feat(helm): add env, secretEnv maps for flexible env var configuration

Add three layers for setting environment variables: - env: plain key-value map for any vaultwarden env var - secretEnv: shorthand for secretKeyRef without verbose YAML - extraEnv: raw Kubernetes env spec for complex cases (fieldRef, etc.) This lets users set any vaultwarden env var without requiring chart changes, while the structured values (vaultwarden.smtp.*, database.*, etc.) remain available for validation and existingSecret integration.
2026-04-08 18:31:36 -06:00 · 2026-02-18 17:59:53 +01:00 · 2026-02-18 17:59:53 +01:00 · 834a194816
commit 834a194816
parent 761d40699a
3 changed files with 78 additions and 9 deletions
--- a/helm/vaultwarden/README.md
+++ b/helm/vaultwarden/README.md
@ -326,12 +326,48 @@ The chart runs vaultwarden as a non-root user (UID 1000) by default with a read-
 | `terminationGracePeriodSeconds` | Termination grace period | `30` |
 | `startupProbe` | Startup probe config (for slow starts) | `{}` |
 | `initContainers` | Init containers | `[]` |
-| `extraEnv` | Additional environment variables | `[]` |
 | `extraVolumes` | Additional volumes | `[]` |
 | `extraVolumeMounts` | Additional volume mounts | `[]` |
 | `podAnnotations` | Pod annotations | `{}` |
 | `podLabels` | Additional pod labels | `{}` |

+### Environment Variables
+
+The chart provides three layers for setting environment variables, from simplest to most flexible:
+
+**`env`** — plain key-value map for any vaultwarden env var:
+
+```yaml
+env:
+  SIGNUPS_ALLOWED: "true"
+  INVITATION_ORG_NAME: "My Org"
+  SENDS_ALLOWED: "true"
+```
+
+**`secretEnv`** — shorthand for sourcing env vars from Kubernetes secrets:
+
+```yaml
+secretEnv:
+  ADMIN_TOKEN:
+    secretName: my-admin-secret
+    secretKey: admin-token
+  DATABASE_URL:
+    secretName: my-db-secret
+    secretKey: database-url
+```
+
+**`extraEnv`** — raw Kubernetes env spec for complex cases (fieldRef, resourceFieldRef, etc.):
+
+```yaml
+extraEnv:
+  - name: POD_IP
+    valueFrom:
+      fieldRef:
+        fieldPath: status.podIP
+```
+
+These layers are additive and render in order: structured values (from `vaultwarden.*`), then `env`, then `secretEnv`, then `extraEnv`. Later values override earlier ones for the same env var name.
+
 ## Using Existing Secrets

 For production deployments, use `existingSecret` references instead of putting credentials in `values.yaml`. All sensitive values support `existingSecret`:
--- a/helm/vaultwarden/templates/deployment.yaml
+++ b/helm/vaultwarden/templates/deployment.yaml
@ -154,7 +154,20 @@ spec:
                  name: {{ include "vaultwarden.yubicoSecretName" . }}
                  key: {{ .Values.vaultwarden.yubico.existingSecretSecretKeyKey | default "yubico-secret-key" }}
            {{- end }}
-            {{- /* Extra env vars */}}
+            {{- /* Plain env vars from env map */}}
+            {{- range $name, $value := .Values.env }}
+            - name: {{ $name }}
+              value: {{ $value | quote }}
+            {{- end }}
+            {{- /* Secret env vars from secretEnv map */}}
+            {{- range $name, $ref := .Values.secretEnv }}
+            - name: {{ $name }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $ref.secretName }}
+                  key: {{ $ref.secretKey }}
+            {{- end }}
+            {{- /* Raw extra env vars */}}
            {{- with .Values.extraEnv }}
            {{- toYaml . | nindent 12 }}
            {{- end }}
--- a/helm/vaultwarden/values.yaml
+++ b/helm/vaultwarden/values.yaml
@ -324,15 +324,35 @@ topologySpreadConstraints: []
 # -- Init containers
 initContainers: []

-# -- Additional environment variables
+# -- Additional environment variables (plain key-value).
+# Use this to set any vaultwarden env var not covered by the structured values above.
+# These are added to the container env directly.
+env: {}
+#  SIGNUPS_ALLOWED: "false"
+#  INVITATION_ORG_NAME: "My Org"
+#  SENDS_ALLOWED: "true"
+#  EMERGENCY_ACCESS_ALLOWED: "true"
+
+# -- Environment variables sourced from Kubernetes secrets (secretKeyRef shorthand).
+# Each key is the env var name, value specifies the secret and key to read from.
+secretEnv: {}
+#  ADMIN_TOKEN:
+#    secretName: my-admin-secret
+#    secretKey: admin-token
+#  DATABASE_URL:
+#    secretName: my-db-secret
+#    secretKey: database-url
+#  SMTP_PASSWORD:
+#    secretName: my-smtp-secret
+#    secretKey: password
+
+# -- Additional environment variables (raw Kubernetes env spec).
+# Use this for complex env definitions like fieldRef, resourceFieldRef, etc.
 extraEnv: []
-#  - name: EXAMPLE_VAR
-#    value: "example"
-#  - name: SECRET_VAR
+#  - name: POD_IP
 #    valueFrom:
-#      secretKeyRef:
-#        name: my-secret
-#        key: my-key
+#      fieldRef:
+#        fieldPath: status.podIP

 # -- Additional volume mounts for the vaultwarden container
 extraVolumeMounts: []