - -#### nginx-ingress - -Nginx ingress controller can be installed by following [this](https://kubernetes.github.io/ingress-nginx/deploy/) guide. An SSL certificate can be added as a secret with a few commands: - -```bash -cd -kubectl create secret -n vaultwarden \ - tls vw-constoso-com-crt \ - --key privkey.pem \ - --cert fullchain.pem -``` - -Once both prerequisites are ready, values can be set as follows: - -```yaml -ingress: - enabled: true - class: "nginx" - tlsSecret: vw-constoso-com-crt - hostname: vaultwarden.contoso.com - allowList: "10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16" -``` - -#### AWS LB Controller - -When using AWS, the [AWS Load Balancer controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/deploy/installation/) can be used together with [ACM](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/guide/ingress/cert_discovery/). 
- -Example for AWS: - -```yaml -ingress: - enabled: true - class: "alb" - hostname: vaultwarden.contoso.com - additionalAnnotations: - alb.ingress.kubernetes.io/scheme: internet-facing - alb.ingress.kubernetes.io/tags: Environment=dev,Team=test - alb.ingress.kubernetes.io/certificate-arn: "arn:aws:acm:eu-central-1:ACCOUNT:certificate/LONGID" -``` - -Detailed configuration options can be found in the [Exposure Parameters](./charts/vaultwarden/README.md#exposure-parameters) section. - -### Security - -An admin token can be generated with: `openssl rand -base64 48`. - -By default, the chart deploys a [service account](https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/) called `vaultwarden-svc`. - -```yaml -serviceAccount: - create: true - name: "vaultwarden-svc" -``` - -Detailed configuration options can be found in the [Security settings](./charts/vaultwarden/README.md#security-settings) section. - -### Mail settings - -To enable the SMTP service, make sure that at a minimum, `smtp.host` and `smtp.from` are set. - -```yaml -smtp: - host: mx01.contoso.com - from: no-reply@contoso.com - fromName: "Vault Administrator" - username: admin - password: password - acceptInvalidHostnames: "true" - acceptInvalidCerts: "true" -``` - -Detailed configuration options can be found in the [SMTP Configuration](./charts/vaultwarden/README.md#smtp-configuration) section. - -### Storage - -To use persistent storage using a claim, set `storage.enabled` to `true`. The following example sets the storage class to an already-installed Rancher's [local path storage](https://github.com/rancher/local-path-provisioner) provisioner. - -```yaml -storage: - enabled: true - size: "10Gi" - class: "local-path" -``` - -Example for AWS: - -```yaml -storage: - enabled: true - size: "10Gi" - class: "gp2" -``` - -Detailed configuration options can be found in the [Storage Configuration](./charts/vaultwarden/README.md#storage-configuration) section. 
- -## Deployment in GKE - -I have written a detailed post about deploying Vaultwarden in Google Kubernetes Engine [here](https://medium.com/@sreafterhours/terraform-helm-external-dns-cert-manager-nginx-and-vaultwarden-on-gke-5080f3b4909f). - -## Parameters - -Refer to the detailed parameter documentation [here](./charts/vaultwarden/README.md). +Refer to the detailed documentation [here](./charts/vaultwarden/README.md). ## Uninstall @@ -240,7 +48,7 @@ Nevertheless, if you find any issues while using this chart, or have any suggest ## Author -This Helm chart was created and is being maintained by [Lester Guerzon](https://blog.pidnull.io). +This Helm chart was created and maintained by [Lester Guerzon](https://blog.pidnull.io). ### Credits diff --git a/artifacthub-repo.yml b/artifacthub-repo.yml new file mode 100644 index 0000000..7502051 --- /dev/null +++ b/artifacthub-repo.yml @@ -0,0 +1,4 @@ +repositoryID: 0c334844-c49c-45a8-bf8e-b086fa93ddae +owners: + - name: guerzon + email: guerzon@proton.me diff --git a/charts/vaultwarden/Chart.yaml b/charts/vaultwarden/Chart.yaml index c91985d..210d6b8 100644 --- a/charts/vaultwarden/Chart.yaml +++ b/charts/vaultwarden/Chart.yaml @@ -1,6 +1,7 @@ apiVersion: v2 name: vaultwarden description: vaultwarden is an unofficial Bitwarden-compatible server written in Rust +type: application keywords: - Rust - vaultwarden @@ -12,4 +13,5 @@ maintainers: - name: guerzon email: guerzon@proton.me url: https://github.com/guerzon -version: 0.15.1 +version: 0.15.2 +kubeVersion: ">=1.12.0-0" diff --git a/charts/vaultwarden/README.md b/charts/vaultwarden/README.md index 74acf20..e82202a 100644 --- a/charts/vaultwarden/README.md +++ b/charts/vaultwarden/README.md 
@@ -1,4 +1,199 @@ +# Vaultwarden + +[Vaultwarden](https://github.com/dani-garcia/vaultwarden), is an alternative implementation of the Bitwarden server API written in Rust and compatible with [upstream Bitwarden clients](https://bitwarden.com/download/). + +## Usage + +Basic usage: + +```bash +export NAMESPACE=vaultwarden +export DOMAIN_NAME=pass.company.com + +helm install vaultwarden-release vaultwarden/vaultwarden \ + --namespace $NAMESPACE \ + --set "ingress.enabled=true" \ + --set "ingress.hostname=$DOMAIN_NAME" +``` + +To deploy the chart to another namespace using custom values in the file `demo.yaml`: + +```bash +export NAMESPACE=vaultwarden-demo +export RELEASE_NAME=vaultwarden-demo +helm upgrade -i \ + -n $NAMESPACE $RELEASE_NAME vaultwarden/vaultwarden \ + -f demo.yaml +``` + +### General configuration + +This chart deploys `vaultwarden` from pre-built images on [Docker Hub](https://hub.docker.com/r/vaultwarden/server/tags): `vaultwarden/server`. The image can be defined by specifying the tag with `image.tag`. + +Example that uses the Alpine-based image `1.24.0-alpine` and an existing secret that contains registry credentials: + +```yaml +image: + tag: "1.24.0-alpine" + pullSecrets: + - myRegKey +``` + +**Important**: specify the URL used by users with the `domain` variable, otherwise, some functionalities might not work: + +```yaml +domain: "https://vaultwarden.contoso.com:9443/" +``` + +Detailed configuration options can be found in the [Vaultwarden settings](./charts/vaultwarden/README.md#vaultwarden-settings) section. + +### Database options + +By default, `vaultwarden` uses a SQLite database located in `/data/db.sqlite3`. However, it is also possible to make use of an external database, in particular either [MySQL](https://www.mysql.com/downloads/) or [PostgreSQL](https://www.postgresql.org). + +To configure an external database, set `database.type` to either `mysql` or `postgresql` and specify the datase connection information. 
+ +Example for using an external MySQL database: + +```yaml +database: + type: mysql + host: database.contoso.eu + username: appuser + password: apppassword + dbName: prodapp +``` + +You can also specify the connection string: + +```yaml +database: + type: postgresql + uriOverride: "postgresql://appuser:apppassword@pg.contoso.eu:5433/qualdb" +``` + +Alternatively, you could create a Kubernetes secret containing the database URI: + +```bash +DB_STRING="postgresql://appuser:apppassword@pg.contoso.eu:5433/qualdb" +kubectl -n vaultwarden create secret generic prod-db-creds --from-literal=secret-uri=$DB_STRING +``` + +Then pass the name of the secret and the key to the chart: + +```yaml +database: + type: postgresql + existingSecret: "prod-db-creds" + existingSecretKey: "secret-uri" +``` + +Detailed configuration options can be found in the [Database Configuration](./charts/vaultwarden/README.md#database-configuration) section. + +### SSL and Ingress + +This chart supports the usage of existing Ingress Controllers for exposing the `vaultwarden` deployment. + +#### nginx-ingress + +Nginx ingress controller can be installed by following [this](https://kubernetes.github.io/ingress-nginx/deploy/) guide. An SSL certificate can be added as a secret with a few commands: + +```bash +cd +kubectl create secret -n vaultwarden \ + tls vw-constoso-com-crt \ + --key privkey.pem \ + --cert fullchain.pem +``` + +Once both prerequisites are ready, values can be set as follows: + +```yaml +ingress: + enabled: true + class: "nginx" + tlsSecret: vw-constoso-com-crt + hostname: vaultwarden.contoso.com + allowList: "10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16" +``` + +#### AWS LB Controller + +When using AWS, the [AWS Load Balancer controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/deploy/installation/) can be used together with [ACM](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/guide/ingress/cert_discovery/). 
+ +Example for AWS: + +```yaml +ingress: + enabled: true + class: "alb" + hostname: vaultwarden.contoso.com + additionalAnnotations: + alb.ingress.kubernetes.io/scheme: internet-facing + alb.ingress.kubernetes.io/tags: Environment=dev,Team=test + alb.ingress.kubernetes.io/certificate-arn: "arn:aws:acm:eu-central-1:ACCOUNT:certificate/LONGID" +``` + +Detailed configuration options can be found in the [Exposure Parameters](./charts/vaultwarden/README.md#exposure-parameters) section. + +### Security + +An admin token can be generated with: `openssl rand -base64 48`. + +By default, the chart deploys a [service account](https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/) called `vaultwarden-svc`. + +```yaml +serviceAccount: + create: true + name: "vaultwarden-svc" +``` + +Detailed configuration options can be found in the [Security settings](./charts/vaultwarden/README.md#security-settings) section. + +### Mail settings + +To enable the SMTP service, make sure that at a minimum, `smtp.host` and `smtp.from` are set. + +```yaml +smtp: + host: mx01.contoso.com + from: no-reply@contoso.com + fromName: "Vault Administrator" + username: admin + password: password + acceptInvalidHostnames: "true" + acceptInvalidCerts: "true" +``` + +Detailed configuration options can be found in the [SMTP Configuration](./charts/vaultwarden/README.md#smtp-configuration) section. + +### Storage + +To use persistent storage using a claim, set `storage.enabled` to `true`. The following example sets the storage class to an already-installed Rancher's [local path storage](https://github.com/rancher/local-path-provisioner) provisioner. + +```yaml +storage: + enabled: true + size: "10Gi" + class: "local-path" +``` + +Example for AWS: + +```yaml +storage: + enabled: true + size: "10Gi" + class: "gp2" +``` + +Detailed configuration options can be found in the [Storage Configuration](./charts/vaultwarden/README.md#storage-configuration) section. 
+ +## Deployment in GKE + +I have written a detailed post about deploying Vaultwarden in Google Kubernetes Engine [here](https://medium.com/@sreafterhours/terraform-helm-external-dns-cert-manager-nginx-and-vaultwarden-on-gke-5080f3b4909f). + ## Parameters ### Vaultwarden settings
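Review bot: with the TL;DR block removed, the top-level README's Usage section now stops at `helm repo add vaultwarden https://guerzon.github.io/vaultwarden` and shows no install command, so a reader has to follow the link to charts/vaultwarden/README.md to learn the chart reference and a release name. Since the new Artifact Hub badge points first-time users at this page, consider keeping one line such as `helm install my-vaultwarden-release vaultwarden/vaultwarden` under the repo-add command.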
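Review bot: the reworded Author line `This Helm chart was created and maintained by [Lester Guerzon](https://blog.pidnull.io).` now reads as past tense for both verbs and implies the chart is no longer maintained; `was created and is maintained by` keeps the original meaning while still shortening the sentence.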
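Review bot: the section links copied into charts/vaultwarden/README.md still use the top-level paths, e.g. `[Vaultwarden settings](./charts/vaultwarden/README.md#vaultwarden-settings)` and the Database, Exposure, Security, SMTP and Storage equivalents; resolved from inside charts/vaultwarden/ they point at charts/vaultwarden/charts/vaultwarden/README.md, which does not exist, so they should become in-file anchors such as `#vaultwarden-settings`. Three smaller points in the same hunk: the Basic usage block runs `helm install vaultwarden-release vaultwarden/vaultwarden` but the `helm repo add` line was left only in the top-level README, so this file (the one Artifact Hub renders) is not self-contained; the SMTP example carries `acceptInvalidHostnames: "true"` and `acceptInvalidCerts: "true"`, which disable TLS certificate validation towards the mail server and should either be dropped from the example or marked as lab-only so they are not copied into production values; and the moved text still contains the typo `datase` (for database) and the stray comma in `[Vaultwarden](...), is an alternative implementation`, which could be fixed while the text is being relocated (the secret name `vw-constoso-com-crt` is consistent in both places, so it works, but `contoso` was probably intended).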