lerentis/bitwarden-crd-operator
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 18 Wiki Activity

(feat): refactor bitwardenTemplate to handle more than one file

Browse Source 
(chore): update dependencies
(chore): drop old CRD versions
This commit is contained in:
Tobias Trabelsi
2024-10-06 22:32:30 +02:00
parent 25b1d0778e
commit 559c08c187
11 changed files with 297 additions and 292 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
Dockerfile
View File

@@ -1,13 +1,13 @@
FROM alpine:3.20.2 FROM alpine:3.20.3
LABEL org.opencontainers.image.source=https://github.com/Lerentis/bitwarden-crd-operator LABEL org.opencontainers.image.source=https://github.com/Lerentis/bitwarden-crd-operator
LABEL org.opencontainers.image.description="Kubernetes Operator to create k8s secrets from bitwarden" LABEL org.opencontainers.image.description="Kubernetes Operator to create k8s secrets from bitwarden"
LABEL org.opencontainers.image.licenses=MIT LABEL org.opencontainers.image.licenses=MIT
ARG PYTHON_VERSION=3.12.3-r1 ARG PYTHON_VERSION=3.12.6-r0
ARG PIP_VERSION=24.0-r2 ARG PIP_VERSION=24.0-r2
ARG GCOMPAT_VERSION=1.1.0-r4 ARG GCOMPAT_VERSION=1.1.0-r4
ARG LIBCRYPTO_VERSION=3.3.1-r3 ARG LIBCRYPTO_VERSION=3.3.2-r0
ARG BW_VERSION=2024.7.2 ARG BW_VERSION=2024.7.2
ARG NODE_VERSION=20.15.1-r0 ARG NODE_VERSION=20.15.1-r0

22
README.md
View File

@@ -56,7 +56,7 @@ And you are set to create your first secret using this operator. For that you ne
```yaml ```yaml
--- ---
apiVersion: "lerentis.uploadfilter24.eu/v1beta7" apiVersion: "lerentis.uploadfilter24.eu/v1beta8"
kind: BitwardenSecret kind: BitwardenSecret
metadata: metadata:
name: name-of-your-management-object name: name-of-your-management-object
@@ -106,7 +106,7 @@ For managing registry credentials, or pull secrets, you can create another kind
```yaml ```yaml
--- ---
apiVersion: "lerentis.uploadfilter24.eu/v1beta7" apiVersion: "lerentis.uploadfilter24.eu/v1beta8"
kind: RegistryCredential kind: RegistryCredential
metadata: metadata:
name: name-of-your-management-object name: name-of-your-management-object
@@ -147,12 +147,11 @@ One of the more freely defined types that can be used with this operator you can
```yaml ```yaml
--- ---
apiVersion: "lerentis.uploadfilter24.eu/v1beta7" apiVersion: "lerentis.uploadfilter24.eu/v1beta8"
kind: BitwardenTemplate kind: BitwardenTemplate
metadata: metadata:
name: name-of-your-management-object name: name-of-your-management-object
spec: spec:
filename: "Key of the secret to be created"
name: "Name of the secret to be created" name: "Name of the secret to be created"
secretType: # Optional (Default: Opaque) secretType: # Optional (Default: Opaque)
namespace: "Namespace of the secret to be created" namespace: "Namespace of the secret to be created"
@@ -160,6 +159,9 @@ spec:
key: value key: value
annotations: # Optional annotations: # Optional
key: value key: value
content:
- element:
filename: config.yaml
template: | template: |
--- ---
api: api:
@@ -170,6 +172,18 @@ spec:
"some.app.identifier:some_version": "some.app.identifier:some_version":
pubkey: {{ bitwarden_lookup("A Secret ID from bitwarden", "login or fields or attachment", "name of a field in bitwarden") }} pubkey: {{ bitwarden_lookup("A Secret ID from bitwarden", "login or fields or attachment", "name of a field in bitwarden") }}
enabled: true enabled: true
- element:
filename: config2.yaml
template: |
---
api:
enabled: True
key: {{ bitwarden_lookup("A Secret ID from bitwarden", "login or fields or attachment", "name of a field in bitwarden") }}
allowCrossOrigin: false
apps:
"some.app.identifier:some_version":
pubkey: {{ bitwarden_lookup("A Secret ID from bitwarden", "login or fields or attachment", "name of a field in bitwarden") }}
enabled: false
``` ```
This will result in something like the following object: This will result in something like the following object:

39
charts/bitwarden-crd-operator/Chart.yaml
View File

@@ -4,9 +4,9 @@ description: Deploy the Bitwarden CRD Operator
type: application type: application
version: "v0.14.0" version: "v0.15.0"
appVersion: "0.13.0" appVersion: "0.14.0"
keywords: keywords:
- operator - operator
@@ -20,7 +20,7 @@ home: https://lerentis.github.io/bitwarden-crd-operator/
sources: sources:
- https://github.com/Lerentis/bitwarden-crd-operator - https://github.com/Lerentis/bitwarden-crd-operator
kubeVersion: ">= 1.23.0-0" kubeVersion: ">= 1.28.0-0"
maintainers: maintainers:
- name: lerentis - name: lerentis
@@ -32,22 +32,22 @@ annotations:
url: https://github.com/Lerentis/bitwarden-crd-operator url: https://github.com/Lerentis/bitwarden-crd-operator
artifacthub.io/crds: | artifacthub.io/crds: |
- kind: BitwardenSecret - kind: BitwardenSecret
version: v1beta7 version: v1beta8
name: bitwarden-secret name: bitwarden-secret
displayName: Bitwarden Secret displayName: Bitwarden Secret
description: Management Object to create secrets from bitwarden description: Management Object to create secrets from bitwarden
- kind: RegistryCredential - kind: RegistryCredential
version: v1beta7 version: v1beta8
name: registry-credential name: registry-credential
displayName: Regestry Credentials displayName: Regestry Credentials
description: Management Object to create regestry secrets from bitwarden description: Management Object to create regestry secrets from bitwarden
- kind: BitwardenTemplate - kind: BitwardenTemplate
version: v1beta7 version: v1beta8
name: bitwarden-template name: bitwarden-template
displayName: Bitwarden Template displayName: Bitwarden Template
description: Management Object to create secrets from a jinja template with a bitwarden lookup description: Management Object to create secrets from a jinja template with a bitwarden lookup
artifacthub.io/crdsExamples: | artifacthub.io/crdsExamples: |
- apiVersion: lerentis.uploadfilter24.eu/v1beta7 - apiVersion: lerentis.uploadfilter24.eu/v1beta8
kind: BitwardenSecret kind: BitwardenSecret
metadata: metadata:
name: test name: test
@@ -67,7 +67,7 @@ annotations:
key: value key: value
annotations: annotations:
key: value key: value
- apiVersion: lerentis.uploadfilter24.eu/v1beta7 - apiVersion: lerentis.uploadfilter24.eu/v1beta8
kind: RegistryCredential kind: RegistryCredential
metadata: metadata:
name: test name: test
@@ -82,12 +82,11 @@ annotations:
key: value key: value
annotations: annotations:
key: value key: value
- apiVersion: "lerentis.uploadfilter24.eu/v1beta7" - apiVersion: "lerentis.uploadfilter24.eu/v1beta8"
kind: BitwardenTemplate kind: BitwardenTemplate
metadata: metadata:
name: test name: test
spec: spec:
filename: "config.yaml"
name: "test-regcred" name: "test-regcred"
secretType: Obaque #Optional secretType: Obaque #Optional
namespace: "default" namespace: "default"
@@ -95,6 +94,9 @@ annotations:
key: value key: value
annotations: annotations:
key: value key: value
content:
- element:
filename: "config.yaml"
template: | template: |
--- ---
api: api:
@@ -105,22 +107,19 @@ annotations:
"some.app.identifier:some_version": "some.app.identifier:some_version":
pubkey: {{ bitwarden_lookup("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "attachment", "public_key") }} pubkey: {{ bitwarden_lookup("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "attachment", "public_key") }}
enabled: true enabled: true
artifacthub.io/license: MIT artifacthub.io/license: MIT
artifacthub.io/operator: "true" artifacthub.io/operator: "true"
artifacthub.io/containsSecurityUpdates: "false" artifacthub.io/containsSecurityUpdates: "false"
artifacthub.io/changes: | artifacthub.io/changes: |
- kind: changed - kind: changed
description: "Update Alpine to 3.20.2" description: "BitwardenTemplate can now handle multiple files"
- kind: changed - kind: changed
description: "Update Python to 3.12.3-r1" description: "Removed long deprecated versions"
- kind changed
description: "Update kubernetes from v29.0.0 to v30.1.0"
- kind: changed - kind: changed
description: "Update Pip to 24.0-r2" description: "Update alpine from 3.20.2 to 3.20.3"
- kind: changed
description: "Update NodeJS to 20.15.1-r0"
- kind: changed
description: "Update libcrypto3 to 3.3.1-r3"
- kind: changed
description: "Update BitwardenCLI to 2024.7.2"
artifacthub.io/images: | artifacthub.io/images: |
- name: bitwarden-crd-operator - name: bitwarden-crd-operator
image: ghcr.io/lerentis/bitwarden-crd-operator:0.13.0 image: ghcr.io/lerentis/bitwarden-crd-operator:0.14.0

81
charts/bitwarden-crd-operator/crds/bitwarden-secrets.yaml
View File

@@ -13,7 +13,7 @@ spec:
shortNames: shortNames:
- bws - bws
versions: versions:
- name: v1beta4 - name: v1beta7
served: true served: true
storage: false storage: false
deprecated: true deprecated: true
@@ -46,82 +46,7 @@ spec:
type: string type: string
name: name:
type: string type: string
required: secretType:
- id
- namespace
- name
- name: v1beta5
served: true
storage: false
deprecated: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
content:
type: array
items:
type: object
properties:
element:
type: object
properties:
secretName:
type: string
secretRef:
type: string
secretScope:
type: string
required:
- secretName
id:
type: string
namespace:
type: string
name:
type: string
labels:
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- id
- namespace
- name
- name: v1beta6
served: true
storage: false
deprecated: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
content:
type: array
items:
type: object
properties:
element:
type: object
properties:
secretName:
type: string
secretRef:
type: string
secretScope:
type: string
required:
- secretName
id:
type: string
namespace:
type: string
name:
type: string type: string
labels: labels:
type: object type: object
@@ -133,7 +58,7 @@ spec:
- id - id
- namespace - namespace
- name - name
- name: v1beta7 - name: v1beta8
served: true served: true
storage: true storage: true
schema: schema:

124
charts/bitwarden-crd-operator/crds/bitwarden-templates.yaml
View File

@@ -13,90 +13,10 @@ spec:
shortNames: shortNames:
- bwt - bwt
versions: versions:
- name: v1beta4
served: true
storage: false
deprecated: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
filename:
type: string
template:
type: string
namespace:
type: string
name:
type: string
required:
- filename
- template
- namespace
- name
- name: v1beta5
served: true
storage: false
deprecated: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
filename:
type: string
template:
type: string
namespace:
type: string
name:
type: string
labels:
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- filename
- template
- namespace
- name
- name: v1beta6
served: true
storage: false
deprecated: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
filename:
type: string
template:
type: string
namespace:
type: string
name:
type: string
labels:
type: object
x-kubernetes-preserve-unknown-fields: true
annotations:
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- filename
- template
- namespace
- name
- name: v1beta7 - name: v1beta7
served: true served: true
storage: true storage: false
deprecated: true
schema: schema:
openAPIV3Schema: openAPIV3Schema:
type: object type: object
@@ -125,3 +45,43 @@ spec:
- template - template
- namespace - namespace
- name - name
- name: v1beta8
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
namespace:
type: string
name:
type: string
secretType:
type: string
content:
type: array
items:
type: object
properties:
element:
type: object
properties:
filename:
type: string
template:
type: string
required:
- filename
- template
labels:
type: object
x-kubernetes-preserve-unknown-fields: true
annotations:
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- namespace
- name

67
charts/bitwarden-crd-operator/crds/registry-credentials.yaml
View File

@@ -13,70 +13,7 @@ spec:
shortNames: shortNames:
- rgc - rgc
versions: versions:
- name: v1beta4 - name: v1beta7
served: true
storage: false
deprecated: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
usernameRef:
type: string
passwordRef:
type: string
registry:
type: string
id:
type: string
namespace:
type: string
name:
type: string
required:
- id
- namespace
- name
- usernameRef
- passwordRef
- registry
- name: v1beta5
served: true
storage: false
deprecated: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
usernameRef:
type: string
passwordRef:
type: string
registry:
type: string
id:
type: string
namespace:
type: string
name:
type: string
labels:
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- id
- namespace
- name
- usernameRef
- passwordRef
- registry
- name: v1beta6
served: true served: true
storage: false storage: false
deprecated: true deprecated: true
@@ -112,7 +49,7 @@ spec:
- usernameRef - usernameRef
- passwordRef - passwordRef
- registry - registry
- name: v1beta7 - name: v1beta8
served: true served: true
storage: true storage: true
schema: schema:

4
example.yaml
View File

@@ -1,5 +1,5 @@
--- ---
apiVersion: "lerentis.uploadfilter24.eu/v1beta7" apiVersion: "lerentis.uploadfilter24.eu/v1beta8"
kind: BitwardenSecret kind: BitwardenSecret
metadata: metadata:
name: test name: test
@@ -24,7 +24,7 @@ spec:
annotations: annotations:
custom.annotation: is-used custom.annotation: is-used
--- ---
apiVersion: "lerentis.uploadfilter24.eu/v1beta7" apiVersion: "lerentis.uploadfilter24.eu/v1beta8"
kind: BitwardenSecret kind: BitwardenSecret
metadata: metadata:
name: test-scope name: test-scope

2
example_dockerlogin.yaml
View File

@@ -1,5 +1,5 @@
--- ---
apiVersion: "lerentis.uploadfilter24.eu/v1beta7" apiVersion: "lerentis.uploadfilter24.eu/v1beta8"
kind: RegistryCredential kind: RegistryCredential
metadata: metadata:
name: test name: test

18
example_template.yaml
View File

@@ -1,10 +1,9 @@
--- ---
apiVersion: "lerentis.uploadfilter24.eu/v1beta7" apiVersion: "lerentis.uploadfilter24.eu/v1beta8"
kind: BitwardenTemplate kind: BitwardenTemplate
metadata: metadata:
name: test name: test
spec: spec:
filename: "config.yaml"
name: "test-template" name: "test-template"
namespace: "default" namespace: "default"
labels: labels:
@@ -12,6 +11,9 @@ spec:
app: example-app app: example-app
annotations: annotations:
custom.annotation: is-used custom.annotation: is-used
content:
- element:
filename: config.yaml
template: | template: |
--- ---
api: api:
@@ -22,3 +24,15 @@ spec:
"some.app.identifier:some_version": "some.app.identifier:some_version":
pubkey: {{ bitwarden_lookup("466fc4b0-ffca-4444-8d88-b59d4de3d928", "fields", "public_key") }} pubkey: {{ bitwarden_lookup("466fc4b0-ffca-4444-8d88-b59d4de3d928", "fields", "public_key") }}
enabled: true enabled: true
- element:
filename: config2.yaml
template: |
---
api:
enabled: True
key: {{ bitwarden_lookup("466fc4b0-ffca-4444-8d88-b59d4de3d928", "fields", "key") }}
allowCrossOrigin: false
apps:
"some.app.identifier:some_version":
pubkey: {{ bitwarden_lookup("466fc4b0-ffca-4444-8d88-b59d4de3d928", "fields", "public_key") }}
enabled: false

2
requirements.txt
View File

@@ -1,4 +1,4 @@
kopf==1.37.2 kopf==1.37.2
kubernetes==29.0.0 kubernetes==30.1.0
Jinja2==3.1.4 Jinja2==3.1.4
schedule==1.2.2 schedule==1.2.2

164
src/template.py
View File

@@ -24,9 +24,72 @@ def create_template_secret(logger, secret, filename, template):
"utf-8") "utf-8")
return secret return secret
def create_template_obj(logger, secret, content_def):
secret.data = {}
for eleml in content_def:
for k, elem in eleml.items():
for key, value in elem.items():
if key == "filename":
_file_name = value
if key == "template":
_template = value
secret.data[_file_name] = str(
base64.b64encode(
render_template(logger, _template).encode("utf-8")),
"utf-8")
return secret
@kopf.on.create('bitwarden-template.lerentis.uploadfilter24.eu') @kopf.on.create('bitwarden-template.lerentis.uploadfilter24.eu')
def create_managed_secret(spec, name, namespace, logger, body, **kwargs): def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
template = spec.get('template')
if template is not None:
create_beta7_secret(spec, name, namespace, logger, body, **kwargs)
secret_name = spec.get('name')
secret_namespace = spec.get('namespace')
custom_secret_type = spec.get('secretType')
labels = spec.get('labels')
custom_annotations = spec.get('annotations')
content_def = spec.get('content')
unlock_bw(logger)
api = kubernetes.client.CoreV1Api()
annotations = {
"managed": "bitwarden-template.lerentis.uploadfilter24.eu",
"managedObject": f"{namespace}/{name}"
}
if custom_annotations:
annotations.update(custom_annotations)
if not custom_secret_type:
custom_secret_type = 'Opaque'
if not labels:
labels = {}
secret = kubernetes.client.V1Secret()
secret.metadata = kubernetes.client.V1ObjectMeta(
name=secret_name, annotations=annotations, labels=labels)
secret.type = custom_secret_type
secret = create_template_obj(logger, secret, content_def)
# Garbage collection will delete the generated secret if the owner
# Is not in the same namespace as the generated secret
if secret_namespace == namespace:
kopf.append_owner_reference(secret)
api.create_namespaced_secret(
namespace="{}".format(secret_namespace),
body=secret
)
logger.info(f"Secret {secret_namespace}/{secret_name} has been created")
def create_beta7_secret(spec, name, namespace, logger, body, **kwargs):
template = spec.get('template') template = spec.get('template')
filename = spec.get('filename') filename = spec.get('filename')
@@ -71,10 +134,7 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
logger.info(f"Secret {secret_namespace}/{secret_name} has been created") logger.info(f"Secret {secret_namespace}/{secret_name} has been created")
def update_beta7_secret(
@kopf.on.update('bitwarden-template.lerentis.uploadfilter24.eu')
@kopf.timer('bitwarden-template.lerentis.uploadfilter24.eu', interval=bw_sync_interval)
def update_managed_secret(
spec, spec,
status, status,
name, name,
@@ -165,6 +225,102 @@ def update_managed_secret(
) )
@kopf.on.update('bitwarden-template.lerentis.uploadfilter24.eu')
@kopf.timer('bitwarden-template.lerentis.uploadfilter24.eu', interval=bw_sync_interval)
def update_managed_secret(
spec,
status,
name,
namespace,
logger,
body,
**kwargs):
template = spec.get('template')
if template is not None:
update_beta7_secret(spec, status, name, namespace, logger, body, **kwargs)
secret_name = spec.get('name')
secret_namespace = spec.get('namespace')
labels = spec.get('labels')
custom_annotations = spec.get('annotations')
custom_secret_type = spec.get('secretType')
content_def = spec.get('content')
if not custom_secret_type:
custom_secret_type = 'Opaque'
old_config = None
old_secret_name = None
old_secret_namespace = None
old_secret_type = None
if 'kopf.zalando.org/last-handled-configuration' in body.metadata.annotations:
old_config = json.loads(
body.metadata.annotations['kopf.zalando.org/last-handled-configuration'])
old_secret_name = old_config['spec'].get('name')
old_secret_namespace = old_config['spec'].get('namespace')
old_secret_type = old_config['spec'].get('secretType')
secret_name = spec.get('name')
secret_namespace = spec.get('namespace')
if not old_secret_type:
old_secret_type = 'Opaque'
if old_config is not None and (
old_secret_name != secret_name or old_secret_namespace != secret_namespace or old_secret_type != custom_secret_type):
# If the name of the secret or the namespace of the secret is different
# We have to delete the secret an recreate it
logger.info("Secret name or namespace changed, let's recreate it")
delete_managed_secret(
old_config['spec'],
name,
namespace,
logger,
**kwargs)
create_managed_secret(spec, name, namespace, logger, body, **kwargs)
return
unlock_bw(logger)
api = kubernetes.client.CoreV1Api()
annotations = {
"managed": "bitwarden-template.lerentis.uploadfilter24.eu",
"managedObject": f"{namespace}/{name}"
}
if custom_annotations:
annotations.update(custom_annotations)
if not labels:
labels = {}
secret = kubernetes.client.V1Secret()
secret.metadata = kubernetes.client.V1ObjectMeta(
name=secret_name, annotations=annotations, labels=labels)
secret.type = custom_secret_type
secret = create_template_obj(logger, secret, content_def)
# Garbage collection will delete the generated secret if the owner
# Is not in the same namespace as the generated secret
if secret_namespace == namespace:
kopf.append_owner_reference(secret)
try:
api.replace_namespaced_secret(
name=secret_name,
body=secret,
namespace="{}".format(secret_namespace))
logger.info(
f"Secret {secret_namespace}/{secret_name} has been updated")
except BaseException as e:
logger.warn(
f"Could not update secret {secret_namespace}/{secret_name}!")
logger.warn(
f"Exception: {e}"
)
@kopf.on.delete('bitwarden-template.lerentis.uploadfilter24.eu') @kopf.on.delete('bitwarden-template.lerentis.uploadfilter24.eu')
def delete_managed_secret(spec, name, namespace, logger, **kwargs): def delete_managed_secret(spec, name, namespace, logger, **kwargs):
secret_name = spec.get('name') secret_name = spec.get('name')