added possibility to use an existing secret for deployment
All checks were successful
continuous-integration/drone/push Build is passing

This commit is contained in:
Tobias Trabelsi 2022-10-25 21:15:38 +02:00
parent aec384c78e
commit 11fb42769c
Signed by: lerentis
GPG Key ID: FF0C2839718CAF2E
5 changed files with 150 additions and 5 deletions

View File

@ -9,8 +9,6 @@ Bitwarden CRD Operator is a kubernetes Operator based on [kopf](https://github.c
## Getting started ## Getting started
For now a few secrets need to be passed to helm. I will change this in the future to give the option to also use a kubernetes secret for this.
You will need a `ClientID` and `ClientSecret` ([where to get these](https://bitwarden.com/help/personal-api-key/)) as well as your password. You will need a `ClientID` and `ClientSecret` ([where to get these](https://bitwarden.com/help/personal-api-key/)) as well as your password.
Expose these to the operator as described in this example: Expose these to the operator as described in this example:
@ -26,6 +24,16 @@ env:
value: "YourSuperSecurePassword" value: "YourSuperSecurePassword"
``` ```
you can also create a secret manually with these information and reference the existing secret like this in the `values.yaml`:
```yaml
externalConfigSecret:
enabled: true
name: "my-existing-secret"
```
the helm template will use all environment variables from this secret, so make sure to prepare this secret with the key value pairs as described above.
`BW_HOST` can be omitted if you are using the Bitwarden SaaS offering. `BW_HOST` can be omitted if you are using the Bitwarden SaaS offering.
After that it is a basic helm deployment: After that it is a basic helm deployment:
@ -78,7 +86,7 @@ type: Opaque
## Short Term Roadmap ## Short Term Roadmap
- [ ] support more types - [ ] support more types
- [ ] offer option to use a existing secret in helm chart - [x] offer option to use a existing secret in helm chart
- [x] host chart on gh pages - [x] host chart on gh pages
- [x] write release pipeline - [x] write release pipeline
- [x] maybe extend spec to offer modification of keys as well - [x] maybe extend spec to offer modification of keys as well

View File

@ -4,6 +4,41 @@ description: Deploy the Bitwarden CRD Operator
type: application type: application
version: "v0.1.2" version: "v0.2.0"
appVersion: "0.1.2" appVersion: "0.1.2"
keywords:
- operator
- bitwarden
- vaultwarden
home: https://lerentis.github.io/bitwarden-crd-operator/
sources:
- https://github.com/Lerentis/bitwarden-crd-operator
kubeVersion: '>= 1.13.0-0'
maintainers:
- name: lerentis
email: lerentis+helm@uploadfilter24.eu
annotations:
artifacthub.io/links: |
- name: Chart Source
url: https://github.com/Lerentis/bitwarden-crd-operator
artifacthub.io/crds: |
- kind: BitwardenSecret
version: v1beta2
name: bitwarden-secret
displayName: Bitwarden Secret
description: Management Object to create secrets from bitwarden
artifacthub.io/license: MIT
artifacthub.io/operator: "true"
artifacthub.io/changes: |
- kind: changed
description: "added possibility to configure operator from existing secret"
artifacthub.io/images: |
- name: bitwarden-crd-operator
image: lerentis/bitwarden-crd-operator:0.1.2

View File

@ -0,0 +1,92 @@
# Bitwarden CRD Operator
[![Build Status](https://drone.uploadfilter24.eu/api/badges/lerentis/bitwarden-crd-operator/status.svg?ref=refs/heads/main)](https://drone.uploadfilter24.eu/lerentis/bitwarden-crd-operator)
Bitwarden CRD Operator is a kubernetes Operator based on [kopf](https://github.com/nolar/kopf/). The goal is to create kubernetes native secret objects from bitwarden.
> DISCLAIMER:
> This project is still very work in progress :)
## Getting started
You will need a `ClientID` and `ClientSecret` ([where to get these](https://bitwarden.com/help/personal-api-key/)) as well as your password.
Expose these to the operator as described in this example:
```yaml
env:
- name: BW_HOST
value: "https://bitwarden.your.tld.org"
- name: BW_CLIENTID
value: "user.your-client-id"
- name: BW_CLIENTSECRET
value: "YoUrCliEntSecRet"
- name: BW_PASSWORD
value: "YourSuperSecurePassword"
```
you can also create a secret manually with these information and reference the existing secret like this in the `values.yaml`:
```yaml
externalConfigSecret:
enabled: true
name: "my-existing-secret"
```
the helm template will use all environment variables from this secret, so make sure to prepare this secret with the key value pairs as described above.
`BW_HOST` can be omitted if you are using the Bitwarden SaaS offering.
After that it is a basic helm deployment:
```bash
helm repo add bitwarden-operator https://lerentis.github.io/bitwarden-crd-operator
helm repo update
kubectl create namespace bw-operator
helm upgrade --install --namespace bw-operator -f values.yaml bw-operator bitwarden-operator/bitwarden-crd-operator
```
And you are set to create your first secret using this operator. For that you need to add a CRD Object like this to your cluster:
```yaml
---
apiVersion: "lerentis.uploadfilter24.eu/v1beta2"
kind: BitwardenSecret
metadata:
name: name-of-your-management-object
spec:
content:
- element:
secretName: nameOfTheFieldInBitwarden # for example username
secretRef: nameOfTheKeyInTheSecretToBeCreated
- element:
secretName: nameOfAnotherFieldInBitwarden # for example password
secretRef: nameOfAnotherKeyInTheSecretToBeCreated
id: "A Secret ID from bitwarden"
name: "Name of the secret to be created"
namespace: "Namespace of the secret to be created"
```
The ID can be extracted from the browser when you open a item the ID is in the URL. The resulting secret looks something like this:
```yaml
apiVersion: v1
data:
nameOfTheKeyInTheSecretToBeCreated: "base64 encoded value of TheFieldInBitwarden"
nameOfAnotherKeyInTheSecretToBeCreated: "base64 encoded value of AnotherFieldInBitwarden"
kind: Secret
metadata:
annotations:
managed: bitwarden-secrets.lerentis.uploadfilter24.eu
managedObject: bw-operator/test
name: name-of-your-management-object
namespace: default
type: Opaque
```
## Short Term Roadmap
- [ ] support more types
- [x] offer option to use a existing secret in helm chart
- [x] host chart on gh pages
- [x] write release pipeline
- [x] maybe extend spec to offer modification of keys as well

View File

@ -33,10 +33,15 @@ spec:
{{- toYaml .Values.securityContext | nindent 12 }} {{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }} imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- with .Values.env }}
env: env:
{{- with .Values.env }}
{{- . | toYaml | trim | nindent 12 }} {{- . | toYaml | trim | nindent 12 }}
{{- end }} {{- end }}
{{- if .Values.externalConfigSecret.enabled }}
envFrom:
- secretRef:
name: {{ .Values.externalConfigSecret.name }}
{{- end }}
ports: ports:
- name: http - name: http
containerPort: 8080 containerPort: 8080

View File

@ -24,6 +24,11 @@ fullnameOverride: ""
# - name: BW_PASSWORD # - name: BW_PASSWORD
# value: "define_id" # value: "define_id"
externalConfigSecret:
enabled: false
name: ""
serviceAccount: serviceAccount:
# Specifies whether a service account should be created # Specifies whether a service account should be created
create: true create: true