diff --git a/charts/vaultwarden/Chart.yaml b/charts/vaultwarden/Chart.yaml
index c2394e2..ee95cd4 100644
--- a/charts/vaultwarden/Chart.yaml
+++ b/charts/vaultwarden/Chart.yaml
@@ -13,5 +13,5 @@ maintainers:
 - name: guerzon
 email: guerzon@proton.me
 url: https://github.com/guerzon
-version: 0.20.0
+version: 0.21.0
 kubeVersion: ">=1.12.0-0"
diff --git a/charts/vaultwarden/README.md b/charts/vaultwarden/README.md
index 0d1ef7f..77d20c8 100644
--- a/charts/vaultwarden/README.md
+++ b/charts/vaultwarden/README.md
@@ -275,27 +275,41 @@ helm -n $NAMESPACE uninstall $RELEASE_NAME ### Security settings -| Name | Description | Value | -| ------------------------------ | -------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- | -| `adminToken.existingSecret` | Specify an existing Kubernetes secret containing the admin token. Also set adminToken.existingSecretKey. | `""` | -| `adminToken.existingSecretKey` | When using adminToken.existingSecret, specify the key containing the token. | `""` | -| `adminToken.value` | Plain or argon2 string containing the admin token. | `$argon2id$v=19$m=19456,t=2,p=1$Vkx1VkE4RmhDMUhwNm9YVlhPQkVOZk1Yc1duSDdGRVYzd0Y5ZkgwaVg0Yz0$PK+h1ANCbzzmEKaiQfCjWw+hWFaMKvLhG2PjRanH5Kk` | -| `signupsAllowed` | By default, anyone who can access your instance can register for a new account. | `true` | -| `invitationsAllowed` | Even when registration is disabled, organization administrators or owners can | `true` | -| `signupDomains` | List of domain names for users allowed to register. For example: | `""` | -| `signupsVerify` | Whether to require account verification for newly-registered users. | `true` | -| `showPassHint` | Whether a password hint should be shown in the page. | `false` | -| `fullnameOverride` | String to override the application name. | `""` | -| `invitationOrgName` | String Name shown in the invitation emails that don't come from a specific organization | `Vaultwarden` | -| `iconBlacklistNonGlobalIps` | Whether block non-global IPs. 
| `true` | -| `ipHeader` | Client IP Header, used to identify the IP of the client | `X-Real-IP` | -| `serviceAccount.create` | Create a service account | `true` | -| `serviceAccount.name` | Name of the service account to create | `vaultwarden-svc` | -| `podSecurityContext` | Pod security options | `{}` | -| `securityContext` | Default security options to run vault as read only container without privilege escalation | `{}` | -| `yubico.clientId` | Yubico client ID | `""` | -| `yubico.secretKey` | Yubico secret key | `""` | -| `yubico.server` | Specify a Yubico server, otherwise the default servers will be used | `""` | +| Name | Description | Value | +| -------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- | +| `adminToken.existingSecret` | Specify an existing Kubernetes secret containing the admin token. Also set adminToken.existingSecretKey. | `""` | +| `adminToken.existingSecretKey` | When using adminToken.existingSecret, specify the key containing the token. | `""` | +| `adminToken.value` | Plain or argon2 string containing the admin token. | `$argon2id$v=19$m=19456,t=2,p=1$Vkx1VkE4RmhDMUhwNm9YVlhPQkVOZk1Yc1duSDdGRVYzd0Y5ZkgwaVg0Yz0$PK+h1ANCbzzmEKaiQfCjWw+hWFaMKvLhG2PjRanH5Kk` | +| `signupsAllowed` | By default, anyone who can access your instance can register for a new account. | `true` | +| `invitationsAllowed` | Even when registration is disabled, organization administrators or owners can | `true` | +| `signupDomains` | List of domain names for users allowed to register. For example: | `""` | +| `signupsVerify` | Whether to require account verification for newly-registered users. | `true` | +| `showPassHint` | Whether a password hint should be shown in the page. 
| `false` | +| `fullnameOverride` | String to override the application name. | `""` | +| `invitationOrgName` | String Name shown in the invitation emails that don't come from a specific organization | `Vaultwarden` | +| `orgCreationUsers` | Controls which users can create new orgs. | `""` | +| `orgEventsEnabled` | Controls whether event logging is enabled for organizations | `false` | +| `sendsAllowed` | Controls whether users are allowed to create Bitwarden Sends. | `true` | +| `emergencyAccessAllowed` | Controls whether users can enable emergency access to their accounts. | `true` | +| `emergencyNotifReminderSched` | Cron schedule of the job that sends expiration reminders to emergency access grantors. | `0 3 * * * *` | +| `emergencyRqstTimeoutSched` | Cron schedule of the job that grants emergency access requests that have met the required wait time. | `0 7 * * * *` | +| `eventCleanupSched` | Cron schedule of the job that cleans old events from the event table. | `0 10 0 * * *` | +| `eventsDayRetain` | Number of days to retain events stored in the database. | `""` | +| `iconService` | The predefined icon services are: internal, bitwarden, duckduckgo, google. | `internal` | +| `invitationExpirationHours` | The number of hours after which an organization invite token, emergency access invite token, | `120` | +| `requireDeviceEmail` | Require new device emails. When a user logs in an email is required to be sent. | `false` | +| `trashAutoDeleteDays` | Number of days to wait before auto-deleting a trashed item. | `""` | +| `timeZone` | Specify timezone different from the default (UTC). | `""` | +| `iconBlacklistNonGlobalIps` | Whether block non-global IPs. 
| `true` | +| `ipHeader` | Client IP Header, used to identify the IP of the client | `X-Real-IP` | +| `serviceAccount.create` | Create a service account | `true` | +| `serviceAccount.name` | Name of the service account to create | `vaultwarden-svc` | +| `podSecurityContext` | Pod security options | `{}` | +| `securityContext` | Default security options to run vault as read only container without privilege escalation | `{}` | +| `yubico.clientId` | Yubico client ID | `""` | +| `yubico.secretKey` | Yubico secret key | `""` | +| `yubico.server` | Specify a Yubico server, otherwise the default servers will be used | `""` | +| `experimentalClientFeatureFlags` | Comma separated list of experimental features to enable in clients, make sure to check which features are already enabled by default (.env.template) | `nil` | ### Exposure Parameters @@ -386,10 +400,11 @@ helm -n $NAMESPACE uninstall $RELEASE_NAME ### Logging Configuration -| Name | Description | Value | -| ------------------ | --------------------- | ----- | -| `logging.logLevel` | Specify the log level | `""` | -| `logging.logFile` | Log to a file | `""` | +| Name | Description | Value | +| ------------------ | ----------------------------------------------------------------------- | ------ | +| `logging.logLevel` | Specify the log level | `""` | +| `logging.logFile` | Log to a file | `""` | +| `extendedLogging` | Enable extended logging, which shows timestamps and targets in the logs | `true` | ### Extra Configuration 
@@ -408,3 +423,9 @@ helm -n $NAMESPACE uninstall $RELEASE_NAME
 | `podDisruptionBudget.enabled` | Enable PodDisruptionBudget settings | `false` |
 | `podDisruptionBudget.minAvailable` | Minimum number/percentage of pods that should remain scheduled. | `1` |
 | `podDisruptionBudget.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable | `nil` |
+
+### BETA Features
+
+| Name | Description | Value |
+| ------------------ | ----------------------------------------------------------- | ------- |
+| `orgGroupsEnabled` | Controls whether group support is enabled for organizations | `false` |
diff --git a/charts/vaultwarden/templates/configmap.yaml b/charts/vaultwarden/templates/configmap.yaml
index 5594906..7874945 100644
--- a/charts/vaultwarden/templates/configmap.yaml
+++ b/charts/vaultwarden/templates/configmap.yaml
@@ -72,4 +72,23 @@ data:
 {{- end }}
 {{- with .Values.experimentalClientFeatureFlags }}
 EXPERIMENTAL_CLIENT_FEATURE_FLAGS: {{ . | quote }}
- {{- end }}
\ No newline at end of file
+ {{- end }}
+ {{- with .Values.orgCreationUsers }}
+ ORG_CREATION_USERS: {{ . | quote }}
+ {{- end }}
+ ORG_EVENTS_ENABLED: {{ .Values.orgEventsEnabled | quote }}
+ ORG_GROUPS_ENABLED: {{ .Values.orgGroupsEnabled | quote }}
+ SENDS_ALLOWED: {{ .Values.sendsAllowed | quote }}
+ EMERGENCY_ACCESS_ALLOWED: {{ .Values.emergencyAccessAllowed | quote }}
+ EMERGENCY_NOTIFICATION_REMINDER_SCHEDULE: {{ .Values.emergencyNotifReminderSched | quote }}
+ EMERGENCY_REQUEST_TIMEOUT_SCHEDULE: {{ .Values.emergencyRqstTimeoutSched | quote }}
+ {{- if .Values.eventsDayRetain }}
+ EVENTS_DAYS_RETAIN: {{ .Values.eventsDayRetain | quote }}
+ EVENT_CLEANUP_SCHEDULE: {{ .Values.eventCleanupSched | quote }}
+ {{- end }}
+ EXTENDED_LOGGING: {{ .Values.extendedLogging | quote }}
+ ICON_SERVICE: {{ .Values.iconService | quote }}
+ INVITATION_EXPIRATION_HOURS: {{ .Values.invitationExpirationHours | quote}}
+ REQUIRE_DEVICE_EMAIL: {{ .Values.requireDeviceEmail | quote }}
+ TRASH_AUTO_DELETE_DAYS: {{ .Values.trashAutoDeleteDays | quote }}
+ TZ: {{ .Values.timeZone | quote }}
diff --git a/charts/vaultwarden/values.yaml b/charts/vaultwarden/values.yaml
index b4e16fe..985a926 100644
--- a/charts/vaultwarden/values.yaml
+++ b/charts/vaultwarden/values.yaml
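Review bot: `TRASH_AUTO_DELETE_DAYS` and `TZ` are rendered unconditionally, so with the chart's empty defaults the ConfigMap exports `TRASH_AUTO_DELETE_DAYS: ""` and `TZ: ""` into the container, whereas `ORG_CREATION_USERS` a few lines above (and `EXPERIMENTAL_CLIENT_FEATURE_FLAGS` before it) is wrapped in `{{- with }}` and omitted when blank. The values.yaml comments for both settings describe "If unset" / "default (UTC)" behaviour, and whether vaultwarden treats an empty string the same as an absent variable is not visible here; omitting the key is the way to guarantee the documented default, e.g. `{{- with .Values.trashAutoDeleteDays }}` / `TRASH_AUTO_DELETE_DAYS: {{ . | quote }}` / `{{- end }}`, and likewise for `timeZone` (the two emergency-access schedules should stay unconditional, since blank is documented as "disable this job"). Minor: `{{ .Values.invitationExpirationHours | quote}}` is missing the space before `}}` that every neighbouring line has. The `data:` mapping this hunk extends begins above the hunk.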
@@ -114,6 +114,69 @@ fullnameOverride: "" ## invitationOrgName: "Vaultwarden" +## @param orgCreationUsers Controls which users can create new orgs. +## Blank or 'all' means all users can create orgs. +## 'none' means no users can create orgs. +## A comma-separated list means only those users can create orgs. +## +orgCreationUsers: "" + +## @param orgEventsEnabled Controls whether event logging is enabled for organizations +## +orgEventsEnabled: "false" + +## @param sendsAllowed Controls whether users are allowed to create Bitwarden Sends. +## +sendsAllowed: "true" + +## @param emergencyAccessAllowed Controls whether users can enable emergency access to their accounts. +## +emergencyAccessAllowed: "true" + +## @param emergencyNotifReminderSched Cron schedule of the job that sends expiration reminders to emergency access grantors. +## Set to blank to disable this job. +## +emergencyNotifReminderSched: "0 3 * * * *" + +## @param emergencyRqstTimeoutSched Cron schedule of the job that grants emergency access requests that have met the required wait time. +## Set to blank to disable this job. +## +emergencyRqstTimeoutSched: "0 7 * * * *" + +## @param eventCleanupSched Cron schedule of the job that cleans old events from the event table. +## Set to blank to disable this job. Also without eventsDayRetain set, this job will not start. +## +eventCleanupSched: "0 10 0 * * *" + +## @param eventsDayRetain Number of days to retain events stored in the database. +## If unset (the default), events are kept indefinitely and the scheduled job is disabled! +## +eventsDayRetain: "" + +## @param iconService The predefined icon services are: internal, bitwarden, duckduckgo, google. 
+## +iconService: "internal" + +## @param invitationExpirationHours The number of hours after which an organization invite token, emergency access invite token, +## email verification token and deletion request token will expire (must be at least 1) +## +invitationExpirationHours: "120" + +## @param requireDeviceEmail Require new device emails. When a user logs in an email is required to be sent. +## +requireDeviceEmail: "false" + +## @param trashAutoDeleteDays Number of days to wait before auto-deleting a trashed item. +## If unset (the default), trashed items are not auto-deleted. +## This setting applies globally, so make sure to inform all users of any changes to this setting. +## +trashAutoDeleteDays: "" + +## @param timeZone Specify timezone different from the default (UTC). +## For example: "Europe/Berlin" +## +timeZone: "" + ## @param iconBlacklistNonGlobalIps Whether block non-global IPs. ## Useful to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block iconBlacklistNonGlobalIps: "true" @@ -437,6 +500,10 @@ logging: ## logFile: "" +## @param extendedLogging Enable extended logging, which shows timestamps and targets in the logs +## +extendedLogging: "true" + ## @section Extra Configuration ## @@ -510,3 +577,9 @@ podDisruptionBudget: minAvailable: 1 ## @param podDisruptionBudget.maxUnavailable Maximum number/percentage of pods that may be made unavailable maxUnavailable: null + +## @section BETA Features +## + +## @param orgGroupsEnabled Controls whether group support is enabled for organizations +orgGroupsEnabled: "false"
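Review bot: The three schedule defaults added in the first hunk (`"0 3 * * * *"`, `"0 7 * * * *"`, `"0 10 0 * * *"`) have six fields, but none of the `@param` comments for `emergencyNotifReminderSched`, `emergencyRqstTimeoutSched` or `eventCleanupSched` says which cron dialect is expected, so a user who pastes a conventional five-field expression gets an unusable schedule with no hint from the chart. The defaults presumably follow vaultwarden's own schedules, which carry a leading seconds field; I would add to each of the three comments a line such as `## Six-field cron expression (sec min hour day-of-month month day-of-week), as used by vaultwarden; five-field expressions are not equivalent.` and confirm the exact format against the .env.template of the vaultwarden version the chart ships. The README rows for the same parameters would benefit from the same remark, since they are generated from these comments.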