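---
# Flux manifests that deploy Vaultwarden (a password vault) from the
# guerzon Helm chart. The four documents below were collapsed onto a single
# line, which does not parse as YAML; the block structure is restored here
# with every key and value unchanged.

# Chart source. The repository is fetched over HTTPS and re-indexed hourly.
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: vaultwarden
  namespace: flux-system
spec:
  interval: 1h
  url: https://guerzon.github.io/vaultwarden/
---
# Namespace the release is installed into (see targetNamespace below).
apiVersion: v1
kind: Namespace
metadata:
  name: vaultwarden
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: vaultwarden
  namespace: flux-system
spec:
  interval: 1h
  targetNamespace: vaultwarden
  install:
    # Redundant with the Namespace document above, but harmless.
    createNamespace: true
  chart:
    spec:
      chart: vaultwarden
      # NOTE(review): no chart version is pinned, so each reconciliation can
      # pick up whatever the repository currently publishes as latest. For a
      # password vault, pin a reviewed version and upgrade deliberately, e.g.
      # version: "<PINNED_CHART_VERSION>"
      # The value keys used below are also specific to the chart version.
      sourceRef:
        kind: HelmRepository
        name: vaultwarden
      interval: 1h
  valuesFrom:
    # The admin token is injected from a Secret rather than written inline.
    # Flux resolves this Secret in the HelmRelease's own namespace
    # (flux-system), so it must exist there; keep it out of Git or store it
    # encrypted. Vaultwarden accepts an Argon2 PHC hash as the admin token,
    # which is preferable to a plaintext value -- confirm the chart passes it
    # through unchanged. The merged value becomes part of the Helm release
    # values, so read access to Helm release storage exposes it too.
    - kind: Secret
      name: vaultwarden-admin
      valuesKey: ADMIN_TOKEN
      targetPath: adminToken.value
  values:
    domain: "https://vault.davidepiu.xyz"
    # Self-registration and invitations are both disabled, so accounts can
    # only be created through the admin interface.
    signupsAllowed: false
    invitationsAllowed: false
    ingress:
      enabled: true
      class: traefik
      nginxIngressAnnotations: false
      additionalAnnotations:
        cert-manager.io/cluster-issuer: letsencrypt-prod
        # References a Traefik Middleware CRD named redirect-https in the
        # default namespace; it is not defined in this file.
        traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
      hostname: vault.davidepiu.xyz
      tls: true
      tlsSecret: vaultwarden-tls
    data:
      name: vaultwarden-data
      size: 5Gi
    resources:
      requests:
        cpu: 10m
        memory: 64Mi
      limits:
        cpu: 200m
        memory: 128Mi
---
# Restricts inbound traffic to every pod in the vaultwarden namespace.
# Because policyTypes lists only Ingress, egress from these pods is not
# restricted by this policy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-from-traefik
  namespace: vaultwarden
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    # NOTE(review): despite the policy name, this admits traffic from ANY pod
    # in kube-system on any port, not only Traefik. It presumably assumes
    # Traefik runs in kube-system -- confirm. To match the name, add a
    # podSelector for the Traefik pods' labels next to the namespaceSelector
    # (in the same "from" entry) and a "ports" list limited to the
    # Vaultwarden service port.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system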