diff --git a/charts/bitwardenrs/Chart.yaml b/charts/bitwardenrs/Chart.yaml
index 28e7f695..ff5c82d1 100644
--- a/charts/bitwardenrs/Chart.yaml
+++ b/charts/bitwardenrs/Chart.yaml
@@ -2,15 +2,15 @@ apiVersion: v2
 name: bitwardenrs
 description: Unofficial Bitwarden compatible server written in Rust
 type: application
-version: 1.1.1
-appVersion: 1.16.3
+version: 2.0.0
+appVersion: 1.18.0
 keywords:
 - bitwarden
 - bitwardenrs
 - bitwarden_rs
 - password
 - rust
-home: https://github.com/k8s-at-home/charts/tree/master/charts/bitwarden_rs
+home: https://github.com/k8s-at-home/charts/tree/master/charts/bitwardenrs
 sources:
 - https://github.com/dani-garcia/bitwarden_rs
 maintainers:
diff --git a/charts/bitwardenrs/README.md b/charts/bitwardenrs/README.md
index b8854383..350ad331 100644
--- a/charts/bitwardenrs/README.md
+++ b/charts/bitwardenrs/README.md
@@ -46,3 +46,13 @@ Alternatively, a YAML file that specifies the values for the above parameters ca
 ```console
 helm install bitwarden k8s-at-home/bitwardenrs --values values.yaml
 ```
+
+## Upgrading an existing Release to a new major version
+
+A major chart version change (like 1.1.1 -> 2.0.0) indicates that there is an incompatible breaking change potentially needing manual actions.
+
+### Upgrading from 1.x.x to 2.x.x
+
+Chart version 2.0.0 introduces external database support.
+ * No actions required to continue with the default sqlite backend.
+ * Refer to the `bitwardenrs.externalDatabase` section of [values.yaml](https://github.com/k8s-at-home/charts/blob/master/charts/bitwardenrs/values.yaml) to configure MySQL or PostgreSQL database backends.
diff --git a/charts/bitwardenrs/templates/_database.tpl b/charts/bitwardenrs/templates/_database.tpl
new file mode 100644
index 00000000..dc762b6e
--- /dev/null
+++ b/charts/bitwardenrs/templates/_database.tpl
@@ -0,0 +1,38 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Generate environment variables for external database +*/}} +{{- define "bitwardenrs.externalDatabaseConfigMap" -}} +{{- with .Values.bitwardenrs.externalDatabase }} +{{- if and .enabled (or (eq .type "postgresql") (eq .type "mysql")) }} +{{- if and (not .existingSecret.enabled) .user }} +DATABASE_USER: {{ .user | quote }} +{{- end }} +{{- if and (not .existingSecret.enabled) .password }} +DATABASE_PASSWORD: {{ .password | quote }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} + +{{- define "bitwardenrs.externalDatabaseEnv" -}} +{{- with .Values.bitwardenrs.externalDatabase }} +{{- if and .enabled (or (eq .type "postgresql") (eq .type "mysql")) }} +{{- if .existingSecret.enabled }} +- name: DATABASE_USER + valueFrom: + secretKeyRef: + name: {{ .existingSecret.name | quote }} + key: {{ .existingSecret.userKey | quote }} +- name: DATABASE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .existingSecret.name | quote }} + key: {{ .existingSecret.passwordKey | quote }} +{{- end }} +{{- $dbport := not (empty .port) | ternary (printf ":%v" .port) "" }} +- name: DATABASE_URL + value: {{ printf "%v://$(DATABASE_USER):$(DATABASE_PASSWORD)@%v%v/%v" .type .host $dbport .database }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/bitwardenrs/templates/configmap.yaml b/charts/bitwardenrs/templates/configmap.yaml index e7a5216f..5e17a684 100644 --- a/charts/bitwardenrs/templates/configmap.yaml +++ b/charts/bitwardenrs/templates/configmap.yaml 
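Review bot: When `existingSecret.enabled` is false, `DATABASE_PASSWORD: {{ .password | quote }}` in `bitwardenrs.externalDatabaseConfigMap` renders the database password into a ConfigMap, where it is readable by anyone with ConfigMap read access and sits outside the RBAC and encryption-at-rest handling that Secrets get; the chart already keeps `admin-token` in a Secret (the `secretKeyRef` in the deployment hunk), so the inline password should go into that Secret and `bitwardenrs.externalDatabaseEnv` should emit a `secretKeyRef` entry for it, and `YUBICO_SECRET_KEY` in the configmap.yaml hunk has the same problem. Neither `.type` nor `.host` is validated: with `enabled: true` and a `type` outside `mysql`/`postgresql` (for example `postgres`), or an empty `host`, both defines render nothing and the server presumably starts on the default sqlite backend without any error, even though values.yaml documents `host` as required; matching the SMTP block's use of `required`, the `printf` should take `(required "bitwardenrs.externalDatabase.host is required when externalDatabase is enabled" .host)`, and the combined `if and .enabled (...)` should be split so the type test gets an `{{- else }}{{ fail (printf "unsupported externalDatabase.type %q" .type) }}` branch. `DATABASE_URL` is the only rendered scalar in the file without `| quote`; adding it keeps the value a string whatever `.host` or `.database` expand to.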
@@ -12,8 +12,8 @@ data: WEBSOCKET_ENABLED: {{ .Values.bitwardenrs.websockets.enabled | quote }} {{- if and .Values.bitwardenrs.admin.enabled .Values.bitwardenrs.admin.disableAdminToken }} DISABLE_ADMIN_TOKEN: "true" - {{- end }} - {{- with .Values.bitwardenrs.smtp }} + {{- end }} + {{- with .Values.bitwardenrs.smtp }} {{- if .enabled }} SMTP_HOST: {{ required "SMTP host is required to enable SMTP" .host | quote }} SMTP_FROM: {{ required "SMTP sender address ('from') is required to enable SMTP" .from | quote }} @@ -31,6 +31,20 @@ data: {{- end }} {{- end }} {{- end }} + {{- with .Values.bitwardenrs.yubico }} + {{- if .enabled }} + {{- if .server }} + YUBICO_SERVER: {{ .server | quote }} + {{- end }} + {{- if and (not .existingSecret.enabled) .clientId }} + YUBICO_CLIENT_ID: {{ .clientId | quote }} + {{- end }} + {{- if and (not .existingSecret.enabled) .secretKey }} + YUBICO_SECRET_KEY: {{ .secretKey | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- include "bitwardenrs.externalDatabaseConfigMap" . | nindent 2 }} {{- if .Values.env }} {{- toYaml .Values.env | nindent 2 }} {{- end }} \ No newline at end of file diff --git a/charts/bitwardenrs/templates/deployment.yaml b/charts/bitwardenrs/templates/deployment.yaml index f42fcc94..8d3990dd 100644 --- a/charts/bitwardenrs/templates/deployment.yaml +++ b/charts/bitwardenrs/templates/deployment.yaml @@ -54,11 +54,11 @@ spec: {{- else }} name: {{ $fullName }} key: admin-token - {{- end }} - {{- end }} - {{- end }} - {{- with .Values.bitwardenrs.smtp }} - {{- if eq .enabled true }} + {{- end }} + {{- end }} + {{- end }} + {{- with .Values.bitwardenrs.smtp }} + {{- if eq .enabled true }} {{- if and .existingSecret.enabled (not .user) }} - name: SMTP_USERNAME valueFrom: 
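Review bot: In the yubico block of the second configmap.yaml hunk, `{{- if and (not .existingSecret.enabled) .secretKey }}` silently omits `YUBICO_SECRET_KEY` when `clientId` is set but `secretKey` is empty, even though values.yaml documents the key as required in that case, so the server would receive a client id with no key and the misconfiguration only shows up at runtime. The SMTP block directly above enforces its required fields with `required`, so this should match: guard on `{{- if and (not .existingSecret.enabled) .clientId }}` and emit `YUBICO_SECRET_KEY: {{ required "bitwardenrs.yubico.secretKey is required when clientId is set" .secretKey | quote }}`. The file still ends without a trailing newline (`\ No newline at end of file`), which this commit could fix while it is already touching the tail of the file.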
@@ -70,9 +70,24 @@ spec: secretKeyRef: name: {{ .existingSecret.name | quote }} key: {{ .existingSecret.passwordKey | quote }} - {{- end }} - {{- end }} - {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- with .Values.bitwardenrs.yubico }} + {{- if and .enabled .existingSecret.enabled }} + - name: YUBICO_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .existingSecret.name | quote }} + key: {{ .existingSecret.clientIdKey | quote }} + - name: YUBICO_SECRET_KEY + valueFrom: + secretKeyRef: + name: {{ .existingSecret.name | quote }} + key: {{ .existingSecret.secretKeyKey | quote }} + {{- end }} + {{- end }} + {{- include "bitwardenrs.externalDatabaseEnv" . | nindent 12 }} ports: - name: http containerPort: {{ .Values.bitwardenrs.gui.port }} diff --git a/charts/bitwardenrs/templates/ingress.yaml b/charts/bitwardenrs/templates/ingress.yaml index 7766f068..c23fcfef 100644 --- a/charts/bitwardenrs/templates/ingress.yaml +++ b/charts/bitwardenrs/templates/ingress.yaml @@ -1,6 +1,7 @@ {{- if .Values.ingress.enabled -}} {{- $fullName := include "bitwardenrs.fullname" . -}} {{- $svcPort := .Values.service.port -}} +{{- $websockets := .Values.bitwardenrs.websockets -}} {{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} apiVersion: networking.k8s.io/v1beta1 {{- else -}} @@ -36,6 +37,16 @@ spec: backend: serviceName: {{ $fullName }} servicePort: {{ $svcPort }} + {{- if $websockets.enabled }} + - path: {{ . | trimSuffix "/" }}/notifications/hub + backend: + serviceName: {{ $fullName }} + servicePort: {{ $websockets.port }} + - path: {{ . | trimSuffix "/" }}/notifications/hub/negotiate + backend: + serviceName: {{ $fullName }} + servicePort: {{ $svcPort}} + {{- end }} {{- end }} {{- end }} {{- end }} diff --git a/charts/bitwardenrs/templates/statefulset.yaml b/charts/bitwardenrs/templates/statefulset.yaml index 5515677c..4a6936d4 100644 --- a/charts/bitwardenrs/templates/statefulset.yaml +++ b/charts/bitwardenrs/templates/statefulset.yaml 
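Review bot: The `YUBICO_CLIENT_ID`/`YUBICO_SECRET_KEY` `secretKeyRef` block added to deployment.yaml here is duplicated verbatim in the statefulset.yaml hunk, whereas the database equivalent was factored into `bitwardenrs.externalDatabaseEnv` and included once in each workload template. Giving the yubico entries the same treatment, a `bitwardenrs.yubicoEnv` named template included with `nindent 12` next to the database include, would keep the two workload templates from drifting when one of them is edited later. The enclosing container `env` list appears to open above the hunk.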
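Review bot: `servicePort: {{ $svcPort}}` in the new `/notifications/hub/negotiate` path of ingress.yaml is missing the space before `}}` that every other action in the file has; it should read `servicePort: {{ $svcPort }}`. The new `/notifications/hub` path routes to `$websockets.port` on the same Service, which only works if the Service template exposes that port, and this commit does not touch service.yaml, so that is worth confirming. The loop that binds `.` to each configured path opens and closes outside the hunk.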
@@ -55,11 +55,11 @@ spec: {{- else }} name: {{ $fullName }} key: admin-token - {{- end }} - {{- end }} - {{- end }} - {{- with .Values.bitwardenrs.smtp }} - {{- if eq .enabled true }} + {{- end }} + {{- end }} + {{- end }} + {{- with .Values.bitwardenrs.smtp }} + {{- if eq .enabled true }} {{- if and .existingSecret.enabled (not .user) }} - name: SMTP_USERNAME valueFrom: @@ -71,9 +71,24 @@ spec: secretKeyRef: name: {{ .existingSecret.name | quote }} key: {{ .existingSecret.passwordKey | quote }} - {{- end }} - {{- end }} - {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- with .Values.bitwardenrs.yubico }} + {{- if and .enabled .existingSecret.enabled }} + - name: YUBICO_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .existingSecret.name | quote }} + key: {{ .existingSecret.clientIdKey | quote }} + - name: YUBICO_SECRET_KEY + valueFrom: + secretKeyRef: + name: {{ .existingSecret.name | quote }} + key: {{ .existingSecret.secretKeyKey | quote }} + {{- end }} + {{- end }} + {{- include "bitwardenrs.externalDatabaseEnv" . | nindent 12 }} ports: - name: http containerPort: {{ .Values.bitwardenrs.gui.port }} diff --git a/charts/bitwardenrs/values.yaml b/charts/bitwardenrs/values.yaml index 98243779..39bd41a9 100644 --- a/charts/bitwardenrs/values.yaml +++ b/charts/bitwardenrs/values.yaml 
@@ -27,6 +27,31 @@ bitwardenrs: enabled: false name: "" tokenKey: "" + # External database configuration. + # Requires bitwardenrs/server >= 1.17.0 or bitwardenrs/server-{mysql,postgres} images + # ref: https://github.com/dani-garcia/bitwarden_rs/wiki/Using-the-MySQL-Backend + # https://github.com/dani-garcia/bitwarden_rs/wiki/Using-the-PostgreSQL-Backend + externalDatabase: + enabled: false + # Supported values: 'mysql', 'postgresql'. + type: "" + # Database host. Required if external database is enabled. + host: "" + # Database port. Optional, default value is specific to the database backend. + port: "" + # Database name. + database: "" + # Database user. + user: "" + # Database password. Special characters must be escaped with percent encoding. + password: "" + # Use existing secret for database credentials. + existingSecret: + enabled: false + name: "" + userKey: "" + # Special characters in the password value must be escaped with percent encoding. + passwordKey: "" # Enable SMTP. https://github.com/dani-garcia/bitwarden_rs/wiki/SMTP-configuration smtp: enabled: false @@ -50,6 +75,21 @@ bitwardenrs: name: "" userKey: "" passwordKey: "" + # Enable Yubikey 2FA: https://github.com/dani-garcia/bitwarden_rs/wiki/Enabling-Yubikey-OTP-authentication + yubico: + enabled: false + # OTP verification server. Will use the default YubiCloud servers if not specified + server: "" + # API Client ID for OTP server. Ignored if existingSecret is provided. + clientId: "" + # API Secret Key for OTP server. Required if clientId is specified, ignored when using existingSecret. + secretKey: "" + # Use existing secret for API keys + existingSecret: + enabled: false + name: "" + clientIdKey: "" + secretKeyKey: "" env: {} # If you plan to run the WebUI on a port other than port 80, specify that here:
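Review bot: The comments on `password:` and `secretKey:` describe encoding rules but not where the inline value ends up; per the configmap.yaml and _database.tpl hunks it is rendered into the release ConfigMap, so a values file carrying these keys should not be committed as-is. A comment such as `# Inline values are rendered into the chart ConfigMap; prefer existingSecret for anything you would not commit to version control.` above each of them would make that trade-off visible where users set the value. The `passwordKey:` comment about percent encoding describes the content of the referenced Secret rather than the key name, which reads more clearly as `# Key holding the password; special characters in the stored value must be percent-encoded.`.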