This projects contains Kubernetes manifest files for deploying a production-ready self-hosted Bitwarden solution in Kubernetes. It utilizes the Rust-based implementation from https://github.com/dani-garcia/bitwarden_rs.
This project is no longer maintained. If you are interested with running Bitwarden on Kubernetes, please consider vaultwarden instead.
- Objects are created in the
bitwarden
namespace. - This project specifically deploys to Amazon AWS and uses an nginx ingress controller, and thus provisions an NLB instance. Refer to this guide on Ingress Controllers for more options.
- Application image: the statefulset deploys the default Debian-based image, which in turn uses SQLite for the database. In most use-cases this should be enough. Otherwise, please refer to this guide for choosing the right application image.
secrets.yaml:
- SMTP credentials: The base64-encoded SMTP username and password.
- Admin token: The admin token used to login to the admin page (
/admin
). Hint: generate one usingopenssl rand -base64 48
.
configmap.yaml:
- Set the application URL with the variable DOMAIN.
- Set the domain with the variable SIGNUPS_DOMAINS_WHITELIST to restrict email sign-ups for users with that domain. Please note that the administrator would still be able to invite users outside of this domain using the admin page (
/admin
). - For more configuration parameters, such as adding U2F and YubiKey support, please refer to the bitwarden-rs wiki.
For simplicity, the statefulset makes use of a storage class. Here is a working example for a storage class manifest which provisions Elastic Block storage.
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
name: sc-ebs-gp2-zone1
annotations:
storageclass.kubernetes.io/is-default-class: "true"
provisioner: kubernetes.io/aws-ebs
reclaimPolicy: Retain
allowVolumeExpansion: true
volumeBindingMode: WaitForFirstConsumer
parameters:
type: gp2
allowedTopologies:
- matchLabelExpressions:
- key: failure-domain.beta.kubernetes.io/zone
values:
- ap-southeast-1a
This project expects a secret named foo-io-wildcardssl
in the bitwarden namespace. I find this guide useful for adding SSL certificates as Kubernetes secrets.
Finally, run the following command to apply the manifests:
kubectl apply -f .
- icicimov's repo, although it appears to have been outdated, for the inspiration.
This work is licensed under GNU GPL v3.