A kubernetes operator which synchronizes secrets from Bitwarden™ Secrets Manager.
This operator is designed to be installed in a cluster to manage secrets in namespaces in any namespace.
A Helm chart is provided for installation. It can be installed directly with helm or by using the helm chart as a source for ArgoCD.
helm repo add bitwarden-k8s-secrets-manager https://rhpds.github.io/bitwarden-k8s-secrets-manager helm install bitwarden-k8s-secrets-manager bitwarden-k8s-secrets-manager/bitwarden-k8s-secrets-manager
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: bitwarden-k8s-secrets-manager
namespace: openshift-gitops
spec:
destination:
name: in-cluster
project: default
helm:
path: helm
repoURL: https://github.com/rhpds/bitwarden-k8s-secrets-manager.git
targetRevision: {{ .Values.bitwardenK8sSecretsManager.version }}
A custom resource definition is provided to allow creation of BitwardenSyncConfig resources.
The Helm chart supports creating BitwardenSyncConfigs on installation with values specifying a dictionary in the values with the key being the BitwardenSyncConfig name and the value being the spec.
Example default BitwardenSyncConfig:
apiVersion: bitwarden-k8s-secrets-manager.demo.redhat.com/v1
kind: BitwardenSyncConfig
metadata:
name: default
namespace: bitwarden-k8s-secrets-manager
spec:
accessTokenSecret:
name: bitwarden-access-token
secrets:
# Bitwarden secret named "app_secret_key" is a simple string value synced
# to secret "app-secret-key" in "app-namespace" under data item "token".
- name: app-secret-key
namespace: app-namespace
data:
token:
secret: app_secret_key
# Bitwarden secret named "app_database_auth" has a value in YAML or JSON dict
# format with keys "server", "username", and "password".
# Secret is synced to secret "app-database-auth" in "app-namespace" with
# labels "app.kubernetes.io/name" with a value "example-app" and
# "database-server" with value that exposes the server value.
- name: app-database-auth
namespace: app-namespace
data:
server:
secret: app_database_auth
key: server
username:
secret: app_database_auth
key: username
password:
secret: app_database_auth
key: password
database:
secret: app_database_auth
key: dbname
port:
secret: app_database_auth
key: dbport
labels:
app.kubernetes.io/name:
value: example-app
database-server:
secret: app_database_auth
key: server
Example Bitwarden Secrets Manager values for using these entries.
Secrets Manager Secret Name: ------------------------------------------------------------------------------- app_database_auth ------------------------------------------------------------------------------- Value:
server: productiondb.example.com password: <our_really_strong_c0mpl#X_PASSWORD!> username: tannerite dbname: tracking dbport: 12345
Example BitwardenSyncSecret which uses default BitwardenSyncConfig:
apiVersion: bitwarden-k8s-secrets-manager.demo.redhat.com/v1
kind: BitwardenSyncSecret
metadata:
name: myapp-db
namespace: myapp
spec:
data:
server:
secret: ldap_creds
key: server
bind_dn:
secret: ldap_creds
key: bind_dn
bind_pw:
secret: ldap_creds
key: bind_password
labels:
app.kubernetes.io/name:
value: example-app
ldap-server:
secret: ldap_creds
key: server
env:
secret: ldap_creds
key: environment
Example Bitwarden Secrets Manager values for using these entries.
Secrets Manager Secret Name: ------------------------------------------------------------------------------- ldap_creds ------------------------------------------------------------------------------- Value:
server: ldap.mydomain.example.com bind_dn: uid=clustera-euwest2-robot,cn=users,dc=mydomain,dc=example,dc=com bind_password: <ANOTHER_hideously_COMPL3X_PASSW0$%> environment: dev
Example Bitwarden Secrets Manager values for combining two separate secrets into one k8s secret - assumes yaml-formatted data to create a dict.
NOTE: if "key" is not defined here, then the whole secret is dumped out under the entry in the combined secret
apiVersion: bitwarden-k8s-secrets-manager.demo.redhat.com/v1
kind: BitwardenSyncSecret
metadata:
name: myapp-db
namespace: myapp
spec:
data:
ldap:
secret: ldap_creds
database:
secret: app_database_auth
Example BitwardenSyncSecret which uses non-YAML formatted secrets: Note: it is possible to have multiple secrets like this - just make sure no "key:" is defined under the secret name
apiVersion: bitwarden-k8s-secrets-manager.demo.redhat.com/v1 kind: BitwardenSyncSecret metadata: name: myapp-db namespace: myapp spec: data: conf.d_ssl.conf: secret: apache_config labels: app.kubernetes.io/name: value: example-app
Example Bitwarden Secrets Manager values for using these entries.
Secrets Manager Secret
Name:
apache_config
Value:
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost _default_:443>
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
Example BitwardenSyncSecret which uses secrets from 2 specific projects from YAML-formatted secrets. NOTE: this is useful if you have secrets that have the same values defined and you need to combine two different entries from different projects
apiVersion: bitwarden-k8s-secrets-manager.demo.redhat.com/v1 kind: BitwardenSyncSecret metadata: name: myapp-db namespace: myapp_uat_munging spec: data: server: project: superdupersecret_prod secret: app_database_auth key: server username: project: supersecret_uat secret: app_database_auth key: username password: project: supersecret_uat secret: app_database_auth key: password