Diffstat (limited to 'kubernetes/namespaces/tooling/bitwarden')
| -rw-r--r-- | kubernetes/namespaces/tooling/bitwarden/README.md | 14 | ||||
| -rw-r--r-- | kubernetes/namespaces/tooling/bitwarden/configmap.yaml | 24 | ||||
| -rw-r--r-- | kubernetes/namespaces/tooling/bitwarden/deployment.yaml | 35 | ||||
| -rw-r--r-- | kubernetes/namespaces/tooling/bitwarden/ingress.yaml | 25 | ||||
| -rw-r--r-- | kubernetes/namespaces/tooling/bitwarden/secrets.yaml | bin | 0 -> 345 bytes | |||
| -rw-r--r-- | kubernetes/namespaces/tooling/bitwarden/service.yaml | 10 | 
6 files changed, 108 insertions, 0 deletions
| diff --git a/kubernetes/namespaces/tooling/bitwarden/README.md b/kubernetes/namespaces/tooling/bitwarden/README.md
new file mode 100644
index 0000000..37f01eb
--- /dev/null
+++ b/kubernetes/namespaces/tooling/bitwarden/README.md
@@ -0,0 +1,14 @@
+# BitWarden
+
+Our internal password manager, used by the admins to share passwords for our services. Hosted at https://bitwarden.pythondiscord.com
+
+To deploy this, first set up the secrets (see below) and then run `kubectl apply -f .` in this folder.
+
+## Secrets
+This deployment expects a few secrets to exist in a secret called `bitwarden-secret-env`.
+
+
+| Environment           | Description                               |
+|-----------------------|-------------------------------------------|
+| ADMIN_TOKEN           | 64-character token used for initial login |
+| DATABASE_URL          | Database string: host://user:pass/db      |
diff --git a/kubernetes/namespaces/tooling/bitwarden/configmap.yaml b/kubernetes/namespaces/tooling/bitwarden/configmap.yaml
new file mode 100644
index 0000000..29b9a84
--- /dev/null
+++ b/kubernetes/namespaces/tooling/bitwarden/configmap.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: bitwarden-config-env
+  namespace: tooling
+data:
+  # Domain to access bitwarden by
+  DOMAIN: "https://bitwarden.pythondiscord.com"
+
+  # Password hint must be sent to an email when this is false.
+  # When it's true, it'll be shown right on the page.
+  SHOW_PASSWORD_HINT: "false"
+
+  # Admins only, please!
+  SIGNUPS_ALLOWED: "false"
+
+  # Used for LiveSync
+  WEBSOCKET_ENABLED: "true"
+
+  # Max conns to the DB
+  DATABASE_MAX_CONNS: "2"
+
+  # Force bitwarden to use postgres, rather than it's own volume
+  I_REALLY_WANT_VOLATILE_STORAGE: "true"
diff --git a/kubernetes/namespaces/tooling/bitwarden/deployment.yaml b/kubernetes/namespaces/tooling/bitwarden/deployment.yaml
new file mode 100644
index 0000000..24177ae
--- /dev/null
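Review bot: The comment on `I_REALLY_WANT_VOLATILE_STORAGE` is misleading: as far as I know this flag only silences vaultwarden's warning that `/data` is not a mounted volume, and it does not redirect anything to Postgres — the database comes from `DATABASE_URL` in the secret, while attachments, Sends, the icon cache and the RSA signing key are still written to disk under `/data`. Suggest replacing it with `# Suppress the "/data is not a mounted volume" warning; the DB is postgres via DATABASE_URL, but attachments/sends/RSA keys are still written to /data` so the next reader does not assume the pod is stateless. Also, if `SIGNUPS_ALLOWED: "false"` is meant as "admins only", note that invitations are a separate switch (`INVITATIONS_ALLOWED`, which I believe defaults to true), so an existing user can still onboard new accounts by invite; set it explicitly if that is not wanted.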
+++ b/kubernetes/namespaces/tooling/bitwarden/deployment.yaml
@@ -0,0 +1,35 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: bitwarden
+  namespace: tooling
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: bitwarden
+  template:
+    metadata:
+      labels:
+        app: bitwarden
+    spec:
+      containers:
+        - name: bitwarden
+          image: vaultwarden/server:latest
+          imagePullPolicy: Always
+          resources:
+            requests:
+              cpu: 1m
+              memory: 50Mi
+            limits:
+              cpu: 50m
+              memory: 100Mi
+          ports:
+            - containerPort: 80
+          envFrom:
+            - secretRef:
+                name: bitwarden-secret-env
+            - configMapRef:
+                name: bitwarden-config-env
+          securityContext:
+            readOnlyRootFilesystem: true
diff --git a/kubernetes/namespaces/tooling/bitwarden/ingress.yaml b/kubernetes/namespaces/tooling/bitwarden/ingress.yaml
new file mode 100644
index 0000000..e7eab59
--- /dev/null
+++ b/kubernetes/namespaces/tooling/bitwarden/ingress.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+    nginx.ingress.kubernetes.io/auth-tls-secret: "kube-system/mtls-client-crt-bundle"
+    nginx.ingress.kubernetes.io/auth-tls-error-page: "https://www.youtube.com/watch?v=dQw4w9WgXcQ"
+  name: bitwarden
+  namespace: tooling
+spec:
+  tls:
+  - hosts:
+      - "*.pythondiscord.com"
+    secretName: pythondiscord.com-tls
+  rules:
+  - host: bitwarden.pythondiscord.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: bitwarden
+            port:
+              number: 80
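Review bot: `image: vaultwarden/server:latest` together with `imagePullPolicy: Always` means every pod restart may pull a different, unreviewed build of the component that holds all of the admins' shared credentials; pin a release tag plus digest, `image: vaultwarden/server:<release>@sha256:<digest>`, and bump it deliberately. `readOnlyRootFilesystem: true` is set with no `volumes`/`volumeMounts`, so nothing in the container filesystem is writable — as far as I know vaultwarden still writes to `/data` (RSA signing key on first start, attachments, Sends, icon cache) even when the database is Postgres, so expect a startup failure or silently broken features unless something writable is mounted there; confirm against the deployed release. While in `securityContext`, drop the remaining privileges as below; `runAsNonRoot` is also worth adding, but the image listens on port 80 by default so the listen port would need moving first (e.g. `ROCKET_PORT`) — verify before enabling.
```yaml
          securityContext:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            seccompProfile:
              type: RuntimeDefault
```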
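Review bot: The Ingress routes only `/` to port 80 while the ConfigMap sets `WEBSOCKET_ENABLED: "true"`; on older vaultwarden releases the notifications websocket (`/notifications/hub`) is served on a separate port 3012 that neither this Ingress nor the Service exposes, so LiveSync would silently not work. Because the image is `:latest` I cannot tell which behaviour applies — check whether the deployed release serves websockets on the main port and, if not, add a second path for `/notifications/hub` pointing at a 3012 service port. Separately, `auth-tls-verify-client: "on"` is the real access control for this host, so it deserves a comment such as `# mTLS client cert (CA bundle in kube-system/mtls-client-crt-bundle) is the only gate in front of the vault; no CRL checking, so revoking an admin's cert means rotating the bundle`, since as far as I know ingress-nginx does not consult CRLs.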
diff --git a/kubernetes/namespaces/tooling/bitwarden/secrets.yaml b/kubernetes/namespaces/tooling/bitwarden/secrets.yaml
Binary files differ
new file mode 100644
index 0000000..c22e91b
--- /dev/null
+++ b/kubernetes/namespaces/tooling/bitwarden/secrets.yaml
diff --git a/kubernetes/namespaces/tooling/bitwarden/service.yaml b/kubernetes/namespaces/tooling/bitwarden/service.yaml
new file mode 100644
index 0000000..f937bed
--- /dev/null
+++ b/kubernetes/namespaces/tooling/bitwarden/service.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: bitwarden
+  namespace: tooling
+spec:
+  ports:
+    - port: 80
+  selector:
+    app: bitwarden | 
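Review bot: mTLS is enforced only at the Ingress; this Service exposes the pod on port 80 to every workload in the cluster, so anything with a foothold in another namespace can reach the web vault and the `/admin` panel directly, with only `ADMIN_TOKEN` in the way. A NetworkPolicy limiting ingress to the ingress controller's namespace closes that path, assuming the CNI enforces policies; I am inferring the controller lives in `kube-system` from the `mtls-client-crt-bundle` reference, so adjust the selector if it does not. A sketch, as a new `networkpolicy.yaml` alongside this file:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: bitwarden
  namespace: tooling
spec:
  podSelector:
    matchLabels:
      app: bitwarden
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              # namespace of the ingress-nginx controller — verify
              kubernetes.io/metadata.name: kube-system
      ports:
        - port: 80
```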
