Compare commits
No commits in common. "e1418883353a37ff724ce3e897ca5fa69720555a" and "2bf13bc8c5c2291e2addaadebca32f527956e259" have entirely different histories.
e141888335
...
2bf13bc8c5
6
.github/workflows/release.yml
vendored
6
.github/workflows/release.yml
vendored
@ -24,7 +24,7 @@ jobs:
|
|||||||
git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
|
git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
|
||||||
|
|
||||||
- name: Install Helm
|
- name: Install Helm
|
||||||
uses: azure/setup-helm@v4
|
uses: azure/setup-helm@v3
|
||||||
with:
|
with:
|
||||||
version: v3.10.0
|
version: v3.10.0
|
||||||
|
|
||||||
@ -36,7 +36,7 @@ jobs:
|
|||||||
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
|
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
|
||||||
|
|
||||||
- name: Get app version from chart
|
- name: Get app version from chart
|
||||||
uses: mikefarah/yq@v4.44.2
|
uses: mikefarah/yq@v4.40.5
|
||||||
id: app_version
|
id: app_version
|
||||||
with:
|
with:
|
||||||
cmd: yq '.appVersion' charts/bitwarden-crd-operator/Chart.yaml
|
cmd: yq '.appVersion' charts/bitwarden-crd-operator/Chart.yaml
|
||||||
@ -56,7 +56,7 @@ jobs:
|
|||||||
|
|
||||||
- name: "GHCR Build and Push"
|
- name: "GHCR Build and Push"
|
||||||
id: docker_build
|
id: docker_build
|
||||||
uses: docker/build-push-action@v6
|
uses: docker/build-push-action@v5
|
||||||
with:
|
with:
|
||||||
push: true
|
push: true
|
||||||
platforms: linux/amd64,linux/arm64
|
platforms: linux/amd64,linux/arm64
|
||||||
|
19
.github/workflows/test-and-lint.yml
vendored
19
.github/workflows/test-and-lint.yml
vendored
@ -12,7 +12,7 @@ jobs:
|
|||||||
fetch-depth: 0
|
fetch-depth: 0
|
||||||
|
|
||||||
- name: Set up Helm
|
- name: Set up Helm
|
||||||
uses: azure/setup-helm@v4
|
uses: azure/setup-helm@v3
|
||||||
with:
|
with:
|
||||||
version: v3.11.2
|
version: v3.11.2
|
||||||
|
|
||||||
@ -36,18 +36,6 @@ jobs:
|
|||||||
if: steps.list-changed.outputs.changed == 'true'
|
if: steps.list-changed.outputs.changed == 'true'
|
||||||
run: ct lint --target-branch ${{ github.event.repository.default_branch }}
|
run: ct lint --target-branch ${{ github.event.repository.default_branch }}
|
||||||
|
|
||||||
- name: Install ah cli
|
|
||||||
run: |
|
|
||||||
export AH_VERSION=1.17.0
|
|
||||||
curl -LO https://github.com/artifacthub/hub/releases/download/v${AH_VERSION}/ah_${AH_VERSION}_linux_amd64.tar.gz
|
|
||||||
tar -xf ah_${AH_VERSION}_linux_amd64.tar.gz
|
|
||||||
chmod +x ./ah
|
|
||||||
sudo mv ./ah /usr/bin/ah
|
|
||||||
rm LICENSE
|
|
||||||
- name: ah lint
|
|
||||||
run: |
|
|
||||||
ah lint
|
|
||||||
|
|
||||||
pr-build:
|
pr-build:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
@ -57,10 +45,11 @@ jobs:
|
|||||||
- name: Set up Docker Buildx
|
- name: Set up Docker Buildx
|
||||||
uses: docker/setup-buildx-action@v3
|
uses: docker/setup-buildx-action@v3
|
||||||
|
|
||||||
- name: GHCR Build
|
- name: "GHCR Build"
|
||||||
id: docker_build
|
id: docker_build
|
||||||
uses: docker/build-push-action@v6
|
uses: docker/build-push-action@v5
|
||||||
with:
|
with:
|
||||||
push: false
|
push: false
|
||||||
platforms: linux/amd64,linux/arm64
|
platforms: linux/amd64,linux/arm64
|
||||||
tags: ghcr.io/lerentis/bitwarden-crd-operator:dev
|
tags: ghcr.io/lerentis/bitwarden-crd-operator:dev
|
||||||
|
|
||||||
|
32
Dockerfile
32
Dockerfile
@ -1,23 +1,39 @@
|
|||||||
FROM alpine:3.19.1
|
FROM alpine:3.19.0
|
||||||
|
|
||||||
LABEL org.opencontainers.image.source=https://github.com/Lerentis/bitwarden-crd-operator
|
LABEL org.opencontainers.image.source=https://github.com/Lerentis/bitwarden-crd-operator
|
||||||
LABEL org.opencontainers.image.description="Kubernetes Operator to create k8s secrets from bitwarden"
|
LABEL org.opencontainers.image.description="Kubernetes Operator to create k8s secrets from bitwarden"
|
||||||
LABEL org.opencontainers.image.licenses=MIT
|
LABEL org.opencontainers.image.licenses=MIT
|
||||||
|
|
||||||
ARG PYTHON_VERSION=3.11.9-r0
|
ARG PYTHON_VERSION=3.11.6-r1
|
||||||
ARG PIP_VERSION=23.3.1-r0
|
ARG PIP_VERSION=23.3.1-r0
|
||||||
ARG GCOMPAT_VERSION=1.1.0-r4
|
ARG GCOMPAT_VERSION=1.1.0-r4
|
||||||
ARG LIBCRYPTO_VERSION=3.1.4-r5
|
ARG LIBCRYPTO_VERSION=3.1.4-r2
|
||||||
ARG BW_VERSION=2023.7.0
|
ARG BW_VERSION=2023.7.0
|
||||||
ARG NODE_VERSION=20.12.1-r0
|
ARG NODE_VERSION=20.10.0-r1
|
||||||
|
|
||||||
COPY requirements.txt /requirements.txt
|
COPY requirements.txt /requirements.txt
|
||||||
|
|
||||||
RUN set -eux; \
|
RUN set -eux; \
|
||||||
apk update; \
|
apk add --virtual build-dependencies wget unzip; \
|
||||||
apk del nodejs-current; \
|
ARCH="$(apk --print-arch)"; \
|
||||||
apk add nodejs=${NODE_VERSION} npm; \
|
case "${ARCH}" in \
|
||||||
npm install -g @bitwarden/cli@${BW_VERSION}; \
|
aarch64|arm64) \
|
||||||
|
apk add nodejs=${NODE_VERSION} npm; \
|
||||||
|
npm install -g @bitwarden/cli@${BW_VERSION}; \
|
||||||
|
;; \
|
||||||
|
amd64|x86_64) \
|
||||||
|
cd /tmp; \
|
||||||
|
wget https://github.com/bitwarden/clients/releases/download/cli-v${BW_VERSION}/bw-linux-${BW_VERSION}.zip; \
|
||||||
|
unzip /tmp/bw-linux-${BW_VERSION}.zip; \
|
||||||
|
mv /tmp/bw /usr/local/bin/bw; \
|
||||||
|
chmod +x /usr/local/bin/bw; \
|
||||||
|
;; \
|
||||||
|
*) \
|
||||||
|
echo "Unsupported arch: ${ARCH}"; \
|
||||||
|
exit 1; \
|
||||||
|
;; \
|
||||||
|
esac; \
|
||||||
|
apk del --purge build-dependencies; \
|
||||||
addgroup -S -g 1000 bw-operator; \
|
addgroup -S -g 1000 bw-operator; \
|
||||||
adduser -S -D -u 1000 -G bw-operator bw-operator; \
|
adduser -S -D -u 1000 -G bw-operator bw-operator; \
|
||||||
mkdir -p /home/bw-operator; \
|
mkdir -p /home/bw-operator; \
|
||||||
|
23
README.md
23
README.md
@ -56,29 +56,25 @@ And you are set to create your first secret using this operator. For that you ne
|
|||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
---
|
---
|
||||||
apiVersion: "lerentis.uploadfilter24.eu/v1beta7"
|
apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
|
||||||
kind: BitwardenSecret
|
kind: BitwardenSecret
|
||||||
metadata:
|
metadata:
|
||||||
name: name-of-your-management-object
|
name: name-of-your-management-object
|
||||||
spec:
|
spec:
|
||||||
content:
|
content:
|
||||||
- element:
|
- element:
|
||||||
secretName: nameOfTheFieldInBitwarden # for example username or filename
|
secretName: nameOfTheFieldInBitwarden # for example username
|
||||||
secretRef: nameOfTheKeyInTheSecretToBeCreated
|
secretRef: nameOfTheKeyInTheSecretToBeCreated
|
||||||
secretScope: login # for custom entries on bitwarden use 'fields, for attachments use attachment'
|
secretScope: login # for custom entries on bitwarden use 'fields'
|
||||||
- element:
|
- element:
|
||||||
secretName: nameOfAnotherFieldInBitwarden # for example password or filename
|
secretName: nameOfAnotherFieldInBitwarden # for example password
|
||||||
secretRef: nameOfAnotherKeyInTheSecretToBeCreated
|
secretRef: nameOfAnotherKeyInTheSecretToBeCreated
|
||||||
secretScope: login # for custom entries on bitwarden use 'fields, for attachments use attachment'
|
secretScope: login # for custom entries on bitwarden use 'fields'
|
||||||
id: "A Secret ID from bitwarden"
|
id: "A Secret ID from bitwarden"
|
||||||
name: "Name of the secret to be created"
|
name: "Name of the secret to be created"
|
||||||
secretType: # Optional (Default: Opaque)
|
|
||||||
namespace: "Namespace of the secret to be created"
|
namespace: "Namespace of the secret to be created"
|
||||||
labels: # Optional
|
labels: # Optional
|
||||||
key: value
|
key: value
|
||||||
annotations: # Optional
|
|
||||||
key: value
|
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|
||||||
The ID can be extracted from the browser when you open a item the ID is in the URL. The resulting secret looks something like this:
|
The ID can be extracted from the browser when you open a item the ID is in the URL. The resulting secret looks something like this:
|
||||||
@ -106,7 +102,7 @@ For managing registry credentials, or pull secrets, you can create another kind
|
|||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
---
|
---
|
||||||
apiVersion: "lerentis.uploadfilter24.eu/v1beta7"
|
apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
|
||||||
kind: RegistryCredential
|
kind: RegistryCredential
|
||||||
metadata:
|
metadata:
|
||||||
name: name-of-your-management-object
|
name: name-of-your-management-object
|
||||||
@ -119,8 +115,6 @@ spec:
|
|||||||
namespace: "Namespace of the secret to be created"
|
namespace: "Namespace of the secret to be created"
|
||||||
labels: # Optional
|
labels: # Optional
|
||||||
key: value
|
key: value
|
||||||
annotations: # Optional
|
|
||||||
key: value
|
|
||||||
```
|
```
|
||||||
|
|
||||||
The resulting secret looks something like this:
|
The resulting secret looks something like this:
|
||||||
@ -147,19 +141,16 @@ One of the more freely defined types that can be used with this operator you can
|
|||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
---
|
---
|
||||||
apiVersion: "lerentis.uploadfilter24.eu/v1beta7"
|
apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
|
||||||
kind: BitwardenTemplate
|
kind: BitwardenTemplate
|
||||||
metadata:
|
metadata:
|
||||||
name: name-of-your-management-object
|
name: name-of-your-management-object
|
||||||
spec:
|
spec:
|
||||||
filename: "Key of the secret to be created"
|
filename: "Key of the secret to be created"
|
||||||
name: "Name of the secret to be created"
|
name: "Name of the secret to be created"
|
||||||
secretType: # Optional (Default: Opaque)
|
|
||||||
namespace: "Namespace of the secret to be created"
|
namespace: "Namespace of the secret to be created"
|
||||||
labels: # Optional
|
labels: # Optional
|
||||||
key: value
|
key: value
|
||||||
annotations: # Optional
|
|
||||||
key: value
|
|
||||||
template: |
|
template: |
|
||||||
---
|
---
|
||||||
api:
|
api:
|
||||||
|
@ -4,9 +4,9 @@ description: Deploy the Bitwarden CRD Operator
|
|||||||
|
|
||||||
type: application
|
type: application
|
||||||
|
|
||||||
version: "v0.13.0"
|
version: "v0.11.1"
|
||||||
|
|
||||||
appVersion: "0.12.0"
|
appVersion: "0.10.1"
|
||||||
|
|
||||||
keywords:
|
keywords:
|
||||||
- operator
|
- operator
|
||||||
@ -32,22 +32,22 @@ annotations:
|
|||||||
url: https://github.com/Lerentis/bitwarden-crd-operator
|
url: https://github.com/Lerentis/bitwarden-crd-operator
|
||||||
artifacthub.io/crds: |
|
artifacthub.io/crds: |
|
||||||
- kind: BitwardenSecret
|
- kind: BitwardenSecret
|
||||||
version: v1beta7
|
version: v1beta5
|
||||||
name: bitwarden-secret
|
name: bitwarden-secret
|
||||||
displayName: Bitwarden Secret
|
displayName: Bitwarden Secret
|
||||||
description: Management Object to create secrets from bitwarden
|
description: Management Object to create secrets from bitwarden
|
||||||
- kind: RegistryCredential
|
- kind: RegistryCredential
|
||||||
version: v1beta7
|
version: v1beta5
|
||||||
name: registry-credential
|
name: registry-credential
|
||||||
displayName: Regestry Credentials
|
displayName: Regestry Credentials
|
||||||
description: Management Object to create regestry secrets from bitwarden
|
description: Management Object to create regestry secrets from bitwarden
|
||||||
- kind: BitwardenTemplate
|
- kind: BitwardenTemplate
|
||||||
version: v1beta7
|
version: v1beta5
|
||||||
name: bitwarden-template
|
name: bitwarden-template
|
||||||
displayName: Bitwarden Template
|
displayName: Bitwarden Template
|
||||||
description: Management Object to create secrets from a jinja template with a bitwarden lookup
|
description: Management Object to create secrets from a jinja template with a bitwarden lookup
|
||||||
artifacthub.io/crdsExamples: |
|
artifacthub.io/crdsExamples: |
|
||||||
- apiVersion: lerentis.uploadfilter24.eu/v1beta7
|
- apiVersion: lerentis.uploadfilter24.eu/v1beta5
|
||||||
kind: BitwardenSecret
|
kind: BitwardenSecret
|
||||||
metadata:
|
metadata:
|
||||||
name: test
|
name: test
|
||||||
@ -61,13 +61,10 @@ annotations:
|
|||||||
secretRef: passwordOfUser
|
secretRef: passwordOfUser
|
||||||
id: "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
|
id: "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
|
||||||
name: "test-secret"
|
name: "test-secret"
|
||||||
secretType: Obaque #Optional
|
|
||||||
namespace: "default"
|
namespace: "default"
|
||||||
labels:
|
labels:
|
||||||
key: value
|
key: value
|
||||||
annotations:
|
- apiVersion: lerentis.uploadfilter24.eu/v1beta5
|
||||||
key: value
|
|
||||||
- apiVersion: lerentis.uploadfilter24.eu/v1beta7
|
|
||||||
kind: RegistryCredential
|
kind: RegistryCredential
|
||||||
metadata:
|
metadata:
|
||||||
name: test
|
name: test
|
||||||
@ -80,21 +77,16 @@ annotations:
|
|||||||
namespace: "default"
|
namespace: "default"
|
||||||
labels:
|
labels:
|
||||||
key: value
|
key: value
|
||||||
annotations:
|
- apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
|
||||||
key: value
|
|
||||||
- apiVersion: "lerentis.uploadfilter24.eu/v1beta7"
|
|
||||||
kind: BitwardenTemplate
|
kind: BitwardenTemplate
|
||||||
metadata:
|
metadata:
|
||||||
name: test
|
name: test
|
||||||
spec:
|
spec:
|
||||||
filename: "config.yaml"
|
filename: "config.yaml"
|
||||||
name: "test-regcred"
|
name: "test-regcred"
|
||||||
secretType: Obaque #Optional
|
|
||||||
namespace: "default"
|
namespace: "default"
|
||||||
labels:
|
labels:
|
||||||
key: value
|
key: value
|
||||||
annotations:
|
|
||||||
key: value
|
|
||||||
template: |
|
template: |
|
||||||
---
|
---
|
||||||
api:
|
api:
|
||||||
@ -109,12 +101,10 @@ annotations:
|
|||||||
artifacthub.io/operator: "true"
|
artifacthub.io/operator: "true"
|
||||||
artifacthub.io/containsSecurityUpdates: "false"
|
artifacthub.io/containsSecurityUpdates: "false"
|
||||||
artifacthub.io/changes: |
|
artifacthub.io/changes: |
|
||||||
- kind: added
|
- kind: fixed
|
||||||
description: "Allow custom type for generated secrets"
|
description: "Downgrade node to LTS in order to make bw cli work on arm"
|
||||||
- kind: added
|
- kind: changed
|
||||||
description: "Allow attachments in generated secrets"
|
description: "Update bw cli to 2023.7.0 for the same reason"
|
||||||
- kind: added
|
|
||||||
description: "Allow custom type in templated secrets"
|
|
||||||
artifacthub.io/images: |
|
artifacthub.io/images: |
|
||||||
- name: bitwarden-crd-operator
|
- name: bitwarden-crd-operator
|
||||||
image: ghcr.io/lerentis/bitwarden-crd-operator:0.12.0
|
image: ghcr.io/lerentis/bitwarden-crd-operator:0.10.1
|
||||||
|
@ -51,89 +51,6 @@ spec:
|
|||||||
- namespace
|
- namespace
|
||||||
- name
|
- name
|
||||||
- name: v1beta5
|
- name: v1beta5
|
||||||
served: true
|
|
||||||
storage: false
|
|
||||||
deprecated: true
|
|
||||||
schema:
|
|
||||||
openAPIV3Schema:
|
|
||||||
type: object
|
|
||||||
properties:
|
|
||||||
spec:
|
|
||||||
type: object
|
|
||||||
properties:
|
|
||||||
content:
|
|
||||||
type: array
|
|
||||||
items:
|
|
||||||
type: object
|
|
||||||
properties:
|
|
||||||
element:
|
|
||||||
type: object
|
|
||||||
properties:
|
|
||||||
secretName:
|
|
||||||
type: string
|
|
||||||
secretRef:
|
|
||||||
type: string
|
|
||||||
secretScope:
|
|
||||||
type: string
|
|
||||||
required:
|
|
||||||
- secretName
|
|
||||||
id:
|
|
||||||
type: string
|
|
||||||
namespace:
|
|
||||||
type: string
|
|
||||||
name:
|
|
||||||
type: string
|
|
||||||
labels:
|
|
||||||
type: object
|
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
|
||||||
required:
|
|
||||||
- id
|
|
||||||
- namespace
|
|
||||||
- name
|
|
||||||
- name: v1beta6
|
|
||||||
served: true
|
|
||||||
storage: false
|
|
||||||
deprecated: true
|
|
||||||
schema:
|
|
||||||
openAPIV3Schema:
|
|
||||||
type: object
|
|
||||||
properties:
|
|
||||||
spec:
|
|
||||||
type: object
|
|
||||||
properties:
|
|
||||||
content:
|
|
||||||
type: array
|
|
||||||
items:
|
|
||||||
type: object
|
|
||||||
properties:
|
|
||||||
element:
|
|
||||||
type: object
|
|
||||||
properties:
|
|
||||||
secretName:
|
|
||||||
type: string
|
|
||||||
secretRef:
|
|
||||||
type: string
|
|
||||||
secretScope:
|
|
||||||
type: string
|
|
||||||
required:
|
|
||||||
- secretName
|
|
||||||
id:
|
|
||||||
type: string
|
|
||||||
namespace:
|
|
||||||
type: string
|
|
||||||
name:
|
|
||||||
type: string
|
|
||||||
labels:
|
|
||||||
type: object
|
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
|
||||||
annotations:
|
|
||||||
type: object
|
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
|
||||||
required:
|
|
||||||
- id
|
|
||||||
- namespace
|
|
||||||
- name
|
|
||||||
- name: v1beta7
|
|
||||||
served: true
|
served: true
|
||||||
storage: true
|
storage: true
|
||||||
schema:
|
schema:
|
||||||
@ -165,14 +82,9 @@ spec:
|
|||||||
type: string
|
type: string
|
||||||
name:
|
name:
|
||||||
type: string
|
type: string
|
||||||
secretType:
|
|
||||||
type: string
|
|
||||||
labels:
|
labels:
|
||||||
type: object
|
type: object
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
annotations:
|
|
||||||
type: object
|
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
|
||||||
required:
|
required:
|
||||||
- id
|
- id
|
||||||
- namespace
|
- namespace
|
||||||
|
@ -38,63 +38,6 @@ spec:
|
|||||||
- namespace
|
- namespace
|
||||||
- name
|
- name
|
||||||
- name: v1beta5
|
- name: v1beta5
|
||||||
served: true
|
|
||||||
storage: false
|
|
||||||
deprecated: true
|
|
||||||
schema:
|
|
||||||
openAPIV3Schema:
|
|
||||||
type: object
|
|
||||||
properties:
|
|
||||||
spec:
|
|
||||||
type: object
|
|
||||||
properties:
|
|
||||||
filename:
|
|
||||||
type: string
|
|
||||||
template:
|
|
||||||
type: string
|
|
||||||
namespace:
|
|
||||||
type: string
|
|
||||||
name:
|
|
||||||
type: string
|
|
||||||
labels:
|
|
||||||
type: object
|
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
|
||||||
required:
|
|
||||||
- filename
|
|
||||||
- template
|
|
||||||
- namespace
|
|
||||||
- name
|
|
||||||
- name: v1beta6
|
|
||||||
served: true
|
|
||||||
storage: false
|
|
||||||
deprecated: true
|
|
||||||
schema:
|
|
||||||
openAPIV3Schema:
|
|
||||||
type: object
|
|
||||||
properties:
|
|
||||||
spec:
|
|
||||||
type: object
|
|
||||||
properties:
|
|
||||||
filename:
|
|
||||||
type: string
|
|
||||||
template:
|
|
||||||
type: string
|
|
||||||
namespace:
|
|
||||||
type: string
|
|
||||||
name:
|
|
||||||
type: string
|
|
||||||
labels:
|
|
||||||
type: object
|
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
|
||||||
annotations:
|
|
||||||
type: object
|
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
|
||||||
required:
|
|
||||||
- filename
|
|
||||||
- template
|
|
||||||
- namespace
|
|
||||||
- name
|
|
||||||
- name: v1beta7
|
|
||||||
served: true
|
served: true
|
||||||
storage: true
|
storage: true
|
||||||
schema:
|
schema:
|
||||||
@ -112,14 +55,9 @@ spec:
|
|||||||
type: string
|
type: string
|
||||||
name:
|
name:
|
||||||
type: string
|
type: string
|
||||||
secretType:
|
|
||||||
type: string
|
|
||||||
labels:
|
labels:
|
||||||
type: object
|
type: object
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
annotations:
|
|
||||||
type: object
|
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
|
||||||
required:
|
required:
|
||||||
- filename
|
- filename
|
||||||
- template
|
- template
|
||||||
|
@ -44,75 +44,6 @@ spec:
|
|||||||
- passwordRef
|
- passwordRef
|
||||||
- registry
|
- registry
|
||||||
- name: v1beta5
|
- name: v1beta5
|
||||||
served: true
|
|
||||||
storage: false
|
|
||||||
deprecated: true
|
|
||||||
schema:
|
|
||||||
openAPIV3Schema:
|
|
||||||
type: object
|
|
||||||
properties:
|
|
||||||
spec:
|
|
||||||
type: object
|
|
||||||
properties:
|
|
||||||
usernameRef:
|
|
||||||
type: string
|
|
||||||
passwordRef:
|
|
||||||
type: string
|
|
||||||
registry:
|
|
||||||
type: string
|
|
||||||
id:
|
|
||||||
type: string
|
|
||||||
namespace:
|
|
||||||
type: string
|
|
||||||
name:
|
|
||||||
type: string
|
|
||||||
labels:
|
|
||||||
type: object
|
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
|
||||||
required:
|
|
||||||
- id
|
|
||||||
- namespace
|
|
||||||
- name
|
|
||||||
- usernameRef
|
|
||||||
- passwordRef
|
|
||||||
- registry
|
|
||||||
- name: v1beta6
|
|
||||||
served: true
|
|
||||||
storage: false
|
|
||||||
deprecated: true
|
|
||||||
schema:
|
|
||||||
openAPIV3Schema:
|
|
||||||
type: object
|
|
||||||
properties:
|
|
||||||
spec:
|
|
||||||
type: object
|
|
||||||
properties:
|
|
||||||
usernameRef:
|
|
||||||
type: string
|
|
||||||
passwordRef:
|
|
||||||
type: string
|
|
||||||
registry:
|
|
||||||
type: string
|
|
||||||
id:
|
|
||||||
type: string
|
|
||||||
namespace:
|
|
||||||
type: string
|
|
||||||
name:
|
|
||||||
type: string
|
|
||||||
labels:
|
|
||||||
type: object
|
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
|
||||||
annotations:
|
|
||||||
type: object
|
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
|
||||||
required:
|
|
||||||
- id
|
|
||||||
- namespace
|
|
||||||
- name
|
|
||||||
- usernameRef
|
|
||||||
- passwordRef
|
|
||||||
- registry
|
|
||||||
- name: v1beta7
|
|
||||||
served: true
|
served: true
|
||||||
storage: true
|
storage: true
|
||||||
schema:
|
schema:
|
||||||
@ -137,9 +68,6 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
type: object
|
type: object
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
annotations:
|
|
||||||
type: object
|
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
|
||||||
required:
|
required:
|
||||||
- id
|
- id
|
||||||
- namespace
|
- namespace
|
||||||
|
@ -8,8 +8,6 @@ spec:
|
|||||||
{{- if not .Values.autoscaling.enabled }}
|
{{- if not .Values.autoscaling.enabled }}
|
||||||
replicas: {{ .Values.replicaCount }}
|
replicas: {{ .Values.replicaCount }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
strategy:
|
|
||||||
type: {{ .Values.deploymentStrategy }}
|
|
||||||
selector:
|
selector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
{{- include "bitwarden-crd-operator.selectorLabels" . | nindent 6 }}
|
{{- include "bitwarden-crd-operator.selectorLabels" . | nindent 6 }}
|
||||||
|
@ -14,8 +14,6 @@ imagePullSecrets: []
|
|||||||
nameOverride: ""
|
nameOverride: ""
|
||||||
fullnameOverride: ""
|
fullnameOverride: ""
|
||||||
|
|
||||||
deploymentStrategy: "Recreate"
|
|
||||||
|
|
||||||
# env:
|
# env:
|
||||||
# - name: BW_FORCE_SYNC
|
# - name: BW_FORCE_SYNC
|
||||||
# value: "false"
|
# value: "false"
|
||||||
|
@ -1,9 +1,8 @@
|
|||||||
---
|
---
|
||||||
apiVersion: "lerentis.uploadfilter24.eu/v1beta7"
|
apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
|
||||||
kind: BitwardenSecret
|
kind: BitwardenSecret
|
||||||
metadata:
|
metadata:
|
||||||
name: test
|
name: test
|
||||||
namespace: default
|
|
||||||
spec:
|
spec:
|
||||||
content:
|
content:
|
||||||
- element:
|
- element:
|
||||||
@ -16,15 +15,12 @@ spec:
|
|||||||
secretScope: login
|
secretScope: login
|
||||||
id: "88781348-c81c-4367-9801-550360c21295"
|
id: "88781348-c81c-4367-9801-550360c21295"
|
||||||
name: "test-secret"
|
name: "test-secret"
|
||||||
secretType: Opaque
|
|
||||||
namespace: "default"
|
namespace: "default"
|
||||||
labels:
|
labels:
|
||||||
key: value
|
key: value
|
||||||
app: example-app
|
app: example-app
|
||||||
annotations:
|
|
||||||
custom.annotation: is-used
|
|
||||||
---
|
---
|
||||||
apiVersion: "lerentis.uploadfilter24.eu/v1beta7"
|
apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
|
||||||
kind: BitwardenSecret
|
kind: BitwardenSecret
|
||||||
metadata:
|
metadata:
|
||||||
name: test-scope
|
name: test-scope
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
---
|
---
|
||||||
apiVersion: "lerentis.uploadfilter24.eu/v1beta7"
|
apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
|
||||||
kind: RegistryCredential
|
kind: RegistryCredential
|
||||||
metadata:
|
metadata:
|
||||||
name: test
|
name: test
|
||||||
@ -13,5 +13,3 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
namespace: default
|
namespace: default
|
||||||
tenant: example-team
|
tenant: example-team
|
||||||
annotations:
|
|
||||||
custom.annotation: is-used
|
|
@ -1,5 +1,5 @@
|
|||||||
---
|
---
|
||||||
apiVersion: "lerentis.uploadfilter24.eu/v1beta7"
|
apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
|
||||||
kind: BitwardenTemplate
|
kind: BitwardenTemplate
|
||||||
metadata:
|
metadata:
|
||||||
name: test
|
name: test
|
||||||
@ -10,8 +10,6 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
key: value
|
key: value
|
||||||
app: example-app
|
app: example-app
|
||||||
annotations:
|
|
||||||
custom.annotation: is-used
|
|
||||||
template: |
|
template: |
|
||||||
---
|
---
|
||||||
api:
|
api:
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
kopf==1.37.2
|
kopf==1.36.2
|
||||||
kubernetes==29.0.0
|
kubernetes==26.1.0
|
||||||
Jinja2==3.1.4
|
Jinja2==3.1.2
|
||||||
schedule==1.2.2
|
schedule==1.2.1
|
@ -1,10 +1,8 @@
|
|||||||
apiVersion: skaffold/v4beta9
|
apiVersion: skaffold/v4beta5
|
||||||
kind: Config
|
kind: Config
|
||||||
metadata:
|
metadata:
|
||||||
name: bitwarden-crd-operator
|
name: bitwarden-crd-operator
|
||||||
build:
|
build:
|
||||||
tagPolicy:
|
|
||||||
sha256: {}
|
|
||||||
artifacts:
|
artifacts:
|
||||||
- image: ghcr.io/lerentis/bitwarden-crd-operator
|
- image: ghcr.io/lerentis/bitwarden-crd-operator
|
||||||
docker:
|
docker:
|
||||||
@ -15,43 +13,5 @@ deploy:
|
|||||||
- name: bitwarden-crd-operator
|
- name: bitwarden-crd-operator
|
||||||
chartPath: charts/bitwarden-crd-operator
|
chartPath: charts/bitwarden-crd-operator
|
||||||
valuesFiles:
|
valuesFiles:
|
||||||
- ./charts/bitwarden-crd-operator/myvalues.yaml
|
- env/values.yaml
|
||||||
setValueTemplates:
|
version: v0.7.4
|
||||||
image.repository: "{{.IMAGE_REPO_ghcr_io_lerentis_bitwarden_crd_operator}}"
|
|
||||||
image.tag: "{{.IMAGE_TAG_ghcr_io_lerentis_bitwarden_crd_operator}}@{{.IMAGE_DIGEST_ghcr_io_lerentis_bitwarden_crd_operator}}"
|
|
||||||
hooks:
|
|
||||||
after:
|
|
||||||
- host:
|
|
||||||
command:
|
|
||||||
- kubectl
|
|
||||||
- apply
|
|
||||||
- -f
|
|
||||||
- ./example*.yaml
|
|
||||||
- host:
|
|
||||||
command:
|
|
||||||
- sleep
|
|
||||||
- '5'
|
|
||||||
- host:
|
|
||||||
command:
|
|
||||||
- kubectl
|
|
||||||
- get
|
|
||||||
- secret
|
|
||||||
- test-regcred
|
|
||||||
- host:
|
|
||||||
command:
|
|
||||||
- kubectl
|
|
||||||
- get
|
|
||||||
- secret
|
|
||||||
- test-scope
|
|
||||||
- host:
|
|
||||||
command:
|
|
||||||
- kubectl
|
|
||||||
- get
|
|
||||||
- secret
|
|
||||||
- test-secret
|
|
||||||
- host:
|
|
||||||
command:
|
|
||||||
- kubectl
|
|
||||||
- get
|
|
||||||
- secret
|
|
||||||
- test-template
|
|
||||||
|
@ -45,7 +45,6 @@ def create_managed_registry_secret(spec, name, namespace, logger, **kwargs):
|
|||||||
secret_name = spec.get('name')
|
secret_name = spec.get('name')
|
||||||
secret_namespace = spec.get('namespace')
|
secret_namespace = spec.get('namespace')
|
||||||
labels = spec.get('labels')
|
labels = spec.get('labels')
|
||||||
custom_annotations = spec.get('annotations')
|
|
||||||
|
|
||||||
unlock_bw(logger)
|
unlock_bw(logger)
|
||||||
logger.info(f"Locking up secret with ID: {id}")
|
logger.info(f"Locking up secret with ID: {id}")
|
||||||
@ -58,9 +57,6 @@ def create_managed_registry_secret(spec, name, namespace, logger, **kwargs):
|
|||||||
"managedObject": f"{namespace}/{name}"
|
"managedObject": f"{namespace}/{name}"
|
||||||
}
|
}
|
||||||
|
|
||||||
if custom_annotations:
|
|
||||||
annotations.update(custom_annotations)
|
|
||||||
|
|
||||||
if not labels:
|
if not labels:
|
||||||
labels = {}
|
labels = {}
|
||||||
|
|
||||||
@ -75,11 +71,6 @@ def create_managed_registry_secret(spec, name, namespace, logger, **kwargs):
|
|||||||
password_ref,
|
password_ref,
|
||||||
registry)
|
registry)
|
||||||
|
|
||||||
# Garbage collection will delete the generated secret if the owner
|
|
||||||
# Is not in the same namespace as the generated secret
|
|
||||||
if secret_namespace == namespace:
|
|
||||||
kopf.append_owner_reference(secret)
|
|
||||||
|
|
||||||
api.create_namespaced_secret(
|
api.create_namespaced_secret(
|
||||||
secret_namespace, secret
|
secret_namespace, secret
|
||||||
)
|
)
|
||||||
@ -106,7 +97,6 @@ def update_managed_registry_secret(
|
|||||||
secret_name = spec.get('name')
|
secret_name = spec.get('name')
|
||||||
secret_namespace = spec.get('namespace')
|
secret_namespace = spec.get('namespace')
|
||||||
labels = spec.get('labels')
|
labels = spec.get('labels')
|
||||||
custom_annotations = spec.get('annotations')
|
|
||||||
|
|
||||||
old_config = None
|
old_config = None
|
||||||
old_secret_name = None
|
old_secret_name = None
|
||||||
@ -144,9 +134,6 @@ def update_managed_registry_secret(
|
|||||||
"managedObject": f"{namespace}/{name}"
|
"managedObject": f"{namespace}/{name}"
|
||||||
}
|
}
|
||||||
|
|
||||||
if custom_annotations:
|
|
||||||
annotations.update(custom_annotations)
|
|
||||||
|
|
||||||
if not labels:
|
if not labels:
|
||||||
labels = {}
|
labels = {}
|
||||||
|
|
||||||
@ -160,12 +147,6 @@ def update_managed_registry_secret(
|
|||||||
username_ref,
|
username_ref,
|
||||||
password_ref,
|
password_ref,
|
||||||
registry)
|
registry)
|
||||||
|
|
||||||
# Garbage collection will delete the generated secret if the owner
|
|
||||||
# Is not in the same namespace as the generated secret
|
|
||||||
if secret_namespace == namespace:
|
|
||||||
kopf.append_owner_reference(secret)
|
|
||||||
|
|
||||||
try:
|
try:
|
||||||
api.replace_namespaced_secret(
|
api.replace_namespaced_secret(
|
||||||
name=secret_name,
|
name=secret_name,
|
||||||
@ -173,12 +154,9 @@ def update_managed_registry_secret(
|
|||||||
namespace="{}".format(secret_namespace))
|
namespace="{}".format(secret_namespace))
|
||||||
logger.info(
|
logger.info(
|
||||||
f"Secret {secret_namespace}/{secret_name} has been updated")
|
f"Secret {secret_namespace}/{secret_name} has been updated")
|
||||||
except BaseException as e:
|
except BaseException:
|
||||||
logger.warn(
|
logger.warn(
|
||||||
f"Could not update secret {secret_namespace}/{secret_name}!")
|
f"Could not update secret {secret_namespace}/{secret_name}!")
|
||||||
logger.warn(
|
|
||||||
f"Exception: {e}"
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
@kopf.on.delete('registry-credential.lerentis.uploadfilter24.eu')
|
@kopf.on.delete('registry-credential.lerentis.uploadfilter24.eu')
|
||||||
|
55
src/kv.py
55
src/kv.py
@ -3,9 +3,10 @@ import kubernetes
|
|||||||
import base64
|
import base64
|
||||||
import json
|
import json
|
||||||
|
|
||||||
from utils.utils import unlock_bw, get_secret_from_bitwarden, parse_login_scope, parse_fields_scope, get_attachment, bw_sync_interval
|
from utils.utils import unlock_bw, get_secret_from_bitwarden, parse_login_scope, parse_fields_scope, bw_sync_interval
|
||||||
|
|
||||||
def create_kv(logger, id, secret, secret_json, content_def):
|
def create_kv(secret, secret_json, content_def):
|
||||||
|
secret.type = "Opaque"
|
||||||
secret.data = {}
|
secret.data = {}
|
||||||
for eleml in content_def:
|
for eleml in content_def:
|
||||||
for k, elem in eleml.items():
|
for k, elem in eleml.items():
|
||||||
@ -30,13 +31,6 @@ def create_kv(logger, id, secret, secret_json, content_def):
|
|||||||
f"Field {_secret_key} has no value in bitwarden secret")
|
f"Field {_secret_key} has no value in bitwarden secret")
|
||||||
secret.data[_secret_ref] = str(base64.b64encode(
|
secret.data[_secret_ref] = str(base64.b64encode(
|
||||||
value.encode("utf-8")), "utf-8")
|
value.encode("utf-8")), "utf-8")
|
||||||
if _secret_scope == "attachment":
|
|
||||||
value = get_attachment(logger, id, _secret_key)
|
|
||||||
if value is None:
|
|
||||||
raise Exception(
|
|
||||||
f"Attachment {_secret_key} has no value in bitwarden secret")
|
|
||||||
secret.data[_secret_ref] = str(base64.b64encode(
|
|
||||||
value.encode("utf-8")), "utf-8")
|
|
||||||
return secret
|
return secret
|
||||||
|
|
||||||
|
|
||||||
@ -48,8 +42,6 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
|
|||||||
secret_name = spec.get('name')
|
secret_name = spec.get('name')
|
||||||
secret_namespace = spec.get('namespace')
|
secret_namespace = spec.get('namespace')
|
||||||
labels = spec.get('labels')
|
labels = spec.get('labels')
|
||||||
custom_annotations = spec.get('annotations')
|
|
||||||
custom_secret_type = spec.get('secretType')
|
|
||||||
|
|
||||||
unlock_bw(logger)
|
unlock_bw(logger)
|
||||||
logger.info(f"Locking up secret with ID: {id}")
|
logger.info(f"Locking up secret with ID: {id}")
|
||||||
@ -62,25 +54,13 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
|
|||||||
"managedObject": f"{namespace}/{name}"
|
"managedObject": f"{namespace}/{name}"
|
||||||
}
|
}
|
||||||
|
|
||||||
if custom_annotations:
|
|
||||||
annotations.update(custom_annotations)
|
|
||||||
|
|
||||||
if not custom_secret_type:
|
|
||||||
custom_secret_type = 'Opaque'
|
|
||||||
|
|
||||||
if not labels:
|
if not labels:
|
||||||
labels = {}
|
labels = {}
|
||||||
|
|
||||||
secret = kubernetes.client.V1Secret()
|
secret = kubernetes.client.V1Secret()
|
||||||
secret.metadata = kubernetes.client.V1ObjectMeta(
|
secret.metadata = kubernetes.client.V1ObjectMeta(
|
||||||
name=secret_name, annotations=annotations, labels=labels)
|
name=secret_name, annotations=annotations, labels=labels)
|
||||||
secret.type = custom_secret_type
|
secret = create_kv(secret, secret_json_object, content_def)
|
||||||
secret = create_kv(logger, id, secret, secret_json_object, content_def)
|
|
||||||
|
|
||||||
# Garbage collection will delete the generated secret if the owner
|
|
||||||
# Is not in the same namespace as the generated secret
|
|
||||||
if secret_namespace == namespace:
|
|
||||||
kopf.append_owner_reference(secret)
|
|
||||||
|
|
||||||
api.create_namespaced_secret(
|
api.create_namespaced_secret(
|
||||||
namespace="{}".format(secret_namespace),
|
namespace="{}".format(secret_namespace),
|
||||||
@ -106,27 +86,20 @@ def update_managed_secret(
|
|||||||
old_config = None
|
old_config = None
|
||||||
old_secret_name = None
|
old_secret_name = None
|
||||||
old_secret_namespace = None
|
old_secret_namespace = None
|
||||||
old_secret_type = None
|
|
||||||
if 'kopf.zalando.org/last-handled-configuration' in body.metadata.annotations:
|
if 'kopf.zalando.org/last-handled-configuration' in body.metadata.annotations:
|
||||||
old_config = json.loads(
|
old_config = json.loads(
|
||||||
body.metadata.annotations['kopf.zalando.org/last-handled-configuration'])
|
body.metadata.annotations['kopf.zalando.org/last-handled-configuration'])
|
||||||
old_secret_name = old_config['spec'].get('name')
|
old_secret_name = old_config['spec'].get('name')
|
||||||
old_secret_namespace = old_config['spec'].get('namespace')
|
old_secret_namespace = old_config['spec'].get('namespace')
|
||||||
old_secret_type = old_config['spec'].get('type')
|
|
||||||
secret_name = spec.get('name')
|
secret_name = spec.get('name')
|
||||||
secret_namespace = spec.get('namespace')
|
secret_namespace = spec.get('namespace')
|
||||||
labels = spec.get('labels')
|
labels = spec.get('labels')
|
||||||
custom_annotations = spec.get('annotations')
|
|
||||||
custom_secret_type = spec.get('secretType')
|
|
||||||
|
|
||||||
if not custom_secret_type:
|
|
||||||
custom_secret_type = 'Opaque'
|
|
||||||
|
|
||||||
if old_config is not None and (
|
if old_config is not None and (
|
||||||
old_secret_name != secret_name or old_secret_namespace != secret_namespace or old_secret_type != custom_secret_type):
|
old_secret_name != secret_name or old_secret_namespace != secret_namespace):
|
||||||
# If the name of the secret or the namespace of the secret is different
|
# If the name of the secret or the namespace of the secret is different
|
||||||
# We have to delete the secret an recreate it
|
# We have to delete the secret an recreate it
|
||||||
logger.info("Secret name, namespace or type changed, let's recreate it")
|
logger.info("Secret name or namespace changed, let's recreate it")
|
||||||
delete_managed_secret(
|
delete_managed_secret(
|
||||||
old_config['spec'],
|
old_config['spec'],
|
||||||
name,
|
name,
|
||||||
@ -147,22 +120,13 @@ def update_managed_secret(
|
|||||||
"managedObject": f"{namespace}/{name}"
|
"managedObject": f"{namespace}/{name}"
|
||||||
}
|
}
|
||||||
|
|
||||||
if custom_annotations:
|
|
||||||
annotations.update(custom_annotations)
|
|
||||||
|
|
||||||
if not labels:
|
if not labels:
|
||||||
labels = {}
|
labels = {}
|
||||||
|
|
||||||
secret = kubernetes.client.V1Secret()
|
secret = kubernetes.client.V1Secret()
|
||||||
secret.metadata = kubernetes.client.V1ObjectMeta(
|
secret.metadata = kubernetes.client.V1ObjectMeta(
|
||||||
name=secret_name, annotations=annotations, labels=labels)
|
name=secret_name, annotations=annotations, labels=labels)
|
||||||
secret.type = custom_secret_type
|
secret = create_kv(secret, secret_json_object, content_def)
|
||||||
secret = create_kv(logger, id, secret, secret_json_object, content_def)
|
|
||||||
|
|
||||||
# Garbage collection will delete the generated secret if the owner
|
|
||||||
# Is not in the same namespace as the generated secret
|
|
||||||
if secret_namespace == namespace:
|
|
||||||
kopf.append_owner_reference(secret)
|
|
||||||
|
|
||||||
try:
|
try:
|
||||||
api.replace_namespaced_secret(
|
api.replace_namespaced_secret(
|
||||||
@ -171,12 +135,9 @@ def update_managed_secret(
|
|||||||
namespace="{}".format(secret_namespace))
|
namespace="{}".format(secret_namespace))
|
||||||
logger.info(
|
logger.info(
|
||||||
f"Secret {secret_namespace}/{secret_name} has been updated")
|
f"Secret {secret_namespace}/{secret_name} has been updated")
|
||||||
except BaseException as e:
|
except BaseException:
|
||||||
logger.warn(
|
logger.warn(
|
||||||
f"Could not update secret {secret_namespace}/{secret_name}!")
|
f"Could not update secret {secret_namespace}/{secret_name}!")
|
||||||
logger.warn(
|
|
||||||
f"Exception: {e}"
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
@kopf.on.delete('bitwarden-secret.lerentis.uploadfilter24.eu')
|
@kopf.on.delete('bitwarden-secret.lerentis.uploadfilter24.eu')
|
||||||
|
@ -17,6 +17,7 @@ def render_template(logger, template):
|
|||||||
|
|
||||||
|
|
||||||
def create_template_secret(logger, secret, filename, template):
|
def create_template_secret(logger, secret, filename, template):
|
||||||
|
secret.type = "Opaque"
|
||||||
secret.data = {}
|
secret.data = {}
|
||||||
secret.data[filename] = str(
|
secret.data[filename] = str(
|
||||||
base64.b64encode(
|
base64.b64encode(
|
||||||
@ -33,8 +34,6 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
|
|||||||
secret_name = spec.get('name')
|
secret_name = spec.get('name')
|
||||||
secret_namespace = spec.get('namespace')
|
secret_namespace = spec.get('namespace')
|
||||||
labels = spec.get('labels')
|
labels = spec.get('labels')
|
||||||
custom_annotations = spec.get('annotations')
|
|
||||||
custom_secret_type = spec.get('secretType')
|
|
||||||
|
|
||||||
unlock_bw(logger)
|
unlock_bw(logger)
|
||||||
|
|
||||||
@ -45,26 +44,14 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
|
|||||||
"managedObject": f"{namespace}/{name}"
|
"managedObject": f"{namespace}/{name}"
|
||||||
}
|
}
|
||||||
|
|
||||||
if custom_annotations:
|
|
||||||
annotations.update(custom_annotations)
|
|
||||||
|
|
||||||
if not custom_secret_type:
|
|
||||||
custom_secret_type = 'Opaque'
|
|
||||||
|
|
||||||
if not labels:
|
if not labels:
|
||||||
labels = {}
|
labels = {}
|
||||||
|
|
||||||
secret = kubernetes.client.V1Secret()
|
secret = kubernetes.client.V1Secret()
|
||||||
secret.metadata = kubernetes.client.V1ObjectMeta(
|
secret.metadata = kubernetes.client.V1ObjectMeta(
|
||||||
name=secret_name, annotations=annotations, labels=labels)
|
name=secret_name, annotations=annotations, labels=labels)
|
||||||
secret.type = custom_secret_type
|
|
||||||
secret = create_template_secret(logger, secret, filename, template)
|
secret = create_template_secret(logger, secret, filename, template)
|
||||||
|
|
||||||
# Garbage collection will delete the generated secret if the owner
|
|
||||||
# Is not in the same namespace as the generated secret
|
|
||||||
if secret_namespace == namespace:
|
|
||||||
kopf.append_owner_reference(secret)
|
|
||||||
|
|
||||||
api.create_namespaced_secret(
|
api.create_namespaced_secret(
|
||||||
secret_namespace, secret
|
secret_namespace, secret
|
||||||
)
|
)
|
||||||
@ -88,27 +75,20 @@ def update_managed_secret(
|
|||||||
secret_name = spec.get('name')
|
secret_name = spec.get('name')
|
||||||
secret_namespace = spec.get('namespace')
|
secret_namespace = spec.get('namespace')
|
||||||
labels = spec.get('labels')
|
labels = spec.get('labels')
|
||||||
custom_annotations = spec.get('annotations')
|
|
||||||
custom_secret_type = spec.get('secretType')
|
|
||||||
|
|
||||||
if not custom_secret_type:
|
|
||||||
custom_secret_type = 'Opaque'
|
|
||||||
|
|
||||||
old_config = None
|
old_config = None
|
||||||
old_secret_name = None
|
old_secret_name = None
|
||||||
old_secret_namespace = None
|
old_secret_namespace = None
|
||||||
old_secret_type = None
|
|
||||||
if 'kopf.zalando.org/last-handled-configuration' in body.metadata.annotations:
|
if 'kopf.zalando.org/last-handled-configuration' in body.metadata.annotations:
|
||||||
old_config = json.loads(
|
old_config = json.loads(
|
||||||
body.metadata.annotations['kopf.zalando.org/last-handled-configuration'])
|
body.metadata.annotations['kopf.zalando.org/last-handled-configuration'])
|
||||||
old_secret_name = old_config['spec'].get('name')
|
old_secret_name = old_config['spec'].get('name')
|
||||||
old_secret_namespace = old_config['spec'].get('namespace')
|
old_secret_namespace = old_config['spec'].get('namespace')
|
||||||
old_secret_type = old_config['spec'].get('type')
|
|
||||||
secret_name = spec.get('name')
|
secret_name = spec.get('name')
|
||||||
secret_namespace = spec.get('namespace')
|
secret_namespace = spec.get('namespace')
|
||||||
|
|
||||||
if old_config is not None and (
|
if old_config is not None and (
|
||||||
old_secret_name != secret_name or old_secret_namespace != secret_namespace or old_secret_type != custom_secret_type):
|
old_secret_name != secret_name or old_secret_namespace != secret_namespace):
|
||||||
# If the name of the secret or the namespace of the secret is different
|
# If the name of the secret or the namespace of the secret is different
|
||||||
# We have to delete the secret an recreate it
|
# We have to delete the secret an recreate it
|
||||||
logger.info("Secret name or namespace changed, let's recreate it")
|
logger.info("Secret name or namespace changed, let's recreate it")
|
||||||
@ -130,23 +110,14 @@ def update_managed_secret(
|
|||||||
"managedObject": f"{namespace}/{name}"
|
"managedObject": f"{namespace}/{name}"
|
||||||
}
|
}
|
||||||
|
|
||||||
if custom_annotations:
|
|
||||||
annotations.update(custom_annotations)
|
|
||||||
|
|
||||||
if not labels:
|
if not labels:
|
||||||
labels = {}
|
labels = {}
|
||||||
|
|
||||||
secret = kubernetes.client.V1Secret()
|
secret = kubernetes.client.V1Secret()
|
||||||
secret.metadata = kubernetes.client.V1ObjectMeta(
|
secret.metadata = kubernetes.client.V1ObjectMeta(
|
||||||
name=secret_name, annotations=annotations, labels=labels)
|
name=secret_name, annotations=annotations, labels=labels)
|
||||||
secret.type = custom_secret_type
|
|
||||||
secret = create_template_secret(logger, secret, filename, template)
|
secret = create_template_secret(logger, secret, filename, template)
|
||||||
|
|
||||||
# Garbage collection will delete the generated secret if the owner
|
|
||||||
# Is not in the same namespace as the generated secret
|
|
||||||
if secret_namespace == namespace:
|
|
||||||
kopf.append_owner_reference(secret)
|
|
||||||
|
|
||||||
try:
|
try:
|
||||||
api.replace_namespaced_secret(
|
api.replace_namespaced_secret(
|
||||||
name=secret_name,
|
name=secret_name,
|
||||||
@ -154,12 +125,9 @@ def update_managed_secret(
|
|||||||
namespace="{}".format(secret_namespace))
|
namespace="{}".format(secret_namespace))
|
||||||
logger.info(
|
logger.info(
|
||||||
f"Secret {secret_namespace}/{secret_name} has been updated")
|
f"Secret {secret_namespace}/{secret_name} has been updated")
|
||||||
except BaseException as e:
|
except BaseException:
|
||||||
logger.warn(
|
logger.warn(
|
||||||
f"Could not update secret {secret_namespace}/{secret_name}!")
|
f"Could not update secret {secret_namespace}/{secret_name}!")
|
||||||
logger.warn(
|
|
||||||
f"Exception: {e}"
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
@kopf.on.delete('bitwarden-template.lerentis.uploadfilter24.eu')
|
@kopf.on.delete('bitwarden-template.lerentis.uploadfilter24.eu')
|
||||||
|
Loading…
Reference in New Issue
Block a user