Vaultwarden, formerly known as Bitwarden_RS, is an "alternative implementation of the Bitwarden server API written in Rust and compatible with upstream Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal."
git clone https://github.com/guerzon/vaultwarden
cd vaultwarden
helm install my-vaultwarden-release charts/vaultwarden/
This Helm chart is used to deploy vaultwarden
with a stable configuration to Kubernetes clusters.
The upstream repository for the vaultwarden
project can be found here. To learn more about Vaultwarden, please visit the wiki.
- Kubernetes 1.12+
- Helm 3.1.0
To deploy the chart with the release name vaultwarden-release
:
export NAMESPACE=vaultwarden
export DOMAIN_NAME=pass.company.com
helm install vaultwarden-release charts/vaultwarden/ \
--namespace $NAMESPACE \
--set "ingress.enabled=true" \
--set "ingress.hostname=$DOMAIN_NAME"
To deploy the chart to another namespace using custom values in the file demo.yaml
:
export NAMESPACE=vaultwarden-demo
export RELEASE_NAME=vaultwarden-demo
helm upgrade -i \
-n $NAMESPACE $RELEASE_NAME charts/vaultwarden/ \
-f demo.yaml
This chart deploys vaultwarden
from pre-built images on Docker Hub: vaultwarden/server
. The image can be defined by specifying the tag with image.tag
.
Example that uses the Alpine-based image 1.24.0-alpine
and an existing secret that contains registry credentials:
image:
tag: "1.24.0-alpine"
pullSecrets:
- myRegKey
Important: specify the URL used by users with the domain
variable, otherwise, some functionalities might not work:
domain: "https://vaultwarden.contoso.com:9443/"
Detailed configuration options can be found in the Vaultwarden settings section.
By default, vaultwarden
uses a SQLite database located in /data/db.sqlite3
. However, it is also possible to make use of an external database, in particular either MySQL or PostgreSQL.
To configure an external database, set database.type
to either mysql
or postgresql
and specify the datase connection information.
Example for using an external MySQL database:
database:
type: mysql
host: database.contoso.eu
username: appuser
password: apppassword
dbName: prodapp
You can also specify the connection string:
database:
type: postgresql
uriOverride: "postgresql://appuser:[email protected]:5433/qualdb"
Alternatively, you could create a Kubernetes secret containing the database URI:
DB_STRING="postgresql://appuser:[email protected]:5433/qualdb"
kubectl -n vaultwarden create secret generic prod-db-creds --from-literal=secret-uri=$DB_STRING
Then pass the name of the secret and the key to the chart:
database:
type: postgresql
existingSecret: "prod-db-creds"
existingSecretKey: "secret-uri"
Detailed configuration options can be found in the Database Configuration section.
This chart supports the usage of existing Ingress Controllers for exposing the vaultwarden
deployment.
Nginx ingress controller can be installed by following this guide. An SSL certificate can be added as a secret with a few commands:
cd <dir-containing-the-certs>
kubectl create secret -n vaultwarden \
tls vw-constoso-com-crt \
--key privkey.pem \
--cert fullchain.pem
Once both prerequisites are ready, values can be set as follows:
ingress:
enabled: true
class: "nginx"
tlsSecret: vw-constoso-com-crt
hostname: vaultwarden.contoso.com
allowList: "10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16"
When using AWS, the AWS Load Balancer controller can be used together with ACM.
Example for AWS:
ingress:
enabled: true
class: "alb"
hostname: vaultwarden.contoso.com
additionalAnnotations:
alb.ingress.kubernetes.io/scheme: internet-facing
alb.ingress.kubernetes.io/tags: Environment=dev,Team=test
alb.ingress.kubernetes.io/certificate-arn: "arn:aws:acm:eu-central-1:ACCOUNT:certificate/LONGID"
Detailed configuration options can be found in the Exposure Parameters section.
An admin token can be generated with: openssl rand -base64 48
.
By default, the chart deploys a service account called vaultwarden-svc
.
serviceAccount:
create: true
name: "vaultwarden-svc"
Detailed configuration options can be found in the Security settings section.
To enable the SMTP service, make sure that at a minimum, smtp.host
and smtp.from
are set.
smtp:
host: mx01.contoso.com
from: [email protected]
fromName: "Vault Administrator"
username: admin
password: password
acceptInvalidHostnames: "true"
acceptInvalidCerts: "true"
Detailed configuration options can be found in the SMTP Configuration section.
To use persistent storage using a claim, set storage.enabled
to true
. The following example sets the storage class to an already-installed Rancher's local path storage provisioner.
storage:
enabled: true
size: "10Gi"
class: "local-path"
Example for AWS:
storage:
enabled: true
size: "10Gi"
class: "gp2"
Detailed configuration options can be found in the Storage Configuration section.
I have written a detailed post about deploying Vaultwarden in Google Kubernetes Engine here.
Refer to the detailed parameter documentation here.
To uninstall/delete the vaultwarden-demo
release:
export NAMESPACE=vaultwarden
export RELEASE_NAME=vaultwarden-demo
helm -n $NAMESPACE uninstall $RELEASE_NAME
Please do your due-diligence before using this chart for a production deployment.
Nevertheless, if you find any issues while using this chart, or have any suggestions, I would appreciate it if you would submit an issue. Alternatively, PRs are appreciated!
MIT.
This Helm chart was created and is being maintained by Lester Guerzon.