Latest commit: "line fix" by Joseph Blasi (b360a64cf5), 2026-03-06 14:06:42 -06:00
Repository contents (path, last commit message, date):

  • .github: feat: volume improvements (#109), 2024-08-22 19:11:41 +08:00
  • .teamcity: edit readme.md, 2026-03-05 13:36:23 -06:00
  • charts/vaultwarden: password pass argon2 testing, 2026-01-16 14:20:19 -06:00
  • .env: edit readme.md, 2026-03-05 13:36:23 -06:00
  • .gitignore: feat: imagePullSecrets support (#119), 2024-09-09 10:50:29 +08:00
  • .helmignore: Initial Helm chart release, 2022-03-19 17:01:51 +01:00
  • appinfo.md: edit readme.md, 2026-03-05 13:36:23 -06:00
  • cf-dns.sh: update env base and README.md, 2026-02-16 14:40:28 -06:00
  • install.sh: line fix, 2026-03-06 14:06:42 -06:00
  • k8.sh: update env base and README.md, 2026-02-16 14:40:28 -06:00
  • README.md: edit readme.md, 2026-03-05 13:36:23 -06:00
  • remote-bridge.sh: update env base and README.md, 2026-02-16 14:40:28 -06:00
  • ssoconfig.sh: update env base and README.md, 2026-02-16 14:40:28 -06:00

🚀 Vaultwarden K8s Automation Suite

Automation suite for deploying [Vaultwarden] on Kubernetes with Keycloak SSO integration and an admin panel protected by an Argon2id-hashed ADMIN_TOKEN.

🛠 Requirements

The machine executing the installation must have:

  • bash, jq, openssl, argon2
  • kubectl and helm
  • a running Kubernetes cluster, either local or reachable from the CLI as a remote cluster (a working kubectl context)

🚀 Execution Flow

1. Manual / Standard Installation

For most users, the installation is a single-step process after configuration.

  1. Configure Environment: Create and fill your .env file.
  2. Run Install: source .env && ./install.sh

🔐 Security Architecture

Argon2id & Kubernetes Secrets

So that the same flow works from a local shell and over the remote bridge, the suite separates hashing the admin password from storing it.

  1. Local Hashing: install.sh generates a random password and hashes it with argon2id on the machine running the install. Only the hash ever reaches the Kubernetes API; the plain-text password is neither sent over the wire nor stored in the cluster.
  2. Secret Encapsulation: Instead of passing the hash as a raw environment variable or a helm --set value (the $ delimiters are expanded by any shell that re-parses the string, and the commas in m=...,t=...,p=... are list separators for --set), k8.sh writes it into a Kubernetes Secret (vaultwarden-admin-token, key token).
  3. Environment Mapping: The Vaultwarden container reads that Secret as the ADMIN_TOKEN environment variable, so the hash arrives literally, untouched by shell expansion.

A Secret is base64-encoded, not encrypted: anyone with get or list on Secrets in the namespace can read the hash, so scope RBAC accordingly. Storing the argon2id hash rather than the password is what makes that exposure tolerable; the cost parameters make offline guessing of a random password impractical.
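The three steps above, carried through end to end as an added example in POSIX sh. This is not the suite's install.sh or k8.sh: it substitutes a constructed argon2id string for a real hash so it runs without the argon2 binary, reuses the Secret name and key from the Troubleshooting section (vaultwarden-admin-token, token), assumes a NAMESPACE variable, and treats the env/secretKeyRef placement in step 3 as an assumption about how the chart renders it. It also reproduces the "=19" symptom described under Troubleshooting, so you can see exactly what a re-parsing shell does to the hash.

```sh
#!/bin/sh
# Added example (not the suite's install.sh or k8.sh): the three steps
# carried through in plain POSIX sh, plus a reproduction of what goes wrong
# when the hash is passed through a shell that re-parses it.
set -eu

# Constructed, well-formed argon2id PHC string standing in for a real hash so
# the example runs without the argon2 binary. It is NOT the hash of any real
# password (salt and tag are just base64 of filler text).
SAMPLE_HASH='$argon2id$v=19$m=65540,t=3,p=4$c2FsdHNhbHRzYWx0c2FsdHNhbHRzYWx0$ZHVtbXloYXNoZHVtbXloYXNoZHVtbXloYXNoZHVtbXk'

# Step 1, local hashing. Password on stdin, random salt as the positional
# argument, -e prints only the encoded PHC string; -id/-k/-t/-p are the
# argon2id parameters Vaultwarden's documentation uses for ADMIN_TOKEN.
gen_admin_password() { openssl rand -base64 24; }
hash_admin_token() {
  printf '%s' "$1" | argon2 "$(openssl rand -base64 32)" -e -id -k 65540 -t 3 -p 4
}

# Reject anything that is not an argon2id PHC string before it is stored.
valid_argon2id_token() {
  case "$1" in
    '$argon2id$v=19$m='*',t='*',p='*'$'*'$'*) return 0 ;;
    *) return 1 ;;
  esac
}

# The failure mode behind the "=19" symptom in Troubleshooting: when the hash
# is spliced into a command string that another shell parses (eval, an
# unquoted heredoc, ssh host "cmd $HASH", helm --set), $argon2id, $v and $m
# are expanded as empty variables and only the literal pieces survive.
unsafe_pass() {
  sh -c "printf '%s\n' $1"
}

# What k8.sh relies on: the hash travels as an argument, never inside a
# re-parsed string. kubectl ... --from-literal=token="$HASH" is the same idea.
safe_pass() {
  sh -c 'printf "%s\n" "$1"' _ "$1"
}

# Step 2, Secret encapsulation. Built as a manifest so the example runs
# offline; `kubectl create secret generic vaultwarden-admin-token
# --from-literal=token="$HASH" -n "$NAMESPACE"` does the same via the API.
# The value goes into data: (base64) rather than stringData:, so the
# unquoted heredoc never sees a $ it could expand.
secret_manifest() {
  b64="$(printf '%s' "$2" | base64 | tr -d '\n')"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: vaultwarden-admin-token
  namespace: $1
type: Opaque
data:
  token: $b64
EOF
}

# Step 3, mapping the Secret into the container as ADMIN_TOKEN. Plain
# Kubernetes env/valueFrom form; how the chart's values expose this is not
# shown on this page, so the field placement is an assumption.
admin_token_env_snippet() {
  cat <<'EOF'
env:
  - name: ADMIN_TOKEN
    valueFrom:
      secretKeyRef:
        name: vaultwarden-admin-token
        key: token
EOF
}

# The same round trip as the Troubleshooting check: decode the stored value
# and confirm it still starts with $argon2id$.
decoded_token_from_manifest() {
  printf '%s\n' "$1" | awk '/^  token: /{print $2}' | base64 -d
}

main() {
  hash="$SAMPLE_HASH"   # real run: hash="$(hash_admin_token "$(gen_admin_password)")"
  valid_argon2id_token "$hash" || { echo "not an argon2id PHC string" >&2; exit 1; }
  echo "re-parsed by a shell: $(unsafe_pass "$hash")"   # =19=65540,t=3,p=4
  echo "passed as argument:   $(safe_pass "$hash")"     # the full hash
  secret_manifest "${NAMESPACE:-vaultwarden}" "$hash"
  admin_token_env_snippet
}
main
```

The unsafe_pass/safe_pass pair is the whole lesson: the same string, once spliced into a command that another shell parses and once handed over as an argument. eval, unquoted heredocs, ssh remote command strings and helm --set are in the first category; kubectl --from-literal, kubectl apply with base64 data:, and env/valueFrom are in the second.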

📡 Automated DNS & Discovery

The suite includes a discovery loop in cf-dns.sh that bridges the gap between the Helm install returning and the cloud provider actually provisioning the LoadBalancer.

  • The Wait Loop: The script polls the Service status through the Kubernetes API for up to 120 seconds (12 attempts, 10 seconds apart) until an ingress endpoint appears.
  • Dual Support: It handles both IP-based endpoints (typical of bare metal, GCP and Azure) and hostname-based endpoints (typical of AWS ELB).
  • Cloudflare Integration: Once the endpoint is known, it creates or updates a proxied record for your FQDN: an A record for an IP, a CNAME for a hostname.
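The loop and the record decision above as an added POSIX sh example, not the suite's cf-dns.sh. It assumes kubectl, curl and jq on PATH and the variables SVC_NAME, NAMESPACE, FQDN, CF_ZONE_ID and CF_API_TOKEN (the names are assumptions; this page does not show the suite's .env keys). CF_API_TOKEN should be a Cloudflare API token scoped to DNS:Edit on the one zone, not the account-wide Global API Key. The polling logic is kept apart from the kubectl and curl calls so it can be exercised without a cluster.

```sh
#!/bin/sh
# Added example, not the suite's cf-dns.sh. Assumed environment:
#   SVC_NAME, NAMESPACE       Service to watch and its namespace
#   FQDN                      DNS name to create or update
#   CF_ZONE_ID, CF_API_TOKEN  Cloudflare zone and a token with DNS:Edit on it
set -eu

LB_ATTEMPTS="${LB_ATTEMPTS:-12}"   # 12 x 10 s = the 120 s window
LB_INTERVAL="${LB_INTERVAL:-10}"

# Pure decision helper: an IP (bare metal, GCP, Azure) becomes an A record, a
# hostname (AWS ELB) a CNAME. Prints "<type> <value>" or nothing at all.
classify_endpoint() {
  if [ -n "$1" ]; then printf 'A %s\n' "$1"
  elif [ -n "$2" ]; then printf 'CNAME %s\n' "$2"
  fi
}

# One poll of the Service status. Both fields are read with jsonpath so an
# unprovisioned balancer yields empty strings rather than an error.
lb_endpoint() {
  ip="$(kubectl get svc "$1" -n "$2" -o jsonpath='{.status.loadBalancer.ingress[0].ip}' 2>/dev/null || true)"
  host="$(kubectl get svc "$1" -n "$2" -o jsonpath='{.status.loadBalancer.ingress[0].hostname}' 2>/dev/null || true)"
  classify_endpoint "$ip" "$host"
}

# The wait loop: print the first endpoint seen, fail after LB_ATTEMPTS polls.
wait_for_endpoint() {
  i=1
  while [ "$i" -le "$LB_ATTEMPTS" ]; do
    ep="$(lb_endpoint "$1" "$2")"
    if [ -n "$ep" ]; then printf '%s\n' "$ep"; return 0; fi
    sleep "$LB_INTERVAL"
    i=$((i + 1))
  done
  echo "no LoadBalancer endpoint for $1 after $((LB_ATTEMPTS * LB_INTERVAL))s" >&2
  return 1
}

# Create or update a proxied record. The existing record is looked up by name
# so re-runs (including an A -> CNAME change after moving clouds) update in
# place instead of piling up duplicates.
cf_upsert_record() {
  api="https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID}/dns_records"
  auth="Authorization: Bearer ${CF_API_TOKEN}"
  body="$(jq -cn --arg t "$1" --arg n "$FQDN" --arg c "$2" \
          '{type: $t, name: $n, content: $c, ttl: 1, proxied: true}')"
  id="$(curl -fsS -H "$auth" "${api}?name=${FQDN}" | jq -r '.result[0].id // empty')"
  if [ -n "$id" ]; then
    curl -fsS -X PUT -H "$auth" -H 'Content-Type: application/json' \
      "${api}/${id}" --data "$body" >/dev/null
  else
    curl -fsS -X POST -H "$auth" -H 'Content-Type: application/json' \
      "$api" --data "$body" >/dev/null
  fi
}

main() {
  ep="$(wait_for_endpoint "$SVC_NAME" "$NAMESPACE")"
  set -- $ep                      # split "<type> <value>"
  cf_upsert_record "$1" "$2"
  echo "$FQDN -> $1 $2 (proxied)"
}

# Only talk to the cluster and Cloudflare when explicitly asked, so the
# functions can be sourced or tested without either.
if [ "${RUN_CF_DNS:-0}" = 1 ]; then main; fi
```

Run with RUN_CF_DNS=1 after exporting the variables listed at the top. Because the record is found by name and replaced with PUT, the script is idempotent across re-deploys; if the balancer changes from an IP to a hostname the record type changes with it.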

Login

  1. Open the app FQDN, enter any email address and click Use single sign-on; you are redirected to the Keycloak login.
  2. After Keycloak authentication you are asked to set a master password. This step is mandatory: the master password encrypts your vault independently of the Keycloak login, so record it somewhere safe.

Admin Login

  1. Go to app FQDN/admin and enter the admin password recorded in deployment-summary.json.

deployment-summary.json holds that password in plain text (the cluster only ever holds the hash), so restrict its file permissions, keep it out of version control, and once the install is verified move the password into a password manager and consider deleting the file.

🛠 Troubleshooting

"Invalid Admin Token"

If you cannot log in to /admin despite having the correct password:

  • Check the Secret: Run kubectl get secret vaultwarden-admin-token -n <namespace> -o jsonpath='{.data.token}' | base64 -d. Verify the output starts with $argon2id$ and still contains the m=,t=,p= parameter block followed by two further $-separated fields (salt and hash).
  • Shell Expansion: If those fields are missing (e.g., the output starts with =19), a shell expanded $argon2id, $v and $m as empty variables during deployment. Ensure you are using the latest k8.sh, which creates the Secret with kubectl's --from-literal flag so the hash is passed as an argument rather than re-parsed.
  • Check what the container received: Run kubectl exec -n <namespace> <vaultwarden-pod> -- printenv ADMIN_TOKEN and compare it with the Secret; a mismatch means the chart is not wiring the Secret into ADMIN_TOKEN rather than a hashing problem.