Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Bitwarden Secrets provider #513

Merged
merged 1 commit into from
Sep 6, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 10 additions & 2 deletions .github/workflows/ci.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -17,13 +17,17 @@ jobs:
with:
go-version-file: 'go.mod'
cache: true
- name: build
- name: Install musl-gcc
run: |
sudo apt-get update
sudo apt-get install musl-tools -y
- name: build
run: make build

unit-test:
runs-on: ubuntu-latest
env:
SKIP_TESTS: true
SKIP_TESTS: true
steps:
- name: Create k8s Kind Cluster
uses: helm/[email protected]
Expand All @@ -40,5 +44,9 @@ jobs:
with:
go-version-file: 'go.mod'
cache: true
- name: Install musl-gcc
run: |
sudo apt-get update
sudo apt-get install musl-tools -y
- name: test
run: make test
5 changes: 5 additions & 0 deletions .github/workflows/release.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,11 @@ jobs:
uses: actions/setup-go@v5
with:
go-version-file: 'go.mod'
-
name: Install musl-gcc
run: |
sudo apt-get update
sudo apt-get install musl-tools -y
-
name: Run GoReleaser
uses: goreleaser/goreleaser-action@v6
Expand Down
5 changes: 3 additions & 2 deletions .goreleaser.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,10 @@ builds:
- id: vals
main: ./cmd/vals
env:
- CGO_ENABLED=0
- CGO_ENABLED=1
- CC=musl-gcc
ldflags:
- -s -w -X main.version={{.Version}} -X main.commit={{.Commit}}
- -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -linkmode external -extldflags "-static -Wl,-unresolved-symbols=ignore-all"
goos:
- darwin
- linux
Expand Down
21 changes: 16 additions & 5 deletions Makefile
Original file line number Diff line number Diff line change
@@ -1,19 +1,30 @@
Version := $(shell git describe --tags --dirty --always)
PKGS := $(shell go list ./... | grep -v /vendor/)
GitCommit := $(shell git rev-parse HEAD)
LDFLAGS := "-X main.version=$(Version) -X main.commit=$(GitCommit)"
INITIAL_LDFLAGS := -X main.version=$(Version) -X main.commit=$(GitCommit)

platform := $(shell uname -o)

ifeq ($(platform),Darwin)
CC_FLAGS := CC=clang CXX=clang++
LDFLAGS := '$(INITIAL_LDFLAGS)'
endif

ifeq ($(platform),GNU/Linux)
CC_FLAGS := CC=musl-gcc
LDFLAGS := '$(INITIAL_LDFLAGS) -linkmode external -extldflags "-static -Wl,-unresolved-symbols=ignore-all"'
endif

build:
go build -ldflags $(LDFLAGS) -o bin/vals ./cmd/vals
CGO_ENABLED=1 $(CC_FLAGS) go build -ldflags $(LDFLAGS) -o bin/vals ./cmd/vals

install: build
mv bin/vals ~/bin/

lint:
golangci-lint run -v --out-format=github-actions


test:
go test -v ${PKGS} -coverprofile cover.out -race -p=1
CGO_ENABLED=1 $(CC_FLAGS) go test -ldflags=$(LDFLAGS) -v ${PKGS} -coverprofile cover.out -race -p=1
go tool cover -func cover.out
.PHONY: test
.PHONY: test
112 changes: 83 additions & 29 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ It supports various backends including:
- Conjur
- HCP Vault Secrets
- Bitwarden
- Bitwarden Secrets
- HTTP JSON

- Use `vals eval -f refs.yaml` to replace all the `ref`s in the file to actual values and secrets.
Expand Down Expand Up @@ -206,30 +207,53 @@ Please see the [relevant unit test cases](https://github.com/helmfile/vals/blob/

## Supported Backends

- [Vault](#vault)
- [AWS SSM Parameter Store](#aws-ssm-parameter-store)
- [AWS Secrets Manager](#aws-secrets-manager)
- [AWS S3](#aws-s3)
- [GCP Secrets Manager](#gcp-secrets-manager)
- [GCP KMS](#gcp-kms)
- [Google Sheets](#google-sheets)
- [Google GCS](#google-gcs)
- [SOPS](#sops) powered by [sops](https://github.com/getsops/sops)
- [Terraform (tfstate)](#terraform-tfstate) powered by [tfstate-lookup](https://github.com/fujiwara/tfstate-lookup)
- [Echo](#echo)
- [File](#file)
- [Azure Key Vault](#azure-key-vault)
- [EnvSubst](#envsubst)
- [GitLab](#gitlab)
- [1Password](#1password)
- [1Password Connect](#1password-connect)
- [Doppler](#doppler)
- [Pulumi State](#pulumi-state)
- [Kubernetes](#kubernetes)
- [Conjur](#conjur)
- [HCP Vault Secrets](#hcp-vault-secrets)
- [HTTP JSON](#http-json)
- [Bitwarden](#bitwarden)
- [vals](#vals)
- [Usage](#usage)
- [CLI](#cli)
- [Helm](#helm)
- [Go](#go)
- [Expression Syntax](#expression-syntax)
- [Supported Backends](#supported-backends)
- [Vault](#vault)
- [Authentication](#authentication)
- [AWS](#aws)
- [AWS SSM Parameter Store](#aws-ssm-parameter-store)
- [AWS Secrets Manager](#aws-secrets-manager)
- [AWS S3](#aws-s3)
- [AWS KMS](#aws-kms)
- [Google GCS](#google-gcs)
- [GCP Secrets Manager](#gcp-secrets-manager)
- [GCP KMS](#gcp-kms)
- [Google Sheets](#google-sheets)
- [Terraform (tfstate)](#terraform-tfstate)
- [Terraform in GCS bucket (tfstategs)](#terraform-in-gcs-bucket-tfstategs)
- [Terraform in S3 bucket (tfstates3)](#terraform-in-s3-bucket-tfstates3)
- [Terraform in AzureRM Blob storage (tfstateazurerm)](#terraform-in-azurerm-blob-storage-tfstateazurerm)
- [Terraform in Terraform Cloud / Terraform Enterprise (tfstateremote)](#terraform-in-terraform-cloud--terraform-enterprise-tfstateremote)
- [SOPS](#sops)
- [Echo](#echo)
- [File](#file)
- [Azure Key Vault](#azure-key-vault)
- [Authentication](#authentication-1)
- [EnvSubst](#envsubst)
- [GitLab Secrets](#gitlab-secrets)
- [1Password](#1password)
- [1Password Connect](#1password-connect)
- [Doppler](#doppler)
- [Pulumi State](#pulumi-state)
- [Kubernetes](#kubernetes)
- [Conjur](#conjur)
- [HCP Vault Secrets](#hcp-vault-secrets)
- [Bitwarden](#bitwarden)
- [Bitwarden Secrets](#bitwarden-secrets)
- [HTTP JSON](#http-json)
- [Fetch string value](#fetch-string-value)
- [Fetch integer value](#fetch-integer-value)
- [Advanced Usages](#advanced-usages)
- [Discriminating config and secrets](#discriminating-config-and-secrets)
- [Non-Goals](#non-goals)
- [Complex String-Interpolation / Template Functions](#complex-string-interpolation--template-functions)
- [Merge](#merge)

Please see [pkg/providers](https://github.com/helmfile/vals/tree/master/pkg/providers) for the implementations of all the providers. The package names corresponds to the URI schemes.

Expand Down Expand Up @@ -831,9 +855,9 @@ Example:
`ref+hcpvaultsecrets://APPLICATION_NAME/SECRET_NAME[?client_id=HCP_CLIENT_ID&client_secret=HCP_CLIENT_SECRET&organization_id=HCP_ORGANIZATION_ID&organization_name=HCP_ORGANIZATION_NAME&project_id=HCP_PROJECT_ID&project_name=HCP_PROJECT_NAME&version=2]`
### Bitwarden
This provider retrieves the secrets stored in Bitwarden. It uses the [Bitwarden Vault-Management API](https://bitwarden.com/help/vault-management-api/) that is included in the [Bitwarden CLI](https://github.com/bitwarden/clients) by executing `bw serve`.
This provider retrieves the secrets stored in Bitwarden. It uses the [Bitwarden Vault-Management API](https://bitwarden.com/help/vault-management-api/) that is included in the [Bitwarden CLI](https://github.com/bitwarden/clients) by executing `bw serve`.
Environment variables:
Expand All @@ -852,11 +876,41 @@ Examples:
- `ref+bw://4d084b01-87e7-4411-8de9-2476ab9f3f48/{username,password,uri,notes,item}` gets username, password, uri, notes or the whole item of the given item id
- `ref+bw://4d084b01-87e7-4411-8de9-2476ab9f3f48/notes#/key1` gets the *key1* from the yaml stored as note in the item
### Bitwarden Secrets
This provider retrieves the secrets stored in Bitwarden SECRETS MANAGER (not BitWarden Password Manager like [Bitwarden](#bitwarden)).
It authenticates using an Access Token from a "Machine account", which can be created by opening the Bitwarden Web Vault, switching to Bitwarden `Secrets Manager`, then **Machine accounts**. Create a new machine account, grant at least "Can read" permission to a Project, and generate an Access Token.
This provider also needs the `Organization ID` which is a UUID that you can find in the URL like: https://vault.bitwarden.com/#/sm/00000000-0000-0000-0000-000000000000, where 00000000-0000-0000-0000-000000000000 is the Organization ID.
It is based on the [Bitwarden SDK in Go](https://github.com/bitwarden/sdk/tree/main/languages/go) lib.
Environment variables:
- `BWS_API_URL`: The Bitwarden API service endpoint, defaults to `https://api.bitwarden.com`
- `BWS_IDENTITY_URL`: The Bitwarden Identity service endpoint, defaults to `https://identity.bitwarden.com`
- `BWS_ACCESS_TOKEN`: The Bitwarden Access Token for the Machine Account
- `BWS_ORGANIZATION_ID`: The Bitwarden Organization ID
Parameters:
Parameters are optional and can be passed as query parameters in the URI, taking precedence over environment variables.
- `api_url`: The Bitwarden API service endpoint, defaults to `https://api.bitwarden.com`
- `identity_url`: The Bitwarden Identity service endpoint, defaults to `https://identity.bitwarden.com`
- `access_token`: The Bitwarden Access Token for the Machine Account
- `organization_id`: The Bitwarden Organization ID
Example:
`ref+bws://PROJECT_NAME/SECRET_NAME[?api_url=BWS_API_URL&identity_url=BWS_IDENTITY_URL&access_token=BWS_ACCESS_TOKEN&organization_id=BWS_ORGANIZATION_ID]`
### HTTP JSON
This provider retrieves values stored in JSON hosted by a HTTP frontend.
This provider is built on top of [jsonquery](https://pkg.go.dev/github.com/antchfx/[email protected]) and [xpath](https://pkg.go.dev/github.com/antchfx/[email protected]) packages.
This provider is built on top of [jsonquery](https://pkg.go.dev/github.com/antchfx/[email protected]) and [xpath](https://pkg.go.dev/github.com/antchfx/[email protected]) packages.
Given the diverse array of JSON structures that can be encountered, utilizing jsonquery with XPath presents a more effective approach for handling this variability in data structures.
Expand All @@ -880,7 +934,7 @@ Let's say you want to fetch the below JSON object from https://api.github.com/us
"name": "go-yaml"
}
]
```
```
```
# To get name="chartify" using https protocol you would use:
ref+httpjson://api.github.com/users/helmfile/repos#///*[1]/name
Expand All @@ -903,7 +957,7 @@ Let's say you want to fetch the below JSON object from https://api.github.com/us
"id": 251296379
}
]
```
```
```
# Running the following will return: 2.51296379e+08
ref+httpjson://api.github.com/users/helmfile/repos#///*[1]/id
Expand Down
2 changes: 2 additions & 0 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,7 @@ require (
cloud.google.com/go/auth/oauth2adapt v0.2.4 // indirect
cloud.google.com/go/longrunning v0.6.0 // indirect
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
github.com/bitwarden/sdk-go v1.0.0 // indirect
github.com/extism/go-sdk v1.3.1 // indirect
github.com/fxamacker/cbor/v2 v2.7.0 // indirect
github.com/go-jose/go-jose/v4 v4.0.2 // indirect
Expand All @@ -49,6 +50,7 @@ require (
github.com/go-openapi/strfmt v0.23.0 // indirect
github.com/go-openapi/validate v0.24.0 // indirect
github.com/gobwas/glob v0.2.3 // indirect
github.com/gofrs/uuid v4.4.0+incompatible // indirect
github.com/google/go-jsonnet v0.20.0 // indirect
github.com/hashicorp/go-version v1.6.0 // indirect
github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db // indirect
Expand Down
4 changes: 4 additions & 0 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -138,6 +138,8 @@ github.com/aws/smithy-go v1.20.2 h1:tbp628ireGtzcHDDmLT/6ADHidqnwgF57XOXZe6tp4Q=
github.com/aws/smithy-go v1.20.2/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E=
github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d h1:xDfNPAt8lFiC1UJrqV3uuy861HCTo708pDMbjHHdCas=
github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d/go.mod h1:6QX/PXZ00z/TKoufEY6K/a0k6AhaJrQKdFe6OfVXsa4=
github.com/bitwarden/sdk-go v1.0.0 h1:XupMlyu7CxdtKFi7obSknwICQ2J+WtmzndfVkkiGShI=
github.com/bitwarden/sdk-go v1.0.0/go.mod h1:RuYh+gqffp3h8wNUVWz1bvp2Pho10AFz+WIlI26iWY4=
github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ=
github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
github.com/cenkalti/backoff/v3 v3.2.2 h1:cfUAAO3yvKMYKPrvhDuHSwQnhZNk/RMHKdZqKTxfm6M=
Expand Down Expand Up @@ -231,6 +233,8 @@ github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
github.com/gofrs/uuid v4.4.0+incompatible h1:3qXRTX8/NbyulANqlc0lchS1gqAVxRgsuW1YrTJupqA=
github.com/gofrs/uuid v4.4.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
Expand Down
Loading
Loading