Updated CRDs and added custom secret type to templates

This commit is contained in:
Christoph Thalhammer 2024-06-19 11:24:22 +02:00
parent e1c8f49c11
commit 38459629bc
4 changed files with 89 additions and 21 deletions

View File

@ -37,12 +37,12 @@ annotations:
displayName: Bitwarden Secret
description: Management Object to create secrets from bitwarden
- kind: RegistryCredential
version: v1beta6
version: v1beta7
name: registry-credential
displayName: Regestry Credentials
description: Management Object to create regestry secrets from bitwarden
- kind: BitwardenTemplate
version: v1beta6
version: v1beta7
name: bitwarden-template
displayName: Bitwarden Template
description: Management Object to create secrets from a jinja template with a bitwarden lookup
@ -67,7 +67,7 @@ annotations:
key: value
annotations:
key: value
- apiVersion: lerentis.uploadfilter24.eu/v1beta6
- apiVersion: lerentis.uploadfilter24.eu/v1beta7
kind: RegistryCredential
metadata:
name: test
@ -82,13 +82,14 @@ annotations:
key: value
annotations:
key: value
- apiVersion: "lerentis.uploadfilter24.eu/v1beta6"
- apiVersion: "lerentis.uploadfilter24.eu/v1beta7"
kind: BitwardenTemplate
metadata:
name: test
spec:
filename: "config.yaml"
name: "test-regcred"
secretType: Obaque #Optional
namespace: "default"
labels:
key: value
@ -110,22 +111,10 @@ annotations:
artifacthub.io/changes: |
- kind: added
description: "Allow custom type for generated secrets"
- kind: changed
description: "Update python to 3.11.9-r0"
- kind: changed
description: "Update Node to 20.12.1-r0"
- kind: changed
description: "Update libcrypto3 to 3.1.4-r5"
- kind: changed
description: "Update alpine to 3.19.1"
- kind: changed
description: "Update kopf to 1.37.2"
- kind: changed
description: "Update jinja to 3.1.4"
- kind: added
description: "Allow custom annotations to generated secrets"
description: "Allow attachments in generated secrets"
- kind: added
description: "Set ownership of generated secrets if CRD is in the same namespace"
description: "Allow custom type in templated secrets"
artifacthub.io/images: |
- name: bitwarden-crd-operator
image: ghcr.io/lerentis/bitwarden-crd-operator:0.12.0

View File

@ -66,7 +66,8 @@ spec:
- name
- name: v1beta6
served: true
storage: true
storage: false
deprecated: true
schema:
openAPIV3Schema:
type: object
@ -93,3 +94,34 @@ spec:
- template
- namespace
- name
- name: v1beta7
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
filename:
type: string
template:
type: string
namespace:
type: string
name:
type: string
secretType:
type: string
labels:
type: object
x-kubernetes-preserve-unknown-fields: true
annotations:
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- filename
- template
- namespace
- name

View File

@ -77,6 +77,42 @@ spec:
- passwordRef
- registry
- name: v1beta6
served: true
storage: false
deprecated: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
usernameRef:
type: string
passwordRef:
type: string
registry:
type: string
id:
type: string
namespace:
type: string
name:
type: string
labels:
type: object
x-kubernetes-preserve-unknown-fields: true
annotations:
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- id
- namespace
- name
- usernameRef
- passwordRef
- registry
- name: v1beta7
served: true
storage: true
schema:

View File

@ -17,7 +17,6 @@ def render_template(logger, template):
def create_template_secret(logger, secret, filename, template):
secret.type = "Opaque"
secret.data = {}
secret.data[filename] = str(
base64.b64encode(
@ -35,6 +34,7 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
secret_namespace = spec.get('namespace')
labels = spec.get('labels')
custom_annotations = spec.get('annotations')
custom_secret_type = spec.get('secretType')
unlock_bw(logger)
@ -48,12 +48,16 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
if custom_annotations:
annotations.update(custom_annotations)
if not custom_secret_type:
custom_secret_type = 'Opaque'
if not labels:
labels = {}
secret = kubernetes.client.V1Secret()
secret.metadata = kubernetes.client.V1ObjectMeta(
name=secret_name, annotations=annotations, labels=labels)
secret.type = custom_secret_type
secret = create_template_secret(logger, secret, filename, template)
# Garbage collection will delete the generated secret if the owner
@ -85,20 +89,26 @@ def update_managed_secret(
secret_namespace = spec.get('namespace')
labels = spec.get('labels')
custom_annotations = spec.get('annotations')
custom_secret_type = spec.get('secretType')
if not custom_secret_type:
custom_secret_type = 'Opaque'
old_config = None
old_secret_name = None
old_secret_namespace = None
old_secret_type = None
if 'kopf.zalando.org/last-handled-configuration' in body.metadata.annotations:
old_config = json.loads(
body.metadata.annotations['kopf.zalando.org/last-handled-configuration'])
old_secret_name = old_config['spec'].get('name')
old_secret_namespace = old_config['spec'].get('namespace')
old_secret_type = old_config['spec'].get('type')
secret_name = spec.get('name')
secret_namespace = spec.get('namespace')
if old_config is not None and (
old_secret_name != secret_name or old_secret_namespace != secret_namespace):
old_secret_name != secret_name or old_secret_namespace != secret_namespace or old_secret_type != custom_secret_type):
# If the name of the secret or the namespace of the secret is different
# We have to delete the secret an recreate it
logger.info("Secret name or namespace changed, let's recreate it")
@ -129,6 +139,7 @@ def update_managed_secret(
secret = kubernetes.client.V1Secret()
secret.metadata = kubernetes.client.V1ObjectMeta(
name=secret_name, annotations=annotations, labels=labels)
secret.type = custom_secret_type
secret = create_template_secret(logger, secret, filename, template)
# Garbage collection will delete the generated secret if the owner