Setup Vaultwarden on Kubernetes cluster #127

Merged
merged 40 commits into from
May 30, 2025
Changes from 15 commits

40 commits
05633e1 create argocd app (lowpolyneko, May 13, 2025)
8774b2e add deployment (lowpolyneko, May 13, 2025)
158795a use my branch for testing (lowpolyneko, May 13, 2025)
a8d57ac use default project (lowpolyneko, May 13, 2025)
0d05c0d use https instead of ssh (lowpolyneko, May 13, 2025)
76f42b5 correct invalid indent (lowpolyneko, May 13, 2025)
cd638a9 add ingressroute (lowpolyneko, May 13, 2025)
6f4958d use self-signed CA (lowpolyneko, May 13, 2025)
d04b23f expose container port (lowpolyneko, May 13, 2025)
cc9e8b5 add name to container port (lowpolyneko, May 13, 2025)
07af0a8 admin_token secret (lowpolyneko, May 14, 2025)
275382c setup ldap sync (lowpolyneko, May 14, 2025)
3f1de89 missing valueFrom (lowpolyneko, May 14, 2025)
36aca00 disable TLS verify (lowpolyneko, May 14, 2025)
6fa194e use localhost to prevent SSL (lowpolyneko, May 14, 2025)
4c4a593 use internal dns domain (lowpolyneko, May 15, 2025)
039fc01 use annotations instead of VaultStaticSecret (lowpolyneko, May 15, 2025)
86557aa source injected template before running (lowpolyneko, May 15, 2025)
1f6d045 pass self-signed CA to agent (lowpolyneko, May 15, 2025)
7a22254 typo (lowpolyneko, May 15, 2025)
291b5a9 Revert "typo" (lowpolyneko, May 15, 2025)
146603b Revert "pass self-signed CA to agent" (lowpolyneko, May 15, 2025)
4de57c6 Revert "source injected template before running" (lowpolyneko, May 15, 2025)
0d07c32 Revert "use annotations instead of VaultStaticSecret" (lowpolyneko, May 15, 2025)
f27dfdf base64 decode ldap creds (lowpolyneko, May 15, 2025)
5dab868 templateSpecs not templates (lowpolyneko, May 15, 2025)
50a0e6b decode ADMIN_TOKEN (lowpolyneko, May 15, 2025)
2340321 Revert "decode ADMIN_TOKEN" (lowpolyneko, May 15, 2025)
a8f77a9 http not https (lowpolyneko, May 15, 2025)
6b796e4 Revert "templateSpecs not templates" (lowpolyneko, May 15, 2025)
4a2db87 Revert "base64 decode ldap creds" (lowpolyneko, May 15, 2025)
f8b24fd case insensitive? (lowpolyneko, May 15, 2025)
5ab6462 field not filter (lowpolyneko, May 15, 2025)
4be4e35 Revert "field not filter" (lowpolyneko, May 15, 2025)
ff7542f Revert "case insensitive?" (lowpolyneko, May 15, 2025)
a519475 use SSL (lowpolyneko, May 15, 2025)
67954f2 no tls verify (lowpolyneko, May 15, 2025)
59ba113 fix search filter (lowpolyneko, May 15, 2025)
293fc21 give up on vaultwarden-ldap (lowpolyneko, May 30, 2025)
ad732ea switch branch to main (lowpolyneko, May 30, 2025)
26 changes: 26 additions & 0 deletions kubernetes/argocd/stacks/common/vaultwarden.yml
@@ -0,0 +1,26 @@
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: vaultwarden
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
namespace: vaultwarden
server: 'https://kubernetes.default.svc'
sources:
- path: kubernetes/argocd/stacks/vaultwarden
repoURL: 'https://github.com/lowpolyneko/IaC'
targetRevision: feature/vaultwarden
directory:
recurse: true
include: '*.yml'
exclude: values.yml
project: default
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
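Review bot: `targetRevision: feature/vaultwarden` together with `syncPolicy.automated` (`prune: true`, `selfHeal: true`) means every push to that feature branch is applied to the cluster as soon as Argo CD polls it, and any in-cluster drift is reverted to whatever the branch currently says; point the Application at `main` (commit ad732ea "switch branch to main" later does this) and test from a branch only with automated sync off or in a non-production Argo CD instance. Second, `project: default` is the unrestricted built-in AppProject (any source repository, any destination cluster and namespace, cluster-scoped resources allowed); give this Application its own AppProject with `sourceRepos` limited to `https://github.com/lowpolyneko/IaC` and `destinations` limited to the `vaultwarden` namespace, so a mistaken or malicious manifest under `kubernetes/argocd/stacks/vaultwarden` cannot create resources elsewhere. Finally, `resources-finalizer.argocd.argoproj.io` makes deleting the Application cascade to everything it created, which in the other file includes the PersistentVolumeClaim holding the Vaultwarden database; whether the backing PV's reclaim policy preserves that data is worth a comment next to the finalizer.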
168 changes: 168 additions & 0 deletions kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml
@@ -0,0 +1,168 @@
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: vaultwarden
namespace: vaultwarden
annotations:
external-dns.alpha.kubernetes.io/target: app.acmuic.org
spec:
entryPoints:
- websecure
routes:
- kind: Rule
match: "Host(`bitwarden.acmuic.org`)"
services:
- kind: Service
name: vaultwarden
namespace: vaultwarden
passHostHeader: true
port: http
responseForwarding:
flushInterval: 1ms
scheme: http
strategy: RoundRobin
weight: 10
tls:
secretName: vaultwarden-tls
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: vaultwarden-tls
spec:
dnsNames:
- bitwarden.acmuic.org
secretName: vaultwarden-tls
issuerRef:
kind: ClusterIssuer
name: acmuic-self-ca
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: vaultwarden-pvc
namespace: vaultwarden
spec:
accessModes:
- ReadWriteOnce
storageClassName: nfs
resources:
requests:
storage: 20Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: vaultwarden
namespace: vaultwarden
spec:
strategy:
type:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: vaultwarden
template:
metadata:
annotations:
labels:
app.kubernetes.io/name: vaultwarden
spec:
volumes:
- name: vaultwarden-data
persistentVolumeClaim:
claimName: vaultwarden-pvc
containers:
- name: vaultwarden
image: vaultwarden/server:latest
env:
- name: DOMAIN
value: 'https://bitwarden.acmuic.org'
- name: ADMIN_TOKEN
valueFrom:
secretKeyRef:
name: vaultwarden-admin-token
key: admin_token
ports:
- containerPort: 80
name: http
volumeMounts:
- name: vaultwarden-data
mountPath: /data
- name: vaultwarden-ldap
image: vividboarder/vaultwarden_ldap:latest
env:
- name: APP_VAULTWARDEN_URL
value: 'http://localhost'
- name: APP_VAULTWARDEN_ADMIN_TOKEN
valueFrom:
secretKeyRef:
name: vaultwarden-admin-token
key: admin_token
- name: APP_LDAP_HOST
value: 'activedirectory.acmuic.org'
- name: APP_LDAP_BIND_DN
valueFrom:
secretKeyRef:
name: vaultwarden-admin-token
key: ldap_user
- name: APP_LDAP_BIND_PASSWORD
valueFrom:
secretKeyRef:
name: vaultwarden-admin-token
key: ldap_password
- name: APP_LDAP_SEARCH_BASE_DN
value: 'dc=acmuic,dc=org'
- name: APP_LDAP_SEARCH_FILTER
value: 'memberOf=CN=ACMLANAdmins,OU=ACMGroups,DC=acmuic,DC=org'
- name: APP_LDAP_MAIL_FIELD
value: 'userPrincipalName'
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: vaultwarden
namespace: vaultwarden
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: vaultwarden-vault-static-auth
namespace: vaultwarden
spec:
method: kubernetes
mount: kubernetes
namespace: vaultwarden
kubernetes:
role: vaultwarden
serviceAccount: vaultwarden
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: vaultwarden-admin-token
namespace: vaultwarden
spec:
vaultAuthRef: vaultwarden-vault-static-auth
type: kv-v2
mount: kv
path: vaultwarden
destination:
name: vaultwarden-admin-token
create: true
---
apiVersion: v1
kind: Service
metadata:
name: vaultwarden
namespace: vaultwarden
spec:
type: ClusterIP
ports:
- port: 80
targetPort: http
protocol: TCP
name: http
selector:
app.kubernetes.io/name: vaultwarden
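Review bot: both containers run unpinned images (`image: vaultwarden/server:latest` and `image: vividboarder/vaultwarden_ldap:latest`); with a `:latest` tag Kubernetes defaults `imagePullPolicy` to `Always`, so every pod restart pulls whatever the registry currently serves under that tag, and the Argo CD `selfHeal`/`prune` loop can neither notice nor roll back that change because the manifest itself never changed. Pin a version tag, ideally with a digest (`vaultwarden/server:<version>@sha256:<digest>`), and bump it deliberately. Other points in this hunk: `strategy: type:` and `template.metadata.annotations:` are empty keys; since the Deployment runs one replica on a `ReadWriteOnce` PVC, set `strategy.type: Recreate` so the old pod releases the volume before the new one starts instead of relying on the RollingUpdate default. `ADMIN_TOKEN` is handed to the server as the cleartext secret value; Vaultwarden also accepts an Argon2 PHC hash in `ADMIN_TOKEN` (produced with `vaultwarden hash`), so only the sidecar, which needs the raw token for `APP_VAULTWARDEN_ADMIN_TOKEN`, has to hold the cleartext. The sidecar sets `APP_LDAP_HOST: activedirectory.acmuic.org` with no `APP_LDAP_SSL` or port, which in that image defaults to plain LDAP on 389, so the bind DN and password from `ldap_user`/`ldap_password` leave the pod unencrypted; later commits a519475 "use SSL" and 67954f2 "no tls verify" turn TLS on but disable certificate verification, which still leaves the bind open to an on-path attacker, so trust the AD certificate chain instead. `APP_LDAP_SEARCH_FILTER` is `memberOf=CN=ACMLANAdmins,OU=ACMGroups,DC=acmuic,DC=org` without the enclosing parentheses an RFC 4515 filter needs (`(memberOf=...)`), which may be what 59ba113 "fix search filter" addresses. In the `VaultAuth`, `spec.namespace` is the Vault (Enterprise) namespace to authenticate against, not the Kubernetes namespace; on Vault OSS drop it. The `Certificate` has no `metadata.namespace` while the IngressRoute reads `vaultwarden-tls` from `vaultwarden`; it only works because the Application's destination namespace is `vaultwarden`, so set it explicitly. The pod also carries no `securityContext`, `resources`, or readiness/liveness probes.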