diff --git a/.github/workflows/semantic-pr.yaml b/.github/workflows/semantic-pr.yaml
index 761a37c..a037ac3 100644
--- a/.github/workflows/semantic-pr.yaml
+++ b/.github/workflows/semantic-pr.yaml
@@ -19,7 +19,5 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
- scopes: bitwarden-webhook
- sidero-omni
 requireScope: true
 subjectPattern: ^(?![A-Z]).+$
diff --git a/.kube-linter.yaml b/.kube-linter.yaml
new file mode 100644
index 0000000..01fbb40
--- /dev/null
+++ b/.kube-linter.yaml
@@ -0,0 +1,6 @@
+checks:
+ exclude:
+ - "no-read-only-root-fs"
+ - "run-as-non-root"
+ - "unset-cpu-requirements"
+ - "unset-memory-requirements"
diff --git a/anza-labs/bitwarden-webhook/.helmignore b/anza-labs/bitwarden-webhook/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/anza-labs/bitwarden-webhook/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/anza-labs/bitwarden-webhook/Chart.yaml b/anza-labs/bitwarden-webhook/Chart.yaml
index 8b82daf..d169dcc 100644
--- a/anza-labs/bitwarden-webhook/Chart.yaml
+++ b/anza-labs/bitwarden-webhook/Chart.yaml
@@ -2,4 +2,4 @@ apiVersion: v2
 name: bitwarden-webhook
 description: A BitWarden Webhook provider for External Secrets Operator
 type: application
-version: 0.1.0
+version: 1.0.0
diff --git a/anza-labs/bitwarden-webhook/README.md b/anza-labs/bitwarden-webhook/README.md
new file mode 100644
index 0000000..49f2261
--- /dev/null
+++ b/anza-labs/bitwarden-webhook/README.md
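Review bot: Removing the `scopes` list while keeping `requireScope: true` means a scope must still be present but any value now passes, so a mistyped chart name in a PR title is no longer caught. If maintaining the list per chart is the burden, a previous step could derive it from the chart directories and feed it in, instead of dropping the allow-list altogether. The `uses:` line for the action is outside the hunk, so this assumes the usual semantics of `scopes`/`requireScope` for this kind of semantic-PR action.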
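Review bot: Excluding `run-as-non-root`, `no-read-only-root-fs`, `unset-cpu-requirements` and `unset-memory-requirements` repository-wide silences exactly the findings the new chart would raise, because its `podSecurityContext`, `securityContext` and `resources` defaults are all `{}`. A more useful baseline is to keep these checks on and give the chart hardened defaults (the commented-out block in `values.yaml` already lists `runAsNonRoot`, `readOnlyRootFilesystem` and dropped capabilities) plus requests/limits. Where one object genuinely cannot satisfy a check, an `ignore-check.kube-linter.io/<check>` annotation on that object keeps the exception scoped and visible instead of global.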
@@ -0,0 +1,39 @@
+# bitwarden-webhook
+
+![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat)
+
+A BitWarden Webhook provider for External Secrets Operator
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| affinity | object | `{}` | Affinity settings for the pods. |
+| fullnameOverride | string | `""` | Override for the full name. |
+| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. |
+| image.repository | string | `"ghcr.io/charlesthomas/bitwarden-cli"` | Registry and repository for the image. |
+| image.tag | string | `"2023.12.1"` | Tag for the image. |
+| imagePullSecrets | list | `[]` | Secrets for pulling images. |
+| nameOverride | string | `""` | Override for the name. |
+| networkPolicy.create | bool | `true` | Specifies whether a network policy should be created. |
+| networkPolicy.podSelectors | list | `[{"app.kubernetes.io/instance":"external-secrets","app.kubernetes.io/name":"external-secrets"}]` | Pod selectors for the network policy. |
+| nodeSelector | object | `{}` | Node selector for the pods. |
+| podAnnotations | object | `{}` | Annotations to be added to the pods. |
+| podLabels | object | `{}` | Labels to be added to the pods. |
+| podSecurityContext | object | `{}` | |
+| replicaCount | int | `1` | Number of replicas for the deployment. |
+| resources | object | `{}` | |
+| secret.bitwardenHost | string | `""` | Host for Bitwarden. |
+| secret.bitwardenPassword | string | `""` | Password for Bitwarden. |
+| secret.bitwardenUsername | string | `""` | Username for Bitwarden. |
+| secret.create | bool | `true` | Specifies whether a secret should be created. |
+| secret.existingSecretName | string | `""` | Name of the existing secret. |
+| securityContext | object | `{}` | |
+| serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
+| serviceAccount.automount | bool | `true` | Automatically mount a ServiceAccount's API credentials. |
+| serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
+| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
+| tolerations | list | `[]` | Tolerations for the pods. |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1)
diff --git a/anza-labs/bitwarden-webhook/templates/_helpers.tpl b/anza-labs/bitwarden-webhook/templates/_helpers.tpl
new file mode 100644
index 0000000..2d4e7b5
--- /dev/null
+++ b/anza-labs/bitwarden-webhook/templates/_helpers.tpl
@@ -0,0 +1,73 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "bitwarden-webhook.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "bitwarden-webhook.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "bitwarden-webhook.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "bitwarden-webhook.labels" -}}
+helm.sh/chart: {{ include "bitwarden-webhook.chart" . }}
+{{ include "bitwarden-webhook.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "bitwarden-webhook.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "bitwarden-webhook.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "bitwarden-webhook.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "bitwarden-webhook.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create the name of the secret to use
+*/}}
+{{- define "bitwarden-webhook.secretName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "bitwarden-webhook.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- required ".Values.secret.existingSecretName is required when not creating the secret!" .Values.secret.existingSecretName }}
+{{- end }}
+{{- end }}
diff --git a/anza-labs/bitwarden-webhook/templates/deployment.yaml b/anza-labs/bitwarden-webhook/templates/deployment.yaml
new file mode 100644
index 0000000..456bb5d
--- /dev/null
+++ b/anza-labs/bitwarden-webhook/templates/deployment.yaml
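Review bot: `bitwarden-webhook.secretName` is a copy of `serviceAccountName`: it tests `.Values.serviceAccount.create` and returns `.Values.serviceAccount.name` (or the fullname), so with `secret.create: false` and the default `serviceAccount.create: true` the Deployment's `secretKeyRef` still points at a Secret named after the service account and `existingSecretName` is silently ignored; the `required` branch is only reached when the service account is disabled. The two lines should read `{{- if .Values.secret.create }}` and `{{- include "bitwarden-webhook.fullname" . }}`, which is the name `templates/secret.yaml` gives the rendered Secret. As written, setting `serviceAccount.name` also changes which Secret the pod reads credentials from, which is not something a reader of `values.yaml` would expect.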
@@ -0,0 +1,94 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "bitwarden-webhook.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "bitwarden-webhook.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ {{- include "bitwarden-webhook.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "bitwarden-webhook.labels" . | nindent 8 }}
+ {{- with .Values.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "bitwarden-webhook.serviceAccountName" . }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ containers:
+ - name: {{ .Chart.Name }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ env:
+ - name: BW_HOST
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "bitwarden-webhook.secretName" . }}
+ key: BW_HOST
+ - name: BW_USER
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "bitwarden-webhook.secretName" . }}
+ key: BW_USERNAME
+ - name: BW_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "bitwarden-webhook.secretName" . }}
+ key: BW_PASSWORD
+ ports:
+ - name: http
+ containerPort: 8087
+ protocol: TCP
+ livenessProbe:
+ exec:
+ command:
+ - wget
+ - -q
+ - http://127.0.0.1:8087/sync?force=true
+ - --post-data=''
+ initialDelaySeconds: 20
+ failureThreshold: 3
+ timeoutSeconds: 1
+ periodSeconds: 120
+ readinessProbe:
+ tcpSocket:
+ port: 8087
+ initialDelaySeconds: 20
+ failureThreshold: 3
+ timeoutSeconds: 1
+ periodSeconds: 10
+ startupProbe:
+ tcpSocket:
+ port: 8087
+ initialDelaySeconds: 10
+ failureThreshold: 30
+ timeoutSeconds: 1
+ periodSeconds: 5
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/anza-labs/bitwarden-webhook/templates/networkpolicy.yaml b/anza-labs/bitwarden-webhook/templates/networkpolicy.yaml
new file mode 100644
index 0000000..8582a17
--- /dev/null
+++ b/anza-labs/bitwarden-webhook/templates/networkpolicy.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.networkPolicy.create -}}
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: {{ include "bitwarden-webhook.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "bitwarden-webhook.labels" . | nindent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "bitwarden-webhook.selectorLabels" . | nindent 6 }}
+ ingress:
+ - from:
+ {{- range $v := .Values.networkPolicy.podSelectors }}
+ - podSelector:
+ matchLabels:
+ {{- $v | toYaml | nindent 12 }}
+ {{- end }}
+{{- end }}
diff --git a/anza-labs/bitwarden-webhook/templates/secret.yaml b/anza-labs/bitwarden-webhook/templates/secret.yaml
new file mode 100644
index 0000000..bb8ba2a
--- /dev/null
+++ b/anza-labs/bitwarden-webhook/templates/secret.yaml
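Review bot: `.Values.resources` is never rendered — the container spec has no `resources:` key — so the value documented in `values.yaml` and the README is a no-op and no requests or limits can be set; add `resources:` followed by `{{- toYaml .Values.resources | nindent 12 }}` next to `imagePullPolicy`. The liveness probe runs `wget -q http://127.0.0.1:8087/sync?force=true --post-data=''` without `-O -`, so unless the image's wget behaves unusually every run (each 120 s) saves the response to a file in the working directory (`sync?force=true`, then `.1`, `.2`, …), slowly filling the writable layer and failing outright once `readOnlyRootFilesystem` is enabled; add `-O` and `-` (or `-O /dev/null`) as arguments, and note that `--post-data=''` sends the two literal quote characters as the body because exec arguments are not shell-parsed. A forced sync is also a side-effecting liveness check: a transient failure against the Bitwarden server restarts the pod, so a read-only status request or the existing tcpSocket probe may be the better liveness signal.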
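Review bot: The ingress rule is built only from `podSelector` peers, and a `podSelector` without a `namespaceSelector` matches pods in the policy's own namespace only, so if External Secrets Operator runs in its usual separate namespace the webhook is unreachable from it; let each entry be a full peer passed through `toYaml` (so a `namespaceSelector` can be given) instead of wrapping it in `podSelector:`. When `podSelectors` is empty the rendered rule is `- from:` with no peers, which Kubernetes treats as "from anywhere", so the policy quietly opens the pod rather than closing it; guard the rule with `{{- if .Values.networkPolicy.podSelectors }}` or fail with `required`. Adding `ports:` for 8087 would also narrow the rule to the port the Service exposes.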
@@ -0,0 +1,20 @@
+{{- if .Values.secret.create -}}
+{{- $bitwardenHost := .Values.secret.bitwardenHost | required ".Values.secret.bitwardenHost is required." -}}
+{{- $bitwardenUsername := .Values.secret.bitwardenUsername | required ".Values.secret.bitwardenUsername is required." -}}
+{{- $bitwardenPassword := .Values.secret.bitwardenPassword | required ".Values.secret.bitwardenPassword is required." -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "bitwarden-webhook.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "bitwarden-webhook.labels" . | nindent 8 }}
+ {{- with .Values.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+type: Opaque
+stringData:
+ BW_HOST: {{ $bitwardenHost }}
+ BW_USERNAME: {{ $bitwardenUsername }}
+ BW_PASSWORD: {{ $bitwardenPassword }}
+{{- end }}
diff --git a/anza-labs/bitwarden-webhook/templates/service.yaml b/anza-labs/bitwarden-webhook/templates/service.yaml
new file mode 100644
index 0000000..6291f1c
--- /dev/null
+++ b/anza-labs/bitwarden-webhook/templates/service.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "bitwarden-webhook.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "bitwarden-webhook.labels" . | nindent 4 }}
+spec:
+ type: ClusterIP
+ ports:
+ - port: 8087
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ {{- include "bitwarden-webhook.selectorLabels" . | nindent 4 }}
diff --git a/anza-labs/bitwarden-webhook/templates/serviceaccount.yaml b/anza-labs/bitwarden-webhook/templates/serviceaccount.yaml
new file mode 100644
index 0000000..5129447
--- /dev/null
+++ b/anza-labs/bitwarden-webhook/templates/serviceaccount.yaml
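Review bot: The three `stringData` values are interpolated unquoted (`BW_HOST: {{ $bitwardenHost }}`), so a password containing `: ` or ` #`, starting with `*`, `&` or `{`, or looking like a number or boolean either breaks the YAML or is retyped — and since `stringData` entries must be strings, a purely numeric value is rejected by the API server. Render them as `BW_HOST: {{ $bitwardenHost | quote }}`, `BW_USERNAME: {{ $bitwardenUsername | quote }}` and `BW_PASSWORD: {{ $bitwardenPassword | quote }}`. The `labels:` block uses `nindent 8` where every other template uses 4 and also copies `podLabels` onto the Secret; it renders validly but looks unintended.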
@@ -0,0 +1,14 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "bitwarden-webhook.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "bitwarden-webhook.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
+{{- end }}
diff --git a/anza-labs/bitwarden-webhook/values.yaml b/anza-labs/bitwarden-webhook/values.yaml
new file mode 100644
index 0000000..4b82e7e
--- /dev/null
+++ b/anza-labs/bitwarden-webhook/values.yaml
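Review bot: `automountServiceAccountToken` follows `serviceAccount.automount`, which defaults to `true`, yet nothing in the templates shows the container using the Kubernetes API — it only serves port 8087 and reads its credentials from a Secret via env — so the pod carries an API token it does not need. Defaulting `automount` to `false` in `values.yaml` is the least-privilege choice, and since this field here only takes effect when the chart creates the ServiceAccount, setting `automountServiceAccountToken: {{ .Values.serviceAccount.automount }}` on the pod spec in `deployment.yaml` as well makes the setting apply when an existing service account is used.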
@@ -0,0 +1,86 @@
+# Default values for bitwarden-webhook.
+
+# -- Number of replicas for the deployment.
+replicaCount: 1
+
+image:
+ # -- Registry and repository for the image.
+ repository: ghcr.io/charlesthomas/bitwarden-cli
+ # -- Tag for the image.
+ tag: "2023.12.1"
+ # -- Image pull policy.
+ pullPolicy: IfNotPresent
+
+# -- Secrets for pulling images.
+imagePullSecrets: []
+# -- Override for the name.
+nameOverride: ""
+# -- Override for the full name.
+fullnameOverride: ""
+
+serviceAccount:
+ # -- Specifies whether a service account should be created.
+ create: true
+ # -- Automatically mount a ServiceAccount's API credentials.
+ automount: true
+ # -- Annotations to add to the service account.
+ annotations: {}
+ # -- The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template.
+ name: ""
+
+networkPolicy:
+ # -- Specifies whether a network policy should be created.
+ create: true
+ # -- Pod selectors for the network policy.
+ podSelectors:
+ - app.kubernetes.io/instance: external-secrets
+ app.kubernetes.io/name: external-secrets
+
+secret:
+ # -- Specifies whether a secret should be created.
+ create: true
+ # -- Name of the existing secret.
+ existingSecretName: ""
+ # -- Host for Bitwarden.
+ bitwardenHost: ""
+ # -- Username for Bitwarden.
+ bitwardenUsername: ""
+ # -- Password for Bitwarden.
+ bitwardenPassword: ""
+
+# -- Annotations to be added to the pods.
+podAnnotations: {}
+# -- Labels to be added to the pods.
+podLabels: {}
+
+podSecurityContext:
+ {}
+ # fsGroup: 2000
+
+securityContext:
+ {}
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 1000
+
+resources:
+ {}
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+# -- Node selector for the pods.
+nodeSelector: {}
+
+# -- Tolerations for the pods.
+tolerations: []
+
+# -- Affinity settings for the pods.
+affinity: {}
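Review bot: `securityContext` and `podSecurityContext` ship as `{}`, so the container runs with whatever the image defaults to; the hardened settings are already present as comments (`runAsNonRoot: true`, `readOnlyRootFilesystem: true`, `capabilities.drop: [ALL]`) and should be the shipped default, with `allowPrivilegeEscalation: false` and `seccompProfile.type: RuntimeDefault` alongside, which would also remove the need for the `.kube-linter.yaml` exclusions in this commit. `image.tag` pins `"2023.12.1"` but the image is a third-party build with no digest, so a re-pushed tag silently changes what runs; a `digest` value rendered as `@sha256:<digest>` in the deployment's `image:` would make the pin immutable. Since `secret.bitwardenPassword` set here also lands in the Helm release Secret, the comment on it should steer production users to `existingSecretName`.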