mirror of https://github.com/external-secrets/external-secrets.git synced 2024-12-14 11:57:59 +00:00
external-secrets/docs/examples/bitwarden.md
# Bitwarden support using webhook provider
Bitwarden is an integrated open source password management solution for individuals, teams, and business organizations.
## How does it work?
To use external-secrets with Bitwarden, you need:
* external-secrets >= 0.8.0
* The Webhook provider
* Two (Cluster)SecretStores
* A Bitwarden CLI image running `bw serve`

When you create a new ExternalSecret object, the external-secrets Webhook provider queries the Bitwarden CLI pod, which in turn is synced with the Bitwarden server.
## Requirements
* A Bitwarden account (it also works with Vaultwarden)
* A Kubernetes Secret containing your Bitwarden credentials
* A Docker image with the Bitwarden CLI installed.
You can use `registry.gitlab.com/ttblt-oss/docker-bw:2023.1.0` or build your own.
Here is an example Dockerfile used to build this image:
```dockerfile
FROM debian:sid
ENV BW_CLI_VERSION=2023.1.0
# Download the pinned Bitwarden CLI release and install it into PATH
RUN apt update && \
    apt install -y wget unzip && \
    wget https://github.com/bitwarden/clients/releases/download/cli-v${BW_CLI_VERSION}/bw-linux-${BW_CLI_VERSION}.zip && \
    unzip bw-linux-${BW_CLI_VERSION}.zip && \
    chmod +x bw && \
    mv bw /usr/local/bin/bw && \
    rm -rfv *.zip
COPY entrypoint.sh /
CMD ["/entrypoint.sh"]
```
And the content of `entrypoint.sh`:
```bash
#!/bin/bash
set -e
# Point the CLI at your Bitwarden (or Vaultwarden) server
bw config server "${BW_HOST}"
# Log in with the password taken from the BW_PASSWORD environment variable
# and keep the session key for the following commands
export BW_SESSION=$(bw login "${BW_USER}" --passwordenv BW_PASSWORD --raw)
# Fail fast if the vault is still locked
bw unlock --check
echo 'Running `bw serve` on port 8087'
# Expose the unauthenticated REST API on all interfaces of the pod
bw serve --hostname 0.0.0.0 #--disable-origin-protection
```
## Deploy Bitwarden Credentials
```yaml
{% include 'bitwarden-cli-secrets.yaml' %}
```
## Deploy Bitwarden CLI container
```yaml
{% include 'bitwarden-cli-deployment.yaml' %}
```
> NOTE: Deploying a network policy is recommended: the `bw serve` HTTP API has no authentication, so any pod that can reach it can read every secret in the vault.

> NOTE: In this example the liveness probe queries `/sync` to ensure that the Bitwarden CLI is able to connect to the server and to sync secrets. (The secret sync only happens every 2 minutes in this example.)
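The following NetworkPolicy is an added example, not part of the external-secrets docs or the included manifests. It restricts ingress to the Bitwarden CLI pod so that only the external-secrets controller can reach the unauthenticated `bw serve` API on port 8087. The namespace names and pod labels are assumptions and must be adjusted to your deployment.

```yaml
# Added example (not part of the external-secrets docs): allow only the
# external-secrets controller pods to reach the Bitwarden CLI pod on 8087.
# Namespace names and pod labels below are assumptions; adjust them to
# match the Deployment from the previous step and your controller install.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: bitwarden-cli-ingress
  namespace: bitwarden              # assumed: namespace of the bw serve Deployment
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: bitwarden-cli   # assumed: label on the CLI pod
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              # kubernetes.io/metadata.name is set automatically on every namespace
              kubernetes.io/metadata.name: external-secrets   # assumed: controller namespace
          podSelector:
            matchLabels:
              app.kubernetes.io/name: external-secrets        # assumed: controller pod label
      ports:
        - protocol: TCP
          port: 8087
```

With `policyTypes: [Ingress]` and a single rule, every other source is denied once a NetworkPolicy-enforcing CNI is installed. Kubelet liveness probes originate from the node rather than from a pod; most CNIs exempt them, but verify that the `/sync` probe still succeeds after applying the policy.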
## Deploy ClusterSecretStore (or SecretStore)
Here are the two ClusterSecretStores to deploy:
```yaml
{% include 'bitwarden-secret-store.yaml' %}
```
## How to use it?
* If you need the `username` or the `password` of a secret, use `bitwarden-login`
* If you need a custom field of a secret, use `bitwarden-fields`
* The `key` is the ID of a secret, which can be found in the URL as the `itemId` value:
  `https://myvault.com/#/vault?itemId=........-....-....-....-............`
* The `property` is the name of the field:
  * `username` for the username of a secret (`bitwarden-login` SecretStore)
  * `password` for the password of a secret (`bitwarden-login` SecretStore)
  * `name_of_the_custom_field` for any custom field (`bitwarden-fields` SecretStore)
```yaml
{% include 'bitwarden-secret.yaml' %}
```