Move vaultwarden to softplayer-lib

This commit is contained in:
Nikolai Rodionov 2024-07-15 19:53:19 +02:00
parent 8a0cf86d26
commit bba8748576
Signed by: allanger
GPG Key ID: 0AA46A90E25592AD
19 changed files with 141 additions and 405 deletions

1
.gitignore vendored
View File

@ -1,2 +1,3 @@
bin bin
custom custom
*.tgz

View File

@ -70,6 +70,7 @@ steps:
--password $REGISTRY_PASSWORD --password $REGISTRY_PASSWORD
- | - |
for chart in $(find charts -maxdepth 1 -mindepth 1 -type d); do for chart in $(find charts -maxdepth 1 -mindepth 1 -type d); do
helm dependency update $chart
helm package $chart -d chart-packages; helm package $chart -d chart-packages;
done done
- | - |

View File

@ -1,6 +1,6 @@
dependencies: dependencies:
- name: softplayer-lib-workload - name: softplayer-lib-workload
repository: oci://git.badhouseplants.net/softplayer repository: oci://git.badhouseplants.net/softplayer
version: 0.2.0 version: 0.2.1
digest: sha256:e6bf909ead48b331a49921e1cf504791fb5ec0a80561d797ae06c7a44ad8a9cd digest: sha256:a3a4a69717a3549841454a0e27a1a9114ea8a03543caf5c0c9a184d5a98f36b4
generated: "2024-07-15T08:45:21.509772+02:00" generated: "2024-07-15T19:51:29.734002+02:00"

View File

@ -10,7 +10,7 @@ maintainers:
url: https://badhouseplants.net url: https://badhouseplants.net
dependencies: dependencies:
- name: softplayer-lib-workload - name: softplayer-lib-workload
version: 0.2.0 version: 0.2.1
repository: oci://git.badhouseplants.net/softplayer repository: oci://git.badhouseplants.net/softplayer
annotations: annotations:
allowed_workload_kinds: "Deployment" allowed_workload_kinds: "Deployment"

View File

@ -2,6 +2,5 @@
{{ include "lib.service" . }} {{ include "lib.service" . }}
{{ include "lib.ingress" . }} {{ include "lib.ingress" . }}
{{ include "lib.config.env" . }} {{ include "lib.config.env" . }}
{{ include "lib.config.files" . }}
{{ include "lib.pvc" . }} {{ include "lib.pvc" . }}
{{ include "lib.raw" . }} {{ include "lib.raw" . }}

View File

@ -66,6 +66,7 @@ storage:
- ReadWriteOnce - ReadWriteOnce
env: env:
environment: environment:
enabled: true
sensitive: false sensitive: false
data: data:
ALLOW_SIGNUP: true ALLOW_SIGNUP: true
@ -77,10 +78,11 @@ env:
BASE_URL: https://mealie.softplayer.com BASE_URL: https://mealie.softplayer.com
DB_ENGINE: postgres DB_ENGINE: postgres
secrets: secrets:
enabled: true
sensitive: true sensitive: true
data: data:
POSTGRES_USER: mealie POSTGRES_USER: ~
POSTGRES_PASSWORD: mealie POSTGRES_PASSWORD: ~
POSTGRES_SERVER: postgres POSTGRES_SERVER: ~
POSTGRES_PORT: 5432 POSTGRES_PORT: ~
POSTGRES_DB: mealie POSTGRES_DB: ~

View File

@ -0,0 +1,6 @@
dependencies:
- name: softplayer-lib-workload
repository: file://../../../softplayer-helm-lib/charts/workload/
version: 0.2.1
digest: sha256:a640e69a2823f6b5534cef9c3c7e8513e0ec6ce6c26904e32da03eb40bcd3143
generated: "2024-07-15T19:46:39.750564+02:00"

View File

@ -2,12 +2,18 @@ apiVersion: v2
name: vaultwarden name: vaultwarden
description: Unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs description: Unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs
type: application type: application
version: 1.2.0 version: 2.0.0
appVersion: 1.30.5 appVersion: 1.31.0
maintainers: maintainers:
- name: allanger - name: allanger
email: allanger@zohomail.com email: allanger@zohomail.com
url: https://badhouseplants.net url: https://badhouseplants.net
dependencies:
- name: softplayer-lib-workload
version: 0.2.1
repository: oci://git.badhouseplants.net/softplayer
annotations:
allowed_workload_kinds: "Deployment"
sources: sources:
- https://github.com/dani-garcia/vaultwarden/tree/main - https://github.com/dani-garcia/vaultwarden/tree/main
keywords: keywords:

View File

@ -1,22 +0,0 @@
1. Get the application URL by running these commands:
{{- if .Values.ingress.enabled }}
{{- range $host := .Values.ingress.hosts }}
{{- range .paths }}
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
{{- end }}
{{- end }}
{{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "vaultwarden.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "vaultwarden.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "vaultwarden.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
echo http://$SERVICE_IP:{{ .Values.service.port }}
{{- else if contains "ClusterIP" .Values.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "vaultwarden.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
{{- end }}

View File

@ -1,46 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "vaultwarden.fullname" . }}
labels:
{{- include "vaultwarden.labels" . | nindent 4 }}
data:
DOMAIN: {{ .Values.vaultwarden.domain | quote }}
{{- if and .Values.vaultwarden.smtp.host .Values.vaultwarden.smtp.from | quote }}
SMTP_HOST: {{ .Values.vaultwarden.smtp.host | quote }}
SMTP_SECURITY: {{ .Values.vaultwarden.smtp.security | quote }}
SMTP_PORT: {{ .Values.vaultwarden.smtp.port | quote }}
{{- if .Values.vaultwarden.smtp.authMechanism }}
SMTP_AUTH_MECHANISM: {{ .Values.vaultwarden.smtp.authMechanism | quote }}
{{- end }}
SMTP_FROM: {{ .Values.vaultwarden.smtp.from | quote }}
SMTP_FROM_NAME: {{ default "Vaultwarden" .Values.vaultwarden.smtp.fromName | quote }}
SMTP_DEBUG: {{ .Values.vaultwarden.smtp.debug | quote }}
SMTP_ACCEPT_INVALID_HOSTNAMES: {{ .Values.vaultwarden.smtp.acceptInvalidHostnames | quote }}
SMTP_ACCEPT_INVALID_CERTS: {{ .Values.vaultwarden.smtp.acceptInvalidCerts | quote }}
SMTP_USERNAME: {{ .Values.vaultwarden.smtp.username | quote }}
{{- end }}
{{- if .Values.vaultwarden.websocket.enabled }}
WEBSOCKET_ENABLED: "true"
WEBSOCKET_ADDRESS: {{ .Values.vaultwarden.websocket.address | quote }}
WEBSOCKET_PORT: {{ .Values.vaultwarden.websocket.port | quote }}
{{- end }}
DATA_FOLDER: {{ .Values.vaultwarden.storage.dataDir | quote }}
ROCKET_PORT: {{ .Values.vaultwarden.rocket.port | quote }}
ROCKET_WORKERS: {{ .Values.vaultwarden.rocket.workers | quote }}
SHOW_PASSWORD_HINT: {{ .Values.vaultwarden.showPassHint | quote }}
SIGNUPS_ALLOWED: {{ .Values.vaultwarden.signupsAllowed | quote }}
INVITATIONS_ALLOWED: {{ .Values.vaultwarden.invitationsAllowed | quote }}
SIGNUPS_DOMAINS_WHITELIST: {{ .Values.vaultwarden.signupDomains | quote }}
SIGNUPS_VERIFY: {{ .Values.vaultwarden.signupsVerify | quote }}
WEB_VAULT_ENABLED: {{ .Values.vaultwarden.webVaultEnabled | quote }}
{{- if .Values.vaultwarden.logging.enabled }}
LOG_FILE: {{ .Values.vaultwarden.logging.logfile | quote }}
LOG_LEVEL: {{ .Values.vaultwarden.logging.loglevel | quote }}
{{- end }}
DB_CONNECTION_RETRIES: {{ .Values.vaultwarden.database.connectionRetries | quote }}
DATABASE_MAX_CONNS: {{ .Values.vaultwarden.database.maxConnections | quote }}
# -------------------------------------------------------------------
ORG_GROUPS_ENABLED: {{ .Values.vaultwarden.organizations.enabled | quote }}
ORG_EVENTS_ENABLED: {{ .Values.vaultwarden.organizations.orgEvents | quote }}
ORG_CREATION_USERS: {{ .Values.vaultwarden.organizations.crationUsers | quote }}

View File

@ -1,96 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "vaultwarden.fullname" . }}
labels:
{{- include "vaultwarden.labels" . | nindent 4 }}
spec:
replicas: 1
selector:
matchLabels:
{{- include "vaultwarden.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
{{- end }}
labels:
{{- include "vaultwarden.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
{{- if .Values.vaultwarden.storage.enabled }}
volumes:
- name: data
persistentVolumeClaim:
claimName: {{ include "vaultwarden.fullname" . }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- name: http
containerPort: {{ .Values.service.port }}
protocol: TCP
livenessProbe:
exec:
command:
- sh
- /healthcheck.sh
readinessProbe:
exec:
command:
- sh
- /healthcheck.sh
resources:
{{- toYaml .Values.resources | nindent 12 }}
envFrom:
- configMapRef:
name: {{ include "vaultwarden.fullname" . }}
env:
{{- if or (.Values.vaultwarden.smtp.password.value) (.Values.vaultwarden.smtp.password.existingSecretKey )}}
- name: SMTP_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.vaultwarden.smtp.password.existingSecret | default ( printf "%s-smtp" ( include "vaultwarden.fullname" . )) }}
key: {{ default "SMTP_PASSWORD" .Values.vaultwarden.smtp.password.existingSecretKey }}
{{- end }}
- name: ADMIN_TOKEN
valueFrom:
secretKeyRef:
name: {{ .Values.vaultwarden.adminToken.existingSecret | default ( printf "%s-admin-token" ( include "vaultwarden.fullname" . )) }}
key: {{ default "ADMIN_TOKEN" .Values.vaultwarden.adminToken.existingSecretKey }}
{{- if ne "default" .Values.vaultwarden.database.type }}
- name: DATABASE_URL
valueFrom:
secretKeyRef:
name: {{ .Values.vaultwarden.database.existingSecret | default ( printf "%s-db-creds" ( include "vaultwarden.fullname" . )) }}
key: {{ default "DATABASE_URL" .Values.vaultwarden.database.existingSecretKey }}
{{- end }}
{{- if .Values.vaultwarden.storage.enabled }}
volumeMounts:
- mountPath: {{ .Values.vaultwarden.storage.dataDir }}
name: data
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}

View File

@ -1,61 +0,0 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "vaultwarden.fullname" . -}}
{{- $svcPort := .Values.service.port -}}
{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
{{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
{{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
{{- end }}
{{- end }}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
{{- include "vaultwarden.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
ingressClassName: {{ .Values.ingress.className }}
{{- end }}
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
{{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
pathType: {{ .pathType }}
{{- end }}
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}
port:
number: {{ $svcPort }}
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ $svcPort }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

View File

@ -0,0 +1,6 @@
{{ include "lib.workload" . }}
{{ include "lib.service" . }}
{{ include "lib.ingress" . }}
{{ include "lib.config.env" . }}
{{ include "lib.pvc" . }}
{{ include "lib.raw" . }}

View File

@ -1,15 +0,0 @@
{{- if .Values.vaultwarden.storage.enabled }}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ include "vaultwarden.fullname" . }}
labels:
{{- include "vaultwarden.labels" . | nindent 4 }}
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: {{ .Values.vaultwarden.storage.size }}
storageClassName: {{ .Values.vaultwarden.storage.class }}
{{- end }}

View File

@ -1,38 +0,0 @@
{{- if not .Values.vaultwarden.adminToken.existingSecret }}
---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: {{ include "vaultwarden.fullname" . }}-admin-token
labels:
{{- include "vaultwarden.labels" . | nindent 4 }}
data:
ADMIN_TOKEN: {{ .Values.vaultwarden.adminToken.value | b64enc | quote }}
{{- end }}
{{- if not .Values.vaultwarden.database.existingSecret }}
---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: {{ include "vaultwarden.fullname" . }}-db-creds
labels:
{{- include "vaultwarden.labels" . | nindent 4 }}
data:
DATABASE_URL: {{ .Values.vaultwarden.database.connectionString | b64enc | quote }}
{{- end }}
{{- if not .Values.vaultwarden.smtp.password.existingSecret }}
---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: {{ include "vaultwarden.fullname" . }}-smtp
labels:
{{- include "vaultwarden.labels" . | nindent 4 }}
data:
SMTP_PASSWORD: {{ .Values.vaultwarden.smtp.password.value | b64enc | quote }}
{{- end }}

View File

@ -1,15 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "vaultwarden.fullname" . }}
labels:
{{- include "vaultwarden.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
targetPort: http
protocol: TCP
name: http
selector:
{{- include "vaultwarden.selectorLabels" . | nindent 4 }}

View File

@ -1,106 +1,114 @@
---
workload:
kind: Deployment
strategy:
type: RollingUpdate
containers:
mealie:
image: image:
repository: registry.hub.docker.com/vaultwarden/server registry: registry.hub.docker.com
pullPolicy: IfNotPresent repository: vaultwarden/server
# Overrides the image tag whose default is the chart appVersion. tag:
tag: "" pullPolicy: Always
imagePullSecrets: [] ports:
nameOverride: "" - vaultwarden
fullnameOverride: "" mounts:
podAnnotations: {} storage:
podSecurityContext: {} data:
# fsGroup: 2000 path: /app/data/
# logs:
# path: /app/logs
envFrom:
- environment
- secrets
livenessProbe:
exec:
command:
- sh
- /healthcheck.sh
readinessProbe:
exec:
command:
- sh
- /healthcheck.sh
initialDelaySeconds: 10
periodSeconds: 10
securityContext: {} ingress:
# capabilities: main:
# drop: class: traefik
# - ALL annotations:
# readOnlyRootFilesystem: true annotation: test
# runAsNonRoot: true rules:
# runAsUser: 1000 - hosts: vaultwarden.softplayer.net
http:
paths:
- backend:
service:
name: '{{ include "chart.fullname" $ }}'
port: 8080
tls:
- hosts:
- vaultwarden.softplayer.net
secretName: vaultwarden.softplayer.net
service: service:
type: ClusterIP type: ClusterIP
port: 8080 ports:
ingress:
enabled: false
className: ""
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- host: chart-example.local
paths:
- path: /
pathType: ImplementationSpecific
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
tolerations: []
affinity: {}
vaultwarden: vaultwarden:
smtp: port: 9000
host: "" targetPort: 9000
security: "starttls" protocol: TCP
port: 25
from: vaultwarden@badhouseplants.net
fromName: vaultwarden
username: vaultwarden
password:
value: "VerySecurePassword"
existingSecret: ""
existingSecretKey: ""
authMechanism: "Plain"
acceptInvalidHostnames: "false"
acceptInvalidCerts: "false"
debug: false
adminToken:
existingSecret: ""
existingSecretKey: ""
value: "R@ndomToken$tring"
domain: "https://badhouseplants.vaultwarden.com"
websocket:
enabled: true
address: "0.0.0.0"
port: 3012
rocket:
port: "8080"
workers: "10"
webVaultEnabled: "true"
signupsAllowed: true
invitationsAllowed: true
signupDomains: "https://badhouseplants.vaultwarden.com"
signupsVerify: "true"
showPassHint: "false"
database:
connectionString: "data/db.sqlite3"
existingSecret: ""
existingSecretKey: ""
connectionRetries: 15
maxConnections: 10
storage: storage:
enabled: false data:
size: 1Gi storageClassName: default
class: default size: 1G
dataDir: /data accessModes:
logging: - ReadWriteOnce
enabled: false # logs:
logfile: "/data/vaultwarden.log" # storageClassName: default
loglevel: "warn" # size: 1G
organizations: # accessModes:
enabled: false # - ReadWriteOnce
orgEvents: false # -- ORG_GROUPS_ENABLED
crationUsers: "" # -- ORG_CREATION_USERS # -- Please have a look here: https://github.com/dani-garcia/vaultwarden/blob/main/.env.template
env:
environment:
enabled: true
sensitive: false
data:
DOMAIN: vaultwarden.softplayer.net
SMTP_HOST: ~
SMTP_SECURITY: startls
SMTP_PORT: 587
SMTP_AUTH_MECHANISM: Plain
SMTP_FROM: vaultwarden@softplayer.net
SMTP_FROM_NAME: Soft Player
SMTP_DEBUG: false
SMTP_ACCEPT_INVALID_HOSTNAMES: false
SMTP_ACCEPT_INVALID_CERTS: false
SMTP_USERNAME: ~
DATA_FOLDER: /app/data/
ROCKET_PORT: 8080
SHOW_PASSWORD_HINT: true
SIGNUPS_ALLOWED: false
INVITATIONS_ALLOWED: true
SIGNUPS_DOMAINS_WHITELIST: "*"
SIGNUPS_VERIFY: true
WEB_VAULT_ENABLED: true
LOG_FILE: /app/logs
LOG_LEVEL: info
DB_CONNECTION_RETRIES: 10
DATABASE_MAX_CONNS: 10
ORG_GROUPS_ENABLED: true
ORG_EVENTS_ENABLED: true
ORG_CREATION_USERS: ""
secrets:
enabled: true
sensitive: true
data:
ADMIN_TOKEN: "R@ndomToken$tring"
DATABASE_URL: ~
SMTP_PASSWORD: ~