Example k8s deployment of Vaultwarden (requirements: cert-manager, traefik-ingress, longhorn)
---
# Dedicated namespace: the NetworkPolicy, PVC, Service and Deployment below
# are all scoped to it, so the egress policy cannot affect other workloads.
apiVersion: v1
kind: Namespace
metadata:
  name: vaultwarden
---
# Default-deny egress for the whole namespace: an empty podSelector selects
# every pod, policyTypes lists Egress, and no egress rules are given, so no
# outbound connection (DNS included) is allowed. That matches the ConfigMap,
# which turns off icon download and SMTP; if either is re-enabled, egress
# rules (at least for DNS and the target service) must be added here.
# Ingress is not listed in policyTypes and stays unrestricted, which is what
# lets the Traefik ingress and the kubelet liveness probe reach the pod.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: vaultwarden
  namespace: vaultwarden
spec:
  podSelector: {}
  policyTypes:
    - Egress
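---
# Vaultwarden configuration. The Deployment's init container copies this
# file to /data/config.json on every start (cp -f), so the values here are
# the source of truth and override anything saved from the admin page.
#
# Security notes:
# - disable_admin_token is false. With no admin_token configured this leaves
#   the /admin page disabled. Setting it to true would instead make /admin
#   reachable WITHOUT any authentication, and the IngressRoute below forwards
#   every path of the host to this service. To use the admin page, provide
#   ADMIN_TOKEN from a Secret rather than disabling the check.
# - ip_header X-Real-IP is trusted as the client address. That is only
#   meaningful while the pod is reached exclusively through a proxy that
#   sets the header; the NetworkPolicy above does not restrict ingress.
# - signups_allowed / invitations_allowed are off; sends_allowed is on.
apiVersion: v1
kind: ConfigMap
metadata:
  name: vaultwarden-config
  namespace: vaultwarden
data:
  config.json: |
    {
      "domain": "https://vaultwarden.example.home.arpa",
      "sends_allowed": true,
      "disable_icon_download": true,
      "signups_allowed": false,
      "signups_verify": false,
      "signups_verify_resend_time": 3600,
      "signups_verify_resend_limit": 6,
      "invitations_allowed": false,
      "password_iterations": 100000,
      "show_password_hint": false,
      "ip_header": "X-Real-IP",
      "icon_cache_ttl": 0,
      "icon_cache_negttl": 0,
      "icon_download_timeout": 10,
      "icon_blacklist_non_global_ips": false,
      "disable_2fa_remember": false,
      "authenticator_disable_time_drift": false,
      "require_device_email": false,
      "reload_templates": false,
      "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
      "disable_admin_token": false,
      "_enable_yubico": false,
      "_enable_duo": false,
      "_enable_smtp": false,
      "smtp_ssl": true,
      "smtp_explicit_tls": false,
      "smtp_port": 587,
      "smtp_from_name": "Vaultwarden",
      "smtp_timeout": 15,
      "smtp_accept_invalid_certs": false,
      "smtp_accept_invalid_hostnames": false,
      "_enable_email_2fa": false,
      "email_token_size": 6,
      "email_expiration_time": 600,
      "email_attempts_limit": 3
    }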
---
# Backing storage for the /data mount. ReadWriteOnce is sufficient because
# the Deployment runs a single replica with the Recreate strategy, so the
# volume is never attached to two pods at once.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: vaultwarden-data
  namespace: vaultwarden
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
      storage: 4Gi
---
# Cluster-internal Service (no type given, so ClusterIP) that the Traefik
# IngressRoute targets. targetPort is omitted, so each port forwards to the
# same number on the pod: 80 for HTTP and 3012 for the websocket
# notifications hub enabled by WEBSOCKET_ENABLED in the Deployment.
apiVersion: v1
kind: Service
metadata:
  name: vaultwarden
  namespace: vaultwarden
spec:
  selector:
    app.kubernetes.io/name: vaultwarden
  ports:
    - name: http
      port: 80
    - name: websocket
      port: 3012
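---
# Single replica with Recreate: the PVC is ReadWriteOnce and the server keeps
# local state under /data, so a rolling update must not start the new pod
# before the old one has released the volume.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vaultwarden
  namespace: vaultwarden
spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/name: vaultwarden
  template:
    metadata:
      labels:
        app.kubernetes.io/name: vaultwarden
    spec:
      # The pod never needs the Kubernetes API; do not mount a token.
      automountServiceAccountToken: false
      initContainers:
        # Seed /data/config.json from the ConfigMap on every start; -f
        # overwrites a previous copy so the ConfigMap stays authoritative.
        - name: vaultwarden-init
          image: vaultwarden/server:1.23.1
          command:
            - cp
            - -f
            - /config/config.json
            - /data/config.json
          volumeMounts:
            - name: vaultwarden-data
              mountPath: /data
            - name: vaultwarden-config
              mountPath: /config
              readOnly: true
      containers:
        - name: vaultwarden
          # Pinned to a version tag; pinning to an image digest instead
          # makes the rollout reproducible and tamper-evident.
          image: vaultwarden/server:1.23.1
          ports:
            - name: http
              containerPort: 80
            # Declared so the Service's websocket port (3012) is visibly
            # backed; WEBSOCKET_ENABLED below makes the server listen on it.
            - name: websocket
              containerPort: 3012
          livenessProbe:
            httpGet:
              path: /alive
              port: 80
          env:
            - name: LOG_LEVEL
              value: info
            - name: EXTENDED_LOGGING
              value: "true"
            - name: WEBSOCKET_ENABLED
              value: "true"
          volumeMounts:
            - name: vaultwarden-data
              mountPath: /data
      volumes:
        - name: vaultwarden-data
          persistentVolumeClaim:
            claimName: vaultwarden-data
        - name: vaultwarden-config
          configMap:
            name: vaultwarden-config
            items:
              - key: config.json
                path: config.json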
---
# TLS certificate for the ingress host, requested from the cluster-wide
# issuer and stored in the Secret that the IngressRoute's tls block names.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: vaultwarden
  namespace: vaultwarden
spec:
  dnsNames:
    - vaultwarden.example.home.arpa
  secretName: vaultwarden-certificate
  issuerRef:
    name: cert-manager-default-clusterissuer
    kind: ClusterIssuer
---
# Traefik routing on the TLS entry point only. With no explicit priority,
# Traefik ranks rules by their length, so the longer second rule wins for
# the exact path /notifications/hub and sends the websocket hub to port
# 3012; Path() is an exact match, so /notifications/hub/negotiate and every
# other path of the host (including /admin) go to the HTTP port 80.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: vaultwarden
  namespace: vaultwarden
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`vaultwarden.example.home.arpa`)
      kind: Rule
      services:
        - name: vaultwarden
          port: 80
    - match: Host(`vaultwarden.example.home.arpa`) && Path(`/notifications/hub`)
      kind: Rule
      services:
        - name: vaultwarden
          port: 3012
  tls:
    secretName: vaultwarden-certificate