Merge pull request #97 from Lerentis/feature/tt/refactor-templates

(feat): refactor bitwardenTemplate to handle more than one file

.github/workflows/release.yml

@@ -24,7 +24,7 @@ jobs:
           git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
 
       - name: Install Helm
-        uses: azure/setup-helm@v3
+        uses: azure/setup-helm@v4
         with:
           version: v3.10.0
 
@@ -36,7 +36,7 @@ jobs:
           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
 
       - name: Get app version from chart
-        uses: mikefarah/yq@v4.40.5
+        uses: mikefarah/yq@v4.44.3
         id: app_version
         with:
           cmd: yq '.appVersion' charts/bitwarden-crd-operator/Chart.yaml
@@ -56,7 +56,7 @@ jobs:
 
       - name: "GHCR Build and Push"
         id: docker_build
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           push: true
           platforms: linux/amd64,linux/arm64

.github/workflows/test-and-lint.yml

@@ -12,7 +12,7 @@ jobs:
           fetch-depth: 0
 
       - name: Set up Helm
-        uses: azure/setup-helm@v3
+        uses: azure/setup-helm@v4
         with:
           version: v3.11.2
 
@@ -36,6 +36,18 @@ jobs:
         if: steps.list-changed.outputs.changed == 'true'
         run: ct lint --target-branch ${{ github.event.repository.default_branch }}
 
+      - name: Install ah cli
+        run: |
+          export AH_VERSION=1.17.0
+          curl -LO https://github.com/artifacthub/hub/releases/download/v${AH_VERSION}/ah_${AH_VERSION}_linux_amd64.tar.gz
+          tar -xf ah_${AH_VERSION}_linux_amd64.tar.gz
+          chmod +x ./ah
+          sudo mv ./ah /usr/bin/ah
+          rm LICENSE
+      - name: ah lint
+        run: |
+          ah lint
+
   pr-build:
     runs-on: ubuntu-latest
     steps:
@@ -45,11 +57,10 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: "GHCR Build"
+      - name: GHCR Build
         id: docker_build
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           push: false
           platforms: linux/amd64,linux/arm64
           tags: ghcr.io/lerentis/bitwarden-crd-operator:dev
-

Dockerfile

@@ -1,39 +1,23 @@
-FROM alpine:3.19.0
+FROM alpine:3.20.3
 
 LABEL org.opencontainers.image.source=https://github.com/Lerentis/bitwarden-crd-operator
 LABEL org.opencontainers.image.description="Kubernetes Operator to create k8s secrets from bitwarden"
 LABEL org.opencontainers.image.licenses=MIT
 
-ARG PYTHON_VERSION=3.11.6-r1
-ARG PIP_VERSION=23.3.1-r0
+ARG PYTHON_VERSION=3.12.6-r0
+ARG PIP_VERSION=24.0-r2
 ARG GCOMPAT_VERSION=1.1.0-r4
-ARG LIBCRYPTO_VERSION=3.1.4-r2
-ARG BW_VERSION=2023.7.0
-ARG NODE_VERSION=20.10.0-r1
+ARG LIBCRYPTO_VERSION=3.3.2-r0
+ARG BW_VERSION=2024.7.2
+ARG NODE_VERSION=20.15.1-r0
 
 COPY requirements.txt /requirements.txt
 
 RUN set -eux; \
-    apk add --virtual build-dependencies wget unzip; \
-    ARCH="$(apk --print-arch)"; \
-    case "${ARCH}" in \
-       aarch64|arm64) \
-          apk add nodejs=${NODE_VERSION} npm; \
-          npm install -g @bitwarden/cli@${BW_VERSION}; \
-         ;; \
-       amd64|x86_64) \
-          cd /tmp; \
-          wget https://github.com/bitwarden/clients/releases/download/cli-v${BW_VERSION}/bw-linux-${BW_VERSION}.zip; \
-          unzip /tmp/bw-linux-${BW_VERSION}.zip; \
-          mv /tmp/bw /usr/local/bin/bw; \
-          chmod +x /usr/local/bin/bw; \
-         ;; \
-       *) \
-         echo "Unsupported arch: ${ARCH}"; \
-         exit 1; \
-         ;; \
-    esac; \
-    apk del --purge build-dependencies; \
+    apk update; \
+    apk del nodejs-current; \
+    apk add nodejs=${NODE_VERSION} npm; \
+    npm install -g @bitwarden/cli@${BW_VERSION}; \
     addgroup -S -g 1000 bw-operator; \
     adduser -S -D -u 1000 -G bw-operator bw-operator; \
     mkdir -p /home/bw-operator; \

README.md

@@ -56,25 +56,29 @@ And you are set to create your first secret using this operator. For that you ne
 
 ```yaml
 ---
-apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
+apiVersion: "lerentis.uploadfilter24.eu/v1beta8"
 kind: BitwardenSecret
 metadata:
   name: name-of-your-management-object
 spec:
   content:
     - element:
-        secretName: nameOfTheFieldInBitwarden # for example username
+        secretName: nameOfTheFieldInBitwarden # for example username or filename
         secretRef: nameOfTheKeyInTheSecretToBeCreated 
-        secretScope: login # for custom entries on bitwarden use 'fields' 
+        secretScope: login # for custom entries on bitwarden use 'fields, for attachments use attachment' 
     - element:
-        secretName: nameOfAnotherFieldInBitwarden # for example password
+        secretName: nameOfAnotherFieldInBitwarden # for example password or filename
         secretRef: nameOfAnotherKeyInTheSecretToBeCreated 
-        secretScope: login # for custom entries on bitwarden use 'fields' 
+        secretScope: login # for custom entries on bitwarden use 'fields, for attachments use attachment' 
   id: "A Secret ID from bitwarden"
   name: "Name of the secret to be created"
+  secretType: # Optional (Default: Opaque)
   namespace: "Namespace of the secret to be created"
   labels: # Optional
     key: value
+  annotations: # Optional
+    key: value
+
 ```
 
 The ID can be extracted from the browser when you open a item the ID is in the URL. The resulting secret looks something like this:
@@ -102,7 +106,7 @@ For managing registry credentials, or pull secrets, you can create another kind
 
 ```yaml
 ---
-apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
+apiVersion: "lerentis.uploadfilter24.eu/v1beta8"
 kind: RegistryCredential
 metadata:
   name: name-of-your-management-object
@@ -115,6 +119,8 @@ spec:
   namespace: "Namespace of the secret to be created"
   labels: # Optional
     key: value
+  annotations: # Optional
+    key: value
 ```
 
 The resulting secret looks something like this:
@@ -141,26 +147,43 @@ One of the more freely defined types that can be used with this operator you can
 
 ```yaml
 ---
-apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
+apiVersion: "lerentis.uploadfilter24.eu/v1beta8"
 kind: BitwardenTemplate
 metadata:
   name: name-of-your-management-object
 spec:
-  filename: "Key of the secret to be created"
   name: "Name of the secret to be created"
+  secretType: # Optional (Default: Opaque)
   namespace: "Namespace of the secret to be created"
   labels: # Optional
     key: value
-  template: |
-    ---
-    api:
-      enabled: True
-      key: {{ bitwarden_lookup("A Secret ID from bitwarden", "login or fields or attachment", "name of a field in bitwarden") }}
-      allowCrossOrigin: false
-      apps:
-        "some.app.identifier:some_version":
-          pubkey: {{ bitwarden_lookup("A Secret ID from bitwarden", "login or fields or attachment", "name of a field in bitwarden") }}
-          enabled: true
+  annotations: # Optional
+    key: value
+  content:
+    - element:
+        filename: config.yaml
+        template: |
+          ---
+          api:
+            enabled: True
+            key: {{ bitwarden_lookup("A Secret ID from bitwarden", "login or fields or attachment", "name of a field in bitwarden") }}
+            allowCrossOrigin: false
+            apps:
+              "some.app.identifier:some_version":
+                pubkey: {{ bitwarden_lookup("A Secret ID from bitwarden", "login or fields or attachment", "name of a field in bitwarden") }}
+                enabled: true
+    - element:
+        filename: config2.yaml
+        template: |
+          ---
+          api:
+            enabled: True
+            key: {{ bitwarden_lookup("A Secret ID from bitwarden", "login or fields or attachment", "name of a field in bitwarden") }}
+            allowCrossOrigin: false
+            apps:
+              "some.app.identifier:some_version":
+                pubkey: {{ bitwarden_lookup("A Secret ID from bitwarden", "login or fields or attachment", "name of a field in bitwarden") }}
+                enabled: false
 ```
 
 This will result in something like the following object:
@@ -195,4 +218,4 @@ Please note that the rendering engine for this template is jinja2, with an addit
 
 The operator uses the bitwarden cli in the background and does not communicate to the api directly. The cli mirrors the credential store locally but doesn't sync it on every get request. Instead it will sync each secret every 15 minutes (900 seconds). You can adjust the interval by setting `BW_SYNC_INTERVAL` in the values. If your secrets update very very frequently, you can force the operator to do a sync before each get by setting `BW_FORCE_SYNC="true"`. You might run into rate limits if you do this too frequent.
 
-Additionally the bitwarden cli session may expire at some time. In order to create a new session, the login command is triggered from time to time. In what interval exactly can be configured with the env `BW_RELOGIN_INTERVAL` which defaults to 3600s.
+Additionally the bitwarden cli session may expire at some time. In order to create a new session, the login command is triggered from time to time. In what interval exactly can be configured with the env `BW_RELOGIN_INTERVAL` which defaults to `3600` seconds.

charts/bitwarden-crd-operator/Chart.yaml

@@ -4,9 +4,9 @@ description: Deploy the Bitwarden CRD Operator
 
 type: application
 
-version: "v0.11.1"
+version: "v0.15.0"
 
-appVersion: "0.10.1"
+appVersion: "0.14.0"
 
 keywords:
   - operator
@@ -20,7 +20,7 @@ home: https://lerentis.github.io/bitwarden-crd-operator/
 sources:
   - https://github.com/Lerentis/bitwarden-crd-operator
 
-kubeVersion: ">= 1.23.0-0"
+kubeVersion: ">= 1.28.0-0"
 
 maintainers:
   - name: lerentis
@@ -32,22 +32,22 @@ annotations:
       url: https://github.com/Lerentis/bitwarden-crd-operator
   artifacthub.io/crds: |
     - kind: BitwardenSecret
-      version: v1beta5
+      version: v1beta8
       name: bitwarden-secret
       displayName: Bitwarden Secret
       description: Management Object to create secrets from bitwarden
     - kind: RegistryCredential
-      version: v1beta5
+      version: v1beta8
       name: registry-credential
       displayName: Regestry Credentials
       description: Management Object to create regestry secrets from bitwarden
     - kind: BitwardenTemplate
-      version: v1beta5
+      version: v1beta8
       name: bitwarden-template
       displayName: Bitwarden Template
       description: Management Object to create secrets from a jinja template with a bitwarden lookup
   artifacthub.io/crdsExamples: |
-    - apiVersion: lerentis.uploadfilter24.eu/v1beta5
+    - apiVersion: lerentis.uploadfilter24.eu/v1beta8
       kind: BitwardenSecret
       metadata:
         name: test
@@ -61,10 +61,13 @@ annotations:
               secretRef: passwordOfUser
         id: "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
         name: "test-secret"
+        secretType: Obaque #Optional
         namespace: "default"
         labels:
           key: value
-    - apiVersion: lerentis.uploadfilter24.eu/v1beta5
+        annotations:
+          key: value
+    - apiVersion: lerentis.uploadfilter24.eu/v1beta8
       kind: RegistryCredential
       metadata:
         name: test
@@ -77,34 +80,46 @@ annotations:
         namespace: "default"
         labels:
           key: value
-    - apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
+        annotations:
+          key: value
+    - apiVersion: "lerentis.uploadfilter24.eu/v1beta8"
       kind: BitwardenTemplate
       metadata:
         name: test
       spec:
-        filename: "config.yaml"
         name: "test-regcred"
+        secretType: Obaque #Optional
         namespace: "default"
         labels:
           key: value
-        template: |
-          ---
-          api:
-            enabled: True
-            key: {{ bitwarden_lookup("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "fields", "key") }}
-            allowCrossOrigin: false
-            apps:
-              "some.app.identifier:some_version":
-                pubkey: {{ bitwarden_lookup("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "attachment", "public_key") }}
-                enabled: true
+        annotations:
+          key: value
+        content:
+          - element:
+              filename: "config.yaml"
+              template: |
+                ---
+                api:
+                  enabled: True
+                  key: {{ bitwarden_lookup("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "fields", "key") }}
+                  allowCrossOrigin: false
+                  apps:
+                    "some.app.identifier:some_version":
+                      pubkey: {{ bitwarden_lookup("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "attachment", "public_key") }}
+                      enabled: true
+
   artifacthub.io/license: MIT
   artifacthub.io/operator: "true"
   artifacthub.io/containsSecurityUpdates: "false"
   artifacthub.io/changes: |
-    - kind: fixed
-      description: "Downgrade node to LTS in order to make bw cli work on arm"
     - kind: changed
-      description: "Update bw cli to 2023.7.0 for the same reason"
+      description: "BitwardenTemplate can now handle multiple files"
+    - kind: changed
+      description: "Removed long deprecated versions"
+    - kind: changed
+      description: "Update kubernetes from v29.0.0 to v30.1.0"
+    - kind: changed
+      description: "Update alpine from 3.20.2 to 3.20.3"
   artifacthub.io/images: |
     - name: bitwarden-crd-operator
-      image: ghcr.io/lerentis/bitwarden-crd-operator:0.10.1
+      image: ghcr.io/lerentis/bitwarden-crd-operator:0.14.0

charts/bitwarden-crd-operator/crds/bitwarden-secrets.yaml

@@ -13,7 +13,7 @@ spec:
     shortNames:
       - bws
   versions:
-    - name: v1beta4
+    - name: v1beta7
       served: true
       storage: false
       deprecated: true
@@ -46,11 +46,19 @@ spec:
                   type: string
                 name:
                   type: string
+                secretType: 
+                  type: string
+                labels:
+                  type: object
+                  x-kubernetes-preserve-unknown-fields: true
+                annotations:
+                  type: object
+                  x-kubernetes-preserve-unknown-fields: true
               required:
                 - id
                 - namespace
                 - name
-    - name: v1beta5
+    - name: v1beta8
       served: true
       storage: true
       schema:
@@ -82,10 +90,15 @@ spec:
                   type: string
                 name:
                   type: string
+                secretType: 
+                  type: string
                 labels:
                   type: object
                   x-kubernetes-preserve-unknown-fields: true
+                annotations:
+                  type: object
+                  x-kubernetes-preserve-unknown-fields: true
               required:
                 - id
                 - namespace
-                - name
+                - name

charts/bitwarden-crd-operator/crds/bitwarden-templates.yaml

@@ -13,7 +13,7 @@ spec:
     shortNames:
       - bwt
   versions:
-    - name: v1beta4
+    - name: v1beta7
       served: true
       storage: false
       deprecated: true
@@ -32,12 +32,20 @@ spec:
                   type: string
                 name:
                   type: string
+                secretType: 
+                  type: string
+                labels:
+                  type: object
+                  x-kubernetes-preserve-unknown-fields: true
+                annotations:
+                  type: object
+                  x-kubernetes-preserve-unknown-fields: true
               required:
                 - filename
                 - template
                 - namespace
                 - name
-    - name: v1beta5
+    - name: v1beta8
       served: true
       storage: true
       schema:
@@ -47,19 +55,33 @@ spec:
             spec:
               type: object
               properties:
-                filename:
-                  type: string
-                template:
-                  type: string
                 namespace:
                   type: string
                 name:
                   type: string
+                secretType: 
+                  type: string
+                content:
+                  type: array
+                  items:
+                    type: object
+                    properties:
+                      element:
+                        type: object
+                        properties:
+                          filename:
+                            type: string
+                          template:
+                            type: string
+                        required:
+                          - filename
+                          - template
                 labels:
                   type: object
                   x-kubernetes-preserve-unknown-fields: true
+                annotations:
+                  type: object
+                  x-kubernetes-preserve-unknown-fields: true
               required:
-                - filename
-                - template
                 - namespace
-                - name
+                - name

charts/bitwarden-crd-operator/crds/registry-credentials.yaml

@@ -13,7 +13,7 @@ spec:
     shortNames:
       - rgc
   versions:
-    - name: v1beta4
+    - name: v1beta7
       served: true
       storage: false
       deprecated: true
@@ -36,6 +36,12 @@ spec:
                   type: string
                 name:
                   type: string
+                labels:
+                  type: object
+                  x-kubernetes-preserve-unknown-fields: true
+                annotations:
+                  type: object
+                  x-kubernetes-preserve-unknown-fields: true
               required:
                 - id
                 - namespace
@@ -43,7 +49,7 @@ spec:
                 - usernameRef
                 - passwordRef
                 - registry
-    - name: v1beta5
+    - name: v1beta8
       served: true
       storage: true
       schema:
@@ -68,6 +74,9 @@ spec:
                 labels:
                   type: object
                   x-kubernetes-preserve-unknown-fields: true
+                annotations:
+                  type: object
+                  x-kubernetes-preserve-unknown-fields: true
               required:
                 - id
                 - namespace

charts/bitwarden-crd-operator/templates/deployment.yaml

@@ -8,6 +8,8 @@ spec:
   {{- if not .Values.autoscaling.enabled }}
   replicas: {{ .Values.replicaCount }}
   {{- end }}
+  strategy: 
+    type: {{ .Values.deploymentStrategy }}
   selector:
     matchLabels:
       {{- include "bitwarden-crd-operator.selectorLabels" . | nindent 6 }}

charts/bitwarden-crd-operator/values.yaml

@@ -14,6 +14,8 @@ imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
 
+deploymentStrategy: "Recreate"
+
 # env:
 #   - name: BW_FORCE_SYNC
 #     value: "false"

example.yaml

@@ -1,8 +1,9 @@
 ---
-apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
+apiVersion: "lerentis.uploadfilter24.eu/v1beta8"
 kind: BitwardenSecret
 metadata:
   name: test
+  namespace: default
 spec:
   content:
     - element:
@@ -15,12 +16,15 @@ spec:
         secretScope: login
   id: "88781348-c81c-4367-9801-550360c21295"
   name: "test-secret"
+  secretType: Opaque
   namespace: "default"
   labels:
     key: value
     app: example-app
+  annotations:
+    custom.annotation: is-used
 ---
-apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
+apiVersion: "lerentis.uploadfilter24.eu/v1beta8"
 kind: BitwardenSecret
 metadata:
   name: test-scope

example_dockerlogin.yaml

@@ -1,5 +1,5 @@
 ---
-apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
+apiVersion: "lerentis.uploadfilter24.eu/v1beta8"
 kind: RegistryCredential
 metadata:
   name: test
@@ -12,4 +12,6 @@ spec:
   namespace: "default"
   labels:
     namespace: default
-    tenant: example-team
+    tenant: example-team
+  annotations:
+    custom.annotation: is-used

example_template.yaml

@@ -1,22 +1,38 @@
 ---
-apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
+apiVersion: "lerentis.uploadfilter24.eu/v1beta8"
 kind: BitwardenTemplate
 metadata:
   name: test
 spec:
-  filename: "config.yaml"
   name: "test-template"
   namespace: "default"
   labels:
     key: value
     app: example-app
-  template: |
-    ---
-    api:
-      enabled: True
-      key: {{ bitwarden_lookup("466fc4b0-ffca-4444-8d88-b59d4de3d928", "fields", "key") }}
-      allowCrossOrigin: false
-      apps:
-        "some.app.identifier:some_version":
-          pubkey: {{ bitwarden_lookup("466fc4b0-ffca-4444-8d88-b59d4de3d928", "fields", "public_key") }}
-          enabled: true
+  annotations:
+    custom.annotation: is-used
+  content:
+    - element:
+        filename: config.yaml
+        template: |
+          ---
+          api:
+            enabled: True
+            key: {{ bitwarden_lookup("466fc4b0-ffca-4444-8d88-b59d4de3d928", "fields", "key") }}
+            allowCrossOrigin: false
+            apps:
+              "some.app.identifier:some_version":
+                pubkey: {{ bitwarden_lookup("466fc4b0-ffca-4444-8d88-b59d4de3d928", "fields", "public_key") }}
+                enabled: true
+    - element:
+        filename: config2.yaml
+        template: |
+          ---
+          api:
+            enabled: True
+            key: {{ bitwarden_lookup("466fc4b0-ffca-4444-8d88-b59d4de3d928", "fields", "key") }}
+            allowCrossOrigin: false
+            apps:
+              "some.app.identifier:some_version":
+                pubkey: {{ bitwarden_lookup("466fc4b0-ffca-4444-8d88-b59d4de3d928", "fields", "public_key") }}
+                enabled: false

requirements.txt

@@ -1,4 +1,4 @@
-kopf==1.36.2
-kubernetes==26.1.0
-Jinja2==3.1.2
-schedule==1.2.1
+kopf==1.37.2
+kubernetes==30.1.0
+Jinja2==3.1.4
+schedule==1.2.2

skaffold.yaml

@@ -1,8 +1,10 @@
-apiVersion: skaffold/v4beta5
+apiVersion: skaffold/v4beta9
 kind: Config
 metadata:
   name: bitwarden-crd-operator
 build:
+  tagPolicy:
+    sha256: {}
   artifacts:
     - image: ghcr.io/lerentis/bitwarden-crd-operator
       docker:
@@ -13,5 +15,43 @@ deploy:
       - name: bitwarden-crd-operator
         chartPath: charts/bitwarden-crd-operator
         valuesFiles:
-          - env/values.yaml
-        version: v0.7.4
+          - ./charts/bitwarden-crd-operator/myvalues.yaml
+        setValueTemplates:
+          image.repository: "{{.IMAGE_REPO_ghcr_io_lerentis_bitwarden_crd_operator}}"
+          image.tag: "{{.IMAGE_TAG_ghcr_io_lerentis_bitwarden_crd_operator}}@{{.IMAGE_DIGEST_ghcr_io_lerentis_bitwarden_crd_operator}}"
+    hooks:
+      after:
+        - host:
+            command:
+              - kubectl
+              - apply
+              - -f
+              - ./example*.yaml
+        - host:
+            command:
+              - sleep
+              - '5'
+        - host:
+            command:
+              - kubectl
+              - get
+              - secret
+              - test-regcred
+        - host:
+            command:
+              - kubectl
+              - get
+              - secret
+              - test-scope
+        - host:
+            command:
+              - kubectl
+              - get
+              - secret
+              - test-secret
+        - host:
+            command:
+              - kubectl
+              - get
+              - secret
+              - test-template

src/dockerlogin.py

@@ -45,6 +45,7 @@ def create_managed_registry_secret(spec, name, namespace, logger, **kwargs):
     secret_name = spec.get('name')
     secret_namespace = spec.get('namespace')
     labels = spec.get('labels')
+    custom_annotations = spec.get('annotations')
 
     unlock_bw(logger)
     logger.info(f"Locking up secret with ID: {id}")
@@ -57,6 +58,9 @@ def create_managed_registry_secret(spec, name, namespace, logger, **kwargs):
         "managedObject": f"{namespace}/{name}"
     }
 
+    if custom_annotations:
+        annotations.update(custom_annotations)
+
     if not labels:
         labels = {}
 
@@ -70,6 +74,11 @@ def create_managed_registry_secret(spec, name, namespace, logger, **kwargs):
         username_ref,
         password_ref,
         registry)
+    
+    # Garbage collection will delete the generated secret if the owner
+    # Is not in the same namespace as the generated secret
+    if secret_namespace == namespace:
+        kopf.append_owner_reference(secret)
 
     api.create_namespaced_secret(
         secret_namespace, secret
@@ -97,6 +106,7 @@ def update_managed_registry_secret(
     secret_name = spec.get('name')
     secret_namespace = spec.get('namespace')
     labels = spec.get('labels')
+    custom_annotations = spec.get('annotations')
 
     old_config = None
     old_secret_name = None
@@ -134,6 +144,9 @@ def update_managed_registry_secret(
         "managedObject": f"{namespace}/{name}"
     }
 
+    if custom_annotations:
+        annotations.update(custom_annotations)
+
     if not labels:
         labels = {}
 
@@ -147,6 +160,12 @@ def update_managed_registry_secret(
         username_ref,
         password_ref,
         registry)
+    
+    # Garbage collection will delete the generated secret if the owner
+    # Is not in the same namespace as the generated secret
+    if secret_namespace == namespace:
+        kopf.append_owner_reference(secret)
+
     try:
         api.replace_namespaced_secret(
             name=secret_name,
@@ -154,9 +173,12 @@ def update_managed_registry_secret(
             namespace="{}".format(secret_namespace))
         logger.info(
             f"Secret {secret_namespace}/{secret_name} has been updated")
-    except BaseException:
+    except BaseException as e:
         logger.warn(
             f"Could not update secret {secret_namespace}/{secret_name}!")
+        logger.warn(
+            f"Exception: {e}"
+        )
 
 
 @kopf.on.delete('registry-credential.lerentis.uploadfilter24.eu')

src/kv.py

@@ -3,10 +3,9 @@ import kubernetes
 import base64
 import json
 
-from utils.utils import unlock_bw, get_secret_from_bitwarden, parse_login_scope, parse_fields_scope, bw_sync_interval
+from utils.utils import unlock_bw, get_secret_from_bitwarden, parse_login_scope, parse_fields_scope, get_attachment, bw_sync_interval
 
-def create_kv(secret, secret_json, content_def):
-    secret.type = "Opaque"
+def create_kv(logger, id, secret, secret_json, content_def):
     secret.data = {}
     for eleml in content_def:
         for k, elem in eleml.items():
@@ -31,6 +30,13 @@ def create_kv(secret, secret_json, content_def):
                         f"Field {_secret_key} has no value in bitwarden secret")
                 secret.data[_secret_ref] = str(base64.b64encode(
                     value.encode("utf-8")), "utf-8")
+            if _secret_scope == "attachment":
+                value = get_attachment(logger, id, _secret_key)
+                if value is None:
+                    raise Exception(
+                        f"Attachment {_secret_key} has no value in bitwarden secret")
+                secret.data[_secret_ref] = str(base64.b64encode(
+                    value.encode("utf-8")), "utf-8")
     return secret
 
 
@@ -42,6 +48,8 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
     secret_name = spec.get('name')
     secret_namespace = spec.get('namespace')
     labels = spec.get('labels')
+    custom_annotations = spec.get('annotations')
+    custom_secret_type = spec.get('secretType')
 
     unlock_bw(logger)
     logger.info(f"Locking up secret with ID: {id}")
@@ -54,13 +62,25 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
         "managedObject": f"{namespace}/{name}"
     }
 
+    if custom_annotations:
+        annotations.update(custom_annotations)
+
+    if not custom_secret_type:
+        custom_secret_type = 'Opaque'
+
     if not labels:
         labels = {}
 
     secret = kubernetes.client.V1Secret()
     secret.metadata = kubernetes.client.V1ObjectMeta(
         name=secret_name, annotations=annotations, labels=labels)
-    secret = create_kv(secret, secret_json_object, content_def)
+    secret.type = custom_secret_type
+    secret = create_kv(logger, id, secret, secret_json_object, content_def)
+
+    # Garbage collection will delete the generated secret if the owner
+    # Is not in the same namespace as the generated secret
+    if secret_namespace == namespace:
+        kopf.append_owner_reference(secret)
 
     api.create_namespaced_secret(
         namespace="{}".format(secret_namespace),
@@ -86,20 +106,30 @@ def update_managed_secret(
     old_config = None
     old_secret_name = None
     old_secret_namespace = None
+    old_secret_type = None
     if 'kopf.zalando.org/last-handled-configuration' in body.metadata.annotations:
         old_config = json.loads(
             body.metadata.annotations['kopf.zalando.org/last-handled-configuration'])
         old_secret_name = old_config['spec'].get('name')
         old_secret_namespace = old_config['spec'].get('namespace')
+        old_secret_type = old_config['spec'].get('secretType')
     secret_name = spec.get('name')
     secret_namespace = spec.get('namespace')
     labels = spec.get('labels')
+    custom_annotations = spec.get('annotations')
+    custom_secret_type = spec.get('secretType')
+
+    if not custom_secret_type:
+        custom_secret_type = 'Opaque'
+
+    if not old_secret_type:
+        old_secret_type = 'Opaque'
 
     if old_config is not None and (
-            old_secret_name != secret_name or old_secret_namespace != secret_namespace):
+            old_secret_name != secret_name or old_secret_namespace != secret_namespace or old_secret_type != custom_secret_type):
         # If the name of the secret or the namespace of the secret is different
         # We have to delete the secret an recreate it
-        logger.info("Secret name or namespace changed, let's recreate it")
+        logger.info("Secret name, namespace or type changed, let's recreate it")
         delete_managed_secret(
             old_config['spec'],
             name,
@@ -120,13 +150,22 @@ def update_managed_secret(
         "managedObject": f"{namespace}/{name}"
     }
 
+    if custom_annotations:
+        annotations.update(custom_annotations)
+
     if not labels:
         labels = {}
 
     secret = kubernetes.client.V1Secret()
     secret.metadata = kubernetes.client.V1ObjectMeta(
         name=secret_name, annotations=annotations, labels=labels)
-    secret = create_kv(secret, secret_json_object, content_def)
+    secret.type = custom_secret_type
+    secret = create_kv(logger, id, secret, secret_json_object, content_def)
+
+    # Garbage collection will delete the generated secret if the owner
+    # Is not in the same namespace as the generated secret
+    if secret_namespace == namespace:
+        kopf.append_owner_reference(secret)
 
     try:
         api.replace_namespaced_secret(
@@ -135,9 +174,12 @@ def update_managed_secret(
             namespace="{}".format(secret_namespace))
         logger.info(
             f"Secret {secret_namespace}/{secret_name} has been updated")
-    except BaseException:
+    except BaseException as e:
         logger.warn(
             f"Could not update secret {secret_namespace}/{secret_name}!")
+        logger.warn(
+            f"Exception: {e}"
+        )
 
 
 @kopf.on.delete('bitwarden-secret.lerentis.uploadfilter24.eu')

src/template.py

@@ -17,7 +17,6 @@ def render_template(logger, template):
 
 
 def create_template_secret(logger, secret, filename, template):
-    secret.type = "Opaque"
     secret.data = {}
     secret.data[filename] = str(
         base64.b64encode(
@@ -25,15 +24,33 @@ def create_template_secret(logger, secret, filename, template):
         "utf-8")
     return secret
 
+def create_template_obj(logger, secret, content_def):
+    secret.data = {}
+    for eleml in content_def:
+        for k, elem in eleml.items():
+            for key, value in elem.items():
+                if key == "filename":
+                    _file_name = value
+                if key == "template":
+                    _template = value
+            secret.data[_file_name] = str(
+                base64.b64encode(
+                    render_template(logger, _template).encode("utf-8")),
+                "utf-8")
+    return secret
+
 
 @kopf.on.create('bitwarden-template.lerentis.uploadfilter24.eu')
 def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
-
     template = spec.get('template')
-    filename = spec.get('filename')
+    if template is not None:
+        create_beta7_secret(spec, name, namespace, logger, body, **kwargs)
     secret_name = spec.get('name')
     secret_namespace = spec.get('namespace')
+    custom_secret_type = spec.get('secretType')
     labels = spec.get('labels')
+    custom_annotations = spec.get('annotations')
+    content_def = spec.get('content')
 
     unlock_bw(logger)
 
@@ -44,24 +61,80 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
         "managedObject": f"{namespace}/{name}"
     }
 
+    if custom_annotations:
+        annotations.update(custom_annotations)
+
+    if not custom_secret_type:
+        custom_secret_type = 'Opaque'
+
     if not labels:
         labels = {}
 
     secret = kubernetes.client.V1Secret()
     secret.metadata = kubernetes.client.V1ObjectMeta(
         name=secret_name, annotations=annotations, labels=labels)
+    secret.type = custom_secret_type
+    secret = create_template_obj(logger, secret, content_def)
+
+    # Garbage collection will delete the generated secret if the owner
+    # Is not in the same namespace as the generated secret
+    if secret_namespace == namespace:
+        kopf.append_owner_reference(secret)
+    
+    api.create_namespaced_secret(
+        namespace="{}".format(secret_namespace),
+        body=secret
+    )
+
+    logger.info(f"Secret {secret_namespace}/{secret_name} has been created")
+
+
+def create_beta7_secret(spec, name, namespace, logger, body, **kwargs):
+
+    template = spec.get('template')
+    filename = spec.get('filename')
+    secret_name = spec.get('name')
+    secret_namespace = spec.get('namespace')
+    labels = spec.get('labels')
+    custom_annotations = spec.get('annotations')
+    custom_secret_type = spec.get('secretType')
+
+    unlock_bw(logger)
+
+    api = kubernetes.client.CoreV1Api()
+
+    annotations = {
+        "managed": "bitwarden-template.lerentis.uploadfilter24.eu",
+        "managedObject": f"{namespace}/{name}"
+    }
+
+    if custom_annotations:
+        annotations.update(custom_annotations)
+
+    if not custom_secret_type:
+        custom_secret_type = 'Opaque'
+
+    if not labels:
+        labels = {}
+
+    secret = kubernetes.client.V1Secret()
+    secret.metadata = kubernetes.client.V1ObjectMeta(
+        name=secret_name, annotations=annotations, labels=labels)
+    secret.type = custom_secret_type
     secret = create_template_secret(logger, secret, filename, template)
 
+    # Garbage collection will delete the generated secret if the owner
+    # Is not in the same namespace as the generated secret
+    if secret_namespace == namespace:
+        kopf.append_owner_reference(secret)
+
     api.create_namespaced_secret(
         secret_namespace, secret
     )
 
     logger.info(f"Secret {secret_namespace}/{secret_name} has been created")
 
-
-@kopf.on.update('bitwarden-template.lerentis.uploadfilter24.eu')
-@kopf.timer('bitwarden-template.lerentis.uploadfilter24.eu', interval=bw_sync_interval)
-def update_managed_secret(
+def update_beta7_secret(
         spec,
         status,
         name,
@@ -75,20 +148,30 @@ def update_managed_secret(
     secret_name = spec.get('name')
     secret_namespace = spec.get('namespace')
     labels = spec.get('labels')
+    custom_annotations = spec.get('annotations')
+    custom_secret_type = spec.get('secretType')
+
+    if not custom_secret_type:
+        custom_secret_type = 'Opaque'
 
     old_config = None
     old_secret_name = None
     old_secret_namespace = None
+    old_secret_type = None
     if 'kopf.zalando.org/last-handled-configuration' in body.metadata.annotations:
         old_config = json.loads(
             body.metadata.annotations['kopf.zalando.org/last-handled-configuration'])
         old_secret_name = old_config['spec'].get('name')
         old_secret_namespace = old_config['spec'].get('namespace')
+        old_secret_type = old_config['spec'].get('secretType')
     secret_name = spec.get('name')
     secret_namespace = spec.get('namespace')
 
+    if not old_secret_type:
+      old_secret_type = 'Opaque'
+
     if old_config is not None and (
-            old_secret_name != secret_name or old_secret_namespace != secret_namespace):
+            old_secret_name != secret_name or old_secret_namespace != secret_namespace or old_secret_type != custom_secret_type):
         # If the name of the secret or the namespace of the secret is different
         # We have to delete the secret an recreate it
         logger.info("Secret name or namespace changed, let's recreate it")
@@ -110,14 +193,23 @@ def update_managed_secret(
         "managedObject": f"{namespace}/{name}"
     }
 
+    if custom_annotations:
+        annotations.update(custom_annotations)
+
     if not labels:
         labels = {}
 
     secret = kubernetes.client.V1Secret()
     secret.metadata = kubernetes.client.V1ObjectMeta(
         name=secret_name, annotations=annotations, labels=labels)
+    secret.type = custom_secret_type
     secret = create_template_secret(logger, secret, filename, template)
 
+    # Garbage collection will delete the generated secret if the owner
+    # Is not in the same namespace as the generated secret
+    if secret_namespace == namespace:
+        kopf.append_owner_reference(secret)
+
     try:
         api.replace_namespaced_secret(
             name=secret_name,
@@ -125,9 +217,108 @@ def update_managed_secret(
             namespace="{}".format(secret_namespace))
         logger.info(
             f"Secret {secret_namespace}/{secret_name} has been updated")
-    except BaseException:
+    except BaseException as e:
         logger.warn(
             f"Could not update secret {secret_namespace}/{secret_name}!")
+        logger.warn(
+            f"Exception: {e}"
+        )
+
+
+
+@kopf.on.update('bitwarden-template.lerentis.uploadfilter24.eu')
+@kopf.timer('bitwarden-template.lerentis.uploadfilter24.eu', interval=bw_sync_interval)
+def update_managed_secret(
+        spec,
+        status,
+        name,
+        namespace,
+        logger,
+        body,
+        **kwargs):
+
+    template = spec.get('template')
+    if template is not None:
+        update_beta7_secret(spec, status, name, namespace, logger, body, **kwargs)
+    secret_name = spec.get('name')
+    secret_namespace = spec.get('namespace')
+    labels = spec.get('labels')
+    custom_annotations = spec.get('annotations')
+    custom_secret_type = spec.get('secretType')
+    content_def = spec.get('content')
+
+    if not custom_secret_type:
+        custom_secret_type = 'Opaque'
+
+    old_config = None
+    old_secret_name = None
+    old_secret_namespace = None
+    old_secret_type = None
+    if 'kopf.zalando.org/last-handled-configuration' in body.metadata.annotations:
+        old_config = json.loads(
+            body.metadata.annotations['kopf.zalando.org/last-handled-configuration'])
+        old_secret_name = old_config['spec'].get('name')
+        old_secret_namespace = old_config['spec'].get('namespace')
+        old_secret_type = old_config['spec'].get('secretType')
+    secret_name = spec.get('name')
+    secret_namespace = spec.get('namespace')
+
+    if not old_secret_type:
+      old_secret_type = 'Opaque'
+
+    if old_config is not None and (
+            old_secret_name != secret_name or old_secret_namespace != secret_namespace or old_secret_type != custom_secret_type):
+        # If the name of the secret or the namespace of the secret is different
+        # We have to delete the secret an recreate it
+        logger.info("Secret name or namespace changed, let's recreate it")
+        delete_managed_secret(
+            old_config['spec'],
+            name,
+            namespace,
+            logger,
+            **kwargs)
+        create_managed_secret(spec, name, namespace, logger, body, **kwargs)
+        return
+
+    unlock_bw(logger)
+
+    api = kubernetes.client.CoreV1Api()
+
+    annotations = {
+        "managed": "bitwarden-template.lerentis.uploadfilter24.eu",
+        "managedObject": f"{namespace}/{name}"
+    }
+
+    if custom_annotations:
+        annotations.update(custom_annotations)
+
+    if not labels:
+        labels = {}
+
+    secret = kubernetes.client.V1Secret()
+    secret.metadata = kubernetes.client.V1ObjectMeta(
+        name=secret_name, annotations=annotations, labels=labels)
+    secret.type = custom_secret_type
+    secret = create_template_obj(logger, secret, content_def)
+
+    # Garbage collection will delete the generated secret if the owner
+    # Is not in the same namespace as the generated secret
+    if secret_namespace == namespace:
+        kopf.append_owner_reference(secret)
+
+    try:
+        api.replace_namespaced_secret(
+            name=secret_name,
+            body=secret,
+            namespace="{}".format(secret_namespace))
+        logger.info(
+            f"Secret {secret_namespace}/{secret_name} has been updated")
+    except BaseException as e:
+        logger.warn(
+            f"Could not update secret {secret_namespace}/{secret_name}!")
+        logger.warn(
+            f"Exception: {e}"
+        )
 
 
 @kopf.on.delete('bitwarden-template.lerentis.uploadfilter24.eu')