Self-host with Helm
This article will walk you through the procedure to install and deploy Bitwarden in different Kubernetes deployments using a Helm chart.
This article will describe the generic steps for hosting Bitwarden on Kubernetes. Provider-specific guides are available to dive into how you might alter a deployment based on each provider's specific offerings:
Before proceeding with the installation, ensure the following requirements are met:
kubectl is installed.
Helm 3 is installed.
You have an SSL certificate and key, or access to create one via a certificate provider.
You have an SMTP server or access to a cloud SMTP provider.
A storage class that supports ReadWriteMany.
You have an installation ID and key retrieved from https://bitwarden.com/host.
Add the repo to Helm using the following commands:
Create a namespace to deploy Bitwarden to. Our documentation assumes a namespace called bitwarden, so be sure to modify commands if you choose a different name.
Create a my-values.yaml configuration file, which you will use to customize your deployment, using the following command:
At a minimum, you must configure the following values in your
Create a Kubernetes secret object to set, at a minimum, the following values:
For example, using the kubectl create secret command to set these values would look like the following:
This example will record commands to your shell history. Other methods may be considered to securely set a secret.
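One way to set the secret without the values reaching your shell history or the process list, shown as an added example that is not part of the Bitwarden documentation: each value is typed at a hidden prompt, written to an owner-only temporary file, passed to kubectl with --from-env-file, and the file is then deleted. The secret name and key names are placeholders (assumptions), and the bitwarden namespace is the one assumed above.

```shell
#!/bin/sh
# Added example. Key names and the secret name are placeholders (assumptions);
# substitute the keys your deployment requires.

# Prompt for one value per key (no echo on a terminal) and write KEY=value
# lines to a private temporary file. Prints the file's path on stdout.
write_env_file() {
    old_umask=$(umask)
    umask 077                              # anything created here is owner-only
    env_file=$(mktemp) || { umask "$old_umask"; return 1; }
    umask "$old_umask"
    for key in "$@"; do
        printf '%s: ' "$key" >&2
        if [ -t 0 ]; then stty -echo; fi   # hide typing on a terminal
        value=''
        IFS= read -r value || true
        if [ -t 0 ]; then stty echo; printf '\n' >&2; fi
        if [ -z "$value" ]; then           # refuse to store an empty secret
            echo "no value entered for $key" >&2
            rm -f "$env_file"
            return 1
        fi
        printf '%s=%s\n' "$key" "$value" >> "$env_file"
    done
    printf '%s\n' "$env_file"
}

# usage: create_secret <namespace> <secret-name> <key>...
create_secret() {
    ns=$1; name=$2; shift 2
    file=$(write_env_file "$@") || return 1
    rc=0
    kubectl create secret generic "$name" -n "$ns" --from-env-file="$file" || rc=$?
    rm -f "$file"                          # never leave the values on disk
    return "$rc"
}

# Runs only when invoked as: sh create-secret.sh --apply
if [ "${1:-}" = "--apply" ]; then
    create_secret bitwarden placeholder-secret-name PLACEHOLDER_KEY_1 PLACEHOLDER_KEY_2
fi
```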
Don't forget to set the secrets.secretName: value in my-values.yaml to the name of the created secret, in this case
Deployment requires a TLS certificate and key, or access to create one via a certificate provider. The following example will walk you through using cert-manager to generate a certificate with Let's Encrypt:
Install cert-manager on the cluster using the following command:
Define a certificate issuer. Bitwarden recommends using the Staging configuration in this example until your DNS records have been pointed to your cluster. Be sure to replace the email: placeholder with a valid value:
If you haven't already, be sure to set the
my-values.yaml. In this example, you would set:
The Bitwarden self-host Helm Chart allows you to include other Kubernetes manifest files either pre- or post-install. To do this, update the rawManifests section of the chart (learn more). This is useful, for example, in scenarios where you want to use an ingress controller other than the nginx controller defined by default.
To install Bitwarden with the configuration set up in my-values.yaml, run the following command:
Congratulations! Bitwarden is now up and running at https://your.domain.com, as defined in my-values.yaml. Visit the web vault in your web browser to confirm that it's working. You may now register a new account and log in.
You will need to have set up an SMTP configuration and related secrets in order to verify the email for your new account.
In this repository, we have provided two illustrative example jobs for backing up and restoring the database in the Bitwarden database pod. If you are using your own SQL Server instance that is not deployed as part of this Helm chart, please follow your corporate backup and restore policies.
Database backups and backup policies are ultimately up to the implementor. The backup could be scheduled outside of the cluster to run at a regular interval, or it could be modified to create a CronJob object within Kubernetes for scheduling purposes.
The backup job will create timestamped versions of the previous backups. The current backup is simply called vault.bak. These files are placed in the MS SQL backups persistent volume. The restore job will look for vault.bak in the same persistent volume.