feat: add yubikey support, update docs #66

Merged (2 commits), Dec 22, 2023
2 changes: 1 addition & 1 deletion charts/vaultwarden/Chart.yaml
Expand Up @@ -13,5 +13,5 @@ maintainers:
- name: guerzon
email: [email protected]
url: https://github.com/guerzon
version: 0.18.3
version: 0.19.0
kubeVersion: ">=1.12.0-0"
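Review bot: the bump to 0.19.0 is the right semver step for a new feature, but this hunk only touches `version`; the README hunk below moves the default image tag from `1.29.2-alpine` to `1.30.1-alpine`, so `appVersion` in Chart.yaml should move to the matching upstream release in the same change (it is not visible in this diff), otherwise `helm list` and the chart index will keep reporting the old application version.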
70 changes: 53 additions & 17 deletions charts/vaultwarden/README.md
Expand Up @@ -247,17 +247,25 @@ helm -n $NAMESPACE uninstall $RELEASE_NAME
| ------------------- | --------------------------------------------- | -------------------- |
| `image.registry` | Vaultwarden image registry | `docker.io` |
| `image.repository` | Vaultwarden image repository | `vaultwarden/server` |
| `image.tag` | Vaultwarden image tag | `1.29.2-alpine` |
| `image.tag` | Vaultwarden image tag | `1.30.1-alpine` |
| `image.pullPolicy` | Vaultwarden image pull policy | `IfNotPresent` |
| `image.pullSecrets` | Specify docker-registry secret names | `[]` |
| `domain` | Domain name where the application is accessed | `""` |
| `websocket.enabled` | Enable websocket notifications | `true` |
| `websocket.address` | Websocket listen address | `0.0.0.0` |
| `websocket.port` | Websocket listen port | `3012` |
| `rocket.address` | Address to bind to | `0.0.0.0` |
| `rocket.port` | Rocket port | `8080` |
| `rocket.workers` | Rocket number of workers | `10` |
| `webVaultEnabled` | Enable Web Vault | `true` |

### Overwrite automatic resource type detection

| Name | Description | Value |
| ---------------------- | --------------------------------------- | ----- |
| `resourceType` | Can be either Deployment or StatefulSet | `""` |
| `configMapAnnotations` | Add extra annotations to the configmap | `{}` |

### Pod configuration

| Name | Description | Value |
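Review bot: `configMapAnnotations` is filed under the heading "Overwrite automatic resource type detection", which has nothing to do with ConfigMap annotations; readers scanning for it will look under "Pod configuration" or "Extra Configuration". Since this README is generated from the `## @section` / `## @param` comments in values.yaml, the fix is to move the `@param configMapAnnotations` comment out of the `resourceType` section in values.yaml (the values.yaml hunk for that section only shows `@param resourceType`) rather than hand-editing the table.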
Expand All @@ -283,6 +291,11 @@ helm -n $NAMESPACE uninstall $RELEASE_NAME
| `ipHeader` | Client IP Header, used to identify the IP of the client | `X-Real-IP` |
| `serviceAccount.create` | Create a service account | `true` |
| `serviceAccount.name` | Name of the service account to create | `vaultwarden-svc` |
| `podSecurityContext` | Pod security options | `{}` |
| `securityContext` | Default security options to run vault as read only container without privilege escalation | `{}` |
| `yubico.clientId` | Yubico client ID | `""` |
| `yubico.secretKey` | Yubico secret key | `""` |
| `yubico.server` | Specify a Yubico server, otherwise the default servers will be used | `""` |

### Exposure Parameters

Expand All @@ -304,6 +317,30 @@ helm -n $NAMESPACE uninstall $RELEASE_NAME
| `service.type` | Service type | `ClusterIP` |
| `service.annotations` | Additional annotations for the vaultwarden service | `{}` |
| `service.labels` | Additional labels for the service | `{}` |
| `service.ipFamilyPolicy` | IP family policy for the service | `SingleStack` |

### Probe Parameters

| Name | Description | Value |
| ------------------------------------ | ----------------------------------------------------------------------- | ------- |
| `livenessProbe.enabled` | Enable liveness probe | `true` |
| `livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | `5` |
| `livenessProbe.timeoutSeconds` | How long to wait for the probe to succeed | `1` |
| `livenessProbe.periodSeconds` | How often to perform the probe | `10` |
| `livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful | `1` |
| `livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed | `10` |
| `readinessProbe.enabled` | Enable readiness probe | `true` |
| `readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | `5` |
| `readinessProbe.timeoutSeconds` | How long to wait for the probe to succeed | `1` |
| `readinessProbe.periodSeconds` | How often to perform the probe | `10` |
| `readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful | `1` |
| `readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed | `3` |
| `startupProbe.enabled` | Enable startup probe | `false` |
| `startupProbe.initialDelaySeconds` | Delay before startup probe is initiated | `5` |
| `startupProbe.timeoutSeconds` | How long to wait for the probe to succeed | `1` |
| `startupProbe.periodSeconds` | How often to perform the probe | `10` |
| `startupProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful | `1` |
| `startupProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed | `10` |

### Database Configuration

Expand Down Expand Up @@ -354,21 +391,20 @@ helm -n $NAMESPACE uninstall $RELEASE_NAME
| `logging.logLevel` | Specify the log level | `""` |
| `logging.logFile` | Log to a file | `""` |

### Extra containers Configuration

| Name | Description | Value |
| ---------------- | --------------------------------------------------------------- | ----- |
| `initContainers` | extra init containers for initializing the vaultwarden instance | `[]` |
| `sidecars` | extra containers running alongside the vaultwarden instance | `[]` |

### Extra Configuration

| Name | Description | Value |
| ------------------------ | ------------------------------------- | ----- |
| `nodeSelector` | Node labels for pod assignment | `{}` |
| `affinity` | Affinity for pod assignment | `{}` |
| `tolerations` | Tolerations for pod assignment | `[]` |
| `statefulsetlabels` | Additional labels for the statefulset | `{}` |
| `statefulsetAnnotations` | Annotations for the statefulset | `{}` |
| `pushNotifications` | Enable mobile push notifications | `{}` |
| `resources` | Resource configurations | `{}` |
| Name | Description | Value |
| ------------------------------------ | --------------------------------------------------------------- | ------- |
| `initContainers` | extra init containers for initializing the vaultwarden instance | `[]` |
| `sidecars` | extra containers running alongside the vaultwarden instance | `[]` |
| `nodeSelector` | Node labels for pod assignment | `{}` |
| `affinity` | Affinity for pod assignment | `{}` |
| `tolerations` | Tolerations for pod assignment | `[]` |
| `commonLabels` | Additional labels for the deployment or statefulset | `{}` |
| `commonAnnotations` | Annotations for the deployment or statefulset | `{}` |
| `pushNotifications` | Enable mobile push notifications | `{}` |
| `resources` | Resource configurations | `{}` |
| `strategy` | Resource configurations | `{}` |
| `podDisruptionBudget.enabled` | Enable PodDisruptionBudget settings | `false` |
| `podDisruptionBudget.minAvailable` | Minimum number/percentage of pods that should remain scheduled. | `1` |
| `podDisruptionBudget.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable | `nil` |
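Review bot: renaming `statefulsetlabels` to `commonLabels` and `statefulsetAnnotations` to `commonAnnotations` silently breaks existing values files: a user upgrading with `-f values.yaml` keeps the old keys, Helm ignores them, and their labels and annotations disappear from the StatefulSet without any error. Since the Chart.yaml bump is only a minor version, this deserves an explicit upgrade note in the README (and ideally a `{{- if .Values.statefulsetlabels }}{{ fail "..." }}` guard in the templates for one release). Also, the new `strategy` row carries the description "Resource configurations", copied from the `resources` row above it; it should describe the Deployment update strategy (`type`, `rollingUpdate.maxSurge`, `rollingUpdate.maxUnavailable`, as shown in values.yaml).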
7 changes: 7 additions & 0 deletions charts/vaultwarden/templates/configmap.yaml
Expand Up @@ -63,3 +63,10 @@ data:
PUSH_INSTALLATION_ID: {{ .Values.pushNotifications.installationId | quote }}
PUSH_INSTALLATION_KEY: {{ .Values.pushNotifications.installationKey | quote }}
{{- end }}
{{- if and .Values.yubico.clientId .Values.yubico.secretKey }}
YUBICO_CLIENT_ID: {{ .Values.yubico.clientId | quote }}
YUBICO_SECRET_KEY: {{ .Values.yubico.secretKey | quote }}
{{- if .Values.yubico.server }}
YUBICO_SERVER: {{ .Values.yubico.server | quote }}
{{- end }}
{{- end }}
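Review bot: `YUBICO_SECRET_KEY` is a credential for the YubiCloud verification API, and this hunk writes it into the ConfigMap in plaintext, where anyone with `get`/`list` on configmaps in the namespace (and anyone reading the rendered manifest or `helm get values`) can read it. It follows the existing pattern for `PUSH_INSTALLATION_KEY` two lines above, so the fix is the same for both: render the key into a Secret and inject it via `env[].valueFrom.secretKeyRef` (or accept an `existingSecret` name), keeping only `YUBICO_CLIENT_ID` and `YUBICO_SERVER` in the ConfigMap. Second point: the `{{- if and .Values.yubico.clientId .Values.yubico.secretKey }}` guard means that setting only one of the two silently disables YubiKey support with no error; consider `{{- fail "yubico.clientId and yubico.secretKey must be set together" }}` when exactly one is present, or at least document the dependency in the README.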
93 changes: 51 additions & 42 deletions charts/vaultwarden/values.yaml
Expand Up @@ -35,6 +35,7 @@ websocket:
enabled: true
address: "0.0.0.0"
port: 3012
## @param rocket.address Address to bind to
## @param rocket.port Rocket port
## @param rocket.workers Rocket number of workers
##
Expand All @@ -47,7 +48,8 @@ rocket:
webVaultEnabled: "true"

## @section Overwrite automatic resource type detection
## Can be either Deployment or StatefulSet
##
## @param resourceType Can be either Deployment or StatefulSet
##
resourceType: ""

Expand Down Expand Up @@ -127,6 +129,34 @@ serviceAccount:
create: true
name: "vaultwarden-svc"

## @param podSecurityContext Pod security options
##
podSecurityContext: {}
# fsGroup: 1001
# supplementalGroups:
# - 1001

## @param securityContext Default security options to run vault as read only container without privilege escalation
securityContext: {}
# allowPrivilegeEscalation: false
# privileged: false
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsGroup: 1001
# runAsUser: 1001
# capabilities:
# drop:
# - ALL

## @param yubico.clientId Yubico client ID
## @param yubico.secretKey Yubico secret key
## @param yubico.server Specify a Yubico server, otherwise the default servers will be used
##
yubico:
clientId: ""
secretKey: ""
server: ""


## @section Exposure Parameters
##
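Review bot: `securityContext` is still shipped empty with the hardened settings commented out, so a default install runs without `runAsNonRoot`, `readOnlyRootFilesystem` or `capabilities.drop: [ALL]`. Moving the block in the file does not change that; if the intent of the doc comment ("run vault as read only container without privilege escalation") is to describe the default, make these the actual defaults (or at least `allowPrivilegeEscalation: false`, `runAsNonRoot: true`, `capabilities.drop: [ALL]`) and let users relax them, and fix "vault" to "vaultwarden". Style nits in the same hunk: the `yubico.secretKey` default of `""` will be echoed by `helm get values --all`, so a pointer to using a Secret would help; the new `@param` comment block is followed by two blank lines where every other section uses one.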
Expand Down Expand Up @@ -183,6 +213,20 @@ ingress:
## - Support for multiple TLS hostnames.
##

## Service configuration
service:
## @param service.type Service type
##
type: "ClusterIP"
## @param service.annotations Additional annotations for the vaultwarden service
##
annotations: {}
## @param service.labels Additional labels for the service
##
labels: {}
## @param service.ipFamilyPolicy IP family policy for the service
ipFamilyPolicy: "SingleStack"

## @section Probe Parameters
##

Expand Down Expand Up @@ -230,7 +274,6 @@ readinessProbe:
##
failureThreshold: 3


## Startup probe configuration
##
startupProbe:
Expand All @@ -253,38 +296,6 @@ startupProbe:
##
failureThreshold: 10

## Pod security options
podSecurityContext: {}
# fsGroup: 1001
# supplementalGroups:
# - 1001

## Default security options to run vault as read only container without privilege escalation
securityContext: {}
# allowPrivilegeEscalation: false
# privileged: false
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsGroup: 1001
# runAsUser: 1001
# capabilities:
# drop:
# - ALL

## Service configuration
service:
## @param service.type Service type
##
type: "ClusterIP"
## @param service.annotations Additional annotations for the vaultwarden service
##
annotations: {}
## @param service.labels Additional labels for the service
##
labels: {}
## @param service.ipFamilyPolicy IP family policy for the service
ipFamilyPolicy: "SingleStack"

## @section Database Configuration
##
database:
Expand Down Expand Up @@ -418,7 +429,7 @@ logging:
##
logFile: ""

## @section Extra containers Configuration
## @section Extra Configuration
##

## @param initContainers extra init containers for initializing the vaultwarden instance
Expand All @@ -429,9 +440,6 @@ initContainers: []
##
sidecars: []

## @section Extra Configuration
##

## @param nodeSelector Node labels for pod assignment
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
##
Expand Down Expand Up @@ -477,19 +485,20 @@ resources: {}
# cpu: 50m
# memory: 256Mi

## @param strategy Resource configurations
##
strategy: {}
# type: RollingUpdate
# rollingUpdate:
# maxSurge: 1
# maxUnavailable: 0

# PodDisruptionBudget settings
podDisruptionBudget:
# -- enable PodDisruptionBudget
## @param podDisruptionBudget.enabled Enable PodDisruptionBudget settings
# ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
enabled: false
# -- Minimum number/percentage of pods that should remain scheduled.
## @param podDisruptionBudget.minAvailable Minimum number/percentage of pods that should remain scheduled.
# When it's set, maxUnavailable must be disabled by `maxUnavailable: null`
minAvailable: 1
# -- Maximum number/percentage of pods that may be made unavailable
## @param podDisruptionBudget.maxUnavailable Maximum number/percentage of pods that may be made unavailable
maxUnavailable: null
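Review bot: `## @param strategy Resource configurations` is a copy-paste from the `resources` param above and is what produces the wrong README row; it should read something like `## @param strategy Deployment update strategy`. In the `podDisruptionBudget` block the old `# --` helm-docs comments are replaced with `## @param` lines but the `# ref:` and `# When it's set, maxUnavailable must be disabled ...` lines keep the single-`#` style, so the generator will pick up the param line and drop the explanatory sentence; convert them to `##` lines so the minAvailable/maxUnavailable mutual exclusion survives into the README.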