vaultwarden Runbook
Metadata
| Field | Value |
|---|---|
| Service | vaultwarden |
| Criticality | Tier 1 |
| Owner | Platform / Security owner |
| Namespace | vaultwarden |
| Clusters | local |
| Last validated | 2026-06-29 |
| Related service page | ../services/vaultwarden.md |
Trigger Conditions
- Vaultwarden UI or sync clients fail.
- Websocket access breaks.
- Users cannot unlock or sync vault items.
- PVC-backed state or runtime secrets are unavailable.
1. Health Checks

```bash
kubectl -n vaultwarden get pods,svc,pvc,ingressroute
kubectl -n vaultwarden logs statefulset/vaultwarden --tail=200
# Readiness/liveness probes hit GET /alive on port 8080. Verify it returns 200:
kubectl -n vaultwarden exec statefulset/vaultwarden -- \
  wget -qO- http://localhost:8080/alive && echo
```
A pod that is not Ready is failing the /alive readiness probe and will not receive traffic.
2. Troubleshooting Workflows

Check ingress, websocket handling, and PVC health first.

```bash
kubectl -n vaultwarden describe statefulset vaultwarden
kubectl -n vaultwarden describe ingressroute
kubectl -n vaultwarden get secret
kubectl -n vaultwarden describe pod -l run=vaultwarden
```

Common causes:
- Pod stuck NotReady / restarting: failing `/alive` probe, missing or malformed `vaultwarden-secrets`, or `/data` PVC not attached.
- `/tmp` permission errors: the container runs with a read-only root filesystem; `/tmp` is an `emptyDir`. If `vaultwarden-server` cannot write, confirm the `tmp` volume is mounted.
- SMTP errors: check `SMTP_*` values in ConfigMap `vaultwarden-config` and credentials in Secret `vaultwarden-secrets`.
- Admin panel locked out: verify `ADMIN_TOKEN` in Secret `vaultwarden-secrets`.
3. Disaster Recovery
- Restore the data volume from snapshot.
- Recreate the runtime Secret: populate `overlays/local/vault-secrets.env` from `vault-secrets.env.example` (SMTP credentials + `ADMIN_TOKEN`).
- Reconcile `vaultwarden/overlays/local`.
- Validate `/alive` returns 200 and web login + client sync work.
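A pre-flight check for the "populate `vault-secrets.env` from the example" step above, which also catches the "missing or malformed `vaultwarden-secrets`" cause from the troubleshooting section. This is an added example, not tooling from the vaultwarden overlay; it assumes both files are plain `KEY=VALUE` lines, and the placeholder strings in the demo are constructed.

```shell
#!/bin/sh
# Added example (not part of the overlay). Every KEY=... line in the example file must
# appear in the env file with a non-empty value that differs from the example placeholder.
# Assumes plain KEY=VALUE lines with '#' comments. Returns 0 when ready to reconcile,
# otherwise the number of keys that are missing, empty, or still set to the placeholder.
check_vault_secrets_env() {
  example="$1"; envfile="$2"; problems=0
  # Key names are everything before the first '=' on non-comment, non-blank lines.
  for key in $(sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$example"); do
    placeholder=$(sed -n "s/^[[:space:]]*${key}=//p" "$example" | tail -n 1)
    value=$(sed -n "s/^[[:space:]]*${key}=//p" "$envfile" | tail -n 1)
    if [ -z "$value" ]; then
      echo "vault-secrets.env: $key is missing or empty" >&2
      problems=$((problems + 1))
    elif [ "$value" = "$placeholder" ]; then
      echo "vault-secrets.env: $key still holds the example placeholder" >&2
      problems=$((problems + 1))
    fi
  done
  return "$problems"
}

# Self-contained demo on constructed files: key names follow the runbook, the
# placeholder values are made up here. Returns the checker's exit status (2: the
# SMTP_PASSWORD placeholder was left unchanged and ADMIN_TOKEN is missing entirely).
demo_check() {
  tmp=$(mktemp -d)
  cat >"$tmp/vault-secrets.env.example" <<'EOF'
# Constructed example template
SMTP_USERNAME=changeme
SMTP_PASSWORD=changeme
ADMIN_TOKEN=replace-with-a-long-random-token
EOF
  cat >"$tmp/vault-secrets.env" <<'EOF'
SMTP_USERNAME=vaultwarden@example.invalid
SMTP_PASSWORD=changeme
EOF
  rc=0
  check_vault_secrets_env "$tmp/vault-secrets.env.example" "$tmp/vault-secrets.env" || rc=$?
  rm -rf "$tmp"
  return "$rc"
}
```

Run `check_vault_secrets_env vault-secrets.env.example overlays/local/vault-secrets.env` before reconciling; a non-zero status lists the offending keys on stderr without printing any secret values.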
4. Scaling and Resource Management
Resource changes are usually small, but adjust memory or storage in Git if the StatefulSet becomes constrained.
5. Maintenance Procedures
- Rotate `ADMIN_TOKEN` and `SMTP_PASSWORD` in Secret `vaultwarden-secrets`.
- Validate websocket behavior after Traefik changes.
- Schedule updates carefully because this service stores credentials.
- Before a vaultwarden version upgrade or downgrade, snapshot the `data` PVC: data-format changes can make downgrades unsafe.
6. Rollback Strategy
- Revert the overlay to the previous working revision in Git.
- Restore the prior data snapshot if a configuration or version change corrupts startup.
- A vaultwarden image downgrade after a data-format change may be unsafe; restore from a pre-change snapshot rather than rolling the image back in place.
7. Post-Incident Actions
- Add a changelog fragment for recovery work.
- Update the service page if exposure or secret handling changed.
- Extend this runbook with any newly discovered failure mode.