lerentis/bitwarden-crd-operator
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 18 Wiki Activity

Compare commits

base: lerentis:e1418883353a37ff724ce3e897ca5fa69720555a
Branches Tags
lerentis:main
lerentis:Lerentis/issue60
lerentis:Lerentis/issue29
lerentis:Lerentis/issue25
lerentis:gh-pages
lerentis:0.6.4
lerentis:v0.6.2
lerentis:v0.6.1
lerentis:v0.6.0
lerentis:v0.5.4
lerentis:v0.5.3
lerentis:v0.5.2
lerentis:v0.5.1
lerentis:v0.5.0
lerentis:v0.4.2
lerentis:v0.4.1
lerentis:v0.4.0
lerentis:v0.3.0
lerentis:v0.2.1
lerentis:v0.2.0
lerentis:v0.1.2
lerentis:v0.1.1
lerentis:v0.1.0
..
compare: lerentis:2bf13bc8c5c2291e2addaadebca32f527956e259
Branches Tags
lerentis:main
lerentis:Lerentis/issue60
lerentis:Lerentis/issue29
lerentis:Lerentis/issue25
lerentis:gh-pages
lerentis:0.6.4
lerentis:v0.6.2
lerentis:v0.6.1
lerentis:v0.6.0
lerentis:v0.5.4
lerentis:v0.5.3
lerentis:v0.5.2
lerentis:v0.5.1
lerentis:v0.5.0
lerentis:v0.4.2
lerentis:v0.4.1
lerentis:v0.4.0
lerentis:v0.3.0
lerentis:v0.2.1
lerentis:v0.2.0
lerentis:v0.1.2
lerentis:v0.1.1
lerentis:v0.1.0

No commits in common. "e1418883353a37ff724ce3e897ca5fa69720555a" and "2bf13bc8c5c2291e2addaadebca32f527956e259" have entirely different histories.
e141888335 ... 2bf13bc8c5

18 changed files with 76 additions and 457 deletions
Show Stats Expand all files Collapse all files

6
.github/workflows/release.yml vendored
View File

@ -24,7 +24,7 @@ jobs:
git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
- name: Install Helm
uses: azure/setup-helm@v4
uses: azure/setup-helm@v3
with:
version: v3.10.0
@ -36,7 +36,7 @@ jobs:
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
- name: Get app version from chart
uses: mikefarah/yq@v4.44.2
uses: mikefarah/yq@v4.40.5
id: app_version
with:
cmd: yq '.appVersion' charts/bitwarden-crd-operator/Chart.yaml
@ -56,7 +56,7 @@ jobs:
- name: "GHCR Build and Push"
id: docker_build
uses: docker/build-push-action@v6
uses: docker/build-push-action@v5
with:
push: true
platforms: linux/amd64,linux/arm64

19
.github/workflows/test-and-lint.yml vendored
View File

@ -12,7 +12,7 @@ jobs:
fetch-depth: 0
- name: Set up Helm
uses: azure/setup-helm@v4
uses: azure/setup-helm@v3
with:
version: v3.11.2
@ -36,18 +36,6 @@ jobs:
if: steps.list-changed.outputs.changed == 'true'
run: ct lint --target-branch ${{ github.event.repository.default_branch }}
- name: Install ah cli
run: |
export AH_VERSION=1.17.0
curl -LO https://github.com/artifacthub/hub/releases/download/v${AH_VERSION}/ah_${AH_VERSION}_linux_amd64.tar.gz
tar -xf ah_${AH_VERSION}_linux_amd64.tar.gz
chmod +x ./ah
sudo mv ./ah /usr/bin/ah
rm LICENSE
- name: ah lint
run: |
ah lint
pr-build:
runs-on: ubuntu-latest
steps:
@ -57,10 +45,11 @@ jobs:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: GHCR Build
- name: "GHCR Build"
id: docker_build
uses: docker/build-push-action@v6
uses: docker/build-push-action@v5
with:
push: false
platforms: linux/amd64,linux/arm64
tags: ghcr.io/lerentis/bitwarden-crd-operator:dev

28
Dockerfile
View File

@ -1,23 +1,39 @@
FROM alpine:3.19.1
FROM alpine:3.19.0
LABEL org.opencontainers.image.source=https://github.com/Lerentis/bitwarden-crd-operator
LABEL org.opencontainers.image.description="Kubernetes Operator to create k8s secrets from bitwarden"
LABEL org.opencontainers.image.licenses=MIT
ARG PYTHON_VERSION=3.11.9-r0
ARG PYTHON_VERSION=3.11.6-r1
ARG PIP_VERSION=23.3.1-r0
ARG GCOMPAT_VERSION=1.1.0-r4
ARG LIBCRYPTO_VERSION=3.1.4-r5
ARG LIBCRYPTO_VERSION=3.1.4-r2
ARG BW_VERSION=2023.7.0
ARG NODE_VERSION=20.12.1-r0
ARG NODE_VERSION=20.10.0-r1
COPY requirements.txt /requirements.txt
RUN set -eux; \
apk update; \
apk del nodejs-current; \
apk add --virtual build-dependencies wget unzip; \
ARCH="$(apk --print-arch)"; \
case "${ARCH}" in \
aarch64|arm64) \
apk add nodejs=${NODE_VERSION} npm; \
npm install -g @bitwarden/cli@${BW_VERSION}; \
;; \
amd64|x86_64) \
cd /tmp; \
wget https://github.com/bitwarden/clients/releases/download/cli-v${BW_VERSION}/bw-linux-${BW_VERSION}.zip; \
unzip /tmp/bw-linux-${BW_VERSION}.zip; \
mv /tmp/bw /usr/local/bin/bw; \
chmod +x /usr/local/bin/bw; \
;; \
*) \
echo "Unsupported arch: ${ARCH}"; \
exit 1; \
;; \
esac; \
apk del --purge build-dependencies; \
addgroup -S -g 1000 bw-operator; \
adduser -S -D -u 1000 -G bw-operator bw-operator; \
mkdir -p /home/bw-operator; \

23
README.md
View File

@ -56,29 +56,25 @@ And you are set to create your first secret using this operator. For that you ne
```yaml
---
apiVersion: "lerentis.uploadfilter24.eu/v1beta7"
apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
kind: BitwardenSecret
metadata:
name: name-of-your-management-object
spec:
content:
- element:
secretName: nameOfTheFieldInBitwarden # for example username or filename
secretName: nameOfTheFieldInBitwarden # for example username
secretRef: nameOfTheKeyInTheSecretToBeCreated
secretScope: login # for custom entries on bitwarden use 'fields, for attachments use attachment'
secretScope: login # for custom entries on bitwarden use 'fields'
- element:
secretName: nameOfAnotherFieldInBitwarden # for example password or filename
secretName: nameOfAnotherFieldInBitwarden # for example password
secretRef: nameOfAnotherKeyInTheSecretToBeCreated
secretScope: login # for custom entries on bitwarden use 'fields, for attachments use attachment'
secretScope: login # for custom entries on bitwarden use 'fields'
id: "A Secret ID from bitwarden"
name: "Name of the secret to be created"
secretType: # Optional (Default: Opaque)
namespace: "Namespace of the secret to be created"
labels: # Optional
key: value
annotations: # Optional
key: value
```
The ID can be extracted from the browser when you open a item the ID is in the URL. The resulting secret looks something like this:
@ -106,7 +102,7 @@ For managing registry credentials, or pull secrets, you can create another kind
```yaml
---
apiVersion: "lerentis.uploadfilter24.eu/v1beta7"
apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
kind: RegistryCredential
metadata:
name: name-of-your-management-object
@ -119,8 +115,6 @@ spec:
namespace: "Namespace of the secret to be created"
labels: # Optional
key: value
annotations: # Optional
key: value
```
The resulting secret looks something like this:
@ -147,19 +141,16 @@ One of the more freely defined types that can be used with this operator you can
```yaml
---
apiVersion: "lerentis.uploadfilter24.eu/v1beta7"
apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
kind: BitwardenTemplate
metadata:
name: name-of-your-management-object
spec:
filename: "Key of the secret to be created"
name: "Name of the secret to be created"
secretType: # Optional (Default: Opaque)
namespace: "Namespace of the secret to be created"
labels: # Optional
key: value
annotations: # Optional
key: value
template: |
---
api:

36
charts/bitwarden-crd-operator/Chart.yaml
View File

@ -4,9 +4,9 @@ description: Deploy the Bitwarden CRD Operator
type: application
version: "v0.13.0"
version: "v0.11.1"
appVersion: "0.12.0"
appVersion: "0.10.1"
keywords:
- operator
@ -32,22 +32,22 @@ annotations:
url: https://github.com/Lerentis/bitwarden-crd-operator
artifacthub.io/crds: |
- kind: BitwardenSecret
version: v1beta7
version: v1beta5
name: bitwarden-secret
displayName: Bitwarden Secret
description: Management Object to create secrets from bitwarden
- kind: RegistryCredential
version: v1beta7
version: v1beta5
name: registry-credential
displayName: Regestry Credentials
description: Management Object to create regestry secrets from bitwarden
- kind: BitwardenTemplate
version: v1beta7
version: v1beta5
name: bitwarden-template
displayName: Bitwarden Template
description: Management Object to create secrets from a jinja template with a bitwarden lookup
artifacthub.io/crdsExamples: |
- apiVersion: lerentis.uploadfilter24.eu/v1beta7
- apiVersion: lerentis.uploadfilter24.eu/v1beta5
kind: BitwardenSecret
metadata:
name: test
@ -61,13 +61,10 @@ annotations:
secretRef: passwordOfUser
id: "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
name: "test-secret"
secretType: Obaque #Optional
namespace: "default"
labels:
key: value
annotations:
key: value
- apiVersion: lerentis.uploadfilter24.eu/v1beta7
- apiVersion: lerentis.uploadfilter24.eu/v1beta5
kind: RegistryCredential
metadata:
name: test
@ -80,21 +77,16 @@ annotations:
namespace: "default"
labels:
key: value
annotations:
key: value
- apiVersion: "lerentis.uploadfilter24.eu/v1beta7"
- apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
kind: BitwardenTemplate
metadata:
name: test
spec:
filename: "config.yaml"
name: "test-regcred"
secretType: Obaque #Optional
namespace: "default"
labels:
key: value
annotations:
key: value
template: |
---
api:
@ -109,12 +101,10 @@ annotations:
artifacthub.io/operator: "true"
artifacthub.io/containsSecurityUpdates: "false"
artifacthub.io/changes: |
- kind: added
description: "Allow custom type for generated secrets"
- kind: added
description: "Allow attachments in generated secrets"
- kind: added
description: "Allow custom type in templated secrets"
- kind: fixed
description: "Downgrade node to LTS in order to make bw cli work on arm"
- kind: changed
description: "Update bw cli to 2023.7.0 for the same reason"
artifacthub.io/images: |
- name: bitwarden-crd-operator
image: ghcr.io/lerentis/bitwarden-crd-operator:0.12.0
image: ghcr.io/lerentis/bitwarden-crd-operator:0.10.1

88
charts/bitwarden-crd-operator/crds/bitwarden-secrets.yaml
View File

@ -51,89 +51,6 @@ spec:
- namespace
- name
- name: v1beta5
served: true
storage: false
deprecated: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
content:
type: array
items:
type: object
properties:
element:
type: object
properties:
secretName:
type: string
secretRef:
type: string
secretScope:
type: string
required:
- secretName
id:
type: string
namespace:
type: string
name:
type: string
labels:
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- id
- namespace
- name
- name: v1beta6
served: true
storage: false
deprecated: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
content:
type: array
items:
type: object
properties:
element:
type: object
properties:
secretName:
type: string
secretRef:
type: string
secretScope:
type: string
required:
- secretName
id:
type: string
namespace:
type: string
name:
type: string
labels:
type: object
x-kubernetes-preserve-unknown-fields: true
annotations:
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- id
- namespace
- name
- name: v1beta7
served: true
storage: true
schema:
@ -165,14 +82,9 @@ spec:
type: string
name:
type: string
secretType:
type: string
labels:
type: object
x-kubernetes-preserve-unknown-fields: true
annotations:
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- id
- namespace

62
charts/bitwarden-crd-operator/crds/bitwarden-templates.yaml
View File

@ -38,63 +38,6 @@ spec:
- namespace
- name
- name: v1beta5
served: true
storage: false
deprecated: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
filename:
type: string
template:
type: string
namespace:
type: string
name:
type: string
labels:
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- filename
- template
- namespace
- name
- name: v1beta6
served: true
storage: false
deprecated: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
filename:
type: string
template:
type: string
namespace:
type: string
name:
type: string
labels:
type: object
x-kubernetes-preserve-unknown-fields: true
annotations:
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- filename
- template
- namespace
- name
- name: v1beta7
served: true
storage: true
schema:
@ -112,14 +55,9 @@ spec:
type: string
name:
type: string
secretType:
type: string
labels:
type: object
x-kubernetes-preserve-unknown-fields: true
annotations:
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- filename
- template

72
charts/bitwarden-crd-operator/crds/registry-credentials.yaml
View File

@ -44,75 +44,6 @@ spec:
- passwordRef
- registry
- name: v1beta5
served: true
storage: false
deprecated: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
usernameRef:
type: string
passwordRef:
type: string
registry:
type: string
id:
type: string
namespace:
type: string
name:
type: string
labels:
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- id
- namespace
- name
- usernameRef
- passwordRef
- registry
- name: v1beta6
served: true
storage: false
deprecated: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
usernameRef:
type: string
passwordRef:
type: string
registry:
type: string
id:
type: string
namespace:
type: string
name:
type: string
labels:
type: object
x-kubernetes-preserve-unknown-fields: true
annotations:
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- id
- namespace
- name
- usernameRef
- passwordRef
- registry
- name: v1beta7
served: true
storage: true
schema:
@ -137,9 +68,6 @@ spec:
labels:
type: object
x-kubernetes-preserve-unknown-fields: true
annotations:
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- id
- namespace

2
charts/bitwarden-crd-operator/templates/deployment.yaml
View File

@ -8,8 +8,6 @@ spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
strategy:
type: {{ .Values.deploymentStrategy }}
selector:
matchLabels:
{{- include "bitwarden-crd-operator.selectorLabels" . | nindent 6 }}

2
charts/bitwarden-crd-operator/values.yaml
View File

@ -14,8 +14,6 @@ imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
deploymentStrategy: "Recreate"
# env:
# - name: BW_FORCE_SYNC
# value: "false"

8
example.yaml
View File

@ -1,9 +1,8 @@
---
apiVersion: "lerentis.uploadfilter24.eu/v1beta7"
apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
kind: BitwardenSecret
metadata:
name: test
namespace: default
spec:
content:
- element:
@ -16,15 +15,12 @@ spec:
secretScope: login
id: "88781348-c81c-4367-9801-550360c21295"
name: "test-secret"
secretType: Opaque
namespace: "default"
labels:
key: value
app: example-app
annotations:
custom.annotation: is-used
---
apiVersion: "lerentis.uploadfilter24.eu/v1beta7"
apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
kind: BitwardenSecret
metadata:
name: test-scope

4
example_dockerlogin.yaml
View File

@ -1,5 +1,5 @@
---
apiVersion: "lerentis.uploadfilter24.eu/v1beta7"
apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
kind: RegistryCredential
metadata:
name: test
@ -13,5 +13,3 @@ spec:
labels:
namespace: default
tenant: example-team
annotations:
custom.annotation: is-used

4
example_template.yaml
View File

@ -1,5 +1,5 @@
---
apiVersion: "lerentis.uploadfilter24.eu/v1beta7"
apiVersion: "lerentis.uploadfilter24.eu/v1beta5"
kind: BitwardenTemplate
metadata:
name: test
@ -10,8 +10,6 @@ spec:
labels:
key: value
app: example-app
annotations:
custom.annotation: is-used
template: |
---
api:

8
requirements.txt
View File

@ -1,4 +1,4 @@
kopf==1.37.2
kubernetes==29.0.0
Jinja2==3.1.4
schedule==1.2.2
kopf==1.36.2
kubernetes==26.1.0
Jinja2==3.1.2
schedule==1.2.1

46
skaffold.yaml
View File

@ -1,10 +1,8 @@
apiVersion: skaffold/v4beta9
apiVersion: skaffold/v4beta5
kind: Config
metadata:
name: bitwarden-crd-operator
build:
tagPolicy:
sha256: {}
artifacts:
- image: ghcr.io/lerentis/bitwarden-crd-operator
docker:
@ -15,43 +13,5 @@ deploy:
- name: bitwarden-crd-operator
chartPath: charts/bitwarden-crd-operator
valuesFiles:
- ./charts/bitwarden-crd-operator/myvalues.yaml
setValueTemplates:
image.repository: "{{.IMAGE_REPO_ghcr_io_lerentis_bitwarden_crd_operator}}"
image.tag: "{{.IMAGE_TAG_ghcr_io_lerentis_bitwarden_crd_operator}}@{{.IMAGE_DIGEST_ghcr_io_lerentis_bitwarden_crd_operator}}"
hooks:
after:
- host:
command:
- kubectl
- apply
- -f
- ./example*.yaml
- host:
command:
- sleep
- '5'
- host:
command:
- kubectl
- get
- secret
- test-regcred
- host:
command:
- kubectl
- get
- secret
- test-scope
- host:
command:
- kubectl
- get
- secret
- test-secret
- host:
command:
- kubectl
- get
- secret
- test-template
- env/values.yaml
version: v0.7.4

24
src/dockerlogin.py
View File

@ -45,7 +45,6 @@ def create_managed_registry_secret(spec, name, namespace, logger, **kwargs):
secret_name = spec.get('name')
secret_namespace = spec.get('namespace')
labels = spec.get('labels')
custom_annotations = spec.get('annotations')
unlock_bw(logger)
logger.info(f"Locking up secret with ID: {id}")
@ -58,9 +57,6 @@ def create_managed_registry_secret(spec, name, namespace, logger, **kwargs):
"managedObject": f"{namespace}/{name}"
}
if custom_annotations:
annotations.update(custom_annotations)
if not labels:
labels = {}
@ -75,11 +71,6 @@ def create_managed_registry_secret(spec, name, namespace, logger, **kwargs):
password_ref,
registry)
# Garbage collection will delete the generated secret if the owner
# Is not in the same namespace as the generated secret
if secret_namespace == namespace:
kopf.append_owner_reference(secret)
api.create_namespaced_secret(
secret_namespace, secret
)
@ -106,7 +97,6 @@ def update_managed_registry_secret(
secret_name = spec.get('name')
secret_namespace = spec.get('namespace')
labels = spec.get('labels')
custom_annotations = spec.get('annotations')
old_config = None
old_secret_name = None
@ -144,9 +134,6 @@ def update_managed_registry_secret(
"managedObject": f"{namespace}/{name}"
}
if custom_annotations:
annotations.update(custom_annotations)
if not labels:
labels = {}
@ -160,12 +147,6 @@ def update_managed_registry_secret(
username_ref,
password_ref,
registry)
# Garbage collection will delete the generated secret if the owner
# Is not in the same namespace as the generated secret
if secret_namespace == namespace:
kopf.append_owner_reference(secret)
try:
api.replace_namespaced_secret(
name=secret_name,
@ -173,12 +154,9 @@ def update_managed_registry_secret(
namespace="{}".format(secret_namespace))
logger.info(
f"Secret {secret_namespace}/{secret_name} has been updated")
except BaseException as e:
except BaseException:
logger.warn(
f"Could not update secret {secret_namespace}/{secret_name}!")
logger.warn(
f"Exception: {e}"
)
@kopf.on.delete('registry-credential.lerentis.uploadfilter24.eu')

55
src/kv.py
View File

@ -3,9 +3,10 @@ import kubernetes
import base64
import json
from utils.utils import unlock_bw, get_secret_from_bitwarden, parse_login_scope, parse_fields_scope, get_attachment, bw_sync_interval
from utils.utils import unlock_bw, get_secret_from_bitwarden, parse_login_scope, parse_fields_scope, bw_sync_interval
def create_kv(logger, id, secret, secret_json, content_def):
def create_kv(secret, secret_json, content_def):
secret.type = "Opaque"
secret.data = {}
for eleml in content_def:
for k, elem in eleml.items():
@ -30,13 +31,6 @@ def create_kv(logger, id, secret, secret_json, content_def):
f"Field {_secret_key} has no value in bitwarden secret")
secret.data[_secret_ref] = str(base64.b64encode(
value.encode("utf-8")), "utf-8")
if _secret_scope == "attachment":
value = get_attachment(logger, id, _secret_key)
if value is None:
raise Exception(
f"Attachment {_secret_key} has no value in bitwarden secret")
secret.data[_secret_ref] = str(base64.b64encode(
value.encode("utf-8")), "utf-8")
return secret
@ -48,8 +42,6 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
secret_name = spec.get('name')
secret_namespace = spec.get('namespace')
labels = spec.get('labels')
custom_annotations = spec.get('annotations')
custom_secret_type = spec.get('secretType')
unlock_bw(logger)
logger.info(f"Locking up secret with ID: {id}")
@ -62,25 +54,13 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
"managedObject": f"{namespace}/{name}"
}
if custom_annotations:
annotations.update(custom_annotations)
if not custom_secret_type:
custom_secret_type = 'Opaque'
if not labels:
labels = {}
secret = kubernetes.client.V1Secret()
secret.metadata = kubernetes.client.V1ObjectMeta(
name=secret_name, annotations=annotations, labels=labels)
secret.type = custom_secret_type
secret = create_kv(logger, id, secret, secret_json_object, content_def)
# Garbage collection will delete the generated secret if the owner
# Is not in the same namespace as the generated secret
if secret_namespace == namespace:
kopf.append_owner_reference(secret)
secret = create_kv(secret, secret_json_object, content_def)
api.create_namespaced_secret(
namespace="{}".format(secret_namespace),
@ -106,27 +86,20 @@ def update_managed_secret(
old_config = None
old_secret_name = None
old_secret_namespace = None
old_secret_type = None
if 'kopf.zalando.org/last-handled-configuration' in body.metadata.annotations:
old_config = json.loads(
body.metadata.annotations['kopf.zalando.org/last-handled-configuration'])
old_secret_name = old_config['spec'].get('name')
old_secret_namespace = old_config['spec'].get('namespace')
old_secret_type = old_config['spec'].get('type')
secret_name = spec.get('name')
secret_namespace = spec.get('namespace')
labels = spec.get('labels')
custom_annotations = spec.get('annotations')
custom_secret_type = spec.get('secretType')
if not custom_secret_type:
custom_secret_type = 'Opaque'
if old_config is not None and (
old_secret_name != secret_name or old_secret_namespace != secret_namespace or old_secret_type != custom_secret_type):
old_secret_name != secret_name or old_secret_namespace != secret_namespace):
# If the name of the secret or the namespace of the secret is different
# We have to delete the secret an recreate it
logger.info("Secret name, namespace or type changed, let's recreate it")
logger.info("Secret name or namespace changed, let's recreate it")
delete_managed_secret(
old_config['spec'],
name,
@ -147,22 +120,13 @@ def update_managed_secret(
"managedObject": f"{namespace}/{name}"
}
if custom_annotations:
annotations.update(custom_annotations)
if not labels:
labels = {}
secret = kubernetes.client.V1Secret()
secret.metadata = kubernetes.client.V1ObjectMeta(
name=secret_name, annotations=annotations, labels=labels)
secret.type = custom_secret_type
secret = create_kv(logger, id, secret, secret_json_object, content_def)
# Garbage collection will delete the generated secret if the owner
# Is not in the same namespace as the generated secret
if secret_namespace == namespace:
kopf.append_owner_reference(secret)
secret = create_kv(secret, secret_json_object, content_def)
try:
api.replace_namespaced_secret(
@ -171,12 +135,9 @@ def update_managed_secret(
namespace="{}".format(secret_namespace))
logger.info(
f"Secret {secret_namespace}/{secret_name} has been updated")
except BaseException as e:
except BaseException:
logger.warn(
f"Could not update secret {secret_namespace}/{secret_name}!")
logger.warn(
f"Exception: {e}"
)
@kopf.on.delete('bitwarden-secret.lerentis.uploadfilter24.eu')

38
src/template.py
View File

@ -17,6 +17,7 @@ def render_template(logger, template):
def create_template_secret(logger, secret, filename, template):
secret.type = "Opaque"
secret.data = {}
secret.data[filename] = str(
base64.b64encode(
@ -33,8 +34,6 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
secret_name = spec.get('name')
secret_namespace = spec.get('namespace')
labels = spec.get('labels')
custom_annotations = spec.get('annotations')
custom_secret_type = spec.get('secretType')
unlock_bw(logger)
@ -45,26 +44,14 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
"managedObject": f"{namespace}/{name}"
}
if custom_annotations:
annotations.update(custom_annotations)
if not custom_secret_type:
custom_secret_type = 'Opaque'
if not labels:
labels = {}
secret = kubernetes.client.V1Secret()
secret.metadata = kubernetes.client.V1ObjectMeta(
name=secret_name, annotations=annotations, labels=labels)
secret.type = custom_secret_type
secret = create_template_secret(logger, secret, filename, template)
# Garbage collection will delete the generated secret if the owner
# Is not in the same namespace as the generated secret
if secret_namespace == namespace:
kopf.append_owner_reference(secret)
api.create_namespaced_secret(
secret_namespace, secret
)
@ -88,27 +75,20 @@ def update_managed_secret(
secret_name = spec.get('name')
secret_namespace = spec.get('namespace')
labels = spec.get('labels')
custom_annotations = spec.get('annotations')
custom_secret_type = spec.get('secretType')
if not custom_secret_type:
custom_secret_type = 'Opaque'
old_config = None
old_secret_name = None
old_secret_namespace = None
old_secret_type = None
if 'kopf.zalando.org/last-handled-configuration' in body.metadata.annotations:
old_config = json.loads(
body.metadata.annotations['kopf.zalando.org/last-handled-configuration'])
old_secret_name = old_config['spec'].get('name')
old_secret_namespace = old_config['spec'].get('namespace')
old_secret_type = old_config['spec'].get('type')
secret_name = spec.get('name')
secret_namespace = spec.get('namespace')
if old_config is not None and (
old_secret_name != secret_name or old_secret_namespace != secret_namespace or old_secret_type != custom_secret_type):
old_secret_name != secret_name or old_secret_namespace != secret_namespace):
# If the name of the secret or the namespace of the secret is different
# We have to delete the secret an recreate it
logger.info("Secret name or namespace changed, let's recreate it")
@ -130,23 +110,14 @@ def update_managed_secret(
"managedObject": f"{namespace}/{name}"
}
if custom_annotations:
annotations.update(custom_annotations)
if not labels:
labels = {}
secret = kubernetes.client.V1Secret()
secret.metadata = kubernetes.client.V1ObjectMeta(
name=secret_name, annotations=annotations, labels=labels)
secret.type = custom_secret_type
secret = create_template_secret(logger, secret, filename, template)
# Garbage collection will delete the generated secret if the owner
# Is not in the same namespace as the generated secret
if secret_namespace == namespace:
kopf.append_owner_reference(secret)
try:
api.replace_namespaced_secret(
name=secret_name,
@ -154,12 +125,9 @@ def update_managed_secret(
namespace="{}".format(secret_namespace))
logger.info(
f"Secret {secret_namespace}/{secret_name} has been updated")
except BaseException as e:
except BaseException:
logger.warn(
f"Could not update secret {secret_namespace}/{secret_name}!")
logger.warn(
f"Exception: {e}"
)
@kopf.on.delete('bitwarden-template.lerentis.uploadfilter24.eu')