mirror of
https://github.com/external-secrets/external-secrets.git
synced 2024-12-14 11:57:59 +00:00
6c070bb538
* Add bitwarden example Signed-off-by: Thibault Cohen <47721+titilambert@users.noreply.github.com> * Fix bitwarden docs Signed-off-by: Thibault Cohen <47721+titilambert@users.noreply.github.com> * fix: punctuation, newline for bullet list Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> --------- Signed-off-by: Thibault Cohen <47721+titilambert@users.noreply.github.com> Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>
99 lines
2.9 KiB
Markdown
99 lines
2.9 KiB
Markdown
# Bitwarden support using webhook provider
|
|
|
|
Bitwarden is an integrated open source password management solution for individuals, teams, and business organizations.
|
|
|
|
## How is it working ?
|
|
|
|
To make external-secret compatible with BitWarden, we need:
|
|
|
|
* External-Secret >= 0.8.0
|
|
* To use the Webhook Provider
|
|
* 2 (Cluster)SecretStores
|
|
* BitWarden CLI image running `bw serve`
|
|
|
|
When you create a new external-secret object,
|
|
External-Secret Webhook provider will do a query to the Bitwarden CLI pod,
|
|
which is synced with the BitWarden server.
|
|
|
|
## Requirements
|
|
|
|
* Bitwarden account (it works also with VaultWarden)
|
|
* A Kubernetes secret which contains your BitWarden Credentials
|
|
* You need a Docker image with BitWarden CLI installed.
|
|
You could use `registry.gitlab.com/ttblt-oss/docker-bw:2023.1.0` or build your own.
|
|
|
|
Here an example of Dockerfile use to build this image:
|
|
```dockerfile
|
|
FROM debian:sid
|
|
|
|
ENV BW_CLI_VERSION=2023.1.0
|
|
|
|
RUN apt update && \
|
|
apt install -y wget unzip && \
|
|
wget https://github.com/bitwarden/clients/releases/download/cli-v${BW_CLI_VERSION}/bw-linux-${BW_CLI_VERSION}.zip && \
|
|
unzip bw-linux-${BW_CLI_VERSION}.zip && \
|
|
chmod +x bw && \
|
|
mv bw /usr/local/bin/bw && \
|
|
rm -rfv *.zip
|
|
|
|
COPY entrypoint.sh /
|
|
|
|
CMD ["/entrypoint.sh"]
|
|
```
|
|
|
|
And the content of `entrypoint.sh`
|
|
```bash
|
|
#!/bin/bash
|
|
|
|
set -e
|
|
|
|
bw config server ${BW_HOST}
|
|
|
|
export BW_SESSION=$(bw login ${BW_USER} --passwordenv BW_PASSWORD --raw)
|
|
|
|
bw unlock --check
|
|
|
|
echo 'Running `bw server` on port 8087'
|
|
bw serve --hostname 0.0.0.0 #--disable-origin-protection
|
|
```
|
|
|
|
|
|
## Deploy Bitwarden Credentials
|
|
|
|
```yaml
|
|
{% include 'bitwarden-cli-secrets.yaml' %}
|
|
```
|
|
|
|
## Deploy Bitwarden CLI container
|
|
|
|
```yaml
|
|
{% include 'bitwarden-cli-deployment.yaml' %}
|
|
```
|
|
|
|
> NOTE: Deploying a network policy is recommended since, there is no authentication to query the BitWarden CLI, which means that your secrets are exposed.
|
|
|
|
> NOTE: In this example the Liveness probe is quering /sync to ensure that the BitWarden CLI is able to connect to the server and also to sync secrets. (The secret sync is only every 2 minutes in this example)
|
|
|
|
## Deploy ClusterSecretStore (Or SecretStore)
|
|
|
|
Here the two ClusterSecretStore to deploy
|
|
|
|
```yaml
|
|
{% include 'bitwarden-secret-store.yaml' %}
|
|
```
|
|
|
|
|
|
## How to use it ?
|
|
|
|
* If you need the `username` or the `password` of a secret, you have to use `bitwarden-login`
|
|
* If you need a custom field of a secret, you have to use `bitwarden-fields`
|
|
* The `key` is the ID of a secret, which can be find in the URL with the `itemId` value:
|
|
`https://myvault.com/#/vault?itemId=........-....-....-....-............`
|
|
* The `property` is the name of the field:
|
|
* `username` for the username of a secret (`bitwarden-login` SecretStore)
|
|
* `password` for the password of a secret (`bitwarden-login` SecretStore)
|
|
* `name_of_the_custom_field` for any custom field (`bitwarden-fields` SecretStore)
|
|
|
|
```yaml
|
|
{% include 'bitwarden-secret.yaml' %}
|
|
```
|