Compare commits
	
		
			146 Commits
		
	
	
		
			v0.1.1
			...
			6a8945af21
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
|  | 6a8945af21 | ||
|  | 6160723a72 | ||
|  | 7527163f26 | ||
|  | c6ee9fdc39 | ||
|  | 313cf7d6e9 | ||
|  | 8649c4e865 | ||
|  | 23037bafc1 | ||
|  | be98eb9b88 | ||
|  | 80d8db6924 | ||
|  | d6c207ba82 | ||
|  | fc37a12737 | ||
|  | 58b990db2a | ||
|  | f3cba82c9f | ||
|  | f7a0f43cab | ||
|  | 382b6776ce | ||
|  | 94bc6b10b1 | ||
| 53dae0aaaf | |||
| 41a085c475 | |||
|  | 70546b7484 | ||
|  | ae5b39bbcb | ||
|  | 02dfca5a44 | ||
|  | 31cba57a1a | ||
|  | f0a9258b71 | ||
|  | 63e6f8ab7b | ||
|  | 9fe5bde4e8 | ||
|  | 7e0a5b6b57 | ||
|  | b7ef2480be | ||
|  | 25a825b712 | ||
|  | 963446d9dc | ||
|  | bd000cc23a | ||
|  | 72bb525e9a | ||
|  | 0bb67e4503 | ||
|  | 3f35179983 | ||
|  | 68ffb94870 | ||
|  | ddf13aae1c | ||
|  | f63e0ac090 | ||
|  | 39a49ab95b | ||
|  | 187da26b30 | ||
|  | 62a2b488d2 | ||
|  | bec7476ace | ||
|  | d629fa600f | ||
|  | ba8c35da9f | ||
|  | e85ea8357a | ||
|  | 69d1af8ba5 | ||
|  | 293ac2a0b0 | ||
|  | 5c8d10b060 | ||
|  | 25ebf35835 | ||
|  | 1427715823 | ||
|  | 57b6d69b6b | ||
|  | 0e33c33415 | ||
|  | 4d36cd468f | ||
| 6f099c4bf2 | |||
|  | aa015cc7ba | ||
|  | 2de9bbb0bf | ||
|  | 4505f3985c | ||
|  | 82b684e460 | ||
|  | 8ec698f50e | ||
|  | 9b8fe1d8ef | ||
|  | 516f2a34cf | ||
| 361d0866e9 | |||
| 9d4ade904e | |||
| 8c3714f7e0 | |||
| 36ae5cc602 | |||
| d908419b78 | |||
| 2d399ff8ce | |||
| c753737497 | |||
| 886fe3783d | |||
|  | 18a47f8ad2 | ||
|  | e405734e72 | ||
| 8bf4292991 | |||
|  | b149b26485 | ||
|  | 5263a811e1 | ||
|  | 4b59ff1aac | ||
|  | ad1cc9f646 | ||
| 0f518ab28d | |||
| 1bf2a24cf2 | |||
| a73e8ff982 | |||
|  | 54a4ffa212 | ||
| 16040bf87a | |||
|  | 9c1c7417e1 | ||
|  | 0f9ca0869c | ||
|  | 6fbf060044 | ||
|  | 3bb40cdcb4 | ||
|  | 219c9d0413 | ||
|  | 4f92bfe86a | ||
|  | 640333cfc7 | ||
|  | 6a907f149f | ||
|  | 3db74524ca | ||
|  | e49df1fb4d | ||
|  | bb3ca7573b | ||
| 097712c6c6 | |||
|  | 3845fd8045 | ||
|  | 3caacac98a | ||
|  | beeca5a6b6 | ||
|  | 2d4c8ec14b | ||
| 10cc864275 | |||
| 689a6e5bae | |||
|  | 4e23b67f5d | ||
|  | f4d05fdd0f | ||
|  | 48bc422974 | ||
|  | 41d4959422 | ||
|  | c2116c24ec | ||
|  | 67692b372f | ||
| 8a6219718a | |||
|  | a10f6b3c9a | ||
|  | 56657df85a | ||
|  | 6a324e66da | ||
|  | 6081374696 | ||
|  | a3cec12284 | ||
| 40f76a8bdb | |||
| 8546855412 | |||
| 938ddd1bb6 | |||
| 5adc7785d0 | |||
| df1fdcbb14 | |||
| 3328016da4 | |||
| fdd3808c7e | |||
|  | fee8dfb97a | ||
|  | 2611231c8a | ||
| 884476606c | |||
|  | 92c51a21d0 | ||
| d316c8567e | |||
| cb793a7490 | |||
| d8bee2e029 | |||
|  | 12edc8445f | ||
|  | df7b9fd043 | ||
| 058e9b918f | |||
| 13c4b999d2 | |||
|  | f11d726cfe | ||
|  | 53443df46c | ||
|  | ef0f2633e0 | ||
|  | d13bcfd10c | ||
|  | 5e808df6ac | ||
| 69e56ef4f5 | |||
|  | 4c11c7d03a | ||
|  | b99111587d | ||
|  | e6c644c200 | ||
|  | 21baed2d92 | ||
| a2f248c6ff | |||
| 15a7258d99 | |||
| 06efcf1a55 | |||
|  | 2c9d1794a5 | ||
| 0fd7abdcc0 | |||
| 11fb42769c | |||
| aec384c78e | |||
| 7d4f01caf6 | |||
| fc4e561f29 | 
							
								
								
									
										15
									
								
								.github/dependabot.yml
									
									
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										15
									
								
								.github/dependabot.yml
									
									
									
									
										vendored
									
									
										Normal file
									
								
							| @@ -0,0 +1,15 @@ | ||||
| # To get started with Dependabot version updates, you'll need to specify which | ||||
| # package ecosystems to update and where the package manifests are located. | ||||
| # Please see the documentation for all configuration options: | ||||
| # https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates | ||||
|  | ||||
| version: 2 | ||||
| updates: | ||||
|   - package-ecosystem: "pip" | ||||
|     directory: "/" | ||||
|     schedule: | ||||
|       interval: "weekly" | ||||
|   - package-ecosystem: "github-actions" | ||||
|     directory: "/" | ||||
|     schedule: | ||||
|       interval: "weekly" | ||||
							
								
								
									
										68
									
								
								.github/workflows/release.yml
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										68
									
								
								.github/workflows/release.yml
									
									
									
									
										vendored
									
									
								
							| @@ -1,17 +1,20 @@ | ||||
| name: Release Charts | ||||
|  | ||||
| on: | ||||
|   release: | ||||
|     types: [published] | ||||
|   push: | ||||
|     branches: | ||||
|       - main | ||||
|  | ||||
| jobs: | ||||
|   release: | ||||
|     permissions: | ||||
|       id-token: write | ||||
|       contents: write | ||||
|       packages: write | ||||
|     runs-on: ubuntu-latest | ||||
|     steps: | ||||
|       - name: Checkout | ||||
|         uses: actions/checkout@v2 | ||||
|         uses: actions/checkout@v4 | ||||
|         with: | ||||
|           fetch-depth: 0 | ||||
|  | ||||
| @@ -26,6 +29,63 @@ jobs: | ||||
|           version: v3.10.0 | ||||
|  | ||||
|       - name: Run chart-releaser | ||||
|         uses: helm/chart-releaser-action@v1.4.1 | ||||
|         uses: helm/chart-releaser-action@v1.6.0 | ||||
|         with: | ||||
|           charts_dir: charts | ||||
|         env: | ||||
|           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | ||||
|  | ||||
|       - name: Get app version from chart | ||||
|         uses: mikefarah/yq@v4.40.2 | ||||
|         id: app_version | ||||
|         with: | ||||
|           cmd: yq '.appVersion' charts/bitwarden-crd-operator/Chart.yaml | ||||
|  | ||||
|       - name: "GHCR Login" | ||||
|         uses: docker/login-action@v3 | ||||
|         with: | ||||
|           registry: ghcr.io | ||||
|           username: lerentis | ||||
|           password: ${{ secrets.GITHUB_TOKEN }} | ||||
|  | ||||
|       - name: Set up QEMU | ||||
|         uses: docker/setup-qemu-action@v3 | ||||
|        | ||||
|       - name: Set up Docker Buildx | ||||
|         uses: docker/setup-buildx-action@v3 | ||||
|  | ||||
|       - name: "GHCR Build and Push" | ||||
|         id: docker_build | ||||
|         uses: docker/build-push-action@v5 | ||||
|         with: | ||||
|           push: true | ||||
|           platforms: linux/amd64,linux/arm64 | ||||
|           tags: ghcr.io/lerentis/bitwarden-crd-operator:${{ steps.app_version.outputs.result }} | ||||
|  | ||||
|       - name: Create SBOM | ||||
|         uses: anchore/sbom-action@v0 | ||||
|         with: | ||||
|           image: ghcr.io/lerentis/bitwarden-crd-operator:${{ steps.app_version.outputs.result }} | ||||
|          | ||||
|       - name: Publish SBOM | ||||
|         uses: anchore/sbom-action/publish-sbom@v0 | ||||
|         with: | ||||
|           sbom-artifact-match: ".*\\.spdx\\.json" | ||||
|  | ||||
|       - name: Get Latest Tag | ||||
|         id: previoustag | ||||
|         uses: WyriHaximus/github-action-get-previous-tag@v1 | ||||
|  | ||||
|       - name: Download SBOM from github action | ||||
|         uses: actions/download-artifact@v3 | ||||
|         with: | ||||
|           name: ${{ env.ANCHORE_SBOM_ACTION_PRIOR_ARTIFACT }} | ||||
|  | ||||
|       - name: Add SBOM to release | ||||
|         uses: svenstaro/upload-release-action@v2 | ||||
|         with: | ||||
|           repo_token: ${{ secrets.GITHUB_TOKEN }} | ||||
|           file_glob: true | ||||
|           file: lerentis-bitwarden-crd-operator_*.spdx.json | ||||
|           tag:  ${{ steps.previoustag.outputs.tag }} | ||||
|           overwrite: true | ||||
|   | ||||
							
								
								
									
										55
									
								
								.github/workflows/test-and-lint.yml
									
									
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										55
									
								
								.github/workflows/test-and-lint.yml
									
									
									
									
										vendored
									
									
										Normal file
									
								
							| @@ -0,0 +1,55 @@ | ||||
| name: Lint and Test | ||||
|  | ||||
| on: pull_request | ||||
|  | ||||
| jobs: | ||||
|   lint-test: | ||||
|     runs-on: ubuntu-latest | ||||
|     steps: | ||||
|       - name: Checkout | ||||
|         uses: actions/checkout@v4 | ||||
|         with: | ||||
|           fetch-depth: 0 | ||||
|  | ||||
|       - name: Set up Helm | ||||
|         uses: azure/setup-helm@v3 | ||||
|         with: | ||||
|           version: v3.11.2 | ||||
|  | ||||
|       - uses: actions/setup-python@v4 | ||||
|         with: | ||||
|           python-version: '3.9' | ||||
|           check-latest: true | ||||
|  | ||||
|       - name: Set up chart-testing | ||||
|         uses: helm/chart-testing-action@v2.6.1 | ||||
|  | ||||
|       - name: Run chart-testing (list-changed) | ||||
|         id: list-changed | ||||
|         run: | | ||||
|           changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }}) | ||||
|           if [[ -n "$changed" ]]; then | ||||
|             echo "changed=true" >> "$GITHUB_OUTPUT" | ||||
|           fi | ||||
|  | ||||
|       - name: Run chart-testing (lint) | ||||
|         if: steps.list-changed.outputs.changed == 'true' | ||||
|         run: ct lint --target-branch ${{ github.event.repository.default_branch }} | ||||
|  | ||||
|   pr-build: | ||||
|     runs-on: ubuntu-latest | ||||
|     steps: | ||||
|       - name: Set up QEMU | ||||
|         uses: docker/setup-qemu-action@v3 | ||||
|        | ||||
|       - name: Set up Docker Buildx | ||||
|         uses: docker/setup-buildx-action@v3 | ||||
|  | ||||
|       - name: "GHCR Build" | ||||
|         id: docker_build | ||||
|         uses: docker/build-push-action@v5 | ||||
|         with: | ||||
|           push: false | ||||
|           platforms: linux/amd64,linux/arm64 | ||||
|           tags: ghcr.io/lerentis/bitwarden-crd-operator:dev | ||||
|  | ||||
							
								
								
									
										2
									
								
								.gitignore
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										2
									
								
								.gitignore
									
									
									
									
										vendored
									
									
								
							| @@ -166,3 +166,5 @@ lib | ||||
| lib64 | ||||
|  | ||||
| myvalues.yaml | ||||
|  | ||||
| .vscode | ||||
							
								
								
									
										61
									
								
								Dockerfile
									
									
									
									
									
								
							
							
						
						
									
										61
									
								
								Dockerfile
									
									
									
									
									
								
							| @@ -1,33 +1,50 @@ | ||||
| FROM alpine:latest as builder | ||||
| FROM alpine:3.18.3 | ||||
|  | ||||
| ARG BW_VERSION=2022.8.0 | ||||
| LABEL org.opencontainers.image.source=https://github.com/Lerentis/bitwarden-crd-operator | ||||
| LABEL org.opencontainers.image.description="Kubernetes Operator to create k8s secrets from bitwarden" | ||||
| LABEL org.opencontainers.image.licenses=MIT | ||||
|  | ||||
| RUN apk add wget unzip | ||||
| ARG PYTHON_VERSION=3.11.6-r0 | ||||
| ARG PIP_VERSION=23.1.2-r0 | ||||
| ARG GCOMPAT_VERSION=1.1.0-r1 | ||||
| ARG LIBCRYPTO_VERSION=3.1.2-r0 | ||||
| ARG BW_VERSION=2023.1.0 | ||||
|  | ||||
| RUN cd /tmp && wget https://github.com/bitwarden/clients/releases/download/cli-v${BW_VERSION}/bw-linux-${BW_VERSION}.zip && \ | ||||
|     unzip /tmp/bw-linux-${BW_VERSION}.zip | ||||
|  | ||||
| FROM ubuntu:jammy | ||||
|  | ||||
| COPY --from=builder /tmp/bw /usr/local/bin/bw | ||||
| COPY requirements.txt requirements.txt | ||||
| COPY requirements.txt /requirements.txt | ||||
|  | ||||
| RUN set -eux; \ | ||||
|     groupadd -r bw-operator ; \ | ||||
|     useradd -r -g bw-operator -s /sbin/nologin bw-operator; \ | ||||
|     apk add --virtual build-dependencies wget unzip; \ | ||||
|     ARCH="$(apk --print-arch)"; \ | ||||
|     case "${ARCH}" in \ | ||||
|        aarch64|arm64) \ | ||||
|           apk add npm; \ | ||||
|           npm install -g @bitwarden/cli@${BW_VERSION}; \ | ||||
|          ;; \ | ||||
|        amd64|x86_64) \ | ||||
|           cd /tmp; \ | ||||
|           wget https://github.com/bitwarden/clients/releases/download/cli-v${BW_VERSION}/bw-linux-${BW_VERSION}.zip; \ | ||||
|           unzip /tmp/bw-linux-${BW_VERSION}.zip; \ | ||||
|           mv /tmp/bw /usr/local/bin/bw; \ | ||||
|           chmod +x /usr/local/bin/bw; \ | ||||
|          ;; \ | ||||
|        *) \ | ||||
|          echo "Unsupported arch: ${ARCH}"; \ | ||||
|          exit 1; \ | ||||
|          ;; \ | ||||
|     esac; \ | ||||
|     apk del --purge build-dependencies; \ | ||||
|     addgroup -S -g 1000 bw-operator; \ | ||||
|     adduser -S -D -u 1000 -G bw-operator bw-operator; \ | ||||
|     mkdir -p /home/bw-operator; \ | ||||
|     chown -R bw-operator /home/bw-operator; \ | ||||
|     chmod +x /usr/local/bin/bw; \ | ||||
|     apt-get update; \ | ||||
|     apt-get install -y --no-install-recommends python3 python3-pip; \ | ||||
|     apt-get clean; | ||||
|     apk add gcc musl-dev libstdc++ gcompat=${GCOMPAT_VERSION} python3=${PYTHON_VERSION} py3-pip=${PIP_VERSION} libcrypto3=${LIBCRYPTO_VERSION}; \ | ||||
|     pip install -r /requirements.txt --no-warn-script-location; \ | ||||
|     rm /requirements.txt; \ | ||||
|     apk del --purge gcc musl-dev libstdc++; | ||||
|  | ||||
| COPY --chown=bw-operator:bw-operator bitwarden-crd-operator.py /home/bw-operator/bitwarden-crd-operator.py | ||||
| COPY --chown=bw-operator:bw-operator src /home/bw-operator | ||||
|  | ||||
| USER bw-operator | ||||
|  | ||||
| RUN set -eux; \ | ||||
|     pip install -r requirements.txt --no-warn-script-location | ||||
|  | ||||
| ENTRYPOINT [ "/home/bw-operator/.local/bin/kopf", "run", "--all-namespaces", "--liveness=http://0.0.0.0:8080/healthz" ] | ||||
| CMD [ "/home/bw-operator/bitwarden-crd-operator.py" ] | ||||
| ENTRYPOINT [ "kopf", "run", "--log-format=json", "--all-namespaces", "--liveness=http://0.0.0.0:8080/healthz" ] | ||||
| CMD [ "/home/bw-operator/bitwardenCrdOperator.py", "/home/bw-operator/kv.py", "/home/bw-operator/dockerlogin.py", "/home/bw-operator/template.py"] | ||||
|   | ||||
							
								
								
									
										27
									
								
								Makefile
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										27
									
								
								Makefile
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,27 @@ | ||||
| deployment_name ?= bitwarden-crd-operator | ||||
| namespace ?= bitwarden-crd-operator | ||||
| label_filter = -l app.kubernetes.io/instance=bitwarden-crd-operator -l app.kubernetes.io/name=bitwarden-crd-operator | ||||
|  | ||||
| create-namespace: | ||||
| 	kubectl create namespace ${namespace} | ||||
|  | ||||
| dev: | ||||
| 	skaffold dev -n ${namespace} | ||||
|  | ||||
| run: | ||||
| 	skaffold run -n ${namespace} | ||||
|  | ||||
| pods: | ||||
| 	kubectl -n ${namespace} get pods | ||||
|  | ||||
| desc-pods: | ||||
| 	kubectl -n ${namespace} describe pod ${label_filter} | ||||
|  | ||||
| delete-pods-force: | ||||
| 	kubectl -n ${namespace} delete pod ${label_filter} --force | ||||
|  | ||||
| exec: | ||||
| 	kubectl -n ${namespace} exec -it deployment/${deployment_name} -- sh | ||||
|  | ||||
| logs: | ||||
| 	kubectl -n ${namespace} logs -f --tail 30 deployment/${deployment_name} | ||||
							
								
								
									
										126
									
								
								README.md
									
									
									
									
									
								
							
							
						
						
									
										126
									
								
								README.md
									
									
									
									
									
								
							| @@ -1,15 +1,18 @@ | ||||
| # Bitwarden CRD Operator | ||||
|  | ||||
| [](https://drone.uploadfilter24.eu/lerentis/bitwarden-crd-operator) | ||||
| [](https://drone.uploadfilter24.eu/lerentis/bitwarden-crd-operator) [](https://artifacthub.io/packages/search?repo=lerentis) | ||||
|  | ||||
| Bitwarden CRD Operator is a kubernetes Operator based on [kopf](https://github.com/nolar/kopf/). The goal is to create kubernetes native secret objects from bitwarden. | ||||
|  | ||||
| <p align="center"> | ||||
|   <img src="logo.png" alt="Bitwarden CRD Operator Logo" width="200"/> | ||||
| </p> | ||||
|  | ||||
| > DISCLAIMER:   | ||||
| > This project is still very work in progress :) | ||||
|  | ||||
| ## Getting started | ||||
|  | ||||
| For now a few secrets need to be passed to helm. I will change this in the future to give the option to also use a kubernetes secret for this. | ||||
| ## Getting started | ||||
|  | ||||
| You will need a `ClientID` and `ClientSecret` ([where to get these](https://bitwarden.com/help/personal-api-key/)) as well as your password. | ||||
| Expose these to the operator as described in this example: | ||||
| @@ -26,20 +29,34 @@ env: | ||||
|     value: "YourSuperSecurePassword" | ||||
| ``` | ||||
|  | ||||
| you can also create a secret manually with these information and reference the existing secret like this in the `values.yaml`: | ||||
|  | ||||
| ```yaml | ||||
| externalConfigSecret: | ||||
|   enabled: true | ||||
|   name: "my-existing-secret" | ||||
| ``` | ||||
|  | ||||
| the helm template will use all environment variables from this secret, so make sure to prepare this secret with the key value pairs as described above. | ||||
|  | ||||
| `BW_HOST` can be omitted if you are using the Bitwarden SaaS offering. | ||||
|  | ||||
| After that it is a basic helm deployment: | ||||
|  | ||||
| ```bash | ||||
| helm repo add bitwarden-operator https://lerentis.github.io/bitwarden-crd-operator | ||||
| helm repo update  | ||||
| kubectl create namespace bw-operator | ||||
| helm upgrade --install --namespace bw-operator -f chart/bitwarden-crd-operator/values.yaml bw-operator chart/bitwarden-crd-operator | ||||
| helm upgrade --install --namespace bw-operator -f values.yaml bw-operator bitwarden-operator/bitwarden-crd-operator | ||||
| ``` | ||||
|  | ||||
| ## BitwardenSecret | ||||
|  | ||||
| And you are set to create your first secret using this operator. For that you need to add a CRD Object like this to your cluster: | ||||
|  | ||||
| ```yaml | ||||
| --- | ||||
| apiVersion: "lerentis.uploadfilter24.eu/v1beta2" | ||||
| apiVersion: "lerentis.uploadfilter24.eu/v1beta4" | ||||
| kind: BitwardenSecret | ||||
| metadata: | ||||
|   name: name-of-your-management-object | ||||
| @@ -48,9 +65,11 @@ spec: | ||||
|     - element: | ||||
|         secretName: nameOfTheFieldInBitwarden # for example username | ||||
|         secretRef: nameOfTheKeyInTheSecretToBeCreated  | ||||
|         secretScope: login # for custom entries on bitwarden use 'fields'  | ||||
|     - element: | ||||
|         secretName: nameOfAnotherFieldInBitwarden # for example password | ||||
|         secretRef: nameOfAnotherKeyInTheSecretToBeCreated  | ||||
|         secretScope: login # for custom entries on bitwarden use 'fields'  | ||||
|   id: "A Secret ID from bitwarden" | ||||
|   name: "Name of the secret to be created" | ||||
|   namespace: "Namespace of the secret to be created" | ||||
| @@ -73,10 +92,95 @@ metadata: | ||||
| type: Opaque | ||||
| ``` | ||||
|  | ||||
| ## Short Term Roadmap | ||||
| ## RegistryCredential | ||||
|  | ||||
| [] support more types   | ||||
| [] offer option to use a existing secret in helm chart   | ||||
| [x] host chart on gh pages   | ||||
| [x] write release pipeline   | ||||
| [x] maybe extend spec to offer modification of keys as well | ||||
| For managing registry credentials, or pull secrets, you can create another kind of object to let the operator create these as well for you: | ||||
|  | ||||
| ```yaml | ||||
| --- | ||||
| apiVersion: "lerentis.uploadfilter24.eu/v1beta4" | ||||
| kind: RegistryCredential | ||||
| metadata: | ||||
|   name: name-of-your-management-object | ||||
| spec: | ||||
|   usernameRef: nameOfTheFieldInBitwarden # for example username | ||||
|   passwordRef: nameOfTheFieldInBitwarden # for example password | ||||
|   registry: "docker.io" | ||||
|   id: "A Secret ID from bitwarden" | ||||
|   name: "Name of the secret to be created" | ||||
|   namespace: "Namespace of the secret to be created" | ||||
| ``` | ||||
|  | ||||
| The resulting secret looks something like this: | ||||
|  | ||||
| ```yaml | ||||
| apiVersion: v1 | ||||
| data: | ||||
|   .dockerconfigjson: "base64 encoded json auth string for your registry" | ||||
| kind: Secret | ||||
| metadata: | ||||
|   annotations: | ||||
|     managed: bitwarden-secrets.lerentis.uploadfilter24.eu | ||||
|     managedObject: bw-operator/test | ||||
|   name: name-of-your-management-object | ||||
|   namespace: default | ||||
| type: dockerconfigjson | ||||
| ``` | ||||
|  | ||||
| ## BitwardenTemplate | ||||
|  | ||||
| One of the more freely defined types that can be used with this operator you can just pass a whole template. Also the lookup function `bitwarden_lookup` is available to reference parts of the secret: | ||||
|  | ||||
| ```yaml | ||||
| --- | ||||
| apiVersion: "lerentis.uploadfilter24.eu/v1beta4" | ||||
| kind: BitwardenTemplate | ||||
| metadata: | ||||
|   name: name-of-your-management-object | ||||
| spec: | ||||
|   filename: "Key of the secret to be created" | ||||
|   name: "Name of the secret to be created" | ||||
|   namespace: "Namespace of the secret to be created" | ||||
|   template: | | ||||
|     --- | ||||
|     api: | ||||
|       enabled: True | ||||
|       key: {{ bitwarden_lookup("A Secret ID from bitwarden", "login or fields or attachment", "name of a field in bitwarden") }} | ||||
|       allowCrossOrigin: false | ||||
|       apps: | ||||
|         "some.app.identifier:some_version": | ||||
|           pubkey: {{ bitwarden_lookup("A Secret ID from bitwarden", "login or fields or attachment", "name of a field in bitwarden") }} | ||||
|           enabled: true | ||||
| ``` | ||||
|  | ||||
| This will result in something like the following object: | ||||
|  | ||||
| ```yaml | ||||
| apiVersion: v1 | ||||
| data: | ||||
|   Key of the secret to be created: "base64 encoded and rendered template with secrets injected directly from bitwarden" | ||||
| kind: Secret | ||||
| metadata: | ||||
|   annotations: | ||||
|     managed: bitwarden-template.lerentis.uploadfilter24.eu | ||||
|     managedObject: namespace/name-of-your-management-object | ||||
|   name: Name of the secret to be created | ||||
|   namespace: Namespace of the secret to be created | ||||
| type: Opaque | ||||
| ``` | ||||
|  | ||||
| The signature of `bitwarden_lookup` is `(item_id, scope, field)`: | ||||
| - `item_id`: The item ID of the secret in Bitwarden | ||||
| - `scope`: one of `login`, `fields` or `attachment` | ||||
| - `field`: | ||||
|   - when `scope` is `login`: either `username` or `password` | ||||
|   - when `scope` is `fields`: the name of a custom field | ||||
|   - when `scope` is `attachment`: the filename of a file attached to the item | ||||
|  | ||||
| Please note that the rendering engine for this template is jinja2, with an addition of a custom `bitwarden_lookup` function, so there are more possibilities to inject here. | ||||
|  | ||||
| ## Configurations parameters | ||||
|  | ||||
| The operator uses the bitwarden cli in the background and does not communicate to the api directly. The cli mirrors the credential store locally but doesn't sync it on every get request. Instead it will sync each secret every 15 minutes (900 seconds). You can adjust the interval by setting `BW_SYNC_INTERVAL` in the values. If your secrets update very very frequently, you can force the operator to do a sync before each get by setting `BW_FORCE_SYNC="true"`. You might run into rate limits if you do this too frequent. | ||||
|  | ||||
| Additionally the bitwarden cli session may expire at some time. In order to create a new session, the login command is triggered from time to time. In what interval exactly can be configured with the env `BW_RELOGIN_INTERVAL` which defaults to 3600s. | ||||
|   | ||||
| @@ -1,90 +0,0 @@ | ||||
| #!/usr/bin/env python3 | ||||
| import kopf | ||||
| import kubernetes | ||||
| import base64 | ||||
| import os | ||||
| import subprocess | ||||
| import json | ||||
|  | ||||
| from pprint import pprint | ||||
|  | ||||
| def get_secret_from_bitwarden(logger, id): | ||||
|     return command_wrapper(logger, f"get item {id}") | ||||
|  | ||||
| def unlock_bw(logger): | ||||
|     token_output = command_wrapper(logger, "unlock --passwordenv BW_PASSWORD") | ||||
|     tokens = token_output.split('"')[1::2] | ||||
|     os.environ["BW_SESSION"] = tokens[1] | ||||
|     logger.info("Signin successful. Session exported") | ||||
|  | ||||
| def command_wrapper(logger, command): | ||||
|     system_env = dict(os.environ) | ||||
|     sp = subprocess.Popen([f"bw {command}"], stdout=subprocess.PIPE, stderr=subprocess.PIPE, close_fds=True, shell=True, env=system_env) | ||||
|     out, err = sp.communicate() | ||||
|     if err: | ||||
|         logger.warn(f"Error during bw cli invokement: {err}") | ||||
|     return out.decode(encoding='UTF-8') | ||||
|  | ||||
| @kopf.on.startup() | ||||
| def bitwarden_signin(logger, **kwargs): | ||||
|     if 'BW_HOST' in os.environ: | ||||
|         command_wrapper(logger, f"config server {os.getenv('BW_HOST')}") | ||||
|     else: | ||||
|         logger.info(f"BW_HOST not set. Assuming SaaS installation") | ||||
|     command_wrapper(logger, "login --apikey") | ||||
|     unlock_bw(logger) | ||||
|  | ||||
| @kopf.on.create('bitwarden-secrets.lerentis.uploadfilter24.eu') | ||||
| def create_managed_secret(spec, name, namespace, logger, body, **kwargs): | ||||
|  | ||||
|     content_def = body['spec']['content'] | ||||
|     id = spec.get('id') | ||||
|     secret_name = spec.get('name') | ||||
|     secret_namespace = spec.get('namespace') | ||||
|  | ||||
|     unlock_bw(logger) | ||||
|      | ||||
|     secret_json_object = json.loads(get_secret_from_bitwarden(logger, id)) | ||||
|  | ||||
|     api = kubernetes.client.CoreV1Api() | ||||
|  | ||||
|     annotations = { | ||||
|         "managed": "bitwarden-secrets.lerentis.uploadfilter24.eu", | ||||
|         "managedObject": f"{namespace}/{name}" | ||||
|     } | ||||
|     secret = kubernetes.client.V1Secret() | ||||
|     secret.metadata = kubernetes.client.V1ObjectMeta(name=secret_name, annotations=annotations) | ||||
|     secret.type = "Opaque" | ||||
|     secret.data = {} | ||||
|     for eleml in content_def: | ||||
|         for k, elem in eleml.items(): | ||||
|             for key,value in elem.items(): | ||||
|                 if key == "secretName": | ||||
|                     _secret_key = value | ||||
|                 if key == "secretRef": | ||||
|                     _secret_ref = value | ||||
|              | ||||
|             secret.data[_secret_ref] = str(base64.b64encode(secret_json_object["login"][_secret_key].encode("utf-8")), "utf-8") | ||||
|  | ||||
|     obj = api.create_namespaced_secret( | ||||
|         secret_namespace, secret | ||||
|     ) | ||||
|  | ||||
|     logger.info(f"Secret {secret_namespace}/{secret_name} is created") | ||||
|  | ||||
|  | ||||
| @kopf.on.update('bitwarden-secrets.lerentis.uploadfilter24.eu') | ||||
| def my_handler(spec, old, new, diff, **_): | ||||
|     pass | ||||
|  | ||||
| @kopf.on.delete('bitwarden-secrets.lerentis.uploadfilter24.eu') | ||||
| def delete_managed_secret(spec, name, namespace, logger, **kwargs): | ||||
|     secret_name = spec.get('name') | ||||
|     secret_namespace = spec.get('namespace') | ||||
|     api = kubernetes.client.CoreV1Api() | ||||
|  | ||||
|     try: | ||||
|         api.delete_namespaced_secret(secret_name, secret_namespace) | ||||
|         logger.info(f"Secret {secret_namespace}/{secret_name} has been deleted") | ||||
|     except: | ||||
|         logger.warn(f"Could not delete secret {secret_namespace}/{secret_name}!") | ||||
| @@ -4,6 +4,99 @@ description: Deploy the Bitwarden CRD Operator | ||||
|  | ||||
| type: application | ||||
|  | ||||
| version: 0.1.1 | ||||
| version: "v0.10.1" | ||||
|  | ||||
| appVersion: "0.1.1" | ||||
| appVersion: "0.9.1" | ||||
|  | ||||
| keywords: | ||||
|   - operator | ||||
|   - bitwarden | ||||
|   - vaultwarden | ||||
|  | ||||
| icon: https://lerentis.github.io/bitwarden-crd-operator/logo.png | ||||
|  | ||||
| home: https://lerentis.github.io/bitwarden-crd-operator/ | ||||
|  | ||||
| sources: | ||||
|   - https://github.com/Lerentis/bitwarden-crd-operator | ||||
|  | ||||
| kubeVersion: ">= 1.23.0-0" | ||||
|  | ||||
| maintainers: | ||||
|   - name: lerentis | ||||
|     email: lerentis+helm@uploadfilter24.eu | ||||
|  | ||||
| annotations: | ||||
|   artifacthub.io/links: | | ||||
|     - name: Chart Source | ||||
|       url: https://github.com/Lerentis/bitwarden-crd-operator | ||||
|   artifacthub.io/crds: | | ||||
|     - kind: BitwardenSecret | ||||
|       version: v1beta4 | ||||
|       name: bitwarden-secret | ||||
|       displayName: Bitwarden Secret | ||||
|       description: Management Object to create secrets from bitwarden | ||||
|     - kind: RegistryCredential | ||||
|       version: v1beta4 | ||||
|       name: registry-credential | ||||
|       displayName: Regestry Credentials | ||||
|       description: Management Object to create regestry secrets from bitwarden | ||||
|     - kind: BitwardenTemplate | ||||
|       version: v1beta1 | ||||
|       name: bitwarden-template | ||||
|       displayName: Bitwarden Template | ||||
|       description: Management Object to create secrets from a jinja template with a bitwarden lookup | ||||
|   artifacthub.io/crdsExamples: | | ||||
|     - apiVersion: lerentis.uploadfilter24.eu/v1beta4 | ||||
|       kind: BitwardenSecret | ||||
|       metadata: | ||||
|         name: test | ||||
|       spec: | ||||
|         content: | ||||
|           - element: | ||||
|               secretName: username | ||||
|               secretRef: nameofUser | ||||
|           - element: | ||||
|               secretName: password | ||||
|               secretRef: passwordOfUser | ||||
|         id: "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" | ||||
|         name: "test-secret" | ||||
|         namespace: "default" | ||||
|     - apiVersion: lerentis.uploadfilter24.eu/v1beta4 | ||||
|       kind: RegistryCredential | ||||
|       metadata: | ||||
|         name: test | ||||
|       spec: | ||||
|         usernameRef: "username" | ||||
|         passwordRef: "password" | ||||
|         registry: "docker.io" | ||||
|         id: "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" | ||||
|         name: "test-regcred" | ||||
|         namespace: "default" | ||||
|     - apiVersion: "lerentis.uploadfilter24.eu/v1beta4" | ||||
|       kind: BitwardenTemplate | ||||
|       metadata: | ||||
|         name: test | ||||
|       spec: | ||||
|         filename: "config.yaml" | ||||
|         name: "test-regcred" | ||||
|         namespace: "default" | ||||
|         template: | | ||||
|           --- | ||||
|           api: | ||||
|             enabled: True | ||||
|             key: {{ bitwarden_lookup("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "fields", "key") }} | ||||
|             allowCrossOrigin: false | ||||
|             apps: | ||||
|               "some.app.identifier:some_version": | ||||
|                 pubkey: {{ bitwarden_lookup("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "attachment", "public_key") }} | ||||
|                 enabled: true | ||||
|   artifacthub.io/license: MIT | ||||
|   artifacthub.io/operator: "true" | ||||
|   artifacthub.io/containsSecurityUpdates: "false" | ||||
|   artifacthub.io/changes: | | ||||
|     - kind: fixed | ||||
|       description: "Fixed type and content of RegistryCredential" | ||||
|   artifacthub.io/images: | | ||||
|     - name: bitwarden-crd-operator | ||||
|       image: ghcr.io/lerentis/bitwarden-crd-operator:0.9.1 | ||||
|   | ||||
							
								
								
									
										172
									
								
								charts/bitwarden-crd-operator/README.md
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										172
									
								
								charts/bitwarden-crd-operator/README.md
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,172 @@ | ||||
| # Bitwarden CRD Operator | ||||
|  | ||||
| [](https://drone.uploadfilter24.eu/lerentis/bitwarden-crd-operator) [](https://artifacthub.io/packages/search?repo=lerentis) | ||||
|  | ||||
| Bitwarden CRD Operator is a kubernetes Operator based on [kopf](https://github.com/nolar/kopf/). The goal is to create kubernetes native secret objects from bitwarden. | ||||
|  | ||||
| <p align="center"> | ||||
|   <img src="https://github.com/Lerentis/bitwarden-crd-operator/blob/main/logo.png?raw=true" alt="Bitwarden CRD Operator Logo" width="200"/> | ||||
| </p> | ||||
|  | ||||
| > DISCLAIMER:   | ||||
| > This project is still very work in progress :) | ||||
|  | ||||
|  | ||||
| ## Getting started | ||||
|  | ||||
| You will need a `ClientID` and `ClientSecret` ([where to get these](https://bitwarden.com/help/personal-api-key/)) as well as your password. | ||||
| Expose these to the operator as described in this example: | ||||
|  | ||||
| ```yaml | ||||
| env: | ||||
|   - name: BW_HOST | ||||
|     value: "https://bitwarden.your.tld.org" | ||||
|   - name: BW_CLIENTID | ||||
|     value: "user.your-client-id" | ||||
|   - name: BW_CLIENTSECRET | ||||
|     value: "YoUrCliEntSecRet" | ||||
|   - name: BW_PASSWORD | ||||
|     value: "YourSuperSecurePassword" | ||||
| ``` | ||||
|  | ||||
| you can also create a secret manually with these information and reference the existing secret like this in the `values.yaml`: | ||||
|  | ||||
| ```yaml | ||||
| externalConfigSecret: | ||||
|   enabled: true | ||||
|   name: "my-existing-secret" | ||||
| ``` | ||||
|  | ||||
| the helm template will use all environment variables from this secret, so make sure to prepare this secret with the key value pairs as described above. | ||||
|  | ||||
| `BW_HOST` can be omitted if you are using the Bitwarden SaaS offering. | ||||
|  | ||||
| After that it is a basic helm deployment: | ||||
|  | ||||
| ```bash | ||||
| helm repo add bitwarden-operator https://lerentis.github.io/bitwarden-crd-operator | ||||
| helm repo update  | ||||
| kubectl create namespace bw-operator | ||||
| helm upgrade --install --namespace bw-operator -f values.yaml bw-operator bitwarden-operator/bitwarden-crd-operator | ||||
| ``` | ||||
|  | ||||
| ## BitwardenSecret | ||||
|  | ||||
| And you are set to create your first secret using this operator. For that you need to add a CRD Object like this to your cluster: | ||||
|  | ||||
| ```yaml | ||||
| --- | ||||
| apiVersion: "lerentis.uploadfilter24.eu/v1beta4" | ||||
| kind: BitwardenSecret | ||||
| metadata: | ||||
|   name: name-of-your-management-object | ||||
| spec: | ||||
|   content: | ||||
|     - element: | ||||
|         secretName: nameOfTheFieldInBitwarden # for example username | ||||
|         secretRef: nameOfTheKeyInTheSecretToBeCreated  | ||||
|         secretScope: login # for custom entries on bitwarden use 'fields'  | ||||
|     - element: | ||||
|         secretName: nameOfAnotherFieldInBitwarden # for example password | ||||
|         secretRef: nameOfAnotherKeyInTheSecretToBeCreated  | ||||
|         secretScope: login # for custom entries on bitwarden use 'fields'  | ||||
|   id: "A Secret ID from bitwarden" | ||||
|   name: "Name of the secret to be created" | ||||
|   namespace: "Namespace of the secret to be created" | ||||
| ``` | ||||
|  | ||||
| The ID can be extracted from the browser when you open a item the ID is in the URL. The resulting secret looks something like this: | ||||
|  | ||||
| ```yaml | ||||
| apiVersion: v1 | ||||
| data: | ||||
|   nameOfTheKeyInTheSecretToBeCreated: "base64 encoded value of TheFieldInBitwarden" | ||||
|   nameOfAnotherKeyInTheSecretToBeCreated: "base64 encoded value of AnotherFieldInBitwarden" | ||||
| kind: Secret | ||||
| metadata: | ||||
|   annotations: | ||||
|     managed: bitwarden-secrets.lerentis.uploadfilter24.eu | ||||
|     managedObject: bw-operator/test | ||||
|   name: name-of-your-management-object | ||||
|   namespace: default | ||||
| type: Opaque | ||||
| ``` | ||||
|  | ||||
| ## RegistryCredential | ||||
|  | ||||
| For managing registry credentials, or pull secrets, you can create another kind of object to let the operator create these as well for you: | ||||
|  | ||||
| ```yaml | ||||
| --- | ||||
| apiVersion: "lerentis.uploadfilter24.eu/v1beta4" | ||||
| kind: RegistryCredential | ||||
| metadata: | ||||
|   name: name-of-your-management-object | ||||
| spec: | ||||
|   usernameRef: nameOfTheFieldInBitwarden # for example username | ||||
|   passwordRef: nameOfTheFieldInBitwarden # for example password | ||||
|   registry: "docker.io" | ||||
|   id: "A Secret ID from bitwarden" | ||||
|   name: "Name of the secret to be created" | ||||
|   namespace: "Namespace of the secret to be created" | ||||
| ``` | ||||
|  | ||||
| The resulting secret looks something like this: | ||||
|  | ||||
| ```yaml | ||||
| apiVersion: v1 | ||||
| data: | ||||
|   .dockerconfigjson: "base64 encoded json auth string for your registry" | ||||
| kind: Secret | ||||
| metadata: | ||||
|   annotations: | ||||
|     managed: bitwarden-secrets.lerentis.uploadfilter24.eu | ||||
|     managedObject: bw-operator/test | ||||
|   name: name-of-your-management-object | ||||
|   namespace: default | ||||
| type: dockerconfigjson | ||||
| ``` | ||||
|  | ||||
| ## BitwardenTemplate | ||||
|  | ||||
| One of the more freely defined types that can be used with this operator you can just pass a whole template: | ||||
|  | ||||
| ```yaml | ||||
| --- | ||||
| apiVersion: "lerentis.uploadfilter24.eu/v1beta4" | ||||
| kind: BitwardenTemplate | ||||
| metadata: | ||||
|   name: name-of-your-management-object | ||||
| spec: | ||||
|   filename: "Key of the secret to be created" | ||||
|   name: "Name of the secret to be created" | ||||
|   namespace: "Namespace of the secret to be created" | ||||
|   template: | | ||||
|     --- | ||||
|     api: | ||||
|       enabled: True | ||||
|       key: {{ bitwarden_lookup("A Secret ID from bitwarden", "login or fields", "name of a field in bitwarden") }} | ||||
|       allowCrossOrigin: false | ||||
|       apps: | ||||
|         "some.app.identifier:some_version": | ||||
|           pubkey: {{ bitwarden_lookup("A Secret ID from bitwarden", "login or fields", "name of a field in bitwarden") }} | ||||
|           enabled: true | ||||
| ``` | ||||
|  | ||||
| This will result in something like the following object: | ||||
|  | ||||
| ```yaml | ||||
| apiVersion: v1 | ||||
| data: | ||||
|   Key of the secret to be created: "base64 encoded and rendered template with secrets injected directly from bitwarden" | ||||
| kind: Secret | ||||
| metadata: | ||||
|   annotations: | ||||
|     managed: bitwarden-template.lerentis.uploadfilter24.eu | ||||
|     managedObject: namespace/name-of-your-management-object | ||||
|   name: Name of the secret to be created | ||||
|   namespace: Namespace of the secret to be created | ||||
| type: Opaque | ||||
| ``` | ||||
|  | ||||
| please note that the rendering engine for this template is jinja2, with an addition of a custom `bitwarden_lookup` function, so there are more possibilities to inject here. | ||||
| @@ -1,3 +1,4 @@ | ||||
| --- | ||||
| apiVersion: apiextensions.k8s.io/v1 | ||||
| kind: CustomResourceDefinition | ||||
| metadata: | ||||
| @@ -12,7 +13,7 @@ spec: | ||||
|     shortNames: | ||||
|       - bws | ||||
|   versions: | ||||
|     - name: v1beta2 | ||||
|     - name: v1beta4 | ||||
|       served: true | ||||
|       storage: true | ||||
|       schema: | ||||
| @@ -34,6 +35,8 @@ spec: | ||||
|                             type: string | ||||
|                           secretRef: | ||||
|                             type: string | ||||
|                           secretScope: | ||||
|                             type: string | ||||
|                         required: | ||||
|                           - secretName | ||||
|                 id: | ||||
|   | ||||
							
								
								
									
										38
									
								
								charts/bitwarden-crd-operator/crds/bitwarden-templates.yaml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										38
									
								
								charts/bitwarden-crd-operator/crds/bitwarden-templates.yaml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,38 @@ | ||||
| --- | ||||
| apiVersion: apiextensions.k8s.io/v1 | ||||
| kind: CustomResourceDefinition | ||||
| metadata: | ||||
|   name: bitwarden-templates.lerentis.uploadfilter24.eu | ||||
| spec: | ||||
|   scope: Namespaced | ||||
|   group: lerentis.uploadfilter24.eu | ||||
|   names: | ||||
|     kind: BitwardenTemplate | ||||
|     plural: bitwarden-templates | ||||
|     singular: bitwarden-template | ||||
|     shortNames: | ||||
|       - bwt | ||||
|   versions: | ||||
|     - name: v1beta4 | ||||
|       served: true | ||||
|       storage: true | ||||
|       schema: | ||||
|         openAPIV3Schema: | ||||
|           type: object | ||||
|           properties: | ||||
|             spec: | ||||
|               type: object | ||||
|               properties: | ||||
|                 filename: | ||||
|                   type: string | ||||
|                 template: | ||||
|                   type: string | ||||
|                 namespace: | ||||
|                   type: string | ||||
|                 name: | ||||
|                   type: string | ||||
|               required: | ||||
|                 - filename | ||||
|                 - template | ||||
|                 - namespace | ||||
|                 - name | ||||
							
								
								
									
										44
									
								
								charts/bitwarden-crd-operator/crds/registry-credentials.yaml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										44
									
								
								charts/bitwarden-crd-operator/crds/registry-credentials.yaml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,44 @@ | ||||
| --- | ||||
| apiVersion: apiextensions.k8s.io/v1 | ||||
| kind: CustomResourceDefinition | ||||
| metadata: | ||||
|   name: registry-credentials.lerentis.uploadfilter24.eu | ||||
| spec: | ||||
|   scope: Namespaced | ||||
|   group: lerentis.uploadfilter24.eu | ||||
|   names: | ||||
|     kind: RegistryCredential | ||||
|     plural: registry-credentials | ||||
|     singular: registry-credential | ||||
|     shortNames: | ||||
|       - rgc | ||||
|   versions: | ||||
|     - name: v1beta4 | ||||
|       served: true | ||||
|       storage: true | ||||
|       schema: | ||||
|         openAPIV3Schema: | ||||
|           type: object | ||||
|           properties: | ||||
|             spec: | ||||
|               type: object | ||||
|               properties: | ||||
|                 usernameRef: | ||||
|                   type: string | ||||
|                 passwordRef: | ||||
|                   type: string | ||||
|                 registry: | ||||
|                   type: string | ||||
|                 id: | ||||
|                   type: string | ||||
|                 namespace: | ||||
|                   type: string | ||||
|                 name: | ||||
|                   type: string | ||||
|               required: | ||||
|                 - id | ||||
|                 - namespace | ||||
|                 - name | ||||
|                 - usernameRef | ||||
|                 - passwordRef | ||||
|                 - registry | ||||
| @@ -4,7 +4,7 @@ metadata: | ||||
|   name: {{ include "bitwarden-crd-operator.serviceAccountName" . }}-role | ||||
| rules: | ||||
| - apiGroups: ["lerentis.uploadfilter24.eu"] | ||||
|   resources: ["bitwarden-secrets"] | ||||
|   resources: ["bitwarden-secrets", "registry-credentials", "bitwarden-templates"] | ||||
|   verbs: ["get", "watch", "list", "create", "delete", "patch", "update"] | ||||
| - apiGroups: [""] | ||||
|   resources: ["secrets"] | ||||
|   | ||||
| @@ -33,10 +33,15 @@ spec: | ||||
|             {{- toYaml .Values.securityContext | nindent 12 }} | ||||
|           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" | ||||
|           imagePullPolicy: {{ .Values.image.pullPolicy }} | ||||
|           {{- with .Values.env }} | ||||
|           env: | ||||
|           {{- with .Values.env }} | ||||
|             {{- . | toYaml | trim | nindent 12 }} | ||||
|           {{- end }} | ||||
|           {{- if .Values.externalConfigSecret.enabled }} | ||||
|           envFrom: | ||||
|             - secretRef: | ||||
|                 name: {{ .Values.externalConfigSecret.name }} | ||||
|           {{- end }} | ||||
|           ports: | ||||
|             - name: http | ||||
|               containerPort: 8080 | ||||
| @@ -45,10 +50,20 @@ spec: | ||||
|             httpGet: | ||||
|               path: /healthz | ||||
|               port: http | ||||
|             failureThreshold: {{ .Values.livenessProbe.failureThreshold }} | ||||
|             initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} | ||||
|             periodSeconds: {{ .Values.livenessProbe.periodSeconds }} | ||||
|             successThreshold: {{ .Values.livenessProbe.successThreshold }} | ||||
|             timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} | ||||
|           readinessProbe: | ||||
|             httpGet: | ||||
|               path: /healthz | ||||
|               port: http | ||||
|             failureThreshold: {{ .Values.readinessProbe.failureThreshold }} | ||||
|             initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} | ||||
|             periodSeconds: {{ .Values.readinessProbe.periodSeconds }} | ||||
|             successThreshold: {{ .Values.readinessProbe.successThreshold }} | ||||
|             timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} | ||||
|           resources: | ||||
|             {{- toYaml .Values.resources | nindent 12 }} | ||||
|       {{- with .Values.nodeSelector }} | ||||
|   | ||||
| @@ -5,7 +5,7 @@ | ||||
| replicaCount: 1 | ||||
|  | ||||
| image: | ||||
|   repository: lerentis/bitwarden-crd-operator | ||||
|   repository: ghcr.io/lerentis/bitwarden-crd-operator | ||||
|   pullPolicy: IfNotPresent | ||||
|   # Overrides the image tag whose default is the chart appVersion. | ||||
|   # tag: "0.1.0" | ||||
| @@ -14,15 +14,26 @@ imagePullSecrets: [] | ||||
| nameOverride: "" | ||||
| fullnameOverride: "" | ||||
|  | ||||
| #env: | ||||
| #  - name: BW_HOST | ||||
| #    value: "define_it" | ||||
| #  - name: BW_CLIENTID | ||||
| #    value: "define_it" | ||||
| #  - name: BW_CLIENTSECRET | ||||
| #    value: "define_it" | ||||
| #  - name: BW_PASSWORD | ||||
| #    value: "define_id" | ||||
| # env: | ||||
| #   - name: BW_FORCE_SYNC | ||||
| #     value: "false" | ||||
| #   - name: BW_SYNC_INTERVAL | ||||
| #     value: "900" | ||||
| #   - name: BW_HOST | ||||
| #     value: "define_it" | ||||
| #   - name: BW_CLIENTID | ||||
| #     value: "define_it" | ||||
| #   - name: BW_CLIENTSECRET | ||||
| #     value: "define_it" | ||||
| #   - name: BW_PASSWORD | ||||
| #     value: "define_id" | ||||
| ##  - name: BW_RELOGIN_INTERVAL | ||||
| ##    value: "3600" | ||||
|  | ||||
| externalConfigSecret: | ||||
|   enabled: false | ||||
|  | ||||
|   name: "" | ||||
|  | ||||
| serviceAccount: | ||||
|   # Specifies whether a service account should be created | ||||
| @@ -46,6 +57,20 @@ securityContext: {} | ||||
|   # runAsNonRoot: true | ||||
|   # runAsUser: 1000 | ||||
|  | ||||
| readinessProbe: | ||||
|   failureThreshold: 3 | ||||
|   initialDelaySeconds: 10 | ||||
|   periodSeconds: 10 | ||||
|   successThreshold: 1 | ||||
|   timeoutSeconds: 1 | ||||
|  | ||||
| livenessProbe: | ||||
|   failureThreshold: 3 | ||||
|   initialDelaySeconds: 10 | ||||
|   periodSeconds: 10 | ||||
|   successThreshold: 1 | ||||
|   timeoutSeconds: 1 | ||||
|  | ||||
| resources: {} | ||||
|   # We usually recommend not to specify default resources and to leave this as a conscious | ||||
|   # choice for the user. This also increases chances charts run on environments with little | ||||
|   | ||||
							
								
								
									
										18
									
								
								example.yaml
									
									
									
									
									
								
							
							
						
						
									
										18
									
								
								example.yaml
									
									
									
									
									
								
							| @@ -1,5 +1,5 @@ | ||||
| --- | ||||
| apiVersion: "lerentis.uploadfilter24.eu/v1beta2" | ||||
| apiVersion: "lerentis.uploadfilter24.eu/v1beta4" | ||||
| kind: BitwardenSecret | ||||
| metadata: | ||||
|   name: test | ||||
| @@ -8,9 +8,25 @@ spec: | ||||
|     - element: | ||||
|         secretName: username | ||||
|         secretRef: nameofUser  | ||||
|         secretScope: login | ||||
|     - element: | ||||
|         secretName: password | ||||
|         secretRef: passwordOfUser  | ||||
|         secretScope: login | ||||
|   id: "88781348-c81c-4367-9801-550360c21295" | ||||
|   name: "test-secret" | ||||
|   namespace: "default" | ||||
| --- | ||||
| apiVersion: "lerentis.uploadfilter24.eu/v1beta4" | ||||
| kind: BitwardenSecret | ||||
| metadata: | ||||
|   name: test-scope | ||||
| spec: | ||||
|   content: | ||||
|     - element: | ||||
|         secretName: public_key | ||||
|         secretRef: pubKey  | ||||
|         secretScope: fields | ||||
|   id: "466fc4b0-ffca-4444-8d88-b59d4de3d928" | ||||
|   name: "test-scope" | ||||
|   namespace: "default" | ||||
							
								
								
									
										12
									
								
								example_dockerlogin.yaml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										12
									
								
								example_dockerlogin.yaml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,12 @@ | ||||
| --- | ||||
| apiVersion: "lerentis.uploadfilter24.eu/v1beta4" | ||||
| kind: RegistryCredential | ||||
| metadata: | ||||
|   name: test | ||||
| spec: | ||||
|   usernameRef: "username" | ||||
|   passwordRef: "password" | ||||
|   registry: "docker.io" | ||||
|   id: "3b249ec7-9ce7-440a-9558-f34f3ab10680" | ||||
|   name: "test-regcred" | ||||
|   namespace: "default" | ||||
							
								
								
									
										19
									
								
								example_template.yaml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										19
									
								
								example_template.yaml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,19 @@ | ||||
| --- | ||||
| apiVersion: "lerentis.uploadfilter24.eu/v1beta4" | ||||
| kind: BitwardenTemplate | ||||
| metadata: | ||||
|   name: test | ||||
| spec: | ||||
|   filename: "config.yaml" | ||||
|   name: "test-template" | ||||
|   namespace: "default" | ||||
|   template: | | ||||
|     --- | ||||
|     api: | ||||
|       enabled: True | ||||
|       key: {{ bitwarden_lookup("466fc4b0-ffca-4444-8d88-b59d4de3d928", "fields", "key") }} | ||||
|       allowCrossOrigin: false | ||||
|       apps: | ||||
|         "some.app.identifier:some_version": | ||||
|           pubkey: {{ bitwarden_lookup("466fc4b0-ffca-4444-8d88-b59d4de3d928", "fields", "public_key") }} | ||||
|           enabled: true | ||||
| @@ -1,3 +1,4 @@ | ||||
| kopf | ||||
| kubernetes | ||||
| jinja2 | ||||
| kopf==1.36.2 | ||||
| kubernetes==26.1.0 | ||||
| Jinja2==3.1.2 | ||||
| schedule==1.2.1 | ||||
							
								
								
									
										17
									
								
								skaffold.yaml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										17
									
								
								skaffold.yaml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,17 @@ | ||||
| apiVersion: skaffold/v4beta5 | ||||
| kind: Config | ||||
| metadata: | ||||
|   name: bitwarden-crd-operator | ||||
| build: | ||||
|   artifacts: | ||||
|     - image: ghcr.io/lerentis/bitwarden-crd-operator | ||||
|       docker: | ||||
|         dockerfile: Dockerfile | ||||
| deploy: | ||||
|   helm: | ||||
|     releases: | ||||
|       - name: bitwarden-crd-operator | ||||
|         chartPath: charts/bitwarden-crd-operator | ||||
|         valuesFiles: | ||||
|           - env/values.yaml | ||||
|         version: v0.7.4 | ||||
							
								
								
									
										47
									
								
								src/bitwardenCrdOperator.py
									
									
									
									
									
										Executable file
									
								
							
							
						
						
									
										47
									
								
								src/bitwardenCrdOperator.py
									
									
									
									
									
										Executable file
									
								
							| @@ -0,0 +1,47 @@ | ||||
| #!/usr/bin/env python3 | ||||
| import os | ||||
| import kopf | ||||
| import schedule | ||||
| import time | ||||
| import threading | ||||
|  | ||||
| from utils.utils import command_wrapper, unlock_bw, sync_bw | ||||
|  | ||||
| def bitwarden_signin(logger, **kwargs): | ||||
|     if 'BW_HOST' in os.environ: | ||||
|         try: | ||||
|             command_wrapper(logger, f"config server {os.getenv('BW_HOST')}") | ||||
|         except BaseException: | ||||
|             logger.warn("Received non-zero exit code from server config") | ||||
|             logger.warn("This is expected from startup") | ||||
|             pass | ||||
|     else: | ||||
|         logger.info("BW_HOST not set. Assuming SaaS installation") | ||||
|     command_wrapper(logger, "login --apikey") | ||||
|     unlock_bw(logger) | ||||
|  | ||||
| def run_continuously(interval=30): | ||||
|     cease_continuous_run = threading.Event() | ||||
|  | ||||
|     class ScheduleThread(threading.Thread): | ||||
|         @classmethod | ||||
|         def run(cls): | ||||
|             while not cease_continuous_run.is_set(): | ||||
|                 schedule.run_pending() | ||||
|                 time.sleep(interval) | ||||
|  | ||||
|     continuous_thread = ScheduleThread() | ||||
|     continuous_thread.start() | ||||
|     return cease_continuous_run | ||||
|  | ||||
| @kopf.on.startup() | ||||
| def load_schedules(logger, **kwargs): | ||||
|     bitwarden_signin(logger) | ||||
|     logger.info("Loading schedules") | ||||
|     bw_relogin_interval = float(os.environ.get('BW_RELOGIN_INTERVAL', 3600)) | ||||
|     bw_sync_interval = float(os.environ.get('BW_SYNC_INTERVAL', 900)) | ||||
|     schedule.every(bw_relogin_interval).seconds.do(bitwarden_signin, logger=logger) | ||||
|     logger.info(f"relogin scheduled every {bw_relogin_interval} seconds") | ||||
|     schedule.every(bw_sync_interval).seconds.do(sync_bw, logger=logger) | ||||
|     logger.info(f"sync scheduled every {bw_relogin_interval} seconds") | ||||
|     stop_run_continuously = run_continuously() | ||||
							
								
								
									
										164
									
								
								src/dockerlogin.py
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										164
									
								
								src/dockerlogin.py
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,164 @@ | ||||
| import kopf | ||||
| import kubernetes | ||||
| import base64 | ||||
| import json | ||||
|  | ||||
| from utils.utils import unlock_bw, get_secret_from_bitwarden, bw_sync_interval | ||||
|  | ||||
|  | ||||
| def create_dockerlogin( | ||||
|         logger, | ||||
|         secret, | ||||
|         secret_json, | ||||
|         username_ref, | ||||
|         password_ref, | ||||
|         registry): | ||||
|     secret.type = "kubernetes.io/dockerconfigjson" | ||||
|     secret.data = {} | ||||
|     auths_dict = {} | ||||
|     registry_dict = {} | ||||
|     reg_auth_dict = {} | ||||
|  | ||||
|     _username = secret_json["login"][username_ref] | ||||
|     logger.info(f"Creating login with username: {_username}") | ||||
|     _password = secret_json["login"][password_ref] | ||||
|     cred_field = str( | ||||
|         base64.b64encode( | ||||
|             f"{_username}:{_password}".encode("utf-8")), | ||||
|         "utf-8") | ||||
|     reg_auth_dict["username"] = _username | ||||
|     reg_auth_dict["password"] = _password | ||||
|     reg_auth_dict["auth"] = cred_field | ||||
|     registry_dict[registry] = reg_auth_dict | ||||
|     auths_dict["auths"] = registry_dict | ||||
|     secret.data[".dockerconfigjson"] = str(base64.b64encode( | ||||
|         json.dumps(auths_dict).encode("utf-8")), "utf-8") | ||||
|     return secret | ||||
|  | ||||
|  | ||||
| @kopf.on.create('registry-credential.lerentis.uploadfilter24.eu') | ||||
| def create_managed_registry_secret(spec, name, namespace, logger, **kwargs): | ||||
|     username_ref = spec.get('usernameRef') | ||||
|     password_ref = spec.get('passwordRef') | ||||
|     registry = spec.get('registry') | ||||
|     id = spec.get('id') | ||||
|     secret_name = spec.get('name') | ||||
|     secret_namespace = spec.get('namespace') | ||||
|  | ||||
|     unlock_bw(logger) | ||||
|     logger.info(f"Locking up secret with ID: {id}") | ||||
|     secret_json_object = get_secret_from_bitwarden(logger, id) | ||||
|  | ||||
|     api = kubernetes.client.CoreV1Api() | ||||
|  | ||||
|     annotations = { | ||||
|         "managed": "registry-credential.lerentis.uploadfilter24.eu", | ||||
|         "managedObject": f"{namespace}/{name}" | ||||
|     } | ||||
|     secret = kubernetes.client.V1Secret() | ||||
|     secret.metadata = kubernetes.client.V1ObjectMeta( | ||||
|         name=secret_name, annotations=annotations) | ||||
|     secret = create_dockerlogin( | ||||
|         logger, | ||||
|         secret, | ||||
|         secret_json_object["data"], | ||||
|         username_ref, | ||||
|         password_ref, | ||||
|         registry) | ||||
|  | ||||
|     obj = api.create_namespaced_secret( | ||||
|         secret_namespace, secret | ||||
|     ) | ||||
|  | ||||
|     logger.info( | ||||
|         f"Registry Secret {secret_namespace}/{secret_name} has been created") | ||||
|  | ||||
|  | ||||
| @kopf.on.update('registry-credential.lerentis.uploadfilter24.eu') | ||||
| @kopf.timer('registry-credential.lerentis.uploadfilter24.eu', interval=bw_sync_interval) | ||||
| def update_managed_registry_secret( | ||||
|         spec, | ||||
|         status, | ||||
|         name, | ||||
|         namespace, | ||||
|         logger, | ||||
|         body, | ||||
|         **kwargs): | ||||
|  | ||||
|     username_ref = spec.get('usernameRef') | ||||
|     password_ref = spec.get('passwordRef') | ||||
|     registry = spec.get('registry') | ||||
|     id = spec.get('id') | ||||
|     secret_name = spec.get('name') | ||||
|     secret_namespace = spec.get('namespace') | ||||
|  | ||||
|     old_config = None | ||||
|     old_secret_name = None | ||||
|     old_secret_namespace = None | ||||
|     if 'kopf.zalando.org/last-handled-configuration' in body.metadata.annotations: | ||||
|         old_config = json.loads( | ||||
|             body.metadata.annotations['kopf.zalando.org/last-handled-configuration']) | ||||
|         old_secret_name = old_config['spec'].get('name') | ||||
|         old_secret_namespace = old_config['spec'].get('namespace') | ||||
|     secret_name = spec.get('name') | ||||
|     secret_namespace = spec.get('namespace') | ||||
|  | ||||
|     if old_config is not None and ( | ||||
|             old_secret_name != secret_name or old_secret_namespace != secret_namespace): | ||||
|         # If the name of the secret or the namespace of the secret is different | ||||
|         # We have to delete the secret an recreate it | ||||
|         logger.info("Secret name or namespace changed, let's recreate it") | ||||
|         delete_managed_secret( | ||||
|             old_config['spec'], | ||||
|             name, | ||||
|             namespace, | ||||
|             logger, | ||||
|             **kwargs) | ||||
|         create_managed_registry_secret(spec, name, namespace, logger, **kwargs) | ||||
|         return | ||||
|  | ||||
|     unlock_bw(logger) | ||||
|     logger.info(f"Locking up secret with ID: {id}") | ||||
|     secret_json_object = get_secret_from_bitwarden(logger, id) | ||||
|  | ||||
|     api = kubernetes.client.CoreV1Api() | ||||
|  | ||||
|     annotations = { | ||||
|         "managed": "registry-credential.lerentis.uploadfilter24.eu", | ||||
|         "managedObject": f"{namespace}/{name}" | ||||
|     } | ||||
|     secret = kubernetes.client.V1Secret() | ||||
|     secret.metadata = kubernetes.client.V1ObjectMeta( | ||||
|         name=secret_name, annotations=annotations) | ||||
|     secret = create_dockerlogin( | ||||
|         logger, | ||||
|         secret, | ||||
|         secret_json_object["data"], | ||||
|         username_ref, | ||||
|         password_ref, | ||||
|         registry) | ||||
|     try: | ||||
|         obj = api.replace_namespaced_secret( | ||||
|             name=secret_name, | ||||
|             body=secret, | ||||
|             namespace="{}".format(secret_namespace)) | ||||
|         logger.info( | ||||
|             f"Secret {secret_namespace}/{secret_name} has been updated") | ||||
|     except BaseException: | ||||
|         logger.warn( | ||||
|             f"Could not update secret {secret_namespace}/{secret_name}!") | ||||
|  | ||||
|  | ||||
| @kopf.on.delete('registry-credential.lerentis.uploadfilter24.eu') | ||||
| def delete_managed_secret(spec, name, namespace, logger, **kwargs): | ||||
|     secret_name = spec.get('name') | ||||
|     secret_namespace = spec.get('namespace') | ||||
|     api = kubernetes.client.CoreV1Api() | ||||
|  | ||||
|     try: | ||||
|         api.delete_namespaced_secret(secret_name, secret_namespace) | ||||
|         logger.info( | ||||
|             f"Secret {secret_namespace}/{secret_name} has been deleted") | ||||
|     except BaseException: | ||||
|         logger.warn( | ||||
|             f"Could not delete secret {secret_namespace}/{secret_name}!") | ||||
							
								
								
									
										146
									
								
								src/kv.py
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										146
									
								
								src/kv.py
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,146 @@ | ||||
| import kopf | ||||
| import kubernetes | ||||
| import base64 | ||||
| import json | ||||
|  | ||||
| from utils.utils import unlock_bw, get_secret_from_bitwarden, parse_login_scope, parse_fields_scope, bw_sync_interval | ||||
|  | ||||
| def create_kv(secret, secret_json, content_def): | ||||
|     secret.type = "Opaque" | ||||
|     secret.data = {} | ||||
|     for eleml in content_def: | ||||
|         for k, elem in eleml.items(): | ||||
|             for key, value in elem.items(): | ||||
|                 if key == "secretName": | ||||
|                     _secret_key = value | ||||
|                 if key == "secretRef": | ||||
|                     _secret_ref = value | ||||
|                 if key == "secretScope": | ||||
|                     _secret_scope = value | ||||
|             if _secret_scope == "login": | ||||
|                 value = parse_login_scope(secret_json, _secret_key) | ||||
|                 if value is None: | ||||
|                     raise Exception( | ||||
|                         f"Field {_secret_key} has no value in bitwarden secret") | ||||
|                 secret.data[_secret_ref] = str(base64.b64encode( | ||||
|                     value.encode("utf-8")), "utf-8") | ||||
|             if _secret_scope == "fields": | ||||
|                 value = parse_fields_scope(secret_json, _secret_key) | ||||
|                 if value is None: | ||||
|                     raise Exception( | ||||
|                         f"Field {_secret_key} has no value in bitwarden secret") | ||||
|                 secret.data[_secret_ref] = str(base64.b64encode( | ||||
|                     value.encode("utf-8")), "utf-8") | ||||
|     return secret | ||||
|  | ||||
|  | ||||
| @kopf.on.create('bitwarden-secret.lerentis.uploadfilter24.eu') | ||||
| def create_managed_secret(spec, name, namespace, logger, body, **kwargs): | ||||
|  | ||||
|     content_def = body['spec']['content'] | ||||
|     id = spec.get('id') | ||||
|     secret_name = spec.get('name') | ||||
|     secret_namespace = spec.get('namespace') | ||||
|  | ||||
|     unlock_bw(logger) | ||||
|     logger.info(f"Locking up secret with ID: {id}") | ||||
|     secret_json_object = get_secret_from_bitwarden(logger, id) | ||||
|  | ||||
|     api = kubernetes.client.CoreV1Api() | ||||
|  | ||||
|     annotations = { | ||||
|         "managed": "bitwarden-secret.lerentis.uploadfilter24.eu", | ||||
|         "managedObject": f"{namespace}/{name}" | ||||
|     } | ||||
|     secret = kubernetes.client.V1Secret() | ||||
|     secret.metadata = kubernetes.client.V1ObjectMeta( | ||||
|         name=secret_name, annotations=annotations) | ||||
|     secret = create_kv(secret, secret_json_object, content_def) | ||||
|  | ||||
|     obj = api.create_namespaced_secret( | ||||
|         namespace="{}".format(secret_namespace), | ||||
|         body=secret | ||||
|     ) | ||||
|  | ||||
|     logger.info(f"Secret {secret_namespace}/{secret_name} has been created") | ||||
|  | ||||
|  | ||||
| @kopf.on.update('bitwarden-secret.lerentis.uploadfilter24.eu') | ||||
| @kopf.timer('bitwarden-secret.lerentis.uploadfilter24.eu', interval=bw_sync_interval) | ||||
| def update_managed_secret( | ||||
|         spec, | ||||
|         status, | ||||
|         name, | ||||
|         namespace, | ||||
|         logger, | ||||
|         body, | ||||
|         **kwargs): | ||||
|  | ||||
|     content_def = body['spec']['content'] | ||||
|     id = spec.get('id') | ||||
|     old_config = None | ||||
|     old_secret_name = None | ||||
|     old_secret_namespace = None | ||||
|     if 'kopf.zalando.org/last-handled-configuration' in body.metadata.annotations: | ||||
|         old_config = json.loads( | ||||
|             body.metadata.annotations['kopf.zalando.org/last-handled-configuration']) | ||||
|         old_secret_name = old_config['spec'].get('name') | ||||
|         old_secret_namespace = old_config['spec'].get('namespace') | ||||
|     secret_name = spec.get('name') | ||||
|     secret_namespace = spec.get('namespace') | ||||
|  | ||||
|     if old_config is not None and ( | ||||
|             old_secret_name != secret_name or old_secret_namespace != secret_namespace): | ||||
|         # If the name of the secret or the namespace of the secret is different | ||||
|         # We have to delete the secret an recreate it | ||||
|         logger.info("Secret name or namespace changed, let's recreate it") | ||||
|         delete_managed_secret( | ||||
|             old_config['spec'], | ||||
|             name, | ||||
|             namespace, | ||||
|             logger, | ||||
|             **kwargs) | ||||
|         create_managed_secret(spec, name, namespace, logger, body, **kwargs) | ||||
|         return | ||||
|  | ||||
|     unlock_bw(logger) | ||||
|     logger.info(f"Locking up secret with ID: {id}") | ||||
|     secret_json_object = get_secret_from_bitwarden(logger, id) | ||||
|  | ||||
|     api = kubernetes.client.CoreV1Api() | ||||
|  | ||||
|     annotations = { | ||||
|         "managed": "bitwarden-secret.lerentis.uploadfilter24.eu", | ||||
|         "managedObject": f"{namespace}/{name}" | ||||
|     } | ||||
|  | ||||
|     secret = kubernetes.client.V1Secret() | ||||
|     secret.metadata = kubernetes.client.V1ObjectMeta( | ||||
|         name=secret_name, annotations=annotations) | ||||
|     secret = create_kv(secret, secret_json_object, content_def) | ||||
|  | ||||
|     try: | ||||
|         obj = api.replace_namespaced_secret( | ||||
|             name=secret_name, | ||||
|             body=secret, | ||||
|             namespace="{}".format(secret_namespace)) | ||||
|         logger.info( | ||||
|             f"Secret {secret_namespace}/{secret_name} has been updated") | ||||
|     except BaseException: | ||||
|         logger.warn( | ||||
|             f"Could not update secret {secret_namespace}/{secret_name}!") | ||||
|  | ||||
|  | ||||
| @kopf.on.delete('bitwarden-secret.lerentis.uploadfilter24.eu') | ||||
| def delete_managed_secret(spec, name, namespace, logger, **kwargs): | ||||
|     secret_name = spec.get('name') | ||||
|     secret_namespace = spec.get('namespace') | ||||
|     api = kubernetes.client.CoreV1Api() | ||||
|  | ||||
|     try: | ||||
|         api.delete_namespaced_secret(secret_name, secret_namespace) | ||||
|         logger.info( | ||||
|             f"Secret {secret_namespace}/{secret_name} has been deleted") | ||||
|     except BaseException: | ||||
|         logger.warn( | ||||
|             f"Could not delete secret {secret_namespace}/{secret_name}!") | ||||
							
								
								
									
										0
									
								
								src/lookups/__init__.py
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										0
									
								
								src/lookups/__init__.py
									
									
									
									
									
										Normal file
									
								
							
							
								
								
									
										16
									
								
								src/lookups/bitwarden_lookup.py
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										16
									
								
								src/lookups/bitwarden_lookup.py
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,16 @@ | ||||
| from utils.utils import get_secret_from_bitwarden, get_attachment, parse_fields_scope, parse_login_scope | ||||
|  | ||||
|  | ||||
| class BitwardenLookupHandler: | ||||
|  | ||||
|     def __init__(self, logger) -> None: | ||||
|         self.logger = logger | ||||
|  | ||||
|     def bitwarden_lookup(self, id, scope, field): | ||||
|         if scope == "attachment": | ||||
|             return get_attachment(self.logger, id, field) | ||||
|         _secret_json = get_secret_from_bitwarden(self.logger, id) | ||||
|         if scope == "login": | ||||
|             return parse_login_scope(_secret_json, field) | ||||
|         if scope == "fields": | ||||
|             return parse_fields_scope(_secret_json, field) | ||||
							
								
								
									
										135
									
								
								src/template.py
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										135
									
								
								src/template.py
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,135 @@ | ||||
| import kopf | ||||
| import base64 | ||||
| import kubernetes | ||||
| import json | ||||
|  | ||||
| from utils.utils import unlock_bw, bw_sync_interval | ||||
| from lookups.bitwarden_lookup import BitwardenLookupHandler | ||||
| from jinja2 import Environment, BaseLoader | ||||
|  | ||||
|  | ||||
| def render_template(logger, template): | ||||
|     jinja_template = Environment(loader=BaseLoader()).from_string(template) | ||||
|     jinja_template.globals.update({ | ||||
|         "bitwarden_lookup": BitwardenLookupHandler(logger).bitwarden_lookup, | ||||
|     }) | ||||
|     return jinja_template.render() | ||||
|  | ||||
|  | ||||
| def create_template_secret(logger, secret, filename, template): | ||||
|     secret.type = "Opaque" | ||||
|     secret.data = {} | ||||
|     secret.data[filename] = str( | ||||
|         base64.b64encode( | ||||
|             render_template(logger, template).encode("utf-8")), | ||||
|         "utf-8") | ||||
|     return secret | ||||
|  | ||||
|  | ||||
| @kopf.on.create('bitwarden-template.lerentis.uploadfilter24.eu') | ||||
| def create_managed_secret(spec, name, namespace, logger, body, **kwargs): | ||||
|  | ||||
|     template = spec.get('template') | ||||
|     filename = spec.get('filename') | ||||
|     secret_name = spec.get('name') | ||||
|     secret_namespace = spec.get('namespace') | ||||
|  | ||||
|     unlock_bw(logger) | ||||
|  | ||||
|     api = kubernetes.client.CoreV1Api() | ||||
|  | ||||
|     annotations = { | ||||
|         "managed": "bitwarden-template.lerentis.uploadfilter24.eu", | ||||
|         "managedObject": f"{namespace}/{name}" | ||||
|     } | ||||
|     secret = kubernetes.client.V1Secret() | ||||
|     secret.metadata = kubernetes.client.V1ObjectMeta( | ||||
|         name=secret_name, annotations=annotations) | ||||
|     secret = create_template_secret(logger, secret, filename, template) | ||||
|  | ||||
|     obj = api.create_namespaced_secret( | ||||
|         secret_namespace, secret | ||||
|     ) | ||||
|  | ||||
|     logger.info(f"Secret {secret_namespace}/{secret_name} has been created") | ||||
|  | ||||
|  | ||||
| @kopf.on.update('bitwarden-template.lerentis.uploadfilter24.eu') | ||||
| @kopf.timer('bitwarden-template.lerentis.uploadfilter24.eu', interval=bw_sync_interval) | ||||
| def update_managed_secret( | ||||
|         spec, | ||||
|         status, | ||||
|         name, | ||||
|         namespace, | ||||
|         logger, | ||||
|         body, | ||||
|         **kwargs): | ||||
|  | ||||
|     template = spec.get('template') | ||||
|     filename = spec.get('filename') | ||||
|     secret_name = spec.get('name') | ||||
|     secret_namespace = spec.get('namespace') | ||||
|  | ||||
|     old_config = None | ||||
|     old_secret_name = None | ||||
|     old_secret_namespace = None | ||||
|     if 'kopf.zalando.org/last-handled-configuration' in body.metadata.annotations: | ||||
|         old_config = json.loads( | ||||
|             body.metadata.annotations['kopf.zalando.org/last-handled-configuration']) | ||||
|         old_secret_name = old_config['spec'].get('name') | ||||
|         old_secret_namespace = old_config['spec'].get('namespace') | ||||
|     secret_name = spec.get('name') | ||||
|     secret_namespace = spec.get('namespace') | ||||
|  | ||||
|     if old_config is not None and ( | ||||
|             old_secret_name != secret_name or old_secret_namespace != secret_namespace): | ||||
|         # If the name of the secret or the namespace of the secret is different | ||||
|         # We have to delete the secret an recreate it | ||||
|         logger.info("Secret name or namespace changed, let's recreate it") | ||||
|         delete_managed_secret( | ||||
|             old_config['spec'], | ||||
|             name, | ||||
|             namespace, | ||||
|             logger, | ||||
|             **kwargs) | ||||
|         create_managed_secret(spec, name, namespace, logger, body, **kwargs) | ||||
|         return | ||||
|  | ||||
|     unlock_bw(logger) | ||||
|  | ||||
|     api = kubernetes.client.CoreV1Api() | ||||
|  | ||||
|     annotations = { | ||||
|         "managed": "bitwarden-template.lerentis.uploadfilter24.eu", | ||||
|         "managedObject": f"{namespace}/{name}" | ||||
|     } | ||||
|     secret = kubernetes.client.V1Secret() | ||||
|     secret.metadata = kubernetes.client.V1ObjectMeta( | ||||
|         name=secret_name, annotations=annotations) | ||||
|     secret = create_template_secret(logger, secret, filename, template) | ||||
|  | ||||
|     try: | ||||
|         obj = api.replace_namespaced_secret( | ||||
|             name=secret_name, | ||||
|             body=secret, | ||||
|             namespace="{}".format(secret_namespace)) | ||||
|         logger.info( | ||||
|             f"Secret {secret_namespace}/{secret_name} has been updated") | ||||
|     except BaseException: | ||||
|         logger.warn( | ||||
|             f"Could not update secret {secret_namespace}/{secret_name}!") | ||||
|  | ||||
|  | ||||
| @kopf.on.delete('bitwarden-template.lerentis.uploadfilter24.eu') | ||||
| def delete_managed_secret(spec, name, namespace, logger, **kwargs): | ||||
|     secret_name = spec.get('name') | ||||
|     secret_namespace = spec.get('namespace') | ||||
|     api = kubernetes.client.CoreV1Api() | ||||
|  | ||||
|     try: | ||||
|         api.delete_namespaced_secret(secret_name, secret_namespace) | ||||
|         logger.info( | ||||
|             f"Secret {secret_namespace}/{secret_name} has been deleted") | ||||
|     except BaseException: | ||||
|         logger.warn( | ||||
|             f"Could not delete secret {secret_namespace}/{secret_name}!") | ||||
							
								
								
									
										0
									
								
								src/utils/__init__.py
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										0
									
								
								src/utils/__init__.py
									
									
									
									
									
										Normal file
									
								
							
							
								
								
									
										91
									
								
								src/utils/utils.py
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										91
									
								
								src/utils/utils.py
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,91 @@ | ||||
| import os | ||||
| import json | ||||
| import subprocess | ||||
| import distutils | ||||
|  | ||||
| bw_sync_interval = float(os.environ.get( | ||||
|     'BW_SYNC_INTERVAL', 900)) | ||||
|  | ||||
| class BitwardenCommandException(Exception): | ||||
|     pass | ||||
|  | ||||
|  | ||||
| def get_secret_from_bitwarden(logger, id, force_sync=False): | ||||
|     sync_bw(logger, force=force_sync) | ||||
|     return command_wrapper(logger, command=f"get item {id}") | ||||
|  | ||||
|  | ||||
| def sync_bw(logger, force=False): | ||||
|  | ||||
|     def _sync(logger): | ||||
|         status_output = command_wrapper(logger, command=f"sync") | ||||
|         logger.info(f"Sync successful {status_output}") | ||||
|         return | ||||
|  | ||||
|     if force: | ||||
|         _sync(logger) | ||||
|         return | ||||
|  | ||||
|     global_force_sync = bool(distutils.util.strtobool( | ||||
|         os.environ.get('BW_FORCE_SYNC', "false"))) | ||||
|  | ||||
|     if global_force_sync: | ||||
|         logger.debug("Running forced sync") | ||||
|         status_output = _sync(logger) | ||||
|         logger.info(f"Sync successful {status_output}") | ||||
|     else: | ||||
|         logger.debug("Running scheduled sync") | ||||
|         status_output = _sync(logger) | ||||
|         logger.info(f"Sync successful {status_output}") | ||||
|  | ||||
|  | ||||
| def get_attachment(logger, id, name): | ||||
|     return command_wrapper(logger, command=f"get attachment {name} --itemid {id}", raw=True) | ||||
|  | ||||
|  | ||||
| def unlock_bw(logger): | ||||
|     status_output = command_wrapper(logger, "status", False) | ||||
|     status = status_output['data']['template']['status'] | ||||
|     if status == 'unlocked': | ||||
|         logger.info("Already unlocked") | ||||
|         return | ||||
|     token_output = command_wrapper(logger, "unlock --passwordenv BW_PASSWORD") | ||||
|     os.environ["BW_SESSION"] = token_output["data"]["raw"] | ||||
|     logger.info("Signin successful. Session exported") | ||||
|  | ||||
|  | ||||
| def command_wrapper(logger, command, use_success: bool = True, raw: bool = False): | ||||
|     system_env = dict(os.environ) | ||||
|     response_flag = "--raw" if raw else "--response" | ||||
|     sp = subprocess.Popen( | ||||
|         [f"bw {response_flag} {command}"], | ||||
|         stdout=subprocess.PIPE, | ||||
|         stderr=subprocess.PIPE, | ||||
|         close_fds=True, | ||||
|         shell=True, | ||||
|         env=system_env) | ||||
|     out, err = sp.communicate() | ||||
|     if err: | ||||
|         logger.warn(err) | ||||
|         return None | ||||
|     if raw: | ||||
|         return out.decode(encoding='UTF-8') | ||||
|     if "DEBUG" in system_env: | ||||
|         logger.info(out.decode(encoding='UTF-8')) | ||||
|     resp = json.loads(out.decode(encoding='UTF-8')) | ||||
|     if resp["success"] != None and (not use_success or (use_success and resp["success"] == True)): | ||||
|         return resp | ||||
|     logger.warn(resp) | ||||
|     return None | ||||
|  | ||||
|  | ||||
| def parse_login_scope(secret_json, key): | ||||
|     return secret_json["data"]["login"][key] | ||||
|  | ||||
|  | ||||
| def parse_fields_scope(secret_json, key): | ||||
|     if "fields" not in secret_json["data"]: | ||||
|         return None | ||||
|     for entry in secret_json["data"]["fields"]: | ||||
|         if entry['name'] == key: | ||||
|             return entry['value'] | ||||
		Reference in New Issue
	
	Block a user