Compare commits
	
		
			7 Commits
		
	
	
		
			v0.4.0
			...
			fdd3808c7e
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
| fdd3808c7e | |||
|  | fee8dfb97a | ||
|  | 2611231c8a | ||
| 884476606c | |||
|  | 92c51a21d0 | ||
|  | 12edc8445f | ||
|  | df7b9fd043 | 
| @@ -9,6 +9,10 @@ RUN cd /tmp && wget https://github.com/bitwarden/clients/releases/download/cli-v | |||||||
|  |  | ||||||
| FROM alpine:3.17 | FROM alpine:3.17 | ||||||
|  |  | ||||||
|  | ARG PYTHON_VERSION=3.10.9-r1 | ||||||
|  | ARG PIP_VERSION=22.3.1-r1 | ||||||
|  | ARG GCOMPAT_VERSION=1.1.0-r0 | ||||||
|  |  | ||||||
| COPY --from=builder /tmp/bw /usr/local/bin/bw | COPY --from=builder /tmp/bw /usr/local/bin/bw | ||||||
| COPY requirements.txt requirements.txt | COPY requirements.txt requirements.txt | ||||||
|  |  | ||||||
| @@ -18,7 +22,7 @@ RUN set -eux; \ | |||||||
|     mkdir -p /home/bw-operator; \ |     mkdir -p /home/bw-operator; \ | ||||||
|     chown -R bw-operator /home/bw-operator; \ |     chown -R bw-operator /home/bw-operator; \ | ||||||
|     chmod +x /usr/local/bin/bw; \ |     chmod +x /usr/local/bin/bw; \ | ||||||
|     apk add gcc musl-dev libstdc++ gcompat python3 py-pip; \ |     apk add gcc musl-dev libstdc++ gcompat=${GCOMPAT_VERSION} python3=${PYTHON_VERSION} py-pip=${PIP_VERSION}; \ | ||||||
|     pip install -r requirements.txt --no-warn-script-location; \ |     pip install -r requirements.txt --no-warn-script-location; \ | ||||||
|     apk del --purge gcc musl-dev libstdc++; |     apk del --purge gcc musl-dev libstdc++; | ||||||
|  |  | ||||||
|   | |||||||
							
								
								
									
										50
									
								
								README.md
									
									
									
									
									
								
							
							
						
						
									
										50
									
								
								README.md
									
									
									
									
									
								
							| @@ -56,7 +56,7 @@ And you are set to create your first secret using this operator. For that you ne | |||||||
|  |  | ||||||
| ```yaml | ```yaml | ||||||
| --- | --- | ||||||
| apiVersion: "lerentis.uploadfilter24.eu/v1beta3" | apiVersion: "lerentis.uploadfilter24.eu/v1beta4" | ||||||
| kind: BitwardenSecret | kind: BitwardenSecret | ||||||
| metadata: | metadata: | ||||||
|   name: name-of-your-management-object |   name: name-of-your-management-object | ||||||
| @@ -65,9 +65,11 @@ spec: | |||||||
|     - element: |     - element: | ||||||
|         secretName: nameOfTheFieldInBitwarden # for example username |         secretName: nameOfTheFieldInBitwarden # for example username | ||||||
|         secretRef: nameOfTheKeyInTheSecretToBeCreated  |         secretRef: nameOfTheKeyInTheSecretToBeCreated  | ||||||
|  |         secretScope: login # for custom entries on bitwarden use 'fields'  | ||||||
|     - element: |     - element: | ||||||
|         secretName: nameOfAnotherFieldInBitwarden # for example password |         secretName: nameOfAnotherFieldInBitwarden # for example password | ||||||
|         secretRef: nameOfAnotherKeyInTheSecretToBeCreated  |         secretRef: nameOfAnotherKeyInTheSecretToBeCreated  | ||||||
|  |         secretScope: login # for custom entries on bitwarden use 'fields'  | ||||||
|   id: "A Secret ID from bitwarden" |   id: "A Secret ID from bitwarden" | ||||||
|   name: "Name of the secret to be created" |   name: "Name of the secret to be created" | ||||||
|   namespace: "Namespace of the secret to be created" |   namespace: "Namespace of the secret to be created" | ||||||
| @@ -96,7 +98,7 @@ For managing registry credentials, or pull secrets, you can create another kind | |||||||
|  |  | ||||||
| ```yaml | ```yaml | ||||||
| --- | --- | ||||||
| apiVersion: "lerentis.uploadfilter24.eu/v1beta3" | apiVersion: "lerentis.uploadfilter24.eu/v1beta4" | ||||||
| kind: RegistryCredential | kind: RegistryCredential | ||||||
| metadata: | metadata: | ||||||
|   name: name-of-your-management-object |   name: name-of-your-management-object | ||||||
| @@ -125,6 +127,50 @@ metadata: | |||||||
| type: dockerconfigjson | type: dockerconfigjson | ||||||
| ``` | ``` | ||||||
|  |  | ||||||
|  | ## BitwardenTemplate | ||||||
|  |  | ||||||
|  | One of the more freely defined types that can be used with this operator you can just pass a whole template: | ||||||
|  |  | ||||||
|  | ```yaml | ||||||
|  | --- | ||||||
|  | apiVersion: "lerentis.uploadfilter24.eu/v1beta4" | ||||||
|  | kind: BitwardenTemplate | ||||||
|  | metadata: | ||||||
|  |   name: name-of-your-management-object | ||||||
|  | spec: | ||||||
|  |   filename: "Key of the secret to be created" | ||||||
|  |   name: "Name of the secret to be created" | ||||||
|  |   namespace: "Namespace of the secret to be created" | ||||||
|  |   template: | | ||||||
|  |     --- | ||||||
|  |     api: | ||||||
|  |       enabled: True | ||||||
|  |       key: {{ bitwarden_lookup("A Secret ID from bitwarden", "login or fields", "name of a field in bitwarden") }} | ||||||
|  |       allowCrossOrigin: false | ||||||
|  |       apps: | ||||||
|  |         "some.app.identifier:some_version": | ||||||
|  |           pubkey: {{ bitwarden_lookup("A Secret ID from bitwarden", "login or fields", "name of a field in bitwarden") }} | ||||||
|  |           enabled: true | ||||||
|  | ``` | ||||||
|  |  | ||||||
|  | This will result in something like the following object: | ||||||
|  |  | ||||||
|  | ```yaml | ||||||
|  | apiVersion: v1 | ||||||
|  | data: | ||||||
|  |   Key of the secret to be created: "base64 encoded and rendered template with secrets injected directly from bitwarden" | ||||||
|  | kind: Secret | ||||||
|  | metadata: | ||||||
|  |   annotations: | ||||||
|  |     managed: bitwarden-template.lerentis.uploadfilter24.eu | ||||||
|  |     managedObject: namespace/name-of-your-management-object | ||||||
|  |   name: Name of the secret to be created | ||||||
|  |   namespace: Namespace of the secret to be created | ||||||
|  | type: Opaque | ||||||
|  | ``` | ||||||
|  |  | ||||||
|  | please note that the rendering engine for this template is jinja2, with an addition of a custom `bitwarden_lookup` function, so there are more possibilities to inject here. | ||||||
|  |  | ||||||
| ## Short Term Roadmap | ## Short Term Roadmap | ||||||
|  |  | ||||||
| - [ ] support more types | - [ ] support more types | ||||||
|   | |||||||
| @@ -4,7 +4,7 @@ description: Deploy the Bitwarden CRD Operator | |||||||
|  |  | ||||||
| type: application | type: application | ||||||
|  |  | ||||||
| version: "v0.4.0" | version: "v0.4.1" | ||||||
|  |  | ||||||
| appVersion: "0.4.0" | appVersion: "0.4.0" | ||||||
|  |  | ||||||
| @@ -85,23 +85,17 @@ annotations: | |||||||
|           --- |           --- | ||||||
|           api: |           api: | ||||||
|             enabled: True |             enabled: True | ||||||
|             key: {{ bitwarden_lookup("466fc4b0-ffca-4444-8d88-b59d4de3d928", "fields", "key") }} |             key: {{ bitwarden_lookup("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "fields", "key") }} | ||||||
|             allowCrossOrigin: false |             allowCrossOrigin: false | ||||||
|             apps: |             apps: | ||||||
|               "some.app.identifier:some_version": |               "some.app.identifier:some_version": | ||||||
|                 pubkey: {{ bitwarden_lookup("466fc4b0-ffca-4444-8d88-b59d4de3d928", "fields", "public_key") }} |                 pubkey: {{ bitwarden_lookup("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "fields", "public_key") }} | ||||||
|                 enabled: true   |                 enabled: true   | ||||||
|   artifacthub.io/license: MIT |   artifacthub.io/license: MIT | ||||||
|   artifacthub.io/operator: "true"   |   artifacthub.io/operator: "true"   | ||||||
|   artifacthub.io/changes: | |   artifacthub.io/changes: | | ||||||
|     - kind: added |  | ||||||
|       description: "Added Template type" |  | ||||||
|     - kind: added |  | ||||||
|       description: "Added logo" |  | ||||||
|     - kind: changed |  | ||||||
|       description: "BitwardenSecret now requires a 'secretScope' to be defined. Can eigher be 'login' or 'fields'" |  | ||||||
|     - kind: fixed |     - kind: fixed | ||||||
|       description: "fixed hardcoded reference to 'login' even tho secrets could also be in 'fields' scope" |       description: "Fixed documentation and examples" | ||||||
|   artifacthub.io/images: | |   artifacthub.io/images: | | ||||||
|     - name: bitwarden-crd-operator |     - name: bitwarden-crd-operator | ||||||
|       image: lerentis/bitwarden-crd-operator:0.4.0 |       image: lerentis/bitwarden-crd-operator:0.4.0 | ||||||
|   | |||||||
| @@ -4,9 +4,14 @@ | |||||||
|  |  | ||||||
| Bitwarden CRD Operator is a kubernetes Operator based on [kopf](https://github.com/nolar/kopf/). The goal is to create kubernetes native secret objects from bitwarden. | Bitwarden CRD Operator is a kubernetes Operator based on [kopf](https://github.com/nolar/kopf/). The goal is to create kubernetes native secret objects from bitwarden. | ||||||
|  |  | ||||||
|  | <p align="center"> | ||||||
|  |   <img src="https://github.com/Lerentis/bitwarden-crd-operator/blob/main/logo.png?raw=true" alt="Bitwarden CRD Operator Logo" width="200"/> | ||||||
|  | </p> | ||||||
|  |  | ||||||
| > DISCLAIMER:   | > DISCLAIMER:   | ||||||
| > This project is still very work in progress :) | > This project is still very work in progress :) | ||||||
|  |  | ||||||
|  |  | ||||||
| ## Getting started | ## Getting started | ||||||
|  |  | ||||||
| You will need a `ClientID` and `ClientSecret` ([where to get these](https://bitwarden.com/help/personal-api-key/)) as well as your password. | You will need a `ClientID` and `ClientSecret` ([where to get these](https://bitwarden.com/help/personal-api-key/)) as well as your password. | ||||||
| @@ -51,7 +56,7 @@ And you are set to create your first secret using this operator. For that you ne | |||||||
|  |  | ||||||
| ```yaml | ```yaml | ||||||
| --- | --- | ||||||
| apiVersion: "lerentis.uploadfilter24.eu/v1beta3" | apiVersion: "lerentis.uploadfilter24.eu/v1beta4" | ||||||
| kind: BitwardenSecret | kind: BitwardenSecret | ||||||
| metadata: | metadata: | ||||||
|   name: name-of-your-management-object |   name: name-of-your-management-object | ||||||
| @@ -60,9 +65,11 @@ spec: | |||||||
|     - element: |     - element: | ||||||
|         secretName: nameOfTheFieldInBitwarden # for example username |         secretName: nameOfTheFieldInBitwarden # for example username | ||||||
|         secretRef: nameOfTheKeyInTheSecretToBeCreated  |         secretRef: nameOfTheKeyInTheSecretToBeCreated  | ||||||
|  |         secretScope: login # for custom entries on bitwarden use 'fields'  | ||||||
|     - element: |     - element: | ||||||
|         secretName: nameOfAnotherFieldInBitwarden # for example password |         secretName: nameOfAnotherFieldInBitwarden # for example password | ||||||
|         secretRef: nameOfAnotherKeyInTheSecretToBeCreated  |         secretRef: nameOfAnotherKeyInTheSecretToBeCreated  | ||||||
|  |         secretScope: login # for custom entries on bitwarden use 'fields'  | ||||||
|   id: "A Secret ID from bitwarden" |   id: "A Secret ID from bitwarden" | ||||||
|   name: "Name of the secret to be created" |   name: "Name of the secret to be created" | ||||||
|   namespace: "Namespace of the secret to be created" |   namespace: "Namespace of the secret to be created" | ||||||
| @@ -91,7 +98,7 @@ For managing registry credentials, or pull secrets, you can create another kind | |||||||
|  |  | ||||||
| ```yaml | ```yaml | ||||||
| --- | --- | ||||||
| apiVersion: "lerentis.uploadfilter24.eu/v1beta3" | apiVersion: "lerentis.uploadfilter24.eu/v1beta4" | ||||||
| kind: RegistryCredential | kind: RegistryCredential | ||||||
| metadata: | metadata: | ||||||
|   name: name-of-your-management-object |   name: name-of-your-management-object | ||||||
| @@ -120,10 +127,46 @@ metadata: | |||||||
| type: dockerconfigjson | type: dockerconfigjson | ||||||
| ``` | ``` | ||||||
|  |  | ||||||
| ## Short Term Roadmap | ## BitwardenTemplate | ||||||
|  |  | ||||||
| - [ ] support more types | One of the more freely defined types that can be used with this operator you can just pass a whole template: | ||||||
| - [x] offer option to use a existing secret in helm chart |  | ||||||
| - [x] host chart on gh pages | ```yaml | ||||||
| - [x] write release pipeline | --- | ||||||
| - [x] maybe extend spec to offer modification of keys as well | apiVersion: "lerentis.uploadfilter24.eu/v1beta4" | ||||||
|  | kind: BitwardenTemplate | ||||||
|  | metadata: | ||||||
|  |   name: name-of-your-management-object | ||||||
|  | spec: | ||||||
|  |   filename: "Key of the secret to be created" | ||||||
|  |   name: "Name of the secret to be created" | ||||||
|  |   namespace: "Namespace of the secret to be created" | ||||||
|  |   template: | | ||||||
|  |     --- | ||||||
|  |     api: | ||||||
|  |       enabled: True | ||||||
|  |       key: {{ bitwarden_lookup("A Secret ID from bitwarden", "login or fields", "name of a field in bitwarden") }} | ||||||
|  |       allowCrossOrigin: false | ||||||
|  |       apps: | ||||||
|  |         "some.app.identifier:some_version": | ||||||
|  |           pubkey: {{ bitwarden_lookup("A Secret ID from bitwarden", "login or fields", "name of a field in bitwarden") }} | ||||||
|  |           enabled: true | ||||||
|  | ``` | ||||||
|  |  | ||||||
|  | This will result in something like the following object: | ||||||
|  |  | ||||||
|  | ```yaml | ||||||
|  | apiVersion: v1 | ||||||
|  | data: | ||||||
|  |   Key of the secret to be created: "base64 encoded and rendered template with secrets injected directly from bitwarden" | ||||||
|  | kind: Secret | ||||||
|  | metadata: | ||||||
|  |   annotations: | ||||||
|  |     managed: bitwarden-template.lerentis.uploadfilter24.eu | ||||||
|  |     managedObject: namespace/name-of-your-management-object | ||||||
|  |   name: Name of the secret to be created | ||||||
|  |   namespace: Namespace of the secret to be created | ||||||
|  | type: Opaque | ||||||
|  | ``` | ||||||
|  |  | ||||||
|  | please note that the rendering engine for this template is jinja2, with an addition of a custom `bitwarden_lookup` function, so there are more possibilities to inject here. | ||||||
|   | |||||||
| @@ -1,3 +1,3 @@ | |||||||
| kopf==1.35.6 | kopf==1.36.0 | ||||||
| kubernetes==25.3.0 | kubernetes==25.3.0 | ||||||
| Jinja2==3.1.2 | Jinja2==3.1.2 | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user