From 11fb42769c719db1930f2df2663e7408bc821921 Mon Sep 17 00:00:00 2001 From: Tobias Trabelsi Date: Tue, 25 Oct 2022 21:15:38 +0200 Subject: [PATCH] added possibility to use an existing secret for deployment --- README.md | 14 ++- charts/bitwarden-crd-operator/Chart.yaml | 37 +++++++- charts/bitwarden-crd-operator/README.md | 92 +++++++++++++++++++ .../templates/deployment.yaml | 7 +- charts/bitwarden-crd-operator/values.yaml | 5 + 5 files changed, 150 insertions(+), 5 deletions(-) create mode 100644 charts/bitwarden-crd-operator/README.md diff --git a/README.md b/README.md index af4d4ff..1a2f4ec 100644 --- a/README.md +++ b/README.md @@ -9,8 +9,6 @@ Bitwarden CRD Operator is a kubernetes Operator based on [kopf](https://github.c ## Getting started -For now a few secrets need to be passed to helm. I will change this in the future to give the option to also use a kubernetes secret for this. - You will need a `ClientID` and `ClientSecret` ([where to get these](https://bitwarden.com/help/personal-api-key/)) as well as your password. Expose these to the operator as described in this example: @@ -26,6 +24,16 @@ env: value: "YourSuperSecurePassword" ``` +you can also create a secret manually with these information and reference the existing secret like this in the `values.yaml`: + +```yaml +externalConfigSecret: + enabled: true + name: "my-existing-secret" +``` + +the helm template will use all environment variables from this secret, so make sure to prepare this secret with the key value pairs as described above. + `BW_HOST` can be omitted if you are using the Bitwarden SaaS offering. After that it is a basic helm deployment: @@ -78,7 +86,7 @@ type: Opaque ## Short Term Roadmap - [ ] support more types -- [ ] offer option to use a existing secret in helm chart +- [x] offer option to use a existing secret in helm chart - [x] host chart on gh pages - [x] write release pipeline - [x] maybe extend spec to offer modification of keys as well 
diff --git a/charts/bitwarden-crd-operator/Chart.yaml b/charts/bitwarden-crd-operator/Chart.yaml
index 0ff6e9e..a65225e 100644
--- a/charts/bitwarden-crd-operator/Chart.yaml
+++ b/charts/bitwarden-crd-operator/Chart.yaml
@@ -4,6 +4,41 @@ description: Deploy the Bitwarden CRD Operator
 type: application
-version: "v0.1.2"
+version: "v0.2.0"
 appVersion: "0.1.2"
+
+keywords:
+ - operator
+ - bitwarden
+ - vaultwarden
+
+home: https://lerentis.github.io/bitwarden-crd-operator/
+
+sources:
+ - https://github.com/Lerentis/bitwarden-crd-operator
+
+kubeVersion: '>= 1.13.0-0'
+
+maintainers:
+ - name: lerentis
+ email: lerentis+helm@uploadfilter24.eu
+
+annotations:
+ artifacthub.io/links: |
+ - name: Chart Source
+ url: https://github.com/Lerentis/bitwarden-crd-operator
+ artifacthub.io/crds: |
+ - kind: BitwardenSecret
+ version: v1beta2
+ name: bitwarden-secret
+ displayName: Bitwarden Secret
+ description: Management Object to create secrets from bitwarden
+ artifacthub.io/license: MIT
+ artifacthub.io/operator: "true"
+ artifacthub.io/changes: |
+ - kind: changed
+ description: "added possibility to configure operator from existing secret"
+ artifacthub.io/images: |
+ - name: bitwarden-crd-operator
+ image: lerentis/bitwarden-crd-operator:0.1.2
diff --git a/charts/bitwarden-crd-operator/README.md b/charts/bitwarden-crd-operator/README.md
new file mode 100644
index 0000000..1a2f4ec
--- /dev/null
+++ b/charts/bitwarden-crd-operator/README.md
@@ -0,0 +1,92 @@
+# Bitwarden CRD Operator
+
+[![Build Status](https://drone.uploadfilter24.eu/api/badges/lerentis/bitwarden-crd-operator/status.svg?ref=refs/heads/main)](https://drone.uploadfilter24.eu/lerentis/bitwarden-crd-operator)
+
+Bitwarden CRD Operator is a kubernetes Operator based on [kopf](https://github.com/nolar/kopf/). The goal is to create kubernetes native secret objects from bitwarden.
+
+> DISCLAIMER:
+> This project is still very work in progress :)
+
+## Getting started
+
+You will need a `ClientID` and `ClientSecret` ([where to get these](https://bitwarden.com/help/personal-api-key/)) as well as your password.
+Expose these to the operator as described in this example:
+
+```yaml
+env:
+ - name: BW_HOST
+ value: "https://bitwarden.your.tld.org"
+ - name: BW_CLIENTID
+ value: "user.your-client-id"
+ - name: BW_CLIENTSECRET
+ value: "YoUrCliEntSecRet"
+ - name: BW_PASSWORD
+ value: "YourSuperSecurePassword"
+```
+
+you can also create a secret manually with these information and reference the existing secret like this in the `values.yaml`:
+
+```yaml
+externalConfigSecret:
+ enabled: true
+ name: "my-existing-secret"
+```
+
+the helm template will use all environment variables from this secret, so make sure to prepare this secret with the key value pairs as described above.
+
+`BW_HOST` can be omitted if you are using the Bitwarden SaaS offering.
+
+After that it is a basic helm deployment:
+
+```bash
+helm repo add bitwarden-operator https://lerentis.github.io/bitwarden-crd-operator
+helm repo update
+kubectl create namespace bw-operator
+helm upgrade --install --namespace bw-operator -f values.yaml bw-operator bitwarden-operator/bitwarden-crd-operator
+```
+
+And you are set to create your first secret using this operator.
For that you need to add a CRD Object like this to your cluster:
+
+```yaml
+---
+apiVersion: "lerentis.uploadfilter24.eu/v1beta2"
+kind: BitwardenSecret
+metadata:
+ name: name-of-your-management-object
+spec:
+ content:
+ - element:
+ secretName: nameOfTheFieldInBitwarden # for example username
+ secretRef: nameOfTheKeyInTheSecretToBeCreated
+ - element:
+ secretName: nameOfAnotherFieldInBitwarden # for example password
+ secretRef: nameOfAnotherKeyInTheSecretToBeCreated
+ id: "A Secret ID from bitwarden"
+ name: "Name of the secret to be created"
+ namespace: "Namespace of the secret to be created"
+```
+
+The ID can be extracted from the browser when you open a item the ID is in the URL. The resulting secret looks something like this:
+
+```yaml
+apiVersion: v1
+data:
+ nameOfTheKeyInTheSecretToBeCreated: "base64 encoded value of TheFieldInBitwarden"
+ nameOfAnotherKeyInTheSecretToBeCreated: "base64 encoded value of AnotherFieldInBitwarden"
+kind: Secret
+metadata:
+ annotations:
+ managed: bitwarden-secrets.lerentis.uploadfilter24.eu
+ managedObject: bw-operator/test
+ name: name-of-your-management-object
+ namespace: default
+type: Opaque
+```
+
+## Short Term Roadmap
+
+- [ ] support more types
+- [x] offer option to use a existing secret in helm chart
+- [x] host chart on gh pages
+- [x] write release pipeline
+- [x] maybe extend spec to offer modification of keys as well
diff --git a/charts/bitwarden-crd-operator/templates/deployment.yaml b/charts/bitwarden-crd-operator/templates/deployment.yaml
index 77d45a7..931f3fa 100644
--- a/charts/bitwarden-crd-operator/templates/deployment.yaml
+++ b/charts/bitwarden-crd-operator/templates/deployment.yaml
@@ -33,10 +33,15 @@ spec:
 {{- toYaml .Values.securityContext | nindent 12 }}
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
- {{- with .Values.env }}
 env:
+ {{- with .Values.env }}
 {{- . | toYaml | trim | nindent 12 }}
 {{- end }}
+ {{- if .Values.externalConfigSecret.enabled }}
+ envFrom:
+ - secretRef:
+ name: {{ .Values.externalConfigSecret.name }}
+ {{- end }}
 ports:
 - name: http
 containerPort: 8080
diff --git a/charts/bitwarden-crd-operator/values.yaml b/charts/bitwarden-crd-operator/values.yaml
index 439f9dc..726c9b3 100644
--- a/charts/bitwarden-crd-operator/values.yaml
+++ b/charts/bitwarden-crd-operator/values.yaml
@@ -24,6 +24,11 @@ fullnameOverride: ""
 # - name: BW_PASSWORD
 # value: "define_id"
+externalConfigSecret:
+ enabled: false
+
+ name: ""
+
 serviceAccount:
 # Specifies whether a service account should be created
 create: true
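Review bot: `name: {{ .Values.externalConfigSecret.name }}` in the new envFrom block is rendered unquoted, so the chart default `name: ""` combined with `enabled: true` renders an empty `name:` (null) and a numeric-looking Secret name would be emitted as an integer; both presumably fail only at apply time with an API-server validation error rather than at template time. Prefer `name: {{ required "externalConfigSecret.name must be set when externalConfigSecret.enabled is true" .Values.externalConfigSecret.name | quote }}` so a misconfigured release is rejected before anything is deployed. Kubernetes also gives `env` entries precedence over `envFrom` for the same variable name, so a `BW_PASSWORD` left in `.Values.env` silently overrides the one in the referenced Secret; a one-line comment above `{{- if .Values.externalConfigSecret.enabled }}` stating that plain `env` values win would save users from debugging stale credentials. Leaving `optional` unset on the secretRef is the right call, since a missing Secret then keeps the container from starting instead of running the operator without credentials.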
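Review bot: The new `externalConfigSecret` stanza in values.yaml carries no comment saying which keys the referenced Secret must provide, and the blank line between `enabled` and `name` reads like an editing leftover. Since the point of the option is to keep `BW_CLIENTID`, `BW_CLIENTSECRET` and `BW_PASSWORD` out of a committed values file, state the contract where users look for it: `# Reference an existing Secret instead of passing credentials via env above.` and `# Its keys must be BW_CLIENTID, BW_CLIENTSECRET, BW_PASSWORD (optionally BW_HOST); name is required when enabled is true.` placed above `externalConfigSecret:`, with the stray blank line dropped.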