From 834a194816abc4e16b8337795dbefe27642b9d50 Mon Sep 17 00:00:00 2001
From: Rohmilchkaese
Date: Wed, 18 Feb 2026 17:59:53 +0100
Subject: [PATCH] feat(helm): add env, secretEnv maps for flexible env var configuration

Add three layers for setting environment variables:
- env: plain key-value map for any vaultwarden env var
- secretEnv: shorthand for secretKeyRef without verbose YAML
- extraEnv: raw Kubernetes env spec for complex cases (fieldRef, etc.)

This lets users set any vaultwarden env var without requiring chart changes, while the structured values (vaultwarden.smtp.*, database.*, etc.) remain available for validation and existingSecret integration.
---
 helm/vaultwarden/README.md | 38 +++++++++++++++++++++-
 helm/vaultwarden/templates/deployment.yaml | 15 ++++++++-
 helm/vaultwarden/values.yaml | 34 +++++++++++++++----
 3 files changed, 78 insertions(+), 9 deletions(-)

diff --git a/helm/vaultwarden/README.md b/helm/vaultwarden/README.md
index 30da661a..2f1f6479 100644
--- a/helm/vaultwarden/README.md
+++ b/helm/vaultwarden/README.md
@@ -326,12 +326,48 @@ The chart runs vaultwarden as a non-root user (UID 1000) by default with a read-
 | `terminationGracePeriodSeconds` | Termination grace period | `30` |
 | `startupProbe` | Startup probe config (for slow starts) | `{}` |
 | `initContainers` | Init containers | `[]` |
-| `extraEnv` | Additional environment variables | `[]` |
 | `extraVolumes` | Additional volumes | `[]` |
 | `extraVolumeMounts` | Additional volume mounts | `[]` |
 | `podAnnotations` | Pod annotations | `{}` |
 | `podLabels` | Additional pod labels | `{}` |
 
+### Environment Variables
+
+The chart provides three layers for setting environment variables, from simplest to most flexible:
+
+**`env`** — plain key-value map for any vaultwarden env var:
+
+```yaml
+env:
+ SIGNUPS_ALLOWED: "true"
+ INVITATION_ORG_NAME: "My Org"
+ SENDS_ALLOWED: "true"
+```
+
+**`secretEnv`** — shorthand for sourcing env vars from Kubernetes secrets:
+
+```yaml
+secretEnv:
+ ADMIN_TOKEN:
+ secretName: my-admin-secret
+ secretKey: admin-token
+ DATABASE_URL:
+ secretName: my-db-secret
+ secretKey: database-url
+```
+
+**`extraEnv`** — raw Kubernetes env spec for complex cases (fieldRef, resourceFieldRef, etc.):
+
+```yaml
+extraEnv:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+```
+
+These layers are additive and render in order: structured values (from `vaultwarden.*`), then `env`, then `secretEnv`, then `extraEnv`. Later values override earlier ones for the same env var name.
+
 ## Using Existing Secrets
 
 For production deployments, use `existingSecret` references instead of putting credentials in `values.yaml`. All sensitive values support `existingSecret`:
diff --git a/helm/vaultwarden/templates/deployment.yaml b/helm/vaultwarden/templates/deployment.yaml
index 724fdc6b..c14d7897 100644
--- a/helm/vaultwarden/templates/deployment.yaml
+++ b/helm/vaultwarden/templates/deployment.yaml
@@ -154,7 +154,20 @@ spec:
 name: {{ include "vaultwarden.yubicoSecretName" . }}
 key: {{ .Values.vaultwarden.yubico.existingSecretSecretKeyKey | default "yubico-secret-key" }}
 {{- end }}
- {{- /* Extra env vars */}}
+ {{- /* Plain env vars from env map */}}
+ {{- range $name, $value := .Values.env }}
+ - name: {{ $name }}
+ value: {{ $value | quote }}
+ {{- end }}
+ {{- /* Secret env vars from secretEnv map */}}
+ {{- range $name, $ref := .Values.secretEnv }}
+ - name: {{ $name }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ref.secretName }}
+ key: {{ $ref.secretKey }}
+ {{- end }}
+ {{- /* Raw extra env vars */}}
 {{- with .Values.extraEnv }}
 {{- toYaml . | nindent 12 }}
 {{- end }}
diff --git a/helm/vaultwarden/values.yaml b/helm/vaultwarden/values.yaml
index ac940128..60c247d5 100644
--- a/helm/vaultwarden/values.yaml
+++ b/helm/vaultwarden/values.yaml
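Review bot: The `secretKeyRef` rendered from `.Values.secretEnv` does not check that `secretName` and `secretKey` are present, so a misspelled key such as `secretkey:` renders `key:` with no value and the error only surfaces at apply time, without naming the offending values entry. Helm's `required` turns that into a template-time failure that points at the right key, and quoting keeps a digit-only secret key from being retyped by the YAML parser: `name: {{ required (printf "secretEnv.%s.secretName is required" $name) $ref.secretName | quote }}` and `key: {{ required (printf "secretEnv.%s.secretKey is required" $name) $ref.secretKey | quote }}`. The `- name: {{ $name }}` lines in both loops are likewise unquoted and would benefit from `| quote` for consistency with the `value:` line. The container `env:` list these entries are appended to begins before the hunk.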
@@ -324,15 +324,35 @@ topologySpreadConstraints: []
 # -- Init containers
 initContainers: []
 
-# -- Additional environment variables
+# -- Additional environment variables (plain key-value).
+# Use this to set any vaultwarden env var not covered by the structured values above.
+# These are added to the container env directly.
+env: {}
+# SIGNUPS_ALLOWED: "false"
+# INVITATION_ORG_NAME: "My Org"
+# SENDS_ALLOWED: "true"
+# EMERGENCY_ACCESS_ALLOWED: "true"
+
+# -- Environment variables sourced from Kubernetes secrets (secretKeyRef shorthand).
+# Each key is the env var name, value specifies the secret and key to read from.
+secretEnv: {}
+# ADMIN_TOKEN:
+# secretName: my-admin-secret
+# secretKey: admin-token
+# DATABASE_URL:
+# secretName: my-db-secret
+# secretKey: database-url
+# SMTP_PASSWORD:
+# secretName: my-smtp-secret
+# secretKey: password
+
+# -- Additional environment variables (raw Kubernetes env spec).
+# Use this for complex env definitions like fieldRef, resourceFieldRef, etc.
 extraEnv: []
-# - name: EXAMPLE_VAR
-# value: "example"
-# - name: SECRET_VAR
+# - name: POD_IP
 # valueFrom:
-# secretKeyRef:
-# name: my-secret
-# key: my-key
+# fieldRef:
+# fieldPath: status.podIP
 
 # -- Additional volume mounts for the vaultwarden container
 extraVolumeMounts: []
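Review bot: The comment block above `env: {}` should state that anything set here is rendered as a plain `value:` field and therefore sits in clear text in the Deployment spec rather than in a Secret, so credentials such as `ADMIN_TOKEN` or `SMTP_PASSWORD` belong in `secretEnv` or the structured `existingSecret` options, never in `env`. A line such as `# Do not put credentials here; plain values are visible in the rendered Deployment. Use secretEnv or the existingSecret options instead.` would make that split explicit at the point where users will be editing. The `secretEnv` examples also reuse names that the structured values appear to render already (`DATABASE_URL`, `SMTP_PASSWORD`, going by the `database.*` and `vaultwarden.smtp.*` references in the commit message); setting both produces two env entries with the same name, and the override order the README describes relies on the last entry winning, so the comment should advise setting each variable through exactly one layer.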