Compare commits
	
		
			23 Commits
		
	
	
		
			v0.5.0
			...
			6a907f149f
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
|  | 6a907f149f | ||
|  | 3db74524ca | ||
|  | e49df1fb4d | ||
|  | bb3ca7573b | ||
| 097712c6c6 | |||
|  | 3845fd8045 | ||
|  | 3caacac98a | ||
|  | beeca5a6b6 | ||
|  | 2d4c8ec14b | ||
| 10cc864275 | |||
| 689a6e5bae | |||
|  | 4e23b67f5d | ||
|  | f4d05fdd0f | ||
|  | 48bc422974 | ||
|  | 41d4959422 | ||
|  | c2116c24ec | ||
|  | 67692b372f | ||
| 8a6219718a | |||
|  | a10f6b3c9a | ||
|  | 56657df85a | ||
|  | 6a324e66da | ||
|  | 6081374696 | ||
|  | a3cec12284 | 
							
								
								
									
										6
									
								
								.github/workflows/release.yml
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										6
									
								
								.github/workflows/release.yml
									
									
									
									
										vendored
									
									
								
							| @@ -27,14 +27,14 @@ jobs: | |||||||
|           version: v3.10.0 |           version: v3.10.0 | ||||||
|  |  | ||||||
|       - name: Run chart-releaser |       - name: Run chart-releaser | ||||||
|         uses: helm/chart-releaser-action@v1.4.1 |         uses: helm/chart-releaser-action@v1.5.0 | ||||||
|         with: |         with: | ||||||
|           charts_dir: charts |           charts_dir: charts | ||||||
|         env: |         env: | ||||||
|           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" |           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | ||||||
|  |  | ||||||
|       - name: Get app version from chart |       - name: Get app version from chart | ||||||
|         uses: mikefarah/yq@v4.30.6 |         uses: mikefarah/yq@v4.32.2 | ||||||
|         id: app_version |         id: app_version | ||||||
|         with: |         with: | ||||||
|           cmd: yq '.appVersion' charts/bitwarden-crd-operator/Chart.yaml |           cmd: yq '.appVersion' charts/bitwarden-crd-operator/Chart.yaml | ||||||
| @@ -65,4 +65,4 @@ jobs: | |||||||
|           file_glob: true |           file_glob: true | ||||||
|           file: lerentis-bitwarden-crd-operator_*.spdx.json |           file: lerentis-bitwarden-crd-operator_*.spdx.json | ||||||
|           tag:  ${{ steps.previoustag.outputs.tag }} |           tag:  ${{ steps.previoustag.outputs.tag }} | ||||||
|           overwrite: false |           overwrite: true | ||||||
|   | |||||||
| @@ -1,15 +1,15 @@ | |||||||
| FROM alpine:latest as builder | FROM alpine:latest as builder | ||||||
|  |  | ||||||
| ARG BW_VERSION=2022.11.0 | ARG BW_VERSION=2023.1.0 | ||||||
|  |  | ||||||
| RUN apk add wget unzip | RUN apk add wget unzip | ||||||
|  |  | ||||||
| RUN cd /tmp && wget https://github.com/bitwarden/clients/releases/download/cli-v${BW_VERSION}/bw-linux-${BW_VERSION}.zip && \ | RUN cd /tmp && wget https://github.com/bitwarden/clients/releases/download/cli-v${BW_VERSION}/bw-linux-${BW_VERSION}.zip && \ | ||||||
|     unzip /tmp/bw-linux-${BW_VERSION}.zip |     unzip /tmp/bw-linux-${BW_VERSION}.zip | ||||||
|  |  | ||||||
| FROM alpine:3.17 | FROM alpine:3.17.2 | ||||||
|  |  | ||||||
| ARG PYTHON_VERSION=3.10.9-r1 | ARG PYTHON_VERSION=3.10.10-r0 | ||||||
| ARG PIP_VERSION=22.3.1-r1 | ARG PIP_VERSION=22.3.1-r1 | ||||||
| ARG GCOMPAT_VERSION=1.1.0-r0 | ARG GCOMPAT_VERSION=1.1.0-r0 | ||||||
|  |  | ||||||
| @@ -22,7 +22,7 @@ RUN set -eux; \ | |||||||
|     mkdir -p /home/bw-operator; \ |     mkdir -p /home/bw-operator; \ | ||||||
|     chown -R bw-operator /home/bw-operator; \ |     chown -R bw-operator /home/bw-operator; \ | ||||||
|     chmod +x /usr/local/bin/bw; \ |     chmod +x /usr/local/bin/bw; \ | ||||||
|     apk add gcc musl-dev libstdc++ gcompat=${GCOMPAT_VERSION} python3=${PYTHON_VERSION} py-pip=${PIP_VERSION}; \ |     apk add gcc musl-dev libstdc++ gcompat=${GCOMPAT_VERSION} python3=${PYTHON_VERSION} py3-pip=${PIP_VERSION}; \ | ||||||
|     pip install -r requirements.txt --no-warn-script-location; \ |     pip install -r requirements.txt --no-warn-script-location; \ | ||||||
|     apk del --purge gcc musl-dev libstdc++; |     apk del --purge gcc musl-dev libstdc++; | ||||||
|  |  | ||||||
|   | |||||||
| @@ -4,9 +4,9 @@ description: Deploy the Bitwarden CRD Operator | |||||||
|  |  | ||||||
| type: application | type: application | ||||||
|  |  | ||||||
| version: "v0.5.0" | version: "v0.5.3" | ||||||
|  |  | ||||||
| appVersion: "0.5.0" | appVersion: "0.5.3" | ||||||
|  |  | ||||||
| keywords: | keywords: | ||||||
|   - operator |   - operator | ||||||
| @@ -94,12 +94,10 @@ annotations: | |||||||
|   artifacthub.io/license: MIT |   artifacthub.io/license: MIT | ||||||
|   artifacthub.io/operator: "true"   |   artifacthub.io/operator: "true"   | ||||||
|   artifacthub.io/changes: | |   artifacthub.io/changes: | | ||||||
|     - kind: added |  | ||||||
|       description: "Implemented update handling" |  | ||||||
|     - kind: changed |     - kind: changed | ||||||
|       description: "Changed default logging structure to json logging" |       description: "Bump kubernetes from 25.3.0 to 26.1.0" | ||||||
|     - kind: changed |     - kind: fixed | ||||||
|       description: "Secrets are periodically updated every 15 minutes" |       description: "Fixed artifacthub images annotation" | ||||||
|   artifacthub.io/images: | |   artifacthub.io/images: | | ||||||
|     - name: bitwarden-crd-operator |     - name: bitwarden-crd-operator | ||||||
|       image: lerentis/bitwarden-crd-operator:0.5.0 |       image: lerentis/bitwarden-crd-operator:0.5.3 | ||||||
|   | |||||||
| @@ -1,3 +1,3 @@ | |||||||
| kopf==1.36.0 | kopf==1.36.0 | ||||||
| kubernetes==25.3.0 | kubernetes==26.1.0 | ||||||
| Jinja2==3.1.2 | Jinja2==3.1.2 | ||||||
|   | |||||||
| @@ -63,6 +63,25 @@ def update_managed_registry_secret(spec, status, name, namespace, logger, body, | |||||||
|     secret_name = spec.get('name') |     secret_name = spec.get('name') | ||||||
|     secret_namespace = spec.get('namespace') |     secret_namespace = spec.get('namespace') | ||||||
|  |  | ||||||
|  |  | ||||||
|  |     old_config = None | ||||||
|  |     old_secret_name = None | ||||||
|  |     old_secret_namespace = None | ||||||
|  |     if 'kopf.zalando.org/last-handled-configuration' in body.metadata.annotations: | ||||||
|  |         old_config = json.loads(body.metadata.annotations['kopf.zalando.org/last-handled-configuration']) | ||||||
|  |         old_secret_name = old_config['spec'].get('name') | ||||||
|  |         old_secret_namespace = old_config['spec'].get('namespace') | ||||||
|  |     secret_name = spec.get('name') | ||||||
|  |     secret_namespace = spec.get('namespace') | ||||||
|  |  | ||||||
|  |     if old_config is not None and (old_secret_name != secret_name or old_secret_namespace != secret_namespace): | ||||||
|  |         # If the name of the secret or the namespace of the secret is different | ||||||
|  |         # We have to delete the secret an recreate it | ||||||
|  |         logger.info("Secret name or namespace changed, let's recreate it") | ||||||
|  |         delete_managed_secret(old_config['spec'], name, namespace, logger, **kwargs) | ||||||
|  |         create_managed_registry_secret(spec, name, namespace, logger, **kwargs) | ||||||
|  |         return | ||||||
|  |  | ||||||
|     unlock_bw(logger) |     unlock_bw(logger) | ||||||
|     logger.info(f"Locking up secret with ID: {id}") |     logger.info(f"Locking up secret with ID: {id}") | ||||||
|     secret_json_object = json.loads(get_secret_from_bitwarden(id)) |     secret_json_object = json.loads(get_secret_from_bitwarden(id)) | ||||||
|   | |||||||
							
								
								
									
										25
									
								
								src/kv.py
									
									
									
									
									
								
							
							
						
						
									
										25
									
								
								src/kv.py
									
									
									
									
									
								
							| @@ -19,11 +19,17 @@ def create_kv(secret, secret_json, content_def): | |||||||
|                 if key == "secretScope": |                 if key == "secretScope": | ||||||
|                     _secret_scope = value |                     _secret_scope = value | ||||||
|             if _secret_scope == "login": |             if _secret_scope == "login": | ||||||
|  |                 value = parse_login_scope(secret_json, _secret_key) | ||||||
|  |                 if value is None: | ||||||
|  |                     raise Exception(f"Field {_secret_key} has no value in bitwarden secret") | ||||||
|                 secret.data[_secret_ref] = str(base64.b64encode( |                 secret.data[_secret_ref] = str(base64.b64encode( | ||||||
|                     parse_login_scope(secret_json, _secret_key).encode("utf-8")), "utf-8") |                     value.encode("utf-8")), "utf-8") | ||||||
|             if _secret_scope == "fields": |             if _secret_scope == "fields": | ||||||
|  |                 value = parse_fields_scope(secret_json, _secret_key) | ||||||
|  |                 if value is None: | ||||||
|  |                     raise Exception(f"Field {_secret_key} has no value in bitwarden secret") | ||||||
|                 secret.data[_secret_ref] = str(base64.b64encode( |                 secret.data[_secret_ref] = str(base64.b64encode( | ||||||
|                     parse_fields_scope(secret_json, _secret_key).encode("utf-8")), "utf-8") |                     value.encode("utf-8")), "utf-8") | ||||||
|     return secret |     return secret | ||||||
|  |  | ||||||
|  |  | ||||||
| @@ -64,9 +70,24 @@ def update_managed_secret(spec, status, name, namespace, logger, body, **kwargs) | |||||||
|  |  | ||||||
|     content_def = body['spec']['content'] |     content_def = body['spec']['content'] | ||||||
|     id = spec.get('id') |     id = spec.get('id') | ||||||
|  |     old_config = None | ||||||
|  |     old_secret_name = None | ||||||
|  |     old_secret_namespace = None | ||||||
|  |     if 'kopf.zalando.org/last-handled-configuration' in body.metadata.annotations: | ||||||
|  |         old_config = json.loads(body.metadata.annotations['kopf.zalando.org/last-handled-configuration']) | ||||||
|  |         old_secret_name = old_config['spec'].get('name') | ||||||
|  |         old_secret_namespace = old_config['spec'].get('namespace') | ||||||
|     secret_name = spec.get('name') |     secret_name = spec.get('name') | ||||||
|     secret_namespace = spec.get('namespace') |     secret_namespace = spec.get('namespace') | ||||||
|  |  | ||||||
|  |     if old_config is not None and (old_secret_name != secret_name or old_secret_namespace != secret_namespace): | ||||||
|  |         # If the name of the secret or the namespace of the secret is different | ||||||
|  |         # We have to delete the secret an recreate it | ||||||
|  |         logger.info("Secret name or namespace changed, let's recreate it") | ||||||
|  |         delete_managed_secret(old_config['spec'], name, namespace, logger, **kwargs) | ||||||
|  |         create_managed_secret(spec, name, namespace, logger, body, **kwargs) | ||||||
|  |         return | ||||||
|  |  | ||||||
|     unlock_bw(logger) |     unlock_bw(logger) | ||||||
|     logger.info(f"Locking up secret with ID: {id}") |     logger.info(f"Locking up secret with ID: {id}") | ||||||
|     secret_json_object = json.loads(get_secret_from_bitwarden(id)) |     secret_json_object = json.loads(get_secret_from_bitwarden(id)) | ||||||
|   | |||||||
| @@ -1,6 +1,7 @@ | |||||||
| import kopf | import kopf | ||||||
| import base64 | import base64 | ||||||
| import kubernetes | import kubernetes | ||||||
|  | import json | ||||||
|  |  | ||||||
| from utils.utils import unlock_bw | from utils.utils import unlock_bw | ||||||
| from lookups.bitwarden_lookup import bitwarden_lookup | from lookups.bitwarden_lookup import bitwarden_lookup | ||||||
| @@ -57,6 +58,24 @@ def update_managed_secret(spec, status, name, namespace, logger, body, **kwargs) | |||||||
|     secret_name = spec.get('name') |     secret_name = spec.get('name') | ||||||
|     secret_namespace = spec.get('namespace') |     secret_namespace = spec.get('namespace') | ||||||
|  |  | ||||||
|  |     old_config = None | ||||||
|  |     old_secret_name = None | ||||||
|  |     old_secret_namespace = None | ||||||
|  |     if 'kopf.zalando.org/last-handled-configuration' in body.metadata.annotations: | ||||||
|  |         old_config = json.loads(body.metadata.annotations['kopf.zalando.org/last-handled-configuration']) | ||||||
|  |         old_secret_name = old_config['spec'].get('name') | ||||||
|  |         old_secret_namespace = old_config['spec'].get('namespace') | ||||||
|  |     secret_name = spec.get('name') | ||||||
|  |     secret_namespace = spec.get('namespace') | ||||||
|  |  | ||||||
|  |     if old_config is not None and (old_secret_name != secret_name or old_secret_namespace != secret_namespace): | ||||||
|  |         # If the name of the secret or the namespace of the secret is different | ||||||
|  |         # We have to delete the secret an recreate it | ||||||
|  |         logger.info("Secret name or namespace changed, let's recreate it") | ||||||
|  |         delete_managed_secret(old_config['spec'], name, namespace, logger, **kwargs) | ||||||
|  |         create_managed_secret(spec, name, namespace, logger, body, **kwargs) | ||||||
|  |         return | ||||||
|  |  | ||||||
|     unlock_bw(logger) |     unlock_bw(logger) | ||||||
|  |  | ||||||
|     api = kubernetes.client.CoreV1Api() |     api = kubernetes.client.CoreV1Api() | ||||||
|   | |||||||
| @@ -1,4 +1,5 @@ | |||||||
| import os | import os | ||||||
|  | import json | ||||||
| import subprocess | import subprocess | ||||||
|  |  | ||||||
| class BitwardenCommandException(Exception): | class BitwardenCommandException(Exception): | ||||||
| @@ -8,6 +9,11 @@ def get_secret_from_bitwarden(id): | |||||||
|     return command_wrapper(command=f"get item {id}") |     return command_wrapper(command=f"get item {id}") | ||||||
|  |  | ||||||
| def unlock_bw(logger): | def unlock_bw(logger): | ||||||
|  |     status_output = command_wrapper("status") | ||||||
|  |     status = json.loads(status_output)['status'] | ||||||
|  |     if status == 'unlocked': | ||||||
|  |         logger.info("Already unlocked") | ||||||
|  |         return | ||||||
|     token_output = command_wrapper("unlock --passwordenv BW_PASSWORD") |     token_output = command_wrapper("unlock --passwordenv BW_PASSWORD") | ||||||
|     tokens = token_output.split('"')[1::2] |     tokens = token_output.split('"')[1::2] | ||||||
|     os.environ["BW_SESSION"] = tokens[1] |     os.environ["BW_SESSION"] = tokens[1] | ||||||
| @@ -25,6 +31,8 @@ def parse_login_scope(secret_json, key): | |||||||
|     return secret_json["login"][key] |     return secret_json["login"][key] | ||||||
|  |  | ||||||
| def parse_fields_scope(secret_json, key): | def parse_fields_scope(secret_json, key): | ||||||
|  |     if "fields" not in secret_json: | ||||||
|  |         return None | ||||||
|     for entry in secret_json["fields"]: |     for entry in secret_json["fields"]: | ||||||
|         if entry['name'] == key: |         if entry['name'] == key: | ||||||
|             return entry['value'] |             return entry['value'] | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user