feat: Automatically use Deployment instead of StatefulSet (#59)

README.md

@@ -11,6 +11,10 @@ This [Helm](https://helm.sh/docs/) chart is used to deploy `vaultwarden` with a
 
 The `vaultwarden` project can be found [here](https://github.com/dani-garcia/vaultwarden). To learn more about Vaultwarden, please visit the [wiki](https://github.com/dani-garcia/vaultwarden/wiki).
 
+### Change of Resource Type in Versions >= 0.18.0
+
+Starting from version 0.18.0, when a stateless configuration is detected that utilizes an external database and persistent storage, a `Deployment` is automatically used in favor of the current `StatefulSet`. This enables running multiple pods simultaneously, thereby enhancing the processes of updates, rollbacks, and scalability for load balancing. This automatic detection can be overridden by manually specifying a `resourceType`.
+
 ## Prerequisites
 
 - Kubernetes >= 1.12

charts/vaultwarden/Chart.yaml

@@ -8,10 +8,10 @@ keywords:
 sources:
   - https://github.com/guerzon/vaultwarden
   - https://github.com/dani-garcia/vaultwarden
-appVersion: 1.29.2
+appVersion: 1.30.1
 maintainers:
   - name: guerzon
     email: [email protected]
     url: https://github.com/guerzon
-version: 0.17.0
+version: 0.18.0
 kubeVersion: ">=1.12.0-0"

charts/vaultwarden/templates/_helpers.tpl

@@ -66,3 +66,29 @@ Return the database string
 {{- $var := print .Values.database.type "://" .Values.database.username ":" .Values.database.password "@" .Values.database.host (include "dbPort" . ) "/" .Values.database.dbName }}
 {{- printf "%s" $var }}
 {{- end -}}
+
+{{/*
+Return the appropriate apiVersion for podDisruptionBudget.
+*/}}
+{{- define "podDisruptionBudget.apiVersion" -}}
+{{- if semverCompare ">=1.21-0" .Capabilities.KubeVersion.Version -}}
+{{- print "policy/v1" -}}
+{{- else -}}
+{{- print "policy/v1beta1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Determine whether to use deployment or statefulset
+*/}}
+{{- define "vaultwarden.resourceType" -}}
+{{- if .Values.resourceType }}
+{{- .Values.resourceType }}
+{{- else }}
+{{- if (and .Values.data (ne .Values.database.type "default")) }}
+{{- "Deployment" }}
+{{- else }}
+{{- "StatefulSet" }}
+{{- end }}
+{{- end }}
+{{- end }}

charts/vaultwarden/templates/_podSpec.tpl

@@ -0,0 +1,128 @@
+{{- define "vaultwarden.podSpec" }}
+{{- with .Values.nodeSelector }}
+nodeSelector:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.affinity }}
+affinity:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.tolerations }}
+tolerations:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.initContainers }}
+initContainers:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+containers:
+  - image: {{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}
+    imagePullPolicy: {{ .Values.image.pullPolicy }}
+    name: vaultwarden
+    envFrom:
+      - configMapRef:
+          name: {{ include "vaultwarden.fullname" . }}
+    env:
+      {{- if or (.Values.smtp.username.value) (.Values.smtp.username.existingSecretKey )}}
+      - name: SMTP_USERNAME
+        valueFrom:
+          secretKeyRef:
+            name: {{ default (include "vaultwarden.fullname" .) .Values.smtp.existingSecret }}
+            key: {{ default "SMTP_USERNAME" .Values.smtp.username.existingSecretKey }}
+      {{- end }}
+      {{- if or (.Values.smtp.password.value) (.Values.smtp.password.existingSecretKey )}}
+      - name: SMTP_PASSWORD
+        valueFrom:
+          secretKeyRef:
+            name: {{ default (include "vaultwarden.fullname" .) .Values.smtp.existingSecret }}
+            key: {{ default "SMTP_PASSWORD" .Values.smtp.password.existingSecretKey }}
+      {{- end }}
+      {{- if .Values.adminToken }}
+      - name: ADMIN_TOKEN
+        valueFrom:
+          secretKeyRef:
+            name: {{ default (include "vaultwarden.fullname" .) .Values.adminToken.existingSecret }}
+            key: {{ default "ADMIN_TOKEN" .Values.adminToken.existingSecretKey }}
+      {{- else }}
+      - name: DISABLE_ADMIN_TOKEN
+        value: "true"
+      {{- end }}
+      {{- if ne "default" .Values.database.type }}
+      - name: DATABASE_URL
+        {{- if .Values.database.existingSecret }}
+        valueFrom:
+          secretKeyRef:
+            name: {{ .Values.database.existingSecret }}
+            key: {{ .Values.database.existingSecretKey }}
+        {{- else }}
+        {{- if .Values.database.uriOverride }}
+        value: {{ .Values.database.uriOverride }}
+        {{- else }}
+        value: {{ include "dbString" . | quote }}
+        {{- end }}
+        {{- end }}
+      {{- end }}
+    ports:
+      - containerPort: 8080
+        name: http
+        protocol: TCP
+      - containerPort: {{ .Values.websocket.port }}
+        name: websocket
+        protocol: TCP
+    {{- if or (.Values.data) (.Values.attachments) }}
+    volumeMounts:
+      {{- with .Values.data }}
+      - name: {{ .name }}
+        mountPath: {{ default "/data" .path }}
+      {{- end }}
+      {{- with .Values.attachments }}
+      - name: {{ .name }}
+        mountPath: {{ default "/data/attachments" .path }}
+      {{- end }}
+    {{- end }}
+    resources:
+    {{- toYaml .Values.resources | nindent 12 }}
+    {{- with .Values.securityContext }}
+    securityContext:
+    {{- toYaml . | nindent 12 }}
+    {{- end }}
+    {{- if .Values.livenessProbe.enabled }}
+    livenessProbe:
+      httpGet:
+        path: /alive
+        port: http
+      initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
+      periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
+      timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
+      successThreshold: {{ .Values.livenessProbe.successThreshold }}
+      failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
+    {{- end }}
+    {{- if .Values.readinessProbe.enabled }}
+    readinessProbe:
+      httpGet:
+        path: /alive
+        port: http
+      initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+      periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+      timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
+      successThreshold: {{ .Values.readinessProbe.successThreshold }}
+      failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
+    {{- end }}
+    {{- if .Values.startupProbe.enabled }}
+    startupProbe:
+      httpGet:
+        path: /alive
+        port: http
+      initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }}
+      periodSeconds: {{ .Values.startupProbe.periodSeconds }}
+      timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }}
+      successThreshold: {{ .Values.startupProbe.successThreshold }}
+      failureThreshold: {{ .Values.startupProbe.failureThreshold }}
+    {{- end }}
+    {{- with .Values.sidecars }}
+    {{- toYaml . | nindent 8 }}
+    {{- end }}
+{{- if .Values.serviceAccount.create }}
+serviceAccountName: {{ .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

charts/vaultwarden/templates/_pvcSpec.tpl

@@ -0,0 +1,38 @@
+{{- define "vaultwarden.pvcSpec" }}
+{{- if (or .Values.data .Values.attachments) -}}
+volumeClaimTemplates:
+  {{- with .Values.data }}
+  - metadata:
+      name: {{ .name }}
+      labels:
+        {{- include "vaultwarden.labels" $ | nindent 10 }}
+      annotations:
+        meta.helm.sh/release-name: {{ $.Release.Name | quote }}
+        meta.helm.sh/release-namespace: {{ $.Release.Namespace | quote }}
+    spec:
+      accessModes:
+        - "ReadWriteOnce"
+      resources:
+        requests:
+          storage: {{ .size }}
+      {{- with .class }}
+      storageClassName: {{ . | quote }}
+      {{- end }}
+  {{- end }}
+  {{- with .Values.attachments }}
+  - metadata:
+      name: {{ .name }}
+      labels:
+        {{- include "vaultwarden.labels" $ | nindent 10 }}
+    spec:
+      accessModes:
+        - "ReadWriteOnce"
+      resources:
+        requests:
+          storage: {{ .size }}
+      {{- with .class }}
+      storageClassName: {{ . | quote }}
+      {{- end }}
+  {{- end }}
+{{- end }}
+{{- end }}

charts/vaultwarden/templates/configmap.yaml

@@ -6,6 +6,10 @@ metadata:
   labels:
     app.kubernetes.io/component: vaultwarden
     {{- include "vaultwarden.labels" . | nindent 4 }}
+{{- with .Values.configMapAnnotations }}
+  annotations:
+    {{- . | toYaml | nindent 4 }}
+{{- end }}
 data:
   DOMAIN: {{ .Values.domain | quote }}
   {{- if and .Values.smtp.host .Values.smtp.from }}
@@ -32,6 +36,7 @@ data:
   {{- if .Values.attachments }}
   ATTACHMENTS_FOLDER: {{ default "/data/attachments" .Values.attachments.path | quote }}
   {{- end }}
+  ROCKET_ADDRESS: {{ .Values.rocket.address | quote }}
   ROCKET_PORT: {{ .Values.rocket.port | quote }}
   ROCKET_WORKERS: {{ .Values.rocket.workers | quote }}
   SHOW_PASSWORD_HINT: {{ .Values.showPassHint | quote }}

charts/vaultwarden/templates/deployment.yaml

@@ -0,0 +1,50 @@
+{{- if eq (include "vaultwarden.resourceType" .) "Deployment" }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "vaultwarden.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/component: vaultwarden
+    {{- include "vaultwarden.labels" . | nindent 4 }}
+    {{- range $key, $value := .Values.commonLabels }}
+    {{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 4 }}
+    {{- end }}
+  {{- with .Values.commonAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: vaultwarden
+      {{- include "vaultwarden.selectorLabels" . | nindent 6 }}
+  {{- with .Values.strategy }}
+  strategy:
+    {{- . | toYaml | nindent 8 }}
+  {{- end }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: vaultwarden
+        {{- include "vaultwarden.selectorLabels" . | nindent 8 }}
+      {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha1sum }}
+        checksum/secret: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha1sum }}
+        {{- with .Values.podAnnotations }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- include "vaultwarden.podSpec" . | nindent 6 }}
+      volumes:
+        {{- range $pvc := (fromYaml (include "vaultwarden.pvcSpec" .)).volumeClaimTemplates }}
+        {{- $newName := printf "%s-%s-0" $pvc.metadata.name $.Release.Name }}
+        - name: {{ $pvc.metadata.name }}
+          persistentVolumeClaim:
+            claimName: {{ $newName }}
+        {{- end }}
+{{- end }}

charts/vaultwarden/templates/poddisruptionbudget.yaml

@@ -0,0 +1,22 @@
+{{- if .Values.podDisruptionBudget.enabled }}
+{{- $component := .Values.podDisruptionBudget }}
+apiVersion: {{ include "podDisruptionBudget.apiVersion" . }}
+kind: PodDisruptionBudget
+metadata:
+  name: vaultwarden
+  namespace: {{ .Release.Namespace }}
+  labels:
+    k8s-app: vaultwarden
+    app.kubernetes.io/name: vaultwarden
+    app.kubernetes.io/part-of: vaultwarden
+spec:
+  {{- with $component.maxUnavailable }}
+  maxUnavailable: {{ . }}
+  {{- end }}
+  {{- with $component.minAvailable }}
+  minAvailable: {{ . }}
+  {{- end }}
+  selector:
+    matchLabels:
+      k8s-app: vaultwarden
+{{- end }}

charts/vaultwarden/templates/pvc.yaml

@@ -0,0 +1,10 @@
+{{- if eq (include "vaultwarden.resourceType" .) "Deployment" }}
+{{- range $pvc := (fromYaml (include "vaultwarden.pvcSpec" .)).volumeClaimTemplates }}
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+{{- $newName := printf "%s-%s-0" $pvc.metadata.name $.Release.Name }}
+{{- $newPvc := merge (dict "metadata" (dict "name" $newName)) $pvc }}
+{{ $newPvc | toYaml }}
+{{- end }}
+{{- end }}

charts/vaultwarden/templates/secrets.yaml

@@ -13,7 +13,7 @@ data:
   SMTP_PASSWORD: {{ .Values.smtp.password.value | b64enc | quote }}
   SMTP_USERNAME: {{ .Values.smtp.username.value | b64enc | quote }}
   {{- end }}
-  {{- if ( .Values.adminToken ) }}
+  {{- if not ( .Values.adminToken.existingSecret ) }}
   ADMIN_TOKEN: {{ .Values.adminToken.value | b64enc | quote }}
   {{- end }}
 {{ end }}

charts/vaultwarden/templates/service.yaml

@@ -28,3 +28,6 @@ spec:
       protocol: TCP
       targetPort: {{ .Values.websocket.port }}
     {{- end }}
+{{- if .Values.service.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
+{{- end }}