allow annotations and honor gc

This commit is contained in:
Tobias Trabelsi 2024-05-19 00:07:05 +02:00
parent 1128051a5b
commit b01f410f9f
Signed by: lerentis
GPG Key ID: FF0C2839718CAF2E
12 changed files with 201 additions and 24 deletions

View File

@ -32,22 +32,22 @@ annotations:
url: https://github.com/Lerentis/bitwarden-crd-operator url: https://github.com/Lerentis/bitwarden-crd-operator
artifacthub.io/crds: | artifacthub.io/crds: |
- kind: BitwardenSecret - kind: BitwardenSecret
version: v1beta5 version: v1beta6
name: bitwarden-secret name: bitwarden-secret
displayName: Bitwarden Secret displayName: Bitwarden Secret
description: Management Object to create secrets from bitwarden description: Management Object to create secrets from bitwarden
- kind: RegistryCredential - kind: RegistryCredential
version: v1beta5 version: v1beta6
name: registry-credential name: registry-credential
displayName: Regestry Credentials displayName: Regestry Credentials
description: Management Object to create regestry secrets from bitwarden description: Management Object to create regestry secrets from bitwarden
- kind: BitwardenTemplate - kind: BitwardenTemplate
version: v1beta5 version: v1beta6
name: bitwarden-template name: bitwarden-template
displayName: Bitwarden Template displayName: Bitwarden Template
description: Management Object to create secrets from a jinja template with a bitwarden lookup description: Management Object to create secrets from a jinja template with a bitwarden lookup
artifacthub.io/crdsExamples: | artifacthub.io/crdsExamples: |
- apiVersion: lerentis.uploadfilter24.eu/v1beta5 - apiVersion: lerentis.uploadfilter24.eu/v1beta6
kind: BitwardenSecret kind: BitwardenSecret
metadata: metadata:
name: test name: test
@ -64,7 +64,9 @@ annotations:
namespace: "default" namespace: "default"
labels: labels:
key: value key: value
- apiVersion: lerentis.uploadfilter24.eu/v1beta5 annotations:
key: value
- apiVersion: lerentis.uploadfilter24.eu/v1beta6
kind: RegistryCredential kind: RegistryCredential
metadata: metadata:
name: test name: test
@ -77,7 +79,9 @@ annotations:
namespace: "default" namespace: "default"
labels: labels:
key: value key: value
- apiVersion: "lerentis.uploadfilter24.eu/v1beta5" annotations:
key: value
- apiVersion: "lerentis.uploadfilter24.eu/v1beta6"
kind: BitwardenTemplate kind: BitwardenTemplate
metadata: metadata:
name: test name: test
@ -87,6 +91,8 @@ annotations:
namespace: "default" namespace: "default"
labels: labels:
key: value key: value
annotations:
key: value
template: | template: |
--- ---
api: api:
@ -116,7 +122,7 @@ annotations:
- kind: added - kind: added
description: "Allow custom annotations to generated secrets" description: "Allow custom annotations to generated secrets"
- kind: added - kind: added
description: "Set ownership of generated secrets" description: "Set ownership of generated secrets if CRD is in the same namespace"
artifacthub.io/images: | artifacthub.io/images: |
- name: bitwarden-crd-operator - name: bitwarden-crd-operator
image: ghcr.io/lerentis/bitwarden-crd-operator:0.11.0 image: ghcr.io/lerentis/bitwarden-crd-operator:0.11.0

View File

@ -52,7 +52,8 @@ spec:
- name - name
- name: v1beta5 - name: v1beta5
served: true served: true
storage: true storage: false
deprecated: true
schema: schema:
openAPIV3Schema: openAPIV3Schema:
type: object type: object
@ -89,3 +90,45 @@ spec:
- id - id
- namespace - namespace
- name - name
- name: v1beta6
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
content:
type: array
items:
type: object
properties:
element:
type: object
properties:
secretName:
type: string
secretRef:
type: string
secretScope:
type: string
required:
- secretName
id:
type: string
namespace:
type: string
name:
type: string
labels:
type: object
x-kubernetes-preserve-unknown-fields: true
annotations:
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- id
- namespace
- name

View File

@ -39,7 +39,8 @@ spec:
- name - name
- name: v1beta5 - name: v1beta5
served: true served: true
storage: true storage: false
deprecated: true
schema: schema:
openAPIV3Schema: openAPIV3Schema:
type: object type: object
@ -63,3 +64,32 @@ spec:
- template - template
- namespace - namespace
- name - name
- name: v1beta6
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
filename:
type: string
template:
type: string
namespace:
type: string
name:
type: string
labels:
type: object
x-kubernetes-preserve-unknown-fields: true
annotations:
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- filename
- template
- namespace
- name

View File

@ -45,7 +45,8 @@ spec:
- registry - registry
- name: v1beta5 - name: v1beta5
served: true served: true
storage: true storage: false
deprecated: true
schema: schema:
openAPIV3Schema: openAPIV3Schema:
type: object type: object
@ -75,3 +76,38 @@ spec:
- usernameRef - usernameRef
- passwordRef - passwordRef
- registry - registry
- name: v1beta6
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
usernameRef:
type: string
passwordRef:
type: string
registry:
type: string
id:
type: string
namespace:
type: string
name:
type: string
labels:
type: object
x-kubernetes-preserve-unknown-fields: true
annotations:
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- id
- namespace
- name
- usernameRef
- passwordRef
- registry

View File

@ -8,6 +8,8 @@ spec:
{{- if not .Values.autoscaling.enabled }} {{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }} replicas: {{ .Values.replicaCount }}
{{- end }} {{- end }}
strategy:
type: {{ .Values.deploymentStrategy }}
selector: selector:
matchLabels: matchLabels:
{{- include "bitwarden-crd-operator.selectorLabels" . | nindent 6 }} {{- include "bitwarden-crd-operator.selectorLabels" . | nindent 6 }}

View File

@ -14,6 +14,8 @@ imagePullSecrets: []
nameOverride: "" nameOverride: ""
fullnameOverride: "" fullnameOverride: ""
deploymentStrategy: "Recreate"
# env: # env:
# - name: BW_FORCE_SYNC # - name: BW_FORCE_SYNC
# value: "false" # value: "false"

View File

@ -1,8 +1,9 @@
--- ---
apiVersion: "lerentis.uploadfilter24.eu/v1beta5" apiVersion: "lerentis.uploadfilter24.eu/v1beta6"
kind: BitwardenSecret kind: BitwardenSecret
metadata: metadata:
name: test name: test
namespace: default
spec: spec:
content: content:
- element: - element:
@ -19,8 +20,10 @@ spec:
labels: labels:
key: value key: value
app: example-app app: example-app
annotations:
custom.annotation: is-used
--- ---
apiVersion: "lerentis.uploadfilter24.eu/v1beta5" apiVersion: "lerentis.uploadfilter24.eu/v1beta6"
kind: BitwardenSecret kind: BitwardenSecret
metadata: metadata:
name: test-scope name: test-scope

View File

@ -1,5 +1,5 @@
--- ---
apiVersion: "lerentis.uploadfilter24.eu/v1beta5" apiVersion: "lerentis.uploadfilter24.eu/v1beta6"
kind: RegistryCredential kind: RegistryCredential
metadata: metadata:
name: test name: test
@ -13,3 +13,5 @@ spec:
labels: labels:
namespace: default namespace: default
tenant: example-team tenant: example-team
annotations:
custom.annotation: is-used

View File

@ -1,5 +1,5 @@
--- ---
apiVersion: "lerentis.uploadfilter24.eu/v1beta5" apiVersion: "lerentis.uploadfilter24.eu/v1beta6"
kind: BitwardenTemplate kind: BitwardenTemplate
metadata: metadata:
name: test name: test
@ -10,6 +10,8 @@ spec:
labels: labels:
key: value key: value
app: example-app app: example-app
annotations:
custom.annotation: is-used
template: | template: |
--- ---
api: api:

View File

@ -45,6 +45,7 @@ def create_managed_registry_secret(spec, name, namespace, logger, **kwargs):
secret_name = spec.get('name') secret_name = spec.get('name')
secret_namespace = spec.get('namespace') secret_namespace = spec.get('namespace')
labels = spec.get('labels') labels = spec.get('labels')
custom_annotations = spec.get('annotations')
unlock_bw(logger) unlock_bw(logger)
logger.info(f"Locking up secret with ID: {id}") logger.info(f"Locking up secret with ID: {id}")
@ -57,6 +58,9 @@ def create_managed_registry_secret(spec, name, namespace, logger, **kwargs):
"managedObject": f"{namespace}/{name}" "managedObject": f"{namespace}/{name}"
} }
if custom_annotations:
annotations.update(custom_annotations)
if not labels: if not labels:
labels = {} labels = {}
@ -71,7 +75,10 @@ def create_managed_registry_secret(spec, name, namespace, logger, **kwargs):
password_ref, password_ref,
registry) registry)
kopf.append_owner_reference(secret) # Garbage collection will delete the generated secret if the owner
# Is not in the same namespace as the generated secret
if secret_namespace == namespace:
kopf.append_owner_reference(secret)
api.create_namespaced_secret( api.create_namespaced_secret(
secret_namespace, secret secret_namespace, secret
@ -99,6 +106,7 @@ def update_managed_registry_secret(
secret_name = spec.get('name') secret_name = spec.get('name')
secret_namespace = spec.get('namespace') secret_namespace = spec.get('namespace')
labels = spec.get('labels') labels = spec.get('labels')
custom_annotations = spec.get('annotations')
old_config = None old_config = None
old_secret_name = None old_secret_name = None
@ -136,6 +144,9 @@ def update_managed_registry_secret(
"managedObject": f"{namespace}/{name}" "managedObject": f"{namespace}/{name}"
} }
if custom_annotations:
annotations.update(custom_annotations)
if not labels: if not labels:
labels = {} labels = {}
@ -150,7 +161,10 @@ def update_managed_registry_secret(
password_ref, password_ref,
registry) registry)
kopf.append_owner_reference(secret) # Garbage collection will delete the generated secret if the owner
# Is not in the same namespace as the generated secret
if secret_namespace == namespace:
kopf.append_owner_reference(secret)
try: try:
api.replace_namespaced_secret( api.replace_namespaced_secret(
@ -159,9 +173,12 @@ def update_managed_registry_secret(
namespace="{}".format(secret_namespace)) namespace="{}".format(secret_namespace))
logger.info( logger.info(
f"Secret {secret_namespace}/{secret_name} has been updated") f"Secret {secret_namespace}/{secret_name} has been updated")
except BaseException: except BaseException as e:
logger.warn( logger.warn(
f"Could not update secret {secret_namespace}/{secret_name}!") f"Could not update secret {secret_namespace}/{secret_name}!")
logger.warn(
f"Exception: {e}"
)
@kopf.on.delete('registry-credential.lerentis.uploadfilter24.eu') @kopf.on.delete('registry-credential.lerentis.uploadfilter24.eu')

View File

@ -42,6 +42,7 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
secret_name = spec.get('name') secret_name = spec.get('name')
secret_namespace = spec.get('namespace') secret_namespace = spec.get('namespace')
labels = spec.get('labels') labels = spec.get('labels')
custom_annotations = spec.get('annotations')
unlock_bw(logger) unlock_bw(logger)
logger.info(f"Locking up secret with ID: {id}") logger.info(f"Locking up secret with ID: {id}")
@ -54,6 +55,9 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
"managedObject": f"{namespace}/{name}" "managedObject": f"{namespace}/{name}"
} }
if custom_annotations:
annotations.update(custom_annotations)
if not labels: if not labels:
labels = {} labels = {}
@ -62,7 +66,10 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
name=secret_name, annotations=annotations, labels=labels) name=secret_name, annotations=annotations, labels=labels)
secret = create_kv(secret, secret_json_object, content_def) secret = create_kv(secret, secret_json_object, content_def)
kopf.append_owner_reference(secret) # Garbage collection will delete the generated secret if the owner
# Is not in the same namespace as the generated secret
if secret_namespace == namespace:
kopf.append_owner_reference(secret)
api.create_namespaced_secret( api.create_namespaced_secret(
namespace="{}".format(secret_namespace), namespace="{}".format(secret_namespace),
@ -96,6 +103,7 @@ def update_managed_secret(
secret_name = spec.get('name') secret_name = spec.get('name')
secret_namespace = spec.get('namespace') secret_namespace = spec.get('namespace')
labels = spec.get('labels') labels = spec.get('labels')
custom_annotations = spec.get('annotations')
if old_config is not None and ( if old_config is not None and (
old_secret_name != secret_name or old_secret_namespace != secret_namespace): old_secret_name != secret_name or old_secret_namespace != secret_namespace):
@ -122,6 +130,9 @@ def update_managed_secret(
"managedObject": f"{namespace}/{name}" "managedObject": f"{namespace}/{name}"
} }
if custom_annotations:
annotations.update(custom_annotations)
if not labels: if not labels:
labels = {} labels = {}
@ -130,7 +141,10 @@ def update_managed_secret(
name=secret_name, annotations=annotations, labels=labels) name=secret_name, annotations=annotations, labels=labels)
secret = create_kv(secret, secret_json_object, content_def) secret = create_kv(secret, secret_json_object, content_def)
kopf.append_owner_reference(secret) # Garbage collection will delete the generated secret if the owner
# Is not in the same namespace as the generated secret
if secret_namespace == namespace:
kopf.append_owner_reference(secret)
try: try:
api.replace_namespaced_secret( api.replace_namespaced_secret(
@ -139,9 +153,12 @@ def update_managed_secret(
namespace="{}".format(secret_namespace)) namespace="{}".format(secret_namespace))
logger.info( logger.info(
f"Secret {secret_namespace}/{secret_name} has been updated") f"Secret {secret_namespace}/{secret_name} has been updated")
except BaseException: except BaseException as e:
logger.warn( logger.warn(
f"Could not update secret {secret_namespace}/{secret_name}!") f"Could not update secret {secret_namespace}/{secret_name}!")
logger.warn(
f"Exception: {e}"
)
@kopf.on.delete('bitwarden-secret.lerentis.uploadfilter24.eu') @kopf.on.delete('bitwarden-secret.lerentis.uploadfilter24.eu')

View File

@ -34,6 +34,7 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
secret_name = spec.get('name') secret_name = spec.get('name')
secret_namespace = spec.get('namespace') secret_namespace = spec.get('namespace')
labels = spec.get('labels') labels = spec.get('labels')
custom_annotations = spec.get('annotations')
unlock_bw(logger) unlock_bw(logger)
@ -44,6 +45,9 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
"managedObject": f"{namespace}/{name}" "managedObject": f"{namespace}/{name}"
} }
if custom_annotations:
annotations.update(custom_annotations)
if not labels: if not labels:
labels = {} labels = {}
@ -52,7 +56,10 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
name=secret_name, annotations=annotations, labels=labels) name=secret_name, annotations=annotations, labels=labels)
secret = create_template_secret(logger, secret, filename, template) secret = create_template_secret(logger, secret, filename, template)
kopf.append_owner_reference(secret) # Garbage collection will delete the generated secret if the owner
# Is not in the same namespace as the generated secret
if secret_namespace == namespace:
kopf.append_owner_reference(secret)
api.create_namespaced_secret( api.create_namespaced_secret(
secret_namespace, secret secret_namespace, secret
@ -77,6 +84,7 @@ def update_managed_secret(
secret_name = spec.get('name') secret_name = spec.get('name')
secret_namespace = spec.get('namespace') secret_namespace = spec.get('namespace')
labels = spec.get('labels') labels = spec.get('labels')
custom_annotations = spec.get('annotations')
old_config = None old_config = None
old_secret_name = None old_secret_name = None
@ -112,6 +120,9 @@ def update_managed_secret(
"managedObject": f"{namespace}/{name}" "managedObject": f"{namespace}/{name}"
} }
if custom_annotations:
annotations.update(custom_annotations)
if not labels: if not labels:
labels = {} labels = {}
@ -120,7 +131,10 @@ def update_managed_secret(
name=secret_name, annotations=annotations, labels=labels) name=secret_name, annotations=annotations, labels=labels)
secret = create_template_secret(logger, secret, filename, template) secret = create_template_secret(logger, secret, filename, template)
kopf.append_owner_reference(secret) # Garbage collection will delete the generated secret if the owner
# Is not in the same namespace as the generated secret
if secret_namespace == namespace:
kopf.append_owner_reference(secret)
try: try:
api.replace_namespaced_secret( api.replace_namespaced_secret(
@ -129,9 +143,12 @@ def update_managed_secret(
namespace="{}".format(secret_namespace)) namespace="{}".format(secret_namespace))
logger.info( logger.info(
f"Secret {secret_namespace}/{secret_name} has been updated") f"Secret {secret_namespace}/{secret_name} has been updated")
except BaseException: except BaseException as e:
logger.warn( logger.warn(
f"Could not update secret {secret_namespace}/{secret_name}!") f"Could not update secret {secret_namespace}/{secret_name}!")
logger.warn(
f"Exception: {e}"
)
@kopf.on.delete('bitwarden-template.lerentis.uploadfilter24.eu') @kopf.on.delete('bitwarden-template.lerentis.uploadfilter24.eu')