update and retry handler

updated bitwarden CLI version
download from action run before uploading to release
2022-12-26 16:29:14 +01:00 · 2022-12-24 17:42:07 +01:00 · 2022-12-18 18:08:52 +01:00 · 2022-12-18 17:05:36 +01:00 · 2022-12-18 16:37:22 +01:00 · 2022-12-18 16:31:52 +01:00
9 changed files with 263 additions and 46 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -32,3 +32,37 @@ jobs:
          charts_dir: charts
        env:
          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
      - name: Get app version from chart
        uses: mikefarah/yq@v4.30.6
        id: app_version
        with:
          cmd: yq '.appVersion' charts/bitwarden-crd-operator/Chart.yaml
      - name: Create SBOM
        uses: anchore/sbom-action@v0
        with:
          image: lerentis/bitwarden-crd-operator:${{ steps.app_version.outputs.result }}
      - name: Publish SBOM
        uses: anchore/sbom-action/publish-sbom@v0
        with:
          sbom-artifact-match: ".*\\.spdx\\.json"
      - name: Get Latest Tag
        id: previoustag
        uses: WyriHaximus/github-action-get-previous-tag@v1
      - name: Download SBOM from github action
        uses: actions/download-artifact@v3
        with:
          name: ${{ env.ANCHORE_SBOM_ACTION_PRIOR_ARTIFACT }}
      - name: Add SBOM to release
        uses: svenstaro/upload-release-action@v2
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          file_glob: true
          file: lerentis-bitwarden-crd-operator_*.spdx.json
          tag:  ${{ steps.previoustag.outputs.tag }}
          overwrite: false
--- a/10
+++ b/10
@ -1,6 +1,6 @@
 FROM alpine:latest as builder
-ARG BW_VERSION=2022.8.0
+ARG BW_VERSION=2022.11.0
 RUN apk add wget unzip
@ -9,6 +9,10 @@ RUN cd /tmp && wget https://github.com/bitwarden/clients/releases/download/cli-v
 FROM alpine:3.17
 ARG PYTHON_VERSION=3.10.9-r1
 ARG PIP_VERSION=22.3.1-r1
 ARG GCOMPAT_VERSION=1.1.0-r0
 COPY --from=builder /tmp/bw /usr/local/bin/bw
 COPY requirements.txt requirements.txt
@ -18,7 +22,7 @@ RUN set -eux; \
    mkdir -p /home/bw-operator; \
    chown -R bw-operator /home/bw-operator; \
    chmod +x /usr/local/bin/bw; \
-    apk add gcc musl-dev libstdc++ gcompat python3 py-pip; \
+    apk add gcc musl-dev libstdc++ gcompat=${GCOMPAT_VERSION} python3=${PYTHON_VERSION} py-pip=${PIP_VERSION}; \
    pip install -r requirements.txt --no-warn-script-location; \
    apk del --purge gcc musl-dev libstdc++;
@ -26,5 +30,5 @@ COPY --chown=bw-operator:bw-operator src /home/bw-operator
 USER bw-operator
-ENTRYPOINT [ "kopf", "run", "--all-namespaces", "--liveness=http://0.0.0.0:8080/healthz" ]
+ENTRYPOINT [ "kopf", "run", "--log-format=json", "--all-namespaces", "--liveness=http://0.0.0.0:8080/healthz" ]
 CMD [ "/home/bw-operator/bitwardenCrdOperator.py", "/home/bw-operator/kv.py", "/home/bw-operator/dockerlogin.py", "/home/bw-operator/template.py"]
--- a/README.md
+++ b/README.md
@ -56,7 +56,7 @@ And you are set to create your first secret using this operator. For that you ne
 ```yaml
 ---
-apiVersion: "lerentis.uploadfilter24.eu/v1beta3"
+apiVersion: "lerentis.uploadfilter24.eu/v1beta4"
 kind: BitwardenSecret
 metadata:
  name: name-of-your-management-object
@ -65,9 +65,11 @@ spec:
    - element:
        secretName: nameOfTheFieldInBitwarden # for example username
        secretRef: nameOfTheKeyInTheSecretToBeCreated 
        secretScope: login # for custom entries on bitwarden use 'fields' 
    - element:
        secretName: nameOfAnotherFieldInBitwarden # for example password
        secretRef: nameOfAnotherKeyInTheSecretToBeCreated 
        secretScope: login # for custom entries on bitwarden use 'fields' 
  id: "A Secret ID from bitwarden"
  name: "Name of the secret to be created"
  namespace: "Namespace of the secret to be created"
@ -96,7 +98,7 @@ For managing registry credentials, or pull secrets, you can create another kind
 ```yaml
 ---
-apiVersion: "lerentis.uploadfilter24.eu/v1beta3"
+apiVersion: "lerentis.uploadfilter24.eu/v1beta4"
 kind: RegistryCredential
 metadata:
  name: name-of-your-management-object
@ -125,6 +127,50 @@ metadata:
 type: dockerconfigjson
 ```
 ## BitwardenTemplate
 One of the more freely defined types that can be used with this operator you can just pass a whole template:
 ```yaml
 ---
 apiVersion: "lerentis.uploadfilter24.eu/v1beta4"
 kind: BitwardenTemplate
 metadata:
  name: name-of-your-management-object
 spec:
  filename: "Key of the secret to be created"
  name: "Name of the secret to be created"
  namespace: "Namespace of the secret to be created"
  template: |
    ---
    api:
      enabled: True
      key: {{ bitwarden_lookup("A Secret ID from bitwarden", "login or fields", "name of a field in bitwarden") }}
      allowCrossOrigin: false
      apps:
        "some.app.identifier:some_version":
          pubkey: {{ bitwarden_lookup("A Secret ID from bitwarden", "login or fields", "name of a field in bitwarden") }}
          enabled: true
 ```
 This will result in something like the following object:
 ```yaml
 apiVersion: v1
 data:
  Key of the secret to be created: "base64 encoded and rendered template with secrets injected directly from bitwarden"
 kind: Secret
 metadata:
  annotations:
    managed: bitwarden-template.lerentis.uploadfilter24.eu
    managedObject: namespace/name-of-your-management-object
  name: Name of the secret to be created
  namespace: Namespace of the secret to be created
 type: Opaque
 ```
 please note that the rendering engine for this template is jinja2, with an addition of a custom `bitwarden_lookup` function, so there are more possibilities to inject here.
 ## Short Term Roadmap
 - [ ] support more types
--- a/charts/bitwarden-crd-operator/Chart.yaml
+++ b/charts/bitwarden-crd-operator/Chart.yaml
@ -4,9 +4,9 @@ description: Deploy the Bitwarden CRD Operator
 type: application
-version: "v0.4.0"
+version: "v0.5.0"
-appVersion: "0.4.0"
+appVersion: "0.5.0"
 keywords:
  - operator
@ -85,23 +85,21 @@ annotations:
          ---
          api:
            enabled: True
-            key: {{ bitwarden_lookup("466fc4b0-ffca-4444-8d88-b59d4de3d928", "fields", "key") }}
+            key: {{ bitwarden_lookup("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "fields", "key") }}
            allowCrossOrigin: false
            apps:
              "some.app.identifier:some_version":
-                pubkey: {{ bitwarden_lookup("466fc4b0-ffca-4444-8d88-b59d4de3d928", "fields", "public_key") }}
+                pubkey: {{ bitwarden_lookup("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "fields", "public_key") }}
                enabled: true  
  artifacthub.io/license: MIT
  artifacthub.io/operator: "true"  
  artifacthub.io/changes: |
    - kind: added
-      description: "Added Template type"
+      description: "Implemented update handling"
    - kind: added
      description: "Added logo"
    - kind: changed
-      description: "BitwardenSecret now requires a 'secretScope' to be defined. Can eigher be 'login' or 'fields'"
+      description: "Changed default logging structure to json logging"
-    - kind: fixed
+    - kind: changed
-      description: "fixed hardcoded reference to 'login' even tho secrets could also be in 'fields' scope"
+      description: "Secrets are periodically updated every 15 minutes"
  artifacthub.io/images: |
    - name: bitwarden-crd-operator
-      image: lerentis/bitwarden-crd-operator:0.4.0
+      image: lerentis/bitwarden-crd-operator:0.5.0
--- a/charts/bitwarden-crd-operator/README.md
+++ b/charts/bitwarden-crd-operator/README.md
@ -4,9 +4,14 @@
 Bitwarden CRD Operator is a kubernetes Operator based on [kopf](https://github.com/nolar/kopf/). The goal is to create kubernetes native secret objects from bitwarden.
 <p align="center">
  <img src="https://github.com/Lerentis/bitwarden-crd-operator/blob/main/logo.png?raw=true" alt="Bitwarden CRD Operator Logo" width="200"/>
 </p>
 > DISCLAIMER:  
 > This project is still very work in progress :)
 ## Getting started
 You will need a `ClientID` and `ClientSecret` ([where to get these](https://bitwarden.com/help/personal-api-key/)) as well as your password.
@ -51,7 +56,7 @@ And you are set to create your first secret using this operator. For that you ne
 ```yaml
 ---
-apiVersion: "lerentis.uploadfilter24.eu/v1beta3"
+apiVersion: "lerentis.uploadfilter24.eu/v1beta4"
 kind: BitwardenSecret
 metadata:
  name: name-of-your-management-object
@ -60,9 +65,11 @@ spec:
    - element:
        secretName: nameOfTheFieldInBitwarden # for example username
        secretRef: nameOfTheKeyInTheSecretToBeCreated 
        secretScope: login # for custom entries on bitwarden use 'fields' 
    - element:
        secretName: nameOfAnotherFieldInBitwarden # for example password
        secretRef: nameOfAnotherKeyInTheSecretToBeCreated 
        secretScope: login # for custom entries on bitwarden use 'fields' 
  id: "A Secret ID from bitwarden"
  name: "Name of the secret to be created"
  namespace: "Namespace of the secret to be created"
@ -91,7 +98,7 @@ For managing registry credentials, or pull secrets, you can create another kind
 ```yaml
 ---
-apiVersion: "lerentis.uploadfilter24.eu/v1beta3"
+apiVersion: "lerentis.uploadfilter24.eu/v1beta4"
 kind: RegistryCredential
 metadata:
  name: name-of-your-management-object
@ -120,10 +127,46 @@ metadata:
 type: dockerconfigjson
 ```
-## Short Term Roadmap
+## BitwardenTemplate
- [ ] support more types
+One of the more freely defined types that can be used with this operator you can just pass a whole template:
- [x] offer option to use a existing secret in helm chart
+
- [x] host chart on gh pages
+```yaml
- [x] write release pipeline
+---
- [x] maybe extend spec to offer modification of keys as well
+apiVersion: "lerentis.uploadfilter24.eu/v1beta4"
 kind: BitwardenTemplate
 metadata:
  name: name-of-your-management-object
 spec:
  filename: "Key of the secret to be created"
  name: "Name of the secret to be created"
  namespace: "Namespace of the secret to be created"
  template: |
    ---
    api:
      enabled: True
      key: {{ bitwarden_lookup("A Secret ID from bitwarden", "login or fields", "name of a field in bitwarden") }}
      allowCrossOrigin: false
      apps:
        "some.app.identifier:some_version":
          pubkey: {{ bitwarden_lookup("A Secret ID from bitwarden", "login or fields", "name of a field in bitwarden") }}
          enabled: true
 ```
 This will result in something like the following object:
 ```yaml
 apiVersion: v1
 data:
  Key of the secret to be created: "base64 encoded and rendered template with secrets injected directly from bitwarden"
 kind: Secret
 metadata:
  annotations:
    managed: bitwarden-template.lerentis.uploadfilter24.eu
    managedObject: namespace/name-of-your-management-object
  name: Name of the secret to be created
  namespace: Namespace of the secret to be created
 type: Opaque
 ```
 please note that the rendering engine for this template is jinja2, with an addition of a custom `bitwarden_lookup` function, so there are more possibilities to inject here.
--- a/requirements.txt
+++ b/requirements.txt
@ -1,3 +1,3 @@
-kopf==1.35.6
+kopf==1.36.0
 kubernetes==25.3.0
 Jinja2==3.1.2
--- a/src/dockerlogin.py
+++ b/src/dockerlogin.py
@ -53,8 +53,39 @@ def create_managed_registry_secret(spec, name, namespace, logger, **kwargs):
    logger.info(f"Registry Secret {secret_namespace}/{secret_name} has been created")
@kopf.on.update('registry-credential.lerentis.uploadfilter24.eu')
-def my_handler(spec, old, new, diff, **_):
+@kopf.timer('registry-credential.lerentis.uploadfilter24.eu', interval=900)
-    pass
+def update_managed_registry_secret(spec, status, name, namespace, logger, body, **kwargs):
    username_ref = spec.get('usernameRef')
    password_ref = spec.get('passwordRef')
    registry = spec.get('registry')
    id = spec.get('id')
    secret_name = spec.get('name')
    secret_namespace = spec.get('namespace')
    unlock_bw(logger)
    logger.info(f"Locking up secret with ID: {id}")
    secret_json_object = json.loads(get_secret_from_bitwarden(id))
    api = kubernetes.client.CoreV1Api()
    annotations = {
        "managed": "registry-credential.lerentis.uploadfilter24.eu",
        "managedObject": f"{namespace}/{name}"
    }
    secret = kubernetes.client.V1Secret()
    secret.metadata = kubernetes.client.V1ObjectMeta(name=secret_name, annotations=annotations)
    secret = create_dockerlogin(logger, secret, secret_json_object, username_ref, password_ref, registry)
    try:
        obj = api.replace_namespaced_secret(
            name=secret_name,
            body=secret,
            namespace="{}".format(secret_namespace))
        logger.info(f"Secret {secret_namespace}/{secret_name} has been updated")
    except:
        logger.warn(
            f"Could not update secret {secret_namespace}/{secret_name}!")
@kopf.on.delete('registry-credential.lerentis.uploadfilter24.eu')
 def delete_managed_secret(spec, name, namespace, logger, **kwargs):
--- a/src/kv.py
+++ b/src/kv.py
@ -5,12 +5,13 @@ import json
 from utils.utils import unlock_bw, get_secret_from_bitwarden, parse_login_scope, parse_fields_scope
 def create_kv(secret, secret_json, content_def):
    secret.type = "Opaque"
    secret.data = {}
    for eleml in content_def:
        for k, elem in eleml.items():
-            for key,value in elem.items():
+            for key, value in elem.items():
                if key == "secretName":
                    _secret_key = value
                if key == "secretRef":
@ -18,11 +19,14 @@ def create_kv(secret, secret_json, content_def):
                if key == "secretScope":
                    _secret_scope = value
            if _secret_scope == "login":
-                secret.data[_secret_ref] = str(base64.b64encode(parse_login_scope(secret_json, _secret_key).encode("utf-8")), "utf-8")
+                secret.data[_secret_ref] = str(base64.b64encode(
                    parse_login_scope(secret_json, _secret_key).encode("utf-8")), "utf-8")
            if _secret_scope == "fields":
-                secret.data[_secret_ref] = str(base64.b64encode(parse_fields_scope(secret_json, _secret_key).encode("utf-8")), "utf-8")
+                secret.data[_secret_ref] = str(base64.b64encode(
                    parse_fields_scope(secret_json, _secret_key).encode("utf-8")), "utf-8")
    return secret
@kopf.on.create('bitwarden-secret.lerentis.uploadfilter24.eu')
 def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
@ -42,18 +46,53 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
        "managedObject": f"{namespace}/{name}"
    }
    secret = kubernetes.client.V1Secret()
-    secret.metadata = kubernetes.client.V1ObjectMeta(name=secret_name, annotations=annotations)
+    secret.metadata = kubernetes.client.V1ObjectMeta(
-    secret = create_kv(secret, secret_json_object, content_def)   
+        name=secret_name, annotations=annotations)
    secret = create_kv(secret, secret_json_object, content_def)
    obj = api.create_namespaced_secret(
-        secret_namespace, secret
+        namespace="{}".format(secret_namespace),
        body=secret
    )
    logger.info(f"Secret {secret_namespace}/{secret_name} has been created")
@kopf.on.update('bitwarden-secret.lerentis.uploadfilter24.eu')
-def my_handler(spec, old, new, diff, **_):
+@kopf.timer('bitwarden-secret.lerentis.uploadfilter24.eu', interval=900)
-    pass
+def update_managed_secret(spec, status, name, namespace, logger, body, **kwargs):
    content_def = body['spec']['content']
    id = spec.get('id')
    secret_name = spec.get('name')
    secret_namespace = spec.get('namespace')
    unlock_bw(logger)
    logger.info(f"Locking up secret with ID: {id}")
    secret_json_object = json.loads(get_secret_from_bitwarden(id))
    api = kubernetes.client.CoreV1Api()
    annotations = {
        "managed": "bitwarden-secret.lerentis.uploadfilter24.eu",
        "managedObject": f"{namespace}/{name}"
    }
    secret = kubernetes.client.V1Secret()
    secret.metadata = kubernetes.client.V1ObjectMeta(
        name=secret_name, annotations=annotations)
    secret = create_kv(secret, secret_json_object, content_def)
    try:
        obj = api.replace_namespaced_secret(
            name=secret_name,
            body=secret,
            namespace="{}".format(secret_namespace))
        logger.info(f"Secret {secret_namespace}/{secret_name} has been updated")
    except:
        logger.warn(
            f"Could not update secret {secret_namespace}/{secret_name}!")
@kopf.on.delete('bitwarden-secret.lerentis.uploadfilter24.eu')
 def delete_managed_secret(spec, name, namespace, logger, **kwargs):
@ -63,6 +102,8 @@ def delete_managed_secret(spec, name, namespace, logger, **kwargs):
    try:
        api.delete_namespaced_secret(secret_name, secret_namespace)
-        logger.info(f"Secret {secret_namespace}/{secret_name} has been deleted")
+        logger.info(
            f"Secret {secret_namespace}/{secret_name} has been deleted")
    except:
-        logger.warn(f"Could not delete secret {secret_namespace}/{secret_name}!")
+        logger.warn(
            f"Could not delete secret {secret_namespace}/{secret_name}!")
--- a/src/template.py
+++ b/src/template.py
@ -49,8 +49,35 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs):
    logger.info(f"Secret {secret_namespace}/{secret_name} has been created")
@kopf.on.update('bitwarden-template.lerentis.uploadfilter24.eu')
-def my_handler(spec, old, new, diff, **_):
+@kopf.timer('bitwarden-template.lerentis.uploadfilter24.eu', interval=900)
-    pass
+def update_managed_secret(spec, status, name, namespace, logger, body, **kwargs):
    template = spec.get('template')
    filename = spec.get('filename')
    secret_name = spec.get('name')
    secret_namespace = spec.get('namespace')
    unlock_bw(logger)
    api = kubernetes.client.CoreV1Api()
    annotations = {
        "managed": "bitwarden-template.lerentis.uploadfilter24.eu",
        "managedObject": f"{namespace}/{name}"
    }
    secret = kubernetes.client.V1Secret()
    secret.metadata = kubernetes.client.V1ObjectMeta(name=secret_name, annotations=annotations)
    secret = create_template_secret(secret, filename, template)
    try:
        obj = api.replace_namespaced_secret(
            name=secret_name,
            body=secret,
            namespace="{}".format(secret_namespace))
        logger.info(f"Secret {secret_namespace}/{secret_name} has been updated")
    except:
        logger.warn(
            f"Could not update secret {secret_namespace}/{secret_name}!")
@kopf.on.delete('bitwarden-template.lerentis.uploadfilter24.eu')
 def delete_managed_secret(spec, name, namespace, logger, **kwargs):
@ -63,10 +90,3 @@ def delete_managed_secret(spec, name, namespace, logger, **kwargs):
        logger.info(f"Secret {secret_namespace}/{secret_name} has been deleted")
    except:
        logger.warn(f"Could not delete secret {secret_namespace}/{secret_name}!")
 #if __name__ == '__main__':
 #    tpl = """
 #        Calling the 'bitwarden_lookup' function:
 #        {{ bitwarden_lookup(2, 2) }}
 #    """
 #    print(render_template(tpl))
Author	SHA1	Message	Date
Tobias Trabelsi	40f76a8bdb	update and retry handler All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/tag Build is passing Details	2022-12-26 16:29:14 +01:00
Tobias Trabelsi	8546855412	updated bitwarden CLI version All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/tag Build is passing Details	2022-12-24 17:42:07 +01:00
Tobias Trabelsi	938ddd1bb6	download from action run before uploading to release	2022-12-18 18:08:52 +01:00
Tobias Trabelsi	5adc7785d0	okay then manually	2022-12-18 17:05:36 +01:00
Tobias Trabelsi	df1fdcbb14	attach sbom to GH release next time	2022-12-18 16:37:22 +01:00
Tobias Trabelsi	3328016da4	update chart and try to publish a sbom	2022-12-18 16:31:52 +01:00
Tobias Trabelsi	fdd3808c7e	fixed cves in image All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/tag Build is passing Details	2022-12-18 12:09:37 +01:00
Tobias Trabelsi	fee8dfb97a	Fixed documentation and examples	2022-11-27 13:35:29 +01:00
Tobias Trabelsi	2611231c8a	fixed readme in charts folder for artifacthub	2022-11-27 13:32:03 +01:00
Tobias Trabelsi	884476606c	fixed readme	2022-11-26 21:59:39 +01:00
Tobias Trabelsi	92c51a21d0	Merge pull request #5 from Lerentis/feature/tt/raw-templates	2022-11-26 21:43:29 +01:00
Tobias Trabelsi	12edc8445f	Merge pull request #4 from Lerentis/dependabot/pip/kopf-1.36.0 Bump kopf from 1.35.6 to 1.36.0	2022-11-21 07:51:39 +01:00
dependabot[bot]	df7b9fd043	Bump kopf from 1.35.6 to 1.36.0 Bumps [kopf](https://github.com/nolar/kopf) from 1.35.6 to 1.36.0. - [Release notes](https://github.com/nolar/kopf/releases) - [Commits](https://github.com/nolar/kopf/compare/1.35.6...1.36.0) --- updated-dependencies: - dependency-name: kopf dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2022-11-21 06:45:35 +00:00