[PR #6844] feat: add official Helm chart #7488

Open
opened 2026-03-07 21:18:23 -06:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/dani-garcia/vaultwarden/pull/6844
Author: @Rohmilchkaese (https://github.com/Rohmilchkaese)
Created: 2/17/2026
Status: 🔄 Open

Base: main ← Head: helm-chart


📝 Commits (2)

  • 761d406 feat: add official Helm chart
    https://github.com/dani-garcia/vaultwarden/commit/761d40699af3c1a8516e9b387112b234e99b0751
  • 834a194 feat(helm): add env, secretEnv maps for flexible env var configuration
    https://github.com/dani-garcia/vaultwarden/commit/834a194816abc4e16b8337795dbefe27642b9d50

📊 Changes

14 files changed (+1508 additions, -0 deletions)

View changed files

helm/vaultwarden/.helmignore (+12 -0)
helm/vaultwarden/Chart.yaml (+18 -0)
helm/vaultwarden/README.md (+437 -0)
helm/vaultwarden/templates/NOTES.txt (+52 -0)
helm/vaultwarden/templates/_helpers.tpl (+133 -0)
helm/vaultwarden/templates/configmap.yaml (+40 -0)
helm/vaultwarden/templates/deployment.yaml (+228 -0)
helm/vaultwarden/templates/ingress.yaml (+45 -0)
helm/vaultwarden/templates/pvc.yaml (+33 -0)
helm/vaultwarden/templates/secret.yaml (+81 -0)
helm/vaultwarden/templates/service.yaml (+32 -0)
helm/vaultwarden/templates/serviceaccount.yaml (+14 -0)
helm/vaultwarden/templates/tests/test-connection.yaml (+16 -0)
helm/vaultwarden/values.yaml (+367 -0)

📄 Description

Summary

Adds a production-ready Helm chart under helm/vaultwarden/. Closes #316.

Vaultwarden has no official Helm chart — issue #316 (https://github.com/dani-garcia/vaultwarden/issues/316) from 2019 only linked community charts, all of which are outdated or unmaintained. This chart provides a first-party, maintained deployment option for Kubernetes users.

Highlights

  • Database flexibility: SQLite default (matching vaultwarden defaults), PostgreSQL and MySQL selectable. Supports both full DATABASE_URL from a secret and composing the URL from parts via separate secretKeyRef (ideal for Zalando Postgres Operator, CloudNativePG, etc.)
  • Security hardened by default: non-root (UID 1000), readOnlyRootFilesystem: true, capabilities.drop: ["ALL"], seccompProfile: RuntimeDefault, runAsNonRoot: true, automountServiceAccountToken: false, tmpfs /tmp mount
  • All credentials via secretKeyRef: Admin token, SMTP, SSO/OIDC, database, push notifications, Yubico — all support existingSecret for external secret management (ExternalSecrets, Sealed Secrets, etc.)
  • Ingress: ingressClassName (not deprecated annotation), annotations, labels, multi-host TLS
  • Persistence: helm.sh/resource-policy: keep (prevents data loss on uninstall), storageClassName 3-way handling (nil=cluster default, "-"=disable dynamic provisioning, "name"=explicit class), custom annotations/labels
  • Template validation: fail on misconfiguration (e.g. admin enabled without token, postgresql without credentials)
  • Extensible: extraEnv, extraVolumes, extraVolumeMounts, initContainers, topologySpreadConstraints, priorityClassName, startupProbe

Chart structure

helm/vaultwarden/
├── .helmignore
├── Chart.yaml
├── README.md
├── values.yaml
└── templates/
    ├── _helpers.tpl
    ├── configmap.yaml
    ├── deployment.yaml
    ├── ingress.yaml
    ├── NOTES.txt
    ├── pvc.yaml
    ├── secret.yaml
    ├── service.yaml
    ├── serviceaccount.yaml
    └── tests/
        └── test-connection.yaml

All env var names verified against source

Every environment variable in the chart was verified against src/config.rs in the vaultwarden source.

Test plan

  • helm lint --strict — passes
  • helm template — tested with 6 configurations (SQLite default, PostgreSQL URL, PostgreSQL compose-from-parts, Ingress+TLS, SSO+SMTP, all existingSecret refs)
  • Template validation — confirmed fail triggers for: admin without token, postgresql without credentials, postgresql without any DB config
  • Deployed on real Kubernetes cluster (k3s v1.35.0):
    • Pod starts, 1/1 Running, 0 restarts
    • Liveness and readiness probes pass
    • readOnlyRootFilesystem: true works (with /tmp tmpfs and /data PVC)
    • Vaultwarden logs show clean startup
    • helm test passes (busybox wget to /alive)
    • PVC retained on helm uninstall (resource-policy: keep)

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
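The hardening, secret handling and render-time validation the Highlights describe, shown together in a trimmed deployment template. This is an added example written for this page, not the PR's actual deployment.yaml; the value paths under .Values.admin.*, .Values.database.* and .Values.image.*, the Secret key names (admin-token, username, password) and the helper names vaultwarden.fullname/vaultwarden.name are assumptions and will not match the chart's real values.yaml:

```yaml
# Added example (not the PR's template): a trimmed deployment.yaml in the shape
# the PR description implies. Value paths under .Values.admin.*,
# .Values.database.* and .Values.image.* are assumed, not the chart's schema.
{{- $dbType := .Values.database.type | default "sqlite" }}
{{- /* Render-time guards: refuse to ship a half-configured release. */ -}}
{{- if and .Values.admin.enabled (not .Values.admin.existingSecret) }}
{{- fail "admin.enabled=true requires admin.existingSecret (ADMIN_TOKEN is read from a Secret, never from values)" }}
{{- end }}
{{- if and (eq $dbType "postgresql") (not .Values.database.existingSecret) }}
{{- fail "database.type=postgresql requires database.existingSecret with username/password keys" }}
{{- end }}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "vaultwarden.fullname" . }}
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ include "vaultwarden.name" . }}
  template:
    metadata:
      labels:
        app.kubernetes.io/name: {{ include "vaultwarden.name" . }}
    spec:
      # The app never talks to the API server, so don't mount a token it could leak.
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000            # PVC files become group-writable for UID 1000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: vaultwarden
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          env:
            - name: DATA_FOLDER
              value: /data
            {{- if .Values.admin.enabled }}
            - name: ADMIN_TOKEN
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.admin.existingSecret | quote }}
                  key: admin-token
            {{- end }}
            {{- if eq $dbType "postgresql" }}
            # Compose DATABASE_URL from parts: the password stays in the Secret and the
            # rendered manifest only carries the unexpanded $(DB_PASSWORD) reference.
            # The kubelet expands $(VAR) for variables defined earlier in this list.
            - name: DB_USER
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.database.existingSecret | quote }}
                  key: username
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.database.existingSecret | quote }}
                  key: password
            - name: DATABASE_URL
              value: "postgresql://$(DB_USER):$(DB_PASSWORD)@{{ .Values.database.host }}:{{ .Values.database.port | default 5432 }}/{{ .Values.database.name }}"
            {{- end }}
          ports:
            - name: http
              containerPort: 80   # the image's default ROCKET_PORT
          livenessProbe:
            httpGet:
              path: /alive
              port: http
          volumeMounts:
            - name: data
              mountPath: /data
            - name: tmp
              mountPath: /tmp     # the only writable path besides /data
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: {{ include "vaultwarden.fullname" . }}
        - name: tmp
          emptyDir:
            medium: Memory        # tmpfs, cleared with the pod
```

Two caveats a reviewer would want on the compose-from-parts path: `$(VAR)` expansion is plain substitution, not URL encoding, so a password containing `@`, `/`, `:`, `#` or `%` must be percent-encoded inside the Secret or the URL breaks; and if a referenced key is missing the kubelet leaves the literal `$(DB_PASSWORD)` in place, which surfaces as a confusing authentication failure rather than a startup error. Inside the container the expanded URL is still readable from `/proc/<pid>/environ`, as with any env-sourced secret. For the admin token, storing an argon2 PHC string (output of `vaultwarden hash`) in the Secret rather than the plaintext token limits what a Secret read gains an attacker.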

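The three storageClassName cases and the keep policy from the Persistence bullet, as an added pvc.yaml example written for this page (not the chart's own pvc.yaml; the names under .Values.persistence.* and the helper vaultwarden.fullname are assumptions):

```yaml
# Added example (not the PR's template): pvc.yaml showing the nil / "-" / "name"
# handling of storageClassName. .Values.persistence.* paths are assumed.
{{- if .Values.persistence.enabled }}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: {{ include "vaultwarden.fullname" . }}
  annotations:
    # Helm skips this object on uninstall, so the vault data survives.
    helm.sh/resource-policy: keep
    {{- with .Values.persistence.annotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
  labels:
    {{- with .Values.persistence.labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
spec:
  accessModes:
    - {{ .Values.persistence.accessMode | default "ReadWriteOnce" }}
  resources:
    requests:
      storage: {{ .Values.persistence.size | default "1Gi" }}
  {{- if .Values.persistence.storageClassName }}
  {{- if eq "-" .Values.persistence.storageClassName }}
  # "-" renders an empty string: no dynamic provisioning, bind only to a
  # pre-created PV that also has no class set.
  storageClassName: ""
  {{- else }}
  storageClassName: {{ .Values.persistence.storageClassName | quote }}
  {{- end }}
  {{- end }}
  {{- /* unset/nil: field omitted, the cluster's default StorageClass applies */}}
{{- end }}
```

The distinction between an omitted field and `storageClassName: ""` is the whole point: omitting it lets the DefaultStorageClass admission plugin fill in the cluster default, while an explicit empty string disables that and matches only static PVs. Because the kept PVC still carries Helm's `app.kubernetes.io/managed-by` label and `meta.helm.sh/release-name` / `meta.helm.sh/release-namespace` annotations, reinstalling under the same release name and namespace adopts it again; deleting the data for good means deleting the PVC by hand.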
GiteaMirror added the pull-request label 2026-03-07 21:18:23 -06:00

Reference: github-starred/vaultwarden#7488