Compare commits
	
		
			90 Commits
		
	
	
		
			v0.5.3
			...
			6a8945af21
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
|  | 6a8945af21 | ||
|  | 6160723a72 | ||
|  | 7527163f26 | ||
|  | c6ee9fdc39 | ||
|  | 313cf7d6e9 | ||
|  | 8649c4e865 | ||
|  | 23037bafc1 | ||
|  | be98eb9b88 | ||
|  | 80d8db6924 | ||
|  | d6c207ba82 | ||
|  | fc37a12737 | ||
|  | 58b990db2a | ||
|  | f3cba82c9f | ||
|  | f7a0f43cab | ||
|  | 382b6776ce | ||
|  | 94bc6b10b1 | ||
| 53dae0aaaf | |||
| 41a085c475 | |||
|  | 70546b7484 | ||
|  | ae5b39bbcb | ||
|  | 02dfca5a44 | ||
|  | 31cba57a1a | ||
|  | f0a9258b71 | ||
|  | 63e6f8ab7b | ||
|  | 9fe5bde4e8 | ||
|  | 7e0a5b6b57 | ||
|  | b7ef2480be | ||
|  | 25a825b712 | ||
|  | 963446d9dc | ||
|  | bd000cc23a | ||
|  | 72bb525e9a | ||
|  | 0bb67e4503 | ||
|  | 3f35179983 | ||
|  | 68ffb94870 | ||
|  | ddf13aae1c | ||
|  | f63e0ac090 | ||
|  | 39a49ab95b | ||
|  | 187da26b30 | ||
|  | 62a2b488d2 | ||
|  | bec7476ace | ||
|  | d629fa600f | ||
|  | ba8c35da9f | ||
|  | e85ea8357a | ||
|  | 69d1af8ba5 | ||
|  | 293ac2a0b0 | ||
|  | 5c8d10b060 | ||
|  | 25ebf35835 | ||
|  | 1427715823 | ||
|  | 57b6d69b6b | ||
|  | 0e33c33415 | ||
|  | 4d36cd468f | ||
| 6f099c4bf2 | |||
|  | aa015cc7ba | ||
|  | 2de9bbb0bf | ||
|  | 4505f3985c | ||
|  | 82b684e460 | ||
|  | 8ec698f50e | ||
|  | 9b8fe1d8ef | ||
|  | 516f2a34cf | ||
| 361d0866e9 | |||
| 9d4ade904e | |||
| 8c3714f7e0 | |||
| 36ae5cc602 | |||
| d908419b78 | |||
| 2d399ff8ce | |||
| c753737497 | |||
| 886fe3783d | |||
|  | 18a47f8ad2 | ||
|  | e405734e72 | ||
| 8bf4292991 | |||
|  | b149b26485 | ||
|  | 5263a811e1 | ||
|  | 4b59ff1aac | ||
|  | ad1cc9f646 | ||
| 0f518ab28d | |||
| 1bf2a24cf2 | |||
| a73e8ff982 | |||
|  | 54a4ffa212 | ||
| 16040bf87a | |||
|  | 9c1c7417e1 | ||
|  | 0f9ca0869c | ||
|  | 6fbf060044 | ||
|  | 3bb40cdcb4 | ||
|  | 219c9d0413 | ||
|  | 4f92bfe86a | ||
|  | 640333cfc7 | ||
|  | 6a907f149f | ||
|  | 3db74524ca | ||
|  | e49df1fb4d | ||
|  | bb3ca7573b | 
							
								
								
									
										31
									
								
								.github/workflows/release.yml
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										31
									
								
								.github/workflows/release.yml
									
									
									
									
										vendored
									
									
								
							| @@ -8,11 +8,13 @@ on: | |||||||
| jobs: | jobs: | ||||||
|   release: |   release: | ||||||
|     permissions: |     permissions: | ||||||
|  |       id-token: write | ||||||
|       contents: write |       contents: write | ||||||
|  |       packages: write | ||||||
|     runs-on: ubuntu-latest |     runs-on: ubuntu-latest | ||||||
|     steps: |     steps: | ||||||
|       - name: Checkout |       - name: Checkout | ||||||
|         uses: actions/checkout@v3 |         uses: actions/checkout@v4 | ||||||
|         with: |         with: | ||||||
|           fetch-depth: 0 |           fetch-depth: 0 | ||||||
|  |  | ||||||
| @@ -27,22 +29,43 @@ jobs: | |||||||
|           version: v3.10.0 |           version: v3.10.0 | ||||||
|  |  | ||||||
|       - name: Run chart-releaser |       - name: Run chart-releaser | ||||||
|         uses: helm/chart-releaser-action@v1.5.0 |         uses: helm/chart-releaser-action@v1.6.0 | ||||||
|         with: |         with: | ||||||
|           charts_dir: charts |           charts_dir: charts | ||||||
|         env: |         env: | ||||||
|           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" |           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | ||||||
|  |  | ||||||
|       - name: Get app version from chart |       - name: Get app version from chart | ||||||
|         uses: mikefarah/yq@v4.31.1 |         uses: mikefarah/yq@v4.40.2 | ||||||
|         id: app_version |         id: app_version | ||||||
|         with: |         with: | ||||||
|           cmd: yq '.appVersion' charts/bitwarden-crd-operator/Chart.yaml |           cmd: yq '.appVersion' charts/bitwarden-crd-operator/Chart.yaml | ||||||
|  |  | ||||||
|  |       - name: "GHCR Login" | ||||||
|  |         uses: docker/login-action@v3 | ||||||
|  |         with: | ||||||
|  |           registry: ghcr.io | ||||||
|  |           username: lerentis | ||||||
|  |           password: ${{ secrets.GITHUB_TOKEN }} | ||||||
|  |  | ||||||
|  |       - name: Set up QEMU | ||||||
|  |         uses: docker/setup-qemu-action@v3 | ||||||
|  |        | ||||||
|  |       - name: Set up Docker Buildx | ||||||
|  |         uses: docker/setup-buildx-action@v3 | ||||||
|  |  | ||||||
|  |       - name: "GHCR Build and Push" | ||||||
|  |         id: docker_build | ||||||
|  |         uses: docker/build-push-action@v5 | ||||||
|  |         with: | ||||||
|  |           push: true | ||||||
|  |           platforms: linux/amd64,linux/arm64 | ||||||
|  |           tags: ghcr.io/lerentis/bitwarden-crd-operator:${{ steps.app_version.outputs.result }} | ||||||
|  |  | ||||||
|       - name: Create SBOM |       - name: Create SBOM | ||||||
|         uses: anchore/sbom-action@v0 |         uses: anchore/sbom-action@v0 | ||||||
|         with: |         with: | ||||||
|           image: lerentis/bitwarden-crd-operator:${{ steps.app_version.outputs.result }} |           image: ghcr.io/lerentis/bitwarden-crd-operator:${{ steps.app_version.outputs.result }} | ||||||
|          |          | ||||||
|       - name: Publish SBOM |       - name: Publish SBOM | ||||||
|         uses: anchore/sbom-action/publish-sbom@v0 |         uses: anchore/sbom-action/publish-sbom@v0 | ||||||
|   | |||||||
							
								
								
									
										55
									
								
								.github/workflows/test-and-lint.yml
									
									
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										55
									
								
								.github/workflows/test-and-lint.yml
									
									
									
									
										vendored
									
									
										Normal file
									
								
							| @@ -0,0 +1,55 @@ | |||||||
|  | name: Lint and Test | ||||||
|  |  | ||||||
|  | on: pull_request | ||||||
|  |  | ||||||
|  | jobs: | ||||||
|  |   lint-test: | ||||||
|  |     runs-on: ubuntu-latest | ||||||
|  |     steps: | ||||||
|  |       - name: Checkout | ||||||
|  |         uses: actions/checkout@v4 | ||||||
|  |         with: | ||||||
|  |           fetch-depth: 0 | ||||||
|  |  | ||||||
|  |       - name: Set up Helm | ||||||
|  |         uses: azure/setup-helm@v3 | ||||||
|  |         with: | ||||||
|  |           version: v3.11.2 | ||||||
|  |  | ||||||
|  |       - uses: actions/setup-python@v4 | ||||||
|  |         with: | ||||||
|  |           python-version: '3.9' | ||||||
|  |           check-latest: true | ||||||
|  |  | ||||||
|  |       - name: Set up chart-testing | ||||||
|  |         uses: helm/chart-testing-action@v2.6.1 | ||||||
|  |  | ||||||
|  |       - name: Run chart-testing (list-changed) | ||||||
|  |         id: list-changed | ||||||
|  |         run: | | ||||||
|  |           changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }}) | ||||||
|  |           if [[ -n "$changed" ]]; then | ||||||
|  |             echo "changed=true" >> "$GITHUB_OUTPUT" | ||||||
|  |           fi | ||||||
|  |  | ||||||
|  |       - name: Run chart-testing (lint) | ||||||
|  |         if: steps.list-changed.outputs.changed == 'true' | ||||||
|  |         run: ct lint --target-branch ${{ github.event.repository.default_branch }} | ||||||
|  |  | ||||||
|  |   pr-build: | ||||||
|  |     runs-on: ubuntu-latest | ||||||
|  |     steps: | ||||||
|  |       - name: Set up QEMU | ||||||
|  |         uses: docker/setup-qemu-action@v3 | ||||||
|  |        | ||||||
|  |       - name: Set up Docker Buildx | ||||||
|  |         uses: docker/setup-buildx-action@v3 | ||||||
|  |  | ||||||
|  |       - name: "GHCR Build" | ||||||
|  |         id: docker_build | ||||||
|  |         uses: docker/build-push-action@v5 | ||||||
|  |         with: | ||||||
|  |           push: false | ||||||
|  |           platforms: linux/amd64,linux/arm64 | ||||||
|  |           tags: ghcr.io/lerentis/bitwarden-crd-operator:dev | ||||||
|  |  | ||||||
							
								
								
									
										2
									
								
								.gitignore
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										2
									
								
								.gitignore
									
									
									
									
										vendored
									
									
								
							| @@ -166,3 +166,5 @@ lib | |||||||
| lib64 | lib64 | ||||||
|  |  | ||||||
| myvalues.yaml | myvalues.yaml | ||||||
|  |  | ||||||
|  | .vscode | ||||||
							
								
								
									
										50
									
								
								Dockerfile
									
									
									
									
									
								
							
							
						
						
									
										50
									
								
								Dockerfile
									
									
									
									
									
								
							| @@ -1,29 +1,45 @@ | |||||||
| FROM alpine:latest as builder | FROM alpine:3.18.3 | ||||||
|  |  | ||||||
|  | LABEL org.opencontainers.image.source=https://github.com/Lerentis/bitwarden-crd-operator | ||||||
|  | LABEL org.opencontainers.image.description="Kubernetes Operator to create k8s secrets from bitwarden" | ||||||
|  | LABEL org.opencontainers.image.licenses=MIT | ||||||
|  |  | ||||||
|  | ARG PYTHON_VERSION=3.11.6-r0 | ||||||
|  | ARG PIP_VERSION=23.1.2-r0 | ||||||
|  | ARG GCOMPAT_VERSION=1.1.0-r1 | ||||||
|  | ARG LIBCRYPTO_VERSION=3.1.2-r0 | ||||||
| ARG BW_VERSION=2023.1.0 | ARG BW_VERSION=2023.1.0 | ||||||
|  |  | ||||||
| RUN apk add wget unzip | COPY requirements.txt /requirements.txt | ||||||
|  |  | ||||||
| RUN cd /tmp && wget https://github.com/bitwarden/clients/releases/download/cli-v${BW_VERSION}/bw-linux-${BW_VERSION}.zip && \ |  | ||||||
|     unzip /tmp/bw-linux-${BW_VERSION}.zip |  | ||||||
|  |  | ||||||
| FROM alpine:3.17.2 |  | ||||||
|  |  | ||||||
| ARG PYTHON_VERSION=3.10.10-r0 |  | ||||||
| ARG PIP_VERSION=22.3.1-r1 |  | ||||||
| ARG GCOMPAT_VERSION=1.1.0-r0 |  | ||||||
|  |  | ||||||
| COPY --from=builder /tmp/bw /usr/local/bin/bw |  | ||||||
| COPY requirements.txt requirements.txt |  | ||||||
|  |  | ||||||
| RUN set -eux; \ | RUN set -eux; \ | ||||||
|  |     apk add --virtual build-dependencies wget unzip; \ | ||||||
|  |     ARCH="$(apk --print-arch)"; \ | ||||||
|  |     case "${ARCH}" in \ | ||||||
|  |        aarch64|arm64) \ | ||||||
|  |           apk add npm; \ | ||||||
|  |           npm install -g @bitwarden/cli@${BW_VERSION}; \ | ||||||
|  |          ;; \ | ||||||
|  |        amd64|x86_64) \ | ||||||
|  |           cd /tmp; \ | ||||||
|  |           wget https://github.com/bitwarden/clients/releases/download/cli-v${BW_VERSION}/bw-linux-${BW_VERSION}.zip; \ | ||||||
|  |           unzip /tmp/bw-linux-${BW_VERSION}.zip; \ | ||||||
|  |           mv /tmp/bw /usr/local/bin/bw; \ | ||||||
|  |           chmod +x /usr/local/bin/bw; \ | ||||||
|  |          ;; \ | ||||||
|  |        *) \ | ||||||
|  |          echo "Unsupported arch: ${ARCH}"; \ | ||||||
|  |          exit 1; \ | ||||||
|  |          ;; \ | ||||||
|  |     esac; \ | ||||||
|  |     apk del --purge build-dependencies; \ | ||||||
|     addgroup -S -g 1000 bw-operator; \ |     addgroup -S -g 1000 bw-operator; \ | ||||||
|     adduser -S -D -u 1000 -G bw-operator bw-operator; \ |     adduser -S -D -u 1000 -G bw-operator bw-operator; \ | ||||||
|     mkdir -p /home/bw-operator; \ |     mkdir -p /home/bw-operator; \ | ||||||
|     chown -R bw-operator /home/bw-operator; \ |     chown -R bw-operator /home/bw-operator; \ | ||||||
|     chmod +x /usr/local/bin/bw; \ |     apk add gcc musl-dev libstdc++ gcompat=${GCOMPAT_VERSION} python3=${PYTHON_VERSION} py3-pip=${PIP_VERSION} libcrypto3=${LIBCRYPTO_VERSION}; \ | ||||||
|     apk add gcc musl-dev libstdc++ gcompat=${GCOMPAT_VERSION} python3=${PYTHON_VERSION} py3-pip=${PIP_VERSION}; \ |     pip install -r /requirements.txt --no-warn-script-location; \ | ||||||
|     pip install -r requirements.txt --no-warn-script-location; \ |     rm /requirements.txt; \ | ||||||
|     apk del --purge gcc musl-dev libstdc++; |     apk del --purge gcc musl-dev libstdc++; | ||||||
|  |  | ||||||
| COPY --chown=bw-operator:bw-operator src /home/bw-operator | COPY --chown=bw-operator:bw-operator src /home/bw-operator | ||||||
|   | |||||||
							
								
								
									
										27
									
								
								Makefile
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										27
									
								
								Makefile
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,27 @@ | |||||||
|  | deployment_name ?= bitwarden-crd-operator | ||||||
|  | namespace ?= bitwarden-crd-operator | ||||||
|  | label_filter = -l app.kubernetes.io/instance=bitwarden-crd-operator -l app.kubernetes.io/name=bitwarden-crd-operator | ||||||
|  |  | ||||||
|  | create-namespace: | ||||||
|  | 	kubectl create namespace ${namespace} | ||||||
|  |  | ||||||
|  | dev: | ||||||
|  | 	skaffold dev -n ${namespace} | ||||||
|  |  | ||||||
|  | run: | ||||||
|  | 	skaffold run -n ${namespace} | ||||||
|  |  | ||||||
|  | pods: | ||||||
|  | 	kubectl -n ${namespace} get pods | ||||||
|  |  | ||||||
|  | desc-pods: | ||||||
|  | 	kubectl -n ${namespace} describe pod ${label_filter} | ||||||
|  |  | ||||||
|  | delete-pods-force: | ||||||
|  | 	kubectl -n ${namespace} delete pod ${label_filter} --force | ||||||
|  |  | ||||||
|  | exec: | ||||||
|  | 	kubectl -n ${namespace} exec -it deployment/${deployment_name} -- sh | ||||||
|  |  | ||||||
|  | logs: | ||||||
|  | 	kubectl -n ${namespace} logs -f --tail 30 deployment/${deployment_name} | ||||||
							
								
								
									
										26
									
								
								README.md
									
									
									
									
									
								
							
							
						
						
									
										26
									
								
								README.md
									
									
									
									
									
								
							| @@ -129,7 +129,7 @@ type: dockerconfigjson | |||||||
|  |  | ||||||
| ## BitwardenTemplate | ## BitwardenTemplate | ||||||
|  |  | ||||||
| One of the more freely defined types that can be used with this operator you can just pass a whole template: | One of the more freely defined types that can be used with this operator you can just pass a whole template. Also the lookup function `bitwarden_lookup` is available to reference parts of the secret: | ||||||
|  |  | ||||||
| ```yaml | ```yaml | ||||||
| --- | --- | ||||||
| @@ -145,11 +145,11 @@ spec: | |||||||
|     --- |     --- | ||||||
|     api: |     api: | ||||||
|       enabled: True |       enabled: True | ||||||
|       key: {{ bitwarden_lookup("A Secret ID from bitwarden", "login or fields", "name of a field in bitwarden") }} |       key: {{ bitwarden_lookup("A Secret ID from bitwarden", "login or fields or attachment", "name of a field in bitwarden") }} | ||||||
|       allowCrossOrigin: false |       allowCrossOrigin: false | ||||||
|       apps: |       apps: | ||||||
|         "some.app.identifier:some_version": |         "some.app.identifier:some_version": | ||||||
|           pubkey: {{ bitwarden_lookup("A Secret ID from bitwarden", "login or fields", "name of a field in bitwarden") }} |           pubkey: {{ bitwarden_lookup("A Secret ID from bitwarden", "login or fields or attachment", "name of a field in bitwarden") }} | ||||||
|           enabled: true |           enabled: true | ||||||
| ``` | ``` | ||||||
|  |  | ||||||
| @@ -169,12 +169,18 @@ metadata: | |||||||
| type: Opaque | type: Opaque | ||||||
| ``` | ``` | ||||||
|  |  | ||||||
| please note that the rendering engine for this template is jinja2, with an addition of a custom `bitwarden_lookup` function, so there are more possibilities to inject here. | The signature of `bitwarden_lookup` is `(item_id, scope, field)`: | ||||||
|  | - `item_id`: The item ID of the secret in Bitwarden | ||||||
|  | - `scope`: one of `login`, `fields` or `attachment` | ||||||
|  | - `field`: | ||||||
|  |   - when `scope` is `login`: either `username` or `password` | ||||||
|  |   - when `scope` is `fields`: the name of a custom field | ||||||
|  |   - when `scope` is `attachment`: the filename of a file attached to the item | ||||||
|  |  | ||||||
| ## Short Term Roadmap | Please note that the rendering engine for this template is jinja2, with an addition of a custom `bitwarden_lookup` function, so there are more possibilities to inject here. | ||||||
|  |  | ||||||
| - [ ] support more types | ## Configurations parameters | ||||||
| - [x] offer option to use a existing secret in helm chart |  | ||||||
| - [x] host chart on gh pages | The operator uses the bitwarden cli in the background and does not communicate to the api directly. The cli mirrors the credential store locally but doesn't sync it on every get request. Instead it will sync each secret every 15 minutes (900 seconds). You can adjust the interval by setting `BW_SYNC_INTERVAL` in the values. If your secrets update very very frequently, you can force the operator to do a sync before each get by setting `BW_FORCE_SYNC="true"`. You might run into rate limits if you do this too frequent. | ||||||
| - [x] write release pipeline |  | ||||||
| - [x] maybe extend spec to offer modification of keys as well | Additionally the bitwarden cli session may expire at some time. In order to create a new session, the login command is triggered from time to time. In what interval exactly can be configured with the env `BW_RELOGIN_INTERVAL` which defaults to 3600s. | ||||||
|   | |||||||
| @@ -4,9 +4,9 @@ description: Deploy the Bitwarden CRD Operator | |||||||
|  |  | ||||||
| type: application | type: application | ||||||
|  |  | ||||||
| version: "v0.5.3" | version: "v0.10.1" | ||||||
|  |  | ||||||
| appVersion: "0.5.3" | appVersion: "0.9.1" | ||||||
|  |  | ||||||
| keywords: | keywords: | ||||||
|   - operator |   - operator | ||||||
| @@ -20,7 +20,7 @@ home: https://lerentis.github.io/bitwarden-crd-operator/ | |||||||
| sources: | sources: | ||||||
|   - https://github.com/Lerentis/bitwarden-crd-operator |   - https://github.com/Lerentis/bitwarden-crd-operator | ||||||
|  |  | ||||||
| kubeVersion: '>= 1.23.0-0' | kubeVersion: ">= 1.23.0-0" | ||||||
|  |  | ||||||
| maintainers: | maintainers: | ||||||
|   - name: lerentis |   - name: lerentis | ||||||
| @@ -89,15 +89,14 @@ annotations: | |||||||
|             allowCrossOrigin: false |             allowCrossOrigin: false | ||||||
|             apps: |             apps: | ||||||
|               "some.app.identifier:some_version": |               "some.app.identifier:some_version": | ||||||
|                 pubkey: {{ bitwarden_lookup("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "fields", "public_key") }} |                 pubkey: {{ bitwarden_lookup("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "attachment", "public_key") }} | ||||||
|                 enabled: true |                 enabled: true | ||||||
|   artifacthub.io/license: MIT |   artifacthub.io/license: MIT | ||||||
|   artifacthub.io/operator: "true" |   artifacthub.io/operator: "true" | ||||||
|  |   artifacthub.io/containsSecurityUpdates: "false" | ||||||
|   artifacthub.io/changes: | |   artifacthub.io/changes: | | ||||||
|     - kind: changed |  | ||||||
|       description: "Bump kubernetes from 25.3.0 to 26.1.0" |  | ||||||
|     - kind: fixed |     - kind: fixed | ||||||
|       description: "Fixed artifacthub images annotation" |       description: "Fixed type and content of RegistryCredential" | ||||||
|   artifacthub.io/images: | |   artifacthub.io/images: | | ||||||
|     - name: bitwarden-crd-operator |     - name: bitwarden-crd-operator | ||||||
|       image: lerentis/bitwarden-crd-operator:0.5.3 |       image: ghcr.io/lerentis/bitwarden-crd-operator:0.9.1 | ||||||
|   | |||||||
| @@ -50,10 +50,20 @@ spec: | |||||||
|             httpGet: |             httpGet: | ||||||
|               path: /healthz |               path: /healthz | ||||||
|               port: http |               port: http | ||||||
|  |             failureThreshold: {{ .Values.livenessProbe.failureThreshold }} | ||||||
|  |             initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} | ||||||
|  |             periodSeconds: {{ .Values.livenessProbe.periodSeconds }} | ||||||
|  |             successThreshold: {{ .Values.livenessProbe.successThreshold }} | ||||||
|  |             timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} | ||||||
|           readinessProbe: |           readinessProbe: | ||||||
|             httpGet: |             httpGet: | ||||||
|               path: /healthz |               path: /healthz | ||||||
|               port: http |               port: http | ||||||
|  |             failureThreshold: {{ .Values.readinessProbe.failureThreshold }} | ||||||
|  |             initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} | ||||||
|  |             periodSeconds: {{ .Values.readinessProbe.periodSeconds }} | ||||||
|  |             successThreshold: {{ .Values.readinessProbe.successThreshold }} | ||||||
|  |             timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} | ||||||
|           resources: |           resources: | ||||||
|             {{- toYaml .Values.resources | nindent 12 }} |             {{- toYaml .Values.resources | nindent 12 }} | ||||||
|       {{- with .Values.nodeSelector }} |       {{- with .Values.nodeSelector }} | ||||||
|   | |||||||
| @@ -5,7 +5,7 @@ | |||||||
| replicaCount: 1 | replicaCount: 1 | ||||||
|  |  | ||||||
| image: | image: | ||||||
|   repository: lerentis/bitwarden-crd-operator |   repository: ghcr.io/lerentis/bitwarden-crd-operator | ||||||
|   pullPolicy: IfNotPresent |   pullPolicy: IfNotPresent | ||||||
|   # Overrides the image tag whose default is the chart appVersion. |   # Overrides the image tag whose default is the chart appVersion. | ||||||
|   # tag: "0.1.0" |   # tag: "0.1.0" | ||||||
| @@ -14,7 +14,11 @@ imagePullSecrets: [] | |||||||
| nameOverride: "" | nameOverride: "" | ||||||
| fullnameOverride: "" | fullnameOverride: "" | ||||||
|  |  | ||||||
| #env: | # env: | ||||||
|  | #   - name: BW_FORCE_SYNC | ||||||
|  | #     value: "false" | ||||||
|  | #   - name: BW_SYNC_INTERVAL | ||||||
|  | #     value: "900" | ||||||
| #   - name: BW_HOST | #   - name: BW_HOST | ||||||
| #     value: "define_it" | #     value: "define_it" | ||||||
| #   - name: BW_CLIENTID | #   - name: BW_CLIENTID | ||||||
| @@ -23,6 +27,8 @@ fullnameOverride: "" | |||||||
| #     value: "define_it" | #     value: "define_it" | ||||||
| #   - name: BW_PASSWORD | #   - name: BW_PASSWORD | ||||||
| #     value: "define_id" | #     value: "define_id" | ||||||
|  | ##  - name: BW_RELOGIN_INTERVAL | ||||||
|  | ##    value: "3600" | ||||||
|  |  | ||||||
| externalConfigSecret: | externalConfigSecret: | ||||||
|   enabled: false |   enabled: false | ||||||
| @@ -51,6 +57,20 @@ securityContext: {} | |||||||
|   # runAsNonRoot: true |   # runAsNonRoot: true | ||||||
|   # runAsUser: 1000 |   # runAsUser: 1000 | ||||||
|  |  | ||||||
|  | readinessProbe: | ||||||
|  |   failureThreshold: 3 | ||||||
|  |   initialDelaySeconds: 10 | ||||||
|  |   periodSeconds: 10 | ||||||
|  |   successThreshold: 1 | ||||||
|  |   timeoutSeconds: 1 | ||||||
|  |  | ||||||
|  | livenessProbe: | ||||||
|  |   failureThreshold: 3 | ||||||
|  |   initialDelaySeconds: 10 | ||||||
|  |   periodSeconds: 10 | ||||||
|  |   successThreshold: 1 | ||||||
|  |   timeoutSeconds: 1 | ||||||
|  |  | ||||||
| resources: {} | resources: {} | ||||||
|   # We usually recommend not to specify default resources and to leave this as a conscious |   # We usually recommend not to specify default resources and to leave this as a conscious | ||||||
|   # choice for the user. This also increases chances charts run on environments with little |   # choice for the user. This also increases chances charts run on environments with little | ||||||
|   | |||||||
							
								
								
									
										14
									
								
								example.yaml
									
									
									
									
									
								
							
							
						
						
									
										14
									
								
								example.yaml
									
									
									
									
									
								
							| @@ -16,3 +16,17 @@ spec: | |||||||
|   id: "88781348-c81c-4367-9801-550360c21295" |   id: "88781348-c81c-4367-9801-550360c21295" | ||||||
|   name: "test-secret" |   name: "test-secret" | ||||||
|   namespace: "default" |   namespace: "default" | ||||||
|  | --- | ||||||
|  | apiVersion: "lerentis.uploadfilter24.eu/v1beta4" | ||||||
|  | kind: BitwardenSecret | ||||||
|  | metadata: | ||||||
|  |   name: test-scope | ||||||
|  | spec: | ||||||
|  |   content: | ||||||
|  |     - element: | ||||||
|  |         secretName: public_key | ||||||
|  |         secretRef: pubKey  | ||||||
|  |         secretScope: fields | ||||||
|  |   id: "466fc4b0-ffca-4444-8d88-b59d4de3d928" | ||||||
|  |   name: "test-scope" | ||||||
|  |   namespace: "default" | ||||||
| @@ -1,3 +1,4 @@ | |||||||
| kopf==1.36.0 | kopf==1.36.2 | ||||||
| kubernetes==26.1.0 | kubernetes==26.1.0 | ||||||
| Jinja2==3.1.2 | Jinja2==3.1.2 | ||||||
|  | schedule==1.2.1 | ||||||
							
								
								
									
										17
									
								
								skaffold.yaml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										17
									
								
								skaffold.yaml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,17 @@ | |||||||
|  | apiVersion: skaffold/v4beta5 | ||||||
|  | kind: Config | ||||||
|  | metadata: | ||||||
|  |   name: bitwarden-crd-operator | ||||||
|  | build: | ||||||
|  |   artifacts: | ||||||
|  |     - image: ghcr.io/lerentis/bitwarden-crd-operator | ||||||
|  |       docker: | ||||||
|  |         dockerfile: Dockerfile | ||||||
|  | deploy: | ||||||
|  |   helm: | ||||||
|  |     releases: | ||||||
|  |       - name: bitwarden-crd-operator | ||||||
|  |         chartPath: charts/bitwarden-crd-operator | ||||||
|  |         valuesFiles: | ||||||
|  |           - env/values.yaml | ||||||
|  |         version: v0.7.4 | ||||||
| @@ -1,20 +1,47 @@ | |||||||
| #!/usr/bin/env python3 | #!/usr/bin/env python3 | ||||||
| import kopf |  | ||||||
| import os | import os | ||||||
|  | import kopf | ||||||
|  | import schedule | ||||||
|  | import time | ||||||
|  | import threading | ||||||
|  |  | ||||||
| from utils.utils import command_wrapper, unlock_bw | from utils.utils import command_wrapper, unlock_bw, sync_bw | ||||||
|  |  | ||||||
| @kopf.on.startup() |  | ||||||
| def bitwarden_signin(logger, **kwargs): | def bitwarden_signin(logger, **kwargs): | ||||||
|     if 'BW_HOST' in os.environ: |     if 'BW_HOST' in os.environ: | ||||||
|         try: |         try: | ||||||
|             command_wrapper(f"config server {os.getenv('BW_HOST')}") |             command_wrapper(logger, f"config server {os.getenv('BW_HOST')}") | ||||||
|         except: |         except BaseException: | ||||||
|             logger.warn("Revieved none zero exit code from server config") |             logger.warn("Received non-zero exit code from server config") | ||||||
|             logger.warn("This is expected from startup") |             logger.warn("This is expected from startup") | ||||||
|             pass |             pass | ||||||
|     else: |     else: | ||||||
|         logger.info(f"BW_HOST not set. Assuming SaaS installation") |         logger.info("BW_HOST not set. Assuming SaaS installation") | ||||||
|     command_wrapper("login --apikey") |     command_wrapper(logger, "login --apikey") | ||||||
|     unlock_bw(logger) |     unlock_bw(logger) | ||||||
|  |  | ||||||
|  | def run_continuously(interval=30): | ||||||
|  |     cease_continuous_run = threading.Event() | ||||||
|  |  | ||||||
|  |     class ScheduleThread(threading.Thread): | ||||||
|  |         @classmethod | ||||||
|  |         def run(cls): | ||||||
|  |             while not cease_continuous_run.is_set(): | ||||||
|  |                 schedule.run_pending() | ||||||
|  |                 time.sleep(interval) | ||||||
|  |  | ||||||
|  |     continuous_thread = ScheduleThread() | ||||||
|  |     continuous_thread.start() | ||||||
|  |     return cease_continuous_run | ||||||
|  |  | ||||||
|  | @kopf.on.startup() | ||||||
|  | def load_schedules(logger, **kwargs): | ||||||
|  |     bitwarden_signin(logger) | ||||||
|  |     logger.info("Loading schedules") | ||||||
|  |     bw_relogin_interval = float(os.environ.get('BW_RELOGIN_INTERVAL', 3600)) | ||||||
|  |     bw_sync_interval = float(os.environ.get('BW_SYNC_INTERVAL', 900)) | ||||||
|  |     schedule.every(bw_relogin_interval).seconds.do(bitwarden_signin, logger=logger) | ||||||
|  |     logger.info(f"relogin scheduled every {bw_relogin_interval} seconds") | ||||||
|  |     schedule.every(bw_sync_interval).seconds.do(sync_bw, logger=logger) | ||||||
|  |     logger.info(f"sync scheduled every {bw_relogin_interval} seconds") | ||||||
|  |     stop_run_continuously = run_continuously() | ||||||
|   | |||||||
| @@ -3,10 +3,17 @@ import kubernetes | |||||||
| import base64 | import base64 | ||||||
| import json | import json | ||||||
|  |  | ||||||
| from utils.utils import unlock_bw, get_secret_from_bitwarden | from utils.utils import unlock_bw, get_secret_from_bitwarden, bw_sync_interval | ||||||
|  |  | ||||||
| def create_dockerlogin(logger, secret, secret_json, username_ref, password_ref, registry): |  | ||||||
|     secret.type = "dockerconfigjson" | def create_dockerlogin( | ||||||
|  |         logger, | ||||||
|  |         secret, | ||||||
|  |         secret_json, | ||||||
|  |         username_ref, | ||||||
|  |         password_ref, | ||||||
|  |         registry): | ||||||
|  |     secret.type = "kubernetes.io/dockerconfigjson" | ||||||
|     secret.data = {} |     secret.data = {} | ||||||
|     auths_dict = {} |     auths_dict = {} | ||||||
|     registry_dict = {} |     registry_dict = {} | ||||||
| @@ -15,14 +22,20 @@ def create_dockerlogin(logger, secret, secret_json, username_ref, password_ref, | |||||||
|     _username = secret_json["login"][username_ref] |     _username = secret_json["login"][username_ref] | ||||||
|     logger.info(f"Creating login with username: {_username}") |     logger.info(f"Creating login with username: {_username}") | ||||||
|     _password = secret_json["login"][password_ref] |     _password = secret_json["login"][password_ref] | ||||||
|     cred_field = str(base64.b64encode(f"{_username}:{_password}".encode("utf-8")), "utf-8") |     cred_field = str( | ||||||
|  |         base64.b64encode( | ||||||
|  |             f"{_username}:{_password}".encode("utf-8")), | ||||||
|  |         "utf-8") | ||||||
|  |     reg_auth_dict["username"] = _username | ||||||
|  |     reg_auth_dict["password"] = _password | ||||||
|     reg_auth_dict["auth"] = cred_field |     reg_auth_dict["auth"] = cred_field | ||||||
|     registry_dict[registry] = reg_auth_dict |     registry_dict[registry] = reg_auth_dict | ||||||
|     auths_dict["auths"] = registry_dict |     auths_dict["auths"] = registry_dict | ||||||
|     secret.data[".dockerconfigjson"] = str(base64.b64encode(json.dumps(auths_dict).encode("utf-8")), "utf-8") |     secret.data[".dockerconfigjson"] = str(base64.b64encode( | ||||||
|  |         json.dumps(auths_dict).encode("utf-8")), "utf-8") | ||||||
|     return secret |     return secret | ||||||
|  |  | ||||||
|  |  | ||||||
| @kopf.on.create('registry-credential.lerentis.uploadfilter24.eu') | @kopf.on.create('registry-credential.lerentis.uploadfilter24.eu') | ||||||
| def create_managed_registry_secret(spec, name, namespace, logger, **kwargs): | def create_managed_registry_secret(spec, name, namespace, logger, **kwargs): | ||||||
|     username_ref = spec.get('usernameRef') |     username_ref = spec.get('usernameRef') | ||||||
| @@ -34,7 +47,7 @@ def create_managed_registry_secret(spec, name, namespace, logger, **kwargs): | |||||||
|  |  | ||||||
|     unlock_bw(logger) |     unlock_bw(logger) | ||||||
|     logger.info(f"Locking up secret with ID: {id}") |     logger.info(f"Locking up secret with ID: {id}") | ||||||
|     secret_json_object = json.loads(get_secret_from_bitwarden(id)) |     secret_json_object = get_secret_from_bitwarden(logger, id) | ||||||
|  |  | ||||||
|     api = kubernetes.client.CoreV1Api() |     api = kubernetes.client.CoreV1Api() | ||||||
|  |  | ||||||
| @@ -43,18 +56,34 @@ def create_managed_registry_secret(spec, name, namespace, logger, **kwargs): | |||||||
|         "managedObject": f"{namespace}/{name}" |         "managedObject": f"{namespace}/{name}" | ||||||
|     } |     } | ||||||
|     secret = kubernetes.client.V1Secret() |     secret = kubernetes.client.V1Secret() | ||||||
|     secret.metadata = kubernetes.client.V1ObjectMeta(name=secret_name, annotations=annotations) |     secret.metadata = kubernetes.client.V1ObjectMeta( | ||||||
|     secret = create_dockerlogin(logger, secret, secret_json_object, username_ref, password_ref, registry)    |         name=secret_name, annotations=annotations) | ||||||
|  |     secret = create_dockerlogin( | ||||||
|  |         logger, | ||||||
|  |         secret, | ||||||
|  |         secret_json_object["data"], | ||||||
|  |         username_ref, | ||||||
|  |         password_ref, | ||||||
|  |         registry) | ||||||
|  |  | ||||||
|     obj = api.create_namespaced_secret( |     obj = api.create_namespaced_secret( | ||||||
|         secret_namespace, secret |         secret_namespace, secret | ||||||
|     ) |     ) | ||||||
|  |  | ||||||
|     logger.info(f"Registry Secret {secret_namespace}/{secret_name} has been created") |     logger.info( | ||||||
|  |         f"Registry Secret {secret_namespace}/{secret_name} has been created") | ||||||
|  |  | ||||||
|  |  | ||||||
| @kopf.on.update('registry-credential.lerentis.uploadfilter24.eu') | @kopf.on.update('registry-credential.lerentis.uploadfilter24.eu') | ||||||
| @kopf.timer('registry-credential.lerentis.uploadfilter24.eu', interval=900) | @kopf.timer('registry-credential.lerentis.uploadfilter24.eu', interval=bw_sync_interval) | ||||||
| def update_managed_registry_secret(spec, status, name, namespace, logger, body, **kwargs): | def update_managed_registry_secret( | ||||||
|  |         spec, | ||||||
|  |         status, | ||||||
|  |         name, | ||||||
|  |         namespace, | ||||||
|  |         logger, | ||||||
|  |         body, | ||||||
|  |         **kwargs): | ||||||
|  |  | ||||||
|     username_ref = spec.get('usernameRef') |     username_ref = spec.get('usernameRef') | ||||||
|     password_ref = spec.get('passwordRef') |     password_ref = spec.get('passwordRef') | ||||||
| @@ -63,28 +92,34 @@ def update_managed_registry_secret(spec, status, name, namespace, logger, body, | |||||||
|     secret_name = spec.get('name') |     secret_name = spec.get('name') | ||||||
|     secret_namespace = spec.get('namespace') |     secret_namespace = spec.get('namespace') | ||||||
|  |  | ||||||
|  |  | ||||||
|     old_config = None |     old_config = None | ||||||
|     old_secret_name = None |     old_secret_name = None | ||||||
|     old_secret_namespace = None |     old_secret_namespace = None | ||||||
|     if 'kopf.zalando.org/last-handled-configuration' in body.metadata.annotations: |     if 'kopf.zalando.org/last-handled-configuration' in body.metadata.annotations: | ||||||
|         old_config = json.loads(body.metadata.annotations['kopf.zalando.org/last-handled-configuration']) |         old_config = json.loads( | ||||||
|  |             body.metadata.annotations['kopf.zalando.org/last-handled-configuration']) | ||||||
|         old_secret_name = old_config['spec'].get('name') |         old_secret_name = old_config['spec'].get('name') | ||||||
|         old_secret_namespace = old_config['spec'].get('namespace') |         old_secret_namespace = old_config['spec'].get('namespace') | ||||||
|     secret_name = spec.get('name') |     secret_name = spec.get('name') | ||||||
|     secret_namespace = spec.get('namespace') |     secret_namespace = spec.get('namespace') | ||||||
|  |  | ||||||
|     if old_config is not None and (old_secret_name != secret_name or old_secret_namespace != secret_namespace): |     if old_config is not None and ( | ||||||
|  |             old_secret_name != secret_name or old_secret_namespace != secret_namespace): | ||||||
|         # If the name of the secret or the namespace of the secret is different |         # If the name of the secret or the namespace of the secret is different | ||||||
|         # We have to delete the secret an recreate it |         # We have to delete the secret an recreate it | ||||||
|         logger.info("Secret name or namespace changed, let's recreate it") |         logger.info("Secret name or namespace changed, let's recreate it") | ||||||
|         delete_managed_secret(old_config['spec'], name, namespace, logger, **kwargs) |         delete_managed_secret( | ||||||
|  |             old_config['spec'], | ||||||
|  |             name, | ||||||
|  |             namespace, | ||||||
|  |             logger, | ||||||
|  |             **kwargs) | ||||||
|         create_managed_registry_secret(spec, name, namespace, logger, **kwargs) |         create_managed_registry_secret(spec, name, namespace, logger, **kwargs) | ||||||
|         return |         return | ||||||
|  |  | ||||||
|     unlock_bw(logger) |     unlock_bw(logger) | ||||||
|     logger.info(f"Locking up secret with ID: {id}") |     logger.info(f"Locking up secret with ID: {id}") | ||||||
|     secret_json_object = json.loads(get_secret_from_bitwarden(id)) |     secret_json_object = get_secret_from_bitwarden(logger, id) | ||||||
|  |  | ||||||
|     api = kubernetes.client.CoreV1Api() |     api = kubernetes.client.CoreV1Api() | ||||||
|  |  | ||||||
| @@ -93,15 +128,23 @@ def update_managed_registry_secret(spec, status, name, namespace, logger, body, | |||||||
|         "managedObject": f"{namespace}/{name}" |         "managedObject": f"{namespace}/{name}" | ||||||
|     } |     } | ||||||
|     secret = kubernetes.client.V1Secret() |     secret = kubernetes.client.V1Secret() | ||||||
|     secret.metadata = kubernetes.client.V1ObjectMeta(name=secret_name, annotations=annotations) |     secret.metadata = kubernetes.client.V1ObjectMeta( | ||||||
|     secret = create_dockerlogin(logger, secret, secret_json_object, username_ref, password_ref, registry) |         name=secret_name, annotations=annotations) | ||||||
|  |     secret = create_dockerlogin( | ||||||
|  |         logger, | ||||||
|  |         secret, | ||||||
|  |         secret_json_object["data"], | ||||||
|  |         username_ref, | ||||||
|  |         password_ref, | ||||||
|  |         registry) | ||||||
|     try: |     try: | ||||||
|         obj = api.replace_namespaced_secret( |         obj = api.replace_namespaced_secret( | ||||||
|             name=secret_name, |             name=secret_name, | ||||||
|             body=secret, |             body=secret, | ||||||
|             namespace="{}".format(secret_namespace)) |             namespace="{}".format(secret_namespace)) | ||||||
|         logger.info(f"Secret {secret_namespace}/{secret_name} has been updated") |         logger.info( | ||||||
|     except: |             f"Secret {secret_namespace}/{secret_name} has been updated") | ||||||
|  |     except BaseException: | ||||||
|         logger.warn( |         logger.warn( | ||||||
|             f"Could not update secret {secret_namespace}/{secret_name}!") |             f"Could not update secret {secret_namespace}/{secret_name}!") | ||||||
|  |  | ||||||
| @@ -114,6 +157,8 @@ def delete_managed_secret(spec, name, namespace, logger, **kwargs): | |||||||
|  |  | ||||||
|     try: |     try: | ||||||
|         api.delete_namespaced_secret(secret_name, secret_namespace) |         api.delete_namespaced_secret(secret_name, secret_namespace) | ||||||
|         logger.info(f"Secret {secret_namespace}/{secret_name} has been deleted") |         logger.info( | ||||||
|     except: |             f"Secret {secret_namespace}/{secret_name} has been deleted") | ||||||
|         logger.warn(f"Could not delete secret {secret_namespace}/{secret_name}!") |     except BaseException: | ||||||
|  |         logger.warn( | ||||||
|  |             f"Could not delete secret {secret_namespace}/{secret_name}!") | ||||||
|   | |||||||
							
								
								
									
										44
									
								
								src/kv.py
									
									
									
									
									
								
							
							
						
						
									
										44
									
								
								src/kv.py
									
									
									
									
									
								
							| @@ -3,8 +3,7 @@ import kubernetes | |||||||
| import base64 | import base64 | ||||||
| import json | import json | ||||||
|  |  | ||||||
| from utils.utils import unlock_bw, get_secret_from_bitwarden, parse_login_scope, parse_fields_scope | from utils.utils import unlock_bw, get_secret_from_bitwarden, parse_login_scope, parse_fields_scope, bw_sync_interval | ||||||
|  |  | ||||||
|  |  | ||||||
| def create_kv(secret, secret_json, content_def): | def create_kv(secret, secret_json, content_def): | ||||||
|     secret.type = "Opaque" |     secret.type = "Opaque" | ||||||
| @@ -21,13 +20,15 @@ def create_kv(secret, secret_json, content_def): | |||||||
|             if _secret_scope == "login": |             if _secret_scope == "login": | ||||||
|                 value = parse_login_scope(secret_json, _secret_key) |                 value = parse_login_scope(secret_json, _secret_key) | ||||||
|                 if value is None: |                 if value is None: | ||||||
|                     raise Exception(f"Field {_secret_key} has no value in bitwarden secret") |                     raise Exception( | ||||||
|  |                         f"Field {_secret_key} has no value in bitwarden secret") | ||||||
|                 secret.data[_secret_ref] = str(base64.b64encode( |                 secret.data[_secret_ref] = str(base64.b64encode( | ||||||
|                     value.encode("utf-8")), "utf-8") |                     value.encode("utf-8")), "utf-8") | ||||||
|             if _secret_scope == "fields": |             if _secret_scope == "fields": | ||||||
|                 value = parse_fields_scope(secret_json, _secret_key) |                 value = parse_fields_scope(secret_json, _secret_key) | ||||||
|                 if value is None: |                 if value is None: | ||||||
|                     raise Exception(f"Field {_secret_key} has no value in bitwarden secret") |                     raise Exception( | ||||||
|  |                         f"Field {_secret_key} has no value in bitwarden secret") | ||||||
|                 secret.data[_secret_ref] = str(base64.b64encode( |                 secret.data[_secret_ref] = str(base64.b64encode( | ||||||
|                     value.encode("utf-8")), "utf-8") |                     value.encode("utf-8")), "utf-8") | ||||||
|     return secret |     return secret | ||||||
| @@ -43,7 +44,7 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs): | |||||||
|  |  | ||||||
|     unlock_bw(logger) |     unlock_bw(logger) | ||||||
|     logger.info(f"Locking up secret with ID: {id}") |     logger.info(f"Locking up secret with ID: {id}") | ||||||
|     secret_json_object = json.loads(get_secret_from_bitwarden(id)) |     secret_json_object = get_secret_from_bitwarden(logger, id) | ||||||
|  |  | ||||||
|     api = kubernetes.client.CoreV1Api() |     api = kubernetes.client.CoreV1Api() | ||||||
|  |  | ||||||
| @@ -65,8 +66,15 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs): | |||||||
|  |  | ||||||
|  |  | ||||||
| @kopf.on.update('bitwarden-secret.lerentis.uploadfilter24.eu') | @kopf.on.update('bitwarden-secret.lerentis.uploadfilter24.eu') | ||||||
| @kopf.timer('bitwarden-secret.lerentis.uploadfilter24.eu', interval=900) | @kopf.timer('bitwarden-secret.lerentis.uploadfilter24.eu', interval=bw_sync_interval) | ||||||
| def update_managed_secret(spec, status, name, namespace, logger, body, **kwargs): | def update_managed_secret( | ||||||
|  |         spec, | ||||||
|  |         status, | ||||||
|  |         name, | ||||||
|  |         namespace, | ||||||
|  |         logger, | ||||||
|  |         body, | ||||||
|  |         **kwargs): | ||||||
|  |  | ||||||
|     content_def = body['spec']['content'] |     content_def = body['spec']['content'] | ||||||
|     id = spec.get('id') |     id = spec.get('id') | ||||||
| @@ -74,23 +82,30 @@ def update_managed_secret(spec, status, name, namespace, logger, body, **kwargs) | |||||||
|     old_secret_name = None |     old_secret_name = None | ||||||
|     old_secret_namespace = None |     old_secret_namespace = None | ||||||
|     if 'kopf.zalando.org/last-handled-configuration' in body.metadata.annotations: |     if 'kopf.zalando.org/last-handled-configuration' in body.metadata.annotations: | ||||||
|         old_config = json.loads(body.metadata.annotations['kopf.zalando.org/last-handled-configuration']) |         old_config = json.loads( | ||||||
|  |             body.metadata.annotations['kopf.zalando.org/last-handled-configuration']) | ||||||
|         old_secret_name = old_config['spec'].get('name') |         old_secret_name = old_config['spec'].get('name') | ||||||
|         old_secret_namespace = old_config['spec'].get('namespace') |         old_secret_namespace = old_config['spec'].get('namespace') | ||||||
|     secret_name = spec.get('name') |     secret_name = spec.get('name') | ||||||
|     secret_namespace = spec.get('namespace') |     secret_namespace = spec.get('namespace') | ||||||
|  |  | ||||||
|     if old_config is not None and (old_secret_name != secret_name or old_secret_namespace != secret_namespace): |     if old_config is not None and ( | ||||||
|  |             old_secret_name != secret_name or old_secret_namespace != secret_namespace): | ||||||
|         # If the name of the secret or the namespace of the secret is different |         # If the name of the secret or the namespace of the secret is different | ||||||
|         # We have to delete the secret an recreate it |         # We have to delete the secret an recreate it | ||||||
|         logger.info("Secret name or namespace changed, let's recreate it") |         logger.info("Secret name or namespace changed, let's recreate it") | ||||||
|         delete_managed_secret(old_config['spec'], name, namespace, logger, **kwargs) |         delete_managed_secret( | ||||||
|  |             old_config['spec'], | ||||||
|  |             name, | ||||||
|  |             namespace, | ||||||
|  |             logger, | ||||||
|  |             **kwargs) | ||||||
|         create_managed_secret(spec, name, namespace, logger, body, **kwargs) |         create_managed_secret(spec, name, namespace, logger, body, **kwargs) | ||||||
|         return |         return | ||||||
|  |  | ||||||
|     unlock_bw(logger) |     unlock_bw(logger) | ||||||
|     logger.info(f"Locking up secret with ID: {id}") |     logger.info(f"Locking up secret with ID: {id}") | ||||||
|     secret_json_object = json.loads(get_secret_from_bitwarden(id)) |     secret_json_object = get_secret_from_bitwarden(logger, id) | ||||||
|  |  | ||||||
|     api = kubernetes.client.CoreV1Api() |     api = kubernetes.client.CoreV1Api() | ||||||
|  |  | ||||||
| @@ -109,8 +124,9 @@ def update_managed_secret(spec, status, name, namespace, logger, body, **kwargs) | |||||||
|             name=secret_name, |             name=secret_name, | ||||||
|             body=secret, |             body=secret, | ||||||
|             namespace="{}".format(secret_namespace)) |             namespace="{}".format(secret_namespace)) | ||||||
|         logger.info(f"Secret {secret_namespace}/{secret_name} has been updated") |         logger.info( | ||||||
|     except: |             f"Secret {secret_namespace}/{secret_name} has been updated") | ||||||
|  |     except BaseException: | ||||||
|         logger.warn( |         logger.warn( | ||||||
|             f"Could not update secret {secret_namespace}/{secret_name}!") |             f"Could not update secret {secret_namespace}/{secret_name}!") | ||||||
|  |  | ||||||
| @@ -125,6 +141,6 @@ def delete_managed_secret(spec, name, namespace, logger, **kwargs): | |||||||
|         api.delete_namespaced_secret(secret_name, secret_namespace) |         api.delete_namespaced_secret(secret_name, secret_namespace) | ||||||
|         logger.info( |         logger.info( | ||||||
|             f"Secret {secret_namespace}/{secret_name} has been deleted") |             f"Secret {secret_namespace}/{secret_name} has been deleted") | ||||||
|     except: |     except BaseException: | ||||||
|         logger.warn( |         logger.warn( | ||||||
|             f"Could not delete secret {secret_namespace}/{secret_name}!") |             f"Could not delete secret {secret_namespace}/{secret_name}!") | ||||||
|   | |||||||
| @@ -1,9 +1,15 @@ | |||||||
| import json | from utils.utils import get_secret_from_bitwarden, get_attachment, parse_fields_scope, parse_login_scope | ||||||
|  |  | ||||||
| from utils.utils import get_secret_from_bitwarden, parse_fields_scope, parse_login_scope |  | ||||||
|  |  | ||||||
| def bitwarden_lookup(id, scope, field): | class BitwardenLookupHandler: | ||||||
|     _secret_json = json.loads(get_secret_from_bitwarden(id)) |  | ||||||
|  |     def __init__(self, logger) -> None: | ||||||
|  |         self.logger = logger | ||||||
|  |  | ||||||
|  |     def bitwarden_lookup(self, id, scope, field): | ||||||
|  |         if scope == "attachment": | ||||||
|  |             return get_attachment(self.logger, id, field) | ||||||
|  |         _secret_json = get_secret_from_bitwarden(self.logger, id) | ||||||
|         if scope == "login": |         if scope == "login": | ||||||
|             return parse_login_scope(_secret_json, field) |             return parse_login_scope(_secret_json, field) | ||||||
|         if scope == "fields": |         if scope == "fields": | ||||||
|   | |||||||
| @@ -3,26 +3,29 @@ import base64 | |||||||
| import kubernetes | import kubernetes | ||||||
| import json | import json | ||||||
|  |  | ||||||
| from utils.utils import unlock_bw | from utils.utils import unlock_bw, bw_sync_interval | ||||||
| from lookups.bitwarden_lookup import bitwarden_lookup | from lookups.bitwarden_lookup import BitwardenLookupHandler | ||||||
| from jinja2 import Environment, BaseLoader | from jinja2 import Environment, BaseLoader | ||||||
|  |  | ||||||
|  |  | ||||||
| lookup_func_dict = { | def render_template(logger, template): | ||||||
|     "bitwarden_lookup": bitwarden_lookup, |  | ||||||
| } |  | ||||||
|  |  | ||||||
| def render_template(template): |  | ||||||
|     jinja_template = Environment(loader=BaseLoader()).from_string(template) |     jinja_template = Environment(loader=BaseLoader()).from_string(template) | ||||||
|     jinja_template.globals.update(lookup_func_dict) |     jinja_template.globals.update({ | ||||||
|  |         "bitwarden_lookup": BitwardenLookupHandler(logger).bitwarden_lookup, | ||||||
|  |     }) | ||||||
|     return jinja_template.render() |     return jinja_template.render() | ||||||
|  |  | ||||||
| def create_template_secret(secret, filename, template): |  | ||||||
|  | def create_template_secret(logger, secret, filename, template): | ||||||
|     secret.type = "Opaque" |     secret.type = "Opaque" | ||||||
|     secret.data = {} |     secret.data = {} | ||||||
|     secret.data[filename] = str(base64.b64encode(render_template(template).encode("utf-8")), "utf-8") |     secret.data[filename] = str( | ||||||
|  |         base64.b64encode( | ||||||
|  |             render_template(logger, template).encode("utf-8")), | ||||||
|  |         "utf-8") | ||||||
|     return secret |     return secret | ||||||
|  |  | ||||||
|  |  | ||||||
| @kopf.on.create('bitwarden-template.lerentis.uploadfilter24.eu') | @kopf.on.create('bitwarden-template.lerentis.uploadfilter24.eu') | ||||||
| def create_managed_secret(spec, name, namespace, logger, body, **kwargs): | def create_managed_secret(spec, name, namespace, logger, body, **kwargs): | ||||||
|  |  | ||||||
| @@ -40,8 +43,9 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs): | |||||||
|         "managedObject": f"{namespace}/{name}" |         "managedObject": f"{namespace}/{name}" | ||||||
|     } |     } | ||||||
|     secret = kubernetes.client.V1Secret() |     secret = kubernetes.client.V1Secret() | ||||||
|     secret.metadata = kubernetes.client.V1ObjectMeta(name=secret_name, annotations=annotations) |     secret.metadata = kubernetes.client.V1ObjectMeta( | ||||||
|     secret = create_template_secret(secret, filename, template) |         name=secret_name, annotations=annotations) | ||||||
|  |     secret = create_template_secret(logger, secret, filename, template) | ||||||
|  |  | ||||||
|     obj = api.create_namespaced_secret( |     obj = api.create_namespaced_secret( | ||||||
|         secret_namespace, secret |         secret_namespace, secret | ||||||
| @@ -49,9 +53,17 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs): | |||||||
|  |  | ||||||
|     logger.info(f"Secret {secret_namespace}/{secret_name} has been created") |     logger.info(f"Secret {secret_namespace}/{secret_name} has been created") | ||||||
|  |  | ||||||
|  |  | ||||||
| @kopf.on.update('bitwarden-template.lerentis.uploadfilter24.eu') | @kopf.on.update('bitwarden-template.lerentis.uploadfilter24.eu') | ||||||
| @kopf.timer('bitwarden-template.lerentis.uploadfilter24.eu', interval=900) | @kopf.timer('bitwarden-template.lerentis.uploadfilter24.eu', interval=bw_sync_interval) | ||||||
| def update_managed_secret(spec, status, name, namespace, logger, body, **kwargs): | def update_managed_secret( | ||||||
|  |         spec, | ||||||
|  |         status, | ||||||
|  |         name, | ||||||
|  |         namespace, | ||||||
|  |         logger, | ||||||
|  |         body, | ||||||
|  |         **kwargs): | ||||||
|  |  | ||||||
|     template = spec.get('template') |     template = spec.get('template') | ||||||
|     filename = spec.get('filename') |     filename = spec.get('filename') | ||||||
| @@ -62,17 +74,24 @@ def update_managed_secret(spec, status, name, namespace, logger, body, **kwargs) | |||||||
|     old_secret_name = None |     old_secret_name = None | ||||||
|     old_secret_namespace = None |     old_secret_namespace = None | ||||||
|     if 'kopf.zalando.org/last-handled-configuration' in body.metadata.annotations: |     if 'kopf.zalando.org/last-handled-configuration' in body.metadata.annotations: | ||||||
|         old_config = json.loads(body.metadata.annotations['kopf.zalando.org/last-handled-configuration']) |         old_config = json.loads( | ||||||
|  |             body.metadata.annotations['kopf.zalando.org/last-handled-configuration']) | ||||||
|         old_secret_name = old_config['spec'].get('name') |         old_secret_name = old_config['spec'].get('name') | ||||||
|         old_secret_namespace = old_config['spec'].get('namespace') |         old_secret_namespace = old_config['spec'].get('namespace') | ||||||
|     secret_name = spec.get('name') |     secret_name = spec.get('name') | ||||||
|     secret_namespace = spec.get('namespace') |     secret_namespace = spec.get('namespace') | ||||||
|  |  | ||||||
|     if old_config is not None and (old_secret_name != secret_name or old_secret_namespace != secret_namespace): |     if old_config is not None and ( | ||||||
|  |             old_secret_name != secret_name or old_secret_namespace != secret_namespace): | ||||||
|         # If the name of the secret or the namespace of the secret is different |         # If the name of the secret or the namespace of the secret is different | ||||||
|         # We have to delete the secret an recreate it |         # We have to delete the secret an recreate it | ||||||
|         logger.info("Secret name or namespace changed, let's recreate it") |         logger.info("Secret name or namespace changed, let's recreate it") | ||||||
|         delete_managed_secret(old_config['spec'], name, namespace, logger, **kwargs) |         delete_managed_secret( | ||||||
|  |             old_config['spec'], | ||||||
|  |             name, | ||||||
|  |             namespace, | ||||||
|  |             logger, | ||||||
|  |             **kwargs) | ||||||
|         create_managed_secret(spec, name, namespace, logger, body, **kwargs) |         create_managed_secret(spec, name, namespace, logger, body, **kwargs) | ||||||
|         return |         return | ||||||
|  |  | ||||||
| @@ -85,19 +104,22 @@ def update_managed_secret(spec, status, name, namespace, logger, body, **kwargs) | |||||||
|         "managedObject": f"{namespace}/{name}" |         "managedObject": f"{namespace}/{name}" | ||||||
|     } |     } | ||||||
|     secret = kubernetes.client.V1Secret() |     secret = kubernetes.client.V1Secret() | ||||||
|     secret.metadata = kubernetes.client.V1ObjectMeta(name=secret_name, annotations=annotations) |     secret.metadata = kubernetes.client.V1ObjectMeta( | ||||||
|     secret = create_template_secret(secret, filename, template) |         name=secret_name, annotations=annotations) | ||||||
|  |     secret = create_template_secret(logger, secret, filename, template) | ||||||
|  |  | ||||||
|     try: |     try: | ||||||
|         obj = api.replace_namespaced_secret( |         obj = api.replace_namespaced_secret( | ||||||
|             name=secret_name, |             name=secret_name, | ||||||
|             body=secret, |             body=secret, | ||||||
|             namespace="{}".format(secret_namespace)) |             namespace="{}".format(secret_namespace)) | ||||||
|         logger.info(f"Secret {secret_namespace}/{secret_name} has been updated") |         logger.info( | ||||||
|     except: |             f"Secret {secret_namespace}/{secret_name} has been updated") | ||||||
|  |     except BaseException: | ||||||
|         logger.warn( |         logger.warn( | ||||||
|             f"Could not update secret {secret_namespace}/{secret_name}!") |             f"Could not update secret {secret_namespace}/{secret_name}!") | ||||||
|  |  | ||||||
|  |  | ||||||
| @kopf.on.delete('bitwarden-template.lerentis.uploadfilter24.eu') | @kopf.on.delete('bitwarden-template.lerentis.uploadfilter24.eu') | ||||||
| def delete_managed_secret(spec, name, namespace, logger, **kwargs): | def delete_managed_secret(spec, name, namespace, logger, **kwargs): | ||||||
|     secret_name = spec.get('name') |     secret_name = spec.get('name') | ||||||
| @@ -106,6 +128,8 @@ def delete_managed_secret(spec, name, namespace, logger, **kwargs): | |||||||
|  |  | ||||||
|     try: |     try: | ||||||
|         api.delete_namespaced_secret(secret_name, secret_namespace) |         api.delete_namespaced_secret(secret_name, secret_namespace) | ||||||
|         logger.info(f"Secret {secret_namespace}/{secret_name} has been deleted") |         logger.info( | ||||||
|     except: |             f"Secret {secret_namespace}/{secret_name} has been deleted") | ||||||
|         logger.warn(f"Could not delete secret {secret_namespace}/{secret_name}!") |     except BaseException: | ||||||
|  |         logger.warn( | ||||||
|  |             f"Could not delete secret {secret_namespace}/{secret_name}!") | ||||||
|   | |||||||
| @@ -1,38 +1,91 @@ | |||||||
| import os | import os | ||||||
| import json | import json | ||||||
| import subprocess | import subprocess | ||||||
|  | import distutils | ||||||
|  |  | ||||||
|  | bw_sync_interval = float(os.environ.get( | ||||||
|  |     'BW_SYNC_INTERVAL', 900)) | ||||||
|  |  | ||||||
| class BitwardenCommandException(Exception): | class BitwardenCommandException(Exception): | ||||||
|     pass |     pass | ||||||
|  |  | ||||||
| def get_secret_from_bitwarden(id): |  | ||||||
|     return command_wrapper(command=f"get item {id}") | def get_secret_from_bitwarden(logger, id, force_sync=False): | ||||||
|  |     sync_bw(logger, force=force_sync) | ||||||
|  |     return command_wrapper(logger, command=f"get item {id}") | ||||||
|  |  | ||||||
|  |  | ||||||
|  | def sync_bw(logger, force=False): | ||||||
|  |  | ||||||
|  |     def _sync(logger): | ||||||
|  |         status_output = command_wrapper(logger, command=f"sync") | ||||||
|  |         logger.info(f"Sync successful {status_output}") | ||||||
|  |         return | ||||||
|  |  | ||||||
|  |     if force: | ||||||
|  |         _sync(logger) | ||||||
|  |         return | ||||||
|  |  | ||||||
|  |     global_force_sync = bool(distutils.util.strtobool( | ||||||
|  |         os.environ.get('BW_FORCE_SYNC', "false"))) | ||||||
|  |  | ||||||
|  |     if global_force_sync: | ||||||
|  |         logger.debug("Running forced sync") | ||||||
|  |         status_output = _sync(logger) | ||||||
|  |         logger.info(f"Sync successful {status_output}") | ||||||
|  |     else: | ||||||
|  |         logger.debug("Running scheduled sync") | ||||||
|  |         status_output = _sync(logger) | ||||||
|  |         logger.info(f"Sync successful {status_output}") | ||||||
|  |  | ||||||
|  |  | ||||||
|  | def get_attachment(logger, id, name): | ||||||
|  |     return command_wrapper(logger, command=f"get attachment {name} --itemid {id}", raw=True) | ||||||
|  |  | ||||||
|  |  | ||||||
| def unlock_bw(logger): | def unlock_bw(logger): | ||||||
|     status_output = command_wrapper("status") |     status_output = command_wrapper(logger, "status", False) | ||||||
|     status = json.loads(status_output)['status'] |     status = status_output['data']['template']['status'] | ||||||
|     if status == 'unlocked': |     if status == 'unlocked': | ||||||
|         logger.info("Already unlocked") |         logger.info("Already unlocked") | ||||||
|         return |         return | ||||||
|     token_output = command_wrapper("unlock --passwordenv BW_PASSWORD") |     token_output = command_wrapper(logger, "unlock --passwordenv BW_PASSWORD") | ||||||
|     tokens = token_output.split('"')[1::2] |     os.environ["BW_SESSION"] = token_output["data"]["raw"] | ||||||
|     os.environ["BW_SESSION"] = tokens[1] |  | ||||||
|     logger.info("Signin successful. Session exported") |     logger.info("Signin successful. Session exported") | ||||||
|  |  | ||||||
| def command_wrapper(command): |  | ||||||
|  | def command_wrapper(logger, command, use_success: bool = True, raw: bool = False): | ||||||
|     system_env = dict(os.environ) |     system_env = dict(os.environ) | ||||||
|     sp = subprocess.Popen([f"bw {command}"], stdout=subprocess.PIPE, stderr=subprocess.PIPE, close_fds=True, shell=True, env=system_env) |     response_flag = "--raw" if raw else "--response" | ||||||
|  |     sp = subprocess.Popen( | ||||||
|  |         [f"bw {response_flag} {command}"], | ||||||
|  |         stdout=subprocess.PIPE, | ||||||
|  |         stderr=subprocess.PIPE, | ||||||
|  |         close_fds=True, | ||||||
|  |         shell=True, | ||||||
|  |         env=system_env) | ||||||
|     out, err = sp.communicate() |     out, err = sp.communicate() | ||||||
|     if err: |     if err: | ||||||
|         raise BitwardenCommandException(err) |         logger.warn(err) | ||||||
|  |         return None | ||||||
|  |     if raw: | ||||||
|         return out.decode(encoding='UTF-8') |         return out.decode(encoding='UTF-8') | ||||||
|  |     if "DEBUG" in system_env: | ||||||
|  |         logger.info(out.decode(encoding='UTF-8')) | ||||||
|  |     resp = json.loads(out.decode(encoding='UTF-8')) | ||||||
|  |     if resp["success"] != None and (not use_success or (use_success and resp["success"] == True)): | ||||||
|  |         return resp | ||||||
|  |     logger.warn(resp) | ||||||
|  |     return None | ||||||
|  |  | ||||||
|  |  | ||||||
| def parse_login_scope(secret_json, key): | def parse_login_scope(secret_json, key): | ||||||
|     return secret_json["login"][key] |     return secret_json["data"]["login"][key] | ||||||
|  |  | ||||||
|  |  | ||||||
| def parse_fields_scope(secret_json, key): | def parse_fields_scope(secret_json, key): | ||||||
|     if "fields" not in secret_json: |     if "fields" not in secret_json["data"]: | ||||||
|         return None |         return None | ||||||
|     for entry in secret_json["fields"]: |     for entry in secret_json["data"]["fields"]: | ||||||
|         if entry['name'] == key: |         if entry['name'] == key: | ||||||
|             return entry['value'] |             return entry['value'] | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user