Last active
January 17, 2022 18:23
-
-
Save ondrejmo/6d56011a5506a02c814addc5ad8fff41 to your computer and use it in GitHub Desktop.
Example k8s deployment of Vaultwarden (requirements: cert-manager, traefik-ingress, longhorn)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| apiVersion: v1 | |
| kind: Namespace | |
| metadata: | |
| name: vaultwarden | |
| --- | |
| apiVersion: networking.k8s.io/v1 | |
| kind: NetworkPolicy | |
| metadata: | |
| name: vaultwarden | |
| namespace: vaultwarden | |
| spec: | |
| podSelector: {} | |
| policyTypes: | |
| - Egress | |
| --- | |
| apiVersion: v1 | |
| kind: ConfigMap | |
| metadata: | |
| name: vaultwarden-config | |
| namespace: vaultwarden | |
| data: | |
| config.json: | | |
| { | |
| "domain": "https://vaultwarden.example.home.arpa", | |
| "sends_allowed": true, | |
| "disable_icon_download": true, | |
| "signups_allowed": false, | |
| "signups_verify": false, | |
| "signups_verify_resend_time": 3600, | |
| "signups_verify_resend_limit": 6, | |
| "invitations_allowed": false, | |
| "password_iterations": 100000, | |
| "show_password_hint": false, | |
| "ip_header": "X-Real-IP", | |
| "icon_cache_ttl": 0, | |
| "icon_cache_negttl": 0, | |
| "icon_download_timeout": 10, | |
| "icon_blacklist_non_global_ips": false, | |
| "disable_2fa_remember": false, | |
| "authenticator_disable_time_drift": false, | |
| "require_device_email": false, | |
| "reload_templates": false, | |
| "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", | |
| "disable_admin_token": true, | |
| "_enable_yubico": false, | |
| "_enable_duo": false, | |
| "_enable_smtp": false, | |
| "smtp_ssl": true, | |
| "smtp_explicit_tls": false, | |
| "smtp_port": 587, | |
| "smtp_from_name": "Vaultwarden", | |
| "smtp_timeout": 15, | |
| "smtp_accept_invalid_certs": false, | |
| "smtp_accept_invalid_hostnames": false, | |
| "_enable_email_2fa": false, | |
| "email_token_size": 6, | |
| "email_expiration_time": 600, | |
| "email_attempts_limit": 3 | |
| } | |
| --- | |
| apiVersion: v1 | |
| kind: PersistentVolumeClaim | |
| metadata: | |
| name: vaultwarden-data | |
| namespace: vaultwarden | |
| spec: | |
| accessModes: | |
| - ReadWriteOnce | |
| storageClassName: longhorn | |
| resources: | |
| requests: | |
| storage: 4Gi | |
| --- | |
| apiVersion: v1 | |
| kind: Service | |
| metadata: | |
| name: vaultwarden | |
| namespace: vaultwarden | |
| spec: | |
| selector: | |
| app.kubernetes.io/name: vaultwarden | |
| ports: | |
| - name: http | |
| port: 80 | |
| - name: websocket | |
| port: 3012 | |
| --- | |
| apiVersion: apps/v1 | |
| kind: Deployment | |
| metadata: | |
| name: vaultwarden | |
| namespace: vaultwarden | |
| spec: | |
| replicas: 1 | |
| strategy: | |
| type: Recreate | |
| selector: | |
| matchLabels: | |
| app.kubernetes.io/name: vaultwarden | |
| template: | |
| metadata: | |
| labels: | |
| app.kubernetes.io/name: vaultwarden | |
| spec: | |
| automountServiceAccountToken: false | |
| initContainers: | |
| - name: vaultwarden-init | |
| image: vaultwarden/server:1.23.1 | |
| command: | |
| - cp | |
| - -f | |
| - /config/config.json | |
| - /data/config.json | |
| volumeMounts: | |
| - name: vaultwarden-data | |
| mountPath: /data | |
| - name: vaultwarden-config | |
| mountPath: /config | |
| containers: | |
| - name: vaultwarden | |
| image: vaultwarden/server:1.23.1 | |
| ports: | |
| - containerPort: 80 | |
| livenessProbe: | |
| httpGet: | |
| path: /alive | |
| port: 80 | |
| env: | |
| - name: LOG_LEVEL | |
| value: info | |
| - name: EXTENDED_LOGGING | |
| value: "true" | |
| - name: WEBSOCKET_ENABLED | |
| value: "true" | |
| volumeMounts: | |
| - name: vaultwarden-data | |
| mountPath: /data | |
| volumes: | |
| - name: vaultwarden-data | |
| persistentVolumeClaim: | |
| claimName: vaultwarden-data | |
| - name: vaultwarden-config | |
| configMap: | |
| name: vaultwarden-config | |
| items: | |
| - key: config.json | |
| path: config.json | |
| --- | |
| apiVersion: cert-manager.io/v1 | |
| kind: Certificate | |
| metadata: | |
| name: vaultwarden | |
| namespace: vaultwarden | |
| spec: | |
| dnsNames: | |
| - vaultwarden.example.home.arpa | |
| secretName: vaultwarden-certificate | |
| issuerRef: | |
| name: cert-manager-default-clusterissuer | |
| kind: ClusterIssuer | |
| --- | |
| apiVersion: traefik.containo.us/v1alpha1 | |
| kind: IngressRoute | |
| metadata: | |
| name: vaultwarden | |
| namespace: vaultwarden | |
| spec: | |
| entryPoints: | |
| - websecure | |
| routes: | |
| - match: Host(`vaultwarden.example.home.arpa`) | |
| kind: Rule | |
| services: | |
| - name: vaultwarden | |
| port: 80 | |
| - match: Host(`vaultwarden.example.home.arpa`) && Path(`/notifications/hub`) | |
| kind: Rule | |
| services: | |
| - name: vaultwarden | |
| port: 3012 | |
| tls: | |
| secretName: vaultwarden-certificate |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment