titan-iac/services/vaultwarden/deployment.yaml

# services/vaultwarden/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vaultwarden
  namespace: vaultwarden
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 0
      maxUnavailable: 1
  selector:
    matchLabels:
      app: vaultwarden
  template:
    metadata:
      labels:
        app: vaultwarden
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "vaultwarden"
        vault.hashicorp.com/agent-inject-secret-vaultwarden-env.sh: "kv/data/atlas/vaultwarden/vaultwarden-db-url"
        vault.hashicorp.com/agent-inject-template-vaultwarden-env.sh: |
          {{ with secret "kv/data/atlas/vaultwarden/vaultwarden-db-url" }}
          export DATABASE_URL="{{ .Data.data.DATABASE_URL }}"
          {{ end }}
          {{ with secret "kv/data/atlas/vaultwarden/vaultwarden-admin" }}
          export ADMIN_TOKEN="{{ .Data.data.ADMIN_TOKEN }}"
          {{ end }}
          {{ with secret "kv/data/atlas/mailu/mailu-initial-account-secret" }}
          export SMTP_PASSWORD="{{ .Data.data.password }}"
          {{ end }}
    spec:
      serviceAccountName: vaultwarden-vault
      nodeSelector:
        kubernetes.io/arch: arm64
        node-role.kubernetes.io/worker: "true"
      containers:
        - name: vaultwarden
          image: vaultwarden/server:1.33.2
          command: ["/bin/sh", "-c"]
          args:
            - >-
              . /vault/secrets/vaultwarden-env.sh
              && exec /start.sh
          env:
            - name: SIGNUPS_ALLOWED
              value: "false"
            - name: INVITATIONS_ALLOWED
              value: "true"
            - name: DOMAIN
              value: "https://vault.bstein.dev"
            - name: DB_CONNECTION_RETRIES
              value: "0"
            - name: DATABASE_TIMEOUT
              value: "60"
            - name: DATABASE_MIN_CONNS
              value: "2"
            - name: DATABASE_MAX_CONNS
              value: "20"
            - name: DATABASE_IDLE_TIMEOUT
              value: "600"
            - name: SMTP_HOST
              value: "mail.bstein.dev"
            - name: SMTP_PORT
              value: "587"
            - name: SMTP_SECURITY
              value: "starttls"
            - name: SMTP_ACCEPT_INVALID_HOSTNAMES
              value: "false"
            - name: SMTP_ACCEPT_INVALID_CERTS
              value: "false"
            - name: SMTP_USERNAME
              value: "no-reply-vaultwarden@bstein.dev"
            - name: SMTP_FROM
              value: "no-reply-vaultwarden@bstein.dev"
            - name: SMTP_FROM_NAME
              value: "Vaultwarden"
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
          volumeMounts:
            - name: vaultwarden-data
              mountPath: /data
      volumes:
        - name: vaultwarden-data
          persistentVolumeClaim:
            claimName: vaultwarden-data
services: scaffold postgres and vaultwarden manifests 2026-01-02 01:12:35 -03:00			`# services/vaultwarden/deployment.yaml`
			`apiVersion: apps/v1`
			`kind: Deployment`
			`metadata:`
			`name: vaultwarden`
			`namespace: vaultwarden`
			`spec:`
			`replicas: 1`
vaultwarden: use Recreate strategy 2026-01-03 17:07:48 -03:00			`strategy:`
vaultwarden: avoid RWO multi-attach rollout 2026-01-03 17:12:46 -03:00			`type: RollingUpdate`
			`rollingUpdate:`
			`maxSurge: 0`
			`maxUnavailable: 1`
services: scaffold postgres and vaultwarden manifests 2026-01-02 01:12:35 -03:00			`selector:`
			`matchLabels:`
			`app: vaultwarden`
			`template:`
			`metadata:`
			`labels:`
			`app: vaultwarden`
vault: move core apps to injector 2026-01-14 12:28:10 -03:00			`annotations:`
			`vault.hashicorp.com/agent-inject: "true"`
			`vault.hashicorp.com/role: "vaultwarden"`
			`vault.hashicorp.com/agent-inject-secret-vaultwarden-env.sh: "kv/data/atlas/vaultwarden/vaultwarden-db-url"`
			`vault.hashicorp.com/agent-inject-template-vaultwarden-env.sh: \|`
vault: stabilize injector templates and add health apps 2026-01-14 13:40:29 -03:00			`{{ with secret "kv/data/atlas/vaultwarden/vaultwarden-db-url" }}`
vault: move core apps to injector 2026-01-14 12:28:10 -03:00			`export DATABASE_URL="{{ .Data.data.DATABASE_URL }}"`
vault: stabilize injector templates and add health apps 2026-01-14 13:40:29 -03:00			`{{ end }}`
			`{{ with secret "kv/data/atlas/vaultwarden/vaultwarden-admin" }}`
vault: move core apps to injector 2026-01-14 12:28:10 -03:00			`export ADMIN_TOKEN="{{ .Data.data.ADMIN_TOKEN }}"`
vault: stabilize injector templates and add health apps 2026-01-14 13:40:29 -03:00			`{{ end }}`
vaultwarden: use mailu smtp creds 2026-01-19 02:17:16 -03:00			`{{ with secret "kv/data/atlas/mailu/mailu-initial-account-secret" }}`
			`export SMTP_PASSWORD="{{ .Data.data.password }}"`
vault: stabilize injector templates and add health apps 2026-01-14 13:40:29 -03:00			`{{ end }}`
services: scaffold postgres and vaultwarden manifests 2026-01-02 01:12:35 -03:00			`spec:`
vault: wire more services to CSI 2026-01-14 02:54:59 -03:00			`serviceAccountName: vaultwarden-vault`
vaultwarden: pin to arm64 workers 2026-01-18 03:09:40 -03:00			`nodeSelector:`
			`kubernetes.io/arch: arm64`
			`node-role.kubernetes.io/worker: "true"`
services: scaffold postgres and vaultwarden manifests 2026-01-02 01:12:35 -03:00			`containers:`
			`- name: vaultwarden`
			`image: vaultwarden/server:1.33.2`
vault: wire more services to CSI 2026-01-14 02:54:59 -03:00			`command: ["/bin/sh", "-c"]`
			`args:`
			`- >-`
vault: move core apps to injector 2026-01-14 12:28:10 -03:00			`. /vault/secrets/vaultwarden-env.sh`
vault: wire more services to CSI 2026-01-14 02:54:59 -03:00			`&& exec /start.sh`
services: scaffold postgres and vaultwarden manifests 2026-01-02 01:12:35 -03:00			`env:`
			`- name: SIGNUPS_ALLOWED`
vaultwarden: disable signups and sync invites 2026-01-03 16:55:02 -03:00			`value: "false"`
			`- name: INVITATIONS_ALLOWED`
services: scaffold postgres and vaultwarden manifests 2026-01-02 01:12:35 -03:00			`value: "true"`
vaultwarden: enable SMTP via Mailu 2026-01-03 17:44:24 -03:00			`- name: DOMAIN`
			`value: "https://vault.bstein.dev"`
vaultwarden: add retry safeguards and db tuning 2026-01-18 03:00:24 -03:00			`- name: DB_CONNECTION_RETRIES`
			`value: "0"`
			`- name: DATABASE_TIMEOUT`
			`value: "60"`
			`- name: DATABASE_MIN_CONNS`
			`value: "2"`
			`- name: DATABASE_MAX_CONNS`
			`value: "20"`
			`- name: DATABASE_IDLE_TIMEOUT`
			`value: "600"`
vaultwarden: enable SMTP via Mailu 2026-01-03 17:44:24 -03:00			`- name: SMTP_HOST`
vaultwarden: use mail hostname 2026-01-19 02:31:41 -03:00			`value: "mail.bstein.dev"`
vaultwarden: enable SMTP via Mailu 2026-01-03 17:44:24 -03:00			`- name: SMTP_PORT`
vault: sync harbor pulls 2026-01-14 10:07:31 -03:00			`value: "587"`
vaultwarden: enable SMTP via Mailu 2026-01-03 17:44:24 -03:00			`- name: SMTP_SECURITY`
			`value: "starttls"`
vaultwarden: allow internal SMTP TLS 2026-01-03 17:54:27 -03:00			`- name: SMTP_ACCEPT_INVALID_HOSTNAMES`
vault: sync harbor pulls 2026-01-14 10:07:31 -03:00			`value: "false"`
vaultwarden: allow internal SMTP TLS 2026-01-03 17:54:27 -03:00			`- name: SMTP_ACCEPT_INVALID_CERTS`
vault: sync harbor pulls 2026-01-14 10:07:31 -03:00			`value: "false"`
vaultwarden: use mailu smtp creds 2026-01-19 02:17:16 -03:00			`- name: SMTP_USERNAME`
			`value: "no-reply-vaultwarden@bstein.dev"`
vaultwarden: enable SMTP via Mailu 2026-01-03 17:44:24 -03:00			`- name: SMTP_FROM`
vault: sync harbor pulls 2026-01-14 10:07:31 -03:00			`value: "no-reply-vaultwarden@bstein.dev"`
vaultwarden: enable SMTP via Mailu 2026-01-03 17:44:24 -03:00			`- name: SMTP_FROM_NAME`
vault: sync harbor pulls 2026-01-14 10:07:31 -03:00			`value: "Vaultwarden"`
services: scaffold postgres and vaultwarden manifests 2026-01-02 01:12:35 -03:00			`ports:`
			`- name: http`
			`containerPort: 80`
			`protocol: TCP`
			`volumeMounts:`
			`- name: vaultwarden-data`
			`mountPath: /data`
			`volumes:`
			`- name: vaultwarden-data`
			`persistentVolumeClaim:`
			`claimName: vaultwarden-data`