| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137 |
- {{- define "vaultwarden.workload" -}}
- workload:
- vaultwarden:
- enabled: true
- primary: true
- type: Deployment
- podSpec:
- hostNetwork: {{ .Values.vaultwardenNetwork.hostNetwork }}
- containers:
- vaultwarden:
- enabled: true
- primary: true
- imageSelector: image
- securityContext:
- runAsUser: {{ .Values.vaultwardenRunAs.user }}
- runAsGroup: {{ .Values.vaultwardenRunAs.group }}
- env:
- ROCKET_PORT: {{ .Values.vaultwardenNetwork.webPort }}
- WEBSOCKET_PORT: {{ .Values.vaultwardenNetwork.wsPort }}
- WEBSOCKET_ENABLED: {{ .Values.vaultwardenNetwork.wsEnabled }}
- DATABASE_URL:
- secretKeyRef:
- name: postgres-creds
- key: POSTGRES_URL
- {{ if .Values.vaultwardenConfig.adminToken }}
- ADMIN_TOKEN:
- secretKeyRef:
- name: vaultwarden
- key: ADMIN_TOKEN
- {{ end }}
- {{ if .Values.vaultwardenNetwork.certificateID }}
- ROCKET_TLS: '{certs="/certs/public.crt",key="/certs/private.key"}'
- {{ end }}
- {{ with .Values.vaultwardenNetwork.domain }}
- DOMAIN: {{ . }}
- {{ end }}
- {{ with .Values.vaultwardenConfig.additionalEnvs }}
- envList:
- {{ range $env := . }}
- - name: {{ $env.name }}
- value: {{ $env.value }}
- {{ end }}
- {{ end }}
- probes:
- liveness:
- enabled: true
- type: exec
- command: /healthcheck.sh
- readiness:
- enabled: true
- type: exec
- command: /healthcheck.sh
- startup:
- enabled: true
- type: exec
- command: /healthcheck.sh
- initContainers:
- {{- include "ix.v1.common.app.permissions" (dict "containerName" "01-permissions"
- "UID" .Values.vaultwardenRunAs.user
- "GID" .Values.vaultwardenRunAs.group
- "mode" "check"
- "type" "install") | nindent 8 }}
- {{- include "ix.v1.common.app.postgresWait" (dict "name" "postgres-wait"
- "secretName" "postgres-creds") | nindent 8 }}
- {{/* Service */}}
- service:
- vaultwarden:
- enabled: true
- primary: true
- type: NodePort
- targetSelector: vaultwarden
- ports:
- webui:
- enabled: true
- primary: true
- port: {{ .Values.vaultwardenNetwork.webPort }}
- nodePort: {{ .Values.vaultwardenNetwork.webPort }}
- targetSelector: vaultwarden
- ws:
- enabled: {{ .Values.vaultwardenNetwork.wsEnabled }}
- port: {{ .Values.vaultwardenNetwork.wsPort }}
- nodePort: {{ .Values.vaultwardenNetwork.wsPort }}
- targetSelector: vaultwarden
- {{/* Persistence */}}
- persistence:
- data:
- enabled: true
- {{- include "ix.v1.common.app.storageOptions" (dict "storage" .Values.vaultwardenStorage.data) | nindent 4 }}
- targetSelector:
- vaultwarden:
- vaultwarden:
- mountPath: /data
- {{- if and (eq .Values.vaultwardenStorage.data.type "ixVolume")
- (not (.Values.vaultwardenStorage.data.ixVolumeConfig | default dict).aclEnable) }}
- 01-permissions:
- mountPath: /mnt/directories/data
- {{- end }}
- {{- range $idx, $storage := .Values.vaultwardenStorage.additionalStorages }}
- {{ printf "vaultwarden-%v:" (int $idx) }}
- enabled: true
- {{- include "ix.v1.common.app.storageOptions" (dict "storage" $storage) | nindent 4 }}
- targetSelector:
- vaultwarden:
- vaultwarden:
- mountPath: {{ $storage.mountPath }}
- {{- if and (eq $storage.type "ixVolume") (not ($storage.ixVolumeConfig | default dict).aclEnable) }}
- 01-permissions:
- mountPath: /mnt/directories{{ $storage.mountPath }}
- {{- end }}
- {{- end }}
- {{- if .Values.vaultwardenNetwork.certificateID }}
- cert:
- enabled: true
- type: secret
- objectName: vaultwarden-cert
- defaultMode: "0600"
- items:
- - key: tls.key
- path: private.key
- - key: tls.crt
- path: public.crt
- targetSelector:
- vaultwarden:
- vaultwarden:
- mountPath: /certs
- readOnly: true
- scaleCertificate:
- vaultwarden-cert:
- enabled: true
- id: {{ .Values.vaultwardenNetwork.certificateID }}
- {{- end -}}
- {{- end -}}
|
