Bitwarden Kubernetes

Posted on by



I’m trying to get fail2ban to work with bitwardenrs as a sidecar in Kubernetes. I have been able to get fail2ban to see the bitwarden logs and successfully ‘bans’ an IP, but nothing actually happens. I don’t actually get banned and can still connect to the site. I’m using k3s with Traefik 1.X as a reverse proxy for bitwarden. Backup of bitwardenrs docker container using cron. Pulls 1M+ Overview Tags. Bitwardenrs Backup. Docker Containers for bitwardenrs Backup. Since version v0.0.7. Bitwarden, the open source password manager, makes it easy to generate and store unique passwords for any browser or device. Create your free account on the platform with end-to-end encryption and flexible integration options for you or your business. I’m deploying on Kubernetes. I was hoping to deploy the Bitwarden server in a deployment with 3 replicas and then have a single stateful state postgres instance with an open ebs volume. Do bitwarden rs instance have any state to worry about if the postgres db is not colocated?

This article is part of the series Build your very own self-hosting platform with Raspberry Pi and Kubernetes

  1. Self-host your password manager with Bitwarden

Introduction

Bitwarden is a free, open-source and audited Password Manager, it provides a large range of clients (desktop, web, browser extension and mobiles) to access your password easily and safely from anywhere. While Bitwarden offers a SaaS solutions (they host your passwords in an encrypted way), because Bitwarden is open-source, you can decide to host yourself your password and this is what we are going to learn in this tutorial.

For information, we will deploy Bitwarden-rs, Unofficial Bitwarden compatible server written in Rust, ideal for self-hosting.

This is a Bitwarden server API implementation written in Rust compatible with upstream Bitwarden clients*, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. This project is not associated with the Bitwarden project nor 8bit Solutions LLC.

Prerequisite

In order to run entirely the tutorial, we will need:

  • A running Kubernetes cluster (see previous articles if you haven't set this up yet)
  • A domain name in order to access our Bitwarden instance from outside our network. (replace <domain.com> by your domain)
  • Have a external static IP (usually the case by default)
  • Access to your router admin console to port-forward an incoming request to our Kubernetes Ingress service.

Namespace

We are going to isolate all the Kubernetes objects related to Bitwarden in the namespace bitwarden.

To create a namespace, run the following command:

Persistence

The first step consists in setting up a volume to store Bitwarden config files and data. If you followed the previous articles to install and configure a self-hosting platform using RaspberryPi and Kubernetes, you remember we have on each worker a NFS client pointing to a SSD on /mnt/ssd.

1. Deploy the Persistent Volume (PV)

The Persistent Volume specify the name, the size, the location and the access modes of the volume:

  • The name of the PV is bitwarden-ssd
  • The size allocated is 500MB
  • The location is /mnt/ssd/bitwarden
  • The access is ReadWriteOnce

Create the following file and apply it to the k8 cluster.

You can verify the PV exists with the following command:

2. Create the Persistent Volume Claim (PVC)

The Persistent Volume Claim is used to map a Persistent Volume to a deployment or stateful set. Unlike the PV, the PVC belongs to a namespace.

Create the following file and apply it to the k8 cluster.

You can verify the PVC exists with the following command:

Outside access

The next part consist to enable the connections to Bitwarden from outside so you can access your passwords from anywhere.

1. Port Forwarding

First you need to go to your router setup and add a port-forwarding rule to map any incoming requests on port 80 or port 443 to be forwarded to 192.168.0.240 (the LoadBalancer IP of the Nginx).

VirginHub - Port-Forwarding

2. Map the subdomain bitwarden.<domain.com> to your home router

First you need to find out what's your router external IP, run this command or go to whatismyip.com.

Bitwarden Kubernetes

Then, we need to configure our subdomain to make sure bitwarden.<domain.com> resolves to our external static IP. Go to your domain provider console / DNS management add a record:

  • Type: A
  • Name: bitwarden (subdomain)
  • Value: x.x.x.x (external static IP)

GoDaddy

Deployment

1. Clone the repo bitwarden-k8s

Clone the repository bitwarden-k8s with the following command (change ~/workspace/bitwarden-k8s by the target folder of your choice):

2. Download the Chart values of the chart locally

Run the following command to download the Chart values into the local file pihole.values.yml.

If you open the file, you will see the default configuration values to setup Bitwarden. Instead of using the flag --set property=value like before, we will use the file bitwarden.values.yml to make all the changes.

3. Update the values

Hosted

We now need to update a few properties before installing the Helm chart. Open the file bitwarden.values.yml and change the following properties.

First we need to change to an ARM compatible image

Then we configure the environment variables.

Replace [ADMIN_TOKEN] by the result of the command $ openssl rand -base64 48. This token will be used to connect to the Bitwarden administration interface.

In the next step, we configure an ingress to access Bitwarden and issue a certificate (especially if we want to access from outside).

Replace <domain.com> by your domain (same as the section 'Internet access')

Finally, we want to plug Bitwarden to the persistent volume created at the beginning of the article pointing to /mnt/ssd/bitwarden.

4. Install the Chart

In the part, we will install the Helm chart under the namespace bitwarden with bitwarden.values.yml as configuration file.

After a couple of minutes, check if the pod and service is up and running:

Configuration

Once Bitwarden is up and running, we can start configuring our first user.

1. Access the admin interface

First, access the admin interface which should be available on /admin'>https://bitwarden.<domain.com>/admin and enter the <ADMIN_PASSWORD> generated previously.

2. Invite your first user

Once connected, you can check and modify the different parameters of Bitwarden and invite a new user. Enter an email address to invite a new user.

After a few seconds, You should received the invitation via email. Click on 'Join the Organisation'.

3. Create an account and login for the first time

Click on 'Create Account'.

Configure the details of the user: name, master password (encryption key) and click on 'Submit'.

Finally, log into with the newly created user using the couple email, master password.

Conclusion

You now have a fully self-hosted password manager accessible via your own domain from anywhere.

You can also install and configure your custom server to easily and safely access your password:

  • Bitwarden Mobile App (available on iOS and GooglePlay)
  • Bitwarden Web Browser extension (available on Chrome and Firefox)
  • Kauri original title: (7/8) Self-host your password manager with Bitwarden
  • Kauri original link: https://kauri.io/78-selfhost-your-password-manager-with-bitwarden/b2187730d4294626b28d1d938057e2e0/a
  • Kauri original author: Grégoire Jeanmart (@gregjeanmart)
  • Kauri original Publication date: 2020-04-01
  • Kauri original tags: self-hosting, kubernetes, password-manager, bitwarden
  • Kauri original hash: QmdEAA7UJgWkx9FgUiRXnEJuE46chrd7S9R4j9w78gL6ka
  • Kauri original checkpoint: unknown

Introduction

This article will cover setting up your own self-hosted Bitwarden instance with Docker and configuring ngnix to allow for public exposure for cross-device access to your vault.

What is Bitwarden?

Bitwarden is a free and open-source password management service that stores sensitive information such as website credentials in an encrypted vault. The Bitwarden platform offers a variety of client applications including a web interface, desktop applications, browser extensions, mobile apps, and a CLI.

I use Bitwarden as my main password vault. It stores my card details for automating the filling out of payment forms. Saves me from having to find or remember my card details. I also use Bitwarden for storing all of my passwords.

Having Bitwarden as a public endpoint means that I can connect to my password vault using the Bitwarden app on Android, specifying my self hosted instance.

Setting up the Bitwarden Server

This section of the tutorial is to set up the main Bitwarden 'hub'. This will be a publicly exposed Bitwarden API that will live on your server.

Require some assistance?

Our experts can help get you set up!

Step 1: Setting up your Linux server

You'll need to either have an existing server instance or create one. I use a Proxmox instance running on a server in my loft. You could also use something like Digital Ocean to host your Bitwarden Server. Using the following link will give you $100 worth of credits for 60 days to play around with, just sign up using this link.

You could also use a cheap Raspberry PI to set up your own Linux server.

Once you have the server set up, or have logged in. You'll need to do some updates and run some prerequisite installs.

Next, we need to install Docker. Docker is the layer which your containers run.

To install Docker on your instance, you need to run the following command.

Bitwarden

The following script is a convenience script provided by the Docker team. It's highly recommended to always check what you're going to execute, before executing it.

Once you have executed the Docker install script. You should see an output like the following.

As you can see in the output, the command was executed successfully. You may also notice that there is a console message specifying how to use Docker as a non-root user.

This means that whenever you are executing the Docker command, you'll no longer need to type in your sudo password.

If this sounds good to you, you can simply run the provided command, substituting your-user for your server user. In my case, my user is ubuntu. My command would look like this.

We also need to install Docker Compose. This can be done by running the following commands.

Step 2: Provisioning your Bitwarden Server

Next, you'll need to create a new folder, this will house your Bitwarden Server, you can call it anything memorable. I'll just call mine bitwarden

Next, you'll need to create a docker-compose.yml file. This is an orchistration file which docker-compose will use to provision your Docker instance.

Next, you'll need to edit your `docker-compose.yml` file and paste in the following content.

I'm using bitwarden_rs as it's written in Rust, faster and more reliable. Also entirely opensource with a heavy user-base.

Save your docker-compose.yml file and exit back to your bitwarden directory.

Step 3: Running your Bitwarden Server locally

Now, you have everything provisioned for running your Bitwarden Server.

The next thing to do is run it.

This will start up your Bitwarden Server inside Docker, it may take some time to pull down the images.

You can eventually see your instance running by executing the following

This will list your running instance.

If all is well, you can locally view your Bitwarden Server by navigating to http://localhost:PORT. Or from another machine by using your ip address instead of localhost

You should see something that looks like the following.

Finally, you'll just need to register for an account on your new hosted instance.

Click the Create Account button

Bitwarden kubernetes service

Then fill out your details. If you have an existing Bitwarden account, you'll still have to create a new account on this instance. You can then Export and Import between accounts.

The last thing to do is hit Submit

If your instance isn't on your local machine, you will need to set up Nginx routing, which you can follow in Step 4.

Step 4: Exposing your new server publicly

Bitwarden Kubernetes Secrets

This part may sound scary, but it is required to allow your Bitwarden Clients (Android, iOS, Chrome extension etc) to connect to your server.

We're going to be using nginx.

Setting up nginx

Nginx is a reverse proxy that allows you to point incoming web traffic to your new Bitwardeb server.

Firstly, install nginx if you haven't already

If you have UFW installed, you will have to Allow Nginx through your local firewall.

I have a tutorial for setting up UFW here

As you can see, there are three profiles available for Nginx:

  • Nginx Full: This profile opens both port 80 (normal, unencrypted web traffic) and port 443 (TLS/SSL encrypted traffic)
  • Nginx HTTP: This profile opens only port 80 (normal, unencrypted web traffic)
  • Nginx HTTPS: This profile opens only port 443 (TLS/SSL encrypted traffic)

You can enable this by typing:

Next thing to do is just double check your nginx server is up and running

You should see something that looks like the following

The next part allows us to take incoming traffic and point it to your container instance. Allowing you to expose your Bitwarden server to the internet.

Navigate to /etc/nginx/

Bitwarden

Use your favorite text editor and open the following file with sudo

I use the following code for my syncing server

Port-forwarding

You will need to port forward your instance to allow public access to your instance. This will involve googling how to port forward from your router.

You'll need to point port 80 and 443 to your instance where Nginx is set up.

Linking Bitwarden Server with your public domain

You will also need to set up a public domain name. This can then be used to call your new public instance with port 443 exposed.

For example, I would set up a subdomain on bowlerdesign.tech to be vault.bowlerdesign.tech. Notice this is also the domain I specified in my Nginx config above.

Here's something to search for with regards to setting up a domain name

Setting up Certbot

Certbot allows us to generate SSL certificates for free with Let's Encrypt. It's simple to install and use. Even hooks in with Nginx, meaning that there's no more manual configuration required.

To install Certbot, simply run the following command

Then, to set up your SSL certificate, run

Follow the instructions, select your domain name from the nginx list.
Also, select redirect as this will upgrade any http requests to https.

Step 5: Connecting to your new Bitwarden instance from a client.

I'm going to use the Firefox Bitwarden Plugin for this part of the tutorial. But the process is identical for all Bitwarden clients.

First, if you haven't already, install your chosen Bitwarden client and open it.

In the top left corner, click the cog icon

You'll then get some configuration. Simply add your full url into the Server URL field

Like so, then just hit Save and log in as normal

That's it

Pretty easy right?

Please don't hesitate to get in touch in the comments if you get stuck. I'd be more than happy to help out with any issues you may face.

This post contains affiliate links meaning we may receive a small commission on purchases made through links in this post. At no extra cost to you 😊

Enjoying the post?

Subscribe to our free Weekly Newsletter, featuring our latest posts.Straight to your inbox.No spam ever (we hate it as much as you do).