[bitwardenrs] Update to 1.18.0 and add some missing features (#346)

2025-01-23 15:39:02 +00:00 · 2021-01-17 16:33:15 -08:00 · 2021-01-17 16:33:15 -08:00 · e928c2a4bd
commit e928c2a4bd
parent 8a5bd34f6a
8 changed files with 164 additions and 21 deletions
--- a/charts/bitwardenrs/Chart.yaml
+++ b/charts/bitwardenrs/Chart.yaml
@ -2,15 +2,15 @@ apiVersion: v2
 name: bitwardenrs
 description: Unofficial Bitwarden compatible server written in Rust
 type: application
-version: 1.1.1
-appVersion: 1.16.3
+version: 2.0.0
+appVersion: 1.18.0
 keywords:
  - bitwarden
  - bitwardenrs
  - bitwarden_rs
  - password
  - rust
-home: https://github.com/k8s-at-home/charts/tree/master/charts/bitwarden_rs
+home: https://github.com/k8s-at-home/charts/tree/master/charts/bitwardenrs
 sources:
  - https://github.com/dani-garcia/bitwarden_rs
 maintainers:
--- a/charts/bitwardenrs/README.md
+++ b/charts/bitwardenrs/README.md
@ -46,3 +46,13 @@ Alternatively, a YAML file that specifies the values for the above parameters ca
 ```console
 helm install bitwarden k8s-at-home/bitwardenrs  --values values.yaml 
 ```
+
+## Upgrading an existing Release to a new major version
+
+A major chart version change (like 1.1.1 -> 2.0.0) indicates that there is an incompatible breaking change potentially needing manual actions.
+
+### Upgrading from 1.x.x to 2.x.x
+
+Chart version 2.0.0 introduces external database support.
+ * No actions required to continue with the default sqlite backend.
+ * Refer to the `bitwardenrs.externalDatabase` section of [values.yaml](https://github.com/k8s-at-home/charts/blob/master/charts/bitwardenrs/values.yaml) to configure MySQL or PostgreSQL database backends.
--- a/charts/bitwardenrs/templates/_database.tpl
+++ b/charts/bitwardenrs/templates/_database.tpl
@ -0,0 +1,38 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Generate environment variables for external database
+*/}}
+{{- define "bitwardenrs.externalDatabaseConfigMap" -}}
+{{- with .Values.bitwardenrs.externalDatabase }}
+{{- if and .enabled (or (eq .type "postgresql") (eq .type "mysql")) }}
+{{- if and (not .existingSecret.enabled) .user }}
+DATABASE_USER: {{ .user | quote }}
+{{- end }}
+{{- if and (not .existingSecret.enabled) .password }}
+DATABASE_PASSWORD: {{ .password | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "bitwardenrs.externalDatabaseEnv" -}}
+{{- with .Values.bitwardenrs.externalDatabase }}
+{{- if and .enabled (or (eq .type "postgresql") (eq .type "mysql")) }}
+{{- if .existingSecret.enabled }}
+- name: DATABASE_USER
+  valueFrom:
+    secretKeyRef:
+      name: {{ .existingSecret.name | quote }}
+      key: {{ .existingSecret.userKey | quote }}
+- name: DATABASE_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ .existingSecret.name | quote }}
+      key: {{ .existingSecret.passwordKey | quote }}
+{{- end }}
+{{- $dbport := not (empty .port) | ternary (printf ":%v" .port) "" }}
+- name: DATABASE_URL
+  value: {{ printf "%v://$(DATABASE_USER):$(DATABASE_PASSWORD)@%v%v/%v" .type .host $dbport .database }}
+{{- end }}
+{{- end }}
+{{- end }}
--- a/charts/bitwardenrs/templates/configmap.yaml
+++ b/charts/bitwardenrs/templates/configmap.yaml
@ -12,8 +12,8 @@ data:
  WEBSOCKET_ENABLED: {{ .Values.bitwardenrs.websockets.enabled | quote }}
  {{- if and .Values.bitwardenrs.admin.enabled .Values.bitwardenrs.admin.disableAdminToken }}
  DISABLE_ADMIN_TOKEN: "true"
-    {{- end }}
-    {{- with .Values.bitwardenrs.smtp }}
+  {{- end }}
+  {{- with .Values.bitwardenrs.smtp }}
  {{- if .enabled }}
  SMTP_HOST: {{ required "SMTP host is required to enable SMTP" .host | quote }}
  SMTP_FROM: {{ required "SMTP sender address ('from') is required to enable SMTP" .from | quote }}
@ -31,6 +31,20 @@ data:
  {{- end }}
  {{- end }}
  {{- end }}
+  {{- with .Values.bitwardenrs.yubico }}
+  {{- if .enabled }}
+  {{- if .server }}
+  YUBICO_SERVER: {{ .server | quote }}
+  {{- end }}
+  {{- if and (not .existingSecret.enabled) .clientId }}
+  YUBICO_CLIENT_ID: {{ .clientId | quote }}
+  {{- end }}
+  {{- if and (not .existingSecret.enabled) .secretKey }}
+  YUBICO_SECRET_KEY: {{ .secretKey | quote }}
+  {{- end }}
+  {{- end }}
+  {{- end }}
+  {{- include "bitwardenrs.externalDatabaseConfigMap" . | nindent 2 }}
  {{- if .Values.env }}
  {{- toYaml .Values.env | nindent 2 }}
  {{- end }}
--- a/charts/bitwardenrs/templates/deployment.yaml
+++ b/charts/bitwardenrs/templates/deployment.yaml
@ -54,11 +54,11 @@ spec:
                  {{- else }}
                  name: {{ $fullName }}
                  key: admin-token
-                {{- end }}
-                {{- end }}
-                {{- end }}
-                {{- with .Values.bitwardenrs.smtp }}
-                {{- if eq .enabled true }}
+                  {{- end }}
+            {{- end }}
+            {{- end }}
+            {{- with .Values.bitwardenrs.smtp }}
+            {{- if eq .enabled true }}
            {{- if and .existingSecret.enabled (not .user) }}
            - name: SMTP_USERNAME
              valueFrom:
@ -70,9 +70,24 @@ spec:
                secretKeyRef:
                  name: {{ .existingSecret.name | quote }}
                  key: {{ .existingSecret.passwordKey | quote }}
-              {{- end }}
-          {{- end }}
-          {{- end }}
+            {{- end }}
+            {{- end }}
+            {{- end }}
+            {{- with .Values.bitwardenrs.yubico }}
+            {{- if and .enabled .existingSecret.enabled }}
+            - name: YUBICO_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .existingSecret.name | quote }}
+                  key: {{ .existingSecret.clientIdKey | quote }}
+            - name: YUBICO_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .existingSecret.name | quote }}
+                  key: {{ .existingSecret.secretKeyKey | quote }}
+            {{- end }}
+            {{- end }}
+            {{- include "bitwardenrs.externalDatabaseEnv" . | nindent 12 }}
          ports:
            - name: http
              containerPort: {{ .Values.bitwardenrs.gui.port }}
--- a/charts/bitwardenrs/templates/ingress.yaml
+++ b/charts/bitwardenrs/templates/ingress.yaml
@ -1,6 +1,7 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "bitwardenrs.fullname" . -}}
 {{- $svcPort := .Values.service.port -}}
+{{- $websockets := .Values.bitwardenrs.websockets -}}
 {{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
 apiVersion: networking.k8s.io/v1beta1
 {{- else -}}
@ -36,6 +37,16 @@ spec:
            backend:
              serviceName: {{ $fullName }}
              servicePort: {{ $svcPort }}
+          {{- if $websockets.enabled }}
+          - path: {{ . | trimSuffix "/" }}/notifications/hub
+            backend:
+              serviceName: {{ $fullName }}
+              servicePort: {{ $websockets.port }}
+          - path: {{ . | trimSuffix "/" }}/notifications/hub/negotiate
+            backend:
+              serviceName: {{ $fullName }}
+              servicePort: {{ $svcPort}}
+          {{- end }}
          {{- end }}
    {{- end }}
  {{- end }}
--- a/charts/bitwardenrs/templates/statefulset.yaml
+++ b/charts/bitwardenrs/templates/statefulset.yaml
@ -55,11 +55,11 @@ spec:
                  {{- else }}
                  name: {{ $fullName }}
                  key: admin-token
-                {{- end }}
-                {{- end }}
-                {{- end }}
-                {{- with .Values.bitwardenrs.smtp }}
-                {{- if eq .enabled true }}
+                  {{- end }}
+            {{- end }}
+            {{- end }}
+            {{- with .Values.bitwardenrs.smtp }}
+            {{- if eq .enabled true }}
            {{- if and .existingSecret.enabled (not .user) }}
            - name: SMTP_USERNAME
              valueFrom:
@ -71,9 +71,24 @@ spec:
                secretKeyRef:
                  name: {{ .existingSecret.name | quote }}
                  key: {{ .existingSecret.passwordKey | quote }}
-              {{- end }}
-          {{- end }}
-          {{- end }}
+            {{- end }}
+            {{- end }}
+            {{- end }}
+            {{- with .Values.bitwardenrs.yubico }}
+            {{- if and .enabled .existingSecret.enabled }}
+            - name: YUBICO_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .existingSecret.name | quote }}
+                  key: {{ .existingSecret.clientIdKey | quote }}
+            - name: YUBICO_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .existingSecret.name | quote }}
+                  key: {{ .existingSecret.secretKeyKey | quote }}
+            {{- end }}
+            {{- end }}
+            {{- include "bitwardenrs.externalDatabaseEnv" . | nindent 12 }}
          ports:
            - name: http
              containerPort: {{ .Values.bitwardenrs.gui.port }}
--- a/charts/bitwardenrs/values.yaml
+++ b/charts/bitwardenrs/values.yaml
@ -27,6 +27,31 @@ bitwardenrs:
      enabled: false
      name: ""
      tokenKey: ""
+  # External database configuration.
+  # Requires bitwardenrs/server >= 1.17.0 or bitwardenrs/server-{mysql,postgres} images
+  # ref: https://github.com/dani-garcia/bitwarden_rs/wiki/Using-the-MySQL-Backend
+  #      https://github.com/dani-garcia/bitwarden_rs/wiki/Using-the-PostgreSQL-Backend
+  externalDatabase:
+    enabled: false
+    # Supported values: 'mysql', 'postgresql'.
+    type: ""
+    # Database host. Required if external database is enabled.
+    host: ""
+    # Database port. Optional, default value is specific to the database backend.
+    port: ""
+    # Database name.
+    database: ""
+    # Database user.
+    user: ""
+    # Database password. Special characters must be escaped with percent encoding.
+    password: ""
+    # Use existing secret for database credentials.
+    existingSecret:
+      enabled: false
+      name: ""
+      userKey: ""
+      # Special characters in the password value must be escaped with percent encoding.
+      passwordKey: ""
  # Enable SMTP. https://github.com/dani-garcia/bitwarden_rs/wiki/SMTP-configuration
  smtp:
    enabled: false
@ -50,6 +75,21 @@ bitwardenrs:
      name: ""
      userKey: ""
      passwordKey: ""
+  # Enable Yubikey 2FA: https://github.com/dani-garcia/bitwarden_rs/wiki/Enabling-Yubikey-OTP-authentication
+  yubico:
+    enabled: false
+    # OTP verification server. Will use the default YubiCloud servers if not specified
+    server: ""
+    # API Client ID for OTP server. Ignored if existingSecret is provided.
+    clientId: ""
+    # API Secret Key for OTP server. Required if clientId is specified, ignored when using existingSecret.
+    secretKey: ""
+    # Use existing secret for API keys
+    existingSecret:
+      enabled: false
+      name: ""
+      clientIdKey: ""
+      secretKeyKey: ""

 env: {}
 # If you plan to run the WebUI on a port other than port 80, specify that here: