Updated CRDs and added custom secret type to templates

2024-06-19 11:24:22 +02:00
parent e1c8f49c11
commit 38459629bc
4 changed files with 89 additions and 21 deletions
--- a/charts/bitwarden-crd-operator/Chart.yaml
+++ b/charts/bitwarden-crd-operator/Chart.yaml
@@ -37,12 +37,12 @@ annotations:
      displayName: Bitwarden Secret
      description: Management Object to create secrets from bitwarden
    - kind: RegistryCredential
-      version: v1beta6
+      version: v1beta7
      name: registry-credential
      displayName: Regestry Credentials
      description: Management Object to create regestry secrets from bitwarden
    - kind: BitwardenTemplate
-      version: v1beta6
+      version: v1beta7
      name: bitwarden-template
      displayName: Bitwarden Template
      description: Management Object to create secrets from a jinja template with a bitwarden lookup
@@ -67,7 +67,7 @@ annotations:
          key: value
        annotations:
          key: value
-    - apiVersion: lerentis.uploadfilter24.eu/v1beta6
+    - apiVersion: lerentis.uploadfilter24.eu/v1beta7
      kind: RegistryCredential
      metadata:
        name: test
@@ -82,13 +82,14 @@ annotations:
          key: value
        annotations:
          key: value
-    - apiVersion: "lerentis.uploadfilter24.eu/v1beta6"
+    - apiVersion: "lerentis.uploadfilter24.eu/v1beta7"
      kind: BitwardenTemplate
      metadata:
        name: test
      spec:
        filename: "config.yaml"
        name: "test-regcred"
+        secretType: Obaque #Optional
        namespace: "default"
        labels:
          key: value
@@ -110,22 +111,10 @@ annotations:
  artifacthub.io/changes: |
    - kind: added
      description: "Allow custom type for generated secrets"
-    - kind: changed
-      description: "Update python to 3.11.9-r0"
-    - kind: changed
-      description: "Update Node to 20.12.1-r0"
-    - kind: changed
-      description: "Update libcrypto3 to 3.1.4-r5"
-    - kind: changed
-      description: "Update alpine to 3.19.1"
-    - kind: changed
-      description: "Update kopf to 1.37.2"
-    - kind: changed
-      description: "Update jinja to 3.1.4"
    - kind: added
-      description: "Allow custom annotations to generated secrets"
+      description: "Allow attachments in generated secrets"
    - kind: added
-      description: "Set ownership of generated secrets if CRD is in the same namespace"
+      description: "Allow custom type in templated secrets"
  artifacthub.io/images: |
    - name: bitwarden-crd-operator
      image: ghcr.io/lerentis/bitwarden-crd-operator:0.12.0
--- a/charts/bitwarden-crd-operator/crds/bitwarden-templates.yaml
+++ b/charts/bitwarden-crd-operator/crds/bitwarden-templates.yaml
@@ -66,7 +66,8 @@ spec:
                - name
    - name: v1beta6
      served: true
-      storage: true
+      storage: false
+      deprecated: true
      schema:
        openAPIV3Schema:
          type: object
@@ -93,3 +94,34 @@ spec:
                - template
                - namespace
                - name
+    - name: v1beta7
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          properties:
+            spec:
+              type: object
+              properties:
+                filename:
+                  type: string
+                template:
+                  type: string
+                namespace:
+                  type: string
+                name:
+                  type: string
+                secretType: 
+                  type: string
+                labels:
+                  type: object
+                  x-kubernetes-preserve-unknown-fields: true
+                annotations:
+                  type: object
+                  x-kubernetes-preserve-unknown-fields: true
+              required:
+                - filename
+                - template
+                - namespace
+                - name
--- a/charts/bitwarden-crd-operator/crds/registry-credentials.yaml
+++ b/charts/bitwarden-crd-operator/crds/registry-credentials.yaml
@@ -77,6 +77,42 @@ spec:
                - passwordRef
                - registry
    - name: v1beta6
+      served: true
+      storage: false
+      deprecated: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          properties:
+            spec:
+              type: object
+              properties:
+                usernameRef:
+                  type: string
+                passwordRef:
+                  type: string
+                registry:
+                  type: string
+                id:
+                  type: string
+                namespace:
+                  type: string
+                name:
+                  type: string
+                labels:
+                  type: object
+                  x-kubernetes-preserve-unknown-fields: true
+                annotations:
+                  type: object
+                  x-kubernetes-preserve-unknown-fields: true
+              required:
+                - id
+                - namespace
+                - name
+                - usernameRef
+                - passwordRef
+                - registry
+    - name: v1beta7
      served: true
      storage: true
      schema:
--- a/src/template.py
+++ b/src/template.py
@@ -17,7 +17,6 @@ def render_template(logger, template):


 def create_template_secret(logger, secret, filename, template):
-    secret.type = "Opaque"
    secret.data = {}
    secret.data[filename] = str(
        base64.b64encode(
@@ -35,6 +34,7 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
    secret_namespace = spec.get('namespace')
    labels = spec.get('labels')
    custom_annotations = spec.get('annotations')
+    custom_secret_type = spec.get('secretType')

    unlock_bw(logger)

@@ -48,12 +48,16 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
    if custom_annotations:
        annotations.update(custom_annotations)

+    if not custom_secret_type:
+        custom_secret_type = 'Opaque'
+
    if not labels:
        labels = {}

    secret = kubernetes.client.V1Secret()
    secret.metadata = kubernetes.client.V1ObjectMeta(
        name=secret_name, annotations=annotations, labels=labels)
+    secret.type = custom_secret_type
    secret = create_template_secret(logger, secret, filename, template)

    # Garbage collection will delete the generated secret if the owner
@@ -85,20 +89,26 @@ def update_managed_secret(
    secret_namespace = spec.get('namespace')
    labels = spec.get('labels')
    custom_annotations = spec.get('annotations')
+    custom_secret_type = spec.get('secretType')
+
+    if not custom_secret_type:
+        custom_secret_type = 'Opaque'

    old_config = None
    old_secret_name = None
    old_secret_namespace = None
+    old_secret_type = None
    if 'kopf.zalando.org/last-handled-configuration' in body.metadata.annotations:
        old_config = json.loads(
            body.metadata.annotations['kopf.zalando.org/last-handled-configuration'])
        old_secret_name = old_config['spec'].get('name')
        old_secret_namespace = old_config['spec'].get('namespace')
+        old_secret_type = old_config['spec'].get('type')
    secret_name = spec.get('name')
    secret_namespace = spec.get('namespace')

    if old_config is not None and (
-            old_secret_name != secret_name or old_secret_namespace != secret_namespace):
+            old_secret_name != secret_name or old_secret_namespace != secret_namespace or old_secret_type != custom_secret_type):
        # If the name of the secret or the namespace of the secret is different
        # We have to delete the secret an recreate it
        logger.info("Secret name or namespace changed, let's recreate it")
@@ -129,6 +139,7 @@ def update_managed_secret(
    secret = kubernetes.client.V1Secret()
    secret.metadata = kubernetes.client.V1ObjectMeta(
        name=secret_name, annotations=annotations, labels=labels)
+    secret.type = custom_secret_type
    secret = create_template_secret(logger, secret, filename, template)

    # Garbage collection will delete the generated secret if the owner