Compare commits

..

No commits in common. "e1418883353a37ff724ce3e897ca5fa69720555a" and "2bf13bc8c5c2291e2addaadebca32f527956e259" have entirely different histories.

18 changed files with 76 additions and 457 deletions

View File

@ -24,7 +24,7 @@ jobs:
git config user.email "$GITHUB_ACTOR@users.noreply.github.com" git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
- name: Install Helm - name: Install Helm
uses: azure/setup-helm@v4 uses: azure/setup-helm@v3
with: with:
version: v3.10.0 version: v3.10.0
@ -36,7 +36,7 @@ jobs:
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
- name: Get app version from chart - name: Get app version from chart
uses: mikefarah/yq@v4.44.2 uses: mikefarah/yq@v4.40.5
id: app_version id: app_version
with: with:
cmd: yq '.appVersion' charts/bitwarden-crd-operator/Chart.yaml cmd: yq '.appVersion' charts/bitwarden-crd-operator/Chart.yaml
@ -56,7 +56,7 @@ jobs:
- name: "GHCR Build and Push" - name: "GHCR Build and Push"
id: docker_build id: docker_build
uses: docker/build-push-action@v6 uses: docker/build-push-action@v5
with: with:
push: true push: true
platforms: linux/amd64,linux/arm64 platforms: linux/amd64,linux/arm64

View File

@ -12,7 +12,7 @@ jobs:
fetch-depth: 0 fetch-depth: 0
- name: Set up Helm - name: Set up Helm
uses: azure/setup-helm@v4 uses: azure/setup-helm@v3
with: with:
version: v3.11.2 version: v3.11.2
@ -36,18 +36,6 @@ jobs:
if: steps.list-changed.outputs.changed == 'true' if: steps.list-changed.outputs.changed == 'true'
run: ct lint --target-branch ${{ github.event.repository.default_branch }} run: ct lint --target-branch ${{ github.event.repository.default_branch }}
- name: Install ah cli
run: |
export AH_VERSION=1.17.0
curl -LO https://github.com/artifacthub/hub/releases/download/v${AH_VERSION}/ah_${AH_VERSION}_linux_amd64.tar.gz
tar -xf ah_${AH_VERSION}_linux_amd64.tar.gz
chmod +x ./ah
sudo mv ./ah /usr/bin/ah
rm LICENSE
- name: ah lint
run: |
ah lint
pr-build: pr-build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
@ -57,10 +45,11 @@ jobs:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3 uses: docker/setup-buildx-action@v3
- name: GHCR Build - name: "GHCR Build"
id: docker_build id: docker_build
uses: docker/build-push-action@v6 uses: docker/build-push-action@v5
with: with:
push: false push: false
platforms: linux/amd64,linux/arm64 platforms: linux/amd64,linux/arm64
tags: ghcr.io/lerentis/bitwarden-crd-operator:dev tags: ghcr.io/lerentis/bitwarden-crd-operator:dev

View File

@ -1,23 +1,39 @@
FROM alpine:3.19.1 FROM alpine:3.19.0
LABEL org.opencontainers.image.source=https://github.com/Lerentis/bitwarden-crd-operator LABEL org.opencontainers.image.source=https://github.com/Lerentis/bitwarden-crd-operator
LABEL org.opencontainers.image.description="Kubernetes Operator to create k8s secrets from bitwarden" LABEL org.opencontainers.image.description="Kubernetes Operator to create k8s secrets from bitwarden"
LABEL org.opencontainers.image.licenses=MIT LABEL org.opencontainers.image.licenses=MIT
ARG PYTHON_VERSION=3.11.9-r0 ARG PYTHON_VERSION=3.11.6-r1
ARG PIP_VERSION=23.3.1-r0 ARG PIP_VERSION=23.3.1-r0
ARG GCOMPAT_VERSION=1.1.0-r4 ARG GCOMPAT_VERSION=1.1.0-r4
ARG LIBCRYPTO_VERSION=3.1.4-r5 ARG LIBCRYPTO_VERSION=3.1.4-r2
ARG BW_VERSION=2023.7.0 ARG BW_VERSION=2023.7.0
ARG NODE_VERSION=20.12.1-r0 ARG NODE_VERSION=20.10.0-r1
COPY requirements.txt /requirements.txt COPY requirements.txt /requirements.txt
RUN set -eux; \ RUN set -eux; \
apk update; \ apk add --virtual build-dependencies wget unzip; \
apk del nodejs-current; \ ARCH="$(apk --print-arch)"; \
apk add nodejs=${NODE_VERSION} npm; \ case "${ARCH}" in \
npm install -g @bitwarden/cli@${BW_VERSION}; \ aarch64|arm64) \
apk add nodejs=${NODE_VERSION} npm; \
npm install -g @bitwarden/cli@${BW_VERSION}; \
;; \
amd64|x86_64) \
cd /tmp; \
wget https://github.com/bitwarden/clients/releases/download/cli-v${BW_VERSION}/bw-linux-${BW_VERSION}.zip; \
unzip /tmp/bw-linux-${BW_VERSION}.zip; \
mv /tmp/bw /usr/local/bin/bw; \
chmod +x /usr/local/bin/bw; \
;; \
*) \
echo "Unsupported arch: ${ARCH}"; \
exit 1; \
;; \
esac; \
apk del --purge build-dependencies; \
addgroup -S -g 1000 bw-operator; \ addgroup -S -g 1000 bw-operator; \
adduser -S -D -u 1000 -G bw-operator bw-operator; \ adduser -S -D -u 1000 -G bw-operator bw-operator; \
mkdir -p /home/bw-operator; \ mkdir -p /home/bw-operator; \

View File

@ -56,29 +56,25 @@ And you are set to create your first secret using this operator. For that you ne
```yaml ```yaml
--- ---
apiVersion: "lerentis.uploadfilter24.eu/v1beta7" apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
kind: BitwardenSecret kind: BitwardenSecret
metadata: metadata:
name: name-of-your-management-object name: name-of-your-management-object
spec: spec:
content: content:
- element: - element:
secretName: nameOfTheFieldInBitwarden # for example username or filename secretName: nameOfTheFieldInBitwarden # for example username
secretRef: nameOfTheKeyInTheSecretToBeCreated secretRef: nameOfTheKeyInTheSecretToBeCreated
secretScope: login # for custom entries on bitwarden use 'fields, for attachments use attachment' secretScope: login # for custom entries on bitwarden use 'fields'
- element: - element:
secretName: nameOfAnotherFieldInBitwarden # for example password or filename secretName: nameOfAnotherFieldInBitwarden # for example password
secretRef: nameOfAnotherKeyInTheSecretToBeCreated secretRef: nameOfAnotherKeyInTheSecretToBeCreated
secretScope: login # for custom entries on bitwarden use 'fields, for attachments use attachment' secretScope: login # for custom entries on bitwarden use 'fields'
id: "A Secret ID from bitwarden" id: "A Secret ID from bitwarden"
name: "Name of the secret to be created" name: "Name of the secret to be created"
secretType: # Optional (Default: Opaque)
namespace: "Namespace of the secret to be created" namespace: "Namespace of the secret to be created"
labels: # Optional labels: # Optional
key: value key: value
annotations: # Optional
key: value
``` ```
The ID can be extracted from the browser when you open a item the ID is in the URL. The resulting secret looks something like this: The ID can be extracted from the browser when you open a item the ID is in the URL. The resulting secret looks something like this:
@ -106,7 +102,7 @@ For managing registry credentials, or pull secrets, you can create another kind
```yaml ```yaml
--- ---
apiVersion: "lerentis.uploadfilter24.eu/v1beta7" apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
kind: RegistryCredential kind: RegistryCredential
metadata: metadata:
name: name-of-your-management-object name: name-of-your-management-object
@ -119,8 +115,6 @@ spec:
namespace: "Namespace of the secret to be created" namespace: "Namespace of the secret to be created"
labels: # Optional labels: # Optional
key: value key: value
annotations: # Optional
key: value
``` ```
The resulting secret looks something like this: The resulting secret looks something like this:
@ -147,19 +141,16 @@ One of the more freely defined types that can be used with this operator you can
```yaml ```yaml
--- ---
apiVersion: "lerentis.uploadfilter24.eu/v1beta7" apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
kind: BitwardenTemplate kind: BitwardenTemplate
metadata: metadata:
name: name-of-your-management-object name: name-of-your-management-object
spec: spec:
filename: "Key of the secret to be created" filename: "Key of the secret to be created"
name: "Name of the secret to be created" name: "Name of the secret to be created"
secretType: # Optional (Default: Opaque)
namespace: "Namespace of the secret to be created" namespace: "Namespace of the secret to be created"
labels: # Optional labels: # Optional
key: value key: value
annotations: # Optional
key: value
template: | template: |
--- ---
api: api:

View File

@ -4,9 +4,9 @@ description: Deploy the Bitwarden CRD Operator
type: application type: application
version: "v0.13.0" version: "v0.11.1"
appVersion: "0.12.0" appVersion: "0.10.1"
keywords: keywords:
- operator - operator
@ -32,22 +32,22 @@ annotations:
url: https://github.com/Lerentis/bitwarden-crd-operator url: https://github.com/Lerentis/bitwarden-crd-operator
artifacthub.io/crds: | artifacthub.io/crds: |
- kind: BitwardenSecret - kind: BitwardenSecret
version: v1beta7 version: v1beta5
name: bitwarden-secret name: bitwarden-secret
displayName: Bitwarden Secret displayName: Bitwarden Secret
description: Management Object to create secrets from bitwarden description: Management Object to create secrets from bitwarden
- kind: RegistryCredential - kind: RegistryCredential
version: v1beta7 version: v1beta5
name: registry-credential name: registry-credential
displayName: Regestry Credentials displayName: Regestry Credentials
description: Management Object to create regestry secrets from bitwarden description: Management Object to create regestry secrets from bitwarden
- kind: BitwardenTemplate - kind: BitwardenTemplate
version: v1beta7 version: v1beta5
name: bitwarden-template name: bitwarden-template
displayName: Bitwarden Template displayName: Bitwarden Template
description: Management Object to create secrets from a jinja template with a bitwarden lookup description: Management Object to create secrets from a jinja template with a bitwarden lookup
artifacthub.io/crdsExamples: | artifacthub.io/crdsExamples: |
- apiVersion: lerentis.uploadfilter24.eu/v1beta7 - apiVersion: lerentis.uploadfilter24.eu/v1beta5
kind: BitwardenSecret kind: BitwardenSecret
metadata: metadata:
name: test name: test
@ -61,13 +61,10 @@ annotations:
secretRef: passwordOfUser secretRef: passwordOfUser
id: "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" id: "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
name: "test-secret" name: "test-secret"
secretType: Obaque #Optional
namespace: "default" namespace: "default"
labels: labels:
key: value key: value
annotations: - apiVersion: lerentis.uploadfilter24.eu/v1beta5
key: value
- apiVersion: lerentis.uploadfilter24.eu/v1beta7
kind: RegistryCredential kind: RegistryCredential
metadata: metadata:
name: test name: test
@ -80,21 +77,16 @@ annotations:
namespace: "default" namespace: "default"
labels: labels:
key: value key: value
annotations: - apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
key: value
- apiVersion: "lerentis.uploadfilter24.eu/v1beta7"
kind: BitwardenTemplate kind: BitwardenTemplate
metadata: metadata:
name: test name: test
spec: spec:
filename: "config.yaml" filename: "config.yaml"
name: "test-regcred" name: "test-regcred"
secretType: Obaque #Optional
namespace: "default" namespace: "default"
labels: labels:
key: value key: value
annotations:
key: value
template: | template: |
--- ---
api: api:
@ -109,12 +101,10 @@ annotations:
artifacthub.io/operator: "true" artifacthub.io/operator: "true"
artifacthub.io/containsSecurityUpdates: "false" artifacthub.io/containsSecurityUpdates: "false"
artifacthub.io/changes: | artifacthub.io/changes: |
- kind: added - kind: fixed
description: "Allow custom type for generated secrets" description: "Downgrade node to LTS in order to make bw cli work on arm"
- kind: added - kind: changed
description: "Allow attachments in generated secrets" description: "Update bw cli to 2023.7.0 for the same reason"
- kind: added
description: "Allow custom type in templated secrets"
artifacthub.io/images: | artifacthub.io/images: |
- name: bitwarden-crd-operator - name: bitwarden-crd-operator
image: ghcr.io/lerentis/bitwarden-crd-operator:0.12.0 image: ghcr.io/lerentis/bitwarden-crd-operator:0.10.1

View File

@ -51,89 +51,6 @@ spec:
- namespace - namespace
- name - name
- name: v1beta5 - name: v1beta5
served: true
storage: false
deprecated: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
content:
type: array
items:
type: object
properties:
element:
type: object
properties:
secretName:
type: string
secretRef:
type: string
secretScope:
type: string
required:
- secretName
id:
type: string
namespace:
type: string
name:
type: string
labels:
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- id
- namespace
- name
- name: v1beta6
served: true
storage: false
deprecated: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
content:
type: array
items:
type: object
properties:
element:
type: object
properties:
secretName:
type: string
secretRef:
type: string
secretScope:
type: string
required:
- secretName
id:
type: string
namespace:
type: string
name:
type: string
labels:
type: object
x-kubernetes-preserve-unknown-fields: true
annotations:
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- id
- namespace
- name
- name: v1beta7
served: true served: true
storage: true storage: true
schema: schema:
@ -165,14 +82,9 @@ spec:
type: string type: string
name: name:
type: string type: string
secretType:
type: string
labels: labels:
type: object type: object
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
annotations:
type: object
x-kubernetes-preserve-unknown-fields: true
required: required:
- id - id
- namespace - namespace

View File

@ -38,63 +38,6 @@ spec:
- namespace - namespace
- name - name
- name: v1beta5 - name: v1beta5
served: true
storage: false
deprecated: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
filename:
type: string
template:
type: string
namespace:
type: string
name:
type: string
labels:
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- filename
- template
- namespace
- name
- name: v1beta6
served: true
storage: false
deprecated: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
filename:
type: string
template:
type: string
namespace:
type: string
name:
type: string
labels:
type: object
x-kubernetes-preserve-unknown-fields: true
annotations:
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- filename
- template
- namespace
- name
- name: v1beta7
served: true served: true
storage: true storage: true
schema: schema:
@ -112,14 +55,9 @@ spec:
type: string type: string
name: name:
type: string type: string
secretType:
type: string
labels: labels:
type: object type: object
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
annotations:
type: object
x-kubernetes-preserve-unknown-fields: true
required: required:
- filename - filename
- template - template

View File

@ -44,75 +44,6 @@ spec:
- passwordRef - passwordRef
- registry - registry
- name: v1beta5 - name: v1beta5
served: true
storage: false
deprecated: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
usernameRef:
type: string
passwordRef:
type: string
registry:
type: string
id:
type: string
namespace:
type: string
name:
type: string
labels:
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- id
- namespace
- name
- usernameRef
- passwordRef
- registry
- name: v1beta6
served: true
storage: false
deprecated: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
usernameRef:
type: string
passwordRef:
type: string
registry:
type: string
id:
type: string
namespace:
type: string
name:
type: string
labels:
type: object
x-kubernetes-preserve-unknown-fields: true
annotations:
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- id
- namespace
- name
- usernameRef
- passwordRef
- registry
- name: v1beta7
served: true served: true
storage: true storage: true
schema: schema:
@ -137,9 +68,6 @@ spec:
labels: labels:
type: object type: object
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
annotations:
type: object
x-kubernetes-preserve-unknown-fields: true
required: required:
- id - id
- namespace - namespace

View File

@ -8,8 +8,6 @@ spec:
{{- if not .Values.autoscaling.enabled }} {{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }} replicas: {{ .Values.replicaCount }}
{{- end }} {{- end }}
strategy:
type: {{ .Values.deploymentStrategy }}
selector: selector:
matchLabels: matchLabels:
{{- include "bitwarden-crd-operator.selectorLabels" . | nindent 6 }} {{- include "bitwarden-crd-operator.selectorLabels" . | nindent 6 }}

View File

@ -14,8 +14,6 @@ imagePullSecrets: []
nameOverride: "" nameOverride: ""
fullnameOverride: "" fullnameOverride: ""
deploymentStrategy: "Recreate"
# env: # env:
# - name: BW_FORCE_SYNC # - name: BW_FORCE_SYNC
# value: "false" # value: "false"

View File

@ -1,9 +1,8 @@
--- ---
apiVersion: "lerentis.uploadfilter24.eu/v1beta7" apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
kind: BitwardenSecret kind: BitwardenSecret
metadata: metadata:
name: test name: test
namespace: default
spec: spec:
content: content:
- element: - element:
@ -16,15 +15,12 @@ spec:
secretScope: login secretScope: login
id: "88781348-c81c-4367-9801-550360c21295" id: "88781348-c81c-4367-9801-550360c21295"
name: "test-secret" name: "test-secret"
secretType: Opaque
namespace: "default" namespace: "default"
labels: labels:
key: value key: value
app: example-app app: example-app
annotations:
custom.annotation: is-used
--- ---
apiVersion: "lerentis.uploadfilter24.eu/v1beta7" apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
kind: BitwardenSecret kind: BitwardenSecret
metadata: metadata:
name: test-scope name: test-scope

View File

@ -1,5 +1,5 @@
--- ---
apiVersion: "lerentis.uploadfilter24.eu/v1beta7" apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
kind: RegistryCredential kind: RegistryCredential
metadata: metadata:
name: test name: test
@ -13,5 +13,3 @@ spec:
labels: labels:
namespace: default namespace: default
tenant: example-team tenant: example-team
annotations:
custom.annotation: is-used

View File

@ -1,5 +1,5 @@
--- ---
apiVersion: "lerentis.uploadfilter24.eu/v1beta7" apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
kind: BitwardenTemplate kind: BitwardenTemplate
metadata: metadata:
name: test name: test
@ -10,8 +10,6 @@ spec:
labels: labels:
key: value key: value
app: example-app app: example-app
annotations:
custom.annotation: is-used
template: | template: |
--- ---
api: api:

View File

@ -1,4 +1,4 @@
kopf==1.37.2 kopf==1.36.2
kubernetes==29.0.0 kubernetes==26.1.0
Jinja2==3.1.4 Jinja2==3.1.2
schedule==1.2.2 schedule==1.2.1

View File

@ -1,10 +1,8 @@
apiVersion: skaffold/v4beta9 apiVersion: skaffold/v4beta5
kind: Config kind: Config
metadata: metadata:
name: bitwarden-crd-operator name: bitwarden-crd-operator
build: build:
tagPolicy:
sha256: {}
artifacts: artifacts:
- image: ghcr.io/lerentis/bitwarden-crd-operator - image: ghcr.io/lerentis/bitwarden-crd-operator
docker: docker:
@ -15,43 +13,5 @@ deploy:
- name: bitwarden-crd-operator - name: bitwarden-crd-operator
chartPath: charts/bitwarden-crd-operator chartPath: charts/bitwarden-crd-operator
valuesFiles: valuesFiles:
- ./charts/bitwarden-crd-operator/myvalues.yaml - env/values.yaml
setValueTemplates: version: v0.7.4
image.repository: "{{.IMAGE_REPO_ghcr_io_lerentis_bitwarden_crd_operator}}"
image.tag: "{{.IMAGE_TAG_ghcr_io_lerentis_bitwarden_crd_operator}}@{{.IMAGE_DIGEST_ghcr_io_lerentis_bitwarden_crd_operator}}"
hooks:
after:
- host:
command:
- kubectl
- apply
- -f
- ./example*.yaml
- host:
command:
- sleep
- '5'
- host:
command:
- kubectl
- get
- secret
- test-regcred
- host:
command:
- kubectl
- get
- secret
- test-scope
- host:
command:
- kubectl
- get
- secret
- test-secret
- host:
command:
- kubectl
- get
- secret
- test-template

View File

@ -45,7 +45,6 @@ def create_managed_registry_secret(spec, name, namespace, logger, **kwargs):
secret_name = spec.get('name') secret_name = spec.get('name')
secret_namespace = spec.get('namespace') secret_namespace = spec.get('namespace')
labels = spec.get('labels') labels = spec.get('labels')
custom_annotations = spec.get('annotations')
unlock_bw(logger) unlock_bw(logger)
logger.info(f"Locking up secret with ID: {id}") logger.info(f"Locking up secret with ID: {id}")
@ -58,9 +57,6 @@ def create_managed_registry_secret(spec, name, namespace, logger, **kwargs):
"managedObject": f"{namespace}/{name}" "managedObject": f"{namespace}/{name}"
} }
if custom_annotations:
annotations.update(custom_annotations)
if not labels: if not labels:
labels = {} labels = {}
@ -75,11 +71,6 @@ def create_managed_registry_secret(spec, name, namespace, logger, **kwargs):
password_ref, password_ref,
registry) registry)
# Garbage collection will delete the generated secret if the owner
# Is not in the same namespace as the generated secret
if secret_namespace == namespace:
kopf.append_owner_reference(secret)
api.create_namespaced_secret( api.create_namespaced_secret(
secret_namespace, secret secret_namespace, secret
) )
@ -106,7 +97,6 @@ def update_managed_registry_secret(
secret_name = spec.get('name') secret_name = spec.get('name')
secret_namespace = spec.get('namespace') secret_namespace = spec.get('namespace')
labels = spec.get('labels') labels = spec.get('labels')
custom_annotations = spec.get('annotations')
old_config = None old_config = None
old_secret_name = None old_secret_name = None
@ -144,9 +134,6 @@ def update_managed_registry_secret(
"managedObject": f"{namespace}/{name}" "managedObject": f"{namespace}/{name}"
} }
if custom_annotations:
annotations.update(custom_annotations)
if not labels: if not labels:
labels = {} labels = {}
@ -160,12 +147,6 @@ def update_managed_registry_secret(
username_ref, username_ref,
password_ref, password_ref,
registry) registry)
# Garbage collection will delete the generated secret if the owner
# Is not in the same namespace as the generated secret
if secret_namespace == namespace:
kopf.append_owner_reference(secret)
try: try:
api.replace_namespaced_secret( api.replace_namespaced_secret(
name=secret_name, name=secret_name,
@ -173,12 +154,9 @@ def update_managed_registry_secret(
namespace="{}".format(secret_namespace)) namespace="{}".format(secret_namespace))
logger.info( logger.info(
f"Secret {secret_namespace}/{secret_name} has been updated") f"Secret {secret_namespace}/{secret_name} has been updated")
except BaseException as e: except BaseException:
logger.warn( logger.warn(
f"Could not update secret {secret_namespace}/{secret_name}!") f"Could not update secret {secret_namespace}/{secret_name}!")
logger.warn(
f"Exception: {e}"
)
@kopf.on.delete('registry-credential.lerentis.uploadfilter24.eu') @kopf.on.delete('registry-credential.lerentis.uploadfilter24.eu')

View File

@ -3,9 +3,10 @@ import kubernetes
import base64 import base64
import json import json
from utils.utils import unlock_bw, get_secret_from_bitwarden, parse_login_scope, parse_fields_scope, get_attachment, bw_sync_interval from utils.utils import unlock_bw, get_secret_from_bitwarden, parse_login_scope, parse_fields_scope, bw_sync_interval
def create_kv(logger, id, secret, secret_json, content_def): def create_kv(secret, secret_json, content_def):
secret.type = "Opaque"
secret.data = {} secret.data = {}
for eleml in content_def: for eleml in content_def:
for k, elem in eleml.items(): for k, elem in eleml.items():
@ -30,13 +31,6 @@ def create_kv(logger, id, secret, secret_json, content_def):
f"Field {_secret_key} has no value in bitwarden secret") f"Field {_secret_key} has no value in bitwarden secret")
secret.data[_secret_ref] = str(base64.b64encode( secret.data[_secret_ref] = str(base64.b64encode(
value.encode("utf-8")), "utf-8") value.encode("utf-8")), "utf-8")
if _secret_scope == "attachment":
value = get_attachment(logger, id, _secret_key)
if value is None:
raise Exception(
f"Attachment {_secret_key} has no value in bitwarden secret")
secret.data[_secret_ref] = str(base64.b64encode(
value.encode("utf-8")), "utf-8")
return secret return secret
@ -48,8 +42,6 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
secret_name = spec.get('name') secret_name = spec.get('name')
secret_namespace = spec.get('namespace') secret_namespace = spec.get('namespace')
labels = spec.get('labels') labels = spec.get('labels')
custom_annotations = spec.get('annotations')
custom_secret_type = spec.get('secretType')
unlock_bw(logger) unlock_bw(logger)
logger.info(f"Locking up secret with ID: {id}") logger.info(f"Locking up secret with ID: {id}")
@ -62,25 +54,13 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
"managedObject": f"{namespace}/{name}" "managedObject": f"{namespace}/{name}"
} }
if custom_annotations:
annotations.update(custom_annotations)
if not custom_secret_type:
custom_secret_type = 'Opaque'
if not labels: if not labels:
labels = {} labels = {}
secret = kubernetes.client.V1Secret() secret = kubernetes.client.V1Secret()
secret.metadata = kubernetes.client.V1ObjectMeta( secret.metadata = kubernetes.client.V1ObjectMeta(
name=secret_name, annotations=annotations, labels=labels) name=secret_name, annotations=annotations, labels=labels)
secret.type = custom_secret_type secret = create_kv(secret, secret_json_object, content_def)
secret = create_kv(logger, id, secret, secret_json_object, content_def)
# Garbage collection will delete the generated secret if the owner
# Is not in the same namespace as the generated secret
if secret_namespace == namespace:
kopf.append_owner_reference(secret)
api.create_namespaced_secret( api.create_namespaced_secret(
namespace="{}".format(secret_namespace), namespace="{}".format(secret_namespace),
@ -106,27 +86,20 @@ def update_managed_secret(
old_config = None old_config = None
old_secret_name = None old_secret_name = None
old_secret_namespace = None old_secret_namespace = None
old_secret_type = None
if 'kopf.zalando.org/last-handled-configuration' in body.metadata.annotations: if 'kopf.zalando.org/last-handled-configuration' in body.metadata.annotations:
old_config = json.loads( old_config = json.loads(
body.metadata.annotations['kopf.zalando.org/last-handled-configuration']) body.metadata.annotations['kopf.zalando.org/last-handled-configuration'])
old_secret_name = old_config['spec'].get('name') old_secret_name = old_config['spec'].get('name')
old_secret_namespace = old_config['spec'].get('namespace') old_secret_namespace = old_config['spec'].get('namespace')
old_secret_type = old_config['spec'].get('type')
secret_name = spec.get('name') secret_name = spec.get('name')
secret_namespace = spec.get('namespace') secret_namespace = spec.get('namespace')
labels = spec.get('labels') labels = spec.get('labels')
custom_annotations = spec.get('annotations')
custom_secret_type = spec.get('secretType')
if not custom_secret_type:
custom_secret_type = 'Opaque'
if old_config is not None and ( if old_config is not None and (
old_secret_name != secret_name or old_secret_namespace != secret_namespace or old_secret_type != custom_secret_type): old_secret_name != secret_name or old_secret_namespace != secret_namespace):
# If the name of the secret or the namespace of the secret is different # If the name of the secret or the namespace of the secret is different
# We have to delete the secret an recreate it # We have to delete the secret an recreate it
logger.info("Secret name, namespace or type changed, let's recreate it") logger.info("Secret name or namespace changed, let's recreate it")
delete_managed_secret( delete_managed_secret(
old_config['spec'], old_config['spec'],
name, name,
@ -147,22 +120,13 @@ def update_managed_secret(
"managedObject": f"{namespace}/{name}" "managedObject": f"{namespace}/{name}"
} }
if custom_annotations:
annotations.update(custom_annotations)
if not labels: if not labels:
labels = {} labels = {}
secret = kubernetes.client.V1Secret() secret = kubernetes.client.V1Secret()
secret.metadata = kubernetes.client.V1ObjectMeta( secret.metadata = kubernetes.client.V1ObjectMeta(
name=secret_name, annotations=annotations, labels=labels) name=secret_name, annotations=annotations, labels=labels)
secret.type = custom_secret_type secret = create_kv(secret, secret_json_object, content_def)
secret = create_kv(logger, id, secret, secret_json_object, content_def)
# Garbage collection will delete the generated secret if the owner
# Is not in the same namespace as the generated secret
if secret_namespace == namespace:
kopf.append_owner_reference(secret)
try: try:
api.replace_namespaced_secret( api.replace_namespaced_secret(
@ -171,12 +135,9 @@ def update_managed_secret(
namespace="{}".format(secret_namespace)) namespace="{}".format(secret_namespace))
logger.info( logger.info(
f"Secret {secret_namespace}/{secret_name} has been updated") f"Secret {secret_namespace}/{secret_name} has been updated")
except BaseException as e: except BaseException:
logger.warn( logger.warn(
f"Could not update secret {secret_namespace}/{secret_name}!") f"Could not update secret {secret_namespace}/{secret_name}!")
logger.warn(
f"Exception: {e}"
)
@kopf.on.delete('bitwarden-secret.lerentis.uploadfilter24.eu') @kopf.on.delete('bitwarden-secret.lerentis.uploadfilter24.eu')

View File

@ -17,6 +17,7 @@ def render_template(logger, template):
def create_template_secret(logger, secret, filename, template): def create_template_secret(logger, secret, filename, template):
secret.type = "Opaque"
secret.data = {} secret.data = {}
secret.data[filename] = str( secret.data[filename] = str(
base64.b64encode( base64.b64encode(
@ -33,8 +34,6 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
secret_name = spec.get('name') secret_name = spec.get('name')
secret_namespace = spec.get('namespace') secret_namespace = spec.get('namespace')
labels = spec.get('labels') labels = spec.get('labels')
custom_annotations = spec.get('annotations')
custom_secret_type = spec.get('secretType')
unlock_bw(logger) unlock_bw(logger)
@ -45,26 +44,14 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
"managedObject": f"{namespace}/{name}" "managedObject": f"{namespace}/{name}"
} }
if custom_annotations:
annotations.update(custom_annotations)
if not custom_secret_type:
custom_secret_type = 'Opaque'
if not labels: if not labels:
labels = {} labels = {}
secret = kubernetes.client.V1Secret() secret = kubernetes.client.V1Secret()
secret.metadata = kubernetes.client.V1ObjectMeta( secret.metadata = kubernetes.client.V1ObjectMeta(
name=secret_name, annotations=annotations, labels=labels) name=secret_name, annotations=annotations, labels=labels)
secret.type = custom_secret_type
secret = create_template_secret(logger, secret, filename, template) secret = create_template_secret(logger, secret, filename, template)
# Garbage collection will delete the generated secret if the owner
# Is not in the same namespace as the generated secret
if secret_namespace == namespace:
kopf.append_owner_reference(secret)
api.create_namespaced_secret( api.create_namespaced_secret(
secret_namespace, secret secret_namespace, secret
) )
@ -88,27 +75,20 @@ def update_managed_secret(
secret_name = spec.get('name') secret_name = spec.get('name')
secret_namespace = spec.get('namespace') secret_namespace = spec.get('namespace')
labels = spec.get('labels') labels = spec.get('labels')
custom_annotations = spec.get('annotations')
custom_secret_type = spec.get('secretType')
if not custom_secret_type:
custom_secret_type = 'Opaque'
old_config = None old_config = None
old_secret_name = None old_secret_name = None
old_secret_namespace = None old_secret_namespace = None
old_secret_type = None
if 'kopf.zalando.org/last-handled-configuration' in body.metadata.annotations: if 'kopf.zalando.org/last-handled-configuration' in body.metadata.annotations:
old_config = json.loads( old_config = json.loads(
body.metadata.annotations['kopf.zalando.org/last-handled-configuration']) body.metadata.annotations['kopf.zalando.org/last-handled-configuration'])
old_secret_name = old_config['spec'].get('name') old_secret_name = old_config['spec'].get('name')
old_secret_namespace = old_config['spec'].get('namespace') old_secret_namespace = old_config['spec'].get('namespace')
old_secret_type = old_config['spec'].get('type')
secret_name = spec.get('name') secret_name = spec.get('name')
secret_namespace = spec.get('namespace') secret_namespace = spec.get('namespace')
if old_config is not None and ( if old_config is not None and (
old_secret_name != secret_name or old_secret_namespace != secret_namespace or old_secret_type != custom_secret_type): old_secret_name != secret_name or old_secret_namespace != secret_namespace):
# If the name of the secret or the namespace of the secret is different # If the name of the secret or the namespace of the secret is different
# We have to delete the secret an recreate it # We have to delete the secret an recreate it
logger.info("Secret name or namespace changed, let's recreate it") logger.info("Secret name or namespace changed, let's recreate it")
@ -130,23 +110,14 @@ def update_managed_secret(
"managedObject": f"{namespace}/{name}" "managedObject": f"{namespace}/{name}"
} }
if custom_annotations:
annotations.update(custom_annotations)
if not labels: if not labels:
labels = {} labels = {}
secret = kubernetes.client.V1Secret() secret = kubernetes.client.V1Secret()
secret.metadata = kubernetes.client.V1ObjectMeta( secret.metadata = kubernetes.client.V1ObjectMeta(
name=secret_name, annotations=annotations, labels=labels) name=secret_name, annotations=annotations, labels=labels)
secret.type = custom_secret_type
secret = create_template_secret(logger, secret, filename, template) secret = create_template_secret(logger, secret, filename, template)
# Garbage collection will delete the generated secret if the owner
# Is not in the same namespace as the generated secret
if secret_namespace == namespace:
kopf.append_owner_reference(secret)
try: try:
api.replace_namespaced_secret( api.replace_namespaced_secret(
name=secret_name, name=secret_name,
@ -154,12 +125,9 @@ def update_managed_secret(
namespace="{}".format(secret_namespace)) namespace="{}".format(secret_namespace))
logger.info( logger.info(
f"Secret {secret_namespace}/{secret_name} has been updated") f"Secret {secret_namespace}/{secret_name} has been updated")
except BaseException as e: except BaseException:
logger.warn( logger.warn(
f"Could not update secret {secret_namespace}/{secret_name}!") f"Could not update secret {secret_namespace}/{secret_name}!")
logger.warn(
f"Exception: {e}"
)
@kopf.on.delete('bitwarden-template.lerentis.uploadfilter24.eu') @kopf.on.delete('bitwarden-template.lerentis.uploadfilter24.eu')