diff --git a/Dockerfile b/Dockerfile
index 0380275..36e86fd 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,7 +7,7 @@ RUN apk add wget unzip
 RUN cd /tmp && wget https://github.com/bitwarden/clients/releases/download/cli-v${BW_VERSION}/bw-linux-${BW_VERSION}.zip && \
     unzip /tmp/bw-linux-${BW_VERSION}.zip
-FROM alpine:3.17
+FROM alpine:3.17.1
 ARG PYTHON_VERSION=3.10.9-r1
 ARG PIP_VERSION=22.3.1-r1
diff --git a/charts/bitwarden-crd-operator/Chart.yaml b/charts/bitwarden-crd-operator/Chart.yaml
index bda8355..9897c4e 100644
--- a/charts/bitwarden-crd-operator/Chart.yaml
+++ b/charts/bitwarden-crd-operator/Chart.yaml
@@ -4,9 +4,9 @@ description: Deploy the Bitwarden CRD Operator
 type: application
-version: "v0.5.0"
+version: "v0.5.1"
-appVersion: "0.5.0"
+appVersion: "0.5.1"
 keywords:
   - operator
@@ -94,12 +94,14 @@ annotations:
   artifacthub.io/license: MIT
   artifacthub.io/operator: "true"
   artifacthub.io/changes: |
-    - kind: added
-      description: "Implemented update handling"
+    - kind: fixed
+      description: "Unlocking bitwarden only when needed"
     - kind: changed
-      description: "Changed default logging structure to json logging"
+      description: "Allow switch of namespaces in CRDs"
+    - kind: fixed
+      description: "Handle none existing keys gracefully"
     - kind: changed
-      description: "Secrets are periodically updated every 15 minutes"
+      description: "Bump alpine minor release version"
   artifacthub.io/images: |
     - name: bitwarden-crd-operator
-      image: lerentis/bitwarden-crd-operator:0.5.0
+      image: lerentis/bitwarden-crd-operator:0.5.1
diff --git a/src/dockerlogin.py b/src/dockerlogin.py
index bdc876b..aef2c59 100644
--- a/src/dockerlogin.py
+++ b/src/dockerlogin.py
@@ -63,6 +63,25 @@ def update_managed_registry_secret(spec, status, name, namespace, logger, body,
     secret_name = spec.get('name')
     secret_namespace = spec.get('namespace')
+
+    old_config = None
+    old_secret_name = None
+    old_secret_namespace = None
+    if 'kopf.zalando.org/last-handled-configuration' in body.metadata.annotations:
+        old_config = json.loads(body.metadata.annotations['kopf.zalando.org/last-handled-configuration'])
+        old_secret_name = old_config['spec'].get('name')
+        old_secret_namespace = old_config['spec'].get('namespace')
+    secret_name = spec.get('name')
+    secret_namespace = spec.get('namespace')
+
+    if old_config is not None and (old_secret_name != secret_name or old_secret_namespace != secret_namespace):
+        # If the name of the secret or the namespace of the secret is different
+        # We have to delete the secret an recreate it
+        logger.info("Secret name or namespace changed, let's recreate it")
+        delete_managed_secret(old_config['spec'], name, namespace, logger, **kwargs)
+        create_managed_registry_secret(spec, name, namespace, logger, **kwargs)
+        return
+
     unlock_bw(logger)
     logger.info(f"Locking up secret with ID: {id}")
     secret_json_object = json.loads(get_secret_from_bitwarden(id))
diff --git a/src/template.py b/src/template.py
index e34e73c..983fa62 100644
--- a/src/template.py
+++ b/src/template.py
@@ -1,6 +1,7 @@
 import kopf
 import base64
 import kubernetes
+import json
 from utils.utils import unlock_bw
 from lookups.bitwarden_lookup import bitwarden_lookup
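Review bot: The secret that `delete_managed_secret` removes in this hunk is chosen from the `kopf.zalando.org/last-handled-configuration` annotation, i.e. from a mutable field on the CR rather than from state the operator itself owns, so a stale or hand-edited annotation would point the delete at whatever name/namespace it happens to contain; if the secrets this operator creates carry an identifying label or owner reference (not visible here), checking for it before the delete would keep the operator from removing a secret it did not create. `old_config['spec']` also raises KeyError when the stored JSON has no `spec` key, whereas `old_spec = old_config.get('spec', {})` would let the comparison degrade to "unchanged" and the existing path run. The `secret_name = spec.get('name')` / `secret_namespace = spec.get('namespace')` pair inside the added block repeats the two assignments already made just above it and can be dropped. The identical block is added to `update_managed_secret` in src/template.py and the same remarks apply there. The enclosing function continues outside the hunk.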
@@ -57,6 +58,24 @@ def update_managed_secret(spec, status, name, namespace, logger, body, **kwargs)
     secret_name = spec.get('name')
     secret_namespace = spec.get('namespace')
+    old_config = None
+    old_secret_name = None
+    old_secret_namespace = None
+    if 'kopf.zalando.org/last-handled-configuration' in body.metadata.annotations:
+        old_config = json.loads(body.metadata.annotations['kopf.zalando.org/last-handled-configuration'])
+        old_secret_name = old_config['spec'].get('name')
+        old_secret_namespace = old_config['spec'].get('namespace')
+    secret_name = spec.get('name')
+    secret_namespace = spec.get('namespace')
+
+    if old_config is not None and (old_secret_name != secret_name or old_secret_namespace != secret_namespace):
+        # If the name of the secret or the namespace of the secret is different
+        # We have to delete the secret an recreate it
+        logger.info("Secret name or namespace changed, let's recreate it")
+        delete_managed_secret(old_config['spec'], name, namespace, logger, **kwargs)
+        create_managed_secret(spec, name, namespace, logger, body, **kwargs)
+        return
+
     unlock_bw(logger)
     api = kubernetes.client.CoreV1Api()