dahjah/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2026-06-07 09:14:58 -06:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

feat(helm): add env, secretEnv maps for flexible env var configuration

Browse Source 
Add three layers for setting environment variables:
- env: plain key-value map for any vaultwarden env var
- secretEnv: shorthand for secretKeyRef without verbose YAML
- extraEnv: raw Kubernetes env spec for complex cases (fieldRef, etc.)

This lets users set any vaultwarden env var without requiring chart
changes, while the structured values (vaultwarden.smtp.*, database.*, etc.)
remain available for validation and existingSecret integration.
This commit is contained in:
Rohmilchkaese 2026-02-18 17:59:53 +01:00
parent 761d40699a
commit 834a194816
3 changed files with 78 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
helm/vaultwarden/README.md
View File

@ -326,12 +326,48 @@ The chart runs vaultwarden as a non-root user (UID 1000) by default with a read-
| `terminationGracePeriodSeconds` | Termination grace period | `30` | | `terminationGracePeriodSeconds` | Termination grace period | `30` |
| `startupProbe` | Startup probe config (for slow starts) | `{}` | | `startupProbe` | Startup probe config (for slow starts) | `{}` |
| `initContainers` | Init containers | `[]` | | `initContainers` | Init containers | `[]` |
| `extraEnv` | Additional environment variables | `[]` |
| `extraVolumes` | Additional volumes | `[]` | | `extraVolumes` | Additional volumes | `[]` |
| `extraVolumeMounts` | Additional volume mounts | `[]` | | `extraVolumeMounts` | Additional volume mounts | `[]` |
| `podAnnotations` | Pod annotations | `{}` | | `podAnnotations` | Pod annotations | `{}` |
| `podLabels` | Additional pod labels | `{}` | | `podLabels` | Additional pod labels | `{}` |
### Environment Variables
The chart provides three layers for setting environment variables, from simplest to most flexible:
**`env`** — plain key-value map for any vaultwarden env var:
```yaml
env:
SIGNUPS_ALLOWED: "true"
INVITATION_ORG_NAME: "My Org"
SENDS_ALLOWED: "true"
```
**`secretEnv`** — shorthand for sourcing env vars from Kubernetes secrets:
```yaml
secretEnv:
ADMIN_TOKEN:
secretName: my-admin-secret
secretKey: admin-token
DATABASE_URL:
secretName: my-db-secret
secretKey: database-url
```
**`extraEnv`** — raw Kubernetes env spec for complex cases (fieldRef, resourceFieldRef, etc.):
```yaml
extraEnv:
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
```
These layers are additive and render in order: structured values (from `vaultwarden.*`), then `env`, then `secretEnv`, then `extraEnv`. Later values override earlier ones for the same env var name.
## Using Existing Secrets ## Using Existing Secrets
For production deployments, use `existingSecret` references instead of putting credentials in `values.yaml`. All sensitive values support `existingSecret`: For production deployments, use `existingSecret` references instead of putting credentials in `values.yaml`. All sensitive values support `existingSecret`:

15
helm/vaultwarden/templates/deployment.yaml
View File

@ -154,7 +154,20 @@ spec:
name: {{ include "vaultwarden.yubicoSecretName" . }} name: {{ include "vaultwarden.yubicoSecretName" . }}
key: {{ .Values.vaultwarden.yubico.existingSecretSecretKeyKey | default "yubico-secret-key" }} key: {{ .Values.vaultwarden.yubico.existingSecretSecretKeyKey | default "yubico-secret-key" }}
{{- end }} {{- end }}
{{- /* Extra env vars */}} {{- /* Plain env vars from env map */}}
{{- range $name, $value := .Values.env }}
- name: {{ $name }}
value: {{ $value | quote }}
{{- end }}
{{- /* Secret env vars from secretEnv map */}}
{{- range $name, $ref := .Values.secretEnv }}
- name: {{ $name }}
valueFrom:
secretKeyRef:
name: {{ $ref.secretName }}
key: {{ $ref.secretKey }}
{{- end }}
{{- /* Raw extra env vars */}}
{{- with .Values.extraEnv }} {{- with .Values.extraEnv }}
{{- toYaml . | nindent 12 }} {{- toYaml . | nindent 12 }}
{{- end }} {{- end }}

34
helm/vaultwarden/values.yaml
View File

@ -324,15 +324,35 @@ topologySpreadConstraints: []
# -- Init containers # -- Init containers
initContainers: [] initContainers: []
# -- Additional environment variables # -- Additional environment variables (plain key-value).
# Use this to set any vaultwarden env var not covered by the structured values above.
# These are added to the container env directly.
env: {}
# SIGNUPS_ALLOWED: "false"
# INVITATION_ORG_NAME: "My Org"
# SENDS_ALLOWED: "true"
# EMERGENCY_ACCESS_ALLOWED: "true"
# -- Environment variables sourced from Kubernetes secrets (secretKeyRef shorthand).
# Each key is the env var name, value specifies the secret and key to read from.
secretEnv: {}
# ADMIN_TOKEN:
# secretName: my-admin-secret
# secretKey: admin-token
# DATABASE_URL:
# secretName: my-db-secret
# secretKey: database-url
# SMTP_PASSWORD:
# secretName: my-smtp-secret
# secretKey: password
# -- Additional environment variables (raw Kubernetes env spec).
# Use this for complex env definitions like fieldRef, resourceFieldRef, etc.
extraEnv: [] extraEnv: []
# - name: EXAMPLE_VAR # - name: POD_IP
# value: "example"
# - name: SECRET_VAR
# valueFrom: # valueFrom:
# secretKeyRef: # fieldRef:
# name: my-secret # fieldPath: status.podIP
# key: my-key
# -- Additional volume mounts for the vaultwarden container # -- Additional volume mounts for the vaultwarden container
extraVolumeMounts: [] extraVolumeMounts: []