Compare commits
	
		
			13 Commits
		
	
	
		
			e141888335
			...
			3efa4e68f1
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
|  | 3efa4e68f1 | ||
| 90a3e9f73d | |||
| 559c08c187 | |||
|  | 25b1d0778e | ||
|  | 9005ea4658 | ||
|  | 8c46aa2f41 | ||
|  | 6a4a345688 | ||
|  | aef0a5a33c | ||
| 096bf6b5f6 | |||
| ffbf466416 | |||
|  | 0c0243c407 | ||
|  | 8f17ee7f17 | ||
|  | 5dde6160de | 
							
								
								
									
										2
									
								
								.github/workflows/release.yml
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										2
									
								
								.github/workflows/release.yml
									
									
									
									
										vendored
									
									
								
							| @@ -36,7 +36,7 @@ jobs: | |||||||
|           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" |           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | ||||||
|  |  | ||||||
|       - name: Get app version from chart |       - name: Get app version from chart | ||||||
|         uses: mikefarah/yq@v4.44.2 |         uses: mikefarah/yq@v4.44.3 | ||||||
|         id: app_version |         id: app_version | ||||||
|         with: |         with: | ||||||
|           cmd: yq '.appVersion' charts/bitwarden-crd-operator/Chart.yaml |           cmd: yq '.appVersion' charts/bitwarden-crd-operator/Chart.yaml | ||||||
|   | |||||||
							
								
								
									
										12
									
								
								Dockerfile
									
									
									
									
									
								
							
							
						
						
									
										12
									
								
								Dockerfile
									
									
									
									
									
								
							| @@ -1,15 +1,15 @@ | |||||||
| FROM alpine:3.19.1 | FROM alpine:3.20.3 | ||||||
|  |  | ||||||
| LABEL org.opencontainers.image.source=https://github.com/Lerentis/bitwarden-crd-operator | LABEL org.opencontainers.image.source=https://github.com/Lerentis/bitwarden-crd-operator | ||||||
| LABEL org.opencontainers.image.description="Kubernetes Operator to create k8s secrets from bitwarden" | LABEL org.opencontainers.image.description="Kubernetes Operator to create k8s secrets from bitwarden" | ||||||
| LABEL org.opencontainers.image.licenses=MIT | LABEL org.opencontainers.image.licenses=MIT | ||||||
|  |  | ||||||
| ARG PYTHON_VERSION=3.11.9-r0 | ARG PYTHON_VERSION=3.12.6-r0 | ||||||
| ARG PIP_VERSION=23.3.1-r0 | ARG PIP_VERSION=24.0-r2 | ||||||
| ARG GCOMPAT_VERSION=1.1.0-r4 | ARG GCOMPAT_VERSION=1.1.0-r4 | ||||||
| ARG LIBCRYPTO_VERSION=3.1.4-r5 | ARG LIBCRYPTO_VERSION=3.3.2-r0 | ||||||
| ARG BW_VERSION=2023.7.0 | ARG BW_VERSION=2024.7.2 | ||||||
| ARG NODE_VERSION=20.12.1-r0 | ARG NODE_VERSION=20.15.1-r0 | ||||||
|  |  | ||||||
| COPY requirements.txt /requirements.txt | COPY requirements.txt /requirements.txt | ||||||
|  |  | ||||||
|   | |||||||
							
								
								
									
										44
									
								
								README.md
									
									
									
									
									
								
							
							
						
						
									
										44
									
								
								README.md
									
									
									
									
									
								
							| @@ -56,7 +56,7 @@ And you are set to create your first secret using this operator. For that you ne | |||||||
|  |  | ||||||
| ```yaml | ```yaml | ||||||
| --- | --- | ||||||
| apiVersion: "lerentis.uploadfilter24.eu/v1beta7" | apiVersion: "lerentis.uploadfilter24.eu/v1beta8" | ||||||
| kind: BitwardenSecret | kind: BitwardenSecret | ||||||
| metadata: | metadata: | ||||||
|   name: name-of-your-management-object |   name: name-of-your-management-object | ||||||
| @@ -106,7 +106,7 @@ For managing registry credentials, or pull secrets, you can create another kind | |||||||
|  |  | ||||||
| ```yaml | ```yaml | ||||||
| --- | --- | ||||||
| apiVersion: "lerentis.uploadfilter24.eu/v1beta7" | apiVersion: "lerentis.uploadfilter24.eu/v1beta8" | ||||||
| kind: RegistryCredential | kind: RegistryCredential | ||||||
| metadata: | metadata: | ||||||
|   name: name-of-your-management-object |   name: name-of-your-management-object | ||||||
| @@ -147,12 +147,11 @@ One of the more freely defined types that can be used with this operator you can | |||||||
|  |  | ||||||
| ```yaml | ```yaml | ||||||
| --- | --- | ||||||
| apiVersion: "lerentis.uploadfilter24.eu/v1beta7" | apiVersion: "lerentis.uploadfilter24.eu/v1beta8" | ||||||
| kind: BitwardenTemplate | kind: BitwardenTemplate | ||||||
| metadata: | metadata: | ||||||
|   name: name-of-your-management-object |   name: name-of-your-management-object | ||||||
| spec: | spec: | ||||||
|   filename: "Key of the secret to be created" |  | ||||||
|   name: "Name of the secret to be created" |   name: "Name of the secret to be created" | ||||||
|   secretType: # Optional (Default: Opaque) |   secretType: # Optional (Default: Opaque) | ||||||
|   namespace: "Namespace of the secret to be created" |   namespace: "Namespace of the secret to be created" | ||||||
| @@ -160,16 +159,31 @@ spec: | |||||||
|     key: value |     key: value | ||||||
|   annotations: # Optional |   annotations: # Optional | ||||||
|     key: value |     key: value | ||||||
|   template: | |   content: | ||||||
|     --- |     - element: | ||||||
|     api: |         filename: config.yaml | ||||||
|       enabled: True |         template: | | ||||||
|       key: {{ bitwarden_lookup("A Secret ID from bitwarden", "login or fields or attachment", "name of a field in bitwarden") }} |           --- | ||||||
|       allowCrossOrigin: false |           api: | ||||||
|       apps: |             enabled: True | ||||||
|         "some.app.identifier:some_version": |             key: {{ bitwarden_lookup("A Secret ID from bitwarden", "login or fields or attachment", "name of a field in bitwarden") }} | ||||||
|           pubkey: {{ bitwarden_lookup("A Secret ID from bitwarden", "login or fields or attachment", "name of a field in bitwarden") }} |             allowCrossOrigin: false | ||||||
|           enabled: true |             apps: | ||||||
|  |               "some.app.identifier:some_version": | ||||||
|  |                 pubkey: {{ bitwarden_lookup("A Secret ID from bitwarden", "login or fields or attachment", "name of a field in bitwarden") }} | ||||||
|  |                 enabled: true | ||||||
|  |     - element: | ||||||
|  |         filename: config2.yaml | ||||||
|  |         template: | | ||||||
|  |           --- | ||||||
|  |           api: | ||||||
|  |             enabled: True | ||||||
|  |             key: {{ bitwarden_lookup("A Secret ID from bitwarden", "login or fields or attachment", "name of a field in bitwarden") }} | ||||||
|  |             allowCrossOrigin: false | ||||||
|  |             apps: | ||||||
|  |               "some.app.identifier:some_version": | ||||||
|  |                 pubkey: {{ bitwarden_lookup("A Secret ID from bitwarden", "login or fields or attachment", "name of a field in bitwarden") }} | ||||||
|  |                 enabled: false | ||||||
| ``` | ``` | ||||||
|  |  | ||||||
| This will result in something like the following object: | This will result in something like the following object: | ||||||
| @@ -204,4 +218,4 @@ Please note that the rendering engine for this template is jinja2, with an addit | |||||||
|  |  | ||||||
| The operator uses the bitwarden cli in the background and does not communicate to the api directly. The cli mirrors the credential store locally but doesn't sync it on every get request. Instead it will sync each secret every 15 minutes (900 seconds). You can adjust the interval by setting `BW_SYNC_INTERVAL` in the values. If your secrets update very very frequently, you can force the operator to do a sync before each get by setting `BW_FORCE_SYNC="true"`. You might run into rate limits if you do this too frequent. | The operator uses the bitwarden cli in the background and does not communicate to the api directly. The cli mirrors the credential store locally but doesn't sync it on every get request. Instead it will sync each secret every 15 minutes (900 seconds). You can adjust the interval by setting `BW_SYNC_INTERVAL` in the values. If your secrets update very very frequently, you can force the operator to do a sync before each get by setting `BW_FORCE_SYNC="true"`. You might run into rate limits if you do this too frequent. | ||||||
|  |  | ||||||
| Additionally the bitwarden cli session may expire at some time. In order to create a new session, the login command is triggered from time to time. In what interval exactly can be configured with the env `BW_RELOGIN_INTERVAL` which defaults to 3600s. | Additionally the bitwarden cli session may expire at some time. In order to create a new session, the login command is triggered from time to time. In what interval exactly can be configured with the env `BW_RELOGIN_INTERVAL` which defaults to `3600` seconds. | ||||||
|   | |||||||
| @@ -4,9 +4,9 @@ description: Deploy the Bitwarden CRD Operator | |||||||
|  |  | ||||||
| type: application | type: application | ||||||
|  |  | ||||||
| version: "v0.13.0" | version: "v0.15.0" | ||||||
|  |  | ||||||
| appVersion: "0.12.0" | appVersion: "0.14.0" | ||||||
|  |  | ||||||
| keywords: | keywords: | ||||||
|   - operator |   - operator | ||||||
| @@ -20,7 +20,7 @@ home: https://lerentis.github.io/bitwarden-crd-operator/ | |||||||
| sources: | sources: | ||||||
|   - https://github.com/Lerentis/bitwarden-crd-operator |   - https://github.com/Lerentis/bitwarden-crd-operator | ||||||
|  |  | ||||||
| kubeVersion: ">= 1.23.0-0" | kubeVersion: ">= 1.28.0-0" | ||||||
|  |  | ||||||
| maintainers: | maintainers: | ||||||
|   - name: lerentis |   - name: lerentis | ||||||
| @@ -32,22 +32,22 @@ annotations: | |||||||
|       url: https://github.com/Lerentis/bitwarden-crd-operator |       url: https://github.com/Lerentis/bitwarden-crd-operator | ||||||
|   artifacthub.io/crds: | |   artifacthub.io/crds: | | ||||||
|     - kind: BitwardenSecret |     - kind: BitwardenSecret | ||||||
|       version: v1beta7 |       version: v1beta8 | ||||||
|       name: bitwarden-secret |       name: bitwarden-secret | ||||||
|       displayName: Bitwarden Secret |       displayName: Bitwarden Secret | ||||||
|       description: Management Object to create secrets from bitwarden |       description: Management Object to create secrets from bitwarden | ||||||
|     - kind: RegistryCredential |     - kind: RegistryCredential | ||||||
|       version: v1beta7 |       version: v1beta8 | ||||||
|       name: registry-credential |       name: registry-credential | ||||||
|       displayName: Regestry Credentials |       displayName: Regestry Credentials | ||||||
|       description: Management Object to create regestry secrets from bitwarden |       description: Management Object to create regestry secrets from bitwarden | ||||||
|     - kind: BitwardenTemplate |     - kind: BitwardenTemplate | ||||||
|       version: v1beta7 |       version: v1beta8 | ||||||
|       name: bitwarden-template |       name: bitwarden-template | ||||||
|       displayName: Bitwarden Template |       displayName: Bitwarden Template | ||||||
|       description: Management Object to create secrets from a jinja template with a bitwarden lookup |       description: Management Object to create secrets from a jinja template with a bitwarden lookup | ||||||
|   artifacthub.io/crdsExamples: | |   artifacthub.io/crdsExamples: | | ||||||
|     - apiVersion: lerentis.uploadfilter24.eu/v1beta7 |     - apiVersion: lerentis.uploadfilter24.eu/v1beta8 | ||||||
|       kind: BitwardenSecret |       kind: BitwardenSecret | ||||||
|       metadata: |       metadata: | ||||||
|         name: test |         name: test | ||||||
| @@ -67,7 +67,7 @@ annotations: | |||||||
|           key: value |           key: value | ||||||
|         annotations: |         annotations: | ||||||
|           key: value |           key: value | ||||||
|     - apiVersion: lerentis.uploadfilter24.eu/v1beta7 |     - apiVersion: lerentis.uploadfilter24.eu/v1beta8 | ||||||
|       kind: RegistryCredential |       kind: RegistryCredential | ||||||
|       metadata: |       metadata: | ||||||
|         name: test |         name: test | ||||||
| @@ -82,12 +82,11 @@ annotations: | |||||||
|           key: value |           key: value | ||||||
|         annotations: |         annotations: | ||||||
|           key: value |           key: value | ||||||
|     - apiVersion: "lerentis.uploadfilter24.eu/v1beta7" |     - apiVersion: "lerentis.uploadfilter24.eu/v1beta8" | ||||||
|       kind: BitwardenTemplate |       kind: BitwardenTemplate | ||||||
|       metadata: |       metadata: | ||||||
|         name: test |         name: test | ||||||
|       spec: |       spec: | ||||||
|         filename: "config.yaml" |  | ||||||
|         name: "test-regcred" |         name: "test-regcred" | ||||||
|         secretType: Obaque #Optional |         secretType: Obaque #Optional | ||||||
|         namespace: "default" |         namespace: "default" | ||||||
| @@ -95,26 +94,32 @@ annotations: | |||||||
|           key: value |           key: value | ||||||
|         annotations: |         annotations: | ||||||
|           key: value |           key: value | ||||||
|         template: | |         content: | ||||||
|           --- |           - element: | ||||||
|           api: |               filename: "config.yaml" | ||||||
|             enabled: True |               template: | | ||||||
|             key: {{ bitwarden_lookup("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "fields", "key") }} |                 --- | ||||||
|             allowCrossOrigin: false |                 api: | ||||||
|             apps: |                   enabled: True | ||||||
|               "some.app.identifier:some_version": |                   key: {{ bitwarden_lookup("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "fields", "key") }} | ||||||
|                 pubkey: {{ bitwarden_lookup("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "attachment", "public_key") }} |                   allowCrossOrigin: false | ||||||
|                 enabled: true |                   apps: | ||||||
|  |                     "some.app.identifier:some_version": | ||||||
|  |                       pubkey: {{ bitwarden_lookup("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "attachment", "public_key") }} | ||||||
|  |                       enabled: true | ||||||
|  |  | ||||||
|   artifacthub.io/license: MIT |   artifacthub.io/license: MIT | ||||||
|   artifacthub.io/operator: "true" |   artifacthub.io/operator: "true" | ||||||
|   artifacthub.io/containsSecurityUpdates: "false" |   artifacthub.io/containsSecurityUpdates: "false" | ||||||
|   artifacthub.io/changes: | |   artifacthub.io/changes: | | ||||||
|     - kind: added |     - kind: changed | ||||||
|       description: "Allow custom type for generated secrets" |       description: "BitwardenTemplate can now handle multiple files" | ||||||
|     - kind: added |     - kind: changed | ||||||
|       description: "Allow attachments in generated secrets" |       description: "Removed long deprecated versions" | ||||||
|     - kind: added |     - kind: changed | ||||||
|       description: "Allow custom type in templated secrets" |       description: "Update kubernetes from v29.0.0 to v30.1.0" | ||||||
|  |     - kind: changed | ||||||
|  |       description: "Update alpine from 3.20.2 to 3.20.3" | ||||||
|   artifacthub.io/images: | |   artifacthub.io/images: | | ||||||
|     - name: bitwarden-crd-operator |     - name: bitwarden-crd-operator | ||||||
|       image: ghcr.io/lerentis/bitwarden-crd-operator:0.12.0 |       image: ghcr.io/lerentis/bitwarden-crd-operator:0.14.0 | ||||||
|   | |||||||
| @@ -13,7 +13,7 @@ spec: | |||||||
|     shortNames: |     shortNames: | ||||||
|       - bws |       - bws | ||||||
|   versions: |   versions: | ||||||
|     - name: v1beta4 |     - name: v1beta7 | ||||||
|       served: true |       served: true | ||||||
|       storage: false |       storage: false | ||||||
|       deprecated: true |       deprecated: true | ||||||
| @@ -46,82 +46,7 @@ spec: | |||||||
|                   type: string |                   type: string | ||||||
|                 name: |                 name: | ||||||
|                   type: string |                   type: string | ||||||
|               required: |                 secretType:  | ||||||
|                 - id |  | ||||||
|                 - namespace |  | ||||||
|                 - name |  | ||||||
|     - name: v1beta5 |  | ||||||
|       served: true |  | ||||||
|       storage: false |  | ||||||
|       deprecated: true |  | ||||||
|       schema: |  | ||||||
|         openAPIV3Schema: |  | ||||||
|           type: object |  | ||||||
|           properties: |  | ||||||
|             spec: |  | ||||||
|               type: object |  | ||||||
|               properties: |  | ||||||
|                 content: |  | ||||||
|                   type: array |  | ||||||
|                   items: |  | ||||||
|                     type: object |  | ||||||
|                     properties: |  | ||||||
|                       element: |  | ||||||
|                         type: object |  | ||||||
|                         properties: |  | ||||||
|                           secretName: |  | ||||||
|                             type: string |  | ||||||
|                           secretRef: |  | ||||||
|                             type: string |  | ||||||
|                           secretScope: |  | ||||||
|                             type: string |  | ||||||
|                         required: |  | ||||||
|                           - secretName |  | ||||||
|                 id: |  | ||||||
|                   type: string |  | ||||||
|                 namespace: |  | ||||||
|                   type: string |  | ||||||
|                 name: |  | ||||||
|                   type: string |  | ||||||
|                 labels: |  | ||||||
|                   type: object |  | ||||||
|                   x-kubernetes-preserve-unknown-fields: true |  | ||||||
|               required: |  | ||||||
|                 - id |  | ||||||
|                 - namespace |  | ||||||
|                 - name |  | ||||||
|     - name: v1beta6 |  | ||||||
|       served: true |  | ||||||
|       storage: false |  | ||||||
|       deprecated: true |  | ||||||
|       schema: |  | ||||||
|         openAPIV3Schema: |  | ||||||
|           type: object |  | ||||||
|           properties: |  | ||||||
|             spec: |  | ||||||
|               type: object |  | ||||||
|               properties: |  | ||||||
|                 content: |  | ||||||
|                   type: array |  | ||||||
|                   items: |  | ||||||
|                     type: object |  | ||||||
|                     properties: |  | ||||||
|                       element: |  | ||||||
|                         type: object |  | ||||||
|                         properties: |  | ||||||
|                           secretName: |  | ||||||
|                             type: string |  | ||||||
|                           secretRef: |  | ||||||
|                             type: string |  | ||||||
|                           secretScope: |  | ||||||
|                             type: string |  | ||||||
|                         required: |  | ||||||
|                           - secretName |  | ||||||
|                 id: |  | ||||||
|                   type: string |  | ||||||
|                 namespace: |  | ||||||
|                   type: string |  | ||||||
|                 name: |  | ||||||
|                   type: string |                   type: string | ||||||
|                 labels: |                 labels: | ||||||
|                   type: object |                   type: object | ||||||
| @@ -133,7 +58,7 @@ spec: | |||||||
|                 - id |                 - id | ||||||
|                 - namespace |                 - namespace | ||||||
|                 - name |                 - name | ||||||
|     - name: v1beta7 |     - name: v1beta8 | ||||||
|       served: true |       served: true | ||||||
|       storage: true |       storage: true | ||||||
|       schema: |       schema: | ||||||
|   | |||||||
| @@ -13,90 +13,10 @@ spec: | |||||||
|     shortNames: |     shortNames: | ||||||
|       - bwt |       - bwt | ||||||
|   versions: |   versions: | ||||||
|     - name: v1beta4 |  | ||||||
|       served: true |  | ||||||
|       storage: false |  | ||||||
|       deprecated: true |  | ||||||
|       schema: |  | ||||||
|         openAPIV3Schema: |  | ||||||
|           type: object |  | ||||||
|           properties: |  | ||||||
|             spec: |  | ||||||
|               type: object |  | ||||||
|               properties: |  | ||||||
|                 filename: |  | ||||||
|                   type: string |  | ||||||
|                 template: |  | ||||||
|                   type: string |  | ||||||
|                 namespace: |  | ||||||
|                   type: string |  | ||||||
|                 name: |  | ||||||
|                   type: string |  | ||||||
|               required: |  | ||||||
|                 - filename |  | ||||||
|                 - template |  | ||||||
|                 - namespace |  | ||||||
|                 - name |  | ||||||
|     - name: v1beta5 |  | ||||||
|       served: true |  | ||||||
|       storage: false |  | ||||||
|       deprecated: true |  | ||||||
|       schema: |  | ||||||
|         openAPIV3Schema: |  | ||||||
|           type: object |  | ||||||
|           properties: |  | ||||||
|             spec: |  | ||||||
|               type: object |  | ||||||
|               properties: |  | ||||||
|                 filename: |  | ||||||
|                   type: string |  | ||||||
|                 template: |  | ||||||
|                   type: string |  | ||||||
|                 namespace: |  | ||||||
|                   type: string |  | ||||||
|                 name: |  | ||||||
|                   type: string |  | ||||||
|                 labels: |  | ||||||
|                   type: object |  | ||||||
|                   x-kubernetes-preserve-unknown-fields: true |  | ||||||
|               required: |  | ||||||
|                 - filename |  | ||||||
|                 - template |  | ||||||
|                 - namespace |  | ||||||
|                 - name |  | ||||||
|     - name: v1beta6 |  | ||||||
|       served: true |  | ||||||
|       storage: false |  | ||||||
|       deprecated: true |  | ||||||
|       schema: |  | ||||||
|         openAPIV3Schema: |  | ||||||
|           type: object |  | ||||||
|           properties: |  | ||||||
|             spec: |  | ||||||
|               type: object |  | ||||||
|               properties: |  | ||||||
|                 filename: |  | ||||||
|                   type: string |  | ||||||
|                 template: |  | ||||||
|                   type: string |  | ||||||
|                 namespace: |  | ||||||
|                   type: string |  | ||||||
|                 name: |  | ||||||
|                   type: string |  | ||||||
|                 labels: |  | ||||||
|                   type: object |  | ||||||
|                   x-kubernetes-preserve-unknown-fields: true |  | ||||||
|                 annotations: |  | ||||||
|                   type: object |  | ||||||
|                   x-kubernetes-preserve-unknown-fields: true |  | ||||||
|               required: |  | ||||||
|                 - filename |  | ||||||
|                 - template |  | ||||||
|                 - namespace |  | ||||||
|                 - name |  | ||||||
|     - name: v1beta7 |     - name: v1beta7 | ||||||
|       served: true |       served: true | ||||||
|       storage: true |       storage: false | ||||||
|  |       deprecated: true | ||||||
|       schema: |       schema: | ||||||
|         openAPIV3Schema: |         openAPIV3Schema: | ||||||
|           type: object |           type: object | ||||||
| @@ -125,3 +45,43 @@ spec: | |||||||
|                 - template |                 - template | ||||||
|                 - namespace |                 - namespace | ||||||
|                 - name |                 - name | ||||||
|  |     - name: v1beta8 | ||||||
|  |       served: true | ||||||
|  |       storage: true | ||||||
|  |       schema: | ||||||
|  |         openAPIV3Schema: | ||||||
|  |           type: object | ||||||
|  |           properties: | ||||||
|  |             spec: | ||||||
|  |               type: object | ||||||
|  |               properties: | ||||||
|  |                 namespace: | ||||||
|  |                   type: string | ||||||
|  |                 name: | ||||||
|  |                   type: string | ||||||
|  |                 secretType:  | ||||||
|  |                   type: string | ||||||
|  |                 content: | ||||||
|  |                   type: array | ||||||
|  |                   items: | ||||||
|  |                     type: object | ||||||
|  |                     properties: | ||||||
|  |                       element: | ||||||
|  |                         type: object | ||||||
|  |                         properties: | ||||||
|  |                           filename: | ||||||
|  |                             type: string | ||||||
|  |                           template: | ||||||
|  |                             type: string | ||||||
|  |                         required: | ||||||
|  |                           - filename | ||||||
|  |                           - template | ||||||
|  |                 labels: | ||||||
|  |                   type: object | ||||||
|  |                   x-kubernetes-preserve-unknown-fields: true | ||||||
|  |                 annotations: | ||||||
|  |                   type: object | ||||||
|  |                   x-kubernetes-preserve-unknown-fields: true | ||||||
|  |               required: | ||||||
|  |                 - namespace | ||||||
|  |                 - name | ||||||
| @@ -13,70 +13,7 @@ spec: | |||||||
|     shortNames: |     shortNames: | ||||||
|       - rgc |       - rgc | ||||||
|   versions: |   versions: | ||||||
|     - name: v1beta4 |     - name: v1beta7 | ||||||
|       served: true |  | ||||||
|       storage: false |  | ||||||
|       deprecated: true |  | ||||||
|       schema: |  | ||||||
|         openAPIV3Schema: |  | ||||||
|           type: object |  | ||||||
|           properties: |  | ||||||
|             spec: |  | ||||||
|               type: object |  | ||||||
|               properties: |  | ||||||
|                 usernameRef: |  | ||||||
|                   type: string |  | ||||||
|                 passwordRef: |  | ||||||
|                   type: string |  | ||||||
|                 registry: |  | ||||||
|                   type: string |  | ||||||
|                 id: |  | ||||||
|                   type: string |  | ||||||
|                 namespace: |  | ||||||
|                   type: string |  | ||||||
|                 name: |  | ||||||
|                   type: string |  | ||||||
|               required: |  | ||||||
|                 - id |  | ||||||
|                 - namespace |  | ||||||
|                 - name |  | ||||||
|                 - usernameRef |  | ||||||
|                 - passwordRef |  | ||||||
|                 - registry |  | ||||||
|     - name: v1beta5 |  | ||||||
|       served: true |  | ||||||
|       storage: false |  | ||||||
|       deprecated: true |  | ||||||
|       schema: |  | ||||||
|         openAPIV3Schema: |  | ||||||
|           type: object |  | ||||||
|           properties: |  | ||||||
|             spec: |  | ||||||
|               type: object |  | ||||||
|               properties: |  | ||||||
|                 usernameRef: |  | ||||||
|                   type: string |  | ||||||
|                 passwordRef: |  | ||||||
|                   type: string |  | ||||||
|                 registry: |  | ||||||
|                   type: string |  | ||||||
|                 id: |  | ||||||
|                   type: string |  | ||||||
|                 namespace: |  | ||||||
|                   type: string |  | ||||||
|                 name: |  | ||||||
|                   type: string |  | ||||||
|                 labels: |  | ||||||
|                   type: object |  | ||||||
|                   x-kubernetes-preserve-unknown-fields: true |  | ||||||
|               required: |  | ||||||
|                 - id |  | ||||||
|                 - namespace |  | ||||||
|                 - name |  | ||||||
|                 - usernameRef |  | ||||||
|                 - passwordRef |  | ||||||
|                 - registry |  | ||||||
|     - name: v1beta6 |  | ||||||
|       served: true |       served: true | ||||||
|       storage: false |       storage: false | ||||||
|       deprecated: true |       deprecated: true | ||||||
| @@ -112,7 +49,7 @@ spec: | |||||||
|                 - usernameRef |                 - usernameRef | ||||||
|                 - passwordRef |                 - passwordRef | ||||||
|                 - registry |                 - registry | ||||||
|     - name: v1beta7 |     - name: v1beta8 | ||||||
|       served: true |       served: true | ||||||
|       storage: true |       storage: true | ||||||
|       schema: |       schema: | ||||||
|   | |||||||
| @@ -1,5 +1,5 @@ | |||||||
| --- | --- | ||||||
| apiVersion: "lerentis.uploadfilter24.eu/v1beta7" | apiVersion: "lerentis.uploadfilter24.eu/v1beta8" | ||||||
| kind: BitwardenSecret | kind: BitwardenSecret | ||||||
| metadata: | metadata: | ||||||
|   name: test |   name: test | ||||||
| @@ -24,7 +24,7 @@ spec: | |||||||
|   annotations: |   annotations: | ||||||
|     custom.annotation: is-used |     custom.annotation: is-used | ||||||
| --- | --- | ||||||
| apiVersion: "lerentis.uploadfilter24.eu/v1beta7" | apiVersion: "lerentis.uploadfilter24.eu/v1beta8" | ||||||
| kind: BitwardenSecret | kind: BitwardenSecret | ||||||
| metadata: | metadata: | ||||||
|   name: test-scope |   name: test-scope | ||||||
|   | |||||||
| @@ -1,5 +1,5 @@ | |||||||
| --- | --- | ||||||
| apiVersion: "lerentis.uploadfilter24.eu/v1beta7" | apiVersion: "lerentis.uploadfilter24.eu/v1beta8" | ||||||
| kind: RegistryCredential | kind: RegistryCredential | ||||||
| metadata: | metadata: | ||||||
|   name: test |   name: test | ||||||
|   | |||||||
| @@ -1,10 +1,9 @@ | |||||||
| --- | --- | ||||||
| apiVersion: "lerentis.uploadfilter24.eu/v1beta7" | apiVersion: "lerentis.uploadfilter24.eu/v1beta8" | ||||||
| kind: BitwardenTemplate | kind: BitwardenTemplate | ||||||
| metadata: | metadata: | ||||||
|   name: test |   name: test | ||||||
| spec: | spec: | ||||||
|   filename: "config.yaml" |  | ||||||
|   name: "test-template" |   name: "test-template" | ||||||
|   namespace: "default" |   namespace: "default" | ||||||
|   labels: |   labels: | ||||||
| @@ -12,13 +11,28 @@ spec: | |||||||
|     app: example-app |     app: example-app | ||||||
|   annotations: |   annotations: | ||||||
|     custom.annotation: is-used |     custom.annotation: is-used | ||||||
|   template: | |   content: | ||||||
|     --- |     - element: | ||||||
|     api: |         filename: config.yaml | ||||||
|       enabled: True |         template: | | ||||||
|       key: {{ bitwarden_lookup("466fc4b0-ffca-4444-8d88-b59d4de3d928", "fields", "key") }} |           --- | ||||||
|       allowCrossOrigin: false |           api: | ||||||
|       apps: |             enabled: True | ||||||
|         "some.app.identifier:some_version": |             key: {{ bitwarden_lookup("466fc4b0-ffca-4444-8d88-b59d4de3d928", "fields", "key") }} | ||||||
|           pubkey: {{ bitwarden_lookup("466fc4b0-ffca-4444-8d88-b59d4de3d928", "fields", "public_key") }} |             allowCrossOrigin: false | ||||||
|           enabled: true |             apps: | ||||||
|  |               "some.app.identifier:some_version": | ||||||
|  |                 pubkey: {{ bitwarden_lookup("466fc4b0-ffca-4444-8d88-b59d4de3d928", "fields", "public_key") }} | ||||||
|  |                 enabled: true | ||||||
|  |     - element: | ||||||
|  |         filename: config2.yaml | ||||||
|  |         template: | | ||||||
|  |           --- | ||||||
|  |           api: | ||||||
|  |             enabled: True | ||||||
|  |             key: {{ bitwarden_lookup("466fc4b0-ffca-4444-8d88-b59d4de3d928", "fields", "key") }} | ||||||
|  |             allowCrossOrigin: false | ||||||
|  |             apps: | ||||||
|  |               "some.app.identifier:some_version": | ||||||
|  |                 pubkey: {{ bitwarden_lookup("466fc4b0-ffca-4444-8d88-b59d4de3d928", "fields", "public_key") }} | ||||||
|  |                 enabled: false | ||||||
|   | |||||||
| @@ -1,4 +1,4 @@ | |||||||
| kopf==1.37.2 | kopf==1.37.2 | ||||||
| kubernetes==29.0.0 | kubernetes==30.1.0 | ||||||
| Jinja2==3.1.4 | Jinja2==3.1.4 | ||||||
| schedule==1.2.2 | schedule==1.2.2 | ||||||
| @@ -112,7 +112,7 @@ def update_managed_secret( | |||||||
|             body.metadata.annotations['kopf.zalando.org/last-handled-configuration']) |             body.metadata.annotations['kopf.zalando.org/last-handled-configuration']) | ||||||
|         old_secret_name = old_config['spec'].get('name') |         old_secret_name = old_config['spec'].get('name') | ||||||
|         old_secret_namespace = old_config['spec'].get('namespace') |         old_secret_namespace = old_config['spec'].get('namespace') | ||||||
|         old_secret_type = old_config['spec'].get('type') |         old_secret_type = old_config['spec'].get('secretType') | ||||||
|     secret_name = spec.get('name') |     secret_name = spec.get('name') | ||||||
|     secret_namespace = spec.get('namespace') |     secret_namespace = spec.get('namespace') | ||||||
|     labels = spec.get('labels') |     labels = spec.get('labels') | ||||||
| @@ -122,6 +122,9 @@ def update_managed_secret( | |||||||
|     if not custom_secret_type: |     if not custom_secret_type: | ||||||
|         custom_secret_type = 'Opaque' |         custom_secret_type = 'Opaque' | ||||||
|  |  | ||||||
|  |     if not old_secret_type: | ||||||
|  |         old_secret_type = 'Opaque' | ||||||
|  |  | ||||||
|     if old_config is not None and ( |     if old_config is not None and ( | ||||||
|             old_secret_name != secret_name or old_secret_namespace != secret_namespace or old_secret_type != custom_secret_type): |             old_secret_name != secret_name or old_secret_namespace != secret_namespace or old_secret_type != custom_secret_type): | ||||||
|         # If the name of the secret or the namespace of the secret is different |         # If the name of the secret or the namespace of the secret is different | ||||||
|   | |||||||
							
								
								
									
										169
									
								
								src/template.py
									
									
									
									
									
								
							
							
						
						
									
										169
									
								
								src/template.py
									
									
									
									
									
								
							| @@ -24,9 +24,72 @@ def create_template_secret(logger, secret, filename, template): | |||||||
|         "utf-8") |         "utf-8") | ||||||
|     return secret |     return secret | ||||||
|  |  | ||||||
|  | def create_template_obj(logger, secret, content_def): | ||||||
|  |     secret.data = {} | ||||||
|  |     for eleml in content_def: | ||||||
|  |         for k, elem in eleml.items(): | ||||||
|  |             for key, value in elem.items(): | ||||||
|  |                 if key == "filename": | ||||||
|  |                     _file_name = value | ||||||
|  |                 if key == "template": | ||||||
|  |                     _template = value | ||||||
|  |             secret.data[_file_name] = str( | ||||||
|  |                 base64.b64encode( | ||||||
|  |                     render_template(logger, _template).encode("utf-8")), | ||||||
|  |                 "utf-8") | ||||||
|  |     return secret | ||||||
|  |  | ||||||
|  |  | ||||||
| @kopf.on.create('bitwarden-template.lerentis.uploadfilter24.eu') | @kopf.on.create('bitwarden-template.lerentis.uploadfilter24.eu') | ||||||
| def create_managed_secret(spec, name, namespace, logger, body, **kwargs): | def create_managed_secret(spec, name, namespace, logger, body, **kwargs): | ||||||
|  |     template = spec.get('template') | ||||||
|  |     if template is not None: | ||||||
|  |         create_beta7_secret(spec, name, namespace, logger, body, **kwargs) | ||||||
|  |     secret_name = spec.get('name') | ||||||
|  |     secret_namespace = spec.get('namespace') | ||||||
|  |     custom_secret_type = spec.get('secretType') | ||||||
|  |     labels = spec.get('labels') | ||||||
|  |     custom_annotations = spec.get('annotations') | ||||||
|  |     content_def = spec.get('content') | ||||||
|  |  | ||||||
|  |     unlock_bw(logger) | ||||||
|  |  | ||||||
|  |     api = kubernetes.client.CoreV1Api() | ||||||
|  |  | ||||||
|  |     annotations = { | ||||||
|  |         "managed": "bitwarden-template.lerentis.uploadfilter24.eu", | ||||||
|  |         "managedObject": f"{namespace}/{name}" | ||||||
|  |     } | ||||||
|  |  | ||||||
|  |     if custom_annotations: | ||||||
|  |         annotations.update(custom_annotations) | ||||||
|  |  | ||||||
|  |     if not custom_secret_type: | ||||||
|  |         custom_secret_type = 'Opaque' | ||||||
|  |  | ||||||
|  |     if not labels: | ||||||
|  |         labels = {} | ||||||
|  |  | ||||||
|  |     secret = kubernetes.client.V1Secret() | ||||||
|  |     secret.metadata = kubernetes.client.V1ObjectMeta( | ||||||
|  |         name=secret_name, annotations=annotations, labels=labels) | ||||||
|  |     secret.type = custom_secret_type | ||||||
|  |     secret = create_template_obj(logger, secret, content_def) | ||||||
|  |  | ||||||
|  |     # Garbage collection will delete the generated secret if the owner | ||||||
|  |     # Is not in the same namespace as the generated secret | ||||||
|  |     if secret_namespace == namespace: | ||||||
|  |         kopf.append_owner_reference(secret) | ||||||
|  |      | ||||||
|  |     api.create_namespaced_secret( | ||||||
|  |         namespace="{}".format(secret_namespace), | ||||||
|  |         body=secret | ||||||
|  |     ) | ||||||
|  |  | ||||||
|  |     logger.info(f"Secret {secret_namespace}/{secret_name} has been created") | ||||||
|  |  | ||||||
|  |  | ||||||
|  | def create_beta7_secret(spec, name, namespace, logger, body, **kwargs): | ||||||
|  |  | ||||||
|     template = spec.get('template') |     template = spec.get('template') | ||||||
|     filename = spec.get('filename') |     filename = spec.get('filename') | ||||||
| @@ -71,10 +134,7 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs): | |||||||
|  |  | ||||||
|     logger.info(f"Secret {secret_namespace}/{secret_name} has been created") |     logger.info(f"Secret {secret_namespace}/{secret_name} has been created") | ||||||
|  |  | ||||||
|  | def update_beta7_secret( | ||||||
| @kopf.on.update('bitwarden-template.lerentis.uploadfilter24.eu') |  | ||||||
| @kopf.timer('bitwarden-template.lerentis.uploadfilter24.eu', interval=bw_sync_interval) |  | ||||||
| def update_managed_secret( |  | ||||||
|         spec, |         spec, | ||||||
|         status, |         status, | ||||||
|         name, |         name, | ||||||
| @@ -103,10 +163,13 @@ def update_managed_secret( | |||||||
|             body.metadata.annotations['kopf.zalando.org/last-handled-configuration']) |             body.metadata.annotations['kopf.zalando.org/last-handled-configuration']) | ||||||
|         old_secret_name = old_config['spec'].get('name') |         old_secret_name = old_config['spec'].get('name') | ||||||
|         old_secret_namespace = old_config['spec'].get('namespace') |         old_secret_namespace = old_config['spec'].get('namespace') | ||||||
|         old_secret_type = old_config['spec'].get('type') |         old_secret_type = old_config['spec'].get('secretType') | ||||||
|     secret_name = spec.get('name') |     secret_name = spec.get('name') | ||||||
|     secret_namespace = spec.get('namespace') |     secret_namespace = spec.get('namespace') | ||||||
|  |  | ||||||
|  |     if not old_secret_type: | ||||||
|  |       old_secret_type = 'Opaque' | ||||||
|  |  | ||||||
|     if old_config is not None and ( |     if old_config is not None and ( | ||||||
|             old_secret_name != secret_name or old_secret_namespace != secret_namespace or old_secret_type != custom_secret_type): |             old_secret_name != secret_name or old_secret_namespace != secret_namespace or old_secret_type != custom_secret_type): | ||||||
|         # If the name of the secret or the namespace of the secret is different |         # If the name of the secret or the namespace of the secret is different | ||||||
| @@ -162,6 +225,102 @@ def update_managed_secret( | |||||||
|         ) |         ) | ||||||
|  |  | ||||||
|  |  | ||||||
|  |  | ||||||
|  | @kopf.on.update('bitwarden-template.lerentis.uploadfilter24.eu') | ||||||
|  | @kopf.timer('bitwarden-template.lerentis.uploadfilter24.eu', interval=bw_sync_interval) | ||||||
|  | def update_managed_secret( | ||||||
|  |         spec, | ||||||
|  |         status, | ||||||
|  |         name, | ||||||
|  |         namespace, | ||||||
|  |         logger, | ||||||
|  |         body, | ||||||
|  |         **kwargs): | ||||||
|  |  | ||||||
|  |     template = spec.get('template') | ||||||
|  |     if template is not None: | ||||||
|  |         update_beta7_secret(spec, status, name, namespace, logger, body, **kwargs) | ||||||
|  |     secret_name = spec.get('name') | ||||||
|  |     secret_namespace = spec.get('namespace') | ||||||
|  |     labels = spec.get('labels') | ||||||
|  |     custom_annotations = spec.get('annotations') | ||||||
|  |     custom_secret_type = spec.get('secretType') | ||||||
|  |     content_def = spec.get('content') | ||||||
|  |  | ||||||
|  |     if not custom_secret_type: | ||||||
|  |         custom_secret_type = 'Opaque' | ||||||
|  |  | ||||||
|  |     old_config = None | ||||||
|  |     old_secret_name = None | ||||||
|  |     old_secret_namespace = None | ||||||
|  |     old_secret_type = None | ||||||
|  |     if 'kopf.zalando.org/last-handled-configuration' in body.metadata.annotations: | ||||||
|  |         old_config = json.loads( | ||||||
|  |             body.metadata.annotations['kopf.zalando.org/last-handled-configuration']) | ||||||
|  |         old_secret_name = old_config['spec'].get('name') | ||||||
|  |         old_secret_namespace = old_config['spec'].get('namespace') | ||||||
|  |         old_secret_type = old_config['spec'].get('secretType') | ||||||
|  |     secret_name = spec.get('name') | ||||||
|  |     secret_namespace = spec.get('namespace') | ||||||
|  |  | ||||||
|  |     if not old_secret_type: | ||||||
|  |       old_secret_type = 'Opaque' | ||||||
|  |  | ||||||
|  |     if old_config is not None and ( | ||||||
|  |             old_secret_name != secret_name or old_secret_namespace != secret_namespace or old_secret_type != custom_secret_type): | ||||||
|  |         # If the name of the secret or the namespace of the secret is different | ||||||
|  |         # We have to delete the secret an recreate it | ||||||
|  |         logger.info("Secret name or namespace changed, let's recreate it") | ||||||
|  |         delete_managed_secret( | ||||||
|  |             old_config['spec'], | ||||||
|  |             name, | ||||||
|  |             namespace, | ||||||
|  |             logger, | ||||||
|  |             **kwargs) | ||||||
|  |         create_managed_secret(spec, name, namespace, logger, body, **kwargs) | ||||||
|  |         return | ||||||
|  |  | ||||||
|  |     unlock_bw(logger) | ||||||
|  |  | ||||||
|  |     api = kubernetes.client.CoreV1Api() | ||||||
|  |  | ||||||
|  |     annotations = { | ||||||
|  |         "managed": "bitwarden-template.lerentis.uploadfilter24.eu", | ||||||
|  |         "managedObject": f"{namespace}/{name}" | ||||||
|  |     } | ||||||
|  |  | ||||||
|  |     if custom_annotations: | ||||||
|  |         annotations.update(custom_annotations) | ||||||
|  |  | ||||||
|  |     if not labels: | ||||||
|  |         labels = {} | ||||||
|  |  | ||||||
|  |     secret = kubernetes.client.V1Secret() | ||||||
|  |     secret.metadata = kubernetes.client.V1ObjectMeta( | ||||||
|  |         name=secret_name, annotations=annotations, labels=labels) | ||||||
|  |     secret.type = custom_secret_type | ||||||
|  |     secret = create_template_obj(logger, secret, content_def) | ||||||
|  |  | ||||||
|  |     # Garbage collection will delete the generated secret if the owner | ||||||
|  |     # Is not in the same namespace as the generated secret | ||||||
|  |     if secret_namespace == namespace: | ||||||
|  |         kopf.append_owner_reference(secret) | ||||||
|  |  | ||||||
|  |     try: | ||||||
|  |         api.replace_namespaced_secret( | ||||||
|  |             name=secret_name, | ||||||
|  |             body=secret, | ||||||
|  |             namespace="{}".format(secret_namespace)) | ||||||
|  |         logger.info( | ||||||
|  |             f"Secret {secret_namespace}/{secret_name} has been updated") | ||||||
|  |     except BaseException as e: | ||||||
|  |         logger.warn( | ||||||
|  |             f"Could not update secret {secret_namespace}/{secret_name}!") | ||||||
|  |         logger.warn( | ||||||
|  |             f"Exception: {e}" | ||||||
|  |         ) | ||||||
|  |  | ||||||
|  |  | ||||||
| @kopf.on.delete('bitwarden-template.lerentis.uploadfilter24.eu') | @kopf.on.delete('bitwarden-template.lerentis.uploadfilter24.eu') | ||||||
| def delete_managed_secret(spec, name, namespace, logger, **kwargs): | def delete_managed_secret(spec, name, namespace, logger, **kwargs): | ||||||
|     secret_name = spec.get('name') |     secret_name = spec.get('name') | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user