@ondrejmo
Last active January 17, 2022 18:23
Example k8s deployment of Vaultwarden (requirements: cert-manager, traefik-ingress, longhorn)
---
apiVersion: v1
kind: Namespace
metadata:
  name: vaultwarden
---
# Selects every pod in the namespace and declares no egress rules, so all
# outbound traffic from Vaultwarden is denied (icon download and SMTP are
# disabled in the config below, so nothing outbound is needed). Ingress is
# left unrestricted by this policy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: vaultwarden
  namespace: vaultwarden
spec:
  podSelector: {}
  policyTypes:
    - Egress
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: vaultwarden-config
  namespace: vaultwarden
data:
  # Copied to /data/config.json by the init container below.
  # Note: with "disable_admin_token": true the /admin routes are served
  # without any credential, and the IngressRoute below does not restrict
  # that path; only an authenticating proxy in front of it would.
  config.json: |
    {
      "domain": "https://vaultwarden.example.home.arpa",
      "sends_allowed": true,
      "disable_icon_download": true,
      "signups_allowed": false,
      "signups_verify": false,
      "signups_verify_resend_time": 3600,
      "signups_verify_resend_limit": 6,
      "invitations_allowed": false,
      "password_iterations": 100000,
      "show_password_hint": false,
      "ip_header": "X-Real-IP",
      "icon_cache_ttl": 0,
      "icon_cache_negttl": 0,
      "icon_download_timeout": 10,
      "icon_blacklist_non_global_ips": false,
      "disable_2fa_remember": false,
      "authenticator_disable_time_drift": false,
      "require_device_email": false,
      "reload_templates": false,
      "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
      "disable_admin_token": true,
      "_enable_yubico": false,
      "_enable_duo": false,
      "_enable_smtp": false,
      "smtp_ssl": true,
      "smtp_explicit_tls": false,
      "smtp_port": 587,
      "smtp_from_name": "Vaultwarden",
      "smtp_timeout": 15,
      "smtp_accept_invalid_certs": false,
      "smtp_accept_invalid_hostnames": false,
      "_enable_email_2fa": false,
      "email_token_size": 6,
      "email_expiration_time": 600,
      "email_attempts_limit": 3
    }
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: vaultwarden-data
  namespace: vaultwarden
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
      storage: 4Gi
---
apiVersion: v1
kind: Service
metadata:
  name: vaultwarden
  namespace: vaultwarden
spec:
  selector:
    app.kubernetes.io/name: vaultwarden
  ports:
    - name: http
      port: 80
    - name: websocket
      port: 3012
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vaultwarden
  namespace: vaultwarden
spec:
  replicas: 1
  strategy:
    # Recreate rather than RollingUpdate: the ReadWriteOnce volume can only
    # be attached to one pod at a time.
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/name: vaultwarden
  template:
    metadata:
      labels:
        app.kubernetes.io/name: vaultwarden
    spec:
      # The pod never talks to the Kubernetes API, so keep the SA token out of it.
      automountServiceAccountToken: false
      initContainers:
        # Overwrites /data/config.json with the ConfigMap copy on every start,
        # so edits made through the admin panel do not persist.
        - name: vaultwarden-init
          image: vaultwarden/server:1.23.1
          command:
            - cp
            - -f
            - /config/config.json
            - /data/config.json
          volumeMounts:
            - name: vaultwarden-data
              mountPath: /data
            - name: vaultwarden-config
              mountPath: /config
      containers:
        - name: vaultwarden
          image: vaultwarden/server:1.23.1
          ports:
            - name: http
              containerPort: 80
            - name: websocket
              containerPort: 3012
          livenessProbe:
            httpGet:
              path: /alive
              port: 80
          env:
            - name: LOG_LEVEL
              value: info
            - name: EXTENDED_LOGGING
              value: "true"
            - name: WEBSOCKET_ENABLED
              value: "true"
          volumeMounts:
            - name: vaultwarden-data
              mountPath: /data
      volumes:
        - name: vaultwarden-data
          persistentVolumeClaim:
            claimName: vaultwarden-data
        - name: vaultwarden-config
          configMap:
            name: vaultwarden-config
            items:
              - key: config.json
                path: config.json
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: vaultwarden
  namespace: vaultwarden
spec:
  dnsNames:
    - vaultwarden.example.home.arpa
  secretName: vaultwarden-certificate
  issuerRef:
    name: cert-manager-default-clusterissuer
    kind: ClusterIssuer
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: vaultwarden
  namespace: vaultwarden
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`vaultwarden.example.home.arpa`)
      kind: Rule
      services:
        - name: vaultwarden
          port: 80
    # Traefik prefers the longer (more specific) rule, so the websocket
    # notifications hub goes to port 3012 and everything else to port 80.
    - match: Host(`vaultwarden.example.home.arpa`) && Path(`/notifications/hub`)
      kind: Rule
      services:
        - name: vaultwarden
          port: 3012
  tls:
    secretName: vaultwarden-certificate
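Added check, not part of the gist: a small standard-library Python lint over the security-relevant keys of the config.json above, showing which settings in this deployment pass and which deserve a second look. The embedded sample is a constructed copy of the gist's values, and the iteration threshold is an assumption (the current Bitwarden client default, not the 1.23.1 server default).

```python
import json

# Constructed copy of the security-relevant keys from the gist's config.json,
# with the same values the ConfigMap above sets.
GIST_CONFIG = """{
  "domain": "https://vaultwarden.example.home.arpa",
  "signups_allowed": false,
  "invitations_allowed": false,
  "show_password_hint": false,
  "password_iterations": 100000,
  "disable_admin_token": true,
  "_enable_smtp": false,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false
}"""

# Assumption: threshold taken from the current Bitwarden client default;
# the 1.23.1 server default was 100000, which is what the gist uses.
MIN_PBKDF2_ITERATIONS = 600000


def lint_vaultwarden_config(raw: str) -> list:
    """Return human-readable findings; an empty list means every rule passed.
    The .get() defaults mirror the server's own defaults for absent keys."""
    cfg = json.loads(raw)
    findings = []

    # With the token check disabled every /admin route is served without a
    # credential, so only an authenticating proxy in front of it can gate it.
    if cfg.get("disable_admin_token", False):
        findings.append("admin panel served without authentication "
                        "(disable_admin_token=true)")
    if not str(cfg.get("domain", "")).startswith("https://"):
        findings.append("domain is not an https:// URL")
    if cfg.get("signups_allowed", True):
        findings.append("open registration (signups_allowed=true)")
    if cfg.get("show_password_hint", True):
        findings.append("password hints shown on the login page")
    if cfg.get("password_iterations", 0) < MIN_PBKDF2_ITERATIONS:
        findings.append("password_iterations below %d" % MIN_PBKDF2_ITERATIONS)
    # TLS-validation toggles only matter when SMTP is actually switched on.
    if cfg.get("_enable_smtp", True) and (cfg.get("smtp_accept_invalid_certs")
                                         or cfg.get("smtp_accept_invalid_hostnames")):
        findings.append("SMTP TLS certificate validation weakened")
    return findings


if __name__ == "__main__":
    for finding in lint_vaultwarden_config(GIST_CONFIG):
        print("FINDING:", finding)
```

Run against the gist's values it reports exactly two findings: the unauthenticated admin panel and the iteration count; signups, invitations, hints and the https domain all pass.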