From 1d147aad9a0cf33f8453f1c582d39931f124880e Mon Sep 17 00:00:00 2001
From: Tobias Trabelsi
Date: Sat, 6 Jan 2024 14:10:45 +0100
Subject: [PATCH] WIP: Labels for Secrets
---
 Dockerfile | 4 +-
 .../crds/bitwarden-secrets.yaml | 54 ++++++++++++++++++-
 .../crds/bitwarden-templates.yaml | 41 +++++++++++++-
 .../crds/registry-credentials.yaml | 47 +++++++++++++++-
 example.yaml | 10 ++--
 src/dockerlogin.py | 9 +++-
 src/kv.py | 9 +++-
 src/template.py | 7 ++-
 8 files changed, 168 insertions(+), 13 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 5e98306..b97026e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.18.3
+FROM alpine:3.18.4
 LABEL org.opencontainers.image.source=https://github.com/Lerentis/bitwarden-crd-operator
 LABEL org.opencontainers.image.description="Kubernetes Operator to create k8s secrets from bitwarden"
@@ -7,7 +7,7 @@ LABEL org.opencontainers.image.licenses=MIT
 ARG PYTHON_VERSION=3.11.6-r0
 ARG PIP_VERSION=23.1.2-r0
 ARG GCOMPAT_VERSION=1.1.0-r1
-ARG LIBCRYPTO_VERSION=3.1.2-r0
+ARG LIBCRYPTO_VERSION=3.1.3-r0
 ARG BW_VERSION=2023.1.0
 COPY requirements.txt /requirements.txt
diff --git a/charts/bitwarden-crd-operator/crds/bitwarden-secrets.yaml b/charts/bitwarden-crd-operator/crds/bitwarden-secrets.yaml
index 4e420c9..3a3dc57 100644
--- a/charts/bitwarden-crd-operator/crds/bitwarden-secrets.yaml
+++ b/charts/bitwarden-crd-operator/crds/bitwarden-secrets.yaml
@@ -14,7 +14,7 @@ spec:
 - bws
 versions:
 - name: v1beta4
- served: true
+ served: false
 storage: true
 schema:
 openAPIV3Schema:
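Review bot: Flipping v1beta4 to `served: false` leaves its `storage: true` (visible as a context line of this hunk) in place while the new v1beta5 entry in the next hunk also declares `storage: true`, so the CRD now has two storage versions and the API server will reject it on apply (exactly one version may be the storage version). The same pattern repeats in the bitwarden-templates.yaml and registry-credentials.yaml hunks. Set the v1beta4 entry to `storage: false` once v1beta5 is the storage version. Consider also keeping v1beta4 served with `deprecated: true` until stored objects have been migrated, since removing it from serving breaks every client still addressing the old apiVersion immediately.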
@@ -49,3 +49,55 @@ spec: - id - namespace - name + - name: v1beta5 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + content: + type: array + items: + type: object + properties: + element: + type: object + properties: + secretName: + type: string + secretRef: + type: string + secretScope: + type: string + required: + - secretName + id: + type: string + namespace: + type: string + name: + type: string + labels: + type: array + items: + type: object + properties: + json: + x-kubernetes-preserve-unknown-fields: true + type: object + properties: + spec: + type: object + properties: + foo: + type: string + bar: + type: string + required: + - id + - namespace + - name diff --git a/charts/bitwarden-crd-operator/crds/bitwarden-templates.yaml b/charts/bitwarden-crd-operator/crds/bitwarden-templates.yaml index fa2212c..1dff2f7 100644 --- a/charts/bitwarden-crd-operator/crds/bitwarden-templates.yaml +++ b/charts/bitwarden-crd-operator/crds/bitwarden-templates.yaml @@ -14,7 +14,7 @@ spec: - bwt versions: - name: v1beta4 - served: true + served: false storage: true schema: openAPIV3Schema: @@ -36,3 +36,42 @@ spec: - template - namespace - name + - name: v1beta5 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + filename: + type: string + template: + type: string + namespace: + type: string + name: + type: string + labels: + type: array + items: + type: object + properties: + json: + x-kubernetes-preserve-unknown-fields: true + type: object + properties: + spec: + type: object + properties: + foo: + type: string + bar: + type: string + required: + - filename + - template + - namespace + - name diff --git a/charts/bitwarden-crd-operator/crds/registry-credentials.yaml b/charts/bitwarden-crd-operator/crds/registry-credentials.yaml index c3f4ffb..12d7c67 100644 --- a/charts/bitwarden-crd-operator/crds/registry-credentials.yaml 
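Review bot: The `labels` schema added to v1beta5 does not describe what the handlers consume: it is an array whose items only allow a `json` property with placeholder `spec.foo`/`spec.bar` fields, whereas `metadata.labels` on the created Secret is a string-to-string map and example.yaml writes `labels: - key: value`. Because the schema is structural and `x-kubernetes-preserve-unknown-fields` is only set under `json`, a `- key: value` item should be pruned to `{}` at admission, so no label ever reaches the operator. Declare the field as the map it is, `labels: {type: object, additionalProperties: {type: string}}`, drop the `json`/`foo`/`bar` scaffolding, and change example.yaml to `labels: {key: value}`. The v1beta5 hunks in bitwarden-templates.yaml and registry-credentials.yaml carry the same block.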
+++ b/charts/bitwarden-crd-operator/crds/registry-credentials.yaml @@ -14,7 +14,7 @@ spec: - rgc versions: - name: v1beta4 - served: true + served: false storage: true schema: openAPIV3Schema: @@ -42,3 +42,48 @@ spec: - usernameRef - passwordRef - registry + - name: v1beta5 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + usernameRef: + type: string + passwordRef: + type: string + registry: + type: string + id: + type: string + namespace: + type: string + name: + type: string + labels: + type: array + items: + type: object + properties: + json: + x-kubernetes-preserve-unknown-fields: true + type: object + properties: + spec: + type: object + properties: + foo: + type: string + bar: + type: string + required: + - id + - namespace + - name + - usernameRef + - passwordRef + - registry diff --git a/example.yaml b/example.yaml index 77cc22b..881ca49 100644 --- a/example.yaml +++ b/example.yaml @@ -1,5 +1,5 @@ --- -apiVersion: "lerentis.uploadfilter24.eu/v1beta4" +apiVersion: "lerentis.uploadfilter24.eu/v1beta5" kind: BitwardenSecret metadata: name: test @@ -16,8 +16,10 @@ spec: id: "88781348-c81c-4367-9801-550360c21295" name: "test-secret" namespace: "default" + labels: + - key: value --- -apiVersion: "lerentis.uploadfilter24.eu/v1beta4" +apiVersion: "lerentis.uploadfilter24.eu/v1beta5" kind: BitwardenSecret metadata: name: test-scope @@ -29,4 +31,6 @@ spec: secretScope: fields id: "466fc4b0-ffca-4444-8d88-b59d4de3d928" name: "test-scope" - namespace: "default" \ No newline at end of file + namespace: "default" + labels: + - key: value \ No newline at end of file diff --git a/src/dockerlogin.py b/src/dockerlogin.py index 880b991..f07b298 100644 --- a/src/dockerlogin.py +++ b/src/dockerlogin.py 
@@ -44,6 +44,7 @@ def create_managed_registry_secret(spec, name, namespace, logger, **kwargs):
 id = spec.get('id')
 secret_name = spec.get('name')
 secret_namespace = spec.get('namespace')
+ labels = spec.get('labels')
 unlock_bw(logger)
 logger.info(f"Locking up secret with ID: {id}")
@@ -55,9 +56,13 @@ def create_managed_registry_secret(spec, name, namespace, logger, **kwargs):
 "managed": "registry-credential.lerentis.uploadfilter24.eu",
 "managedObject": f"{namespace}/{name}"
 }
+
+ if not labels:
+ labels = {}
+
 secret = kubernetes.client.V1Secret()
 secret.metadata = kubernetes.client.V1ObjectMeta(
- name=secret_name, annotations=annotations)
+ name=secret_name, annotations=annotations, labels=labels)
 secret = create_dockerlogin(
 logger,
 secret,
@@ -66,7 +71,7 @@ def create_managed_registry_secret(spec, name, namespace, logger, **kwargs):
 password_ref,
 registry)
- obj = api.create_namespaced_secret(
+ api.create_namespaced_secret(
 secret_namespace,
 secret
 )
diff --git a/src/kv.py b/src/kv.py
index 5e976a7..77d232b 100644
--- a/src/kv.py
+++ b/src/kv.py
@@ -41,6 +41,7 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
 id = spec.get('id')
 secret_name = spec.get('name')
 secret_namespace = spec.get('namespace')
+ labels = spec.get('labels')
 unlock_bw(logger)
 logger.info(f"Locking up secret with ID: {id}")
@@ -52,12 +53,16 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
 "managed": "bitwarden-secret.lerentis.uploadfilter24.eu",
 "managedObject": f"{namespace}/{name}"
 }
+
+ if not labels:
+ labels = {}
+
 secret = kubernetes.client.V1Secret()
 secret.metadata = kubernetes.client.V1ObjectMeta(
- name=secret_name, annotations=annotations)
+ name=secret_name, annotations=annotations, labels=labels)
 secret = create_kv(secret, secret_json_object, content_def)
- obj = api.create_namespaced_secret(
+ api.create_namespaced_secret(
 namespace="{}".format(secret_namespace),
 body=secret
 )
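Review bot: `labels=labels` in the V1ObjectMeta call of the `@@ -55,9 +56,13` hunk passes the CR value through unchanged, but the v1beta5 CRD declares `labels` as an array and example.yaml uses `- key: value`, while `metadata.labels` must be a string-to-string map, so a list would be rejected by the API server on create; the `if not labels` guard only covers the missing case. Until the schema is changed to a map, normalise the value right after that guard, `elif isinstance(labels, list): labels = {k: v for item in labels for k, v in item.items()}`, so both shapes work. Key and value syntax is still validated server-side, so an ApiException from `create_namespaced_secret` caused by a bad label should surface in the handler rather than be swallowed (the handling around that call is outside this hunk). Note that these labels are author-controlled and drive selectors, so a CR author can make the Secret match other controllers' selectors; this is the same trust boundary as `spec.namespace` already is, but worth stating in the CRD docs. The kv.py hunk at `@@ -52,12` and the template.py hunk at `@@ -42,9` have the same pass-through.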
diff --git a/src/template.py b/src/template.py
index ed9622c..b89cd85 100644
--- a/src/template.py
+++ b/src/template.py
@@ -33,6 +33,7 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
 filename = spec.get('filename')
 secret_name = spec.get('name')
 secret_namespace = spec.get('namespace')
+ labels = spec.get('labels')
 unlock_bw(logger)
@@ -42,9 +43,13 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
 "managed": "bitwarden-template.lerentis.uploadfilter24.eu",
 "managedObject": f"{namespace}/{name}"
 }
+
+ if not labels:
+ labels = {}
+
 secret = kubernetes.client.V1Secret()
 secret.metadata = kubernetes.client.V1ObjectMeta(
- name=secret_name, annotations=annotations)
+ name=secret_name, annotations=annotations, labels=labels)
 secret = create_template_secret(logger, secret, filename, template)
 obj = api.create_namespaced_secret(