Compare commits

...

64 Commits

Author SHA1 Message Date
Tobias Trabelsi
a2186ab3aa
Merge pull request #61 from Lerentis/Lerentis/issue60
Labels for Secrets and updates
2024-01-06 23:38:59 +01:00
9f4264d355
update dependencies 2024-01-06 23:37:22 +01:00
620d0f0b18
fix CRD and updated docs 2024-01-06 23:29:45 +01:00
ac0bc2d89d
also add labels to update handlers 2024-01-06 22:48:02 +01:00
f45e9ed6a4
bump chart and app version 2024-01-06 14:19:05 +01:00
1d147aad9a
WIP: Labels for Secrets 2024-01-06 14:10:45 +01:00
Tobias Trabelsi
e31899b7f2
Merge pull request #59 from Lerentis/dependabot/github_actions/mikefarah/yq-4.40.5
Bump mikefarah/yq from 4.40.4 to 4.40.5
2023-12-18 20:47:12 +01:00
Tobias Trabelsi
116c1d9c4e
Merge pull request #58 from Lerentis/dependabot/github_actions/actions/download-artifact-4
Bump actions/download-artifact from 3 to 4
2023-12-18 20:47:02 +01:00
dependabot[bot]
0e08d3cc5e
Bump mikefarah/yq from 4.40.4 to 4.40.5
Bumps [mikefarah/yq](https://github.com/mikefarah/yq) from 4.40.4 to 4.40.5.
- [Release notes](https://github.com/mikefarah/yq/releases)
- [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt)
- [Commits](https://github.com/mikefarah/yq/compare/v4.40.4...v4.40.5)

---
updated-dependencies:
- dependency-name: mikefarah/yq
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-18 06:20:53 +00:00
dependabot[bot]
a58f4762d9
Bump actions/download-artifact from 3 to 4
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 3 to 4.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](https://github.com/actions/download-artifact/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-18 06:20:36 +00:00
Tobias Trabelsi
f287bd80a1
Merge pull request #56 from Lerentis/dependabot/github_actions/mikefarah/yq-4.40.4
Bump mikefarah/yq from 4.40.3 to 4.40.4
2023-12-11 17:49:35 +01:00
Tobias Trabelsi
17fdd4a977
Merge pull request #57 from Lerentis/dependabot/github_actions/actions/setup-python-5
Bump actions/setup-python from 4 to 5
2023-12-11 17:49:17 +01:00
dependabot[bot]
2fde884ad5
Bump actions/setup-python from 4 to 5
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4 to 5.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-11 06:40:27 +00:00
dependabot[bot]
cf186e84fb
Bump mikefarah/yq from 4.40.3 to 4.40.4
Bumps [mikefarah/yq](https://github.com/mikefarah/yq) from 4.40.3 to 4.40.4.
- [Release notes](https://github.com/mikefarah/yq/releases)
- [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt)
- [Commits](https://github.com/mikefarah/yq/compare/v4.40.3...v4.40.4)

---
updated-dependencies:
- dependency-name: mikefarah/yq
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-04 06:48:49 +00:00
Tobias Trabelsi
bf5a0b2484
Merge pull request #55 from Lerentis/dependabot/github_actions/mikefarah/yq-4.40.3
Bump mikefarah/yq from 4.40.2 to 4.40.3
2023-11-27 07:52:18 +01:00
dependabot[bot]
3ba8f49b39
Bump mikefarah/yq from 4.40.2 to 4.40.3
Bumps [mikefarah/yq](https://github.com/mikefarah/yq) from 4.40.2 to 4.40.3.
- [Release notes](https://github.com/mikefarah/yq/releases)
- [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt)
- [Commits](https://github.com/mikefarah/yq/compare/v4.40.2...v4.40.3)

---
updated-dependencies:
- dependency-name: mikefarah/yq
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-27 06:48:53 +00:00
Tobias Trabelsi
6a8945af21
Merge pull request #54 from Lerentis/dependabot/github_actions/mikefarah/yq-4.40.2
Bump mikefarah/yq from 4.40.1 to 4.40.2
2023-11-20 23:13:09 +01:00
dependabot[bot]
6160723a72
Bump mikefarah/yq from 4.40.1 to 4.40.2
Bumps [mikefarah/yq](https://github.com/mikefarah/yq) from 4.40.1 to 4.40.2.
- [Release notes](https://github.com/mikefarah/yq/releases)
- [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt)
- [Commits](https://github.com/mikefarah/yq/compare/v4.40.1...v4.40.2)

---
updated-dependencies:
- dependency-name: mikefarah/yq
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-20 06:47:47 +00:00
Tobias Trabelsi
7527163f26
Merge pull request #52 from Lerentis/dependabot/github_actions/mikefarah/yq-4.40.1
Bump mikefarah/yq from 4.35.2 to 4.40.1
2023-11-13 08:19:36 +01:00
dependabot[bot]
c6ee9fdc39
Bump mikefarah/yq from 4.35.2 to 4.40.1
Bumps [mikefarah/yq](https://github.com/mikefarah/yq) from 4.35.2 to 4.40.1.
- [Release notes](https://github.com/mikefarah/yq/releases)
- [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt)
- [Commits](https://github.com/mikefarah/yq/compare/v4.35.2...v4.40.1)

---
updated-dependencies:
- dependency-name: mikefarah/yq
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-13 06:14:33 +00:00
Tobias Trabelsi
313cf7d6e9
Merge pull request #51 from Lerentis/dependabot/github_actions/helm/chart-releaser-action-1.6.0
Bump helm/chart-releaser-action from 1.5.0 to 1.6.0
2023-11-06 08:43:57 +01:00
dependabot[bot]
8649c4e865
Bump helm/chart-releaser-action from 1.5.0 to 1.6.0
Bumps [helm/chart-releaser-action](https://github.com/helm/chart-releaser-action) from 1.5.0 to 1.6.0.
- [Release notes](https://github.com/helm/chart-releaser-action/releases)
- [Commits](https://github.com/helm/chart-releaser-action/compare/v1.5.0...v1.6.0)

---
updated-dependencies:
- dependency-name: helm/chart-releaser-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-06 07:25:38 +00:00
Tobias Trabelsi
23037bafc1
Merge pull request #50 from Lerentis/dependabot/github_actions/helm/chart-testing-action-2.6.1
Bump helm/chart-testing-action from 2.4.0 to 2.6.1
2023-11-06 08:24:11 +01:00
dependabot[bot]
be98eb9b88
Bump helm/chart-testing-action from 2.4.0 to 2.6.1
Bumps [helm/chart-testing-action](https://github.com/helm/chart-testing-action) from 2.4.0 to 2.6.1.
- [Release notes](https://github.com/helm/chart-testing-action/releases)
- [Commits](https://github.com/helm/chart-testing-action/compare/v2.4.0...v2.6.1)

---
updated-dependencies:
- dependency-name: helm/chart-testing-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-06 06:59:52 +00:00
Tobias Trabelsi
80d8db6924
Merge pull request #49 from Lerentis/bugfix/tt/fix-registry-credential-type
Fixed type and content of RegistryCredential
2023-10-27 15:29:18 +02:00
ttrabelsi
d6c207ba82 Fixed type and content of RegistryCredential 2023-10-27 15:22:00 +02:00
Tobias Trabelsi
fc37a12737
Merge pull request #45 from nicoangelo/feature/attachments 2023-10-16 22:58:02 +02:00
Nico Angelo
58b990db2a bump version 2023-10-16 13:28:12 +02:00
Nico Angelo
f3cba82c9f also populate logger for lookup 2023-10-16 13:10:41 +02:00
Nico Angelo
f7a0f43cab fix get attachment command 2023-10-16 13:10:41 +02:00
Nico Angelo
382b6776ce fetch attachments of items 2023-10-16 13:10:41 +02:00
Tobias Trabelsi
94bc6b10b1
Merge pull request #48 from Lerentis/Lerentis/issue47 2023-10-09 23:24:26 +02:00
53dae0aaaf
Added relogin schedule
Fixes #47
2023-10-09 23:18:04 +02:00
41a085c475
Downgrade bitwarden cli due to segfault on newer versions 2023-10-02 20:38:15 +02:00
Tobias Trabelsi
70546b7484
Merge pull request #31 from datalyze-solutions/sync-before-get 2023-10-02 20:35:41 +02:00
Tobias Trabelsi
ae5b39bbcb
Merge pull request #44 from Lerentis/dependabot/github_actions/mikefarah/yq-4.35.2
Bump mikefarah/yq from 4.35.1 to 4.35.2
2023-10-02 09:04:29 +02:00
dependabot[bot]
02dfca5a44
Bump mikefarah/yq from 4.35.1 to 4.35.2
Bumps [mikefarah/yq](https://github.com/mikefarah/yq) from 4.35.1 to 4.35.2.
- [Release notes](https://github.com/mikefarah/yq/releases)
- [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt)
- [Commits](https://github.com/mikefarah/yq/compare/v4.35.1...v4.35.2)

---
updated-dependencies:
- dependency-name: mikefarah/yq
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-02 06:56:42 +00:00
Matthias Ludwig
31cba57a1a
chore: bump version to v0.8.0; add artifacthub changelog 2023-09-27 11:15:19 +02:00
Matthias Ludwig
f0a9258b71
feat: add time and force sync envs to trigger a sync before getting the secrets 2023-09-25 11:13:44 +02:00
Matthias Ludwig
63e6f8ab7b
Merge branch 'Lerentis:main' into sync-before-get 2023-09-22 13:06:31 +02:00
Tobias Trabelsi
9fe5bde4e8
Merge pull request #41 from Lerentis/dependabot/github_actions/docker/setup-qemu-action-3
Bump docker/setup-qemu-action from 2 to 3
2023-09-18 10:46:06 +02:00
Tobias Trabelsi
7e0a5b6b57
Merge pull request #40 from Lerentis/dependabot/github_actions/docker/login-action-3
Bump docker/login-action from 2 to 3
2023-09-18 10:45:56 +02:00
Tobias Trabelsi
b7ef2480be
Merge pull request #39 from Lerentis/dependabot/github_actions/docker/setup-buildx-action-3
Bump docker/setup-buildx-action from 2 to 3
2023-09-18 10:45:46 +02:00
dependabot[bot]
25a825b712
Bump docker/login-action from 2 to 3
Bumps [docker/login-action](https://github.com/docker/login-action) from 2 to 3.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](https://github.com/docker/login-action/compare/v2...v3)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-18 08:38:06 +00:00
dependabot[bot]
963446d9dc
Bump docker/setup-qemu-action from 2 to 3
Bumps [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) from 2 to 3.
- [Release notes](https://github.com/docker/setup-qemu-action/releases)
- [Commits](https://github.com/docker/setup-qemu-action/compare/v2...v3)

---
updated-dependencies:
- dependency-name: docker/setup-qemu-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-18 08:38:00 +00:00
dependabot[bot]
bd000cc23a
Bump docker/setup-buildx-action from 2 to 3
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 2 to 3.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](https://github.com/docker/setup-buildx-action/compare/v2...v3)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-18 08:37:51 +00:00
Tobias Trabelsi
72bb525e9a
Merge pull request #38 from Lerentis/dependabot/github_actions/docker/build-push-action-5
Bump docker/build-push-action from 4 to 5
2023-09-18 10:37:02 +02:00
dependabot[bot]
0bb67e4503
Bump docker/build-push-action from 4 to 5
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 4 to 5.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v4...v5)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-18 08:03:01 +00:00
Tobias Trabelsi
3f35179983
Merge pull request #37 from Lerentis/dependabot/github_actions/actions/checkout-4
Bump actions/checkout from 3 to 4
2023-09-18 10:02:03 +02:00
dependabot[bot]
68ffb94870
Bump actions/checkout from 3 to 4
Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-18 07:31:54 +00:00
Tobias Trabelsi
ddf13aae1c
Merge pull request #42 from Lerentis/bugfix/fix-docker-build
Bugfix/fix-docker-build
2023-09-18 09:31:01 +02:00
ttrabelsi
f63e0ac090 bump version and add release notes 2023-09-18 09:11:20 +02:00
ttrabelsi
39a49ab95b fix docker build by updating some dependencies 2023-09-18 09:11:05 +02:00
Tobias Trabelsi
187da26b30
Merge pull request #36 from mbathe19/main
feat: add probes to helm chart
2023-08-21 11:49:47 +02:00
Tobias Trabelsi
62a2b488d2
Update charts/bitwarden-crd-operator/Chart.yaml 2023-08-21 11:43:39 +02:00
Michel Bathe
bec7476ace fix: updatet chart version and added change log 2023-08-21 11:36:52 +02:00
Michel Bathe
d629fa600f feat: add probes to helm chart 2023-08-18 14:47:58 +02:00
Michel Bathe
ba8c35da9f feat: add probes to helm chart 2023-08-18 14:44:24 +02:00
Tobias Trabelsi
e85ea8357a
Merge pull request #35 from Lerentis/dependabot/github_actions/mikefarah/yq-4.35.1
Bump mikefarah/yq from 4.34.2 to 4.35.1
2023-08-14 14:34:49 +02:00
dependabot[bot]
69d1af8ba5
Bump mikefarah/yq from 4.34.2 to 4.35.1
Bumps [mikefarah/yq](https://github.com/mikefarah/yq) from 4.34.2 to 4.35.1.
- [Release notes](https://github.com/mikefarah/yq/releases)
- [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt)
- [Commits](https://github.com/mikefarah/yq/compare/v4.34.2...v4.35.1)

---
updated-dependencies:
- dependency-name: mikefarah/yq
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-08-14 06:16:25 +00:00
Tobias Trabelsi
293ac2a0b0
Merge pull request #34 from Lerentis/dependabot/pip/kopf-1.36.2
Bump kopf from 1.36.1 to 1.36.2
2023-08-04 10:21:08 +02:00
dependabot[bot]
5c8d10b060
Bump kopf from 1.36.1 to 1.36.2
Bumps [kopf](https://github.com/nolar/kopf) from 1.36.1 to 1.36.2.
- [Release notes](https://github.com/nolar/kopf/releases)
- [Commits](https://github.com/nolar/kopf/compare/1.36.1...1.36.2)

---
updated-dependencies:
- dependency-name: kopf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-07-31 06:31:40 +00:00
Matthias Ludwig
57b6d69b6b chore: add makefile and skaffold config to simplify local testing 2023-07-12 11:06:39 +02:00
Matthias Ludwig
0e33c33415 feat: add sync with bitwarden before getting a secret 2023-07-12 11:05:01 +02:00
22 changed files with 416 additions and 102 deletions

View File

@ -14,7 +14,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v3 uses: actions/checkout@v4
with: with:
fetch-depth: 0 fetch-depth: 0
@ -29,34 +29,34 @@ jobs:
version: v3.10.0 version: v3.10.0
- name: Run chart-releaser - name: Run chart-releaser
uses: helm/chart-releaser-action@v1.5.0 uses: helm/chart-releaser-action@v1.6.0
with: with:
charts_dir: charts charts_dir: charts
env: env:
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
- name: Get app version from chart - name: Get app version from chart
uses: mikefarah/yq@v4.34.2 uses: mikefarah/yq@v4.40.5
id: app_version id: app_version
with: with:
cmd: yq '.appVersion' charts/bitwarden-crd-operator/Chart.yaml cmd: yq '.appVersion' charts/bitwarden-crd-operator/Chart.yaml
- name: "GHCR Login" - name: "GHCR Login"
uses: docker/login-action@v2 uses: docker/login-action@v3
with: with:
registry: ghcr.io registry: ghcr.io
username: lerentis username: lerentis
password: ${{ secrets.GITHUB_TOKEN }} password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up QEMU - name: Set up QEMU
uses: docker/setup-qemu-action@v2 uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2 uses: docker/setup-buildx-action@v3
- name: "GHCR Build and Push" - name: "GHCR Build and Push"
id: docker_build id: docker_build
uses: docker/build-push-action@v4 uses: docker/build-push-action@v5
with: with:
push: true push: true
platforms: linux/amd64,linux/arm64 platforms: linux/amd64,linux/arm64
@ -77,7 +77,7 @@ jobs:
uses: WyriHaximus/github-action-get-previous-tag@v1 uses: WyriHaximus/github-action-get-previous-tag@v1
- name: Download SBOM from github action - name: Download SBOM from github action
uses: actions/download-artifact@v3 uses: actions/download-artifact@v4
with: with:
name: ${{ env.ANCHORE_SBOM_ACTION_PRIOR_ARTIFACT }} name: ${{ env.ANCHORE_SBOM_ACTION_PRIOR_ARTIFACT }}

View File

@ -7,7 +7,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v3 uses: actions/checkout@v4
with: with:
fetch-depth: 0 fetch-depth: 0
@ -16,13 +16,13 @@ jobs:
with: with:
version: v3.11.2 version: v3.11.2
- uses: actions/setup-python@v4 - uses: actions/setup-python@v5
with: with:
python-version: '3.9' python-version: '3.9'
check-latest: true check-latest: true
- name: Set up chart-testing - name: Set up chart-testing
uses: helm/chart-testing-action@v2.4.0 uses: helm/chart-testing-action@v2.6.1
- name: Run chart-testing (list-changed) - name: Run chart-testing (list-changed)
id: list-changed id: list-changed
@ -40,14 +40,14 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Set up QEMU - name: Set up QEMU
uses: docker/setup-qemu-action@v2 uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2 uses: docker/setup-buildx-action@v3
- name: "GHCR Build" - name: "GHCR Build"
id: docker_build id: docker_build
uses: docker/build-push-action@v4 uses: docker/build-push-action@v5
with: with:
push: false push: false
platforms: linux/amd64,linux/arm64 platforms: linux/amd64,linux/arm64

View File

@ -1,13 +1,13 @@
FROM alpine:3.18.0 FROM alpine:3.19.0
LABEL org.opencontainers.image.source=https://github.com/Lerentis/bitwarden-crd-operator LABEL org.opencontainers.image.source=https://github.com/Lerentis/bitwarden-crd-operator
LABEL org.opencontainers.image.description="Kubernetes Operator to create k8s secrets from bitwarden" LABEL org.opencontainers.image.description="Kubernetes Operator to create k8s secrets from bitwarden"
LABEL org.opencontainers.image.licenses=MIT LABEL org.opencontainers.image.licenses=MIT
ARG PYTHON_VERSION=3.11.4-r0 ARG PYTHON_VERSION=3.11.6-r1
ARG PIP_VERSION=23.1.2-r0 ARG PIP_VERSION=23.3.1-r0
ARG GCOMPAT_VERSION=1.1.0-r1 ARG GCOMPAT_VERSION=1.1.0-r4
ARG LIBCRYPTO_VERSION=3.1.0-r4 ARG LIBCRYPTO_VERSION=3.1.4-r2
ARG BW_VERSION=2023.1.0 ARG BW_VERSION=2023.1.0
COPY requirements.txt /requirements.txt COPY requirements.txt /requirements.txt
@ -38,7 +38,7 @@ RUN set -eux; \
mkdir -p /home/bw-operator; \ mkdir -p /home/bw-operator; \
chown -R bw-operator /home/bw-operator; \ chown -R bw-operator /home/bw-operator; \
apk add gcc musl-dev libstdc++ gcompat=${GCOMPAT_VERSION} python3=${PYTHON_VERSION} py3-pip=${PIP_VERSION} libcrypto3=${LIBCRYPTO_VERSION}; \ apk add gcc musl-dev libstdc++ gcompat=${GCOMPAT_VERSION} python3=${PYTHON_VERSION} py3-pip=${PIP_VERSION} libcrypto3=${LIBCRYPTO_VERSION}; \
pip install -r /requirements.txt --no-warn-script-location; \ pip install -r /requirements.txt --no-warn-script-location --break-system-packages; \
rm /requirements.txt; \ rm /requirements.txt; \
apk del --purge gcc musl-dev libstdc++; apk del --purge gcc musl-dev libstdc++;

27
Makefile Normal file
View File

@ -0,0 +1,27 @@
deployment_name ?= bitwarden-crd-operator
namespace ?= bitwarden-crd-operator
label_filter = -l app.kubernetes.io/instance=bitwarden-crd-operator -l app.kubernetes.io/name=bitwarden-crd-operator
create-namespace:
kubectl create namespace ${namespace}
dev:
skaffold dev -n ${namespace}
run:
skaffold run -n ${namespace}
pods:
kubectl -n ${namespace} get pods
desc-pods:
kubectl -n ${namespace} describe pod ${label_filter}
delete-pods-force:
kubectl -n ${namespace} delete pod ${label_filter} --force
exec:
kubectl -n ${namespace} exec -it deployment/${deployment_name} -- sh
logs:
kubectl -n ${namespace} logs -f --tail 30 deployment/${deployment_name}

View File

@ -56,7 +56,7 @@ And you are set to create your first secret using this operator. For that you ne
```yaml ```yaml
--- ---
apiVersion: "lerentis.uploadfilter24.eu/v1beta4" apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
kind: BitwardenSecret kind: BitwardenSecret
metadata: metadata:
name: name-of-your-management-object name: name-of-your-management-object
@ -73,6 +73,8 @@ spec:
id: "A Secret ID from bitwarden" id: "A Secret ID from bitwarden"
name: "Name of the secret to be created" name: "Name of the secret to be created"
namespace: "Namespace of the secret to be created" namespace: "Namespace of the secret to be created"
labels: # Optional
key: value
``` ```
The ID can be extracted from the browser when you open a item the ID is in the URL. The resulting secret looks something like this: The ID can be extracted from the browser when you open a item the ID is in the URL. The resulting secret looks something like this:
@ -87,6 +89,8 @@ metadata:
annotations: annotations:
managed: bitwarden-secrets.lerentis.uploadfilter24.eu managed: bitwarden-secrets.lerentis.uploadfilter24.eu
managedObject: bw-operator/test managedObject: bw-operator/test
labels:
key: value
name: name-of-your-management-object name: name-of-your-management-object
namespace: default namespace: default
type: Opaque type: Opaque
@ -98,7 +102,7 @@ For managing registry credentials, or pull secrets, you can create another kind
```yaml ```yaml
--- ---
apiVersion: "lerentis.uploadfilter24.eu/v1beta4" apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
kind: RegistryCredential kind: RegistryCredential
metadata: metadata:
name: name-of-your-management-object name: name-of-your-management-object
@ -109,6 +113,8 @@ spec:
id: "A Secret ID from bitwarden" id: "A Secret ID from bitwarden"
name: "Name of the secret to be created" name: "Name of the secret to be created"
namespace: "Namespace of the secret to be created" namespace: "Namespace of the secret to be created"
labels: # Optional
key: value
``` ```
The resulting secret looks something like this: The resulting secret looks something like this:
@ -122,6 +128,8 @@ metadata:
annotations: annotations:
managed: bitwarden-secrets.lerentis.uploadfilter24.eu managed: bitwarden-secrets.lerentis.uploadfilter24.eu
managedObject: bw-operator/test managedObject: bw-operator/test
labels:
key: value
name: name-of-your-management-object name: name-of-your-management-object
namespace: default namespace: default
type: dockerconfigjson type: dockerconfigjson
@ -129,11 +137,11 @@ type: dockerconfigjson
## BitwardenTemplate ## BitwardenTemplate
One of the more freely defined types that can be used with this operator you can just pass a whole template: One of the more freely defined types that can be used with this operator you can just pass a whole template. Also the lookup function `bitwarden_lookup` is available to reference parts of the secret:
```yaml ```yaml
--- ---
apiVersion: "lerentis.uploadfilter24.eu/v1beta4" apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
kind: BitwardenTemplate kind: BitwardenTemplate
metadata: metadata:
name: name-of-your-management-object name: name-of-your-management-object
@ -141,15 +149,17 @@ spec:
filename: "Key of the secret to be created" filename: "Key of the secret to be created"
name: "Name of the secret to be created" name: "Name of the secret to be created"
namespace: "Namespace of the secret to be created" namespace: "Namespace of the secret to be created"
labels: # Optional
key: value
template: | template: |
--- ---
api: api:
enabled: True enabled: True
key: {{ bitwarden_lookup("A Secret ID from bitwarden", "login or fields", "name of a field in bitwarden") }} key: {{ bitwarden_lookup("A Secret ID from bitwarden", "login or fields or attachment", "name of a field in bitwarden") }}
allowCrossOrigin: false allowCrossOrigin: false
apps: apps:
"some.app.identifier:some_version": "some.app.identifier:some_version":
pubkey: {{ bitwarden_lookup("A Secret ID from bitwarden", "login or fields", "name of a field in bitwarden") }} pubkey: {{ bitwarden_lookup("A Secret ID from bitwarden", "login or fields or attachment", "name of a field in bitwarden") }}
enabled: true enabled: true
``` ```
@ -164,17 +174,25 @@ metadata:
annotations: annotations:
managed: bitwarden-template.lerentis.uploadfilter24.eu managed: bitwarden-template.lerentis.uploadfilter24.eu
managedObject: namespace/name-of-your-management-object managedObject: namespace/name-of-your-management-object
labels:
key: value
name: Name of the secret to be created name: Name of the secret to be created
namespace: Namespace of the secret to be created namespace: Namespace of the secret to be created
type: Opaque type: Opaque
``` ```
please note that the rendering engine for this template is jinja2, with an addition of a custom `bitwarden_lookup` function, so there are more possibilities to inject here. The signature of `bitwarden_lookup` is `(item_id, scope, field)`:
- `item_id`: The item ID of the secret in Bitwarden
- `scope`: one of `login`, `fields` or `attachment`
- `field`:
- when `scope` is `login`: either `username` or `password`
- when `scope` is `fields`: the name of a custom field
- when `scope` is `attachment`: the filename of a file attached to the item
## Short Term Roadmap Please note that the rendering engine for this template is jinja2, with an addition of a custom `bitwarden_lookup` function, so there are more possibilities to inject here.
- [ ] support more types ## Configurations parameters
- [x] offer option to use a existing secret in helm chart
- [x] host chart on gh pages The operator uses the bitwarden cli in the background and does not communicate to the api directly. The cli mirrors the credential store locally but doesn't sync it on every get request. Instead it will sync each secret every 15 minutes (900 seconds). You can adjust the interval by setting `BW_SYNC_INTERVAL` in the values. If your secrets update very very frequently, you can force the operator to do a sync before each get by setting `BW_FORCE_SYNC="true"`. You might run into rate limits if you do this too frequent.
- [x] write release pipeline
- [x] maybe extend spec to offer modification of keys as well Additionally the bitwarden cli session may expire at some time. In order to create a new session, the login command is triggered from time to time. In what interval exactly can be configured with the env `BW_RELOGIN_INTERVAL` which defaults to 3600s.

View File

@ -4,9 +4,9 @@ description: Deploy the Bitwarden CRD Operator
type: application type: application
version: "v0.7.4" version: "v0.11.0"
appVersion: "0.6.4" appVersion: "0.10.0"
keywords: keywords:
- operator - operator
@ -32,22 +32,22 @@ annotations:
url: https://github.com/Lerentis/bitwarden-crd-operator url: https://github.com/Lerentis/bitwarden-crd-operator
artifacthub.io/crds: | artifacthub.io/crds: |
- kind: BitwardenSecret - kind: BitwardenSecret
version: v1beta4 version: v1beta5
name: bitwarden-secret name: bitwarden-secret
displayName: Bitwarden Secret displayName: Bitwarden Secret
description: Management Object to create secrets from bitwarden description: Management Object to create secrets from bitwarden
- kind: RegistryCredential - kind: RegistryCredential
version: v1beta4 version: v1beta5
name: registry-credential name: registry-credential
displayName: Regestry Credentials displayName: Regestry Credentials
description: Management Object to create regestry secrets from bitwarden description: Management Object to create regestry secrets from bitwarden
- kind: BitwardenTemplate - kind: BitwardenTemplate
version: v1beta1 version: v1beta5
name: bitwarden-template name: bitwarden-template
displayName: Bitwarden Template displayName: Bitwarden Template
description: Management Object to create secrets from a jinja template with a bitwarden lookup description: Management Object to create secrets from a jinja template with a bitwarden lookup
artifacthub.io/crdsExamples: | artifacthub.io/crdsExamples: |
- apiVersion: lerentis.uploadfilter24.eu/v1beta4 - apiVersion: lerentis.uploadfilter24.eu/v1beta5
kind: BitwardenSecret kind: BitwardenSecret
metadata: metadata:
name: test name: test
@ -62,7 +62,9 @@ annotations:
id: "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" id: "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
name: "test-secret" name: "test-secret"
namespace: "default" namespace: "default"
- apiVersion: lerentis.uploadfilter24.eu/v1beta4 labels:
key: value
- apiVersion: lerentis.uploadfilter24.eu/v1beta5
kind: RegistryCredential kind: RegistryCredential
metadata: metadata:
name: test name: test
@ -73,7 +75,9 @@ annotations:
id: "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" id: "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
name: "test-regcred" name: "test-regcred"
namespace: "default" namespace: "default"
- apiVersion: "lerentis.uploadfilter24.eu/v1beta4" labels:
key: value
- apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
kind: BitwardenTemplate kind: BitwardenTemplate
metadata: metadata:
name: test name: test
@ -81,6 +85,8 @@ annotations:
filename: "config.yaml" filename: "config.yaml"
name: "test-regcred" name: "test-regcred"
namespace: "default" namespace: "default"
labels:
key: value
template: | template: |
--- ---
api: api:
@ -89,14 +95,24 @@ annotations:
allowCrossOrigin: false allowCrossOrigin: false
apps: apps:
"some.app.identifier:some_version": "some.app.identifier:some_version":
pubkey: {{ bitwarden_lookup("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "fields", "public_key") }} pubkey: {{ bitwarden_lookup("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "attachment", "public_key") }}
enabled: true enabled: true
artifacthub.io/license: MIT artifacthub.io/license: MIT
artifacthub.io/operator: "true" artifacthub.io/operator: "true"
artifacthub.io/containsSecurityUpdates: "false" artifacthub.io/containsSecurityUpdates: "false"
artifacthub.io/changes: | artifacthub.io/changes: |
- kind: fixed - kind: changed
description: "Fixed bitwarden installation" description: "Added the possibility to add labels to generated secrets"
- kind: changed
description: "Updated Alpine to 3.19.0"
- kind: changed
description: "Update Python to 3.11.6-r1"
- kind: changed
description: "Update pip to 23.3.1-r0"
- kind: changed
description: "Update gcompat to 1.1.0-r4"
- kind: changed
description: "Update libcrypto3 to 3.1.4-r2"
artifacthub.io/images: | artifacthub.io/images: |
- name: bitwarden-crd-operator - name: bitwarden-crd-operator
image: ghcr.io/lerentis/bitwarden-crd-operator:0.6.4 image: ghcr.io/lerentis/bitwarden-crd-operator:0.10.0

View File

@ -15,7 +15,8 @@ spec:
versions: versions:
- name: v1beta4 - name: v1beta4
served: true served: true
storage: true storage: false
deprecated: true
schema: schema:
openAPIV3Schema: openAPIV3Schema:
type: object type: object
@ -49,3 +50,42 @@ spec:
- id - id
- namespace - namespace
- name - name
- name: v1beta5
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
content:
type: array
items:
type: object
properties:
element:
type: object
properties:
secretName:
type: string
secretRef:
type: string
secretScope:
type: string
required:
- secretName
id:
type: string
namespace:
type: string
name:
type: string
labels:
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- id
- namespace
- name

View File

@ -15,7 +15,8 @@ spec:
versions: versions:
- name: v1beta4 - name: v1beta4
served: true served: true
storage: true storage: false
deprecated: true
schema: schema:
openAPIV3Schema: openAPIV3Schema:
type: object type: object
@ -36,3 +37,29 @@ spec:
- template - template
- namespace - namespace
- name - name
- name: v1beta5
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
filename:
type: string
template:
type: string
namespace:
type: string
name:
type: string
labels:
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- filename
- template
- namespace
- name

View File

@ -15,7 +15,8 @@ spec:
versions: versions:
- name: v1beta4 - name: v1beta4
served: true served: true
storage: true storage: false
deprecated: true
schema: schema:
openAPIV3Schema: openAPIV3Schema:
type: object type: object
@ -42,3 +43,35 @@ spec:
- usernameRef - usernameRef
- passwordRef - passwordRef
- registry - registry
- name: v1beta5
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
usernameRef:
type: string
passwordRef:
type: string
registry:
type: string
id:
type: string
namespace:
type: string
name:
type: string
labels:
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- id
- namespace
- name
- usernameRef
- passwordRef
- registry

View File

@ -50,10 +50,20 @@ spec:
httpGet: httpGet:
path: /healthz path: /healthz
port: http port: http
failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
successThreshold: {{ .Values.livenessProbe.successThreshold }}
timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
readinessProbe: readinessProbe:
httpGet: httpGet:
path: /healthz path: /healthz
port: http port: http
failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
successThreshold: {{ .Values.readinessProbe.successThreshold }}
timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
resources: resources:
{{- toYaml .Values.resources | nindent 12 }} {{- toYaml .Values.resources | nindent 12 }}
{{- with .Values.nodeSelector }} {{- with .Values.nodeSelector }}

View File

@ -15,6 +15,10 @@ nameOverride: ""
fullnameOverride: "" fullnameOverride: ""
# env: # env:
# - name: BW_FORCE_SYNC
# value: "false"
# - name: BW_SYNC_INTERVAL
# value: "900"
# - name: BW_HOST # - name: BW_HOST
# value: "define_it" # value: "define_it"
# - name: BW_CLIENTID # - name: BW_CLIENTID
@ -23,6 +27,8 @@ fullnameOverride: ""
# value: "define_it" # value: "define_it"
# - name: BW_PASSWORD # - name: BW_PASSWORD
# value: "define_id" # value: "define_id"
## - name: BW_RELOGIN_INTERVAL
## value: "3600"
externalConfigSecret: externalConfigSecret:
enabled: false enabled: false
@ -51,6 +57,20 @@ securityContext: {}
# runAsNonRoot: true # runAsNonRoot: true
# runAsUser: 1000 # runAsUser: 1000
readinessProbe:
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
livenessProbe:
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
resources: {} resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious # We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little # choice for the user. This also increases chances charts run on environments with little

View File

@ -1,5 +1,5 @@
--- ---
apiVersion: "lerentis.uploadfilter24.eu/v1beta4" apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
kind: BitwardenSecret kind: BitwardenSecret
metadata: metadata:
name: test name: test
@ -16,8 +16,11 @@ spec:
id: "88781348-c81c-4367-9801-550360c21295" id: "88781348-c81c-4367-9801-550360c21295"
name: "test-secret" name: "test-secret"
namespace: "default" namespace: "default"
labels:
key: value
app: example-app
--- ---
apiVersion: "lerentis.uploadfilter24.eu/v1beta4" apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
kind: BitwardenSecret kind: BitwardenSecret
metadata: metadata:
name: test-scope name: test-scope

View File

@ -1,5 +1,5 @@
--- ---
apiVersion: "lerentis.uploadfilter24.eu/v1beta4" apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
kind: RegistryCredential kind: RegistryCredential
metadata: metadata:
name: test name: test
@ -9,4 +9,7 @@ spec:
registry: "docker.io" registry: "docker.io"
id: "3b249ec7-9ce7-440a-9558-f34f3ab10680" id: "3b249ec7-9ce7-440a-9558-f34f3ab10680"
name: "test-regcred" name: "test-regcred"
namespace: "default" namespace: "default"
labels:
namespace: default
tenant: example-team

View File

@ -1,5 +1,5 @@
--- ---
apiVersion: "lerentis.uploadfilter24.eu/v1beta4" apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
kind: BitwardenTemplate kind: BitwardenTemplate
metadata: metadata:
name: test name: test
@ -7,6 +7,9 @@ spec:
filename: "config.yaml" filename: "config.yaml"
name: "test-template" name: "test-template"
namespace: "default" namespace: "default"
labels:
key: value
app: example-app
template: | template: |
--- ---
api: api:

View File

@ -1,3 +1,4 @@
kopf==1.36.1 kopf==1.36.2
kubernetes==26.1.0 kubernetes==26.1.0
Jinja2==3.1.2 Jinja2==3.1.2
schedule==1.2.1

17
skaffold.yaml Normal file
View File

@ -0,0 +1,17 @@
apiVersion: skaffold/v4beta5
kind: Config
metadata:
name: bitwarden-crd-operator
build:
artifacts:
- image: ghcr.io/lerentis/bitwarden-crd-operator
docker:
dockerfile: Dockerfile
deploy:
helm:
releases:
- name: bitwarden-crd-operator
chartPath: charts/bitwarden-crd-operator
valuesFiles:
- env/values.yaml
version: v0.7.4

View File

@ -1,11 +1,12 @@
#!/usr/bin/env python3 #!/usr/bin/env python3
import os import os
import kopf import kopf
import schedule
import time
import threading
from utils.utils import command_wrapper, unlock_bw from utils.utils import command_wrapper, unlock_bw, sync_bw
@kopf.on.startup()
def bitwarden_signin(logger, **kwargs): def bitwarden_signin(logger, **kwargs):
if 'BW_HOST' in os.environ: if 'BW_HOST' in os.environ:
try: try:
@ -18,3 +19,29 @@ def bitwarden_signin(logger, **kwargs):
logger.info("BW_HOST not set. Assuming SaaS installation") logger.info("BW_HOST not set. Assuming SaaS installation")
command_wrapper(logger, "login --apikey") command_wrapper(logger, "login --apikey")
unlock_bw(logger) unlock_bw(logger)
def run_continuously(interval=30):
cease_continuous_run = threading.Event()
class ScheduleThread(threading.Thread):
@classmethod
def run(cls):
while not cease_continuous_run.is_set():
schedule.run_pending()
time.sleep(interval)
continuous_thread = ScheduleThread()
continuous_thread.start()
return cease_continuous_run
@kopf.on.startup()
def load_schedules(logger, **kwargs):
bitwarden_signin(logger)
logger.info("Loading schedules")
bw_relogin_interval = float(os.environ.get('BW_RELOGIN_INTERVAL', 3600))
bw_sync_interval = float(os.environ.get('BW_SYNC_INTERVAL', 900))
schedule.every(bw_relogin_interval).seconds.do(bitwarden_signin, logger=logger)
logger.info(f"relogin scheduled every {bw_relogin_interval} seconds")
schedule.every(bw_sync_interval).seconds.do(sync_bw, logger=logger)
logger.info(f"sync scheduled every {bw_relogin_interval} seconds")
stop_run_continuously = run_continuously()

View File

@ -3,7 +3,7 @@ import kubernetes
import base64 import base64
import json import json
from utils.utils import unlock_bw, get_secret_from_bitwarden from utils.utils import unlock_bw, get_secret_from_bitwarden, bw_sync_interval
def create_dockerlogin( def create_dockerlogin(
@ -13,7 +13,7 @@ def create_dockerlogin(
username_ref, username_ref,
password_ref, password_ref,
registry): registry):
secret.type = "dockerconfigjson" secret.type = "kubernetes.io/dockerconfigjson"
secret.data = {} secret.data = {}
auths_dict = {} auths_dict = {}
registry_dict = {} registry_dict = {}
@ -26,7 +26,8 @@ def create_dockerlogin(
base64.b64encode( base64.b64encode(
f"{_username}:{_password}".encode("utf-8")), f"{_username}:{_password}".encode("utf-8")),
"utf-8") "utf-8")
reg_auth_dict["username"] = _username
reg_auth_dict["password"] = _password
reg_auth_dict["auth"] = cred_field reg_auth_dict["auth"] = cred_field
registry_dict[registry] = reg_auth_dict registry_dict[registry] = reg_auth_dict
auths_dict["auths"] = registry_dict auths_dict["auths"] = registry_dict
@ -43,6 +44,7 @@ def create_managed_registry_secret(spec, name, namespace, logger, **kwargs):
id = spec.get('id') id = spec.get('id')
secret_name = spec.get('name') secret_name = spec.get('name')
secret_namespace = spec.get('namespace') secret_namespace = spec.get('namespace')
labels = spec.get('labels')
unlock_bw(logger) unlock_bw(logger)
logger.info(f"Locking up secret with ID: {id}") logger.info(f"Locking up secret with ID: {id}")
@ -54,9 +56,13 @@ def create_managed_registry_secret(spec, name, namespace, logger, **kwargs):
"managed": "registry-credential.lerentis.uploadfilter24.eu", "managed": "registry-credential.lerentis.uploadfilter24.eu",
"managedObject": f"{namespace}/{name}" "managedObject": f"{namespace}/{name}"
} }
if not labels:
labels = {}
secret = kubernetes.client.V1Secret() secret = kubernetes.client.V1Secret()
secret.metadata = kubernetes.client.V1ObjectMeta( secret.metadata = kubernetes.client.V1ObjectMeta(
name=secret_name, annotations=annotations) name=secret_name, annotations=annotations, labels=labels)
secret = create_dockerlogin( secret = create_dockerlogin(
logger, logger,
secret, secret,
@ -65,7 +71,7 @@ def create_managed_registry_secret(spec, name, namespace, logger, **kwargs):
password_ref, password_ref,
registry) registry)
obj = api.create_namespaced_secret( api.create_namespaced_secret(
secret_namespace, secret secret_namespace, secret
) )
@ -74,7 +80,7 @@ def create_managed_registry_secret(spec, name, namespace, logger, **kwargs):
@kopf.on.update('registry-credential.lerentis.uploadfilter24.eu') @kopf.on.update('registry-credential.lerentis.uploadfilter24.eu')
@kopf.timer('registry-credential.lerentis.uploadfilter24.eu', interval=900) @kopf.timer('registry-credential.lerentis.uploadfilter24.eu', interval=bw_sync_interval)
def update_managed_registry_secret( def update_managed_registry_secret(
spec, spec,
status, status,
@ -90,6 +96,7 @@ def update_managed_registry_secret(
id = spec.get('id') id = spec.get('id')
secret_name = spec.get('name') secret_name = spec.get('name')
secret_namespace = spec.get('namespace') secret_namespace = spec.get('namespace')
labels = spec.get('labels')
old_config = None old_config = None
old_secret_name = None old_secret_name = None
@ -126,9 +133,13 @@ def update_managed_registry_secret(
"managed": "registry-credential.lerentis.uploadfilter24.eu", "managed": "registry-credential.lerentis.uploadfilter24.eu",
"managedObject": f"{namespace}/{name}" "managedObject": f"{namespace}/{name}"
} }
if not labels:
labels = {}
secret = kubernetes.client.V1Secret() secret = kubernetes.client.V1Secret()
secret.metadata = kubernetes.client.V1ObjectMeta( secret.metadata = kubernetes.client.V1ObjectMeta(
name=secret_name, annotations=annotations) name=secret_name, annotations=annotations, labels=labels)
secret = create_dockerlogin( secret = create_dockerlogin(
logger, logger,
secret, secret,
@ -137,7 +148,7 @@ def update_managed_registry_secret(
password_ref, password_ref,
registry) registry)
try: try:
obj = api.replace_namespaced_secret( api.replace_namespaced_secret(
name=secret_name, name=secret_name,
body=secret, body=secret,
namespace="{}".format(secret_namespace)) namespace="{}".format(secret_namespace))

View File

@ -3,8 +3,7 @@ import kubernetes
import base64 import base64
import json import json
from utils.utils import unlock_bw, get_secret_from_bitwarden, parse_login_scope, parse_fields_scope from utils.utils import unlock_bw, get_secret_from_bitwarden, parse_login_scope, parse_fields_scope, bw_sync_interval
def create_kv(secret, secret_json, content_def): def create_kv(secret, secret_json, content_def):
secret.type = "Opaque" secret.type = "Opaque"
@ -42,6 +41,7 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
id = spec.get('id') id = spec.get('id')
secret_name = spec.get('name') secret_name = spec.get('name')
secret_namespace = spec.get('namespace') secret_namespace = spec.get('namespace')
labels = spec.get('labels')
unlock_bw(logger) unlock_bw(logger)
logger.info(f"Locking up secret with ID: {id}") logger.info(f"Locking up secret with ID: {id}")
@ -53,12 +53,16 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
"managed": "bitwarden-secret.lerentis.uploadfilter24.eu", "managed": "bitwarden-secret.lerentis.uploadfilter24.eu",
"managedObject": f"{namespace}/{name}" "managedObject": f"{namespace}/{name}"
} }
if not labels:
labels = {}
secret = kubernetes.client.V1Secret() secret = kubernetes.client.V1Secret()
secret.metadata = kubernetes.client.V1ObjectMeta( secret.metadata = kubernetes.client.V1ObjectMeta(
name=secret_name, annotations=annotations) name=secret_name, annotations=annotations, labels=labels)
secret = create_kv(secret, secret_json_object, content_def) secret = create_kv(secret, secret_json_object, content_def)
obj = api.create_namespaced_secret( api.create_namespaced_secret(
namespace="{}".format(secret_namespace), namespace="{}".format(secret_namespace),
body=secret body=secret
) )
@ -67,7 +71,7 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
@kopf.on.update('bitwarden-secret.lerentis.uploadfilter24.eu') @kopf.on.update('bitwarden-secret.lerentis.uploadfilter24.eu')
@kopf.timer('bitwarden-secret.lerentis.uploadfilter24.eu', interval=900) @kopf.timer('bitwarden-secret.lerentis.uploadfilter24.eu', interval=bw_sync_interval)
def update_managed_secret( def update_managed_secret(
spec, spec,
status, status,
@ -89,6 +93,7 @@ def update_managed_secret(
old_secret_namespace = old_config['spec'].get('namespace') old_secret_namespace = old_config['spec'].get('namespace')
secret_name = spec.get('name') secret_name = spec.get('name')
secret_namespace = spec.get('namespace') secret_namespace = spec.get('namespace')
labels = spec.get('labels')
if old_config is not None and ( if old_config is not None and (
old_secret_name != secret_name or old_secret_namespace != secret_namespace): old_secret_name != secret_name or old_secret_namespace != secret_namespace):
@ -115,13 +120,16 @@ def update_managed_secret(
"managedObject": f"{namespace}/{name}" "managedObject": f"{namespace}/{name}"
} }
if not labels:
labels = {}
secret = kubernetes.client.V1Secret() secret = kubernetes.client.V1Secret()
secret.metadata = kubernetes.client.V1ObjectMeta( secret.metadata = kubernetes.client.V1ObjectMeta(
name=secret_name, annotations=annotations) name=secret_name, annotations=annotations, labels=labels)
secret = create_kv(secret, secret_json_object, content_def) secret = create_kv(secret, secret_json_object, content_def)
try: try:
obj = api.replace_namespaced_secret( api.replace_namespaced_secret(
name=secret_name, name=secret_name,
body=secret, body=secret,
namespace="{}".format(secret_namespace)) namespace="{}".format(secret_namespace))

View File

@ -1,11 +1,16 @@
import json from utils.utils import get_secret_from_bitwarden, get_attachment, parse_fields_scope, parse_login_scope
from utils.utils import get_secret_from_bitwarden, parse_fields_scope, parse_login_scope
def bitwarden_lookup(id, scope, field): class BitwardenLookupHandler:
_secret_json = get_secret_from_bitwarden(None, id)
if scope == "login": def __init__(self, logger) -> None:
return parse_login_scope(_secret_json, field) self.logger = logger
if scope == "fields":
return parse_fields_scope(_secret_json, field) def bitwarden_lookup(self, id, scope, field):
if scope == "attachment":
return get_attachment(self.logger, id, field)
_secret_json = get_secret_from_bitwarden(self.logger, id)
if scope == "login":
return parse_login_scope(_secret_json, field)
if scope == "fields":
return parse_fields_scope(_secret_json, field)

View File

@ -3,28 +3,25 @@ import base64
import kubernetes import kubernetes
import json import json
from utils.utils import unlock_bw from utils.utils import unlock_bw, bw_sync_interval
from lookups.bitwarden_lookup import bitwarden_lookup from lookups.bitwarden_lookup import BitwardenLookupHandler
from jinja2 import Environment, BaseLoader from jinja2 import Environment, BaseLoader
lookup_func_dict = { def render_template(logger, template):
"bitwarden_lookup": bitwarden_lookup,
}
def render_template(template):
jinja_template = Environment(loader=BaseLoader()).from_string(template) jinja_template = Environment(loader=BaseLoader()).from_string(template)
jinja_template.globals.update(lookup_func_dict) jinja_template.globals.update({
"bitwarden_lookup": BitwardenLookupHandler(logger).bitwarden_lookup,
})
return jinja_template.render() return jinja_template.render()
def create_template_secret(secret, filename, template): def create_template_secret(logger, secret, filename, template):
secret.type = "Opaque" secret.type = "Opaque"
secret.data = {} secret.data = {}
secret.data[filename] = str( secret.data[filename] = str(
base64.b64encode( base64.b64encode(
render_template(template).encode("utf-8")), render_template(logger, template).encode("utf-8")),
"utf-8") "utf-8")
return secret return secret
@ -36,6 +33,7 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
filename = spec.get('filename') filename = spec.get('filename')
secret_name = spec.get('name') secret_name = spec.get('name')
secret_namespace = spec.get('namespace') secret_namespace = spec.get('namespace')
labels = spec.get('labels')
unlock_bw(logger) unlock_bw(logger)
@ -45,12 +43,16 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
"managed": "bitwarden-template.lerentis.uploadfilter24.eu", "managed": "bitwarden-template.lerentis.uploadfilter24.eu",
"managedObject": f"{namespace}/{name}" "managedObject": f"{namespace}/{name}"
} }
if not labels:
labels = {}
secret = kubernetes.client.V1Secret() secret = kubernetes.client.V1Secret()
secret.metadata = kubernetes.client.V1ObjectMeta( secret.metadata = kubernetes.client.V1ObjectMeta(
name=secret_name, annotations=annotations) name=secret_name, annotations=annotations, labels=labels)
secret = create_template_secret(secret, filename, template) secret = create_template_secret(logger, secret, filename, template)
obj = api.create_namespaced_secret( api.create_namespaced_secret(
secret_namespace, secret secret_namespace, secret
) )
@ -58,7 +60,7 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
@kopf.on.update('bitwarden-template.lerentis.uploadfilter24.eu') @kopf.on.update('bitwarden-template.lerentis.uploadfilter24.eu')
@kopf.timer('bitwarden-template.lerentis.uploadfilter24.eu', interval=900) @kopf.timer('bitwarden-template.lerentis.uploadfilter24.eu', interval=bw_sync_interval)
def update_managed_secret( def update_managed_secret(
spec, spec,
status, status,
@ -72,6 +74,7 @@ def update_managed_secret(
filename = spec.get('filename') filename = spec.get('filename')
secret_name = spec.get('name') secret_name = spec.get('name')
secret_namespace = spec.get('namespace') secret_namespace = spec.get('namespace')
labels = spec.get('labels')
old_config = None old_config = None
old_secret_name = None old_secret_name = None
@ -106,13 +109,17 @@ def update_managed_secret(
"managed": "bitwarden-template.lerentis.uploadfilter24.eu", "managed": "bitwarden-template.lerentis.uploadfilter24.eu",
"managedObject": f"{namespace}/{name}" "managedObject": f"{namespace}/{name}"
} }
if not labels:
labels = {}
secret = kubernetes.client.V1Secret() secret = kubernetes.client.V1Secret()
secret.metadata = kubernetes.client.V1ObjectMeta( secret.metadata = kubernetes.client.V1ObjectMeta(
name=secret_name, annotations=annotations) name=secret_name, annotations=annotations, labels=labels)
secret = create_template_secret(secret, filename, template) secret = create_template_secret(logger, secret, filename, template)
try: try:
obj = api.replace_namespaced_secret( api.replace_namespaced_secret(
name=secret_name, name=secret_name,
body=secret, body=secret,
namespace="{}".format(secret_namespace)) namespace="{}".format(secret_namespace))

View File

@ -1,16 +1,48 @@
import os import os
import json import json
import subprocess import subprocess
import distutils
bw_sync_interval = float(os.environ.get(
'BW_SYNC_INTERVAL', 900))
class BitwardenCommandException(Exception): class BitwardenCommandException(Exception):
pass pass
def get_secret_from_bitwarden(logger, id): def get_secret_from_bitwarden(logger, id, force_sync=False):
sync_bw(logger, force=force_sync)
return command_wrapper(logger, command=f"get item {id}") return command_wrapper(logger, command=f"get item {id}")
def sync_bw(logger, force=False):
def _sync(logger):
status_output = command_wrapper(logger, command=f"sync")
logger.info(f"Sync successful {status_output}")
return
if force:
_sync(logger)
return
global_force_sync = bool(distutils.util.strtobool(
os.environ.get('BW_FORCE_SYNC', "false")))
if global_force_sync:
logger.debug("Running forced sync")
status_output = _sync(logger)
logger.info(f"Sync successful {status_output}")
else:
logger.debug("Running scheduled sync")
status_output = _sync(logger)
logger.info(f"Sync successful {status_output}")
def get_attachment(logger, id, name):
return command_wrapper(logger, command=f"get attachment {name} --itemid {id}", raw=True)
def unlock_bw(logger): def unlock_bw(logger):
status_output = command_wrapper(logger, "status", False) status_output = command_wrapper(logger, "status", False)
status = status_output['data']['template']['status'] status = status_output['data']['template']['status']
@ -22,16 +54,22 @@ def unlock_bw(logger):
logger.info("Signin successful. Session exported") logger.info("Signin successful. Session exported")
def command_wrapper(logger, command, use_success: bool = True): def command_wrapper(logger, command, use_success: bool = True, raw: bool = False):
system_env = dict(os.environ) system_env = dict(os.environ)
response_flag = "--raw" if raw else "--response"
sp = subprocess.Popen( sp = subprocess.Popen(
[f"bw --response {command}"], [f"bw {response_flag} {command}"],
stdout=subprocess.PIPE, stdout=subprocess.PIPE,
stderr=subprocess.PIPE, stderr=subprocess.PIPE,
close_fds=True, close_fds=True,
shell=True, shell=True,
env=system_env) env=system_env)
out, err = sp.communicate() out, err = sp.communicate()
if err:
logger.warn(err)
return None
if raw:
return out.decode(encoding='UTF-8')
if "DEBUG" in system_env: if "DEBUG" in system_env:
logger.info(out.decode(encoding='UTF-8')) logger.info(out.decode(encoding='UTF-8'))
resp = json.loads(out.decode(encoding='UTF-8')) resp = json.loads(out.decode(encoding='UTF-8'))