From 94b96eb6216edd9d1e1141acc800a4585bb320a2 Mon Sep 17 00:00:00 2001 From: Lester Guerzon Date: Fri, 22 Dec 2023 13:46:33 +0000 Subject: [PATCH 1/2] docs: update values.yaml annotations --- charts/vaultwarden/README.md | 67 ++++++++++++++++++++------- charts/vaultwarden/values.yaml | 84 +++++++++++++++++----------------- 2 files changed, 92 insertions(+), 59 deletions(-) diff --git a/charts/vaultwarden/README.md b/charts/vaultwarden/README.md index a4056da..9bf2a7d 100644 --- a/charts/vaultwarden/README.md +++ b/charts/vaultwarden/README.md @@ -247,17 +247,25 @@ helm -n $NAMESPACE uninstall $RELEASE_NAME | ------------------- | --------------------------------------------- | -------------------- | | `image.registry` | Vaultwarden image registry | `docker.io` | | `image.repository` | Vaultwarden image repository | `vaultwarden/server` | -| `image.tag` | Vaultwarden image tag | `1.29.2-alpine` | +| `image.tag` | Vaultwarden image tag | `1.30.1-alpine` | | `image.pullPolicy` | Vaultwarden image pull policy | `IfNotPresent` | | `image.pullSecrets` | Specify docker-registry secret names | `[]` | | `domain` | Domain name where the application is accessed | `""` | | `websocket.enabled` | Enable websocket notifications | `true` | | `websocket.address` | Websocket listen address | `0.0.0.0` | | `websocket.port` | Websocket listen port | `3012` | +| `rocket.address` | Address to bind to | `0.0.0.0` | | `rocket.port` | Rocket port | `8080` | | `rocket.workers` | Rocket number of workers | `10` | | `webVaultEnabled` | Enable Web Vault | `true` | +### Overwrite automatic resource type detection + +| Name | Description | Value | +| ---------------------- | --------------------------------------- | ----- | +| `resourceType` | Can be either Deployment or StatefulSet | `""` | +| `configMapAnnotations` | Add extra annotations to the configmap | `{}` | + ### Pod configuration | Name | Description | Value | 
@@ -283,6 +291,8 @@ helm -n $NAMESPACE uninstall $RELEASE_NAME | `ipHeader` | Client IP Header, used to identify the IP of the client | `X-Real-IP` | | `serviceAccount.create` | Create a service account | `true` | | `serviceAccount.name` | Name of the service account to create | `vaultwarden-svc` | +| `podSecurityContext` | Pod security options | `{}` | +| `securityContext` | Default security options to run vault as read only container without privilege escalation | `{}` | ### Exposure Parameters 
@@ -304,6 +314,30 @@ helm -n $NAMESPACE uninstall $RELEASE_NAME | `service.type` | Service type | `ClusterIP` | | `service.annotations` | Additional annotations for the vaultwarden service | `{}` | | `service.labels` | Additional labels for the service | `{}` | +| `service.ipFamilyPolicy` | IP family policy for the service | `SingleStack` | + +### Probe Parameters + +| Name | Description | Value | +| ------------------------------------ | ----------------------------------------------------------------------- | ------- | +| `livenessProbe.enabled` | Enable liveness probe | `true` | +| `livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | `5` | +| `livenessProbe.timeoutSeconds` | How long to wait for the probe to succeed | `1` | +| `livenessProbe.periodSeconds` | How often to perform the probe | `10` | +| `livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful | `1` | +| `livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed | `10` | +| `readinessProbe.enabled` | Enable readiness probe | `true` | +| `readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | `5` | +| `readinessProbe.timeoutSeconds` | How long to wait for the probe to succeed | `1` | +| `readinessProbe.periodSeconds` | How often to perform the probe | `10` | +| `readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful | `1` | +| `readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed | `3` | +| `startupProbe.enabled` | Enable startup probe | `false` | +| `startupProbe.initialDelaySeconds` | Delay before startup probe is initiated | `5` | +| `startupProbe.timeoutSeconds` | How long to wait for the probe to succeed | `1` | +| `startupProbe.periodSeconds` | How often to perform the probe | `10` | +| `startupProbe.successThreshold` | Minimum consecutive successes 
for the probe to be considered successful | `1` | +| `startupProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed | `10` | ### Database Configuration 
@@ -354,21 +388,20 @@ helm -n $NAMESPACE uninstall $RELEASE_NAME | `logging.logLevel` | Specify the log level | `""` | | `logging.logFile` | Log to a file | `""` | -### Extra containers Configuration - -| Name | Description | Value | -| ---------------- | --------------------------------------------------------------- | ----- | -| `initContainers` | extra init containers for initializing the vaultwarden instance | `[]` | -| `sidecars` | extra containers running alongside the vaultwarden instance | `[]` | - ### Extra Configuration -| Name | Description | Value | -| ------------------------ | ------------------------------------- | ----- | -| `nodeSelector` | Node labels for pod assignment | `{}` | -| `affinity` | Affinity for pod assignment | `{}` | -| `tolerations` | Tolerations for pod assignment | `[]` | -| `statefulsetlabels` | Additional labels for the statefulset | `{}` | -| `statefulsetAnnotations` | Annotations for the statefulset | `{}` | -| `pushNotifications` | Enable mobile push notifications | `{}` | -| `resources` | Resource configurations | `{}` | +| Name | Description | Value | +| ------------------------------------ | --------------------------------------------------------------- | ------- | +| `initContainers` | extra init containers for initializing the vaultwarden instance | `[]` | +| `sidecars` | extra containers running alongside the vaultwarden instance | `[]` | +| `nodeSelector` | Node labels for pod assignment | `{}` | +| `affinity` | Affinity for pod assignment | `{}` | +| `tolerations` | Tolerations for pod assignment | `[]` | +| `commonLabels` | Additional labels for the deployment or statefulset | `{}` | +| `commonAnnotations` | Annotations for the deployment or statefulset | `{}` | +| `pushNotifications` | Enable mobile push notifications | `{}` | +| `resources` | Resource configurations | `{}` | +| `strategy` | Resource configurations | `{}` | +| `podDisruptionBudget.enabled` | Enable PodDisruptionBudget settings | `false` | +| 
`podDisruptionBudget.minAvailable` | Minimum number/percentage of pods that should remain scheduled. | `1` | +| `podDisruptionBudget.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable | `nil` | diff --git a/charts/vaultwarden/values.yaml b/charts/vaultwarden/values.yaml index 09a8755..312f086 100644 --- a/charts/vaultwarden/values.yaml +++ b/charts/vaultwarden/values.yaml @@ -35,6 +35,7 @@ websocket: enabled: true address: "0.0.0.0" port: 3012 +## @param rocket.address Address to bind to ## @param rocket.port Rocket port ## @param rocket.workers Rocket number of workers ## @@ -47,7 +48,8 @@ rocket: webVaultEnabled: "true" ## @section Overwrite automatic resource type detection -## Can be either Deployment or StatefulSet +## +## @param resourceType Can be either Deployment or StatefulSet ## resourceType: "" @@ -127,6 +129,25 @@ serviceAccount: create: true name: "vaultwarden-svc" +## @param podSecurityContext Pod security options +## +podSecurityContext: {} + # fsGroup: 1001 + # supplementalGroups: + # - 1001 + +## @param securityContext Default security options to run vault as read only container without privilege escalation +securityContext: {} + # allowPrivilegeEscalation: false + # privileged: false + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsGroup: 1001 + # runAsUser: 1001 + # capabilities: + # drop: + # - ALL + ## @section Exposure Parameters ## @@ -183,6 +204,20 @@ ingress: ## - Support for multiple TLS hostnames. ## +## Service configuration +service: + ## @param service.type Service type + ## + type: "ClusterIP" + ## @param service.annotations Additional annotations for the vaultwarden service + ## + annotations: {} + ## @param service.labels Additional labels for the service + ## + labels: {} + ## @param service.ipFamilyPolicy IP family policy for the service + ipFamilyPolicy: "SingleStack" + ## @section Probe Parameters ## 
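Review bot: The new `## @param securityContext Default security options to run vault as read only container without privilege escalation` describes a hardening that the chart does not apply, because the value is `{}` and the read-only / non-root / drop-ALL settings exist only as the commented example beneath it; a reader of the generated README would assume a default install is hardened. A description that matches the default, e.g. `## @param securityContext Container security context (empty by default; the commented example below runs the container read-only, non-root and without privilege escalation)`, avoids that, and the README row added in the first patch carries the same misleading text. The same applies to `## @param podSecurityContext Pod security options`, where `fsGroup` and `supplementalGroups` are likewise only hints in comments.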
@@ -230,7 +265,6 @@ readinessProbe: ## failureThreshold: 3 - ## Startup probe configuration ## startupProbe: @@ -253,38 +287,6 @@ startupProbe: ## failureThreshold: 10 -## Pod security options -podSecurityContext: {} - # fsGroup: 1001 - # supplementalGroups: - # - 1001 - -## Default security options to run vault as read only container without privilege escalation -securityContext: {} - # allowPrivilegeEscalation: false - # privileged: false - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsGroup: 1001 - # runAsUser: 1001 - # capabilities: - # drop: - # - ALL - -## Service configuration -service: - ## @param service.type Service type - ## - type: "ClusterIP" - ## @param service.annotations Additional annotations for the vaultwarden service - ## - annotations: {} - ## @param service.labels Additional labels for the service - ## - labels: {} - ## @param service.ipFamilyPolicy IP family policy for the service - ipFamilyPolicy: "SingleStack" - ## @section Database Configuration ## database: @@ -418,7 +420,7 @@ logging: ## logFile: "" -## @section Extra containers Configuration +## @section Extra Configuration ## ## @param initContainers extra init containers for initializing the vaultwarden instance @@ -429,9 +431,6 @@ initContainers: [] ## sidecars: [] -## @section Extra Configuration -## - ## @param nodeSelector Node labels for pod assignment ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector ## 
@@ -477,19 +476,20 @@ resources: {} # cpu: 50m # memory: 256Mi +## @param strategy Resource configurations +## strategy: {} # type: RollingUpdate # rollingUpdate: # maxSurge: 1 # maxUnavailable: 0 -# PodDisruptionBudget settings podDisruptionBudget: - # -- enable PodDisruptionBudget + ## @param podDisruptionBudget.enabled Enable PodDisruptionBudget settings # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ enabled: false - # -- Minimum number/percentage of pods that should remain scheduled. + ## @param podDisruptionBudget.minAvailable Minimum number/percentage of pods that should remain scheduled. # When it's set, maxUnavailable must be disabled by `maxUnavailable: null` minAvailable: 1 - # -- Maximum number/percentage of pods that may be made unavailable + ## @param podDisruptionBudget.maxUnavailable Maximum number/percentage of pods that may be made unavailable maxUnavailable: null From a425aa47bdac6f4e65d476ecd2592c4ab91f516f Mon Sep 17 00:00:00 2001 From: Lester Guerzon Date: Fri, 22 Dec 2023 14:02:09 +0000 Subject: [PATCH 2/2] feat: add support for Yubikey OTP authentication Signed-off-by: Lester Guerzon --- charts/vaultwarden/Chart.yaml | 2 +- charts/vaultwarden/README.md | 3 +++ charts/vaultwarden/templates/configmap.yaml | 7 +++++++ charts/vaultwarden/values.yaml | 9 +++++++++ 4 files changed, 20 insertions(+), 1 deletion(-) diff --git a/charts/vaultwarden/Chart.yaml b/charts/vaultwarden/Chart.yaml index dff6b36..3cf0374 100644 --- a/charts/vaultwarden/Chart.yaml +++ b/charts/vaultwarden/Chart.yaml @@ -13,5 +13,5 @@ maintainers: - name: guerzon email: guerzon@proton.me url: https://github.com/guerzon -version: 0.18.3 +version: 0.19.0 kubeVersion: ">=1.12.0-0" diff --git a/charts/vaultwarden/README.md b/charts/vaultwarden/README.md index 9bf2a7d..0d1ef7f 100644 --- a/charts/vaultwarden/README.md +++ b/charts/vaultwarden/README.md 
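Review bot: `## @param strategy Resource configurations` in the `@@ -477,19 +476,20 @@` hunk is a copy of the `resources` description directly above it, and the README hunk in the first patch already reproduces that wrong text in its `strategy` row. The commented example below it is a `RollingUpdate` block with `maxSurge`/`maxUnavailable`, so a description such as `## @param strategy Update strategy for the workload (see the commented RollingUpdate example below)` would say what the value is for. In the `podDisruptionBudget` block the new `## @param` lines now sit between the older single-`#` comments (`# ref:`, `# When it's set, …`); switching those to `##` keeps the block consistent with the rest of values.yaml.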
@@ -293,6 +293,9 @@ helm -n $NAMESPACE uninstall $RELEASE_NAME | `serviceAccount.name` | Name of the service account to create | `vaultwarden-svc` | | `podSecurityContext` | Pod security options | `{}` | | `securityContext` | Default security options to run vault as read only container without privilege escalation | `{}` | +| `yubico.clientId` | Yubico client ID | `""` | +| `yubico.secretKey` | Yubico secret key | `""` | +| `yubico.server` | Specify a Yubico server, otherwise the default servers will be used | `""` | ### Exposure Parameters diff --git a/charts/vaultwarden/templates/configmap.yaml b/charts/vaultwarden/templates/configmap.yaml index 038bef0..7f326ba 100644 --- a/charts/vaultwarden/templates/configmap.yaml +++ b/charts/vaultwarden/templates/configmap.yaml @@ -63,3 +63,10 @@ data: PUSH_INSTALLATION_ID: {{ .Values.pushNotifications.installationId | quote }} PUSH_INSTALLATION_KEY: {{ .Values.pushNotifications.installationKey | quote }} {{- end }} + {{- if and .Values.yubico.clientId .Values.yubico.secretKey }} + YUBICO_CLIENT_ID: {{ .Values.yubico.clientId | quote }} + YUBICO_SECRET_KEY: {{ .Values.yubico.secretKey | quote }} + {{- if .Values.yubico.server }} + YUBICO_SERVER: {{ .Values.yubico.server | quote }} + {{- end }} + {{- end }} diff --git a/charts/vaultwarden/values.yaml b/charts/vaultwarden/values.yaml index 312f086..b583fa0 100644 --- a/charts/vaultwarden/values.yaml +++ b/charts/vaultwarden/values.yaml @@ -148,6 +148,15 @@ securityContext: {} # drop: # - ALL +## @param yubico.clientId Yubico client ID +## @param yubico.secretKey Yubico secret key +## @param yubico.server Specify a Yubico server, otherwise the default servers will be used +## +yubico: + clientId: "" + secretKey: "" + server: "" + ## @section Exposure Parameters ##
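Review bot: `YUBICO_SECRET_KEY` is rendered into the ConfigMap in the `templates/configmap.yaml` hunk, so the Yubico API secret is stored and served in plain text to anyone who can read ConfigMaps in the namespace, which is typically a wider set of principals (and backups, GitOps diffs, `kubectl describe` output) than for Secrets. I'd keep only `YUBICO_CLIENT_ID` and `YUBICO_SERVER` in the ConfigMap and deliver the key via a Secret consumed by the container through `valueFrom.secretKeyRef`, or via an existing-secret reference if the chart already uses that pattern for other credentials (the deployment template is not in this diff, so I cannot tell). The `{{- if and .Values.yubico.clientId .Values.yubico.secretKey }}` gate also means that setting only one of the two silently renders no Yubico configuration at all; `{{ required "yubico.secretKey must be set when yubico.clientId is set" .Values.yubico.secretKey }}` inside an `if .Values.yubico.clientId` branch would surface the misconfiguration at install time instead. The `## @param yubico.secretKey Yubico secret key` annotation in the values.yaml hunk on this line should state where the value ends up so operators can make that choice.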