titan-iac/services/vaultwarden/deployment.yaml

# services/vaultwarden/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vaultwarden
  namespace: vaultwarden
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 0
      maxUnavailable: 1
  selector:
    matchLabels:
      app: vaultwarden
  template:
    metadata:
      labels:
        app: vaultwarden
    spec:
      serviceAccountName: vaultwarden-vault
      containers:
        - name: vaultwarden
          image: vaultwarden/server:1.33.2
          command: ["/bin/sh", "-c"]
          args:
            - >-
              . /vault/scripts/vaultwarden_vault_env.sh
              && exec /start.sh
          env:
            - name: SIGNUPS_ALLOWED
              value: "false"
            - name: INVITATIONS_ALLOWED
              value: "true"
            - name: DOMAIN
              value: "https://vault.bstein.dev"
            - name: SMTP_HOST
              value: "smtp.postmarkapp.com"
            - name: SMTP_PORT
              value: "587"
            - name: SMTP_SECURITY
              value: "starttls"
            - name: SMTP_ACCEPT_INVALID_HOSTNAMES
              value: "false"
            - name: SMTP_ACCEPT_INVALID_CERTS
              value: "false"
            - name: SMTP_FROM
              value: "no-reply-vaultwarden@bstein.dev"
            - name: SMTP_FROM_NAME
              value: "Vaultwarden"
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
          volumeMounts:
            - name: vaultwarden-data
              mountPath: /data
            - name: vault-secrets
              mountPath: /vault/secrets
              readOnly: true
            - name: vault-scripts
              mountPath: /vault/scripts
              readOnly: true
      volumes:
        - name: vaultwarden-data
          persistentVolumeClaim:
            claimName: vaultwarden-data
        - name: vault-secrets
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: vaultwarden-vault
        - name: vault-scripts
          configMap:
            name: vaultwarden-vault-env
            defaultMode: 0555
services: scaffold postgres and vaultwarden manifests 2026-01-02 01:12:35 -03:00			`# services/vaultwarden/deployment.yaml`
			`apiVersion: apps/v1`
			`kind: Deployment`
			`metadata:`
			`name: vaultwarden`
			`namespace: vaultwarden`
			`spec:`
			`replicas: 1`
vaultwarden: use Recreate strategy 2026-01-03 17:07:48 -03:00			`strategy:`
vaultwarden: avoid RWO multi-attach rollout 2026-01-03 17:12:46 -03:00			`type: RollingUpdate`
			`rollingUpdate:`
			`maxSurge: 0`
			`maxUnavailable: 1`
services: scaffold postgres and vaultwarden manifests 2026-01-02 01:12:35 -03:00			`selector:`
			`matchLabels:`
			`app: vaultwarden`
			`template:`
			`metadata:`
			`labels:`
			`app: vaultwarden`
			`spec:`
vault: wire more services to CSI 2026-01-14 02:54:59 -03:00			`serviceAccountName: vaultwarden-vault`
services: scaffold postgres and vaultwarden manifests 2026-01-02 01:12:35 -03:00			`containers:`
			`- name: vaultwarden`
			`image: vaultwarden/server:1.33.2`
vault: wire more services to CSI 2026-01-14 02:54:59 -03:00			`command: ["/bin/sh", "-c"]`
			`args:`
			`- >-`
			`. /vault/scripts/vaultwarden_vault_env.sh`
			`&& exec /start.sh`
services: scaffold postgres and vaultwarden manifests 2026-01-02 01:12:35 -03:00			`env:`
			`- name: SIGNUPS_ALLOWED`
vaultwarden: disable signups and sync invites 2026-01-03 16:55:02 -03:00			`value: "false"`
			`- name: INVITATIONS_ALLOWED`
services: scaffold postgres and vaultwarden manifests 2026-01-02 01:12:35 -03:00			`value: "true"`
vaultwarden: enable SMTP via Mailu 2026-01-03 17:44:24 -03:00			`- name: DOMAIN`
			`value: "https://vault.bstein.dev"`
			`- name: SMTP_HOST`
vault: sync harbor pulls 2026-01-14 10:07:31 -03:00			`value: "smtp.postmarkapp.com"`
vaultwarden: enable SMTP via Mailu 2026-01-03 17:44:24 -03:00			`- name: SMTP_PORT`
vault: sync harbor pulls 2026-01-14 10:07:31 -03:00			`value: "587"`
vaultwarden: enable SMTP via Mailu 2026-01-03 17:44:24 -03:00			`- name: SMTP_SECURITY`
			`value: "starttls"`
vaultwarden: allow internal SMTP TLS 2026-01-03 17:54:27 -03:00			`- name: SMTP_ACCEPT_INVALID_HOSTNAMES`
vault: sync harbor pulls 2026-01-14 10:07:31 -03:00			`value: "false"`
vaultwarden: allow internal SMTP TLS 2026-01-03 17:54:27 -03:00			`- name: SMTP_ACCEPT_INVALID_CERTS`
vault: sync harbor pulls 2026-01-14 10:07:31 -03:00			`value: "false"`
vaultwarden: enable SMTP via Mailu 2026-01-03 17:44:24 -03:00			`- name: SMTP_FROM`
vault: sync harbor pulls 2026-01-14 10:07:31 -03:00			`value: "no-reply-vaultwarden@bstein.dev"`
vaultwarden: enable SMTP via Mailu 2026-01-03 17:44:24 -03:00			`- name: SMTP_FROM_NAME`
vault: sync harbor pulls 2026-01-14 10:07:31 -03:00			`value: "Vaultwarden"`
services: scaffold postgres and vaultwarden manifests 2026-01-02 01:12:35 -03:00			`ports:`
			`- name: http`
			`containerPort: 80`
			`protocol: TCP`
			`volumeMounts:`
			`- name: vaultwarden-data`
			`mountPath: /data`
vault: wire more services to CSI 2026-01-14 02:54:59 -03:00			`- name: vault-secrets`
			`mountPath: /vault/secrets`
			`readOnly: true`
			`- name: vault-scripts`
			`mountPath: /vault/scripts`
			`readOnly: true`
services: scaffold postgres and vaultwarden manifests 2026-01-02 01:12:35 -03:00			`volumes:`
			`- name: vaultwarden-data`
			`persistentVolumeClaim:`
			`claimName: vaultwarden-data`
vault: wire more services to CSI 2026-01-14 02:54:59 -03:00			`- name: vault-secrets`
			`csi:`
			`driver: secrets-store.csi.k8s.io`
			`readOnly: true`
			`volumeAttributes:`
			`secretProviderClass: vaultwarden-vault`
			`- name: vault-scripts`
			`configMap:`
			`name: vaultwarden-vault-env`
			`defaultMode: 0555`