Compare commits
	
		
			20 Commits
		
	
	
		
			v0.4.1
			...
			10cc864275
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
| 10cc864275 | |||
| 689a6e5bae | |||
|  | 4e23b67f5d | ||
|  | f4d05fdd0f | ||
|  | 48bc422974 | ||
|  | 41d4959422 | ||
|  | c2116c24ec | ||
|  | 67692b372f | ||
| 8a6219718a | |||
|  | a10f6b3c9a | ||
|  | 56657df85a | ||
|  | 6a324e66da | ||
|  | 6081374696 | ||
|  | a3cec12284 | ||
| 40f76a8bdb | |||
| 8546855412 | |||
| 938ddd1bb6 | |||
| 5adc7785d0 | |||
| df1fdcbb14 | |||
| 3328016da4 | 
							
								
								
									
										36
									
								
								.github/workflows/release.yml
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										36
									
								
								.github/workflows/release.yml
									
									
									
									
										vendored
									
									
								
							| @@ -27,8 +27,42 @@ jobs: | ||||
|           version: v3.10.0 | ||||
|  | ||||
|       - name: Run chart-releaser | ||||
|         uses: helm/chart-releaser-action@v1.4.1 | ||||
|         uses: helm/chart-releaser-action@v1.5.0 | ||||
|         with: | ||||
|           charts_dir: charts | ||||
|         env: | ||||
|           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | ||||
|  | ||||
|       - name: Get app version from chart | ||||
|         uses: mikefarah/yq@v4.30.8 | ||||
|         id: app_version | ||||
|         with: | ||||
|           cmd: yq '.appVersion' charts/bitwarden-crd-operator/Chart.yaml | ||||
|  | ||||
|       - name: Create SBOM | ||||
|         uses: anchore/sbom-action@v0 | ||||
|         with: | ||||
|           image: lerentis/bitwarden-crd-operator:${{ steps.app_version.outputs.result }} | ||||
|          | ||||
|       - name: Publish SBOM | ||||
|         uses: anchore/sbom-action/publish-sbom@v0 | ||||
|         with: | ||||
|           sbom-artifact-match: ".*\\.spdx\\.json" | ||||
|  | ||||
|       - name: Get Latest Tag | ||||
|         id: previoustag | ||||
|         uses: WyriHaximus/github-action-get-previous-tag@v1 | ||||
|  | ||||
|       - name: Download SBOM from github action | ||||
|         uses: actions/download-artifact@v3 | ||||
|         with: | ||||
|           name: ${{ env.ANCHORE_SBOM_ACTION_PRIOR_ARTIFACT }} | ||||
|  | ||||
|       - name: Add SBOM to release | ||||
|         uses: svenstaro/upload-release-action@v2 | ||||
|         with: | ||||
|           repo_token: ${{ secrets.GITHUB_TOKEN }} | ||||
|           file_glob: true | ||||
|           file: lerentis-bitwarden-crd-operator_*.spdx.json | ||||
|           tag:  ${{ steps.previoustag.outputs.tag }} | ||||
|           overwrite: true | ||||
|   | ||||
							
								
								
									
										10
									
								
								Dockerfile
									
									
									
									
									
								
							
							
						
						
									
										10
									
								
								Dockerfile
									
									
									
									
									
								
							| @@ -1,15 +1,15 @@ | ||||
| FROM alpine:latest as builder | ||||
|  | ||||
| ARG BW_VERSION=2022.8.0 | ||||
| ARG BW_VERSION=2023.1.0 | ||||
|  | ||||
| RUN apk add wget unzip | ||||
|  | ||||
| RUN cd /tmp && wget https://github.com/bitwarden/clients/releases/download/cli-v${BW_VERSION}/bw-linux-${BW_VERSION}.zip && \ | ||||
|     unzip /tmp/bw-linux-${BW_VERSION}.zip | ||||
|  | ||||
| FROM alpine:3.17 | ||||
| FROM alpine:3.17.2 | ||||
|  | ||||
| ARG PYTHON_VERSION=3.10.9-r1 | ||||
| ARG PYTHON_VERSION=3.10.10-r0 | ||||
| ARG PIP_VERSION=22.3.1-r1 | ||||
| ARG GCOMPAT_VERSION=1.1.0-r0 | ||||
|  | ||||
| @@ -22,7 +22,7 @@ RUN set -eux; \ | ||||
|     mkdir -p /home/bw-operator; \ | ||||
|     chown -R bw-operator /home/bw-operator; \ | ||||
|     chmod +x /usr/local/bin/bw; \ | ||||
|     apk add gcc musl-dev libstdc++ gcompat=${GCOMPAT_VERSION} python3=${PYTHON_VERSION} py-pip=${PIP_VERSION}; \ | ||||
|     apk add gcc musl-dev libstdc++ gcompat=${GCOMPAT_VERSION} python3=${PYTHON_VERSION} py3-pip=${PIP_VERSION}; \ | ||||
|     pip install -r requirements.txt --no-warn-script-location; \ | ||||
|     apk del --purge gcc musl-dev libstdc++; | ||||
|  | ||||
| @@ -30,5 +30,5 @@ COPY --chown=bw-operator:bw-operator src /home/bw-operator | ||||
|  | ||||
| USER bw-operator | ||||
|  | ||||
| ENTRYPOINT [ "kopf", "run", "--all-namespaces", "--liveness=http://0.0.0.0:8080/healthz" ] | ||||
| ENTRYPOINT [ "kopf", "run", "--log-format=json", "--all-namespaces", "--liveness=http://0.0.0.0:8080/healthz" ] | ||||
| CMD [ "/home/bw-operator/bitwardenCrdOperator.py", "/home/bw-operator/kv.py", "/home/bw-operator/dockerlogin.py", "/home/bw-operator/template.py"] | ||||
|   | ||||
| @@ -4,9 +4,9 @@ description: Deploy the Bitwarden CRD Operator | ||||
|  | ||||
| type: application | ||||
|  | ||||
| version: "v0.4.1" | ||||
| version: "v0.5.2" | ||||
|  | ||||
| appVersion: "0.4.0" | ||||
| appVersion: "0.5.2" | ||||
|  | ||||
| keywords: | ||||
|   - operator | ||||
| @@ -94,8 +94,12 @@ annotations: | ||||
|   artifacthub.io/license: MIT | ||||
|   artifacthub.io/operator: "true"   | ||||
|   artifacthub.io/changes: | | ||||
|     - kind: fixed | ||||
|       description: "Fixed documentation and examples" | ||||
|     - kind: changed | ||||
|       description: "Bump alpine from 3.17.1 to 3.17.2" | ||||
|     - kind: changed | ||||
|       description: "Bump bitwarden cli from 2022.11.0 to 2023.1.0" | ||||
|     - kind: changed | ||||
|       description: "Bump python version from 3.10.9-r1 to 3.10.10-r0" | ||||
|   artifacthub.io/images: | | ||||
|     - name: bitwarden-crd-operator | ||||
|       image: lerentis/bitwarden-crd-operator:0.4.0 | ||||
|       image: lerentis/bitwarden-crd-operator:0.5.1 | ||||
|   | ||||
| @@ -53,8 +53,58 @@ def create_managed_registry_secret(spec, name, namespace, logger, **kwargs): | ||||
|     logger.info(f"Registry Secret {secret_namespace}/{secret_name} has been created") | ||||
|  | ||||
| @kopf.on.update('registry-credential.lerentis.uploadfilter24.eu') | ||||
| def my_handler(spec, old, new, diff, **_): | ||||
|     pass | ||||
| @kopf.timer('registry-credential.lerentis.uploadfilter24.eu', interval=900) | ||||
| def update_managed_registry_secret(spec, status, name, namespace, logger, body, **kwargs): | ||||
|  | ||||
|     username_ref = spec.get('usernameRef') | ||||
|     password_ref = spec.get('passwordRef') | ||||
|     registry = spec.get('registry') | ||||
|     id = spec.get('id') | ||||
|     secret_name = spec.get('name') | ||||
|     secret_namespace = spec.get('namespace') | ||||
|  | ||||
|  | ||||
|     old_config = None | ||||
|     old_secret_name = None | ||||
|     old_secret_namespace = None | ||||
|     if 'kopf.zalando.org/last-handled-configuration' in body.metadata.annotations: | ||||
|         old_config = json.loads(body.metadata.annotations['kopf.zalando.org/last-handled-configuration']) | ||||
|         old_secret_name = old_config['spec'].get('name') | ||||
|         old_secret_namespace = old_config['spec'].get('namespace') | ||||
|     secret_name = spec.get('name') | ||||
|     secret_namespace = spec.get('namespace') | ||||
|  | ||||
|     if old_config is not None and (old_secret_name != secret_name or old_secret_namespace != secret_namespace): | ||||
|         # If the name of the secret or the namespace of the secret is different | ||||
|         # We have to delete the secret an recreate it | ||||
|         logger.info("Secret name or namespace changed, let's recreate it") | ||||
|         delete_managed_secret(old_config['spec'], name, namespace, logger, **kwargs) | ||||
|         create_managed_registry_secret(spec, name, namespace, logger, **kwargs) | ||||
|         return | ||||
|  | ||||
|     unlock_bw(logger) | ||||
|     logger.info(f"Locking up secret with ID: {id}") | ||||
|     secret_json_object = json.loads(get_secret_from_bitwarden(id)) | ||||
|  | ||||
|     api = kubernetes.client.CoreV1Api() | ||||
|  | ||||
|     annotations = { | ||||
|         "managed": "registry-credential.lerentis.uploadfilter24.eu", | ||||
|         "managedObject": f"{namespace}/{name}" | ||||
|     } | ||||
|     secret = kubernetes.client.V1Secret() | ||||
|     secret.metadata = kubernetes.client.V1ObjectMeta(name=secret_name, annotations=annotations) | ||||
|     secret = create_dockerlogin(logger, secret, secret_json_object, username_ref, password_ref, registry) | ||||
|     try: | ||||
|         obj = api.replace_namespaced_secret( | ||||
|             name=secret_name, | ||||
|             body=secret, | ||||
|             namespace="{}".format(secret_namespace)) | ||||
|         logger.info(f"Secret {secret_namespace}/{secret_name} has been updated") | ||||
|     except: | ||||
|         logger.warn( | ||||
|             f"Could not update secret {secret_namespace}/{secret_name}!") | ||||
|  | ||||
|  | ||||
| @kopf.on.delete('registry-credential.lerentis.uploadfilter24.eu') | ||||
| def delete_managed_secret(spec, name, namespace, logger, **kwargs): | ||||
|   | ||||
							
								
								
									
										80
									
								
								src/kv.py
									
									
									
									
									
								
							
							
						
						
									
										80
									
								
								src/kv.py
									
									
									
									
									
								
							| @@ -5,12 +5,13 @@ import json | ||||
|  | ||||
| from utils.utils import unlock_bw, get_secret_from_bitwarden, parse_login_scope, parse_fields_scope | ||||
|  | ||||
|  | ||||
| def create_kv(secret, secret_json, content_def): | ||||
|     secret.type = "Opaque" | ||||
|     secret.data = {} | ||||
|     for eleml in content_def: | ||||
|         for k, elem in eleml.items(): | ||||
|             for key,value in elem.items(): | ||||
|             for key, value in elem.items(): | ||||
|                 if key == "secretName": | ||||
|                     _secret_key = value | ||||
|                 if key == "secretRef": | ||||
| @@ -18,11 +19,20 @@ def create_kv(secret, secret_json, content_def): | ||||
|                 if key == "secretScope": | ||||
|                     _secret_scope = value | ||||
|             if _secret_scope == "login": | ||||
|                 secret.data[_secret_ref] = str(base64.b64encode(parse_login_scope(secret_json, _secret_key).encode("utf-8")), "utf-8") | ||||
|                 value = parse_login_scope(secret_json, _secret_key) | ||||
|                 if value is None: | ||||
|                     raise Exception(f"Field {_secret_key} has no value in bitwarden secret") | ||||
|                 secret.data[_secret_ref] = str(base64.b64encode( | ||||
|                     value.encode("utf-8")), "utf-8") | ||||
|             if _secret_scope == "fields": | ||||
|                 secret.data[_secret_ref] = str(base64.b64encode(parse_fields_scope(secret_json, _secret_key).encode("utf-8")), "utf-8") | ||||
|                 value = parse_fields_scope(secret_json, _secret_key) | ||||
|                 if value is None: | ||||
|                     raise Exception(f"Field {_secret_key} has no value in bitwarden secret") | ||||
|                 secret.data[_secret_ref] = str(base64.b64encode( | ||||
|                     value.encode("utf-8")), "utf-8") | ||||
|     return secret | ||||
|  | ||||
|  | ||||
| @kopf.on.create('bitwarden-secret.lerentis.uploadfilter24.eu') | ||||
| def create_managed_secret(spec, name, namespace, logger, body, **kwargs): | ||||
|  | ||||
| @@ -42,18 +52,68 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs): | ||||
|         "managedObject": f"{namespace}/{name}" | ||||
|     } | ||||
|     secret = kubernetes.client.V1Secret() | ||||
|     secret.metadata = kubernetes.client.V1ObjectMeta(name=secret_name, annotations=annotations) | ||||
|     secret.metadata = kubernetes.client.V1ObjectMeta( | ||||
|         name=secret_name, annotations=annotations) | ||||
|     secret = create_kv(secret, secret_json_object, content_def) | ||||
|  | ||||
|     obj = api.create_namespaced_secret( | ||||
|         secret_namespace, secret | ||||
|         namespace="{}".format(secret_namespace), | ||||
|         body=secret | ||||
|     ) | ||||
|  | ||||
|     logger.info(f"Secret {secret_namespace}/{secret_name} has been created") | ||||
|  | ||||
|  | ||||
| @kopf.on.update('bitwarden-secret.lerentis.uploadfilter24.eu') | ||||
| def my_handler(spec, old, new, diff, **_): | ||||
|     pass | ||||
| @kopf.timer('bitwarden-secret.lerentis.uploadfilter24.eu', interval=900) | ||||
| def update_managed_secret(spec, status, name, namespace, logger, body, **kwargs): | ||||
|  | ||||
|     content_def = body['spec']['content'] | ||||
|     id = spec.get('id') | ||||
|     old_config = None | ||||
|     old_secret_name = None | ||||
|     old_secret_namespace = None | ||||
|     if 'kopf.zalando.org/last-handled-configuration' in body.metadata.annotations: | ||||
|         old_config = json.loads(body.metadata.annotations['kopf.zalando.org/last-handled-configuration']) | ||||
|         old_secret_name = old_config['spec'].get('name') | ||||
|         old_secret_namespace = old_config['spec'].get('namespace') | ||||
|     secret_name = spec.get('name') | ||||
|     secret_namespace = spec.get('namespace') | ||||
|  | ||||
|     if old_config is not None and (old_secret_name != secret_name or old_secret_namespace != secret_namespace): | ||||
|         # If the name of the secret or the namespace of the secret is different | ||||
|         # We have to delete the secret an recreate it | ||||
|         logger.info("Secret name or namespace changed, let's recreate it") | ||||
|         delete_managed_secret(old_config['spec'], name, namespace, logger, **kwargs) | ||||
|         create_managed_secret(spec, name, namespace, logger, body, **kwargs) | ||||
|         return | ||||
|  | ||||
|     unlock_bw(logger) | ||||
|     logger.info(f"Locking up secret with ID: {id}") | ||||
|     secret_json_object = json.loads(get_secret_from_bitwarden(id)) | ||||
|  | ||||
|     api = kubernetes.client.CoreV1Api() | ||||
|  | ||||
|     annotations = { | ||||
|         "managed": "bitwarden-secret.lerentis.uploadfilter24.eu", | ||||
|         "managedObject": f"{namespace}/{name}" | ||||
|     } | ||||
|  | ||||
|     secret = kubernetes.client.V1Secret() | ||||
|     secret.metadata = kubernetes.client.V1ObjectMeta( | ||||
|         name=secret_name, annotations=annotations) | ||||
|     secret = create_kv(secret, secret_json_object, content_def) | ||||
|  | ||||
|     try: | ||||
|         obj = api.replace_namespaced_secret( | ||||
|             name=secret_name, | ||||
|             body=secret, | ||||
|             namespace="{}".format(secret_namespace)) | ||||
|         logger.info(f"Secret {secret_namespace}/{secret_name} has been updated") | ||||
|     except: | ||||
|         logger.warn( | ||||
|             f"Could not update secret {secret_namespace}/{secret_name}!") | ||||
|  | ||||
|  | ||||
| @kopf.on.delete('bitwarden-secret.lerentis.uploadfilter24.eu') | ||||
| def delete_managed_secret(spec, name, namespace, logger, **kwargs): | ||||
| @@ -63,6 +123,8 @@ def delete_managed_secret(spec, name, namespace, logger, **kwargs): | ||||
|  | ||||
|     try: | ||||
|         api.delete_namespaced_secret(secret_name, secret_namespace) | ||||
|         logger.info(f"Secret {secret_namespace}/{secret_name} has been deleted") | ||||
|         logger.info( | ||||
|             f"Secret {secret_namespace}/{secret_name} has been deleted") | ||||
|     except: | ||||
|         logger.warn(f"Could not delete secret {secret_namespace}/{secret_name}!") | ||||
|         logger.warn( | ||||
|             f"Could not delete secret {secret_namespace}/{secret_name}!") | ||||
|   | ||||
| @@ -1,6 +1,7 @@ | ||||
| import kopf | ||||
| import base64 | ||||
| import kubernetes | ||||
| import json | ||||
|  | ||||
| from utils.utils import unlock_bw | ||||
| from lookups.bitwarden_lookup import bitwarden_lookup | ||||
| @@ -49,8 +50,53 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs): | ||||
|     logger.info(f"Secret {secret_namespace}/{secret_name} has been created") | ||||
|  | ||||
| @kopf.on.update('bitwarden-template.lerentis.uploadfilter24.eu') | ||||
| def my_handler(spec, old, new, diff, **_): | ||||
|     pass | ||||
| @kopf.timer('bitwarden-template.lerentis.uploadfilter24.eu', interval=900) | ||||
| def update_managed_secret(spec, status, name, namespace, logger, body, **kwargs): | ||||
|  | ||||
|     template = spec.get('template') | ||||
|     filename = spec.get('filename') | ||||
|     secret_name = spec.get('name') | ||||
|     secret_namespace = spec.get('namespace') | ||||
|  | ||||
|     old_config = None | ||||
|     old_secret_name = None | ||||
|     old_secret_namespace = None | ||||
|     if 'kopf.zalando.org/last-handled-configuration' in body.metadata.annotations: | ||||
|         old_config = json.loads(body.metadata.annotations['kopf.zalando.org/last-handled-configuration']) | ||||
|         old_secret_name = old_config['spec'].get('name') | ||||
|         old_secret_namespace = old_config['spec'].get('namespace') | ||||
|     secret_name = spec.get('name') | ||||
|     secret_namespace = spec.get('namespace') | ||||
|  | ||||
|     if old_config is not None and (old_secret_name != secret_name or old_secret_namespace != secret_namespace): | ||||
|         # If the name of the secret or the namespace of the secret is different | ||||
|         # We have to delete the secret an recreate it | ||||
|         logger.info("Secret name or namespace changed, let's recreate it") | ||||
|         delete_managed_secret(old_config['spec'], name, namespace, logger, **kwargs) | ||||
|         create_managed_secret(spec, name, namespace, logger, body, **kwargs) | ||||
|         return | ||||
|  | ||||
|     unlock_bw(logger) | ||||
|  | ||||
|     api = kubernetes.client.CoreV1Api() | ||||
|  | ||||
|     annotations = { | ||||
|         "managed": "bitwarden-template.lerentis.uploadfilter24.eu", | ||||
|         "managedObject": f"{namespace}/{name}" | ||||
|     } | ||||
|     secret = kubernetes.client.V1Secret() | ||||
|     secret.metadata = kubernetes.client.V1ObjectMeta(name=secret_name, annotations=annotations) | ||||
|     secret = create_template_secret(secret, filename, template) | ||||
|  | ||||
|     try: | ||||
|         obj = api.replace_namespaced_secret( | ||||
|             name=secret_name, | ||||
|             body=secret, | ||||
|             namespace="{}".format(secret_namespace)) | ||||
|         logger.info(f"Secret {secret_namespace}/{secret_name} has been updated") | ||||
|     except: | ||||
|         logger.warn( | ||||
|             f"Could not update secret {secret_namespace}/{secret_name}!") | ||||
|  | ||||
| @kopf.on.delete('bitwarden-template.lerentis.uploadfilter24.eu') | ||||
| def delete_managed_secret(spec, name, namespace, logger, **kwargs): | ||||
| @@ -63,10 +109,3 @@ def delete_managed_secret(spec, name, namespace, logger, **kwargs): | ||||
|         logger.info(f"Secret {secret_namespace}/{secret_name} has been deleted") | ||||
|     except: | ||||
|         logger.warn(f"Could not delete secret {secret_namespace}/{secret_name}!") | ||||
|  | ||||
| #if __name__ == '__main__': | ||||
| #    tpl = """ | ||||
| #        Calling the 'bitwarden_lookup' function: | ||||
| #        {{ bitwarden_lookup(2, 2) }} | ||||
| #    """ | ||||
| #    print(render_template(tpl)) | ||||
| @@ -1,4 +1,5 @@ | ||||
| import os | ||||
| import json | ||||
| import subprocess | ||||
|  | ||||
| class BitwardenCommandException(Exception): | ||||
| @@ -8,6 +9,11 @@ def get_secret_from_bitwarden(id): | ||||
|     return command_wrapper(command=f"get item {id}") | ||||
|  | ||||
| def unlock_bw(logger): | ||||
|     status_output = command_wrapper("status") | ||||
|     status = json.loads(status_output)['status'] | ||||
|     if status == 'unlocked': | ||||
|         logger.info("Already unlocked") | ||||
|         return | ||||
|     token_output = command_wrapper("unlock --passwordenv BW_PASSWORD") | ||||
|     tokens = token_output.split('"')[1::2] | ||||
|     os.environ["BW_SESSION"] = tokens[1] | ||||
| @@ -25,6 +31,8 @@ def parse_login_scope(secret_json, key): | ||||
|     return secret_json["login"][key] | ||||
|  | ||||
| def parse_fields_scope(secret_json, key): | ||||
|     if "fields" not in secret_json: | ||||
|         return None | ||||
|     for entry in secret_json["fields"]: | ||||
|         if entry['name'] == key: | ||||
|             return entry['value'] | ||||
|   | ||||
		Reference in New Issue
	
	Block a user