Add bitwarden secret manager (#1685)
* feat: add Bitwarden Secrets Manager (bws)

* chore: update service account
joryirving committed Feb 8, 2024
1 parent e50a20f commit 807227d
Showing 6 changed files with 170 additions and 0 deletions.
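--- a/kubernetes/teyvat/apps/external-secrets/external-secrets/bitwarden-secrets-manager/clustersecretstore.yaml
+++ b/kubernetes/teyvat/apps/external-secrets/external-secrets/bitwarden-secrets-manager/clustersecretstore.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+name: bitwarden-secrets-manager
+spec:
+provider:
+webhook:
+url: "http://bitwarden-secrets-manager.external-secrets.svc.cluster.local:5000/key/{{ .remoteRef.key }}"
+headers:
+Authorization: "Bearer {{ print .serviceaccount.token }}"
+result:
+jsonPath: "$.value"
+secrets:
+- name: serviceaccount
+secretRef:
+name: bws-secret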
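Review bot: The `secretRef` to `bws-secret` under `spec.provider.webhook.secrets` carries no `namespace`, yet a ClusterSecretStore is cluster-scoped and Kustomize's `targetNamespace` does not apply to it; as far as I can tell the webhook provider then resolves a namespace-less reference relative to the consuming ExternalSecret's namespace (verify against the installed ESO version), so the store works from `external-secrets` and breaks — or picks up an unrelated `bws-secret` — when used from anywhere else. Add `namespace: external-secrets` to that reference. Because this is a ClusterSecretStore, every namespace can also point an ExternalSecret at it and read any key the machine-account token can reach; if the installed ESO supports `spec.conditions` on ClusterSecretStore, restricting it to the namespaces that need it closes that hole. Two further caveats: the token travels as a Bearer header over plain `http://` to the cache Service, so confidentiality rests entirely on in-cluster network isolation (a NetworkPolicy or mTLS if anything untrusted shares the cluster), and `{{ .remoteRef.key }}` is spliced into the URL path unescaped, so a key containing `/` or `..` would change the request path — escape the key with the webhook provider's URL-escaping template function (check its name for your version) or constrain accepted key names.
```yaml
spec:
  # restrict which namespaces may reference this cluster-scoped store
  conditions:
    - namespaces:
        - external-secrets
  provider:
    webhook:
      # … unchanged: url, headers, result …
      secrets:
        - name: serviceaccount
          secretRef:
            name: bws-secret
            namespace: external-secrets
```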
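--- a/kubernetes/teyvat/apps/external-secrets/external-secrets/bitwarden-secrets-manager/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/external-secrets/external-secrets/bitwarden-secrets-manager/externalsecret.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: external-secrets.io/v1alpha1
+kind: ExternalSecret
+metadata:
+name: test
+spec:
+refreshInterval: "15s"
+secretStoreRef:
+name: bitwarden-secrets-manager
+kind: ClusterSecretStore
+target:
+name: test-secret
+data:
+- secretKey: data
+remoteRef:
+key: Test_secret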
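Review bot: The ExternalSecret is declared as `external-secrets.io/v1alpha1` while the ClusterSecretStore it references on this same page is `v1beta1`; `v1alpha1` is the older API level that ESO only keeps for compatibility, so change the first line to `apiVersion: external-secrets.io/v1beta1` and keep both resources on one version. A `refreshInterval` of `"15s"` also makes ESO poll the cache — and, on a miss, Bitwarden — four times a minute for a resource named `test`; if this is a smoke test, raise it to something like `"1h"` or delete the manifest once the store is confirmed working, since otherwise `test-secret` holds a live copy of `Test_secret` in the `external-secrets` namespace indefinitely.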
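--- a/kubernetes/teyvat/apps/external-secrets/external-secrets/bitwarden-secrets-manager/helmrelease.yaml
+++ b/kubernetes/teyvat/apps/external-secrets/external-secrets/bitwarden-secrets-manager/helmrelease.yaml
@@ -0,0 +1,78 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+name: bitwarden-secrets-manager
+spec:
+interval: 5m
+chart:
+spec:
+chart: app-template
+version: 2.5.0
+sourceRef:
+kind: HelmRepository
+name: bjw-s
+namespace: flux-system
+maxHistory: 2
+install:
+remediation:
+retries: 3
+upgrade:
+cleanupOnFail: true
+remediation:
+retries: 3
+uninstall:
+keepHistory: false
+values:
+controllers:
+main:
+annotations:
+reloader.stakater.com/auto: "true"
+containers:
+main:
+image:
+repository: ghcr.io/ripplefcl/bws-cache
+tag: latest@sha256:9f60a8e009300263a773053f8f04aac8f2f66f3bb7416f4a0a8a5ad5d7376a26
+env:
+ORG_ID:
+valueFrom:
+secretKeyRef:
+name: bws-secret
+key: ORG_ID
+# probes:
+# liveness:
+# enabled: true
+# custom: true
+# spec:
+# httpGet:
+# path: /heartbeat
+# port: 5000
+# initialDelaySeconds: 15
+# periodSeconds: 30
+# failureThreshold: 3
+# readiness:
+# enabled: true
+# custom: true
+# spec:
+# httpGet:
+# path: /health
+# port: 5000
+# initialDelaySeconds: 15
+startup:
+enabled: false
+securityContext: &securityContext
+allowPrivilegeEscalation: false
+readOnlyRootFilesystem: true
+capabilities: { drop: ["ALL"] }
+resources: &resources
+requests:
+cpu: 10m
+memory: 10Mi
+limits:
+memory: 100Mi
+service:
+main:
+ports:
+http:
+port: 5000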
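Review bot: The container `securityContext` drops all capabilities and makes the root filesystem read-only but sets neither `runAsNonRoot`/`runAsUser` nor a `seccompProfile`, so the pod that fronts the Bitwarden machine-account token (it reads `ORG_ID` from `bws-secret` and the store presents the token to it on every request) runs as whatever user the `bws-cache` image defaults to, possibly root. Add a pod-level security context under `defaultPodOptions` as below, after confirming the image's `USER` — if the image declares no numeric user, `runAsNonRoot: true` on its own fails at admission, hence the explicit uid. Two smaller points: the `&securityContext` and `&resources` anchors are defined but never aliased in this file, so they can be dropped, and with both probes commented out and `startup` disabled nothing ever removes a wedged cache pod from the Service, so re-enabling the `/health` readiness probe on port 5000 is cheap insurance. The digest pin on `ghcr.io/ripplefcl/bws-cache` is good practice for a third-party image that sees every org secret; keep the pin when the `latest` tag moves rather than dropping back to the bare tag.
```yaml
    values:
      defaultPodOptions:
        securityContext:
          runAsNonRoot: true
          runAsUser: 65534   # TODO confirm against the image's USER
          runAsGroup: 65534
          seccompProfile:
            type: RuntimeDefault
      # … unchanged: controllers, service …
```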
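--- a/kubernetes/teyvat/apps/external-secrets/external-secrets/bitwarden-secrets-manager/kustomization.yaml
+++ b/kubernetes/teyvat/apps/external-secrets/external-secrets/bitwarden-secrets-manager/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./clustersecretstore.yaml
+- ./externalsecret.yaml
+- ./helmrelease.yaml
+- ./secret.sops.yaml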
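--- a/kubernetes/teyvat/apps/external-secrets/external-secrets/bitwarden-secrets-manager/secret.sops.yaml
+++ b/kubernetes/teyvat/apps/external-secrets/external-secrets/bitwarden-secrets-manager/secret.sops.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Secret
+metadata:
+name: bws-secret
+stringData:
+token: ENC[AES256_GCM,data:cgZoXvRDeANUDAv9y5AgcYdIod+lRTI6Gqpi0BO8x1qq9+Wg8EQPenTjCwekSMu9mm8MOn59AKavH2SuoQwi+UBBeLlTyyEJ+bYFH9uorkaO4kl0nfjfjj2PICHPuQ==,iv:OUvqDld+aq+Tp48uGt68/s+saEGf0hDoNlKTsQCAiN4=,tag:FecIjgOdeSp5Tbb+iPKb4Q==,type:str]
+ORG_ID: ENC[AES256_GCM,data:LxGlNDbW7lwP3JdeOBaBHZR7YXaIZJ8NRPYqhYJLOYDZXZNU,iv:OtJyTdqscLtZd67+C5ktyL3AZTp+ZYHZZ54sDJwJD8k=,tag:1tI3pA23w7vHci+VT/vL6A==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age12v9uw8k6myrr49z9aq6jmcwa79aepu0p6p462nrv968qcae72pcspwldec
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByWVR4eGJYWUJ1V0F4Z2x0
+NW8wbFQrY1YxakY3RGtuQmozbFlyL0NqekVzCmZXNWFBdVg5RlBtdUp1dHVFWDlm
+ZVlGOXRjUGpJRm1rMzh1ck5BSVhadmsKLS0tIGVqeE5HUnZVczl4NkJmNEJ1NVoz
+KzRDbWFsVEpsalByQ1pKL2VsbHZuaTQKKQ+Ia4b12/kVhKvypUlf/riQuTQFh9zy
+T/Lp0g6o1eW7KoE+tFk9QgPGYLphyXn/iVNWpz+bMTXhcgFL0qTQZA==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-02-08T17:51:45Z"
+mac: ENC[AES256_GCM,data:nGBKDOcJSdRjzi/9nMaGxl5DyMjiqNT0rwVfnDSAplMOB78nKO2/tCzvlCCooqT+LkmDqr7nKpALG+yVbjBPn1qI9EnpJV+on7DpEatkl4uR47Dr9hjdsKl30ek+nEp+9y2q9I4tjAQX60wjqaxTXjdO/qXIbWP8COLuJlO+2Xw=,iv:+NTFW+O2yw7xvOi/3F75P+e647FoJ/VJwz4ul59MaF0=,tag:x+8SnyOyexLYMpU9YJaHsA==,type:str]
+pgp: []
+encrypted_regex: ^(data|stringData)$
+version: 3.8.1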
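--- a/kubernetes/teyvat/apps/external-secrets/external-secrets/ks.yaml
+++ b/kubernetes/teyvat/apps/external-secrets/external-secrets/ks.yaml
@@ -42,3 +42,26 @@ spec:
 interval: 30m
 retryInterval: 1m
 timeout: 5m
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+name: &app external-secrets-bitwarden-secrets-manager
+namespace: flux-system
+spec:
+targetNamespace: external-secrets
+commonMetadata:
+labels:
+app.kubernetes.io/name: *app
+dependsOn:
+- name: external-secrets
+path: ./kubernetes/teyvat/apps/external-secrets/external-secrets/bitwarden-secrets-manager
+prune: true
+sourceRef:
+kind: GitRepository
+name: home-kubernetes
+wait: true
+interval: 30m
+retryInterval: 1m
+timeout: 5m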
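Review bot: The new Flux Kustomization reconciles a directory whose `kustomization.yaml` includes `secret.sops.yaml`, but this hunk declares no `spec.decryption`; unless a parent Kustomization patches one in (nothing visible on this page does), Flux would apply the `ENC[AES256_GCM,...]` ciphertext verbatim as the `token` and `ORG_ID` values, the cache pod would start with a garbage org id, and the ClusterSecretStore would present garbage as its Bearer token. Add the decryption block below, naming the Secret that holds the age private key for recipient `age12v9uw8k...` (often `sops-age`; match whatever the rest of this cluster uses). `wait: true` together with `dependsOn: external-secrets` is the right ordering, since the ClusterSecretStore CRD must exist before this path is applied. The first Kustomization document in this file begins above the hunk.
```yaml
spec:
  targetNamespace: external-secrets
  # … unchanged: commonMetadata, dependsOn, path, prune, sourceRef …
  decryption:
    provider: sops
    secretRef:
      name: sops-age  # Secret holding the age private key; use the cluster's existing name
  wait: true
```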
