lerentis/bitwarden-crd-operator
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 18 Wiki Activity

Merge pull request #86 from chrthal/feature/custom-secret-type

Browse Source 
Added custom secret type and attachment support for bitwardenSecret
This commit is contained in:
Tobias Trabelsi 2024-06-22 22:52:01 +02:00 committed by GitHub
commit 297fb37f13
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
9 changed files with 187 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
README.md
View File

@ -56,25 +56,29 @@ And you are set to create your first secret using this operator. For that you ne
```yaml ```yaml
--- ---
apiVersion: "lerentis.uploadfilter24.eu/v1beta5" apiVersion: "lerentis.uploadfilter24.eu/v1beta7"
kind: BitwardenSecret kind: BitwardenSecret
metadata: metadata:
name: name-of-your-management-object name: name-of-your-management-object
spec: spec:
content: content:
- element: - element:
secretName: nameOfTheFieldInBitwarden # for example username secretName: nameOfTheFieldInBitwarden # for example username or filename
secretRef: nameOfTheKeyInTheSecretToBeCreated secretRef: nameOfTheKeyInTheSecretToBeCreated
secretScope: login # for custom entries on bitwarden use 'fields' secretScope: login # for custom entries on bitwarden use 'fields, for attachments use attachment'
- element: - element:
secretName: nameOfAnotherFieldInBitwarden # for example password secretName: nameOfAnotherFieldInBitwarden # for example password or filename
secretRef: nameOfAnotherKeyInTheSecretToBeCreated secretRef: nameOfAnotherKeyInTheSecretToBeCreated
secretScope: login # for custom entries on bitwarden use 'fields' secretScope: login # for custom entries on bitwarden use 'fields, for attachments use attachment'
id: "A Secret ID from bitwarden" id: "A Secret ID from bitwarden"
name: "Name of the secret to be created" name: "Name of the secret to be created"
secretType: # Optional (Default: Opaque)
namespace: "Namespace of the secret to be created" namespace: "Namespace of the secret to be created"
labels: # Optional labels: # Optional
key: value key: value
annotations: # Optional
key: value
``` ```
The ID can be extracted from the browser when you open a item the ID is in the URL. The resulting secret looks something like this: The ID can be extracted from the browser when you open a item the ID is in the URL. The resulting secret looks something like this:
@ -102,7 +106,7 @@ For managing registry credentials, or pull secrets, you can create another kind
```yaml ```yaml
--- ---
apiVersion: "lerentis.uploadfilter24.eu/v1beta5" apiVersion: "lerentis.uploadfilter24.eu/v1beta7"
kind: RegistryCredential kind: RegistryCredential
metadata: metadata:
name: name-of-your-management-object name: name-of-your-management-object
@ -115,6 +119,8 @@ spec:
namespace: "Namespace of the secret to be created" namespace: "Namespace of the secret to be created"
labels: # Optional labels: # Optional
key: value key: value
annotations: # Optional
key: value
``` ```
The resulting secret looks something like this: The resulting secret looks something like this:
@ -141,16 +147,19 @@ One of the more freely defined types that can be used with this operator you can
```yaml ```yaml
--- ---
apiVersion: "lerentis.uploadfilter24.eu/v1beta5" apiVersion: "lerentis.uploadfilter24.eu/v1beta7"
kind: BitwardenTemplate kind: BitwardenTemplate
metadata: metadata:
name: name-of-your-management-object name: name-of-your-management-object
spec: spec:
filename: "Key of the secret to be created" filename: "Key of the secret to be created"
name: "Name of the secret to be created" name: "Name of the secret to be created"
secretType: # Optional (Default: Opaque)
namespace: "Namespace of the secret to be created" namespace: "Namespace of the secret to be created"
labels: # Optional labels: # Optional
key: value key: value
annotations: # Optional
key: value
template: | template: |
--- ---
api: api:

38
charts/bitwarden-crd-operator/Chart.yaml
View File

@ -4,9 +4,9 @@ description: Deploy the Bitwarden CRD Operator
type: application type: application
version: "v0.12.0" version: "v0.13.0"
appVersion: "0.11.0" appVersion: "0.12.0"
keywords: keywords:
- operator - operator
@ -32,22 +32,22 @@ annotations:
url: https://github.com/Lerentis/bitwarden-crd-operator url: https://github.com/Lerentis/bitwarden-crd-operator
artifacthub.io/crds: | artifacthub.io/crds: |
- kind: BitwardenSecret - kind: BitwardenSecret
version: v1beta6 version: v1beta7
name: bitwarden-secret name: bitwarden-secret
displayName: Bitwarden Secret displayName: Bitwarden Secret
description: Management Object to create secrets from bitwarden description: Management Object to create secrets from bitwarden
- kind: RegistryCredential - kind: RegistryCredential
version: v1beta6 version: v1beta7
name: registry-credential name: registry-credential
displayName: Regestry Credentials displayName: Regestry Credentials
description: Management Object to create regestry secrets from bitwarden description: Management Object to create regestry secrets from bitwarden
- kind: BitwardenTemplate - kind: BitwardenTemplate
version: v1beta6 version: v1beta7
name: bitwarden-template name: bitwarden-template
displayName: Bitwarden Template displayName: Bitwarden Template
description: Management Object to create secrets from a jinja template with a bitwarden lookup description: Management Object to create secrets from a jinja template with a bitwarden lookup
artifacthub.io/crdsExamples: | artifacthub.io/crdsExamples: |
- apiVersion: lerentis.uploadfilter24.eu/v1beta6 - apiVersion: lerentis.uploadfilter24.eu/v1beta7
kind: BitwardenSecret kind: BitwardenSecret
metadata: metadata:
name: test name: test
@ -61,12 +61,13 @@ annotations:
secretRef: passwordOfUser secretRef: passwordOfUser
id: "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" id: "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
name: "test-secret" name: "test-secret"
secretType: Obaque #Optional
namespace: "default" namespace: "default"
labels: labels:
key: value key: value
annotations: annotations:
key: value key: value
- apiVersion: lerentis.uploadfilter24.eu/v1beta6 - apiVersion: lerentis.uploadfilter24.eu/v1beta7
kind: RegistryCredential kind: RegistryCredential
metadata: metadata:
name: test name: test
@ -81,13 +82,14 @@ annotations:
key: value key: value
annotations: annotations:
key: value key: value
- apiVersion: "lerentis.uploadfilter24.eu/v1beta6" - apiVersion: "lerentis.uploadfilter24.eu/v1beta7"
kind: BitwardenTemplate kind: BitwardenTemplate
metadata: metadata:
name: test name: test
spec: spec:
filename: "config.yaml" filename: "config.yaml"
name: "test-regcred" name: "test-regcred"
secretType: Obaque #Optional
namespace: "default" namespace: "default"
labels: labels:
key: value key: value
@ -107,22 +109,12 @@ annotations:
artifacthub.io/operator: "true" artifacthub.io/operator: "true"
artifacthub.io/containsSecurityUpdates: "false" artifacthub.io/containsSecurityUpdates: "false"
artifacthub.io/changes: | artifacthub.io/changes: |
- kind: changed
description: "Update python to 3.11.9-r0"
- kind: changed
description: "Update Node to 20.12.1-r0"
- kind: changed
description: "Update libcrypto3 to 3.1.4-r5"
- kind: changed
description: "Update alpine to 3.19.1"
- kind: changed
description: "Update kopf to 1.37.2"
- kind: changed
description: "Update jinja to 3.1.4"
- kind: added - kind: added
description: "Allow custom annotations to generated secrets" description: "Allow custom type for generated secrets"
- kind: added - kind: added
description: "Set ownership of generated secrets if CRD is in the same namespace" description: "Allow attachments in generated secrets"
- kind: added
description: "Allow custom type in templated secrets"
artifacthub.io/images: | artifacthub.io/images: |
- name: bitwarden-crd-operator - name: bitwarden-crd-operator
image: ghcr.io/lerentis/bitwarden-crd-operator:0.11.0 image: ghcr.io/lerentis/bitwarden-crd-operator:0.12.0

47
charts/bitwarden-crd-operator/crds/bitwarden-secrets.yaml
View File

@ -92,7 +92,8 @@ spec:
- name - name
- name: v1beta6 - name: v1beta6
served: true served: true
storage: true storage: false
deprecated: true
schema: schema:
openAPIV3Schema: openAPIV3Schema:
type: object type: object
@ -132,3 +133,47 @@ spec:
- id - id
- namespace - namespace
- name - name
- name: v1beta7
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
content:
type: array
items:
type: object
properties:
element:
type: object
properties:
secretName:
type: string
secretRef:
type: string
secretScope:
type: string
required:
- secretName
id:
type: string
namespace:
type: string
name:
type: string
secretType:
type: string
labels:
type: object
x-kubernetes-preserve-unknown-fields: true
annotations:
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- id
- namespace
- name

34
charts/bitwarden-crd-operator/crds/bitwarden-templates.yaml
View File

@ -66,7 +66,8 @@ spec:
- name - name
- name: v1beta6 - name: v1beta6
served: true served: true
storage: true storage: false
deprecated: true
schema: schema:
openAPIV3Schema: openAPIV3Schema:
type: object type: object
@ -93,3 +94,34 @@ spec:
- template - template
- namespace - namespace
- name - name
- name: v1beta7
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
filename:
type: string
template:
type: string
namespace:
type: string
name:
type: string
secretType:
type: string
labels:
type: object
x-kubernetes-preserve-unknown-fields: true
annotations:
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- filename
- template
- namespace
- name

36
charts/bitwarden-crd-operator/crds/registry-credentials.yaml
View File

@ -77,6 +77,42 @@ spec:
- passwordRef - passwordRef
- registry - registry
- name: v1beta6 - name: v1beta6
served: true
storage: false
deprecated: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
usernameRef:
type: string
passwordRef:
type: string
registry:
type: string
id:
type: string
namespace:
type: string
name:
type: string
labels:
type: object
x-kubernetes-preserve-unknown-fields: true
annotations:
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- id
- namespace
- name
- usernameRef
- passwordRef
- registry
- name: v1beta7
served: true served: true
storage: true storage: true
schema: schema:

3
example.yaml
View File

@ -1,5 +1,5 @@
--- ---
apiVersion: "lerentis.uploadfilter24.eu/v1beta6" apiVersion: "lerentis.uploadfilter24.eu/v1beta7"
kind: BitwardenSecret kind: BitwardenSecret
metadata: metadata:
name: test name: test
@ -16,6 +16,7 @@ spec:
secretScope: login secretScope: login
id: "88781348-c81c-4367-9801-550360c21295" id: "88781348-c81c-4367-9801-550360c21295"
name: "test-secret" name: "test-secret"
secretType: Opaque
namespace: "default" namespace: "default"
labels: labels:
key: value key: value

2
skaffold.yaml
View File

@ -14,4 +14,4 @@ deploy:
chartPath: charts/bitwarden-crd-operator chartPath: charts/bitwarden-crd-operator
valuesFiles: valuesFiles:
- env/values.yaml - env/values.yaml
version: v0.7.4 version: v0.13.0

32
src/kv.py
View File

@ -3,10 +3,9 @@ import kubernetes
import base64 import base64
import json import json
from utils.utils import unlock_bw, get_secret_from_bitwarden, parse_login_scope, parse_fields_scope, bw_sync_interval from utils.utils import unlock_bw, get_secret_from_bitwarden, parse_login_scope, parse_fields_scope, get_attachment, bw_sync_interval
def create_kv(secret, secret_json, content_def): def create_kv(logger, id, secret, secret_json, content_def):
secret.type = "Opaque"
secret.data = {} secret.data = {}
for eleml in content_def: for eleml in content_def:
for k, elem in eleml.items(): for k, elem in eleml.items():
@ -31,6 +30,13 @@ def create_kv(secret, secret_json, content_def):
f"Field {_secret_key} has no value in bitwarden secret") f"Field {_secret_key} has no value in bitwarden secret")
secret.data[_secret_ref] = str(base64.b64encode( secret.data[_secret_ref] = str(base64.b64encode(
value.encode("utf-8")), "utf-8") value.encode("utf-8")), "utf-8")
if _secret_scope == "attachment":
value = get_attachment(logger, id, _secret_key)
if value is None:
raise Exception(
f"Attachment {_secret_key} has no value in bitwarden secret")
secret.data[_secret_ref] = str(base64.b64encode(
value.encode("utf-8")), "utf-8")
return secret return secret
@ -43,6 +49,7 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
secret_namespace = spec.get('namespace') secret_namespace = spec.get('namespace')
labels = spec.get('labels') labels = spec.get('labels')
custom_annotations = spec.get('annotations') custom_annotations = spec.get('annotations')
custom_secret_type = spec.get('secretType')
unlock_bw(logger) unlock_bw(logger)
logger.info(f"Locking up secret with ID: {id}") logger.info(f"Locking up secret with ID: {id}")
@ -58,13 +65,17 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
if custom_annotations: if custom_annotations:
annotations.update(custom_annotations) annotations.update(custom_annotations)
if not custom_secret_type:
custom_secret_type = 'Opaque'
if not labels: if not labels:
labels = {} labels = {}
secret = kubernetes.client.V1Secret() secret = kubernetes.client.V1Secret()
secret.metadata = kubernetes.client.V1ObjectMeta( secret.metadata = kubernetes.client.V1ObjectMeta(
name=secret_name, annotations=annotations, labels=labels) name=secret_name, annotations=annotations, labels=labels)
secret = create_kv(secret, secret_json_object, content_def) secret.type = custom_secret_type
secret = create_kv(logger, id, secret, secret_json_object, content_def)
# Garbage collection will delete the generated secret if the owner # Garbage collection will delete the generated secret if the owner
# Is not in the same namespace as the generated secret # Is not in the same namespace as the generated secret
@ -95,21 +106,27 @@ def update_managed_secret(
old_config = None old_config = None
old_secret_name = None old_secret_name = None
old_secret_namespace = None old_secret_namespace = None
old_secret_type = None
if 'kopf.zalando.org/last-handled-configuration' in body.metadata.annotations: if 'kopf.zalando.org/last-handled-configuration' in body.metadata.annotations:
old_config = json.loads( old_config = json.loads(
body.metadata.annotations['kopf.zalando.org/last-handled-configuration']) body.metadata.annotations['kopf.zalando.org/last-handled-configuration'])
old_secret_name = old_config['spec'].get('name') old_secret_name = old_config['spec'].get('name')
old_secret_namespace = old_config['spec'].get('namespace') old_secret_namespace = old_config['spec'].get('namespace')
old_secret_type = old_config['spec'].get('type')
secret_name = spec.get('name') secret_name = spec.get('name')
secret_namespace = spec.get('namespace') secret_namespace = spec.get('namespace')
labels = spec.get('labels') labels = spec.get('labels')
custom_annotations = spec.get('annotations') custom_annotations = spec.get('annotations')
custom_secret_type = spec.get('secretType')
if not custom_secret_type:
custom_secret_type = 'Opaque'
if old_config is not None and ( if old_config is not None and (
old_secret_name != secret_name or old_secret_namespace != secret_namespace): old_secret_name != secret_name or old_secret_namespace != secret_namespace or old_secret_type != custom_secret_type):
# If the name of the secret or the namespace of the secret is different # If the name of the secret or the namespace of the secret is different
# We have to delete the secret an recreate it # We have to delete the secret an recreate it
logger.info("Secret name or namespace changed, let's recreate it") logger.info("Secret name, namespace or type changed, let's recreate it")
delete_managed_secret( delete_managed_secret(
old_config['spec'], old_config['spec'],
name, name,
@ -139,7 +156,8 @@ def update_managed_secret(
secret = kubernetes.client.V1Secret() secret = kubernetes.client.V1Secret()
secret.metadata = kubernetes.client.V1ObjectMeta( secret.metadata = kubernetes.client.V1ObjectMeta(
name=secret_name, annotations=annotations, labels=labels) name=secret_name, annotations=annotations, labels=labels)
secret = create_kv(secret, secret_json_object, content_def) secret.type = custom_secret_type
secret = create_kv(logger, id, secret, secret_json_object, content_def)
# Garbage collection will delete the generated secret if the owner # Garbage collection will delete the generated secret if the owner
# Is not in the same namespace as the generated secret # Is not in the same namespace as the generated secret

15
src/template.py
View File

@ -17,7 +17,6 @@ def render_template(logger, template):
def create_template_secret(logger, secret, filename, template): def create_template_secret(logger, secret, filename, template):
secret.type = "Opaque"
secret.data = {} secret.data = {}
secret.data[filename] = str( secret.data[filename] = str(
base64.b64encode( base64.b64encode(
@ -35,6 +34,7 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
secret_namespace = spec.get('namespace') secret_namespace = spec.get('namespace')
labels = spec.get('labels') labels = spec.get('labels')
custom_annotations = spec.get('annotations') custom_annotations = spec.get('annotations')
custom_secret_type = spec.get('secretType')
unlock_bw(logger) unlock_bw(logger)
@ -48,12 +48,16 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
if custom_annotations: if custom_annotations:
annotations.update(custom_annotations) annotations.update(custom_annotations)
if not custom_secret_type:
custom_secret_type = 'Opaque'
if not labels: if not labels:
labels = {} labels = {}
secret = kubernetes.client.V1Secret() secret = kubernetes.client.V1Secret()
secret.metadata = kubernetes.client.V1ObjectMeta( secret.metadata = kubernetes.client.V1ObjectMeta(
name=secret_name, annotations=annotations, labels=labels) name=secret_name, annotations=annotations, labels=labels)
secret.type = custom_secret_type
secret = create_template_secret(logger, secret, filename, template) secret = create_template_secret(logger, secret, filename, template)
# Garbage collection will delete the generated secret if the owner # Garbage collection will delete the generated secret if the owner
@ -85,20 +89,26 @@ def update_managed_secret(
secret_namespace = spec.get('namespace') secret_namespace = spec.get('namespace')
labels = spec.get('labels') labels = spec.get('labels')
custom_annotations = spec.get('annotations') custom_annotations = spec.get('annotations')
custom_secret_type = spec.get('secretType')
if not custom_secret_type:
custom_secret_type = 'Opaque'
old_config = None old_config = None
old_secret_name = None old_secret_name = None
old_secret_namespace = None old_secret_namespace = None
old_secret_type = None
if 'kopf.zalando.org/last-handled-configuration' in body.metadata.annotations: if 'kopf.zalando.org/last-handled-configuration' in body.metadata.annotations:
old_config = json.loads( old_config = json.loads(
body.metadata.annotations['kopf.zalando.org/last-handled-configuration']) body.metadata.annotations['kopf.zalando.org/last-handled-configuration'])
old_secret_name = old_config['spec'].get('name') old_secret_name = old_config['spec'].get('name')
old_secret_namespace = old_config['spec'].get('namespace') old_secret_namespace = old_config['spec'].get('namespace')
old_secret_type = old_config['spec'].get('type')
secret_name = spec.get('name') secret_name = spec.get('name')
secret_namespace = spec.get('namespace') secret_namespace = spec.get('namespace')
if old_config is not None and ( if old_config is not None and (
old_secret_name != secret_name or old_secret_namespace != secret_namespace): old_secret_name != secret_name or old_secret_namespace != secret_namespace or old_secret_type != custom_secret_type):
# If the name of the secret or the namespace of the secret is different # If the name of the secret or the namespace of the secret is different
# We have to delete the secret an recreate it # We have to delete the secret an recreate it
logger.info("Secret name or namespace changed, let's recreate it") logger.info("Secret name or namespace changed, let's recreate it")
@ -129,6 +139,7 @@ def update_managed_secret(
secret = kubernetes.client.V1Secret() secret = kubernetes.client.V1Secret()
secret.metadata = kubernetes.client.V1ObjectMeta( secret.metadata = kubernetes.client.V1ObjectMeta(
name=secret_name, annotations=annotations, labels=labels) name=secret_name, annotations=annotations, labels=labels)
secret.type = custom_secret_type
secret = create_template_secret(logger, secret, filename, template) secret = create_template_secret(logger, secret, filename, template)
# Garbage collection will delete the generated secret if the owner # Garbage collection will delete the generated secret if the owner