WIP: Labels for Secrets

2024-01-06 14:10:45 +01:00 · 2024-01-06 14:10:45 +01:00 · 1d147aad9a
parent e31899b7f2
commit 1d147aad9a
8 changed files with 168 additions and 13 deletions
--- a/4
+++ b/4
@ -1,4 +1,4 @@
-FROM alpine:3.18.3
+FROM alpine:3.18.4

 LABEL org.opencontainers.image.source=https://github.com/Lerentis/bitwarden-crd-operator
 LABEL org.opencontainers.image.description="Kubernetes Operator to create k8s secrets from bitwarden"
@ -7,7 +7,7 @@ LABEL org.opencontainers.image.licenses=MIT
 ARG PYTHON_VERSION=3.11.6-r0
 ARG PIP_VERSION=23.1.2-r0
 ARG GCOMPAT_VERSION=1.1.0-r1
-ARG LIBCRYPTO_VERSION=3.1.2-r0
+ARG LIBCRYPTO_VERSION=3.1.3-r0
 ARG BW_VERSION=2023.1.0

 COPY requirements.txt /requirements.txt
--- a/charts/bitwarden-crd-operator/crds/bitwarden-secrets.yaml
+++ b/charts/bitwarden-crd-operator/crds/bitwarden-secrets.yaml
@ -14,7 +14,7 @@ spec:
      - bws
  versions:
    - name: v1beta4
-      served: true
+      served: false
      storage: true
      schema:
        openAPIV3Schema:
@ -49,3 +49,55 @@ spec:
                - id
                - namespace
                - name
+    - name: v1beta5
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          properties:
+            spec:
+              type: object
+              properties:
+                content:
+                  type: array
+                  items:
+                    type: object
+                    properties:
+                      element:
+                        type: object
+                        properties:
+                          secretName:
+                            type: string
+                          secretRef:
+                            type: string
+                          secretScope:
+                            type: string
+                        required:
+                          - secretName
+                id:
+                  type: string
+                namespace:
+                  type: string
+                name:
+                  type: string
+                labels:
+                  type: array
+                  items:
+                    type: object
+                    properties:
+                      json:
+                        x-kubernetes-preserve-unknown-fields: true
+                        type: object
+                        properties:
+                          spec:
+                            type: object
+                            properties:
+                              foo:
+                                type: string
+                              bar:
+                                type: string
+              required:
+                - id
+                - namespace
+                - name
--- a/charts/bitwarden-crd-operator/crds/bitwarden-templates.yaml
+++ b/charts/bitwarden-crd-operator/crds/bitwarden-templates.yaml
@ -14,7 +14,7 @@ spec:
      - bwt
  versions:
    - name: v1beta4
-      served: true
+      served: false
      storage: true
      schema:
        openAPIV3Schema:
@ -36,3 +36,42 @@ spec:
                - template
                - namespace
                - name
+    - name: v1beta5
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          properties:
+            spec:
+              type: object
+              properties:
+                filename:
+                  type: string
+                template:
+                  type: string
+                namespace:
+                  type: string
+                name:
+                  type: string
+                labels:
+                  type: array
+                  items:
+                    type: object
+                    properties:
+                      json:
+                        x-kubernetes-preserve-unknown-fields: true
+                        type: object
+                        properties:
+                          spec:
+                            type: object
+                            properties:
+                              foo:
+                                type: string
+                              bar:
+                                type: string
+              required:
+                - filename
+                - template
+                - namespace
+                - name
--- a/charts/bitwarden-crd-operator/crds/registry-credentials.yaml
+++ b/charts/bitwarden-crd-operator/crds/registry-credentials.yaml
@ -14,7 +14,7 @@ spec:
      - rgc
  versions:
    - name: v1beta4
-      served: true
+      served: false
      storage: true
      schema:
        openAPIV3Schema:
@ -42,3 +42,48 @@ spec:
                - usernameRef
                - passwordRef
                - registry
+    - name: v1beta5
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          properties:
+            spec:
+              type: object
+              properties:
+                usernameRef:
+                  type: string
+                passwordRef:
+                  type: string
+                registry:
+                  type: string
+                id:
+                  type: string
+                namespace:
+                  type: string
+                name:
+                  type: string
+                labels:
+                  type: array
+                  items:
+                    type: object
+                    properties:
+                      json:
+                        x-kubernetes-preserve-unknown-fields: true
+                        type: object
+                        properties:
+                          spec:
+                            type: object
+                            properties:
+                              foo:
+                                type: string
+                              bar:
+                                type: string
+              required:
+                - id
+                - namespace
+                - name
+                - usernameRef
+                - passwordRef
+                - registry
--- a/example.yaml
+++ b/example.yaml
@ -1,5 +1,5 @@
 ---
-apiVersion: "lerentis.uploadfilter24.eu/v1beta4"
+apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
 kind: BitwardenSecret
 metadata:
  name: test
@ -16,8 +16,10 @@ spec:
  id: "88781348-c81c-4367-9801-550360c21295"
  name: "test-secret"
  namespace: "default"
+  labels:
+    - key: value
 ---
-apiVersion: "lerentis.uploadfilter24.eu/v1beta4"
+apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
 kind: BitwardenSecret
 metadata:
  name: test-scope
@ -29,4 +31,6 @@ spec:
        secretScope: fields
  id: "466fc4b0-ffca-4444-8d88-b59d4de3d928"
  name: "test-scope"
-  namespace: "default"
+  namespace: "default"
+  labels:
+    - key: value
--- a/src/dockerlogin.py
+++ b/src/dockerlogin.py
@ -44,6 +44,7 @@ def create_managed_registry_secret(spec, name, namespace, logger, **kwargs):
    id = spec.get('id')
    secret_name = spec.get('name')
    secret_namespace = spec.get('namespace')
+    labels = spec.get('labels')

    unlock_bw(logger)
    logger.info(f"Locking up secret with ID: {id}")
@ -55,9 +56,13 @@ def create_managed_registry_secret(spec, name, namespace, logger, **kwargs):
        "managed": "registry-credential.lerentis.uploadfilter24.eu",
        "managedObject": f"{namespace}/{name}"
    }
+
+    if not labels:
+        labels = {}
+
    secret = kubernetes.client.V1Secret()
    secret.metadata = kubernetes.client.V1ObjectMeta(
-        name=secret_name, annotations=annotations)
+        name=secret_name, annotations=annotations, labels=labels)
    secret = create_dockerlogin(
        logger,
        secret,
@ -66,7 +71,7 @@ def create_managed_registry_secret(spec, name, namespace, logger, **kwargs):
        password_ref,
        registry)

-    obj = api.create_namespaced_secret(
+    api.create_namespaced_secret(
        secret_namespace, secret
    )

--- a/src/kv.py
+++ b/src/kv.py
@ -41,6 +41,7 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
    id = spec.get('id')
    secret_name = spec.get('name')
    secret_namespace = spec.get('namespace')
+    labels = spec.get('labels')

    unlock_bw(logger)
    logger.info(f"Locking up secret with ID: {id}")
@ -52,12 +53,16 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
        "managed": "bitwarden-secret.lerentis.uploadfilter24.eu",
        "managedObject": f"{namespace}/{name}"
    }
+
+    if not labels:
+        labels = {}
+
    secret = kubernetes.client.V1Secret()
    secret.metadata = kubernetes.client.V1ObjectMeta(
-        name=secret_name, annotations=annotations)
+        name=secret_name, annotations=annotations, labels=labels)
    secret = create_kv(secret, secret_json_object, content_def)

-    obj = api.create_namespaced_secret(
+    api.create_namespaced_secret(
        namespace="{}".format(secret_namespace),
        body=secret
    )
--- a/src/template.py
+++ b/src/template.py
@ -33,6 +33,7 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
    filename = spec.get('filename')
    secret_name = spec.get('name')
    secret_namespace = spec.get('namespace')
+    labels = spec.get('labels')

    unlock_bw(logger)

@ -42,9 +43,13 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
        "managed": "bitwarden-template.lerentis.uploadfilter24.eu",
        "managedObject": f"{namespace}/{name}"
    }
+
+    if not labels:
+        labels = {}
+
    secret = kubernetes.client.V1Secret()
    secret.metadata = kubernetes.client.V1ObjectMeta(
-        name=secret_name, annotations=annotations)
+        name=secret_name, annotations=annotations, labels=labels)
    secret = create_template_secret(logger, secret, filename, template)

    obj = api.create_namespaced_secret(