## @section Vaultwarden settings ## image: ## @param image.registry Vaultwarden image registry ## registry: docker.io ## @param image.repository Vaultwarden image repository ## repository: vaultwarden/server ## ## @param image.tag Vaultwarden image tag ## Ref: https://hub.docker.com/r/vaultwarden/server/tags ## tag: "1.24.0" ## @param image.pullPolicy Vaultwarden image pull policy ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images ## pullPolicy: IfNotPresent ## @param image.pullSecrets Specify docker-registry secret names ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ ## Example: ## pullSecrets: ## - myRegistryKeySecretName ## pullSecrets: [] ## @param domain Domain name where the application is accessed ## Example: https://warden.contoso.com:8443 ## domain: "" ## @param websocket.enabled Enable websocket notifications ## @param websocket.address Websocket listen address ## @param websocket.port Websocket listen port ## websocket: enabled: true address: "0.0.0.0" port: 3012 ## @param rocket.port Rocket port ## @param rocket.workers Rocket number of workers ## rocket: port: "8080" workers: "10" ## @param webVaultEnabled Enable Web Vault ## webVaultEnabled: "true" ## @section Security settings ## ## @param adminToken The admin token used for /admin ## adminToken: #existingSecret: vaultwarden existingSecretKey: ADMIN_TOKEN value: "R@ndomToken$tring" ## @param signupsAllowed By default, anyone who can access your instance can register for a new account. ## To disable this, set this parameter to false. Even when signupsAllowed=false, an existing user who is ## an organization owner or admin can still invite new users. If you want to disable this as well, set ## invitationsAllowed to false. The vaultwarden admin can invite anyone via the admin page, regardless ## of any of the restrictions above ## ## If signupDomains is set, then the value of signupsAllowed is ignored signupsAllowed: true ## @param invitationsAllowed Even when registration is disabled, organization administrators or owners can ## invite users to join organization. After they are invited, they can register with the invited email even ## if signupsAllowed is actually set to false. You can disable this functionality completely by setting ## invitationsAllowed env variable to false invitationsAllowed: true ## @param signupDomains List of domain names for users allowed to register ## signupDomains: "contoso.com" ## @param signupsVerify Whether to require account verification for newly-registered users. ## signupsVerify: "true" ## @param showPassHint Whether a password hint should be shown in the page. ## showPassHint: "false" ## @param fullnameOverride String to override the application name. ## fullnameOverride: "" ## @param serviceAccount.create Create a service account ## @param serviceAccount.name Name of the service account to create ## serviceAccount: create: true name: "vaultwarden-svc" ## @section Exposure Parameters ## ## Ingress configuration ## Refer to the README for some examples ## ingress: ## @param ingress.enabled Deploy an ingress resource. ## enabled: false ## @param ingress.class Ingress resource class ## The Ingress class to use, e. g. "nginx" for a nginx ingress controller or "alb" for a AWS LB controller. # class: "nginx" ## @param ingress.nginxIngressAnnotations Add nginx specific ingress annotations ## This annotations are only makes sense for the kubernetes nginx ingress controller (https://kubernetes.github.io/ingress-nginx/) ## nginxIngressAnnotations: true ## @param ingress.additionalAnnotations Additional annotations for the ingress resource. ## additionalAnnotations: {} ## @param ingress.tls Enable TLS on the ingress resource. ## tls: true ## @param ingress.hostname Hostname for the ingress. ## hostname: "warden.contoso.com" ## @param ingress.path Default application path for the ingress ## path: "/" ## @param ingress.pathWs Path for the websocket ingress ## pathWs: "/notifications/hub" ## @param ingress.pathType Path type for the ingress ## Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ ## pathType: "ImplementationSpecific" ## @param ingress.pathTypeWs Path type for the ingress ## Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ ## pathTypeWs: "ImplementationSpecific" ## @param ingress.tlsSecret Kubernetes secret containing the SSL certificate when using the "nginx" class. ## tlsSecret: "" ## @param ingress.nginxAllowList Comma-separated list of IP addresses and subnets to allow. ## nginxAllowList: "" ## TODO: ## - Add support for using cert-manager. ## - Support for multiple TLS hostnames. ## ## Service configuration service: ## @param service.type Service type ## type: "ClusterIP" ## @param service.annotations Additional annotations for the vaultwarden service ## annotations: {} ## @section Database Configuration ## database: ## @param database.type Database type, either mysql or postgresql ## Default is a sqlite database. ## type: "default" ## @param database.host Database hostname or IP address ## host: "" ## @param database.port Database port ## Default for MySQL is 3306, default for PostgreSQL is 5432 port: "" ## @param database.username Database username ## username: "" ## @param database.password Database password ## password: "" ## @param database.dbName Database name ## dbName: "" ## @param database.uriOverride Manually specify the DB connection string ## uriOverride: "" ## @section SMTP Configuration ## smtp: #existingSecret: vaultwarden ## @param smtp.host SMTP host ## host: "" ## @param smtp.security SMTP Encryption method ## Possible values: ## - starttls: explicit TLS using ports 587 or 25 ## - force_tls: implicit TLS using port 465 ## - off: no encryption, using port 25, unless using STARTTLS ## security: "starttls" ## @param smtp.port SMTP port ## port: 25 ## @param smtp.from SMTP sender email address ## Example: juan.delacruz@gmail.com ## from: "" ## @param smtp.fromName SMTP sender FROM ## fromName: "" ## @param smtp.username Username for the SMTP authentication. ## Example: juan ## username: existingSecretKey: SMTP_USERNAME value: "" ## @param smtp.password Password for the SMTP service. ## password: existingSecretKey: SMTP_PASSWORD value: "" ## @param smtp.authMechanism SMTP authentication mechanism ## Possible values: "Plain", "Login", "Xoauth2" ## Multiple options need to be separated by a comma. (not tested) ## authMechanism: "Plain" ## @param smtp.acceptInvalidHostnames Accept Invalid Hostnames ## acceptInvalidHostnames: "false" ## @param smtp.acceptInvalidCerts Accept Invalid Certificates ## acceptInvalidCerts: "false" ## @param smtp.debug SMTP debugging ## debug: false ## @section Storage Configuration ## storage: ## @param storage.enabled Enable configuration for persistent storage ## enabled: false ## @param storage.size Storage size for /data ## size: "15Gi" ## @param storage.class Specify the storage class ## class: "default" ## @param storage.dataDir Specify the data directory ## dataDir: "/data" ## @section Logging Configuration ## logging: ## @param logging.enabled Enable logging to a file ## enabled: false ## @param logging.logfile Specify logfile path for output log ## logfile: "/data/vaultwarden.log" ## @param logging.loglevel Specify the log level ## loglevel: "warn" ## @section Extra containers Configuration ## ## @param initContainers extra init containers for initializing the vaultwarden instance ## initContainers: [] ## @param sidecars extra containers running alongside the vaultwarden instance ## sidecars: [] ## @section Extra Configuration ## ## @param nodeSelector Node labels for pod assignment ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector ## nodeSelector: {} ## @param affinity Affinity for pod assignment ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity ## affinity: {} ## @param tolerations Tolerations for pod assignment ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ ## tolerations: []