
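# services/vaultwarden/deployment.yaml
#
# Vaultwarden Deployment. No credentials live in this manifest: the Vault Agent
# injector renders /vault/secrets/vaultwarden-env.sh from the template in the
# pod annotations, and the container sources that file before exec'ing
# /start.sh, so DATABASE_URL / ADMIN_TOKEN / SMTP_PASSWORD only ever exist in
# the pod's memory.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vaultwarden
  namespace: vaultwarden
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      # With one replica, maxSurge 0 / maxUnavailable 1 stops the old pod
      # before the new one starts, so two instances never share /data.
      maxSurge: 0
      maxUnavailable: 1
  selector:
    matchLabels:
      app: vaultwarden
  template:
    metadata:
      labels:
        app: vaultwarden
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "vaultwarden"
        # Only the first KV path is named on the -secret- annotation, but the
        # template below reads three paths; the "vaultwarden" Vault role's
        # policy must grant read on all three or the render fails at startup.
        vault.hashicorp.com/agent-inject-secret-vaultwarden-env.sh: "kv/data/atlas/vaultwarden/vaultwarden-db-url"
        vault.hashicorp.com/agent-inject-template-vaultwarden-env.sh: |
          {{ with secret "kv/data/atlas/vaultwarden/vaultwarden-db-url" }}
          export DATABASE_URL="{{ .Data.data.DATABASE_URL }}"
          {{ end }}
          {{ with secret "kv/data/atlas/vaultwarden/vaultwarden-admin" }}
          export ADMIN_TOKEN="{{ .Data.data.ADMIN_TOKEN }}"
          {{ end }}
          {{ with secret "kv/data/atlas/mailu/mailu-initial-account-secret" }}
          export SMTP_PASSWORD="{{ .Data.data.password }}"
          {{ end }}
    spec:
      # Service account used by the injected agent for Vault auth; its token
      # must stay auto-mounted for the agent to log in.
      serviceAccountName: vaultwarden-vault
      nodeSelector:
        kubernetes.io/arch: arm64
        node-role.kubernetes.io/worker: "true"
      containers:
        - name: vaultwarden
          # Pinned tag; bump deliberately rather than tracking "latest".
          image: vaultwarden/server:1.33.2
          # Shell wrapper so the rendered env file can be sourced before the
          # image's own entrypoint; exec keeps vaultwarden as PID 1 so signals
          # from the kubelet reach it directly.
          command: ["/bin/sh", "-c"]
          args:
            - >-
              . /vault/secrets/vaultwarden-env.sh
              && exec /start.sh
          securityContext:
            # vaultwarden needs no setuid helpers; deny privilege escalation.
            allowPrivilegeEscalation: false
            # NOTE(review): runAsNonRoot / readOnlyRootFilesystem / dropped
            # capabilities are not set. The image listens on port 80 and
            # writes /data as whatever user it starts as — confirm the image's
            # non-root support before tightening further.
          # NOTE(review): no resources requests/limits and no readiness,
          # liveness or startup probes are declared; without probes a pod
          # stuck waiting on the database is still reported Ready.
          env:
            - name: SIGNUPS_ALLOWED
              value: "false"
            - name: INVITATIONS_ALLOWED
              value: "true"
            - name: DOMAIN
              value: "https://vault.bstein.dev"
            # presumably 0 removes the retry limit rather than disabling
            # retries — verify against the vaultwarden config reference.
            - name: DB_CONNECTION_RETRIES
              value: "0"
            - name: DATABASE_TIMEOUT
              value: "60"
            - name: DATABASE_MIN_CONNS
              value: "2"
            - name: DATABASE_MAX_CONNS
              value: "20"
            - name: DATABASE_IDLE_TIMEOUT
              value: "600"
            - name: SMTP_HOST
              value: "mail.bstein.dev"
            - name: SMTP_PORT
              value: "587"
            - name: SMTP_SECURITY
              value: "starttls"
            # Keep both "false": the SMTP server's certificate and hostname are
            # verified, so credentials are never sent over an unverified TLS
            # session.
            - name: SMTP_ACCEPT_INVALID_HOSTNAMES
              value: "false"
            - name: SMTP_ACCEPT_INVALID_CERTS
              value: "false"
            - name: SMTP_USERNAME
              value: "no-reply-vaultwarden@bstein.dev"
            - name: SMTP_FROM
              value: "no-reply-vaultwarden@bstein.dev"
            - name: SMTP_FROM_NAME
              value: "Vaultwarden"
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
          volumeMounts:
            - name: vaultwarden-data
              mountPath: /data
      volumes:
        - name: vaultwarden-data
          persistentVolumeClaim:
            claimName: vaultwarden-data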