
Commit 3e3ba71

add vaultwarden
1 parent a4fba37 commit 3e3ba71

10 files changed

+269
-0
lines changed

Lines changed: 41 additions & 0 deletions
@@ -0,0 +1,41 @@
1+
---
2+
apiVersion: kustomize.config.k8s.io/v1alpha1
3+
kind: Component
4+
patches:
5+
- target:
6+
kind: "Namespace"
7+
patch: |-
8+
- op: "add"
9+
path: "/metadata/labels/istio-injection"
10+
value: "enabled"
11+
- target:
12+
kind: "NetworkPolicy"
13+
patch: |-
14+
- op: add
15+
path: "/spec/egress/-"
16+
value:
17+
to:
18+
- namespaceSelector:
19+
matchLabels:
20+
kubernetes.io/metadata.name: "kube-system"
21+
podSelector:
22+
matchLabels:
23+
k8s-app: "kube-dns"
24+
ports:
25+
- port: 53
26+
protocol: "UDP"
27+
- port: 53
28+
protocol: "TCP"
29+
- op: add
30+
path: "/spec/egress/-"
31+
value:
32+
to:
33+
- namespaceSelector:
34+
matchLabels:
35+
kubernetes.io/metadata.name: "istio-system"
36+
podSelector: {}
37+
ports:
38+
- port: 15012
39+
protocol: "TCP"
40+
- port: 15014
41+
protocol: "TCP"
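Review bot: The two egress rules this patch appends to the NetworkPolicy (kube-dns on 53 and istiod on 15012/15014) are not enforced, because the base `networkpolicy.yaml` in this same commit lists only `"Ingress"` under `policyTypes`; with Egress absent from `policyTypes`, Kubernetes leaves egress unrestricted and these rules are inert. If the intent is to allow-list only DNS and istiod, the same patch should also append `- op: "add"` / `path: "/spec/policyTypes/-"` / `value: "Egress"`, after which any other outbound traffic Vaultwarden needs (SMTP, icon fetching, push relay, if configured) must be added explicitly. The Namespace patch uses `add` on `/metadata/labels/istio-injection`, which fails under JSON Patch semantics if the target Namespace has no `labels` map at all; adding `/metadata/labels` as a whole map is safer if the base namespace is unlabeled, which I cannot see from this page.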
Lines changed: 19 additions & 0 deletions
@@ -0,0 +1,19 @@
1+
---
2+
apiVersion: "networking.istio.io/v1alpha3"
3+
kind: "VirtualService"
4+
metadata:
5+
name: "vaultwarden"
6+
spec:
7+
hosts:
8+
- "vaultwarden"
9+
gateways:
10+
- "istio-system/gateway"
11+
http:
12+
- match:
13+
- uri:
14+
prefix: "/"
15+
route:
16+
- destination:
17+
host: "vaultwarden"
18+
port:
19+
number: 80
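Review bot: The VirtualService uses the `networking.istio.io/v1alpha3` API version while `v1beta1` and, on current Istio, `v1` are the supported versions of the same resource; nothing here depends on alpha-only fields, so `apiVersion: "networking.istio.io/v1"` (or `v1beta1` on older Istio) is the safer choice. The single `hosts` entry `"vaultwarden"` is a bare short name rather than an FQDN, so it only matches requests whose Host header is exactly `vaultwarden`; if the gateway serves the vault on a public domain, that domain belongs here, and Vaultwarden's own `DOMAIN` setting (not set in this commit's deployment) should agree with it. The gateway definition is not on this page, so treat the host value as something to confirm rather than a known defect.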
Lines changed: 19 additions & 0 deletions
@@ -0,0 +1,19 @@
1+
---
2+
apiVersion: "kustomize.config.k8s.io/v1alpha1"
3+
kind: "Component"
4+
resources:
5+
- "istio-virtualservice.yaml"
6+
patches:
7+
- target:
8+
kind: "NetworkPolicy"
9+
name: "vaultwarden"
10+
patch: |-
11+
- op: "add"
12+
path: "/spec/ingress/0/from/-"
13+
value:
14+
namespaceSelector:
15+
matchLabels:
16+
kubernetes.io/metadata.name: "istio-system"
17+
podSelector:
18+
matchLabels:
19+
istio: "ingressgateway"
Lines changed: 15 additions & 0 deletions
@@ -0,0 +1,15 @@
1+
---
2+
apiVersion: "kustomize.config.k8s.io/v1alpha1"
3+
kind: "Component"
4+
resources:
5+
- "pvc.yaml"
6+
patches:
7+
- target:
8+
kind: "Deployment"
9+
patch: |-
10+
- op: "replace"
11+
path: "/spec/template/spec/volumes/0"
12+
value:
13+
name: "storage"
14+
persistentVolumeClaim:
15+
claimName: "vaultwarden"
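Review bot: The `replace` on `/spec/template/spec/volumes/0` silently assumes index 0 is still the `storage` emptyDir; if a volume is ever inserted ahead of it in the base deployment, this patch swaps out the wrong entry and the vault data stays on an emptyDir with no build error. The restic component in this same commit guards a positional patch with a `test` op, and the same pattern fits here: `- op: "test"`, `path: "/spec/template/spec/volumes/0/name"`, `value: "storage"` placed before the replace. That makes the kustomize build fail loudly instead of deploying an unbacked volume.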
Lines changed: 11 additions & 0 deletions
@@ -0,0 +1,11 @@
1+
---
2+
kind: "PersistentVolumeClaim"
3+
apiVersion: "v1"
4+
metadata:
5+
name: "vaultwarden"
6+
spec:
7+
accessModes:
8+
- "ReadWriteOnce"
9+
resources:
10+
requests:
11+
storage: "10Gi"
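Review bot: The claim leaves `storageClassName` unset, so the vault's SQLite database and attachments land on whatever class the cluster marks as default, which may differ between clusters this overlay is applied to and may not be an encrypted-at-rest or replicated volume type. Pinning `storageClassName` explicitly documents that choice next to the `10Gi` request and removes the dependency on a cluster-wide default. Which classes exist is not visible from this page, so this is a recommendation to make the choice explicit rather than a known misconfiguration.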
Lines changed: 64 additions & 0 deletions
@@ -0,0 +1,64 @@
1+
---
2+
apiVersion: kustomize.config.k8s.io/v1alpha1
3+
kind: Component
4+
resources:
5+
- "../../../../infra/restic-pvc"
6+
patches:
7+
- target:
8+
kind: "CronJob"
9+
patch: |
10+
- op: "replace"
11+
path: "/spec/jobTemplate/spec/template/spec/containers/0/envFrom"
12+
value:
13+
- configMapRef:
14+
name: "vaultwarden-restic-pvc"
15+
- secretRef:
16+
name: "vaultwarden-restic-pvc"
17+
- op: "replace"
18+
path: "/spec/jobTemplate/spec/template/metadata/labels/restic~1name"
19+
value: "vaultwarden"
20+
- op: "replace"
21+
path: "/spec/jobTemplate/spec/template/spec/securityContext/runAsUser"
22+
value: 44413
23+
- op: "replace"
24+
path: "/spec/jobTemplate/spec/template/spec/securityContext/runAsGroup"
25+
value: 44413
26+
- op: "replace"
27+
path: "/spec/jobTemplate/spec/template/spec/securityContext/fsGroup"
28+
value: 44413
29+
- op: "replace"
30+
path: "/spec/jobTemplate/spec/template/spec/containers/0/securityContext/runAsUser"
31+
value: 44413
32+
- op: "replace"
33+
path: "/spec/jobTemplate/spec/template/spec/containers/0/securityContext/runAsGroup"
34+
value: 44413
35+
- op: "test"
36+
path: "/spec/jobTemplate/spec/template/spec/containers/0/env/0/name"
37+
value: "_RESTIC_TYPE"
38+
- op: "replace"
39+
path: "/spec/jobTemplate/spec/template/spec/containers/0/env/0/value"
40+
value: "sqlite"
41+
- target:
42+
kind: "CronJob"
43+
name: "restic-pvc-backup"
44+
patch: |
45+
- op: "replace"
46+
path: "/spec/schedule"
47+
value: "5 6 * * *"
48+
- op: "replace"
49+
path: "/spec/jobTemplate/spec/template/spec/volumes/0/persistentVolumeClaim/claimName"
50+
value: "vaultwarden"
51+
- target:
52+
kind: "CronJob"
53+
name: "restic-pvc-restore"
54+
patch: |
55+
- op: "replace"
56+
path: "/spec/jobTemplate/spec/template/spec/volumes/0/persistentVolumeClaim/claimName"
57+
value: "vaultwarden"
58+
- target:
59+
kind: "CronJob"
60+
name: "restic-pvc-prune"
61+
patch: |-
62+
- op: "replace"
63+
path: "/spec/schedule"
64+
value: "5 22 * * *"
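Review bot: The backup is switched to `_RESTIC_TYPE: "sqlite"` against the `vaultwarden` claim, but as far as I know Vaultwarden's `/data` directory also holds material outside the database file — `rsa_key.pem` (the JWT signing key), `attachments/`, `sends/` and `config.json` — and from this page I cannot see whether the `sqlite` mode in `infra/restic-pvc` snapshots only the database or the whole volume; if it is the former, a restore would bring back accounts but invalidate every session and lose attachments. Worth confirming against the base CronJob and recording on the `_RESTIC_TYPE` patch, e.g. `# sqlite mode: consistent backup of db.sqlite3 plus the rest of /data` once verified. The restore CronJob is pointed at the live `vaultwarden` claim with only `claimName` patched, so it should remain suspended in the base (not visible here), and because the PVC is ReadWriteOnce the backup pod and the vault pod must be able to share the volume, which typically means co-scheduling on one node.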

apps/vaultwarden/deployment.yaml

Lines changed: 67 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,67 @@
1+
---
2+
apiVersion: "apps/v1"
3+
kind: "Deployment"
4+
metadata:
5+
name: "vaultwarden"
6+
labels:
7+
app.kubernetes.io/name: "vaultwarden"
8+
spec:
9+
replicas: 1
10+
selector:
11+
matchLabels:
12+
app.kubernetes.io/name: "vaultwarden"
13+
strategy:
14+
type: "Recreate"
15+
template:
16+
metadata:
17+
labels:
18+
app: "vaultwarden"
19+
app.kubernetes.io/name: "vaultwarden"
20+
app.kubernetes.io/component: "vaultwarden"
21+
app.kubernetes.io/part-of: "vaultwarden"
22+
spec:
23+
securityContext:
24+
runAsUser: 44413
25+
runAsGroup: 44413
26+
fsGroup: 44413
27+
runAsNonRoot: true
28+
seccompProfile:
29+
type: "RuntimeDefault"
30+
containers:
31+
- name: "vaultwarden"
32+
image: "ghcr.io/dani-garcia/vaultwarden:1.33.2-alpine"
33+
imagePullPolicy: "IfNotPresent"
34+
securityContext:
35+
runAsUser: 44413
36+
runAsGroup: 44413
37+
allowPrivilegeEscalation: false
38+
readOnlyRootFilesystem: true
39+
privileged: false
40+
seccompProfile:
41+
type: "RuntimeDefault"
42+
capabilities:
43+
drop:
44+
- "ALL"
45+
env:
46+
- name: ROCKET_PORT
47+
value: "8000"
48+
resources:
49+
requests:
50+
memory: "148Mi"
51+
cpu: "10m"
52+
limits:
53+
memory: "256Mi"
54+
ports:
55+
- containerPort: 8000
56+
name: "vaultwarden"
57+
volumeMounts:
58+
- name: "storage"
59+
mountPath: "/data"
60+
topologySpreadConstraints:
61+
- maxSkew: 1
62+
topologyKey: "location"
63+
whenUnsatisfiable: "ScheduleAnyway"
64+
volumes:
65+
- name: "storage"
66+
emptyDir:
67+
sizeLimit: "100Mi"
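Review bot: The container sets only `ROCKET_PORT`, so Vaultwarden runs with its upstream defaults, and one of those — `SIGNUPS_ALLOWED=true` — means anyone who can reach the gateway route added in this commit can create an account on the vault; `SIGNUPS_ALLOWED: "false"` (or a `SIGNUPS_DOMAINS_WHITELIST`) belongs in `env` before this is exposed, and upstream also expects `DOMAIN` set to the public URL so e-mail links and WebAuthn origins are correct. The hardening already present (`runAsNonRoot`, `readOnlyRootFilesystem`, `drop: ALL`, `RuntimeDefault` seccomp) is in good shape. No `readinessProbe`/`livenessProbe` is defined; Vaultwarden's `/alive` endpoint on port `vaultwarden` is a suitable target. The base volume is an `emptyDir`, so without the pvc component the database is lost on every pod restart — a comment such as `# placeholder; replaced by the pvc component` on the `volumes` entry would make that intent explicit.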
Lines changed: 7 additions & 0 deletions
@@ -0,0 +1,7 @@
1+
---
2+
apiVersion: "kustomize.config.k8s.io/v1beta1"
3+
kind: "Kustomization"
4+
resources:
5+
- "deployment.yaml"
6+
- "service.yaml"
7+
- "networkpolicy.yaml"
Lines changed: 15 additions & 0 deletions
@@ -0,0 +1,15 @@
1+
---
2+
apiVersion: "networking.k8s.io/v1"
3+
kind: "NetworkPolicy"
4+
metadata:
5+
name: "vaultwarden"
6+
spec:
7+
podSelector: {}
8+
policyTypes:
9+
- "Ingress"
10+
ingress:
11+
- ports:
12+
- protocol: "TCP"
13+
port: "vaultwarden"
14+
from: []
15+
egress: []
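Review bot: The ingress rule with `from: []` does not deny all sources — the NetworkPolicy API treats an empty or missing `from` as "match all sources", so as written this base policy allows any pod in the cluster (subject only to the CNI) to reach port `vaultwarden` on every pod in the namespace, and it only becomes restrictive once the istio component patches a peer into `from`. If the base is meant to be closed, use `ingress: []` here and have the component add the complete rule via `path: "/spec/ingress/-"` instead of appending to rule 0. Separately, `egress: []` has no effect while `policyTypes` lists only `"Ingress"`; either add `- "Egress"` (and then allow DNS and whatever Vaultwarden needs outbound) or drop the key so the file does not read as if egress were locked down.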

apps/vaultwarden/service.yaml

Lines changed: 11 additions & 0 deletions
@@ -0,0 +1,11 @@
1+
---
2+
apiVersion: "v1"
3+
kind: "Service"
4+
metadata:
5+
name: "vaultwarden"
6+
spec:
7+
ports:
8+
- port: 80
9+
targetPort: "vaultwarden"
10+
selector:
11+
app.kubernetes.io/name: "vaultwarden"
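Review bot: The Service port carries no `name` or `appProtocol`, so with the sidecar injection enabled by the istio component Istio has to sniff the protocol on this port rather than being told it is HTTP; naming it `name: "http"` (or adding `appProtocol: "http"`) makes L7 routing, telemetry and any AuthorizationPolicy apply deterministically. `targetPort: "vaultwarden"` relies on the container port name defined in this commit's deployment, which is present, so that part is consistent.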
