Skip to content

guerzon/bitwarden-kubernetes

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits

LICENSE

LICENSE

 
 

README.md

README.md

 
 

configmap.yaml

configmap.yaml

 
 

ingress.yaml

ingress.yaml

 
 

namespace.yaml

namespace.yaml

 
 

rbac.yaml

rbac.yaml

 
 

secrets.yaml

secrets.yaml

 
 

service.yaml

service.yaml

 
 

statefulset.yaml

statefulset.yaml

 
 

Repository files navigation

Deploy Bitwarden in Kubernetes

This projects contains Kubernetes manifest files for deploying a production-ready self-hosted Bitwarden solution in Kubernetes. It utilizes the Rust-based implementation from https://github.com/dani-garcia/bitwarden_rs.

Advisory

This project is no longer maintained. If you are interested with running Bitwarden on Kubernetes, please consider vaultwarden instead.

Configuration

  • Objects are created in the bitwarden namespace.
  • This project specifically deploys to Amazon AWS and uses an nginx ingress controller, and thus provisions an NLB instance. Refer to this guide on Ingress Controllers for more options.
  • Application image: the statefulset deploys the default Debian-based image, which in turn uses SQLite for the database. In most use-cases this should be enough. Otherwise, please refer to this guide for choosing the right application image.

secrets.yaml:

  • SMTP credentials: The base64-encoded SMTP username and password.
  • Admin token: The admin token used to login to the admin page (/admin). Hint: generate one using openssl rand -base64 48.

configmap.yaml:

  • Set the application URL with the variable DOMAIN.
  • Set the domain with the variable SIGNUPS_DOMAINS_WHITELIST to restrict email sign-ups for users with that domain. Please note that the administrator would still be able to invite users outside of this domain using the admin page (/admin).
  • For more configuration parameters, such as adding U2F and YubiKey support, please refer to the bitwarden-rs wiki.

Prerequisites

Storage class

For simplicity, the statefulset makes use of a storage class. Here is a working example for a storage class manifest which provisions Elastic Block storage.

kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: sc-ebs-gp2-zone1
  annotations:
    storageclass.kubernetes.io/is-default-class: "true"
provisioner: kubernetes.io/aws-ebs
reclaimPolicy: Retain
allowVolumeExpansion: true
volumeBindingMode: WaitForFirstConsumer
parameters:
  type: gp2
allowedTopologies:
  - matchLabelExpressions:
    - key: failure-domain.beta.kubernetes.io/zone
      values:
        - ap-southeast-1a

SSL certificate

This project expects a secret named foo-io-wildcardssl in the bitwarden namespace. I find this guide useful for adding SSL certificates as Kubernetes secrets.

Usage

Finally, run the following command to apply the manifests:

kubectl apply -f .

Credits

  • icicimov's repo, although it appears to have been outdated, for the inspiration.

License

This work is licensed under GNU GPL v3.

About

Deploy Bitwarden in Kubernetes using the bitwarden_rs Rust-based server implementation

github.com/dani-garcia/bitwarden_rs

Topics

kubernetes bitwarden kubernetes-manifests bitwarden-rs

Resources

Readme

License

GPL-3.0 license
Activity

Stars

9 stars

Watchers

3 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published