From 38459629bc62758c96893936afcfdb351c92a1c4 Mon Sep 17 00:00:00 2001
From: Christoph Thalhammer <25662281+chrthal@users.noreply.github.com>
Date: Wed, 19 Jun 2024 11:24:22 +0200
Subject: [PATCH] Updated CRDs and added custom secret type to templates
---
 charts/bitwarden-crd-operator/Chart.yaml | 25 ++++---------
 .../crds/bitwarden-templates.yaml | 32 +++++++++++++++++
 .../crds/registry-credentials.yaml | 36 +++++++++++++++++++
 src/template.py | 15 ++++++--
 4 files changed, 88 insertions(+), 20 deletions(-)
diff --git a/charts/bitwarden-crd-operator/Chart.yaml b/charts/bitwarden-crd-operator/Chart.yaml
index 59fc471..8f0bd75 100644
--- a/charts/bitwarden-crd-operator/Chart.yaml
+++ b/charts/bitwarden-crd-operator/Chart.yaml
@@ -37,12 +37,12 @@ annotations: displayName: Bitwarden Secret description: Management Object to create secrets from bitwarden - kind: RegistryCredential - version: v1beta6 + version: v1beta7 name: registry-credential displayName: Regestry Credentials description: Management Object to create regestry secrets from bitwarden - kind: BitwardenTemplate - version: v1beta6 + version: v1beta7 name: bitwarden-template displayName: Bitwarden Template description: Management Object to create secrets from a jinja template with a bitwarden lookup
@@ -67,7 +67,7 @@ annotations: key: value annotations: key: value - - apiVersion: lerentis.uploadfilter24.eu/v1beta6 + - apiVersion: lerentis.uploadfilter24.eu/v1beta7 kind: RegistryCredential metadata: name: test
@@ -82,13 +82,14 @@ annotations: key: value annotations: key: value - - apiVersion: "lerentis.uploadfilter24.eu/v1beta6" + - apiVersion: "lerentis.uploadfilter24.eu/v1beta7" kind: BitwardenTemplate metadata: name: test spec: filename: "config.yaml" name: "test-regcred" + secretType: Obaque #Optional namespace: "default" labels: key: value
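Review bot: The artifacthub example added in the `@@ -82` hunk spells the new field's value `Obaque`, and since the operator copies `spec.secretType` verbatim into `Secret.type` (src/template.py, `secret.type = custom_secret_type`), anyone pasting this example gets a Secret whose type is the literal string `Obaque` instead of the intended `Opaque` default. Change the line to `secretType: Opaque #Optional`. It would also help readers to state the default in the example comment, e.g. `secretType: Opaque # Optional, defaults to Opaque`, since the operator applies that default when the field is omitted.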
@@ -110,22 +111,10 @@ annotations: artifacthub.io/changes: | - kind: added description: "Allow custom type for generated secrets" - - kind: changed - description: "Update python to 3.11.9-r0" - - kind: changed - description: "Update Node to 20.12.1-r0" - - kind: changed - description: "Update libcrypto3 to 3.1.4-r5" - - kind: changed - description: "Update alpine to 3.19.1" - - kind: changed - description: "Update kopf to 1.37.2" - - kind: changed - description: "Update jinja to 3.1.4" - kind: added - description: "Allow custom annotations to generated secrets" + description: "Allow attachments in generated secrets" - kind: added - description: "Set ownership of generated secrets if CRD is in the same namespace" + description: "Allow custom type in templated secrets" artifacthub.io/images: | - name: bitwarden-crd-operator image: ghcr.io/lerentis/bitwarden-crd-operator:0.12.0
diff --git a/charts/bitwarden-crd-operator/crds/bitwarden-templates.yaml b/charts/bitwarden-crd-operator/crds/bitwarden-templates.yaml
index 8cc47f5..fd5ef4a 100644
--- a/charts/bitwarden-crd-operator/crds/bitwarden-templates.yaml
+++ b/charts/bitwarden-crd-operator/crds/bitwarden-templates.yaml
@@ -65,6 +65,36 @@ spec: - namespace - name - name: v1beta6 + served: true + storage: false + deprecated: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + filename: + type: string + template: + type: string + namespace: + type: string + name: + type: string + labels: + type: object + x-kubernetes-preserve-unknown-fields: true + annotations: + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - filename + - template + - namespace + - name + - name: v1beta7 served: true storage: true schema:
@@ -82,6 +112,8 @@ spec: type: string name: type: string + secretType: + type: string labels: type: object x-kubernetes-preserve-unknown-fields: true
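Review bot: Moving `storage: true` from `v1beta6` to `v1beta7` leaves every BitwardenTemplate already persisted under `v1beta6` listed in the CRD's `status.storedVersions`, so the `deprecated: true` entry added in the `@@ -65` hunk cannot simply be deleted in a later release: CRD validation rejects removing a version that is still a stored version until those objects have been rewritten and the status pruned. The same applies to the identical `v1beta6` block added in charts/bitwarden-crd-operator/crds/registry-credentials.yaml. A comment next to `storage: false` would save the next maintainer a surprise, e.g. `# still served for objects stored as v1beta6; migrate status.storedVersions before removing`. Because the `v1beta6` schema is copied unchanged and `v1beta7` only adds an optional field, the default `None` conversion strategy should be enough, assuming no `conversion` block exists outside the hunk; setting `deprecationWarning` alongside `deprecated: true` would additionally let you tell users when `v1beta6` goes away.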
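Review bot: The `secretType` property added in the `@@ -82` hunk is an unconstrained string, yet the operator writes it straight into `Secret.type`, and for built-in types such as `kubernetes.io/tls` or `kubernetes.io/dockerconfigjson` the API server enforces required data keys that a template stored under the user's `filename` key will not provide. The mismatch then surfaces as a failed Secret write inside the handler rather than as a schema error at admission of the CR, where the user would actually see it. Consider either an `enum` restricting the value to types the rendered layout can satisfy, or at least a `description` stating that a built-in type requires the data keys that type mandates (e.g. `tls.crt`/`tls.key` for `kubernetes.io/tls`) and that the value defaults to `Opaque`.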
diff --git a/charts/bitwarden-crd-operator/crds/registry-credentials.yaml b/charts/bitwarden-crd-operator/crds/registry-credentials.yaml
index 233ddb6..5fe4b75 100644
--- a/charts/bitwarden-crd-operator/crds/registry-credentials.yaml
+++ b/charts/bitwarden-crd-operator/crds/registry-credentials.yaml
@@ -77,6 +77,42 @@ spec: - passwordRef - registry - name: v1beta6 + served: true + storage: false + deprecated: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + usernameRef: + type: string + passwordRef: + type: string + registry: + type: string + id: + type: string + namespace: + type: string + name: + type: string + labels: + type: object + x-kubernetes-preserve-unknown-fields: true + annotations: + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - id + - namespace + - name + - usernameRef + - passwordRef + - registry + - name: v1beta7 served: true storage: true schema:
diff --git a/src/template.py b/src/template.py
index c3ff026..5ccf7c5 100644
--- a/src/template.py
+++ b/src/template.py
@@ -17,7 +17,6 @@ def render_template(logger, template): def create_template_secret(logger, secret, filename, template): - secret.type = "Opaque" secret.data = {} secret.data[filename] = str( base64.b64encode(
@@ -35,6 +34,7 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs): secret_namespace = spec.get('namespace') labels = spec.get('labels') custom_annotations = spec.get('annotations') + custom_secret_type = spec.get('secretType') unlock_bw(logger)
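Review bot: With `secret.type = "Opaque"` removed in the `@@ -17` hunk, `create_template_secret` no longer decides the secret's type, but nothing in the function says so, and a future caller that reuses it without first assigning `type` would silently submit a Secret with no type (the API server presumably defaults that to Opaque, but the intent is then invisible in this code). Add a line under the `def`: `# Fills only .data; the caller is responsible for setting .type before/after this call.` The body of `create_template_secret` continues outside the hunk.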
@@ -48,12 +48,16 @@ def create_managed_secret(spec, name, namespace, logger, body, **kwargs): if custom_annotations: annotations.update(custom_annotations) + if not custom_secret_type: + custom_secret_type = 'Opaque' + if not labels: labels = {} secret = kubernetes.client.V1Secret() secret.metadata = kubernetes.client.V1ObjectMeta( name=secret_name, annotations=annotations, labels=labels) + secret.type = custom_secret_type secret = create_template_secret(logger, secret, filename, template) # Garbage collection will delete the generated secret if the owner
@@ -85,20 +89,26 @@ def update_managed_secret( secret_namespace = spec.get('namespace') labels = spec.get('labels') custom_annotations = spec.get('annotations') + custom_secret_type = spec.get('secretType') + + if not custom_secret_type: + custom_secret_type = 'Opaque' old_config = None old_secret_name = None old_secret_namespace = None + old_secret_type = None if 'kopf.zalando.org/last-handled-configuration' in body.metadata.annotations: old_config = json.loads( body.metadata.annotations['kopf.zalando.org/last-handled-configuration']) old_secret_name = old_config['spec'].get('name') old_secret_namespace = old_config['spec'].get('namespace') + old_secret_type = old_config['spec'].get('type') secret_name = spec.get('name') secret_namespace = spec.get('namespace') if old_config is not None and ( - old_secret_name != secret_name or old_secret_namespace != secret_namespace): + old_secret_name != secret_name or old_secret_namespace != secret_namespace or old_secret_type != custom_secret_type): # If the name of the secret or the namespace of the secret is different # We have to delete the secret an recreate it logger.info("Secret name or namespace changed, let's recreate it")
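Review bot: The two-line default in the `@@ -48` hunk, `if not custom_secret_type: custom_secret_type = 'Opaque'`, is repeated verbatim in `update_managed_secret` in the next hunk, and the literal `'Opaque'` now lives in two places that must stay in sync. Collapse each site to `custom_secret_type = spec.get('secretType') or 'Opaque'` and hoist the literal into a module constant such as `DEFAULT_SECRET_TYPE = 'Opaque'` so the default is defined once. `create_managed_secret` starts and ends outside the hunk.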
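Review bot: `old_secret_type = old_config['spec'].get('type')` in the `@@ -85` hunk reads the wrong key: the field this handler and the create path take from the spec is `secretType`, so `old_secret_type` is always `None`, and because `custom_secret_type` has just been defaulted to `'Opaque'` the new `or old_secret_type != custom_secret_type` term is true on every update. Every reconcile of an unchanged CR therefore deletes and recreates the Secret, which also opens a window in which workloads mounting it see no Secret at all. Read the same key and apply the same default, `old_secret_type = old_config['spec'].get('secretType') or 'Opaque'`, so an older object that never had the field compares equal to the new default. The comment and log line just below still only mention name and namespace; extend them, e.g. `logger.info("Secret name, namespace or type changed, let's recreate it")`. `update_managed_secret` continues outside the hunk.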
@@ -129,6 +139,7 @@ def update_managed_secret( secret = kubernetes.client.V1Secret() secret.metadata = kubernetes.client.V1ObjectMeta( name=secret_name, annotations=annotations, labels=labels) + secret.type = custom_secret_type secret = create_template_secret(logger, secret, filename, template) # Garbage collection will delete the generated secret if the owner